Analysis of Hidden Markov Model Learning Algorithms for the Detection and Prediction of Multi-stage Network Attacks - MATLAB Code

This work implements a critical analysis of the detection and prediction accuracy of supervised learning as well as a wide range of unsupervised training and initialisation algorithms, including the spectral, Baum–Welch, differential evolution, K-means (with and without using predefined stages), and segmental K-means. The performance of these algorithms has been evaluated, both individually and in a hybrid approach, for detecting all the states and the current state, and for predicting the next state (NS) and the next observation (NO) of a given alert observation sequence. To generate this alert sequence, the Snort signature-based intrusion detection system was used, with either bespoke or default rules, to raise alerts while examining the DARPA 2000 multi-stage attack (MSA) dataset. The results also shed further light on alternative approaches for forecasting the possible NS and NO in an MSA campaign, as well as the impact of window size on the prediction performance for all analysed techniques.

This code reproduces the work and results as described in the Elsevier article "Analysis of hidden Markov model learning algorithms for the detection and prediction of multi-stage network attacks" by Timothy Chadza, Konstantinos Kyriakopoulos & Sangarapillai Lambotharan, published in Future Generation Computer Systems, 2020 (https://doi.org/10.1016/j.future.2020.03.014).

This is published under the GNU GENERAL PUBLIC LICENSE Version 3. If you use this code, please cite the above article.

To run this code, simply run the main.m file.
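
To make the evaluated tasks concrete (all states, current state, NS and NO), here is an added Python example that is not part of this repository or the article. The three stages, the alert classes and every probability are constructed assumptions, not parameters learned from the DARPA 2000 data.

```python
# Constructed 3-stage left-to-right HMM; names and numbers are assumptions.
STAGES = ["probe", "compromise", "ddos"]
ALERTS = ["scan_alert", "exploit_alert", "flood_alert"]
PI = [1.0, 0.0, 0.0]                      # campaigns start in "probe"
A = [[0.7, 0.3, 0.0],                     # stage transition probabilities
     [0.0, 0.6, 0.4],
     [0.0, 0.0, 1.0]]
B = [[0.8, 0.1, 0.1],                     # P(alert class | stage)
     [0.1, 0.8, 0.1],
     [0.1, 0.1, 0.8]]
N = len(STAGES)

def _step(dist):
    """Push a state distribution one step through A (dist @ A)."""
    return [sum(dist[i] * A[i][j] for i in range(N)) for j in range(N)]

def filter_current(obs):
    """Normalised forward algorithm: P(current state | alerts so far)."""
    belief = PI
    for t, o in enumerate(obs):
        prior = belief if t == 0 else _step(belief)
        joint = [prior[j] * B[j][o] for j in range(N)]
        total = sum(joint)
        if total == 0.0:
            raise ValueError("alert sequence is impossible under this model")
        belief = [p / total for p in joint]
    return belief

def predict_next(obs):
    """Return (NS distribution, NO distribution) one step ahead."""
    ns = _step(filter_current(obs))
    no = [sum(ns[j] * B[j][k] for j in range(N)) for k in range(len(ALERTS))]
    return ns, no

def viterbi(obs):
    """Most likely stage for every alert in the sequence (all states)."""
    delta = [PI[j] * B[j][obs[0]] for j in range(N)]
    back = []
    for o in obs[1:]:
        prev = [max(range(N), key=lambda i: delta[i] * A[i][j]) for j in range(N)]
        delta = [delta[prev[j]] * A[prev[j]][j] * B[j][o] for j in range(N)]
        back.append(prev)
    path = [max(range(N), key=lambda j: delta[j])]
    for prev in reversed(back):
        path.append(prev[path[-1]])
    return path[::-1]

def argmax(dist):
    return max(range(len(dist)), key=lambda i: dist[i])
```

For long alert sequences, run Viterbi in the log domain to avoid underflow; the probability-domain version here is adequate for short windows.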