PRISM: A Hierarchical Intrusion Detection Architecture for Large-Scale Cyber Networks

The increase in scale of cyber networks and the rise in sophistication of cyber-attacks have introduced several challenges in intrusion detection. The primary challenge is the requirement to detect complex multi-stage attacks in realtime by processing the immense amount of traffic produced by presen...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing 2023-11, Vol.20 (6), p.1-17
Main Authors: Javed, Yahya, Khayat, Mosab A., Elghariani, Ali A., Ghafoor, Arif
Format: Article
Language:English
Subjects:
Behavioral sciences
Communications traffic
Computer architecture
Cybersecurity
Hidden Markov models
Intrusion detection
machine learning
Markov chains
Modular design
Modularity
Multilayers
network security
network traffic sampling
Networks
Real time
Security
stream processing
Surveillance
Telecommunication traffic
threat forecasting
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The increase in scale of cyber networks and the rise in sophistication of cyber-attacks have introduced several challenges in intrusion detection. The primary challenge is the requirement to detect complex multi-stage attacks in realtime by processing the immense amount of traffic produced by present-day networks. In this paper we present PRISM, a hierarchical intrusion detection architecture that uses a novel attacker behavior model-based sampling technique to minimize the realtime traffic processing overhead. PRISM has a unique multi-layered architecture that monitors network traffic distributedly to provide efficiency in processing and modularity in design. PRISM employs a Hidden Markov Model-based prediction mechanism to identify multi-stage attacks and ascertain the attack progression for a proactive response. Furthermore, PRISM introduces a stream management procedure that rectifies the issue of alert reordering when collected from distributed alert reporting systems. To evaluate the performance of PRISM, multiple metrics have been proposed, and various experiments have been conducted on a multi-stage attack dataset. The results exhibit up to 7.5x improvement in processing overhead as compared to a standard centralized IDS without the loss of prediction accuracy while demonstrating the ability to predict different attack stages promptly.
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2023.3240315