The Parameter Optimization Based on LVPSO Algorithm for Detecting Multi-step Attacks

How to detect intrusion attacks is a big challenge for network administrators since the attacks involve multi-step nowadays. The hidden markov model (HMM) is widely used in the field of multi-step attacks detection. However, the existing traditional Baum-Welch algorithm of HMM has two shortcomings: one is the number of attack states need to be determined in advance, the other is the algorithm may make the parameters converge to a local (not overall) optimal solution. In this paper, we propose a novel LVPSO-HMM algorithm based on variable length particle swarm optimization, which solves the shortcomings mentioned above. Concretely, it can optimize the number of attack states when the attacks state is unknown and it can make the model parameters converge to a global optimal solution. Then, we present a multi-step attack detection model architecture whose main idea is, when the number of attack states is unknown in the actual network environment LVPSO-HMM algorithm is used to solve the problem of relying on prior knowledge in current detection. Experiments on the well-known Darpa2000 dataset verify the efficiency of the method.