Article ID: 459964
Journal: Journal of Network and Computer Applications
Published Year: 2010
Pages: 12 Pages
File Type: PDF
Abstract

This paper proposes a framework that applies frequent episode rules, implemented by finite state machines (FSMs), to design a real-time network-based intrusion prevention system (NIPS) for Probe/Exploit (hacking) intrusion. This type of Probe/Exploit (hacking) intrusion is executed by a series of related actions that occur in some sequence. In frequent episode rule mining, data are viewed as a sequence of events, where each event has an associated time of occurrence; such a mining technique is therefore highly effective at discovering sophisticated Probe/Exploit intrusion attacks. Prior to a devastating attack on a victim's computer, the hacker must gather information about the victim and transfer instructions or files to the victim's computer. The proposed system can detect such abnormal episodes and repel hackers at the firewall before they are able to launch a deadly attack. For one network service (identified by its port number), the framework mines frequent episode rules from the log files of a commercial honeypot system, then refines the rules, and finally constructs a finite state machine that protects the network service according to the refined rules. During implementation and simulation, this study applied the framework to protecting the Server Message Block (SMB) protocol, which is the most important protocol in Microsoft's Windows Network. As confirmed in the experiments, this study successfully mined sophisticated intrusion episodes and demonstrated the efficiency of tracing connections by an FSM. The intrusion prevention framework proposed in this paper can be modified straightforwardly to protect other network services.
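An added illustration, not code from the paper, of the two-stage pipeline the abstract describes: a serial-episode FSM counts in-window occurrences over a constructed honeypot log to find frequent episodes, and the same FSM, instantiated per source and per rule, then blocks a source the moment a mined episode completes in live traffic. The event labels, the window width and the support threshold are assumptions, and the rule-refinement step is omitted.

```python
from collections import defaultdict
from itertools import permutations
# Constructed honeypot log: (timestamp_s, source_ip, event_type); labels are hypothetical SMB actions.
HONEYPOT_LOG = [(0, "10.0.0.5", "null_session"), (2, "10.0.0.5", "share_enum"), (5, "10.0.0.5", "file_write"),
                (1, "10.0.0.9", "share_enum"), (3, "10.0.0.9", "file_write"), (40, "10.0.0.5", "null_session"),
                (41, "10.0.0.5", "share_enum"), (49, "10.0.0.5", "file_write"), (70, "10.0.0.7", "null_session"),
                (71, "10.0.0.7", "share_enum"), (100, "10.0.0.7", "file_write")]
# Constructed live traffic for the prevention stage (same layout, already time-ordered).
LIVE_STREAM = [(0, "10.0.0.21", "null_session"), (0, "10.0.0.22", "share_enum"), (1, "10.0.0.21", "share_enum"),
               (2, "10.0.0.22", "file_write"), (3, "10.0.0.21", "file_write"), (4, "10.0.0.21", "file_write"),
               (5, "10.0.0.23", "null_session"), (30, "10.0.0.23", "share_enum"), (31, "10.0.0.23", "file_write")]

class EpisodeFSM:
    """Tracks one serial episode (ordered event types) that must complete within `window` seconds."""
    def __init__(self, episode, window):
        self.episode, self.window = episode, window
        self.state, self.start = 0, None  # state i: the first i event types have been seen in order
    def feed(self, ts, etype):
        """Advance on one event; return True when the whole episode completes inside the window."""
        if self.state and ts - self.start > self.window:  # partial match timed out: drop it
            self.state, self.start = 0, None
        if etype == self.episode[self.state]:
            if self.state == 0: self.start = ts
            self.state += 1
            if self.state == len(self.episode):
                self.state, self.start = 0, None  # accept, then reset for the next occurrence
                return True
        return False

def count_occurrences(log, episode, window):
    """Support of an episode: number of in-window completions, tracked separately per source."""
    fsms = defaultdict(lambda: EpisodeFSM(episode, window))
    return sum(fsms[src].feed(ts, et) for ts, src, et in sorted(log))

def mine_episode_rules(log, length, window, min_support):
    """Frequent serial episodes of a given length: every ordering of event types with enough support."""
    types = sorted({et for _, _, et in log})
    return [ep for ep in permutations(types, length) if count_occurrences(log, ep, window) >= min_support]

def prevent(stream, rules, window):
    """Prevention stage: one FSM per (source, rule); a source is blocked the moment a rule completes."""
    fsms, blocked = {}, {}
    for ts, src, et in stream:
        if src in blocked: continue  # already repelled; later events from this source are dropped
        for rule in rules:
            if fsms.setdefault((src, rule), EpisodeFSM(rule, window)).feed(ts, et):
                blocked[src] = ts
                break
    return blocked
```

With a 10 s window and minimum support 2, only the episode null_session, share_enum, file_write is mined from the constructed log; in the live stream it blocks 10.0.0.21 at t=3, while 10.0.0.23's slow sequence expires and 10.0.0.22 never starts the episode.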

Related Topics: Physical Sciences and Engineering > Computer Science > Computer Networks and Communications