{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T11:26:44Z","timestamp":1763810804869,"version":"build-2065373602"},"reference-count":30,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2022,4,8]],"date-time":"2022-04-08T00:00:00Z","timestamp":1649376000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Zhejiang Province key R&amp;D Program","award":["2020C01078","2019C01012"],"award-info":[{"award-number":["2020C01078","2019C01012"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61902098"],"award-info":[{"award-number":["61902098"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Zhejiang Provincial Natural Science Foundation of China","award":["LY22F020022"],"award-info":[{"award-number":["LY22F020022"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Currently, hidden Markov-based multi-step attack detection models are mainly trained using the unsupervised Baum\u2013Welch algorithm. The Baum\u2013Welch algorithm is sensitive to the initial values of model parameters. However, its training uses random or average parameter initialization methods, which frequently results in the model training into a local optimum, thus, making the model unable to fit the alert logs well and thereby reducing the detection effectiveness of the model. To solve this issue, we propose a pre-training method for multi-step attack detection models based on the high semantic similarity of alerts in the same attack phase. The method first clusters the alerts based on their semantic information and pre-classifies the attack phase to which each alert belongs. Then, the distance of the alert vector to each attack stage is converted into the probability of generating alerts in each attack stage, replacing the initial value of Baum\u2013Welch. The effectiveness of the proposed method is evaluated using the DARPA 2000 dataset, DEFCON21 CTF dataset, and ISCXIDS 2012 dataset. The experimental results show that the hidden Markov multi-step attack detection method based on pre-training of the proposed model parameters had higher detection accuracy than the Baum\u2013Welch-based, K-means-based, and transfer learning differential evolution-based hidden Markov multi-step attack detection methods.<\/jats:p>","DOI":"10.3390\/s22082874","type":"journal-article","created":{"date-parts":[[2022,4,9]],"date-time":"2022-04-09T05:13:08Z","timestamp":1649481188000},"page":"2874","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":14,"title":["Multi-Step Attack Detection Based on Pre-Trained Hidden Markov Models"],"prefix":"10.3390","volume":"22","author":[{"given":"Xu","family":"Zhang","sequence":"first","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Ting","family":"Wu","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Qiuhua","family":"Zheng","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Liang","family":"Zhai","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Haizhong","family":"Hu","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Weihao","family":"Yin","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6294-4889","authenticated-orcid":false,"given":"Yingpei","family":"Zeng","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Chuanhui","family":"Cheng","sequence":"additional","affiliation":[{"name":"School of Information and Safety Engineering, Zhongnan University of Economics and Law, Wuhan 545001, China"}]}],"member":"1968","published-online":{"date-parts":[[2022,4,8]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Javadpour, A., Abharian, S.K., and Wang, G. (2017, January 12\u201315). Feature selection and intrusion detection in cloud environment based on machine learning algorithms. Proceedings of the 2017 IEEE International Symposium on Parallel and Distributed Processing with Applications and 2017 IEEE International Conference on Ubiquitous Computing and Communications (ISPA\/IUCC), Guangzhou, China.","DOI":"10.1109\/ISPA\/IUCC.2017.00215"},{"key":"ref_2","unstructured":"Dawkins, J., and Hale, J. (2004, January 9). A systematic approach to multi-stage network attack analysis. Proceedings of the Second IEEE International Information Assurance Workshop, Charlotte, NC, USA."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"214","DOI":"10.1016\/j.cose.2018.03.001","article-title":"A systematic survey on multi-step attack detection","volume":"76","author":"Navarro","year":"2018","journal-title":"Comput. Secur."},{"key":"ref_4","first-page":"244","article-title":"Alert correlation for extracting attack strategies","volume":"3","author":"Zhu","year":"2006","journal-title":"Int. J. Netw. Secur."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"174","DOI":"10.1504\/IJHPCN.2010.037791","article-title":"A novel technique of recognising multi-stage attack behaviour","volume":"6","author":"Wang","year":"2010","journal-title":"Int. J. High Perform. Comput. Netw."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1","DOI":"10.17706\/IJCCE.2016.5.1.1-10","article-title":"Alert correlation system with automatic extraction of attack strategies by using dynamic feature weights","volume":"5","author":"Wang","year":"2016","journal-title":"Int. J. Comput. Commun. Eng."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Ourston, D., Matzner, S., Stump, W., and Hopkins, B. (2003, January 6\u20139). Applications of hidden markov models to detecting multi-stage network attacks. Proceedings of the 36th Annual Hawaii International Conference on System Sciences, Big Island, HI, USA.","DOI":"10.1109\/HICSS.2003.1174909"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Luktarhan, N., Jia, X., Hu, L., and Xie, N. (2012). Multi-Stage Attack Detection Algorithm Based on Hidden Markov Model, Springer.","DOI":"10.1007\/978-3-642-33469-6_37"},{"key":"ref_9","first-page":"2316","article-title":"Architectures for detecting interleaved multi-stage network attacks using hidden Markov models","volume":"18","author":"Shawly","year":"2019","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Xu, M., Li, X., Ma, J.F., Zhong, C., and Yang, W. (2019, January 20\u201324). Detection of multi-stage attacks based on multi-layer long and short-term memory network. Proceedings of the ICC 2019\u20132019 IEEE International Conference on Communications (ICC), Shanghai, China.","DOI":"10.1109\/ICC.2019.8761487"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"102203","DOI":"10.1016\/j.cose.2021.102203","article-title":"Detecting multi-stage attacks using sequence-to-sequence model","volume":"105","author":"Zhou","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_12","unstructured":"Charan, P.S., Kumar, T.G., and Anand, P.M. Advance persistent threat detection using long short term memory (LSTM) neural networks. Proceedings of the International Conference on Emerging Technologies in Computer Engineering."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"108340","DOI":"10.1016\/j.comnet.2021.108340","article-title":"MIF: A multi-step attack scenario reconstruction and attack chains extraction method based on multi-information fusion","volume":"198","author":"Mao","year":"2021","journal-title":"Comput. Netw."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"1564","DOI":"10.1109\/LCOMM.2020.3048995","article-title":"Discovering Attack Scenarios via Intrusion Alert Correlation Using Graph Convolutional Networks","volume":"25","author":"Cheng","year":"2021","journal-title":"IEEE Commun. Lett."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Ramaki, A.A., Khosravi-Farmad, M., and Bafghi, A.G. (2015, January 8\u201310). Real time alert correlation and prediction using Bayesian networks. Proceedings of the 2015 12th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC), Rasht, Iran.","DOI":"10.1109\/ISCISC.2015.7387905"},{"key":"ref_16","unstructured":"Liu, J., Liu, B., Zhang, R., and Wang, C. Multi-step Attack Scenarios Mining Based on Neural Network and Bayesian Network Attack Graph. Proceedings of the International Conference on Artificial Intelligence and Security."},{"key":"ref_17","first-page":"374260","article-title":"The application of baum\u2013Welch algorithm in multistep attack","volume":"2014","author":"Zhang","year":"2014","journal-title":"Sci. World J."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"134","DOI":"10.1109\/TDSC.2017.2751478","article-title":"Real-time multistep attack prediction based on hidden markov models","volume":"17","author":"Holgado","year":"2017","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"99508","DOI":"10.1109\/ACCESS.2019.2930200","article-title":"Hidden Markov models and alert correlations for the prediction of advanced persistent threats","volume":"7","author":"Ghafir","year":"2019","journal-title":"IEEE Access"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"349","DOI":"10.1016\/j.future.2018.06.055","article-title":"Detection of advanced persistent threat using machine-learning correlation analysis","volume":"89","author":"Ghafir","year":"2018","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"101974","DOI":"10.1016\/j.cose.2020.101974","article-title":"Attack plan recognition using hidden Markov and probabilistic inference","volume":"97","author":"Li","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"257","DOI":"10.1109\/5.18626","article-title":"A tutorial on hidden Markov models and selected applications in speech recognition","volume":"77","author":"Rabiner","year":"1989","journal-title":"Proc. IEEE"},{"key":"ref_23","first-page":"126","article-title":"A gentle tutorial of the EM algorithm and its application to parameter estimation for Gaussian mixture and hidden Markov models","volume":"4","author":"Bilmes","year":"1998","journal-title":"Int. Comput. Sci. Inst."},{"key":"ref_24","unstructured":"Mikolov, T., Chen, K., Corrado, G., and Dean, J. (2013). Efficient estimation of word representations in vector space. arXiv."},{"key":"ref_25","unstructured":"Larue, P., Jallon, P., and Rivet, B. (September, January 29). Modified K-mean clustering method of HMM states for initialization of Baum\u2013Welch training algorithm. Proceedings of the 2011 19th European Signal Processing Conference, Barcelona, Spain."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"134480","DOI":"10.1109\/ACCESS.2020.3011293","article-title":"Learning to learn sequential network attacks using hidden Markov models","volume":"8","author":"Chadza","year":"2020","journal-title":"IEEE Access"},{"key":"ref_27","unstructured":"Zissman, M. (2022, February 21). DARPA Intrusion Detection Scenario Specific Data Sets. Available online: https:\/\/www.ll.mit.edu\/r-d\/datasets\/2000-darpa-intrusion-detection-scenario-specific-datasets."},{"key":"ref_28","unstructured":"(2022, February 21). DEFCON21 CTF Dataset. Available online: https:\/\/media.defcon.org\/DEF%20CON%2021\/."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1016\/j.cose.2011.12.012","article-title":"Toward developing a systematic approach to generate benchmark datasets for intrusion detection","volume":"31","author":"Shiravi","year":"2012","journal-title":"Comput. Secur."},{"key":"ref_30","unstructured":"Sadighian, A., Fernandez, J.M., Lemay, A., and Zargar, S.T. Ontids: A highly flexible context-aware and ontology-based alert correlation framework. Proceedings of the International Symposium on Foundations and Practice of Security."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/8\/2874\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:50:32Z","timestamp":1760136632000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/8\/2874"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,8]]},"references-count":30,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2022,4]]}},"alternative-id":["s22082874"],"URL":"https:\/\/doi.org\/10.3390\/s22082874","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2022,4,8]]}}}