Fuzzy Automaton as a Detection Mechanism for the Multi-Step Attack

Mohammad Almseidin, Imre Piller, Mouhammd Al-Kasassbeh, Szilveszter Kovacs


The integration of a fuzzy system and automaton theory can form the concept of fuzzy automaton. This integration allows a discretely defined state-machine to act on continuous universes and handle uncertainty in applications like Intrusion Detection Systems (IDS). The typical IDS detection mechanisms are targeted to detect and prevent single-stage attacks. These types of attacks can be detected using either a common convincing threshold or by pre-defined rules. However, attack techniques have changed in recent years. Currently, the largest proportion of attacks performed, are multi-step attacks. The goal of this paper is to introduce a novel detection mechanism for multi-step attacks built upon Fuzzy Rule Interpolation (FRI) based fuzzy automaton. In that respect, the FRI method instruments the fuzzy automaton to be able to act on a not fully defined state transition rule-base, by offering interpolated conclusion even for situations which are not explicitly defined. In the suggested model, the intrusion definition state transition rule-base is defined using an open source fuzzy declarative language. On the multi-step attack benchmark dataset introduced in this paper, the proposed detection mechanism was able to achieve 97.836% detection rate.  Furthermore, in the studied examples, the suggested method was able not only to detect but also early detect the multi-step attack in stages, where the planned attack is not fully elaborated and hence less harmful. According to these results, the IDS built upon the FRI based fuzzy automaton could be a useful device for detecting multi-step attacks, even in cases when the intrusion state transition rule-based is incomplete. The early detection of multi-step attacks also allows the administrator to take the necessary actions in time, to mitigate the potential threats.


Intrusion Detection System (IDS); fuzzy automaton; Fuzzy Rule Interpolation (FRI); multi-step attack.

Full Text:



C Yuan. Research on multi-step attack detection method based on GCT. Jilin University, Jilin, China, 2010.

Yanxue Zhang, Dongmei Zhao, and Jinxing Liu. The application of baum-welch algorithm in multistep attack. The Scientific World Journal, 2014.

Kaspersky. The cost of ddos attacks. , Kaspersky, B2B International, 2017.

Samaneh Rastegari, M Iqbal Saripan, and Mohd Fadlee A Rasid. Detection of denial of service attacks against domain name system using neural networks. In Proceedings of the World Congress on Engineering, Vol I WCE 2010, June 30 - July 2, 2010, London, U.K.

Salem Benferhat, Tayeb Kenaza, and Aicha Mokhtari. A naive bayes approach for detecting coordinated attacks. In Annual IEEE International Computer Software and Applications Conference, pages 704–709. IEEE, 2008.

Can Chen and BQ Yan. Network attack forecast algorithm for multistep attack. Computer Engineering, 5(37):172–174, 2011.

Chih-Fong Tsai, Yu-Feng Hsu, Chia-Ying Lin, and Wei-Yang Lin. Intrusion detection by machine learning: A review. Expert Systems with Applications, 36(10):11994–12000, 2009.

Mouhammd Alkasassbeh, Ghazi Al-Naymat, Ahmad BA Hassanat, and Mohammad Almseidin. Detecting distributed denial of service attacks using data mining techniques. International Journal of Advanced Computer Science and Applications, 7(1), 2016.

Mohammad Almseidin, Maen Alzubi, Szilveszter Kovacs, and Mouhammd Alkasassbeh. Evaluation of machine learning algorithms for intrusion detection system. In Intelligent Systems and Informatics (SISY), 2017 IEEE 15th International Symposium on, pages 000277– 000282. IEEE, 2017.

M. Almseidin and S. Kovacs. Intrusion detection mechanism using fuzzy rule interpolation. Journal of Theoretical and Applied Information Technology, 96(16):5473–5488, 2018.

R Shanmugavadivu and N Nagarajan. Network intrusion detection system using fuzzy logic. Indian Journal of Computer Science and Engineering (IJCSE), 2(1):101–111, 2011.

Xuejiao Liu, Debao Xiao, Ting Gu, Hui Xu, et al. Scenario recognition based on collaborative attack modeling in intrusion detection. In Proceedings of the International MultiConference of Engineers and Computer Scientists, volume 1, 2008.

Guy Helmer, Johnny Wong, Mark Slagell, Vasant Honavar, Les Miller, and Robyn Lutz. A software fault tree approach to requirements analysis of an intrusion detection system. Requirements Engineering, 7(4):207– 220, 2002.

Yanxin Wang, Smruti Ranjan Behera, Johnny Wong, Guy Helmer, Vasant Honavar, Les Miller, Robyn Lutz, and Mark Slagell. Towards the automatic generation of mobile agents for distributed intrusion detection system. Journal of Systems and Software, 79(1):1–14, 2006.

Fred eric Cuppens, Fabien Autrel, Alexandre Miege, Salem Benferhat, et al. Recognizing malicious intention in an intrusion detection process. In HIS, pages 806–817, 2002.

Ashvin Alagiya, Hiren Joshi, and Ashish Jani. Performance analysis and enhancement of utm device in local area network. International Journal of Modern Education and Computer Science, 5(10):43, 2013.

Do-hyeon Lee, Doo-young Kim, and Jae-il Jung. Multi-stage intrusion detection system using hidden markov model algorithm. In Information Science and Security, 2008. ICISS. International Conference on, pages 72–77. IEEE, 2008.

Dirk Ourston, Sara Matzner, William Stump, and Bryan Hopkins. Applications of hidden markov models to detecting multi-stage network attacks. In System Sciences, 2003. Proceedings of the 36th Annual Hawaii International Conference on, pages 10–pp. IEEE, 2003.

Joel Branch, Alan Bivens, Chi-Yu Chan, Taek Kyeun Lee, and Boleslaw K Szymanski. Denial of service intrusion detection using time-dependent deterministic finite automata. In Proc. Graduate Research Conference, pages 45–51, 2002.

Juan J Flores, Anastacio Antolino, Juan M Garcia, and Felix Calderon Solorio. Hybrid network anomaly detection–learning hmms through evolutionary computation — Iconcept Press Ltd., 2012.

Mrs. Manisha Bharati and Santosh Lomte. A survey on hidden Markov model (hmm) based intention prediction techniques. International Journal of Engineering Research and Applications, 6(1):167–172, 2016.

Shrijit S Joshi and Vir V Phoha. Investigating hidden Markov models capabilities in anomaly detection. In Proceedings of the 43rd annual Southeast regional conference-Volume 1, pages 98–103. ACM, 2005.

DARPA Datasets. Mit lincoln laboratory, darpa intrusion detection evaluation data sets, 2000.

Nagaraju Devarakonda, Srinivasulu Pamidi, V Valli Kumari, and A Govardhan. Integrated Bayes network and hidden Markov model for host-based ids. International Journal of Computer Applications, 41(20), 2012.

Stephen D Bay, Dennis Kibler, Michael J Pazzani, and Padhraic Smyth. The uci kdd archive of large data sets for data mining research and experimentation. ACM SIGKDD explorations newsletter, 2(2):81–85, 2000.

AS Aneetha and S Bose. A probabilistic approach for intrusion detection system-fomc technique. In Advanced Computing (ICoAC), Sixth International Conference on pages 178–183. IEEE, 2014.

Nagaraju Devarakonda, Srinivasulu Pamidi, V Valli Kumari, and A Govardhan. Intrusion detection system using bayesian network and hidden markov model. Procedia Technology, 4:506–514, 2012. [Online]. Available: https://doi.org/10.1016/j.protcy.2012.05.081.

Uttam Adhikari, Thomas H Morris, and Shengyi Pan. Applying nonnested generalized exemplars classification for cyber-power event and intrusion detection. IEEE Transactions on Smart Grid, 2016.

IBM. Behavior modeling with state machine and activity diagrams. KTH Royal Institute of Technology in Stockholm, 2008.

Mor Vered. Finite state machines. Benson Idahosa University, 2008.

John E Hopcroft, Rajeev Motwani, and Jeffrey D Ullman. Automata theory, languages, and computation. International Edition, 24, 2006.

R Sekar, Mugdha Bendre, Dinakar Dhurjati, and Pradeep Bollineni. A fast automaton-based method for detecting anomalous program behaviors. In sp, page 0144. IEEE, 2001.

J. Treurniet. A finite state machine algorithm for detecting TCP anomalies: An examination of the 1999 DARPA intrusion detection evaluation data set. Defense R&D Canada-Ottawa, 2005.

Zong-Fen Han, Jian-Ping Zou, Hai Jin, Yan-Ping Yang, and Jian-Hua Sun. Intrusion detection using adaptive time-dependent finite automata. In Machine Learning and Cybernetics, 2004. Proceedings of 2004 International Conference on, volume 5, pages 3040–3045. IEEE, 2004.

Giovanni Vigna and Richard A Kemmerer. Netstat: A network-based intrusion detection approach. In Computer Security Applications Conference, 1998. Proceedings. 14th Annual, pages 25–34. IEEE, 1998.

A Gemona, I Duncan, and A Miller. Nemesi: Using a tcp finite state machine against tcp syn flooding attacks. University of St Andrews, 2006.

Rahul Kumar Singh and Ajay Guide Kumar. Conversion of Fuzzy Regular Expressions to Fuzzy Automata using the Follow Automata. Ph.D. thesis, Thapar University, 2014.

Mansoor Doostfatemeh and Stefan C Kremer. New directions in fuzzy automata. International Journal of Approximate Reasoning, 38(2):175– 214, 2005.

Szilveszter Kovacs, David Vincze, Marta Gacsi, Adam Miklosi, and Peter Korondi. Ethologically inspired robot behavior implementation. In Human System Interactions (HSI), 4th International Conference on, IEEE, pages 64–69, 2011.

Szilveszter Kovacs. New aspects of interpolative reasoning. In Proceedings of the 6th. International Conference on Information Processing and Management of Uncertainty in Knowledge-Based Systems, Granada, Spain, pages 477–482, 1996.

Szilveszter Kovacs and László Kóczy. The use of the concept of vague environment in approximate fuzzy reasoning. Fuzzy Set Theory and Applications, Tatra Mountains Mathematical Publications, Mathematical Institute Slovak Academy of Sciences, Bratislava, Slovak Republic, 12:169–181, 1997.

Szilveszter Kovacs and László Kóczy. Approximate fuzzy reasoning based on interpolation in the vague environment of the fuzzy rule base. In Intelligent Engineering Systems, Proceedings, IEEE International Conference on, pages 63–68. IEEE, 1997.

Szilveszter Kovacs. Fuzzy rule interpolation. In Encyclopedia of Artificial Intelligence, pages 728–733. IGI Global, 2009.

Alireza Shameli Sendi, Michel Dagenais, Masoume Jabbarifar, and Mario Couture. Real-time intrusion prediction based on optimized alerts with hidden Markov model. JNW, 7(2):311–321, 2012.

Andre Arnes, Fredrik Valeur, Giovanni Vigna, and Richard A Kem-merer. Using hidden Markov models to evaluate the risks of intrusions. In International Workshop on Recent Advances in Intrusion Detection, pages 145–164. Springer, 2006. [Online]. Available: https://doi.org/10.1007/11856214_8

Opeyemi Osanaiye, Haibin Cai, Kim-Kwang Raymond Choo, Ali Dehghantanha, Zheng Xu, and Mqhele Dlodlo. Ensemble-based multifilter feature selection method for ddos detection in cloud computing. EURASIP Journal on Wireless Communications and Networking, 2016(1):130, 2016..

Imre Piller, David Vincze, and Szilveszter Kovacs. Declarative language for behaviour description. In Emergent Trends in Robotics and Intelligent Systems, pages 103–112. Springer, 2015. [Online]. Available: https://doi.org/10.1007/978-3-319-10783-7_11.

Imre Piller. The simulation environment. http://mat76.mat.uni-miskolc. hu/∼imre/fbdl/simulator.html.

Aleksandar Lazarevic, Vipin Kumar, and Jaideep Srivastava. Intrusion detection: A survey. In Managing Cyber Threats, pages 19–78. Springer, 2005.

DOI: http://dx.doi.org/10.18517/ijaseit.9.2.7591


  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development