New goal recognition algorithms using attack graphs

Abstract

Goal recognition is the task of inferring the goal of an actor given its observed actions. Attack graphs are a common representation of assets, vulnerabilities, and exploits used for analysis of potential intrusions in computer networks. This paper introduces new goal recognition algorithms on attack graphs. The main challenges involving goal recognition in cyber security include dealing with noisy and partial observations as well as the need for fast, near-real-time performance. To this end we propose improvements to existing planning-based algorithms for goal recognition, reducing their time complexity and allowing them to handle noisy observations. We also introduce two new metric-based algorithms for goal recognition. Experimental results show that the metric based algorithms improve performance when compared to the planning based algorithms, in terms of accuracy and runtime, thus enabling goal recognition to be carried out in near-real-time. These algorithms can potentially improve both risk management and alert correlation mechanisms for intrusion detection.