A Logical Framework for Plan Recognition for Intrusion Detection

This document describes the results of our work during the first two years of our PhD. studies. The aim of our PhD. thesis is the development of a methodology for automated intrusion detection based on attack plan recognition, and therefore, the design of a general framework for the characterization and theoretical investigation of the plan recognition problem in adversarial scenarios. In the AI literature, the term plan recognition refers to the process of inferring agent goals from observed actions. Knowing the plan an agent is pursuing is important for several reasons. It allows us to predict actions the agent might take in the future, and aid or hamper the agent by suggesting or even taking action alternatives. Plan recognition is useful in many application areas, such as, for example, discourse analysis in natural language question answering systems, story understanding, intelligent human-computer interfaces, and multi-agent coordination. Another challenging application area, from our perspective, is computer security, in particular intrusion detection. We believe that the ability to recognize intrusion scenarios as soon as they start, in conjunction with the prediction of attacker’s future actions, will help increase the security level of computer systems and limit the damages caused by the intrusion. Given a set of observations, a plan recognition system typically searches a space of possible plan hypotheses for candidate plans and goals that account for the observations. The search space is defined using a plan library, which is an explicit representation of plans potentially executed and goals potentially pursued by the observed agent. The recognizer matches observations to specific plan steps in the library, and tries to infer the plan that the observed agent is actually executing and the sequence of actions that constitute the plan the observed agent tries to follow. Despite the advantage of having a rich expressiveness, the use of a plan library has several limitations. First, plans not appearing in the library cannot be recognized. Moreover, acquiring and encoding the plan library is a