Predicting Next Phases of Multi-Stage Network Attacks: A Comparative Study of Statistical and Deep-Learning Models

Severin, A; Canales C.; Torres, R; Roudergue, C; Salas R.

Keywords: hidden markov models, machine learning, random forest, deep learning, Cybersecurity, Multi-stage Network Attack, Long-Short Term Memory

Abstract

Multi-Stage Network Attacks (MSNAs) are complex, coordinated sequences of malicious activities that can unfold over extended periods, lasting hours, days, or even months. Detecting and mitigating these attacks is challenging due to their prolonged nature, and the cost of defense increases significantly depending on the stage at which the attack is detected. Organizations often face multiple concurrent MSNAs, and limited resources necessitate a strategic approach to prioritize threats, particularly those closest to their final stages. This study investigates existing methodologies for predicting the next phase of an already detected MSNA attack. We evaluate three distinct models—Hidden Markov Models (HMM), Random Forest (RF), and Long Short-Term Memory (LSTM) networks—using two well-known datasets, DARPA and CTF22, to analyze attack sequences and intrusion detection system (IDS) alert data. Our comparative analysis of the models’ predictive performance, based on the F1 score, shows that HMM performed best (67.5%) on the DARPA dataset, while RF excelled on the CTF dataset (75.1%). These findings provide valuable insights for prioritizing responses to critical network threats and improving the strategic allocation of defensive resources. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

More information

Title according to WOS: Predicting Next Phases of Multi-Stage Network Attacks: A Comparative Study of Statistical and Deep-Learning Models
Title according to SCOPUS: Predicting Next Phases of Multi-Stage Network Attacks: A Comparative Study of Statistical and Deep-Learning Models
Journal title: Lecture Notes in Computer Science
Publisher: Springer Science and Business Media Deutschland GmbH
Publication date: 2025
First page: 219
Last page: 232
Language: English
DOI: 10.1007/978-3-031-76604-6_16

Notes: ISI, SCOPUS