A performance overview of machine learning-based defense strategies for advanced persistent threats in industrial control systems

Abstract

Cybersecurity incident response is a very crucial part of the cybersecurity management system. Adversaries emerge and evolve with new cybersecurity tactics, techniques, and procedures (TTPs). It is essential to detect the TTPs in a timely manner to respond effectively and mitigate the vulnerabilities to secure business operations. This research focuses on TTP identification and detection based on a machine learning approach. Early identification and detection are paramount in protecting, responding to, and recovering from such adversarial attacks. Analyzing use cases is a critical tool to ensure proper and in-depth evaluation of sector-specific cybersecurity challenges. In this regard, this study investigates existing known methodologies for cyber-attacks such as Mitre attacks, and developed a method for identifying threat cases. In addition, Windows-based threat cases are implemented, comprehensive datasets are generated, and supervised machine learning models are applied to detect threats effectively and efficiently. Random forest outperforms other models with the highest accuracy of 99%. Future work can be done for generating threat cases based on multiple log sources, including network security and endpoint protection device, and achieve high accuracy by removing false positives using machine learning. Similarly, real-time threat detection is also envisioned for future work.