Abstract

Cyber deception technology plays an important role in monitoring attackers' activities and detecting new attack types. However, in a deceptive environment, low-risk attack traffic such as scanning makes up a large share of the captured traffic and acts as noise. As a result, high-risk traffic that is actually present may be overlooked, or the accuracy of the traffic analysis algorithm may be reduced, causing significant difficulties in intrusion detection and analysis. In this study, we propose a model that identifies the ordinal-scale risk of each source IP in traffic generated by a deceptive environment and filters it accordingly. Rather than classifying specific attack types, the model aims to quickly separate low-risk attacks, including the information gathering and scanning that are performed widely and repeatedly, from high-risk attacks. Most existing studies on deception-based Cyber Threat Intelligence (CTI) generation have been limited in their applicability to real-world environments because their data labeling, learning, and detection processes rely on AI algorithms that consume significant amounts of time and computing resources. Here, the Naive Bayes discriminant analysis-based ordinal-scale classification model showed higher accuracy for low-risk attack classification while consuming significantly fewer resources than the models presented in other studies. The accuracy of current deceptive-environment traffic analysis research may be enhanced by filtering low-risk traffic in a preprocessing step.
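The abstract describes a Naive Bayes model that assigns a risk level to each source IP seen in deception-environment traffic so that low-risk sources (scanners, information gatherers) can be filtered out before heavier analysis. The following is an added illustration, not the paper's code or data: a plain Gaussian Naive Bayes classifier (the paper's discriminant-analysis variant is not reproduced) trained on constructed per-source-IP feature vectors, then applied to a constructed batch of honeypot flow records. The feature set (distinct destination ports, mean bytes sent by the source, fraction of flows with an authentication attempt), the training rows, and the sample IPs are all assumptions made for the example.

```python
"""Naive Bayes pre-filter for deception-environment (honeypot) traffic.

Added illustration, not the paper's code: a Gaussian Naive Bayes classifier
trained on constructed per-source-IP feature vectors, then used to tag each
source IP in a batch of constructed flow records as low-risk (scanning /
information gathering) or high-risk, so low-risk sources can be dropped
before more expensive analysis runs.
"""
import math
from collections import defaultdict

# Constructed training data (hypothetical, not from the paper): one row per
# source IP with features (distinct_ports, mean_bytes_sent, auth_attempt_ratio).
TRAINING = [
    ((120, 0.0, 0.00), "low"),
    ((300, 5.0, 0.00), "low"),
    ((45, 2.0, 0.05), "low"),
    ((900, 0.0, 0.00), "low"),
    ((60, 10.0, 0.10), "low"),
    ((2, 850.0, 0.90), "high"),
    ((1, 1200.0, 1.00), "high"),
    ((3, 400.0, 0.60), "high"),
    ((1, 2300.0, 0.80), "high"),
    ((4, 650.0, 0.70), "high"),
]

VAR_FLOOR = 1e-6  # keeps a zero-variance feature from producing log(0)


def train(rows):
    """Return {label: (prior, [means], [variances])} for Gaussian NB."""
    by_label = defaultdict(list)
    for features, label in rows:
        by_label[label].append(features)
    model = {}
    n_total = len(rows)
    for label, vecs in by_label.items():
        n_feat = len(vecs[0])
        means = [sum(v[i] for v in vecs) / len(vecs) for i in range(n_feat)]
        variances = [
            sum((v[i] - means[i]) ** 2 for v in vecs) / len(vecs) + VAR_FLOOR
            for i in range(n_feat)
        ]
        model[label] = (len(vecs) / n_total, means, variances)
    return model


def log_posteriors(model, x):
    """Unnormalised log P(label | x) for each label (Gaussian likelihoods)."""
    out = {}
    for label, (prior, means, variances) in model.items():
        lp = math.log(prior)
        for xi, mu, var in zip(x, means, variances):
            lp += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
        out[label] = lp
    return out


def classify(model, x):
    """Return (label, posterior probability of that label)."""
    lps = log_posteriors(model, x)
    top = max(lps, key=lps.get)
    # log-sum-exp normalisation, shifted by the best score for stability
    norm = math.log(sum(math.exp(v - lps[top]) for v in lps.values())) + lps[top]
    return top, math.exp(lps[top] - norm)


def features_per_source(flows):
    """Aggregate flow records into per-source-IP feature vectors.

    Each flow is (src_ip, dst_port, bytes_sent_by_source, auth_attempted).
    """
    per_ip = defaultdict(list)
    for src, port, nbytes, auth in flows:
        per_ip[src].append((port, nbytes, auth))
    result = {}
    for src, recs in per_ip.items():
        distinct_ports = len({p for p, _, _ in recs})
        mean_bytes = sum(b for _, b, _ in recs) / len(recs)
        auth_ratio = sum(1 for _, _, a in recs if a) / len(recs)
        result[src] = (distinct_ports, mean_bytes, auth_ratio)
    return result


def prefilter(model, flows):
    """Return {src_ip: (label, confidence)}; callers drop the 'low' entries."""
    return {src: classify(model, x) for src, x in features_per_source(flows).items()}


# Constructed sample batch: one source sweeping 40 ports with empty probes,
# and one source repeatedly hitting SSH with payload and login attempts.
SAMPLE_FLOWS = [("198.51.100.7", port, 0, False) for port in range(1, 41)] + [
    ("203.0.113.50", 22, 900, True) for _ in range(6)
] + [("203.0.113.50", 22, 1500, True) for _ in range(2)]

if __name__ == "__main__":
    model = train(TRAINING)
    for src, (label, conf) in prefilter(model, SAMPLE_FLOWS).items():
        print(f"{src:15s} {label:4s} p={conf:.3f}")
```

Per-source aggregation is what makes this cheap: the classifier sees one small vector per IP rather than every packet, which is the resource argument the abstract makes. In practice the feature means and variances should be re-estimated as the honeypot's labelled history grows, and a source tagged "low" should be dropped only from the expensive analysis path, not from retention, so the decision can be revisited if that IP later escalates.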
