Abstract

The sophistication of cyberattacks penetrating enterprise networks has called for predictive defense beyond intrusion detection, where different attack strategies can be analyzed and used to anticipate the next malicious actions, especially the unusual ones. Unfortunately, traditional predictive analytics or machine learning techniques that require training data of known attack strategies are not practical, given the scarcity of representative data and the evolving nature of cyberattacks. This paper describes the design and evaluation of a novel automated system, ASSERT, which continuously synthesizes and separates cyberattack behavior models to enable better prediction of future actions. It takes streaming malicious event evidence as input, abstracts it into edge-based behavior aggregates, and associates the edges with attack models, each of which represents a unique and collective attack behavior. It follows a dynamic Bayesian model-generation approach to determine when a new attack behavior is present, and creates new attack models by maximizing a cluster validity index. ASSERT generates empirical attack models by separating evidence and uses the generated models to predict unseen future incidents. It continuously evaluates the quality of the model separation and triggers a re-clustering process when needed. Using 2017 National Collegiate Penetration Testing Competition data, this work demonstrates the effectiveness of ASSERT in terms of the quality of the generated empirical models and the predictability of future actions using those models.

Highlights

  • As new system vulnerabilities are discovered and attack tools become even more prevalent, cyber attackers may employ a variety of evolving strategies with a plethora of exploits

  • Model shuffling via DBSCAN: ASSERT monitors the quality of the classification continuously by referencing the Wemmert-Gancarski Index (WGI)

  • The use of pair-wise Jensen-Shannon divergence (JSD) between observable aggregates allows re-clustering with DBSCAN, which enables improvement of and recovery from imperfect decisions made earlier by the dynamic Bayesian classifier on insufficient evidence
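The JSD-plus-DBSCAN re-clustering step described in the last highlight, as an added illustration that is not the ASSERT authors' code: pairwise Jensen-Shannon divergence is computed between constructed behaviour aggregates, and DBSCAN then runs over that precomputed distance table, so near-identical aggregates land in one cluster while an aggregate unlike all others is flagged as noise. The alert categories, the aggregate values, and the eps/min_pts settings are assumptions made for this example.

```python
import math
from itertools import combinations
# Constructed sample: each observable aggregate is a distribution over five
# hypothetical alert categories (recon, brute force, web exploit, lateral, exfil).
AGGREGATES = {
    "edge-A": [0.70, 0.20, 0.05, 0.03, 0.02],
    "edge-B": [0.65, 0.25, 0.05, 0.03, 0.02],
    "edge-C": [0.05, 0.05, 0.60, 0.20, 0.10],
    "edge-D": [0.04, 0.06, 0.55, 0.25, 0.10],
    "edge-E": [0.02, 0.03, 0.05, 0.10, 0.80],  # behaviour unlike the others
}

def jsd(p, q):
    """Jensen-Shannon divergence, base 2, so the result lies in [0, 1]."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def pairwise_jsd(aggs):
    names = list(aggs)
    dist = {(n, n): 0.0 for n in names}  # symmetric table keyed by (name, name)
    for a, b in combinations(names, 2):
        dist[(a, b)] = dist[(b, a)] = jsd(aggs[a], aggs[b])
    return dist

def dbscan(names, dist, eps, min_pts):
    """Minimal DBSCAN on a precomputed distance table; label -1 marks noise."""
    labels, cluster = {}, 0
    for n in names:
        if n in labels:
            continue
        if sum(dist[(n, m)] <= eps for m in names) < min_pts:
            labels[n] = -1  # noise for now; may become a border point later
            continue
        labels[n] = cluster
        queue = [m for m in names if dist[(n, m)] <= eps]
        while queue:
            m = queue.pop()
            if labels.get(m, -1) != -1:
                continue  # already assigned to a cluster
            labels[m] = cluster
            reach = [k for k in names if dist[(m, k)] <= eps]
            if len(reach) >= min_pts:  # m is a core point: keep expanding
                queue.extend(k for k in reach if labels.get(k, -1) == -1)
        cluster += 1
    return labels

def recluster(aggs, eps=0.1, min_pts=2):  # eps/min_pts are assumed, not the paper's
    return dbscan(list(aggs), pairwise_jsd(aggs), eps, min_pts)
```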


Summary

Introduction

As new system vulnerabilities are discovered and attack tools become even more prevalent, cyber attackers may employ a variety of evolving strategies with a plethora of exploits. Imagine a system that can process a significant volume of observables produced by intrusion detection systems, and continuously synthesize and update a manageable set of ‘empirical attack models’ that reflect the different ‘how’, ‘where’, and ‘what’ of the attack activities present in the network. Such a system would assist security analysts in prioritizing and anticipating critical attacks, offering a robust predictive cyber defense even in the presence of evolving and diverse cyberattack tactics. This differs from many previous studies in which similar observables are ‘clustered’ together to identify similarly behaving end hosts (Xu et al 2011) or traffic flows (McGregor et al 2004; Shadi et al 2017; Song and Chen 2007).

