Abstract

Accurate prediction of cyberattacks has long been desired, because detection methods cannot prevent the damage caused once an attack occurs. Attack prediction remains an open issue, especially specifying the upcoming steps of an attack, given the quickly evolving intelligent techniques on the attackers’ side. This study proposes a composite learning approach, CL-AP2, which fulfills this task in two phases, “attack portraying” and “attack prediction”: (1) (Attack Portraying) CL-AP2 generates a Temporal Attack Knowledge Graph (TAKG) from real-time system logs, providing full knowledge that formulates the time-aware entities related to attacks and the relations amongst them; over the TAKG, a Tactic-based Cyber Kill Chain (TCKC) model highlights the attacker’s portrait by evaluating past behaviors, i.e., presenting the tactical path and attack steps taken by the attacker; (2) (Attack Prediction) the Soft Actor-Critic algorithm is applied to identify the most likely attack trajectory confined within the attack portrait; the transformer model finally derives the specific attack technique to be taken next. Experiments were performed against state-of-the-art counterparts on a public dataset, and the results indicate that: (1) CL-AP2 can effectively reveal the tactical path taken by the attacker and form a complete portrait of the attack; and (2) CL-AP2 excels in predicting the attack techniques to be taken by attackers and in providing defense guidance against the predicted attacks.
