Abstract

Recently, sophisticated attacks on cyberspace have occurred frequently, causing severe damage to the Internet. Predicting potential threats can help security engineers deploy corresponding defenses in advance to reduce the damage, so threat prediction has recently drawn attention in the community. Previous works used only historical security event sequences to predict the subsequent event with a recurrent neural network (RNN), yielding inaccurate results when the input sequence is corrupted by false reports from underlying detection logs. In this paper, we develop a joint predictor for security events and time intervals using an attention-based LSTM (Long Short-Term Memory). To improve event prediction performance on corrupted input sequences, the time intervals between events are incorporated into the input tuple, providing more distinguishing features. Moreover, a time discretization method is proposed to transform the skewed, long-tailed dwell time distribution into a predictable distribution of the time interval. In addition, the joint optimization function enables the model to predict the occurrence time of the next event simultaneously, which helps security managers select appropriate defenses. Our model is shown to be effective on four real-world datasets, outperforming previous methods on both event and time prediction. Moreover, the empirical results also validate the model’s stability.
