Abstract

A multi-step attack scenario consisting of more than one attack step is difficult to predict because of the variety of attack steps and their complex combinations. Multi-step attack scenarios occurring simultaneously construct a mixed attack scenario, which is more common than a single attack scenario in practical systems. However, most existing multi-step attack prediction approaches focus only on a single attack scenario. In this paper, a framework, MMSP, is proposed for multi-step attack prediction in mixed scenarios. MMSP fractionates alerts by separating them into different scenarios and removing redundant samples. The attack scenario fingerprint database of MMSP is built by modeling the attack steps of different scenarios with the long short-term memory (LSTM) model; each scenario corresponds to one LSTM model. A scenario matching method is also proposed to find, in the database, the potential attack scenarios hiding in the real-time alerts. Finally, MMSP feeds the fractionated alerts into the matched scenarios' LSTM models to predict attack steps. Extensive evaluations on real-world datasets show that MMSP outperforms the state-of-the-art attack step prediction model in both single and mixed scenarios. MMSP achieves a 14.3%-38.1% improvement in accuracy for attack step prediction in the single scenario. In particular, MMSP maintains a high level of accuracy in mixed attack scenarios.
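The pipeline the abstract describes (fractionate alerts into scenarios and drop redundant samples, match each candidate sequence against a fingerprint database, then predict the next step with the matched scenario's model) can be sketched end to end on a toy alert stream. The following is an added illustration written for this page, not code from the paper or the MMSP authors: the alerts, the two fingerprints and the `(src, dst)` grouping rule are constructed assumptions, and a per-scenario first-order transition table stands in for the per-scenario LSTM the paper trains, so the shape of the workflow is what it demonstrates, not the paper's model.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample alerts (timestamp, src, dst, signature); not from the paper's dataset.
# Two attack scenarios are interleaved, plus one pair of hosts that matches nothing.
ALERTS = [
    (1, "10.0.0.5", "10.0.1.9", "PORT_SCAN"),
    (2, "10.0.0.5", "10.0.1.9", "PORT_SCAN"),       # redundant sample
    (3, "10.0.0.7", "10.0.2.3", "SQL_INJECTION"),
    (4, "10.0.0.5", "10.0.1.9", "BRUTE_FORCE"),
    (5, "10.0.0.7", "10.0.2.3", "SQL_INJECTION"),   # redundant sample
    (6, "10.0.0.7", "10.0.2.3", "WEBSHELL_UPLOAD"),
    (7, "10.0.0.9", "10.0.3.1", "DNS_ANOMALY"),     # belongs to no known scenario
]

# Constructed fingerprint database: scenario name -> ordered attack steps.
FINGERPRINTS: Dict[str, List[str]] = {
    "lateral_movement": ["PORT_SCAN", "BRUTE_FORCE", "PRIV_ESC", "LATERAL_MOVE"],
    "web_compromise": ["SQL_INJECTION", "WEBSHELL_UPLOAD", "DATA_EXFIL"],
}

Key = Tuple[str, str]


def fractionate(alerts) -> Dict[Key, List[str]]:
    """Separate alerts into candidate scenarios keyed by (src, dst) and drop
    redundant samples (the same signature repeated consecutively for one pair).
    The (src, dst) key is an assumed grouping rule, not the paper's."""
    sequences: Dict[Key, List[str]] = defaultdict(list)
    for _ts, src, dst, sig in sorted(alerts):
        seq = sequences[(src, dst)]
        if not seq or seq[-1] != sig:
            seq.append(sig)
    return dict(sequences)


def lcs_len(a: List[str], b: List[str]) -> int:
    """Length of the longest common subsequence; order-aware similarity of step lists."""
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            dp[i][j] = dp[i - 1][j - 1] + 1 if x == y else max(dp[i - 1][j], dp[i][j - 1])
    return dp[len(a)][len(b)]


def match_scenario(seq: List[str], fingerprints=FINGERPRINTS, min_score=0.5) -> Optional[str]:
    """Return the fingerprint whose ordered steps best cover the observed sequence,
    or None when no scenario explains at least min_score of the observed steps."""
    best, best_score = None, 0.0
    for name, steps in fingerprints.items():
        score = lcs_len(seq, steps) / len(seq)
        if score > best_score:
            best, best_score = name, score
    return best if best_score >= min_score else None


def build_models(fingerprints=FINGERPRINTS) -> Dict[str, Dict[str, Counter]]:
    """One next-step model per scenario. A transition table stands in here for
    the per-scenario LSTM of the paper; the interface (sequence in, step out) is the same."""
    models = {}
    for name, steps in fingerprints.items():
        table: Dict[str, Counter] = defaultdict(Counter)
        for cur, nxt in zip(steps, steps[1:]):
            table[cur][nxt] += 1
        models[name] = table
    return models


def predict_next(model: Dict[str, Counter], seq: List[str]) -> Optional[str]:
    """Most likely step after the last observed one; None if the model has no successor."""
    last = seq[-1]
    if last not in model:
        return None
    return model[last].most_common(1)[0][0]


def predict(alerts, fingerprints=FINGERPRINTS) -> Dict[Key, Tuple[Optional[str], Optional[str]]]:
    """Full pipeline: fractionate -> match scenario -> predict with that scenario's model."""
    models = build_models(fingerprints)
    results = {}
    for key, seq in fractionate(alerts).items():
        scenario = match_scenario(seq, fingerprints)
        nxt = predict_next(models[scenario], seq) if scenario else None
        results[key] = (scenario, nxt)
    return results


if __name__ == "__main__":
    for key, (scenario, nxt) in predict(ALERTS).items():
        print(key, "->", scenario, "next:", nxt)
```

The point the mixed-scenario setting adds is visible in the output: the two interleaved attacks are routed to different models and each gets its own next-step prediction, while the host pair that matches no fingerprint is reported as unknown rather than forced into the wrong scenario. Replacing the transition table with a trained sequence model per scenario leaves the rest of the pipeline unchanged.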
