3 articles found
1. ASSERT: attack synthesis and separation with entropy redistribution towards predictive cyber defense (cited by: 2)
Authors: Ahmet Okutan, Shanchieh Jay Yang. Cybersecurity (CSCD), 2019, Issue 1, pp. 253-270 (18 pages)
The sophistication of cyberattacks penetrating into enterprise networks has called for predictive defense beyond intrusion detection, where different attack strategies can be analyzed and used to anticipate next malicious actions, especially the unusual ones. Unfortunately, traditional predictive analytics or machine learning techniques that require training data of known attack strategies are not practical, given the scarcity of representative data and the evolving nature of cyberattacks. This paper describes the design and evaluation of a novel automated system, ASSERT, which continuously synthesizes and separates cyberattack behavior models to enable better prediction of future actions. It takes streaming malicious event evidences as inputs, abstracts them to edge-based behavior aggregates, and associates the edges to attack models, where each represents a unique and collective attack behavior. It follows a dynamic Bayesian-based model generation approach to determine when a new attack behavior is present, and creates new attack models by maximizing a cluster validity index. ASSERT generates empirical attack models by separating evidences and uses the generated models to predict unseen future incidents. It continuously evaluates the quality of the model separation and triggers a re-clustering process when needed. Through the use of 2017 National Collegiate Penetration Testing Competition data, this work demonstrates the effectiveness of ASSERT in terms of the quality of the generated empirical models and the predictability of future actions using the models.
Keywords: Cyber security; Dynamic Bayesian classifier; Clustering; KL divergence
2. Forecasting cyberattacks with incomplete, imbalanced, and insignificant data (cited by: 1)
Authors: Ahmet Okutan, Gordon Werner, Shanchieh Jay Yang, Katie McConky. Cybersecurity, 2018, Issue 1, pp. 263-278 (16 pages)
Having the ability to forecast cyberattacks before they happen will unquestionably change the landscape of cyber warfare and cyber crime. This work predicts specific types of attacks on a potential victim network before the actual malicious actions take place. The challenge to forecasting cyberattacks is to extract relevant and reliable signals to treat sporadic and seemingly random acts of adversaries. This paper builds on multi-faceted machine learning solutions and develops an integrated system to transform large volumes of public data to aggregate signals with imputation that are relevant and predictive of cyber incidents. A comprehensive analysis of the individual parts and the integrated whole demonstrates the effectiveness and trade-offs of the proposed approach. Using 16 months of reported cyber incidents by an anonymized victim organization, the integrated approach achieves up to 87%, 90%, and 96% AUC for forecasting endpoint-malware, malicious-destination, and malicious-email attacks, respectively. When assessed month-by-month, the proposed approach shows robustness to perform consistently well, achieving F-Measure between 0.6 and 1.0. The framework also enables an examination of which unconventional signals are meaningful for cyberattack forecasting.
Keywords: Cyber security; Forecasting; Unconventional signals
3. ASSERT: attack synthesis and separation with entropy redistribution towards predictive cyber defense
Authors: Ahmet Okutan, Shanchieh Jay Yang. Cybersecurity, 2018, Issue 1, pp. 528-545 (18 pages)
The sophistication of cyberattacks penetrating into enterprise networks has called for predictive defense beyond intrusion detection, where different attack strategies can be analyzed and used to anticipate next malicious actions, especially the unusual ones. Unfortunately, traditional predictive analytics or machine learning techniques that require training data of known attack strategies are not practical, given the scarcity of representative data and the evolving nature of cyberattacks. This paper describes the design and evaluation of a novel automated system, ASSERT, which continuously synthesizes and separates cyberattack behavior models to enable better prediction of future actions. It takes streaming malicious event evidences as inputs, abstracts them to edge-based behavior aggregates, and associates the edges to attack models, where each represents a unique and collective attack behavior. It follows a dynamic Bayesian-based model generation approach to determine when a new attack behavior is present, and creates new attack models by maximizing a cluster validity index. ASSERT generates empirical attack models by separating evidences and uses the generated models to predict unseen future incidents. It continuously evaluates the quality of the model separation and triggers a re-clustering process when needed. Through the use of 2017 National Collegiate Penetration Testing Competition data, this work demonstrates the effectiveness of ASSERT in terms of the quality of the generated empirical models and the predictability of future actions using the models.
Keywords: Cyber security; Dynamic Bayesian classifier; Clustering; KL divergence