Forecasting Attacker Actions using Alert-driven Attack Graphs
- URL: http://arxiv.org/abs/2408.09888v1
- Date: Mon, 19 Aug 2024 11:04:47 GMT
- Title: Forecasting Attacker Actions using Alert-driven Attack Graphs
- Authors: Ion Băbălău, Azqa Nadeem,
- Abstract summary: This paper builds an action forecasting capability on top of the alert-driven AG framework for predicting the next likely attacker action.
We also modify the framework to build AGs in real time, as new alerts are triggered.
This way, we convert alert-driven AGs into an early warning system that enables analysts circumvent ongoing attacks and break the cyber killchain.
- Score: 1.3812010983144802
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: While intrusion detection systems form the first line-of-defense against cyberattacks, they often generate an overwhelming volume of alerts, leading to alert fatigue among security operations center (SOC) analysts. Alert-driven attack graphs (AGs) have been developed to reduce alert fatigue by automatically discovering attack paths in intrusion alerts. However, they only work in offline settings and cannot prioritize critical attack paths. This paper builds an action forecasting capability on top of the existing alert-driven AG framework for predicting the next likely attacker action given a sequence of observed actions, thus enabling analysts to prioritize non-trivial attack paths. We also modify the framework to build AGs in real time, as new alerts are triggered. This way, we convert alert-driven AGs into an early warning system that enables analysts to circumvent ongoing attacks and break the cyber killchain. We propose an expectation maximization approach to forecast future actions in a reversed suffix-based probabilistic deterministic finite automaton (rSPDFA). By utilizing three real-world intrusion and endpoint alert datasets, we empirically demonstrate that the best performing rSPDFA achieves an average top-3 accuracy of 67.27%, which reflects a 57.17% improvement over three baselines, on average. We also invite six SOC analysts to use the evolving AGs in two scenarios. Their responses suggest that the action forecasts help them prioritize critical incidents, while the evolving AGs enable them to choose countermeasures in real-time.
Related papers
- Relaxing Graph Transformers for Adversarial Attacks [49.450581960551276]
Graph Transformers (GTs) surpassed Message-Passing GNNs on several benchmarks, their adversarial robustness properties are unexplored.
We overcome these challenges by targeting three representative architectures based on (1) random-walk PEs, (2) pair-wise-short-paths, and (3) spectral perturbations.
Our evaluation reveals that they can be catastrophically fragile and underlines our work's importance and the necessity for adaptive attacks.
arXiv Detail & Related papers (2024-07-16T14:24:58Z) - Carbon Filter: Real-time Alert Triage Using Large Scale Clustering and Fast Search [6.830322979559498]
"Alert fatigue" is one of the biggest challenges faced by the Security Operations Center (SOC) today.
We present Carbon Filter, a statistical learning based system that dramatically reduces the number of alerts analysts need to manually review.
arXiv Detail & Related papers (2024-05-07T22:06:24Z) - Nip in the Bud: Forecasting and Interpreting Post-exploitation Attacks in Real-time through Cyber Threat Intelligence Reports [6.954623537148434]
Advanced Persistent Threat (APT) attacks have caused significant damage worldwide.
Various Detection and Response (EDR) systems are deployed by enterprises to fight against potential threats.
Analysts need to investigate and filter detection results before taking countermeasures.
We propose Forecasting and Interpreting (EFI), a real-time attack forecast and interpretation system.
arXiv Detail & Related papers (2024-05-05T06:25:52Z) - Critical Path Prioritization Dashboard for Alert-driven Attack Graphs [3.4000567392487127]
This paper proposes a querying and prioritization-enabled visual analytics dashboard for SAGE.
We describe the utility of the proposed dashboard using intrusion alerts collected from a distributed multi-stage team-based attack scenario.
We find that the dashboard is useful in depicting attacker strategies and attack progression, but can be improved in terms of usability.
arXiv Detail & Related papers (2023-10-19T18:16:04Z) - That Escalated Quickly: An ML Framework for Alert Prioritization [2.5845893156827158]
We present That Escalated Quickly (TEQ), a machine learning framework that reduces alert fatigue with minimal changes to SOC.
On real-world data, the system is able to reduce the time it takes to respond to actionable incidents by $22.9%$, suppress $54%$ of false positives with a $95.1%$ detection rate, and reduce the number of alerts an analyst needs to investigate within singular incidents by $14%$.
arXiv Detail & Related papers (2023-02-13T19:20:52Z) - AdvDO: Realistic Adversarial Attacks for Trajectory Prediction [87.96767885419423]
Trajectory prediction is essential for autonomous vehicles to plan correct and safe driving behaviors.
We devise an optimization-based adversarial attack framework to generate realistic adversarial trajectories.
Our attack can lead an AV to drive off road or collide into other vehicles in simulation.
arXiv Detail & Related papers (2022-09-19T03:34:59Z) - Illusory Attacks: Information-Theoretic Detectability Matters in Adversarial Attacks [76.35478518372692]
We introduce epsilon-illusory, a novel form of adversarial attack on sequential decision-makers.
Compared to existing attacks, we empirically find epsilon-illusory to be significantly harder to detect with automated methods.
Our findings suggest the need for better anomaly detectors, as well as effective hardware- and system-level defenses.
arXiv Detail & Related papers (2022-07-20T19:49:09Z) - Fixed Points in Cyber Space: Rethinking Optimal Evasion Attacks in the
Age of AI-NIDS [70.60975663021952]
We study blackbox adversarial attacks on network classifiers.
We argue that attacker-defender fixed points are themselves general-sum games with complex phase transitions.
We show that a continual learning approach is required to study attacker-defender dynamics.
arXiv Detail & Related papers (2021-11-23T23:42:16Z) - Certifiers Make Neural Networks Vulnerable to Availability Attacks [70.69104148250614]
We show for the first time that fallback strategies can be deliberately triggered by an adversary.
In addition to naturally occurring abstains for some inputs and perturbations, the adversary can use training-time attacks to deliberately trigger the fallback.
We design two novel availability attacks, which show the practical relevance of these threats.
arXiv Detail & Related papers (2021-08-25T15:49:10Z) - SAGE: Intrusion Alert-driven Attack Graph Extractor [4.530678016396476]
Attack graphs (AGs) are used to assess pathways availed by cyber adversaries to penetrate a network.
We propose to automatically learn AGs based on actions observed through intrusion alerts, without prior expert knowledge.
arXiv Detail & Related papers (2021-07-06T17:45:02Z) - Adversarial vs behavioural-based defensive AI with joint, continual and
active learning: automated evaluation of robustness to deception, poisoning
and concept drift [62.997667081978825]
Recent advancements in Artificial Intelligence (AI) have brought new capabilities to behavioural analysis (UEBA) for cyber-security.
In this paper, we present a solution to effectively mitigate this attack by improving the detection process and efficiently leveraging human expertise.
arXiv Detail & Related papers (2020-01-13T13:54:36Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.