Near Real-time Learning and Extraction of Attack Models from Intrusion Alerts
Shanchieh Jay Yang, Ahmet Okutan, Gordon Werner, Shao-Hsuan Su, Ayush Goel, Nathan D. Cahill

TL;DR
This paper introduces ASSERT, an unsupervised learning system that processes streaming intrusion alerts to extract and update attack models in near real-time, aiding SOC analysts in understanding ongoing cyber threats.
Contribution
The paper presents a novel near real-time attack model extraction system using information theoretic unsupervised learning for cybersecurity alerts.
Findings
ASSERT effectively processes streaming alerts in real-time.
It generates concise attack models for SOC analysts.
The system is designed for deployment and community sharing.
Abstract
Critical and sophisticated cyberattacks often take multitudes of reconnaissance, exploitations, and obfuscation techniques to penetrate through well protected enterprise networks. The discovery and detection of attacks, though needing continuous efforts, is no longer sufficient. Security Operation Center (SOC) analysts are overwhelmed by the significant volume of intrusion alerts without being able to extract actionable intelligence. Recognizing this challenge, this paper describes the advances and findings through deploying ASSERT to process intrusion alerts from OmniSOC in collaboration with the Center for Applied Cybersecurity Research (CACR) at Indiana University. ASSERT utilizes information theoretic unsupervised learning to extract and update 'attack models' in near real-time without expert knowledge. It consumes streaming intrusion alerts and generates a small number of…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Advanced Malware Detection Techniques
