A framework for comprehensible multi-modal detection of cyber threats
Jan Kohout, Čeněk Škarda, Kyrylo Shcherbin, Martin Kopp, Jan Brabec

TL;DR
This paper introduces a comprehensive multi-modal detection framework that integrates diverse data sources to improve cyber threat detection and provide full attack lifecycle insights, demonstrated through a real malware case study.
Contribution
It presents a novel framework that combines multiple data modalities for holistic cyber threat detection, addressing limitations of existing narrow-scope methods.
Findings
Framework effectively captures full attack lifecycle.
Enables detection of complex threats requiring multi-source data.
Validated on real malware infection case study.
Abstract
Detection of malicious activities in corporate environments is a very complex task, and much effort has been invested into research on its automation. However, the vast majority of existing methods operate only in a narrow scope, which limits them to capturing only fragments of the evidence of malware's presence. Consequently, such an approach is not aligned with the way cyber threats are studied and described by domain experts. In this work, we discuss these limitations and design a detection framework that combines observed events from different sources of data. Thanks to this, it provides full insight into the attack life cycle and enables detection of threats that require this coupling of observations from different telemetries to identify the full scope of the incident. We demonstrate the applicability of the framework on a case study of a real malware infection observed in a corporate…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
