Forecasting Attacker Actions using Alert-driven Attack Graphs

TL;DR

This paper enhances alert-driven attack graphs by enabling real-time action forecasting to prioritize attack paths and improve SOC analysts' response effectiveness, demonstrated through empirical accuracy improvements and analyst feedback.

Contribution

It introduces a real-time, probabilistic attack graph framework with action forecasting capabilities, advancing offline models to support early warning and attack prioritization.

Findings

Achieves 67.27% top-3 accuracy in predicting attacker actions.

57.17% improvement over baseline models.

SOC analysts find the system helpful for prioritizing incidents.

Abstract

While intrusion detection systems form the first line-of-defense against cyberattacks, they often generate an overwhelming volume of alerts, leading to alert fatigue among security operations center (SOC) analysts. Alert-driven attack graphs (AGs) have been developed to reduce alert fatigue by automatically discovering attack paths in intrusion alerts. However, they only work in offline settings and cannot prioritize critical attack paths. This paper builds an action forecasting capability on top of the existing alert-driven AG framework for predicting the next likely attacker action given a sequence of observed actions, thus enabling analysts to prioritize non-trivial attack paths. We also modify the framework to build AGs in real time, as new alerts are triggered. This way, we convert alert-driven AGs into an early warning system that enables analysts to circumvent ongoing attacks and break the cyber killchain. We propose an expectation maximization approach to forecast future actions in a reversed suffix-based probabilistic deterministic finite automaton (rSPDFA). By utilizing three real-world intrusion and endpoint alert datasets, we empirically demonstrate that the best performing rSPDFA achieves an average top-3 accuracy of 67.27%, which reflects a 57.17% improvement over three baselines, on average. We also invite six SOC analysts to use the evolving AGs in two scenarios. Their responses suggest that the action forecasts help them prioritize critical incidents, while the evolving AGs enable them to choose countermeasures in real-time.