Few-Shot Learning-Based Cyber Incident Detection with Augmented Context Intelligence

TL;DR

This paper introduces a few-shot learning approach for cyber incident detection in cloud environments, utilizing augmented context intelligence and semantic analysis to identify unseen attacks with limited training data.

Contribution

It presents a novel few-shot learning framework that leverages semiotics extraction and semantic similarity for improved attack detection in cloud systems.

Findings

Effective detection of unseen attacks with limited samples

High generalization capability across diverse attack types

Accurate predictions demonstrated through comprehensive experiments

Abstract

In recent years, the adoption of cloud services has been expanding at an unprecedented rate. As more and more organizations migrate or deploy their businesses to the cloud, a multitude of related cybersecurity incidents such as data breaches are on the rise. Many inherent attributes of cloud environments, for example, data sharing, remote access, dynamicity and scalability, pose significant challenges for the protection of cloud security. Even worse, cyber threats are becoming increasingly sophisticated and covert. Attack methods, such as Advanced Persistent Threats (APTs), are continually developed to bypass traditional security measures. Among the emerging technologies for robust threat detection, system provenance analysis is being considered as a promising mechanism, thus attracting widespread attention in the field of incident response. This paper proposes a new few-shot learning-based attack detection with improved data context intelligence. We collect operating system behavior data of cloud systems during realistic attacks and leverage an innovative semiotics extraction method to describe system events. Inspired by the advances in semantic analysis, which is a fruitful area focused on understanding natural languages in computational linguistics, we further convert the anomaly detection problem into a similarity comparison problem. Comprehensive experiments show that the proposed approach is able to generalize over unseen attacks and make accurate predictions, even if the incident detection models are trained with very limited samples.