Preliminary Investigation into Uncertainty-Aware Attack Stage Classification

TL;DR

This paper introduces an uncertainty-aware classification method for identifying attack stages in cybersecurity, leveraging Evidential Deep Learning to improve detection accuracy and robustness against out-of-distribution inputs.

Contribution

It presents a novel application of Evidential Deep Learning for attack stage inference, enabling uncertainty estimation and OOD detection in cybersecurity threat analysis.

Findings

Accurately infers attack stages with calibrated confidence

Effectively detects out-of-distribution inputs

Demonstrates robustness in simulated environments

Abstract

Advanced Persistent Threats (APTs) represent a significant challenge in cybersecurity due to their prolonged, multi-stage nature and the sophistication of their operators. Traditional detection systems typically focus on identifying malicious activity in binary terms (benign or malicious) without accounting for the progression of an attack. However, effective response strategies depend on accurate inference of the attack's current stage, as countermeasures must be tailored to whether an adversary is in the early reconnaissance phase or actively conducting exploitation or exfiltration. This work addresses the problem of attack stage inference under uncertainty, with a focus on robustness to out-of-distribution (OOD) inputs. We propose a classification approach based on Evidential Deep Learning (EDL), which models predictive uncertainty by outputting parameters of a Dirichlet distribution over possible stages. This allows the system not only to predict the most likely stage of an attack but also to indicate when it is uncertain or the input lies outside the training distribution. Preliminary experiments in a simulated environment demonstrate that the proposed model can accurately infer the stage of an attack with calibrated confidence while effectively detecting OOD inputs, which may indicate changes in the attackers' tactics. These results support the feasibility of deploying uncertainty-aware models for staged threat detection in dynamic and adversarial environments.