Incorporating Taxonomies of Cyber Incidents Into Detection Networks for Improved Detection Performance
Ryan Warnick

TL;DR
This paper explores how different cyber incident taxonomies can be integrated into detection networks to enhance detection accuracy, analyzing trade-offs and proposing an optimal detection strategy validated through simulations.
Contribution
It introduces a framework for leveraging cyber incident taxonomies within detection networks to optimize threat detection performance.
Findings
Networks of interconnected detections have structural properties that determine overall detection performance.
Trade-offs between precision and recall limit detection set construction.
An equilibrium detection strategy is proven and validated through simulations.
Abstract
Many taxonomies exist to organize cybercrime incidents into ontological categories. We examine some of the taxonomies introduced in the literature and provide a framework and analysis of how best to leverage different taxonomy structures to optimize the performance, measured by precision and recall, of detections targeting various types of threat-actor behavior. Networks of detections are studied, and results are outlined showing properties of networks of interconnected detections. Illustrations show how the construction of sets of detections to prevent broader types of attacks is limited by trade-offs between precision and recall under constraints. An equilibrium result is proven and validated on simulations, illustrating the existence of an optimal detection design strategy in this framework.
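The precision/recall trade-off the abstract describes can be seen on a toy scale by scoring individual detections and their OR-combination against categories of a small two-level taxonomy. The example below is an added illustration, not the paper's framework, model or data: the taxonomy (`credential_access` covering `brute_force` and `password_spray`), the events, the counts and the two rules are all constructed for this example.

```python
"""Precision/recall of a single detection versus a set (union) of
detections, scored against a category in a small incident taxonomy.

Added illustration; the taxonomy, events and rules below are constructed
for this example and are not the paper's framework or data.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Iterable

# Hypothetical two-level taxonomy: leaf categories roll up to a parent.
TAXONOMY = {
    "credential_access": {"brute_force", "password_spray"},
}


@dataclass(frozen=True)
class Event:
    id: int
    category: str          # leaf label, or "benign" if not an incident
    failed_logins: int     # failed authentications in the window
    distinct_users: int    # distinct usernames attempted in the window


# Constructed sample events (hypothetical counts, not real logs).
EVENTS = [
    Event(1, "brute_force", 50, 1),
    Event(2, "brute_force", 30, 1),
    Event(3, "brute_force", 15, 1),       # below rule A's threshold: a miss
    Event(4, "password_spray", 12, 12),
    Event(5, "password_spray", 8, 8),     # below rule B's threshold: a miss
    Event(6, "benign", 25, 1),            # misconfigured service account: A false positive
    Event(7, "benign", 3, 1),
    Event(8, "benign", 11, 11),           # post-expiry lockouts: B false positive
    Event(9, "benign", 2, 2),
    Event(10, "password_spray", 20, 20),  # fires both rules
]

Detection = Callable[[Event], bool]

# Rule A targets brute force; rule B targets password spraying.
rule_a: Detection = lambda e: e.failed_logins >= 20
rule_b: Detection = lambda e: e.distinct_users >= 10


def covers(category: str) -> set[str]:
    """Leaf labels counted as positives for `category` (itself plus its children)."""
    return {category} | TAXONOMY.get(category, set())


def union(detections: Iterable[Detection]) -> Detection:
    """OR-combine detections: an alert is raised if any rule fires."""
    rules = list(detections)
    return lambda e: any(r(e) for r in rules)


def precision_recall(detection: Detection, category: str,
                     events: Iterable[Event] = EVENTS) -> tuple[Fraction, Fraction]:
    """Exact precision and recall of `detection` scored against `category`."""
    positives = covers(category)
    tp = fp = fn = 0
    for e in events:
        fired, relevant = detection(e), e.category in positives
        if fired and relevant:
            tp += 1
        elif fired:
            fp += 1
        elif relevant:
            fn += 1
    precision = Fraction(tp, tp + fp) if tp + fp else Fraction(0)
    recall = Fraction(tp, tp + fn) if tp + fn else Fraction(0)
    return precision, recall


if __name__ == "__main__":
    cases = [
        ("A", rule_a, "brute_force"),
        ("B", rule_b, "password_spray"),
        ("A", rule_a, "credential_access"),
        ("B", rule_b, "credential_access"),
        ("A|B", union([rule_a, rule_b]), "credential_access"),
    ]
    for name, det, cat in cases:
        p, r = precision_recall(det, cat)
        print(f"{name:4s} vs {cat:18s} precision={p} recall={r}")
```

On this sample, OR-combining the two rules raises recall against the parent category (2/3, versus 1/2 and 1/3 for the rules alone) but lowers precision below the better single rule (2/3 versus 3/4), which is the shape of the constraint the abstract refers to when building detection sets for broader attack types.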
