A Modular Framework for Rapidly Building Intrusion Predictors
Xiaoxuan Wang, Rolf Stadler

TL;DR
This paper introduces a modular framework that enables rapid construction of online intrusion predictors, improving flexibility and scalability in detecting various attack types in real time.
Contribution
The paper presents a novel modular approach for building attack predictors, allowing dynamic assembly and tuning for different attack scenarios, unlike monolithic models.
Findings
Effective modular predictors can be assembled during training.
The framework improves control over prediction timeliness and accuracy.
Demonstrated on public datasets with multiple predictor configurations.
Abstract
We study automated intrusion prediction in an IT system using statistical learning methods. The focus is on developing online attack predictors that detect attacks in real time and identify the current stage of the attack. While such predictors have been proposed in the recent literature, these works typically rely on constructing a monolithic predictor tailored to a specific attack type and scenario. Given that hundreds of attack types are cataloged in the MITRE framework, training a separate monolithic predictor for each of them is infeasible. In this paper, we propose a modular framework for rapidly assembling online attack predictors from reusable components. The modular nature of a predictor facilitates controlling key metrics like timeliness and accuracy of prediction, as well as tuning the trade-off between them. Using public datasets for training and evaluation, we provide many…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Cybercrime and Law Enforcement Studies
