PARD-SSM: Probabilistic Cyber-Attack Regime Detection via Variational Switching State-Space Models
Prakul Sunil Hiremath, PeerAhammad M Bagawan, Sahil Bhekane

TL;DR
PARD-SSM is a probabilistic model that detects cyber-attack phases in real-time by modeling network traffic as a switching linear dynamical system, outperforming existing IDS methods.
Contribution
It introduces a scalable variational inference framework for regime detection in network traffic, enabling early and accurate attack identification.
Findings
Achieves F1 scores of 98.2% and 97.1% on CICIDS2017 and UNSW-NB15 datasets.
Provides predictive alerts about 8 minutes before attack onset.
Runs in less than 1.2 ms per flow on standard CPU hardware.
Abstract
Modern adversarial campaigns unfold as sequences of behavioural phases - Reconnaissance, Lateral Movement, Intrusion, and Exfiltration - each often indistinguishable from legitimate traffic when viewed in isolation. Existing intrusion detection systems (IDS) fail to capture this structure: signature-based methods cannot detect zero-day attacks, deep-learning models provide opaque anomaly scores without stage attribution, and standard Kalman Filters cannot model non-stationary multi-modal dynamics. We present PARD-SSM, a probabilistic framework that models network telemetry as a Regime-Dependent Switching Linear Dynamical System with K = 4 hidden regimes. A structured variational approximation reduces inference complexity from exponential to O(TK^2), enabling real-time detection on standard CPU hardware. An online EM algorithm adapts model parameters, while KL-divergence gating…
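The abstract's complexity claim is easiest to see in code. The following is an added illustration, not PARD-SSM's own implementation: it keeps the paper's idea of a per-regime linear-Gaussian law on a traffic feature and a hidden Markov chain over regimes, but replaces the paper's structured variational approximation with an exact forward-backward pass, which is tractable here only because the example conditions each step on the observed previous value instead of a latent continuous state (in a real switching LDS the latent state is what makes exact inference exponential in T). What it shows is the O(TK^2) cost of smoothing over the regime chain, the posterior per step that a regime-attributing detector reports, and how an "alert" falls out of a posterior threshold. The two regimes, their parameters, the sticky transition matrix, and the per-second connection-count series are all constructed assumptions; the paper uses K = 4 and real datasets.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Regime:
    """One linear-Gaussian regime: x_t ~ N(a * x_{t-1} + c, sigma^2)."""
    name: str
    a: float
    c: float
    sigma: float


def log_gauss(x: float, mu: float, sigma: float) -> float:
    return -0.5 * math.log(2 * math.pi * sigma * sigma) - (x - mu) ** 2 / (2 * sigma * sigma)


def logsumexp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))


def regime_posteriors(xs, regimes, trans, init):
    """Smoothed P(regime_t = k | x_1..x_T) via forward-backward over the regime chain.

    Every time step does K^2 work in the transition sums, so the pass is O(T K^2)
    for any K; the paper's K = 4 would simply be a longer `regimes` list.
    """
    T, K = len(xs), len(regimes)

    def log_emit(t, k):
        # Emission conditions on the observed x_{t-1}; this is the simplification
        # that makes exact inference possible in this toy (see lead-in).
        r = regimes[k]
        mu = r.a * xs[t - 1] + r.c if t > 0 else r.c
        return log_gauss(xs[t], mu, r.sigma)

    log_trans = [[math.log(p) for p in row] for row in trans]
    alpha = [[0.0] * K for _ in range(T)]  # forward messages (log domain)
    beta = [[0.0] * K for _ in range(T)]   # backward messages (log domain)
    for k in range(K):
        alpha[0][k] = math.log(init[k]) + log_emit(0, k)
    for t in range(1, T):
        for k in range(K):
            alpha[t][k] = logsumexp([alpha[t - 1][j] + log_trans[j][k] for j in range(K)]) + log_emit(t, k)
    for t in range(T - 2, -1, -1):
        for k in range(K):
            beta[t][k] = logsumexp([log_trans[k][j] + log_emit(t + 1, j) + beta[t + 1][j] for j in range(K)])
    post = []
    for t in range(T):
        lp = [alpha[t][k] + beta[t][k] for k in range(K)]
        z = logsumexp(lp)
        post.append([math.exp(v - z) for v in lp])
    return post


def most_likely_regimes(post, regimes):
    """Per-step regime name with the highest smoothed posterior (the stage attribution)."""
    return [regimes[max(range(len(p)), key=p.__getitem__)].name for p in post]


def first_alert(post, k, threshold=0.5):
    """Index of the first step where regime k's posterior reaches threshold, else None."""
    for t, p in enumerate(post):
        if p[k] >= threshold:
            return t
    return None


# Constructed sample (not real telemetry): new-connection attempts per second from one
# host. The first ten values are quiet; the rest climb the way a scanner ramping up would.
SAMPLE_FLOWS = [5, 4, 6, 5, 5, 4, 6, 5, 5, 6, 9, 14, 20, 27, 33, 38, 41, 43, 42, 44]

# Two hypothetical regimes with hand-picked parameters (the paper uses four).
REGIMES = [
    Regime("benign", a=0.5, c=2.5, sigma=1.5),  # stationary mean 5
    Regime("recon", a=0.9, c=4.0, sigma=3.0),   # stationary mean 40
]
TRANS = [[0.95, 0.05], [0.05, 0.95]]  # sticky regimes: switching is rare
INIT = [0.9, 0.1]                     # assume the host starts out benign


def run_sample():
    return regime_posteriors(SAMPLE_FLOWS, REGIMES, TRANS, INIT)


if __name__ == "__main__":
    post = run_sample()
    for t, (x, p) in enumerate(zip(SAMPLE_FLOWS, post)):
        print(f"t={t:2d} x={x:3d} P(recon)={p[1]:.3f}")
    print("first recon alert at t =", first_alert(post, 1))
```

On this series the recon posterior stays low through t = 9 and jumps past 0.9 at t = 10, the first ramp sample, because the backward messages carry the evidence of the later steep values back to the switch point. That is also the practical caveat: a smoothed posterior needs future observations, so a real-time detector must run filtered (forward-only) or fixed-lag versions of the same recursion, which is where the paper's reported lead time and per-flow latency have to be measured.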
