Early Detection of Cyber Threats using Structured Behavior Modeling
The rapid evolution of network intrusions has rendered traditional Intrusion Detection Systems (IDS) insufficient against cyber attacks such as Advanced Persistent Threats (APTs), which are sophisticated and enduring network intrusion campaigns comprising multiple imperceptible steps of malicious cyber activity. Dealing with such elaborate network intrusions calls for novel and more proactive defense methodologies.
The following figure outlines the early intrusion detection system we proposed, called SID, which is based on structured modeling of cyber attack behavior and aims to discover the underlying high-level behavioral patterns within network traffic that are likely to be early signs of cyber attacks.
Our method is essentially language-based, on the assumption that misuse and anomalous patterns of network behavior can be treated as syntactic structures and semantic fragments of a "network language" to be learned. In particular, the system models the long-distance dependency between structural patterns in historical network traffic and possible incoming cyber attacks. F1 scores of more than 0.9 are reported for early detection of network attacks on the KDD99 dataset.
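The "network language" idea above, as an added toy example that is not code from the paper or from the SID system: connections are tokenised into protocol:service:flag words, structural fragments (token pairs at a given gap and at any gap within a history window) are counted against attack and benign labels, and each incoming connection is scored from its recent history. The vocabulary, the window of 4, the additive log-odds scoring and both labelled sequences are constructed assumptions, not material from the page.

```python
from collections import Counter
from math import log
# Constructed KDD99-style connection records, not data from the paper. Each letter
# is one connection tokenised as protocol:service:flag; lowercase 'f' marks a
# transfer labelled as an attack because a probe preceded it within the session.
VOCAB = {"N": "tcp:http:SF", "S": "tcp:private:REJ", "F": "tcp:ftp_data:SF"}
TRAIN = "NNNNFNNNNSNfNNNNNSNNNfNNNNNFNNNNNSfNNNNNFNSNNfNNNNF"
TEST = "NNNFNNSNNfNNNNNFNNNNSNNNfNNNNSNNNNNfNN"
WINDOW = 4  # assumed: how far back a structural dependency is modelled

def decode(seq):
    """Turn the letter string into (token, is_attack) pairs."""
    return [(VOCAB[c.upper()], c == "f") for c in seq]

def patterns(tokens, i):
    """Structural fragments ending at connection i: exact-gap pairs
    (k, earlier, current) and distance-free pairs ('*', earlier, current)."""
    feats = set()
    for k in range(1, WINDOW + 1):
        if i - k < 0:
            break
        feats.add((k, tokens[i - k], tokens[i]))
        feats.add(("*", tokens[i - k], tokens[i]))
    return feats

def train(seq):
    """Count each fragment in histories ending in an attack vs. a benign one."""
    records = decode(seq)
    tokens = [t for t, _ in records]
    pos, neg = Counter(), Counter()
    for i, (_, attack) in enumerate(records):
        (pos if attack else neg).update(patterns(tokens, i))
    return pos, neg

def score(model, tokens, i):
    """Add-one smoothed log-odds that connection i is an attack, given history."""
    pos, neg = model
    return sum(log((pos[p] + 1) / (neg[p] + 1)) for p in patterns(tokens, i))

def evaluate(model, seq):
    """Flag connections with positive log-odds; return (flagged indices, F1)."""
    records = decode(seq)
    tokens = [t for t, _ in records]
    flagged = [i for i in range(len(tokens)) if score(model, tokens, i) > 0]
    truth = {i for i, (_, a) in enumerate(records) if a}
    tp = len(truth & set(flagged))
    prec = tp / len(flagged) if flagged else 0.0
    rec = tp / len(truth) if truth else 0.0
    return flagged, (2 * prec * rec / (prec + rec) if tp else 0.0)
```

The two transfers whose probe lies inside the window are flagged while the look-alike benign transfers are not, but the last transfer in TEST is preceded by a probe six connections earlier, beyond the modelled window, and is missed (F1 0.80). The span of history the model covers therefore bounds how early and how reliably such a detector can raise an alarm.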