A Modular Framework for Rapidly Building Intrusion Predictors
Abstract -- We study automated intrusion prediction in an IT system using statistical learning methods. The focus is on developing online attack predictors that detect attacks in real time and identify the current stage of the attack. While such predictors have been proposed in the recent literature, these works typically rely on constructing a monolithic predictor tailored to a specific attack type and scenario. Given that hundreds of attack types are cataloged in the MITRE framework, training a separate monolithic predictor for each of them is infeasible. In this paper, we propose a modular framework for rapidly assembling online attack predictors from reusable components. Using public datasets for training and evaluation, we provide many examples of modular predictors and show how an effective predictor can be dynamically assembled during training from a network of modular components.

Traditional intrusion detection systems (IDS), such as Snort [1] or Suricata [2], rely on rule-based configurations that are manually crafted and maintained by domain experts. The growing complexity and rapid evolution of IT systems make the maintenance of these rules increasingly challenging and time-consuming. As a response, research efforts into automated cyberdefence have started, based on the idea that attack patterns can be dynamically learned. The rules are no longer defined by humans, but automatically inferred from observing systems under attack. Over the last decade, various approaches have been proposed for automated cyberdefence, most of them based on statistical learning, e.g., [3], [4], [5], [6]. We follow this direction in the paper. We are specifically interested in predicting the stage of an ongoing attack in real time, based on current and earlier observations of an IT system.
arXiv.org Artificial Intelligence
Dec-1-2025