Model-Guided Infection Prediction and Active Defense Using Context-Specific Cybersecurity Observations

Abstract

Cybersecurity tools such as intrusion detection and prevention systems usually generate far too many alerts, indicators or log data, many of which do not have obvious security implications unless their correlations and temporal causality relationships are determined. In order to infer cybersecurity observations and take defensive actions for a given set of assets, this paper proposes methods to first estimate the infected and exploited assets and then take recovery and preventive actions, with the help of graphs, deep learning, and autonomous agents. The proposed motif and graph thinking analysis of cyber infection and exploitation predicts the infection states of some assets. This prediction data of infections is taken as input data by deep learning networks to enable the agents to determine effective actions for inferring adversary activities and protecting assets. The results of the infection prediction and the games of these agents show the effectiveness of actions.