DeepSecure: A computational design science approach for interpretable threat hunting in cybersecurity decision making

Impact Factor 6.7 | CAS Tier 1, Computer Science | JCR Q1, COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE
Prabhat Kumar , Danish Javeed , A.K.M. Najmul Islam , Xin (Robert) Luo
DOI: 10.1016/j.dss.2024.114351
Journal: Decision Support Systems, Volume 188, Article 114351
Published: 2024-11-06 (Journal Article)
Open access: no
Publisher page: https://www.sciencedirect.com/science/article/pii/S0167923624001842
JCR: Q1, COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE; Impact Factor 6.7
Citations: 0

Abstract

Businesses and industries are placing a greater emphasis on information systems for cybersecurity decision-making due to the rising cybersecurity threat landscape and the critical need to protect their digital assets. Threat hunting provides a data-driven and proactive approach to cybersecurity, enabling organizations to efficiently detect, analyze, and respond to cyber threats in real time. Despite playing a crucial role, these systems face several obstacles, including the manual analysis of technical threat intelligence, the non-Gaussian nature of real-world data, the high rate of false positives produced during threat hunting, and the lack of interpretation and justification for these complex models. This article adopts the computational design science paradigm to develop a novel IT artifact for threat hunting named DeepSecure. First, to automatically extract latent patterns from multivariate time series datasets, we propose a dynamic vector quantized variational autoencoder technique. Second, a multiscale hierarchical attention bi-directional gated recurrent unit-based threat-hunting mechanism is designed. Finally, we provide the visualization of attention scores to aid in model interpretation. We evaluate DeepSecure against state-of-the-art benchmarks on two publicly available datasets, namely, ToN-IoT and CSE-CIC-IDS2018. The experimental evaluation proves that our model can efficiently identify threat types. Beyond demonstrating practical utility, the proposed framework can help address the lack of interpretation and justification for complex models in cyber threat detection and will allow organizations to respond to potential security incidents quickly.
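The abstract describes a two-stage pipeline: discrete latent codes are extracted from windows of multivariate telemetry by a vector-quantized autoencoder, and an attention-based sequence model then scores those windows so the analyst can see which ones drove the verdict. The following is an added illustration of that pattern, not code from the paper or its authors. It assumes a hand-initialized three-entry codebook in place of a learned VQ-VAE codebook, plain scaled dot-product attention against a fixed query vector in place of the paper's multiscale hierarchical attention BiGRU, and a constructed sample of ten per-second flow-statistics windows for one host. It also adds the check a practitioner wants next to any codebook model: a window whose quantization error exceeds a threshold matches none of the known patterns and should be surfaced regardless of its attention weight.

```python
"""Added illustration: vector-quantized latent codes over telemetry windows,
softmax attention over the code sequence, and a quantization-error novelty check.
Not the paper's implementation; codebook, query and sample data are assumptions."""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample (not real traffic): one window per second for a single host,
# features = (packets, bytes/100, distinct destination ports).
# Windows 4-6 carry a port-scan-like burst; the rest is baseline traffic.
SAMPLE_WINDOWS: List[List[float]] = [
    [10, 12, 1], [12, 14, 1], [9, 11, 1], [11, 13, 2],
    [85, 9, 60], [92, 10, 71], [88, 9, 66],
    [10, 12, 1], [13, 15, 2], [11, 12, 1],
]

# Assumed codebook standing in for a learned VQ-VAE codebook.
CODEBOOK: List[List[float]] = [
    [10, 12, 1],    # code 0: baseline traffic
    [90, 10, 65],   # code 1: scan-like burst (many ports, small payloads)
    [50, 80, 3],    # code 2: bulk transfer (few ports, large payloads)
]

# Assumed query vector: an attention query that weights the port-count feature.
THREAT_QUERY: List[float] = [0.0, 0.0, 1.0]


def _sq_dist(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def quantize(windows: Sequence[Sequence[float]],
             codebook: Sequence[Sequence[float]]) -> Tuple[List[int], List[float]]:
    """Nearest-codebook assignment, the forward pass of a VQ layer.

    Returns the code index per window and the per-window squared quantization
    error ||z_e - e_k||^2, the quantity the VQ/commitment losses are built from."""
    codes, errors = [], []
    for w in windows:
        dists = [_sq_dist(w, e) for e in codebook]
        k = min(range(len(codebook)), key=dists.__getitem__)
        codes.append(k)
        errors.append(dists[k])
    return codes, errors


def attention_scores(vectors: Sequence[Sequence[float]],
                     query: Sequence[float]) -> List[float]:
    """Scaled dot-product attention: softmax_t(<v_t, q> / sqrt(d))."""
    d = len(query)
    raw = [sum(v * q for v, q in zip(vec, query)) / math.sqrt(d) for vec in vectors]
    m = max(raw)                       # subtract the max for numerical stability
    exps = [math.exp(r - m) for r in raw]
    z = sum(exps)
    return [e / z for e in exps]


def novel_windows(errors: Sequence[float], threshold: float) -> List[int]:
    """Windows whose quantization error exceeds the threshold match no known code."""
    return [t for t, e in enumerate(errors) if e > threshold]


def explain(windows: Sequence[Sequence[float]],
            codebook: Sequence[Sequence[float]],
            query: Sequence[float],
            top_k: int = 3,
            novelty_threshold: float = 30.0) -> Dict[str, object]:
    """Quantize, attend over the code embeddings, and rank windows for the analyst."""
    codes, errors = quantize(windows, codebook)
    alphas = attention_scores([codebook[c] for c in codes], query)
    ranked = sorted(range(len(alphas)), key=lambda t: -alphas[t])[:top_k]
    return {
        "codes": codes,
        "mean_quant_error": sum(errors) / len(errors),
        "attention": alphas,
        "top_windows": sorted(ranked),
        "novel_windows": novel_windows(errors, novelty_threshold),
    }


if __name__ == "__main__":
    report = explain(SAMPLE_WINDOWS, CODEBOOK, THREAT_QUERY)
    print("codes per window:", report["codes"])
    print("windows with most attention:", report["top_windows"])
    print("windows matching no known code:", report["novel_windows"])
```

With the sample above, windows 4-6 map to the scan code and receive almost all of the attention mass, which is the kind of per-window score the abstract proposes visualizing. Windows 4 and 5 also exceed the novelty threshold, showing why the quantization error deserves its own panel: it flags behaviour the codebook does not explain well, independently of how the attention layer weighted it.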
Source journal
Decision Support Systems (Engineering & Technology - Computer Science: Artificial Intelligence)
CiteScore: 14.70
Self-citation rate: 6.70%
Articles per year: 119
Review time: 13 months
Journal description: The common thread of articles published in Decision Support Systems is their relevance to theoretical and technical issues in the support of enhanced decision making. The areas addressed may include foundations, functionality, interfaces, implementation, impacts, and evaluation of decision support systems (DSSs).