Online detection and control of malware-infected assets
Author: H. Çam
Published in: MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM)
Publication date: 2017-10-01
DOI: 10.1109/MILCOM.2017.8170869 (https://doi.org/10.1109/MILCOM.2017.8170869)
Citation count (Semantic Scholar): 3
Malware infection activities need to be detected as early as possible to minimize the adverse impact of malware delivery, infection, exploitation, and spreading. Given that cybersecurity observations over a network are usually incomplete, noisy, and uncertain, and must be extracted from a very large volume of data, it is a challenge to extract quality information for identifying vulnerable, infected, or exploited assets and then to take appropriate actions to mitigate the impact of malware infection and spread. This paper presents an integrated model of logistic regression and a Partially Observable Markov Decision Process (POMDP), together with online data analytics on the temporal causality and dependency relationships of observations. New regression and malware infection features are developed by capturing and formulating the cross relationships among observations. Logistic regression over these new features estimates the initial probabilities that sensor measurements are indicative of vulnerability exploitation; these probabilities help infer the infection status of the assets associated with the vulnerabilities that are likely to be exploited. The logistic regression results on the infection status of assets serve as the initial belief state of the POMDP. The integrated logistic regression and POMDP model is designed so that the two components iteratively collaborate in identifying and controlling malware infection and spread. Experimental results show the efficiency of this collaboration in identifying and controlling malware-infected assets.