TY - CHAP
T1 - A Logic Programming Approach to Predict Enterprise-Targeted Cyberattacks
AU - Almukaynizi, Mohammed
AU - Marin, Ericsson
AU - Shah, Malay
AU - Nunes, Eric
AU - Simari, Gerardo I.
AU - Shakarian, Paulo
N1 - Funding Information:
Acknowledgements: Some of the authors are supported by the Office of Naval Research (ONR) Neptune program. Paulo Shakarian is supported by the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) under contract number FA8750-16-C-0112. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ODNI, IARPA, AFRL, or the U.S. Government.
Publisher Copyright:
© Springer Nature Switzerland AG 2020.
PY - 2020
Y1 - 2020
N2 - Although cybersecurity research has demonstrated that many of the recent cyberattacks targeting real-world organizations could have been avoided, proactively identifying and systematically understanding when and why such events are likely to occur remains challenging. It has previously been shown that monitoring malicious hacker discussions about software vulnerabilities on Dark web and Deep web platforms (D2web) is indicative of future cyberattack incidents. Based on this finding, a system that generates warnings of cyberattack incidents was previously developed. However, that approach has two key limitations: (1) its strong reliance on explicit software vulnerability mentions by malicious hackers, and (2) its inability to adapt to the ephemeral, constantly changing nature of D2web sites. In this chapter, we address those limitations by leveraging indicators that capture aggregate discussion trends identified from the context of hacker discussions across multiple hacker community websites. Our approach is evaluated on real-world, enterprise-targeted attack events involving malicious emails. Compared to a baseline statistical prediction model, our approach provides a better precision-recall tradeoff. In addition, it produces actionable, transparent predictions that detail the observed hacker activity and the reasoning that led to each decision. Moreover, when the predictions of our approach are fused with those of the statistical prediction model, recall can be improved by over 14% while maintaining precision.
UR - http://www.scopus.com/inward/record.url?scp=85079438564&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85079438564&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-38788-4_2
DO - 10.1007/978-3-030-38788-4_2
M3 - Chapter
AN - SCOPUS:85079438564
T3 - Intelligent Systems Reference Library
SP - 13
EP - 32
BT - Intelligent Systems Reference Library
PB - Springer
ER -
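The abstract names the ingredients of the approach (discussion-trend indicators aggregated across hacker forums, rules that turn them into transparent warnings, and fusion with a statistical baseline) but not the mechanics. The Python sketch below is an added example, not the chapter's system, code or data: the per-topic daily post counts, the "phishing" and "ddos" topics, the attack days, the spike window and factor, the one-day lag, the growth-ratio baseline and the OR-fusion are all constructed here to show how such a pipeline yields a warning with its derivation attached and why OR-fusing two predictors can raise recall without costing precision.

```python
"""Rule-based attack warnings from aggregated forum-discussion trends (illustrative).

Added example; not the chapter's system or data. Every number, topic, threshold and
rule below is constructed for illustration.
"""
from statistics import mean

# Constructed daily post counts, already aggregated across hacker-community sites by
# topic. Aggregating across sites is what lets an indicator survive individual forums
# going offline; the per-site breakdown is deliberately omitted.
DAILY_COUNTS = {
    "phishing": {1: 5, 2: 4, 3: 6, 4: 5, 5: 14, 6: 5, 7: 4, 8: 16, 9: 5, 10: 5},
    "ddos":     {1: 2, 2: 2, 3: 4, 4: 2, 5: 2, 6: 9, 7: 10, 8: 2, 9: 24, 10: 2},
}
# Constructed ground truth: days with a malicious-email incident at the (hypothetical) enterprise.
ATTACK_DAYS = {6, 9, 10}

WINDOW = 3        # days of history behind each spike indicator (assumed)
SPIKE_FACTOR = 2  # count must exceed SPIKE_FACTOR x the window mean (assumed)
LAG = 1           # a spike on day D warns for day D + LAG (assumed)

# Fact linking a discussion topic to the attack type the enterprise cares about.
RELEVANT = {("relevant", "phishing", "malicious_email")}


def spike_facts(counts, window=WINDOW, factor=SPIKE_FACTOR):
    """Derive spike(topic, day) facts: count exceeds factor x mean of the previous `window` days."""
    facts = set()
    for topic, series in counts.items():
        for day, n in series.items():
            history = [series[d] for d in range(day - window, day) if d in series]
            if len(history) == window and n > factor * mean(history):
                facts.add(("spike", topic, day))
    return facts


def rule_warnings(counts):
    """Forward-chain one rule:
         spike(T, D) and relevant(T, malicious_email) => warn(malicious_email, D + LAG)
    Returns {warned_day: [(spike_fact, relevant_fact), ...]} so each warning carries
    the facts that fired it. A ddos spike derives a fact but no warning.
    """
    warnings = {}
    for spike in sorted(spike_facts(counts)):
        _, topic, day = spike
        for rel in RELEVANT:
            if rel[1] == topic:
                warnings.setdefault(day + LAG, []).append((spike, rel))
    return warnings


def baseline_warnings(counts, growth=1.5):
    """Stand-in statistical baseline (not the chapter's model): warn for D + LAG when the
    total volume on day D is at least `growth` x the previous day's total."""
    days = sorted(set().union(*(s.keys() for s in counts.values())))
    total = {d: sum(s.get(d, 0) for s in counts.values()) for d in days}
    return {d + LAG for d in days if d - 1 in total and total[d] >= growth * total[d - 1]}


def precision_recall(predicted, actual):
    tp = len(predicted & actual)
    precision = tp / len(predicted) if predicted else 0.0
    recall = tp / len(actual) if actual else 0.0
    return precision, recall


def evaluate(counts=DAILY_COUNTS, attacks=ATTACK_DAYS):
    """Score the rule model, the baseline, and their OR-fusion (warn if either warns)."""
    rule = set(rule_warnings(counts))
    base = baseline_warnings(counts)
    return {
        "rule": precision_recall(rule, attacks),
        "baseline": precision_recall(base, attacks),
        "fused": precision_recall(rule | base, attacks),
    }


if __name__ == "__main__":
    for day, why in sorted(rule_warnings(DAILY_COUNTS).items()):
        print(f"warn day {day}: derived from {why}")
    for name, (p, r) in evaluate().items():
        print(f"{name:9s} precision={p:.2f} recall={r:.2f}")
```

On the constructed data the rule model warns for days 6 and 9 with perfect precision but misses day 10; the volume baseline catches day 10 but also raises a false alarm for day 4. OR-fusing the two keeps the rule model's explanations where they exist and lifts recall to 1.0 while precision stays at or above the baseline's, which is the shape of result the abstract reports.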