DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks

Mohammed Almukaynizi, Ericsson Marin, Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Dipsy Kapoor, Timothy Siedlecki

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows them to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web with real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises, with an average increase in F1 score of about 45% and 57%, respectively. Additionally, DARKMENTION was deployed as part of a larger system built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.
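The abstract describes the pipeline only at a high level: learn association rules that link a D2web indicator to a later incident at a specific enterprise, turn new mentions of that indicator into warnings with a lead time, and score the warnings on F1. The block below is an added illustration of that pipeline written for this page; it is not DARKMENTION's code, rules or data. The indicator names, enterprise names, attack types, dates, window length and support/confidence thresholds are all constructed assumptions.

```python
"""Added illustration of a DARKMENTION-style pipeline: learn temporal
association rules 'D2web indicator mentioned -> incident at enterprise within
WINDOW', emit warnings from new mentions, then score them. All data below is
constructed; nothing here is the paper's dataset, rules or code."""
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=3)   # incident "follows" a mention if 0 < incident - mention <= WINDOW
MIN_SUPPORT = 2              # a rule needs at least this many mention->incident pairs behind it
MIN_CONFIDENCE = 0.6         # pairs / all mentions of the indicator


def day(n):
    """Day n of a constructed timeline starting 2018-01-01 (assumed dates, not real ones)."""
    return date(2018, 1, 1) + timedelta(days=n - 1)


# Constructed training streams: (day, indicator) and (day, enterprise, attack_type).
TRAIN_MENTIONS = [(day(1), "exploit-A"), (day(3), "exploit-A"), (day(5), "spam-tool"),
                  (day(8), "exploit-A"), (day(10), "spam-tool")]
TRAIN_INCIDENTS = [(day(3), "acme", "malicious-email"), (day(5), "acme", "malicious-email"),
                   (day(11), "acme", "malicious-email"), (day(12), "globex", "endpoint-malware")]
# Constructed held-out streams used to produce and score warnings.
TEST_MENTIONS = [(day(20), "exploit-A"), (day(22), "spam-tool"), (day(25), "exploit-A")]
TEST_INCIDENTS = [(day(22), "acme", "malicious-email"), (day(27), "globex", "endpoint-malware")]


def follows(mention_day, incident_day, window=WINDOW):
    """True if the incident lies strictly after the mention but no later than the window end."""
    return timedelta(0) < incident_day - mention_day <= window


def mine_rules(mentions, incidents, window=WINDOW, min_support=MIN_SUPPORT,
               min_confidence=MIN_CONFIDENCE):
    """Return {indicator: {(enterprise, attack_type): confidence}} for rules passing both thresholds."""
    mention_count = defaultdict(int)   # antecedent support: how often each indicator was mentioned
    pair_count = defaultdict(int)      # how often a mention was followed by a given incident kind
    for m_day, indicator in mentions:
        mention_count[indicator] += 1
        seen = set()                   # count each consequent at most once per mention
        for i_day, enterprise, attack_type in incidents:
            if follows(m_day, i_day, window) and (enterprise, attack_type) not in seen:
                seen.add((enterprise, attack_type))
                pair_count[(indicator, enterprise, attack_type)] += 1
    rules = defaultdict(dict)
    for (indicator, enterprise, attack_type), support in pair_count.items():
        confidence = support / mention_count[indicator]
        if support >= min_support and confidence >= min_confidence:
            rules[indicator][(enterprise, attack_type)] = confidence
    return dict(rules)


def generate_warnings(rules, mentions, window=WINDOW):
    """One warning per (mention, matching rule): target, attack type, deadline and the evidence behind it."""
    warnings = []
    for m_day, indicator in mentions:
        for (enterprise, attack_type), confidence in rules.get(indicator, {}).items():
            warnings.append({"issued": m_day, "enterprise": enterprise, "type": attack_type,
                             "expected_by": m_day + window, "confidence": confidence,
                             "evidence": f"D2web mention of {indicator} on {m_day}"})
    return warnings


def evaluate(warnings, incidents, window=WINDOW):
    """Precision/recall/F1 of warnings against ground-truth incidents, plus mean lead time in days."""
    true_positives, hit_incidents, lead_days = 0, set(), []
    for w in warnings:
        matched = False
        for idx, (i_day, enterprise, attack_type) in enumerate(incidents):
            if (enterprise, attack_type) == (w["enterprise"], w["type"]) and follows(w["issued"], i_day, window):
                matched = True
                hit_incidents.add(idx)
                lead_days.append((i_day - w["issued"]).days)
        if matched:
            true_positives += 1
    precision = true_positives / len(warnings) if warnings else 0.0
    recall = len(hit_incidents) / len(incidents) if incidents else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    mean_lead = sum(lead_days) / len(lead_days) if lead_days else 0.0
    return {"precision": precision, "recall": recall, "f1": f1, "mean_lead_days": mean_lead}


if __name__ == "__main__":
    learned = mine_rules(TRAIN_MENTIONS, TRAIN_INCIDENTS)
    for indicator, consequents in learned.items():
        for (enterprise, attack_type), confidence in consequents.items():
            print(f"rule: {indicator} -> {attack_type} at {enterprise} within {WINDOW.days}d (conf {confidence:.2f})")
    issued = generate_warnings(learned, TEST_MENTIONS)
    for w in issued:
        print(f"WARNING {w['issued']}: {w['type']} at {w['enterprise']} expected by {w['expected_by']} ({w['evidence']})")
    print(evaluate(issued, TEST_INCIDENTS))
```

Two scoring choices matter when comparing numbers like the F1 gains quoted in the abstract: a warning only counts as correct if a matching incident falls inside the window after it was issued, and every mention that fires a rule produces its own warning, so a chatty indicator inflates the false-positive count unless the SOC-facing layer deduplicates warnings that share a target, type and window.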

Original language: English (US)
Title of host publication: 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018
Editors: Dongwon Lee, Ghita Mezzour, Ponnurangam Kumaraguru, Nitesh Saxena
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 31-36
Number of pages: 6
ISBN (Electronic): 9781538678480
DOIs: 10.1109/ISI.2018.8587334
State: Published - Dec 24 2018
Event: 16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018 - Miami, United States
Duration: Nov 9 2018 to Nov 11 2018

Other

Other: 16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018
Country: United States
City: Miami
Period: 11/9/18 to 11/11/18

Fingerprint

Association rules
Industry
incident
vulnerability
Sensors
hacker
intelligence
Attack
threat
organization
Warning
Malware
Incidents
Vulnerability
software

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
  • Communication

Cite this

Almukaynizi, M., Marin, E., Nunes, E., Shakarian, P., Simari, G. I., Kapoor, D., & Siedlecki, T. (2018). DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks. In D. Lee, G. Mezzour, P. Kumaraguru, & N. Saxena (Eds.), 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018 (pp. 31-36). [8587334] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ISI.2018.8587334

DARKMENTION : A deployed system to predict enterprise-targeted external cyberattacks. / Almukaynizi, Mohammed; Marin, Ericsson; Nunes, Eric; Shakarian, Paulo; Simari, Gerardo I.; Kapoor, Dipsy; Siedlecki, Timothy.

2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. ed. / Dongwon Lee; Ghita Mezzour; Ponnurangam Kumaraguru; Nitesh Saxena. Institute of Electrical and Electronics Engineers Inc., 2018. p. 31-36 8587334.


Almukaynizi, M, Marin, E, Nunes, E, Shakarian, P, Simari, GI, Kapoor, D & Siedlecki, T 2018, DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks. in D Lee, G Mezzour, P Kumaraguru & N Saxena (eds), 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018., 8587334, Institute of Electrical and Electronics Engineers Inc., pp. 31-36, 16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018, Miami, United States, 11/9/18. https://doi.org/10.1109/ISI.2018.8587334
Almukaynizi M, Marin E, Nunes E, Shakarian P, Simari GI, Kapoor D et al. DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks. In Lee D, Mezzour G, Kumaraguru P, Saxena N, editors, 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 31-36. 8587334 https://doi.org/10.1109/ISI.2018.8587334
Almukaynizi, Mohammed ; Marin, Ericsson ; Nunes, Eric ; Shakarian, Paulo ; Simari, Gerardo I. ; Kapoor, Dipsy ; Siedlecki, Timothy. / DARKMENTION : A deployed system to predict enterprise-targeted external cyberattacks. 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. editor / Dongwon Lee ; Ghita Mezzour ; Ponnurangam Kumaraguru ; Nitesh Saxena. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 31-36
@inproceedings{a1a50c0eae124f56ad5d42b9e04ac3fb,
title = "DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks",
abstract = "Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows them to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web with real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises, with an average increase in F1 score of about 45{\%} and 57{\%}, respectively. Additionally, DARKMENTION was deployed as part of a larger system built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.",
author = "Mohammed Almukaynizi and Ericsson Marin and Eric Nunes and Paulo Shakarian and Simari, {Gerardo I.} and Dipsy Kapoor and Timothy Siedlecki",
year = "2018",
month = "12",
day = "24",
doi = "10.1109/ISI.2018.8587334",
language = "English (US)",
pages = "31--36",
editor = "Dongwon Lee and Ghita Mezzour and Ponnurangam Kumaraguru and Nitesh Saxena",
booktitle = "2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - DARKMENTION

T2 - A deployed system to predict enterprise-targeted external cyberattacks

AU - Almukaynizi, Mohammed

AU - Marin, Ericsson

AU - Nunes, Eric

AU - Shakarian, Paulo

AU - Simari, Gerardo I.

AU - Kapoor, Dipsy

AU - Siedlecki, Timothy

PY - 2018/12/24

Y1 - 2018/12/24

N2 - Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows them to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web with real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises, with an average increase in F1 score of about 45% and 57%, respectively. Additionally, DARKMENTION was deployed as part of a larger system built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.

AB - Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows them to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web with real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises, with an average increase in F1 score of about 45% and 57%, respectively. Additionally, DARKMENTION was deployed as part of a larger system built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.

UR - http://www.scopus.com/inward/record.url?scp=85061065311&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85061065311&partnerID=8YFLogxK

U2 - 10.1109/ISI.2018.8587334

DO - 10.1109/ISI.2018.8587334

M3 - Conference contribution

AN - SCOPUS:85061065311

SP - 31

EP - 36

BT - 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018

A2 - Lee, Dongwon

A2 - Mezzour, Ghita

A2 - Kumaraguru, Ponnurangam

A2 - Saxena, Nitesh

PB - Institute of Electrical and Electronics Engineers Inc.

ER -