DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks

Mohammed Almukaynizi; Ericsson Marin; Eric Nunes; Paulo Shakarian; Gerardo I. Simari; Dipsy Kapoor; Timothy Siedlecki

doi:10.1109/ISI.2018.8587334

DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks

Mohammed Almukaynizi, Ericsson Marin, Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Dipsy Kapoor, Timothy Siedlecki

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

15 Scopus citations

Abstract

Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.

Original language	English (US)
Title of host publication	2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018
Editors	Dongwon Lee, Ghita Mezzour, Ponnurangam Kumaraguru, Nitesh Saxena
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	31-36
Number of pages	6
ISBN (Electronic)	9781538678480
DOIs	https://doi.org/10.1109/ISI.2018.8587334
State	Published - Dec 24 2018
Event	16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018 - Miami, United States Duration: Nov 9 2018 → Nov 11 2018

Publication series

Name	2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018

Other

Other	16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018
Country/Territory	United States
City	Miami
Period	11/9/18 → 11/11/18

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems and Management
Safety, Risk, Reliability and Quality
Communication

Access to Document

10.1109/ISI.2018.8587334

Cite this

Almukaynizi, M., Marin, E., Nunes, E., Shakarian, P., Simari, G. I., Kapoor, D., & Siedlecki, T. (2018). DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks. In D. Lee, G. Mezzour, P. Kumaraguru, & N. Saxena (Eds.), 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018 (pp. 31-36). Article 8587334 (2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISI.2018.8587334

DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks. / Almukaynizi, Mohammed; Marin, Ericsson; Nunes, Eric et al.
2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. ed. / Dongwon Lee; Ghita Mezzour; Ponnurangam Kumaraguru; Nitesh Saxena. Institute of Electrical and Electronics Engineers Inc., 2018. p. 31-36 8587334 (2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Almukaynizi, M, Marin, E, Nunes, E, Shakarian, P, Simari, GI, Kapoor, D & Siedlecki, T 2018, DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks. in D Lee, G Mezzour, P Kumaraguru & N Saxena (eds), 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018., 8587334, 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018, Institute of Electrical and Electronics Engineers Inc., pp. 31-36, 16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018, Miami, United States, 11/9/18. https://doi.org/10.1109/ISI.2018.8587334

Almukaynizi M, Marin E, Nunes E, Shakarian P, Simari GI, Kapoor D et al. DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks. In Lee D, Mezzour G, Kumaraguru P, Saxena N, editors, 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 31-36. 8587334. (2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018). doi: 10.1109/ISI.2018.8587334

Almukaynizi, Mohammed ; Marin, Ericsson ; Nunes, Eric et al. / DARKMENTION : A deployed system to predict enterprise-targeted external cyberattacks. 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018. editor / Dongwon Lee ; Ghita Mezzour ; Ponnurangam Kumaraguru ; Nitesh Saxena. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 31-36 (2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018).

@inproceedings{a1a50c0eae124f56ad5d42b9e04ac3fb,

title = "DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks",

abstract = "Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.",

author = "Mohammed Almukaynizi and Ericsson Marin and Eric Nunes and Paulo Shakarian and Simari, {Gerardo I.} and Dipsy Kapoor and Timothy Siedlecki",

note = "Funding Information: Some of the authors were supported by the Office of Naval Research (ONR) Neptune program, the ASU Global Security Initiative (GSI), and the National Council for Scientific and Technological Development (CNPq-Brazil). Paulo Shakarian, Dipsy Kapoor, and Timothy Siedlecki are supported by the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) contract number FA8750-16-C-0112. Gerardo Simari is also partially supported by Universidad Nacional del Sur (UNS) and CONICET, Argentina. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ODNI, IARPA, AFRL, or the U.S. Government. Publisher Copyright: {\textcopyright} 2018 IEEE.; 16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018 ; Conference date: 09-11-2018 Through 11-11-2018",

year = "2018",

month = dec,

day = "24",

doi = "10.1109/ISI.2018.8587334",

language = "English (US)",

series = "2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "31--36",

editor = "Dongwon Lee and Ghita Mezzour and Ponnurangam Kumaraguru and Nitesh Saxena",

booktitle = "2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018",

}

TY - GEN

T1 - DARKMENTION

T2 - 16th IEEE International Conference on Intelligence and Security Informatics, ISI 2018

AU - Almukaynizi, Mohammed

AU - Marin, Ericsson

AU - Nunes, Eric

AU - Shakarian, Paulo

AU - Simari, Gerardo I.

AU - Kapoor, Dipsy

AU - Siedlecki, Timothy

N1 - Funding Information: Some of the authors were supported by the Office of Naval Research (ONR) Neptune program, the ASU Global Security Initiative (GSI), and the National Council for Scientific and Technological Development (CNPq-Brazil). Paulo Shakarian, Dipsy Kapoor, and Timothy Siedlecki are supported by the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) contract number FA8750-16-C-0112. Gerardo Simari is also partially supported by Universidad Nacional del Sur (UNS) and CONICET, Argentina. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ODNI, IARPA, AFRL, or the U.S. Government. Publisher Copyright: © 2018 IEEE.

PY - 2018/12/24

Y1 - 2018/12/24

N2 - Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.

AB - Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.

UR - http://www.scopus.com/inward/record.url?scp=85061065311&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85061065311&partnerID=8YFLogxK

U2 - 10.1109/ISI.2018.8587334

DO - 10.1109/ISI.2018.8587334

M3 - Conference contribution

AN - SCOPUS:85061065311

T3 - 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018

SP - 31

EP - 36

BT - 2018 IEEE International Conference on Intelligence and Security Informatics, ISI 2018

A2 - Lee, Dongwon

A2 - Mezzour, Ghita

A2 - Kumaraguru, Ponnurangam

A2 - Saxena, Nitesh

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 9 November 2018 through 11 November 2018

ER -

DARKMENTION: A deployed system to predict enterprise-targeted external cyberattacks

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this