CR · Mar 21, 2019

On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models

arXiv:1903.08826v1 · 2 citations
Originality: Incremental advance
AI Analysis

It addresses cybersecurity threats for organizations by providing a method to preempt APTs, though it appears incremental as it builds on existing probabilistic graphical models.

This paper tackles the problem of preempting Advanced Persistent Threats (APTs) by introducing PULSAR, a framework that uses probabilistic graphical models to infer attack evolution from runtime security events, achieving 91.7% accuracy in identifying past APTs and stopping 8 out of 10 unseen attacks before system integrity violation.

This paper presents PULSAR, a framework for preempting Advanced Persistent Threats (APTs). PULSAR employs a probabilistic graphical model (specifically a Factor Graph, FG) to infer the time evolution of an attack based on security events observed at runtime. PULSAR (i) learns the statistical significance of patterns of events from past attacks; (ii) composes these patterns into FGs to capture the progression of the attack; and (iii) decides on preemptive actions. PULSAR's accuracy and performance are evaluated in three experiments at SystemX: (i) a study with a dataset containing 120 successful APTs over the past 10 years (PULSAR accurately identifies 91.7% of them); (ii) replaying a set of ten unseen APTs (PULSAR stops 8 out of 10 replayed attacks before system integrity violation, and all ten before data exfiltration); and (iii) a production deployment of PULSAR (during a month-long deployment, PULSAR took an average of one second to make a decision).
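To make the three steps concrete (learn event-pattern statistics from past attacks, compose them into a graphical model of attack progression, decide on a preemptive action), here is an added, self-contained toy in Python. It is not PULSAR's code and does not reproduce its factor graphs: it uses a chain-structured factor graph (transition factors between latent attack stages, emission factors from stage to observed event) as a simplified stand-in, learned with add-alpha smoothing from a handful of constructed "past attacks". The stage names, event vocabulary, training sequences, the 1e-6 floor for never-seen events and the 0.4 risk threshold are all assumptions made for illustration. The decision rule is the preemptive one the abstract describes: act when the predicted next stage puts enough mass on integrity violation or exfiltration, before that stage is actually observed.

```python
"""Chain-structured factor-graph inference over runtime security events.

Added illustration; not PULSAR's code. Stages, events, training data,
the unseen-event floor and the risk threshold are constructed assumptions.
"""
from collections import defaultdict

# Assumed latent attack stages, ordered roughly by attack progression.
STAGES = ["benign", "recon", "exploit", "escalate", "integrity_violation", "exfiltrate"]
CRITICAL = {"integrity_violation", "exfiltrate"}  # stages we want to preempt

# Constructed "past attacks": each is a sequence of (true stage, observed event).
TRAINING = [
    [("benign", "login_ok"), ("recon", "port_scan"), ("exploit", "ids_alert"),
     ("escalate", "sudo_fail"), ("escalate", "new_root_proc"),
     ("integrity_violation", "file_mod"), ("exfiltrate", "large_upload")],
    [("benign", "login_ok"), ("benign", "login_ok"), ("recon", "port_scan"),
     ("exploit", "ids_alert"), ("escalate", "new_root_proc"),
     ("integrity_violation", "file_mod")],
    [("recon", "port_scan"), ("recon", "dns_burst"), ("exploit", "ids_alert"),
     ("escalate", "sudo_fail"), ("integrity_violation", "file_mod"),
     ("exfiltrate", "large_upload")],
]


def learn_factors(training, alpha=0.5):
    """Step (i): estimate transition factor T[s][s'] and emission factor E[s][e]
    from labelled past attacks, with add-alpha smoothing so unseen pairs keep
    a small non-zero weight."""
    events = sorted({e for seq in training for _, e in seq})
    trans = {s: defaultdict(float) for s in STAGES}
    emit = {s: defaultdict(float) for s in STAGES}
    for seq in training:
        for i, (stage, event) in enumerate(seq):
            emit[stage][event] += 1
            if i + 1 < len(seq):
                trans[stage][seq[i + 1][0]] += 1
    T = {s: {s2: (trans[s][s2] + alpha) / (sum(trans[s].values()) + alpha * len(STAGES))
             for s2 in STAGES} for s in STAGES}
    E = {s: {e: (emit[s][e] + alpha) / (sum(emit[s].values()) + alpha * len(events))
             for e in events} for s in STAGES}
    return T, E, events


def forward(T, E, observed):
    """Step (ii): sum-product (forward) pass on the chain. Returns, for each
    observed event, the normalised belief over the current attack stage."""
    beliefs, prev = [], None
    for event in observed:
        if prev is None:
            pred = {s: 1.0 / len(STAGES) for s in STAGES}       # uniform prior
        else:
            pred = {s: sum(prev[p] * T[p][s] for p in STAGES) for s in STAGES}
        # Assumed floor for events never seen in training.
        unnorm = {s: pred[s] * E[s].get(event, 1e-6) for s in STAGES}
        z = sum(unnorm.values())
        prev = {s: v / z for s, v in unnorm.items()}
        beliefs.append(prev)
    return beliefs


def predict_next(belief, T):
    """Marginal over the *next* stage given the current belief: this is what
    lets the decision fire before the damaging stage is observed."""
    return {s2: sum(belief[s] * T[s][s2] for s in STAGES) for s2 in STAGES}


def should_preempt(T, E, observed, threshold=0.4):
    """Step (iii): return (event index, risk) at the first point where the
    predicted-next-stage mass on CRITICAL reaches the (assumed) threshold,
    or None if the sequence never looks dangerous enough."""
    for i, belief in enumerate(forward(T, E, observed)):
        risk = sum(v for s, v in predict_next(belief, T).items() if s in CRITICAL)
        if risk >= threshold:
            return i, risk
    return None


if __name__ == "__main__":
    T, E, _ = learn_factors(TRAINING)
    # Constructed unseen attack; note the exact event order differs from training.
    attack = ["login_ok", "port_scan", "ids_alert", "new_root_proc", "file_mod", "large_upload"]
    for i, b in enumerate(forward(T, E, attack)):
        top = max(b, key=b.get)
        risk = sum(v for s, v in predict_next(b, T).items() if s in CRITICAL)
        print(f"t={i} event={attack[i]:<14} stage={top:<20} next-critical-risk={risk:.2f}")
    print("preempt at:", should_preempt(T, E, attack))
```

On the constructed attack the belief locks onto "escalate" after `new_root_proc`, and the predicted-next risk crosses the threshold there, so the decision fires one event before `file_mod` (the integrity violation) is seen; a run of benign logins never crosses it. The threshold trades preemption lead time against false positives, which is the same knob a deployment of this kind has to tune.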

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
