Collaborative Information Sharing for ML-Based Threat Detection
This addresses the challenge network defenders face in responding quickly to emerging attack patterns such as WannaCry; the contribution is incremental, since it builds on existing ML-based detection tools.
The paper tackles the problem of adapting machine learning-based threat detection to new coordinated attacks by proposing three information sharing methods across networks, resulting in significantly improved detection of evasive self-propagating malware.
Recently, coordinated attack campaigns have become more widespread on the Internet. In May 2017, WannaCry infected more than 300,000 machines in 150 countries within a few days and had a large impact on critical infrastructure. Existing threat sharing platforms cannot easily adapt to emerging attack patterns. At the same time, enterprises have started to adopt machine learning-based threat detection tools in their local networks. In this paper, we pose the question: "What information can defenders share across multiple networks to help machine learning-based threat detection adapt to new coordinated attacks?" We propose three information sharing methods across two networks, and show how the shared information can be used in a machine-learning network-traffic model to significantly improve its ability to detect evasive self-propagating malware.