A Modular Framework for Rapidly Building Intrusion Predictors
This work addresses the challenge of predicting hundreds of cataloged attack types in real time for IT security, an incremental improvement over existing monolithic intrusion predictors. It proposes a modular framework that assembles online predictors from reusable components, and demonstrates the approach on public datasets with examples of dynamically assembled predictors.
We study automated intrusion prediction in an IT system using statistical learning methods. The focus is on developing online attack predictors that detect attacks in real time and identify the current stage of the attack. While such predictors have been proposed in the recent literature, these works typically rely on constructing a monolithic predictor tailored to a specific attack type and scenario. Given that hundreds of attack types are cataloged in the MITRE framework, training a separate monolithic predictor for each of them is infeasible. In this paper, we propose a modular framework for rapidly assembling online attack predictors from reusable components. The modular nature of a predictor facilitates controlling key metrics like timeliness and accuracy of prediction, as well as tuning the trade-off between them. Using public datasets for training and evaluation, we provide many examples of modular predictors and show how an effective predictor can be dynamically assembled during training from a network of modular components.
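To make the abstract's idea of a predictor assembled from reusable, per-stage components concrete, here is an added toy illustration written for this page. It is not the paper's framework or code: the stage names, the scoring modules, the evidence-threshold `tau`, and the labelled event stream are all constructed for the example. Each module contributes evidence for one attack stage, the predictor reports the highest stage whose evidence has crossed `tau`, and evaluating two values of `tau` on the same stream shows the timeliness/accuracy trade-off the abstract refers to: a low threshold alerts as soon as the attack begins but raises false positives on benign noise, while a high threshold is more accurate but detects later.

```python
"""Toy modular intrusion predictor (illustrative, not the paper's framework).

Reusable per-stage evidence modules are assembled into one online predictor
whose threshold `tau` trades timeliness against accuracy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Attack stages in progression order; names are assumed for the illustration.
STAGES = ["benign", "recon", "initial_access", "privilege_escalation", "exfiltration"]


@dataclass
class Module:
    """A reusable component: looks at one event (plus evidence gathered so far)
    and returns how much evidence it adds for its own stage."""
    name: str
    stage: int
    score: Callable[[dict, Dict[int, float]], float]


# --- Example modules (constructed, deliberately simple heuristics) ----------
def failed_login(ev: dict, evidence: Dict[int, float]) -> float:
    return 0.4 if ev.get("type") == "login" and ev.get("result") == "fail" else 0.0


def port_scan(ev: dict, evidence: Dict[int, float]) -> float:
    return 1.0 if ev.get("type") == "net" and ev.get("dst_ports", 0) >= 20 else 0.0


def login_after_bruteforce(ev: dict, evidence: Dict[int, float]) -> float:
    # Chained module: a successful login only counts once recon evidence exists.
    ok = ev.get("type") == "login" and ev.get("result") == "success"
    return 1.0 if ok and evidence.get(1, 0.0) >= 1.0 else 0.0


def sudo_shell(ev: dict, evidence: Dict[int, float]) -> float:
    return 1.0 if ev.get("type") == "cmd" and ev.get("cmd", "").startswith("sudo") else 0.0


def large_egress(ev: dict, evidence: Dict[int, float]) -> float:
    return 1.0 if ev.get("type") == "net" and ev.get("bytes_out", 0) > 1_000_000 else 0.0


MODULES = [
    Module("failed_login", 1, failed_login),
    Module("port_scan", 1, port_scan),
    Module("login_after_bruteforce", 2, login_after_bruteforce),
    Module("sudo_shell", 3, sudo_shell),
    Module("large_egress", 4, large_egress),
]


class ModularPredictor:
    """Online predictor assembled from a list of modules."""

    def __init__(self, modules: List[Module], tau: float):
        self.modules = modules
        self.tau = tau  # evidence required before a stage is reported
        self.evidence: Dict[int, float] = {}

    def observe(self, ev: dict) -> int:
        """Consume one event and return the predicted current attack stage (0 = benign)."""
        for m in self.modules:
            self.evidence[m.stage] = self.evidence.get(m.stage, 0.0) + m.score(ev, self.evidence)
        reached = [s for s, e in self.evidence.items() if e >= self.tau]
        return max(reached) if reached else 0


# Constructed event stream with ground-truth stage labels (0 = benign).
STREAM: List[Tuple[dict, int]] = [
    ({"type": "login", "result": "success", "user": "alice"}, 0),
    ({"type": "login", "result": "fail", "user": "bob"}, 0),   # benign typo
    ({"type": "net", "dst_ports": 1}, 0),
    ({"type": "login", "result": "fail", "user": "svc"}, 1),
    ({"type": "login", "result": "fail", "user": "svc"}, 1),
    ({"type": "login", "result": "fail", "user": "svc"}, 1),
    ({"type": "net", "dst_ports": 40}, 1),
    ({"type": "login", "result": "success", "user": "svc"}, 2),
    ({"type": "cmd", "cmd": "sudo bash"}, 3),
    ({"type": "net", "bytes_out": 5_000_000}, 4),
]


def evaluate(tau: float) -> dict:
    """Run the assembled predictor over STREAM and report accuracy,
    false positives on benign events, and detection delay (events after
    the attack starts until the first non-benign prediction)."""
    predictor = ModularPredictor(MODULES, tau)
    preds = [predictor.observe(ev) for ev, _ in STREAM]
    labels = [lab for _, lab in STREAM]
    attack_start = next(i for i, lab in enumerate(labels) if lab > 0)
    first_alert = next(i for i in range(attack_start, len(preds)) if preds[i] > 0)
    return {
        "accuracy": sum(p == lab for p, lab in zip(preds, labels)) / len(labels),
        "false_positives": sum(1 for p, lab in zip(preds, labels) if lab == 0 and p > 0),
        "detection_delay": first_alert - attack_start,
    }


if __name__ == "__main__":
    for tau in (0.3, 1.0):
        print(f"tau={tau}: {evaluate(tau)}")
```

Running it shows the trade-off directly: `tau=0.3` detects with zero delay but flags two benign events, whereas `tau=1.0` has no false positives but detects one event later. In a real framework the modules would be trained components and the evidence would typically decay over time; here the accumulation is kept additive so the behaviour is easy to follow.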