Use of Graph Neural Networks in Aiding Defensive Cyber Operations

Shaswata Mitra, Trisha Chakraborty, Subash Neupane, Aritran Piplai, Sudip Mittal

TL;DR

This paper looks into the application of GNNs in aiding defenders to break each stage of one of the most renowned attack life cycles, the Lockheed Martin Cyber Kill Chain (CKC), and discusses how GNNs contribute to preparing for and preventing an attack from a defensive standpoint.

Abstract

In an increasingly interconnected world, where information is the lifeblood of modern society, regular cyber-attacks sabotage the confidentiality, integrity, and availability of digital systems and information. Additionally, cyber-attacks differ depending on the objective and evolve rapidly to evade defensive systems. However, a typical cyber-attack demonstrates a series of stages from attack initiation to final resolution, called an attack life cycle. These diverse characteristics and the relentless evolution of cyber-attacks have led cyber defense to adopt modern approaches like Machine Learning to bolster defensive measures and break the attack life cycle. Among the adopted ML approaches, Graph Neural Networks have emerged as a promising approach for enhancing the effectiveness of defensive measures due to their ability to process and learn from heterogeneous cyber threat data. In this paper, we look into the application of GNNs in aiding defenders to break each stage of one of the most renowned attack life cycles, the Lockheed Martin Cyber Kill Chain. We address each phase of CKC and discuss how GNNs contribute to preparing for and preventing an attack from a defensive standpoint. Furthermore, we also discuss open research areas and scope for further improvement.

Paper Structure (45 sections, 10 equations, 9 figures, 9 tables)

Figures (9)

  • Figure 1: Illustration of GNN aggregate and update functions. Each node $v$ of the input graph $G$ aggregates the embeddings $h_u^{(k)}$ from its neighbourhood $\mathcal{N}(v)$ over $k$ iterations. Then the node embedding of node $v$ is updated, denoted by $a_v$. The final updated nodes are passed through a neural network for prediction. [Icons from flaticon]
  • Figure 2: Overview of our proposed taxonomy. We considered seven phases of the cyber kill chain (CKC) [Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives] with possible attacker activities. For prevention, we consider seven defensive phases [Privacy Maintenance, Research, Anomaly Detection, Vulnerability Detection, Intrusion Detection, Malware Detection, Report] with measures to counter and break the CKC from culmination.
  • Figure 3: Privacy Maintenance as a security measure against reconnaissance to obfuscate victim information.
  • Figure 4: Research as a proactive measure against weaponization to prepare against possible attack.
  • Figure 5: Anomaly Detection to detect malicious payload against weaponization to prepare against possible attack.
  • ...and 4 more figures
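As an added illustration of the aggregate-and-update step sketched in Figure 1 (example code written for this page, not the authors' implementation), the block below runs $k$ rounds of message passing over a small constructed host-communication graph and then applies a prediction head to the updated embeddings $a_v$. Mean aggregation, the two-dimensional node features, and the hand-set weights standing in for trained parameters are all assumptions made for the example.

```python
import math

# Constructed example graph: 5 hosts, undirected edges = observed network flows.
# Node features h^(0): [scaled bytes_out, scaled failed_logins] (made-up values).
EDGES = [(0, 1), (1, 2), (1, 3), (3, 4)]
H0 = {0: [0.2, 0.0], 1: [0.9, 0.1], 2: [0.1, 0.0], 3: [0.8, 0.9], 4: [0.3, 0.7]}

def neighbourhood(edges, n_nodes):
    """N(v): the set of neighbours of each node v."""
    nbrs = {v: set() for v in range(n_nodes)}
    for u, v in edges:
        nbrs[u].add(v)
        nbrs[v].add(u)
    return nbrs

def aggregate(h, nbrs, v):
    """AGGREGATE: mean of the neighbour embeddings h_u^(k), u in N(v)."""
    dim = len(h[v])
    if not nbrs[v]:
        return [0.0] * dim          # isolated node: nothing to aggregate
    total = [0.0] * dim
    for u in nbrs[v]:
        for i in range(dim):
            total[i] += h[u][i]
    return [x / len(nbrs[v]) for x in total]

def update(h_v, msg, w_self, w_nbr):
    """UPDATE: a_v = ReLU(w_self * h_v + w_nbr * msg); scalar weights are assumed."""
    return [max(0.0, w_self * h_v[i] + w_nbr * msg[i]) for i in range(len(h_v))]

def gnn_layer(h, nbrs, w_self=1.0, w_nbr=1.0):
    """One message-passing iteration over every node of the graph."""
    return {v: update(h[v], aggregate(h, nbrs, v), w_self, w_nbr) for v in h}

def message_passing(k=1):
    """Run k aggregate/update rounds starting from H0; returns {v: a_v}."""
    nbrs = neighbourhood(EDGES, len(H0))
    h = H0
    for _ in range(k):
        h = gnn_layer(h, nbrs)
    return h

def readout(a_v, w=(0.5, 2.0), b=-2.0):
    """Prediction head: logistic score of an updated embedding (assumed weights)."""
    z = b + sum(wi * ai for wi, ai in zip(w, a_v))
    return 1.0 / (1.0 + math.exp(-z))

def rank_hosts(k=1):
    """Rank hosts by predicted score after k rounds; highest score first."""
    h = message_passing(k)
    return sorted(((readout(a), v) for v, a in h.items()), reverse=True)
```

Hosts 3 and 4 end up ranked highest because the failed-login feature of each is reinforced by the other's during aggregation, which is the neighbourhood effect a per-host classifier cannot see.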