
Forecasting Attacker Actions using Alert-driven Attack Graphs

Ion Băbălău, Azqa Nadeem

TL;DR

This work tackles SOC alert fatigue by turning alert-driven attack graphs (AGs) into an action forecasting tool. It builds on the SAGE framework by reversing the suffix-based PDFA into an rSPDFA to predict the next attacker action from partial alert paths and by enabling real-time AG evolution as new alerts arrive. Empirical evaluation across three real-world datasets shows the rSPDFA-based forecasting achieving an average top-3 accuracy of 67.27%, with substantial improvements over baselines, and six SOC analysts report improved prioritization and real-time remediation decisions. Overall, the approach enhances proactive incident response and situational awareness by providing early warnings of likely attacker moves and continuously updated attack narratives, with code released for reproducibility.

Abstract

While intrusion detection systems form the first line of defense against cyberattacks, they often generate an overwhelming volume of alerts, leading to alert fatigue among security operations center (SOC) analysts. Alert-driven attack graphs (AGs) have been developed to reduce alert fatigue by automatically discovering attack paths in intrusion alerts. However, they only work in offline settings and cannot prioritize critical attack paths. This paper builds an action forecasting capability on top of the existing alert-driven AG framework for predicting the next likely attacker action given a sequence of observed actions, thus enabling analysts to prioritize non-trivial attack paths. We also modify the framework to build AGs in real time, as new alerts are triggered. This way, we convert alert-driven AGs into an early warning system that enables analysts to circumvent ongoing attacks and break the cyber kill chain. We propose an expectation maximization approach to forecast future actions in a reversed suffix-based probabilistic deterministic finite automaton (rSPDFA). By utilizing three real-world intrusion and endpoint alert datasets, we empirically demonstrate that the best-performing rSPDFA achieves an average top-3 accuracy of 67.27%, which reflects a 57.17% improvement over three baselines, on average. We also invite six SOC analysts to use the evolving AGs in two scenarios. Their responses suggest that the action forecasts help them prioritize critical incidents, while the evolving AGs enable them to choose countermeasures in real time.
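As an added illustration that is not the paper's code, the Python below stands in a plain suffix-context count model with back-off for the task the abstract describes: rank the next likely attack stage given an observed prefix of alert-derived actions, and score top-k accuracy. It is a deliberate simplification, not the authors' rSPDFA or expectation maximization procedure, and the traces and stage labels are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed training traces (not from the paper's datasets): each is the
# sequence of attack-stage labels observed for one attacker-victim pair.
TRACES = [
    ["scan", "vuln_discovery", "exploit", "data_manipulation"],
    ["scan", "vuln_discovery", "exploit", "data_exfiltration"],
    ["scan", "vuln_discovery", "exploit", "data_manipulation"],
    ["scan", "brute_force", "exploit", "data_manipulation"],
    ["scan", "brute_force", "priv_esc", "data_exfiltration"],
    ["vuln_discovery", "exploit", "data_manipulation"],
    ["scan", "vuln_discovery", "exploit", "data_manipulation"],
    ["scan", "vuln_discovery", "exploit", "data_manipulation"],
]

def build_suffix_model(traces, max_order=3):
    """Count which action follows each suffix (up to max_order symbols) of
    the observed prefix. The empty suffix () is the order-0 fallback."""
    counts = defaultdict(Counter)
    for trace in traces:
        for i, action in enumerate(trace):
            for k in range(min(i, max_order) + 1):
                counts[tuple(trace[i - k:i])][action] += 1
    return counts

def forecast(model, observed, max_order=3, top=3):
    """Rank next actions using the longest suffix of `observed` the model
    has seen (back-off). Returns (ranked list, suffix length used)."""
    for k in range(min(len(observed), max_order), -1, -1):
        ctx = tuple(observed[len(observed) - k:])
        if ctx in model:
            total = sum(model[ctx].values())
            ranked = [(a, c / total) for a, c in model[ctx].most_common(top)]
            return ranked, k
    return [], 0

def top_k_accuracy(model, test_traces, k=3, max_order=3):
    """Fraction of positions where the true next action is in the top-k
    forecast, the metric the paper reports as top-3 accuracy."""
    hits = total = 0
    for trace in test_traces:
        for i in range(1, len(trace)):
            ranked, _ = forecast(model, trace[:i], max_order, top=k)
            hits += trace[i] in [a for a, _ in ranked]
            total += 1
    return hits / total if total else 0.0

if __name__ == "__main__":
    model = build_suffix_model(TRACES)
    print(forecast(model, ["scan", "vuln_discovery", "exploit"]))
```

With an unseen suffix such as `["priv_esc", "exploit"]` the forecast backs off to the one-symbol context `("exploit",)`, which is the behaviour a partial alert path needs when the full prefix was never observed in training.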

Paper Structure (31 sections, 8 equations, 10 figures, 3 tables)

Figures (10)

  • Figure 2: (a) An exemplary S-PDFA. (b) Reversed rSPDFA from a. (c) PDFA learned from the same traces as a and b when they are not reversed. (d) An rSPDFA for demonstrating the abilities of traversal strategies FS, AS, HC.
  • Figure 3: The alert severity distribution in the experimental datasets. High-severity alerts are the most infrequent alerts.
  • Figure 4: Data manipulation conducted over http for victim 10.0.0.24 showing one observed path and one partial path with an 87.5% probability of ending in data manipulation.
  • Figure 5: Scenario 1 (a-b) shows two AGs generated from the Pentest dataset for Host16 approximately one hour apart from each other, representing an ongoing attack campaign. Scenario 2 (c) shows an AG generated from CPTC-2018 dataset for the host 10.0.1.40, suggesting that the attacker will likely perform data manipulation next using http with a probability of 87.5%.