A Modular Framework for Rapidly Building Intrusion Predictors
Xiaoxuan Wang, Rolf Stadler
TL;DR
The paper tackles the infeasibility of training a separate monolithic intrusion predictor for each of the hundreds of attack types cataloged in MITRE ATT&CK by introducing a modular, component-based framework that assembles online predictors from reusable building blocks. The approach enables real-time attack-stage prediction, integration of existing systems like Snort, and tunable trade-offs among accuracy, timeliness, and resource use. Through experiments on three public, multi-stage datasets, it demonstrates that 2–4 component chains suffice for effective prediction and introduces a gradual predictor selection method to manage combinatorial complexity. This modular paradigm offers scalable, adaptable intrusion prediction suitable for diverse environments and constraints, advancing practical situational awareness for defenders and automated systems.
Abstract
We study automated intrusion prediction in an IT system using statistical learning methods. The focus is on developing online attack predictors that detect attacks in real time and identify the current stage of the attack. While such predictors have been proposed in the recent literature, these works typically rely on constructing a monolithic predictor tailored to a specific attack type and scenario. Given that hundreds of attack types are cataloged in the MITRE framework, training a separate monolithic predictor for each of them is infeasible. In this paper, we propose a modular framework for rapidly assembling online attack predictors from reusable components. The modular nature of a predictor facilitates controlling key metrics like timeliness and accuracy of prediction, as well as tuning the trade-off between them. Using public datasets for training and evaluation, we provide many examples of modular predictors and show how an effective predictor can be dynamically assembled during training from a network of modular components.
