Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection

Juan HUANG^1,2, Zhemin AN^1,2, Steven MECKL¹, Gheorghe TECUCI^1,2*, Dorin MARCU^1
1 Learning Agents Center
² Department of Computer Science, George Mason University, Fairfax, Virginia, 22030, USA
jhuang21@gmu.edu, zan2@gmu.edu, smeckl@gmu.edu, tecuci@gmu.edu (*Corresponding author),
dmarcu@gmu.edu

Abstract: Large CSOCs (cybersecurity operation centers) must analyze tens of thousands of security incidents per day. Not only that there are not enough cybersecurity analysts available but the average cost of a cybersecurity analyst keeps going up. This paper presents a novel approach to the detection of APTs (advanced persistent threats), where an expert cybersecurity analyst directly teaches (rather than programs) a cognitive agent how to investigate cybersecurity alerts, as the analyst would teach a student, through explained examples of investigations. It then presents two complementary instantiations of this approach, as implemented in ADONIS (Automating the ATT&CK^TM-based Detection Of Novel Network Intrusions System) and CAAPT (Cognitive Agent for APT detection). ADONIS detects adversary’s behavior in terms of MITRE’s ATT&CK (Adversarial Tactics, Techniques & Common Knowledge), independent of specific malware and tools. It can therefore detect novel intrusions, but is expected to be less efficient because of the multitude of tactics and techniques that can be employed. CAAPT only detects known malware based on combinations of weak IOCs (indicators of compromise) and, as demonstrated by the experimental results, is efficient. Therefore, once a new malware is detected with ADONIS, its IOCs can be identified and CAAPT can be trained to rapidly detect it. This instructable agents approach promises to significantly reduce the cost of operating the CSOCs and improve their detection performance by automating much of the analysts’ investigative activity. It increases the probability of detecting intrusion activity and reduces the false positive detections presented to the analysts who can spend their time on more complex tasks and on teaching the agents.

Keywords: Cybersecurity, Intrusion detection, Instructable agent, Evidence-based reasoning, Artificial intelligence.

>>FULL TEXT: PDF

CITE THIS PAPER AS:
Juan HUANG, Zhemin AN, Steven MECKL, Gheorghe TECUCI, Dorin MARCU, Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection, Studies in Informatics and Control, ISSN 1220-1766, vol. 29(3), pp. 269-282, 2020. https://doi.org/10.24846/v29i3y202001