Thursday , January 21 2021

Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection

Juan HUANG1,2, Zhemin AN1,2, Steven MECKL1, Gheorghe TECUCI1,2*, Dorin MARCU1
1 Learning Agents Center
2 Department of Computer Science, George Mason University, Fairfax, Virginia, 22030, USA,,, (*Corresponding author),

Abstract: Large CSOCs (cybersecurity operation centers) must analyze tens of thousands of security incidents per day. Not only that there are not enough cybersecurity analysts available but the average cost of a cybersecurity analyst keeps going up. This paper presents a novel approach to the detection of APTs (advanced persistent threats), where an expert cybersecurity analyst directly teaches (rather than programs) a cognitive agent how to investigate cybersecurity alerts, as the analyst would teach a student, through explained examples of investigations. It then presents two complementary instantiations of this approach, as implemented in ADONIS (Automating the ATT&CKTM-based Detection Of Novel Network Intrusions System) and CAAPT (Cognitive Agent for APT detection). ADONIS detects adversary’s behavior in terms of MITRE’s ATT&CK (Adversarial Tactics, Techniques & Common Knowledge), independent of specific malware and tools. It can therefore detect novel intrusions, but is expected to be less efficient because of the multitude of tactics and techniques that can be employed. CAAPT only detects known malware based on combinations of weak IOCs (indicators of compromise) and, as demonstrated by the experimental results, is efficient. Therefore, once a new malware is detected with ADONIS, its IOCs can be identified and CAAPT can be trained to rapidly detect it. This instructable agents approach promises to significantly reduce the cost of operating the CSOCs and improve their detection performance by automating much of the analysts’ investigative activity. It increases the probability of detecting intrusion activity and reduces the false positive detections presented to the analysts who can spend their time on more complex tasks and on teaching the agents.

Keywords: Cybersecurity, Intrusion detection, Instructable agent, Evidence-based reasoning, Artificial intelligence.


Juan HUANG, Zhemin AN, Steven MECKL, Gheorghe TECUCI, Dorin MARCUComplementary Approaches to Instructable Agents for Advanced Persistent Threats Detection, Studies in Informatics and Control, ISSN 1220-1766, vol. 29(3), pp. 269-282, 2020.