DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.

[1]  Воробьев Антон Александрович Анализ уязвимостей вычислительных систем на основе алгебраических структур и потоков данных National Vulnerability Database , 2013 .

[2]  Bud Mishra,et al.  The Temporal Logic of Causal Structures , 2009, UAI.

[3]  Paulo Shakarian,et al.  Annotated probabilistic temporal logic , 2011, TOCL.

[4]  Christopher J. Novak,et al.  2009 Data Breach Investigations Report , 2009 .

[5]  Paulo Shakarian,et al.  Proactive identification of exploits in the wild through vulnerability mentions online , 2017, 2017 International Conference on Cyber Conflict (CyCon U.S.).

[6]  Paulo Shakarian,et al.  Annotated Probabilistic Temporal Logic: Approximate Fixpoint Implementation , 2012, TOCL.

[7]  J. Munkres ALGORITHMS FOR THE ASSIGNMENT AND TRANSIORTATION tROBLEMS* , 1957 .

[8]  Michael D. Ward,et al.  Improving Predictions using Ensemble Bayesian Model Averaging , 2012, Political Analysis.

[9]  Paulo Shakarian,et al.  Mining for Causal Relationships: A Data-Driven Study of the Islamic State , 2015, KDD.

[10]  Stefan Savage,et al.  An analysis of underground forums , 2011, IMC '11.

[11]  Milind Tambe,et al.  Addressing Scalability and Robustness in Security Games with Multiple Boundedly Rational Adversaries , 2014, GameSec.

[12]  P. Suppes A Probabilistic Theory Of Causality , 1970 .

[13]  Luca Allodi,et al.  Economic Factors of Vulnerability Trade and Exploitation , 2017, CCS.

[14]  Ahmad Diab,et al.  Darknet and deepnet mining for proactive cybersecurity threat intelligence , 2016, 2016 IEEE Conference on Intelligence and Security Informatics (ISI).

[15]  Paulo Shakarian,et al.  Data Driven Game Theoretic Cyber Threat Mitigation , 2016, AAAI.

[16]  Paulo Shakarian,et al.  DarkEmbed: Exploit Prediction With Neural Language Models , 2018, AAAI.