Forecasting Network Intrusions from Security Logs Using LSTMs

Abstract

Computer network intrusions are of increasing concern to governments, companies, and other institutions. While technologies such as Intrusion Detection Systems (IDS) are growing in sophistication and adoption, early warning of intrusion attempts could help cybersecurity practitioners put defenses in place early and mitigate the effects of cyberattacks. It is widely known that cyberattacks progress through stages, which suggests that forecasting network intrusions may be possible if we are able to identify certain precursors. Despite this potential, forecasting intrusions remains a difficult problem. By leveraging the rapidly growing and widely varying data available from network monitoring and Security Information and Event Management (SIEM) systems, as well as recent advances in deep learning, we introduce a novel intrusion forecasting application. Using six months of data from a real, large organization, we demonstrate that this provides improved intrusion forecasting accuracy compared to existing methods.

Cite

Mueller, W. G., Memory, A., & Bartrem, K. (2020). Forecasting Network Intrusions from Security Logs Using LSTMs. In Communications in Computer and Information Science (Vol. 1271 CCIS, pp. 122–137). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-59621-7_7
