Cyber Threat Prediction with Machine Learning

  • Kok A
  • Ilic Mestric I
  • Valiyev G
  • et al.

Abstract

In this paper we address the approaches, techniques and results of applying machine learning techniques for cyber threat prediction. Timely discovery of advanced persistent threats is of utmost importance for the protection of NATO’s and its allies’ networks. Therefore, NATO and the NATO Communication and Information Agency’s Cyber Security service line are constantly looking for improvements. During the Coalition Warrior Interoperability Exercise (CWIX), event data was captured from a Red-Blue Team Simulation. The data set was then used to apply a variety of machine learning techniques: deep learning, auto-encoding and clustering with outliers.

Article Info

Received: 08 July 2020; Revised: 14 Sep 2020; Online: 22 Sep 2020

Keywords

cybersecurity, machine learning, deep learning, auto-encoding, DBSCAN, clustering with outliers, MITRE ATT&CK framework, KNIME Analytics Platform

License: Creative Commons BY-NC 4.0

A. Kok, I. Ilic Mestric, G. Valiyev & M. Street, ISIJ 47, no. 2 (2020): 203-220

Introduction

The NATO Communication and Information Agency (NCIA) Data Science Team supports projects related to data, (advanced) analytics, machine learning and visualization. This paper describes an increasingly popular area of Cyber Security and how Machine Learning techniques were used for Threat Detection, or, more accurately, Threat Prediction. Timely discovery of Advanced Persistent Threats (APT) is of utmost importance for the protection of NATO’s and its allies’ networks. Hackers apply different techniques over longer periods when targeting a network. Cyber Security experts are tasked to detect the techniques, determine the tactics and recognize the APT. The experiments executed and described in this paper address data preparation and machine learning for technique and tactic prediction, potentially preparing for APT discovery. Experiments for both known and unknown techniques are explored.
Cyber Security Simulation

NATO Allied Command Transformation (ACT), supported by the NATO Communication and Information Agency (NCI Agency), performed a Cyber Security exercise, including a Red-Blue Team Simulation, during the 2019 Coalition Warrior Interoperability Exercise (CWIX) in Poland. During this exercise’s simulation the red team used known hacking techniques, while the blue team tried to detect them. The simulation took place on an isolated network with simulated user activity. During the simulation NATO’s Cyber Security experts compared the detection methods already implemented with methods enriched by MITRE and the MITRE ATT&CK™ framework. MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Resulting from the simulation exercise, among other results, extracts of all captured Windows event logs and MITRE threat detection logs were made available to NCI Agency’s Data Science team. In total 93 million Windows event log entries and 75 thousand MITRE threat detection log entries were provided. Windows event logs included:

Citation (APA)

Kok, A., Ilic Mestric, I., Valiyev, G., & Street, M. (2020). Cyber Threat Prediction with Machine Learning. Information & Security: An International Journal, 47(2), 203–220. https://doi.org/10.11610/isij.4714
