A Causal Graph-Based Approach for APT Predictive Analytics

Abstract

In recent years, complex multi-stage cyberattacks have become more common, for which audit log data are a good source of information for online monitoring. However, predicting cyber threat events based on audit logs remains an open research problem. This paper explores advanced persistent threat (APT) audit log information and uses a combination of causal graphs and deep learning techniques to perform predictive analysis of APT. The study focuses on two different methods of constructing malicious activity scenarios, including those based on malicious entity evolving graphs and malicious entity neighborhood graphs. Deep learning networks are then utilized to learn from past malicious activity scenarios and predict specific malicious attack events. To validate the effectiveness of this approach, audit log data published by DARPA’s Transparent Computing Program and restored by ATLAS are used to demonstrate the confidence of the prediction results and recommend the most effective malicious event prediction by Top-N.