BAN: Predicting APT Attack Based on Bayesian Network With MITRE ATT&CK Framework

Abstract

Since cyberattacks have become sophisticated in the form of advanced persistent threats (APTs), predicting and defending the APT attacks have drawn lots of attention. Although there have been related studies such as attack graphs, Hidden Markov Models, and Bayesian networks, they have four representative limitations; (i) non-standard attack modeling, (ii) lack of data-driven approaches, (iii) absence of real-world APT dataset, and (iv) high system dependability. In this paper, we propose Bayesian ATT&CK Network (BAN) which is based on system-independent data-driven approach. Specifically, BAN is based on Bayesian network, which adopts structure learning and parameter learning to model APT attackers with the MITRE ATT&CK® framework. The trained BAN aims to predict upcoming attack techniques and derives corresponding countermeasures. In addition, we prepare datasets via both automatic and manual labeling to overcome the data insufficiency issues of APT prediction. Experimental results show that BAN successfully contributes to handling APT attacks, given the best parameters extracted from extensive evaluations.