Differentiating and Predicting Cyberattack Behaviors Using LSTM

Classifying and predicting cyberattack behaviors are outstanding challenges due to the changing and broad attack surfaces as attackers penetrate into enterprise networks. The rise of Recurrent Neural Networks (RNNs) for temporally structured data in machine learning presents an opportunity to address these challenges, though it would require sufficient data and reasonable labels indicative of attack behaviors. This paper presents the use of RNNs to model penetration behaviors exhibited by ten teams in the 2017 Collegiate Penetration Testing Competition (CPTC'17). The Long-Short-Term-Memory (LSTM) models obtained by training on the CPTC data enable the assessment of the differentiability of attack behaviors across teams and the predictability of future actions. This first-of-its kind attempt presents observations and insights for how earlier attack actions may or may not be indicative of future behaviors. The paper concludes with future considerations to integrate the LSTM models and enable predictive analytics to defend against complex, multistage cyberattacks.