
dc.contributor.author
Almukaynizi, Mohammed  
dc.contributor.author
Marin, Ericsson  
dc.contributor.author
Shah, Malay  
dc.contributor.author
Nunes, Eric  
dc.contributor.author
Simari, Gerardo  
dc.contributor.author
Shakarian, Paulo  
dc.contributor.other
Sikos, Leslie F.  
dc.contributor.other
Choo, Kim Kwang Raymond  
dc.date.available
2021-05-11T18:31:56Z  
dc.date.issued
2020  
dc.identifier.citation
Almukaynizi, Mohammed; Marin, Ericsson; Shah, Malay; Nunes, Eric; Simari, Gerardo; et al.; A Logic Programming Approach to Predict Enterprise-Targeted Cyberattacks; Springer Nature Switzerland AG; 177; 2020; 13-32  
dc.identifier.isbn
978-3-030-38788-4  
dc.identifier.issn
1868-4394  
dc.identifier.uri
http://hdl.handle.net/11336/131839  
dc.description.abstract
Although cybersecurity research has demonstrated that many of the recent cyberattacks targeting real-world organizations could have been avoided, proactively identifying and systematically understanding when and why those events are likely to occur is still challenging. It has earlier been shown that monitoring malicious hacker discussions about software vulnerabilities in the Dark web and Deep web platforms (D2web) is indicative of future cyberattack incidents. Based on this finding, a system generating warnings of cyberattack incidents was previously developed. However, key limitations to this approach are (1) the strong reliance on explicit software vulnerability mentions from malicious hackers, and (2) the inability to adapt to the ephemeral, constantly changing nature of D2web sites. In this chapter, we address those limitations by leveraging indicators that capture aggregate discussion trends identified from the context of hacker discussions across multiple hacker community websites. Our approach is evaluated on real-world, enterprise-targeted attack events of malicious emails. Compared to a baseline statistical prediction model, our approach provides a better precision-recall tradeoff. In addition, it produces actionable, transparent predictions that provide details about the observed hacker activity and the reasoning that led to a certain decision. Moreover, when the predictions of our approach are fused with the predictions of the statistical prediction model, recall can be improved by over 14% while maintaining precision.  
dc.format
application/pdf  
dc.language.iso
eng  
dc.publisher
Springer Nature Switzerland AG  
dc.rights
info:eu-repo/semantics/restrictedAccess  
dc.rights.uri
https://creativecommons.org/licenses/by-nc-sa/2.5/ar/  
dc.source
https://link.springer.com/bookseries/8578  
dc.subject
CYBERATTACK  
dc.subject
PREDICTION MODEL  
dc.subject
CYBERSECURITY  
dc.subject
HACKERS  
dc.subject.classification
Computer Science  
dc.subject.classification
Computer and Information Sciences  
dc.subject.classification
NATURAL AND EXACT SCIENCES  
dc.title
A Logic Programming Approach to Predict Enterprise-Targeted Cyberattacks  
dc.type
info:eu-repo/semantics/publishedVersion  
dc.type
info:eu-repo/semantics/bookPart  
dc.type
info:ar-repo/semantics/parte de libro  
dc.date.updated
2021-04-12T15:51:36Z  
dc.identifier.eissn
1868-4408  
dc.journal.volume
177  
dc.journal.pagination
13-32  
dc.journal.pais
Switzerland  
dc.journal.ciudad
Cham  
dc.description.fil
Affiliation: Almukaynizi, Mohammed. Arizona State University; United States  
dc.description.fil
Affiliation: Marin, Ericsson. Arizona State University; United States  
dc.description.fil
Affiliation: Shah, Malay. Cyber Reconnaissance Inc.; United States  
dc.description.fil
Affiliation: Nunes, Eric. Arizona State University; United States  
dc.description.fil
Affiliation: Simari, Gerardo. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Bahía Blanca. Instituto de Ciencias e Ingeniería de la Computación. Universidad Nacional del Sur. Departamento de Ciencias e Ingeniería de la Computación. Instituto de Ciencias e Ingeniería de la Computación; Argentina  
dc.description.fil
Affiliation: Shakarian, Paulo. Arizona State University; United States  
dc.relation.alternativeid
info:eu-repo/semantics/altIdentifier/url/https://link.springer.com/chapter/10.1007/978-3-030-38788-4_2  
dc.relation.alternativeid
info:eu-repo/semantics/altIdentifier/doi/https://doi.org/10.1007/978-3-030-38788-4_2  
dc.conicet.paginas
XII; 129  
dc.source.titulo
Data Science in Cybersecurity and Cyberthreat Intelligence