Abstract
System calls performed during host-based cyber attacks are often recorded in audit logs. As log files grow in both size and complexity, detecting attacks, let alone specific phases of an attack, becomes more difficult. Recently published literature focuses on attack detection rather than classification. An end-to-end AI system such as Cyberian adds the ability to identify the phases of a host-based cyber attack from a system call log by analyzing the extracted attack sequence and its respective provenance graph. Even so, Cyberian in its current form still has difficulty classifying the attack itself. In this research we add an inference step to Cyberian, a hidden Markov model (HMM), that takes a sequence of system calls and infers a high-level sequence of abstracted actions, which we refer to as a storyline. The storyline explains the attack in a more human-readable form. We show that the HMM step significantly improves Cyberian's attack classification.
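The abstract describes the HMM step only at a high level: observed system calls are emitted by hidden abstract actions, and decoding recovers the most likely action sequence. The following Python example, added here to illustrate that idea and not taken from the paper or from Cyberian, implements Viterbi decoding over a constructed toy model. The four actions (recon, stage, execute, exfil), the six-syscall vocabulary, all transition and emission probabilities, and the ausearch -i style log lines are assumptions invented for the example; the paper's actual state set, parameters and log format are not reproduced.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed toy model (all values invented for this example).
# Hidden states are abstract attack actions; observations are syscall names.
ACTIONS = ["recon", "stage", "execute", "exfil"]
INITIAL = {"recon": 0.7, "stage": 0.1, "execute": 0.1, "exfil": 0.1}
TRANSITION = {
    "recon":   {"recon": 0.6,  "stage": 0.3,  "execute": 0.05, "exfil": 0.05},
    "stage":   {"recon": 0.05, "stage": 0.6,  "execute": 0.3,  "exfil": 0.05},
    "execute": {"recon": 0.05, "stage": 0.05, "execute": 0.5,  "exfil": 0.4},
    "exfil":   {"recon": 0.05, "stage": 0.05, "execute": 0.15, "exfil": 0.75},
}
EMISSION = {
    "recon":   {"stat": 0.45, "getdents": 0.45, "connect": 0.02, "write": 0.02, "execve": 0.02, "sendto": 0.04},
    "stage":   {"stat": 0.05, "getdents": 0.05, "connect": 0.40, "write": 0.40, "execve": 0.05, "sendto": 0.05},
    "execute": {"stat": 0.05, "getdents": 0.05, "connect": 0.05, "write": 0.05, "execve": 0.75, "sendto": 0.05},
    "exfil":   {"stat": 0.05, "getdents": 0.05, "connect": 0.15, "write": 0.05, "execve": 0.05, "sendto": 0.65},
}
VOCAB = set(EMISSION["recon"])

SYSCALL_RE = re.compile(r"\bsyscall=(\w+)")


def parse_audit_syscalls(lines: List[str]) -> List[str]:
    """Extract syscall names from SYSCALL records (ausearch -i style, assumed format).
    Non-SYSCALL records and syscalls outside the toy vocabulary are dropped."""
    calls = []
    for line in lines:
        if "type=SYSCALL" not in line:
            continue
        m = SYSCALL_RE.search(line)
        if m and m.group(1) in VOCAB:
            calls.append(m.group(1))
    return calls


def viterbi(observations: List[str]) -> List[str]:
    """Most probable hidden action sequence for the observed syscalls (log domain)."""
    if not observations:
        return []
    log = math.log
    # score[t][s]: best log-probability of any path ending in action s at step t
    score = [{s: log(INITIAL[s]) + log(EMISSION[s][observations[0]]) for s in ACTIONS}]
    back: List[Dict[str, str]] = [{}]  # back[t][s]: predecessor of s at step t
    for obs in observations[1:]:
        prev = score[-1]
        cur, ptr = {}, {}
        for s in ACTIONS:
            best_prev = max(ACTIONS, key=lambda p: prev[p] + log(TRANSITION[p][s]))
            cur[s] = prev[best_prev] + log(TRANSITION[best_prev][s]) + log(EMISSION[s][obs])
            ptr[s] = best_prev
        score.append(cur)
        back.append(ptr)
    # Backtrack from the best final action.
    state = max(ACTIONS, key=lambda s: score[-1][s])
    path = [state]
    for ptr in reversed(back[1:]):
        state = ptr[state]
        path.append(state)
    return path[::-1]


def storyline(actions: List[str]) -> List[Tuple[str, int]]:
    """Collapse per-syscall action labels into (action, run length) segments."""
    segments: List[Tuple[str, int]] = []
    for a in actions:
        if segments and segments[-1][0] == a:
            segments[-1] = (a, segments[-1][1] + 1)
        else:
            segments.append((a, 1))
    return segments


# Constructed sample log, abbreviated; not a real capture.
SAMPLE_LOG = [
    "type=SYSCALL msg=audit(01/02/24 10:00:01.101:1) : arch=x86_64 syscall=stat success=yes exe=/usr/bin/find",
    "type=PROCTITLE msg=audit(01/02/24 10:00:01.101:1) : proctitle=find / -perm -4000",
    "type=SYSCALL msg=audit(01/02/24 10:00:01.120:2) : arch=x86_64 syscall=getdents success=yes exe=/usr/bin/find",
    "type=SYSCALL msg=audit(01/02/24 10:00:01.131:3) : arch=x86_64 syscall=stat success=yes exe=/usr/bin/find",
    "type=SYSCALL msg=audit(01/02/24 10:00:02.005:4) : arch=x86_64 syscall=connect success=yes exe=/usr/bin/curl",
    "type=SYSCALL msg=audit(01/02/24 10:00:02.300:5) : arch=x86_64 syscall=write success=yes exe=/usr/bin/curl",
    "type=SYSCALL msg=audit(01/02/24 10:00:02.310:6) : arch=x86_64 syscall=write success=yes exe=/usr/bin/curl",
    "type=SYSCALL msg=audit(01/02/24 10:00:02.320:7) : arch=x86_64 syscall=close success=yes exe=/usr/bin/curl",
    "type=SYSCALL msg=audit(01/02/24 10:00:03.000:8) : arch=x86_64 syscall=execve success=yes exe=/tmp/.x",
    "type=SYSCALL msg=audit(01/02/24 10:00:03.050:9) : arch=x86_64 syscall=connect success=yes exe=/tmp/.x",
    "type=SYSCALL msg=audit(01/02/24 10:00:03.060:10) : arch=x86_64 syscall=sendto success=yes exe=/tmp/.x",
    "type=SYSCALL msg=audit(01/02/24 10:00:03.070:11) : arch=x86_64 syscall=sendto success=yes exe=/tmp/.x",
]


def main() -> None:
    calls = parse_audit_syscalls(SAMPLE_LOG)
    for action, n in storyline(viterbi(calls)):
        print(f"{action:8s} x{n}")


if __name__ == "__main__":
    main()
```

Note that the second connect is decoded as exfil rather than stage because the decoder scores whole paths: the two sendto calls that follow make an exfil run the more probable explanation. That context sensitivity is what a per-syscall lookup table cannot provide, and it is the reason the storyline is more readable than the raw call list.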