Accepted Papers at CNS'25
10 July 2025
Two papers accepted at the IEEE Conference on Communications and Network Security (CNS 2025)!
Abstract: Tagging Alerts to Adversaries: ML-Enabled Classification Using MITRE ATT&CK Framework
An intrusion detection system (IDS) in an enterprise network plays an important role in identifying and alerting on suspicious activity. The triggered alerts come mixed with false alarms, where a legitimate activity is mistakenly classified as malicious, which results in alert fatigue. Too many alerts that are not integrated and lack related context and correlation burden security analysts and make prioritization of threats more challenging. For security operations centers (SOCs) in an enterprise, this can result in critical alerts being overlooked or going undetected, so that serious attacks are not identified in time. Therefore, automated tagging of alerts for the prioritization of high-risk events is important. To overcome this challenge, we use machine learning (ML) to enrich IDS alerts with the real-world adversary information of the MITRE ATT&CK framework. In particular, we leverage the knowledge of the MITRE ATT&CK matrix for enterprise and apply multi-layer perceptron (MLP) and transformer-based learning in a novel way to uncover the possible correlation of alerts to known adversarial behaviors (or tactics). We evaluate our models on recent security logs from a real enterprise network and demonstrate an accuracy of up to 95% for our automated alert classification. Extensive experiments are also performed with publicly available datasets to demonstrate the performance of the transformer model and verify its effectiveness across different IDS setups.
Abstract: Real-Time Detection of Multi-Stage Attacks using Kill Chain State Machines
Cyber threats present an ongoing challenge for organisations worldwide. Attackers range from cyber criminals to state-funded groups with the specialised skill set to execute complex attacks and present an Advanced Persistent Threat (APT). Therefore, organisations use security monitoring as a second line of defence, detecting attacks with signatures that raise alarms when an Indicator of Compromise (IoC) is observed. However, current Intrusion Detection Systems (IDS) generate many false positives, leading to alert fatigue. The raised alerts also do not show the whole attack, as they have to be dissected individually. Our work presents a simplified approach that enables efficient, real-time reconstruction of attacks by correlating alerts. Tests with different network datasets suggest that our prioritisation mechanisms can reduce the number of false-positive alerts by 99%. Our performance evaluation indicates that we can detect multi-stage attacks in real time with a low memory footprint and short execution time.
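The two abstracts describe complementary halves of one pipeline: the first tags each IDS alert with a MITRE ATT&CK tactic, the second correlates alerts into kill-chain stages so that an isolated alert never reaches an analyst while a progressing chain does. The example below was written for this post to illustrate that idea; it is not code from either paper and does not reproduce their models or evaluation. Everything in it is assumed: the signature-to-tactic table stands in for the learned MLP/transformer classifier, the kill chain is a fixed linear order of tactics that may skip at most `MAX_GAP` stages, `10.0.0.0/8` is taken as the monitored network, and the alerts are constructed, not taken from any dataset.

```python
"""Added illustration: tactic-tagged alerts driving a per-host kill-chain
state machine. Not code from either CNS'25 paper; all names, the chain
order, the gap rule and the sample alerts are assumptions for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Simplified kill chain expressed as ordered ATT&CK enterprise tactics (assumed order).
KILL_CHAIN = ("reconnaissance", "initial-access", "execution", "persistence",
              "privilege-escalation", "lateral-movement", "exfiltration")
STAGE = {tactic: i for i, tactic in enumerate(KILL_CHAIN)}

# Hypothetical signature-name -> tactic table; stands in for the ML tagger.
SIGNATURE_TACTIC = {
    "SCAN Nmap Syn": "reconnaissance",
    "WEB SQL injection attempt": "initial-access",
    "POLICY Encoded PowerShell": "execution",
    "MALWARE Scheduled task created": "persistence",
    "POLICY SMB admin share access": "lateral-movement",
    "POLICY Large outbound transfer": "exfiltration",
}

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the monitored address space
MAX_GAP = 1                            # stages a chain may skip (e.g. no recon seen)
REPORT_FROM = STAGE["execution"]       # first stage worth escalating to an analyst


@dataclass
class Alert:
    ts: int          # constructed timestamp (seconds)
    src: str
    dst: str
    signature: str


@dataclass
class ChainState:
    stage: int = -1                             # highest kill-chain stage reached
    alerts: list = field(default_factory=list)  # supporting alerts for the chain


def tag_tactic(alert):
    """Enrich one alert with an ATT&CK tactic; None if the signature is unknown."""
    return SIGNATURE_TACTIC.get(alert.signature)


def chain_key(alert):
    """Host the chain is tracked for: an internal source (the host acting),
    otherwise the internal destination (the host being attacked)."""
    if ip_address(alert.src) in INTERNAL:
        return alert.src
    if ip_address(alert.dst) in INTERNAL:
        return alert.dst
    return None


class KillChainTracker:
    def __init__(self, max_gap=MAX_GAP, report_from=REPORT_FROM):
        self.max_gap = max_gap
        self.report_from = report_from
        self.chains = {}         # host -> ChainState
        self.not_escalated = 0   # alerts that did not trigger an escalation

    def observe(self, alert):
        """Feed one alert in time order; return (host, tactic, evidence_count)
        when the alert advances the host's chain to a reportable stage, else None.
        Repeats of an already-reached stage are kept as context; an alert too far
        ahead of the chain (e.g. a lone exfiltration on an untouched host) is ignored."""
        tactic, host = tag_tactic(alert), chain_key(alert)
        if tactic is None or host is None:
            self.not_escalated += 1
            return None
        idx = STAGE[tactic]
        state = self.chains.setdefault(host, ChainState())
        if state.stage < idx <= state.stage + 1 + self.max_gap:
            state.stage = idx                      # the chain advances
            state.alerts.append(alert)
            if idx >= self.report_from:
                return (host, tactic, len(state.alerts))
        elif idx <= state.stage:
            state.alerts.append(alert)             # same/earlier stage: context only
        self.not_escalated += 1
        return None


def run(alerts, tracker=None):
    """Replay alerts in time order; return (escalations, number_not_escalated)."""
    tracker = KillChainTracker() if tracker is None else tracker
    escalations = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        hit = tracker.observe(alert)
        if hit is not None:
            escalations.append(hit)
    return escalations, tracker.not_escalated


SAMPLE_ALERTS = [  # constructed alerts: one full chain on 10.0.0.7 plus noise
    Alert(100, "203.0.113.5", "10.0.0.7", "SCAN Nmap Syn"),
    Alert(101, "203.0.113.5", "10.0.0.20", "SCAN Nmap Syn"),                    # scan that never continues
    Alert(130, "203.0.113.5", "10.0.0.7", "WEB SQL injection attempt"),
    Alert(131, "10.0.0.30", "198.51.100.9", "POLICY Large outbound transfer"),  # lone exfiltration, no prior stage
    Alert(160, "10.0.0.7", "198.51.100.2", "POLICY Encoded PowerShell"),
    Alert(161, "10.0.0.7", "198.51.100.2", "POLICY Encoded PowerShell"),        # repeat of a reached stage
    Alert(200, "10.0.0.7", "10.0.0.7", "MALWARE Scheduled task created"),
    Alert(240, "10.0.0.7", "10.0.0.9", "POLICY SMB admin share access"),        # skips privilege-escalation
    Alert(300, "10.0.0.7", "198.51.100.9", "POLICY Large outbound transfer"),
    Alert(301, "10.0.0.7", "198.51.100.9", "UNKNOWN signature"),                # untaggable
]

if __name__ == "__main__":
    hits, quiet = run(SAMPLE_ALERTS)
    for host, tactic, n in hits:
        print(f"ESCALATE {host}: reached {tactic} ({n} supporting alerts)")
    print(f"{quiet} of {len(SAMPLE_ALERTS)} alerts not escalated")
```

On the constructed input only the four alerts that move 10.0.0.7 from execution onward are escalated; the stray scan, the out-of-order exfiltration, the repeat and the untaggable alert are all held back, which is the mechanism by which correlation rather than per-alert signatures shrinks the false-positive volume. The gap rule is the parameter to think about in practice: a gap of 0 misses chains whose early stages the IDS did not see, a large gap lets a single late-stage alert start a chain again.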