DeepAG: Attack Graph Construction and Threats Prediction With Bi-Directional Deep Learning

IEEE Transactions on Dependable and Secure Computing (2023)

Abstract
Complicated multi-step attacks, such as Advanced Persistent Threats (APTs), pose considerable threats to cybersecurity because they are inherently varied and complex. Studying the strategies of adversaries and predicting their next steps therefore remain significant challenges for attack prevention. To address these problems, we propose DeepAG, a framework that uses system logs to detect threats and predict attack paths. DeepAG applies transformer models to detect APT attack sequences by modeling the semantic information of system logs. In addition, DeepAG uses a Long Short-Term Memory (LSTM) network to perform bi-directional prediction of attack paths, which achieves higher performance than a traditional BiLSTM. From the detected attack sequences and predicted paths, DeepAG then constructs the attack graphs that attackers may follow to compromise the network. DeepAG also provides an Out-Of-Vocabulary (OOV) word processor and an online update mechanism so that it can adapt to new attack patterns that appear during the detection and prediction stages. Experiments on open-source data sets show that DeepAG detects more than 99% of over 15000 sequences accurately. Moreover, DeepAG improves prediction accuracy over the baseline by 11.166%.
Keywords
Attack prediction, deep learning, transformer, LSTM, attack graph