Zero Day Threats (ZDT) are novel methods used by malicious actors to attack and exploit information technology (IT) networks or infrastructure. In the past few years, the number of these threats has been increasing at an alarming rate and has been costing organizations millions of dollars to remediate. The expanding network attack surface and the exponentially growing number of assets on these networks necessitate a robust AI-based Zero Day Threat detection model that can quickly analyze petabyte-scale data for potentially malicious and novel activity. In this paper, the authors introduce a deep learning based approach to Zero Day Threat detection that can generalize, scale, and effectively identify threats in near real-time. The methodology uses network flow telemetry augmented with asset-level graph features, which are passed through a dual-autoencoder structure for anomaly detection and novelty detection respectively. The models have been trained and tested on four large-scale datasets that are representative of real-world organizational networks, and they produce strong results with high precision and recall values. The models provide a novel methodology for detecting complex threats with low false-positive rates, allowing security operators to avoid alert fatigue while drastically reducing their mean time to response through near-real-time detection. Furthermore, the authors also provide a novel, labelled cyber attack dataset generated from adversarial activity that can be used for validation or training of other models. With this paper, the authors' overarching goal is to provide a novel architecture and training methodology for cyber anomaly detectors that can generalize to multiple IT networks with minimal to no retraining while still maintaining strong performance.