English

On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models

Cryptography and Security 2019-03-22 v1

Abstract

This paper presents PULSAR, a framework for pre-empting Advanced Persistent Threats (APTs). PULSAR employs a probabilistic graphical model (specifically a Factor Graph) to infer the time evolution of an attack based on observed security events at runtime. PULSAR (i) learns the statistical significance of patterns of events from past attacks; (ii) composes these patterns into FGs to capture the progression of the attack; and (iii) decides on preemptive actions. PULSAR's accuracy and its performance are evaluated in three experiments at SystemX: (i) a study with a dataset containing 120 successful APTs over the past 10 years (PULSAR accurately identifies 91.7%); (ii) replaying of a set of ten unseen APTs (PULSAR stops 8 out of 10 replayed attacks before system integrity violation, and all ten before data exfiltration); and (iii) a production deployment of PULSAR (during a month-long deployment, PULSAR took an average of one second to make a decision).

Keywords

Cite

@article{arxiv.1903.08826,
  title  = {On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models},
  author = {Phuong Cao},
  journal= {arXiv preprint arXiv:1903.08826},
  year   = {2019}
}
R2 v1 2026-06-23T08:14:37.712Z