Suffix-based Finite Automata for Learning Explainable Attacker Strategies

Learning about attacker behavior, such as their tactics, techniques and procedures (TTPs) is largely a manual and expert knowledge-driven task in defensive cybersecurity. An attack graph is a graphical representation of attacker strategies that shows all the pathways an attacker can use to penetrate a network. Existing techniques correlate system vulnerabilities and expert input regarding network topology to construct attack graphs, thus providing a static and hypothetical view of the threat landscape. These traditional attack graphs cannot directly be used to monitor ongoing attacks in Security Operations Centers (SOCs) since they do not show the dynamic strategies being employed by the attackers. Meanwhile, SOC analysts defend against cyber attacks by monitoring millions of intrusion alerts on a daily basis2, often leading to ‘alert fatigue’ and reduced productivit