| Funder | Swedish Research Council |
|---|---|
| Recipient Organization | KTH Royal Institute of Technology |
| Country | Sweden |
| Start Date | Jan 01, 2025 |
| End Date | Dec 31, 2028 |
| Duration | 1,460 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | Swedish Research Council |
| Grant ID | 2024-05269_VR |

Cyber attacks have become increasingly sophisticated and diverse over the past decade, which, together with the recent success of machine learning, has triggered tremendous interest in anomaly-based intrusion detection systems (IDSs).
Nonetheless, anomaly-based IDSs generate a high number of false positives, which leads to cognitive stress among security analysts and hence reduced detection performance.
Against this background, the objective of this proposal is to develop a mathematical framework and algorithmic foundations for optimizing the use of human expertise in ML-enabled IDS for timely detection and response.
The key tenet of the proposal is that the problem can be cast as an active learning problem over a dynamic Bayesian network, used for maintaining a belief about the threat level and the progression of the attacker.
We propose to design novel models of active learning that take into account dynamic observation models, the heterogeneity of human experts and the strategic interaction between active learning and the adversary.
We will develop computationally efficient robust learning policies that minimize the time to detection and allow optimal allocation of monitoring and human resources.
Our results will enable a new generation of semi-autonomous incident detection and response solutions, where the strengths of ML and humans are combined for mitigating advanced threats.