EAGER: Social Media Based Early Cybersecurity Threat Detection

Society’s ever-increasing reliance on the complex digital world with a huge repository of highly confidential and private data has made maintaining cybersecurity an uncompromising task for organizations. The loss incurred by the US healthcare system due to ransomware attacks has exceeded 157 million dollars since 2016. Traditionally, cyberattack detection techniques leverage network traffic data to detect certain types of attacks.

However, this kind of approach is difficult to generalize. Furthermore, the requisite data is too expensive to obtain and information about organizational compromise can often originate outside the institution. Hence, open source indicators like social media platforms, which propagate rich security-related discussions for ongoing cyberattacks, can be inexpensive yet effective sources of data for an early cyberattack detection system.

This project aims to implement a social media based multitask active learning framework for early cybersecurity threat detection. Its reliance on open source data will generalize the application of the research across different target entities. The project will produce a theoretical framework for teaching cyberattack detection or social media mining, providing academia and the industry a broader understanding of fundamental methodological approaches.

This research will design the solution through different interconnected research thrusts. The key challenges in social media based cyberattack detection are lack of comprehensive ground truth data and expensive labeling effort. The project tackles this problem by innovatively incorporating both dynamic query expansion and active learning.

The dynamic query expansion component provides an effective procedure to collect domain specific labeled data while the active learning module interactively updates the training dataset by labeling the data collected outside the constraints of the dynamic query expansion. Furthermore, to address the problem of generalizing over various types of cyberattacks, the project explores a novel multitask learning framework with message passing mechanism to model varied and distinctive types of cybersecurity events.

Additionally, the investigator intends to implement a visual interface which explores novel deep learning-based storyline generation techniques for the detected security events which will provide an interpretable visual analysis of cybersecurity related incidents for different organizations across time.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.