Modeling Malicious Network Packets with Generative Probabilistic Graphical Models

Cyber enterprise systems often are difficult to protect due to a large number of sub-components that must work in concert to remain resilient. In cyber enterprises where incoming traffic may approach a few megabits per second, an IDS and host system controlled by a Markov Decision Process may serve as an efficient resiliency solution. However, the structure of this model leverages very little information about the adversary. For example, attack signatures of well known attacks and the behavior of previous packets are not considered when the system decides if a network packet is malicious or normal. In this paper, we attempt a first step to augmenting such a resiliency system by learning about adversary behavior through modeling malicious packet data with a probabilistic graphical model. We examine the effects of weakening the Markov assumption on the behavior of an adversary, and investigate how well this Markov adversary model is borne out in real data for four different cyber attack types. Finally, we investigate how well our model captures intrinsic characteristics of malicious behavior by using log-likelihood scores of various attack models to train a discriminative classifier; we find that our classifier is able to attain anywhere from 93% to 98% classification accuracy, a strong indicator that our generative models have successfully captured the distribution of features and behaviors that comprise a malicious adversary vs. a benign one.