Transformer-based framework for alert aggregation and attack prediction in a multi-stage attack

Wenbo Wang, Peng Yi, Junfang Jiang, Peng Zhang, Xiang Chen

Computers & Security (2024)

Abstract
In recent years, the growing threat of cyber attacks has led more researchers to study alert correlation and attack prediction. While numerous solutions have been proposed, existing work still has some shortcomings. Without aggregation, previous approaches feed the excessive and duplicate alerts directly into their models, ignoring the internal logic between adjacent payloads, which we believe is a significant clue for distinguishing different types of attacks. In this paper, we propose a similarity-based aggregation algorithm to correlate and aggregate alerts, then train a Transformer-based model that handles variable-length input and completes the attack prediction. Additionally, a threat estimation method and its practical application are proposed to assess the predicted output. Experimental results demonstrate that the proposed framework can effectively aggregate alerts, predict different kinds of attack intelligence well, and assess how much threat the administrator will face in the near future.
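The abstract's first step, collapsing excessive and duplicate alerts into aggregated units while keeping the order of the underlying payloads, is illustrated below. This is an added example, not the paper's algorithm: it assumes a hypothetical Jaccard similarity over the source, destination and signature fields, a 60-second time window, and a small set of constructed IDS alerts. Each aggregated group keeps its payloads in time order so a downstream sequence model (the paper's Transformer) can see adjacent payloads rather than isolated alerts.

```python
"""Similarity-based alert aggregation (added illustration, not the paper's method)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass
class Alert:
    ts: datetime
    src: str       # source address
    dst: str       # destination address
    sig: str       # IDS signature name
    payload: str   # short excerpt of what triggered the alert


@dataclass
class MetaAlert:
    """One aggregated group of alerts, kept in arrival order."""
    alerts: List[Alert] = field(default_factory=list)

    def count(self) -> int:
        return len(self.alerts)

    def payload_sequence(self) -> List[str]:
        # Ordered payloads: the "internal logic between adjacent payloads"
        # that a sequence model can consume as variable-length input.
        return [a.payload for a in self.alerts]


def similarity(a: Alert, b: Alert) -> float:
    """Hypothetical Jaccard similarity over (src, dst, sig) tokens."""
    ta = {"src:" + a.src, "dst:" + a.dst, "sig:" + a.sig}
    tb = {"src:" + b.src, "dst:" + b.dst, "sig:" + b.sig}
    return len(ta & tb) / len(ta | tb)


def aggregate(alerts: List[Alert], threshold: float = 0.5,
              window: timedelta = timedelta(seconds=60)) -> List[MetaAlert]:
    """Greedy aggregation: attach each alert to the most similar recent group.

    An alert joins an existing group only if the group's last alert lies
    within `window` and scores at least `threshold`; otherwise it starts a
    new group. Same src/dst with a different signature scores 0.5 here, so
    a scan followed by a web anomaly from the same attacker stays together.
    """
    groups: List[MetaAlert] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        best, best_score = None, 0.0
        for g in groups:
            last = g.alerts[-1]
            if alert.ts - last.ts > window:
                continue                      # group has gone quiet
            s = similarity(alert, last)
            if s >= threshold and s > best_score:
                best, best_score = g, s
        if best is None:
            groups.append(MetaAlert([alert]))
        else:
            best.alerts.append(alert)
    return groups


def compression_ratio(alerts: List[Alert], groups: List[MetaAlert]) -> float:
    """How many raw alerts each aggregated unit stands for."""
    return len(alerts) / len(groups)


def build_sample_alerts() -> List[Alert]:
    """Constructed sample alerts (not real data)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    A, T, B, T2 = "10.0.0.5", "10.0.0.20", "192.168.1.9", "10.0.0.30"
    return [
        Alert(t0, A, T, "SCAN port sweep", "probe-22"),
        Alert(t0 + timedelta(seconds=1), A, T, "SCAN port sweep", "probe-80"),
        Alert(t0 + timedelta(seconds=2), A, T, "SCAN port sweep", "probe-443"),
        Alert(t0 + timedelta(seconds=3), B, T2, "MALWARE beacon", "beacon-1"),
        Alert(t0 + timedelta(seconds=5), A, T, "WEB login anomaly", "login-form-anomaly"),
        # Same attacker again, but 200 s later: outside the window, new group.
        Alert(t0 + timedelta(seconds=200), A, T, "SCAN port sweep", "probe-22"),
    ]


if __name__ == "__main__":
    raw = build_sample_alerts()
    metas = aggregate(raw)
    print(f"{len(raw)} raw alerts -> {len(metas)} aggregated units "
          f"(ratio {compression_ratio(raw, metas):.1f})")
    for m in metas:
        print(m.count(), m.payload_sequence())
```

The six constructed alerts collapse to three units: the scan plus the later web anomaly from the same source and target form one ordered payload sequence, the unrelated beacon stands alone, and the repeat scan after the window expires starts a fresh unit. Threshold and window are the two knobs a SOC would tune against its own alert volume.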
Keywords
Alert aggregation, Attack prediction, Transformer, Threat estimation, Intrusion detection