Article

Fronesis: Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks

Journal

IEEE ACCESS
Volume 11, Pages 728-743

Publisher

IEEE (Institute of Electrical and Electronics Engineers Inc.)
DOI: 10.1109/ACCESS.2022.3233404

Keywords

Cyber-attack detection; cyber kill chain; cybersecurity; digital artifacts; MITRE ATT&CK; ontology; rule-based reasoning

Abstract

Traditional attack detection approaches utilize predefined databases of known signatures about already-seen tools and malicious activities observed in past cyber-attacks to detect future attacks. More sophisticated approaches apply machine learning to detect abnormal behavior. Nevertheless, a growing number of successful attacks and the increasing ingenuity of attackers show that these approaches are insufficient. This paper introduces an approach for digital forensics-based early detection of ongoing cyber-attacks called Fronesis. The approach combines ontological reasoning with the MITRE ATT&CK framework, the Cyber Kill Chain model, and the digital artifacts acquired continuously from the monitored computer system. Fronesis examines the collected digital artifacts by applying rule-based reasoning on the Fronesis cyber-attack detection ontology to identify traces of adversarial techniques. The identified techniques are correlated to tactics, which are then mapped to the corresponding phases of the Cyber Kill Chain model, resulting in the detection of an ongoing cyber-attack. Finally, the proposed approach is demonstrated through an email phishing attack scenario.
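The abstract describes a pipeline: collected artifacts are matched by rules to adversarial techniques, techniques are correlated to ATT&CK tactics, and tactics are mapped to Cyber Kill Chain phases. The following is an added illustration of that pipeline in plain Python; it is not the Fronesis ontology, rule set or code from the paper. The technique IDs and their tactics come from the public ATT&CK matrix, but the rules, the tactic-to-phase mapping, the two-phase alert threshold and the host artifacts (an email with a macro-enabled attachment, Word spawning PowerShell, a Run-key entry and an outbound HTTPS connection) are all constructed assumptions for this example.

```python
"""Toy artifacts -> techniques -> tactics -> Kill Chain phases pipeline.

Added illustration in the spirit of the Fronesis abstract; not the paper's
ontology, rules or code. Rules, tactic->phase mapping, the alert threshold and
the sample artifacts are assumptions made for this example.
"""

# Constructed host telemetry for a phishing scenario (hypothetical values).
PHISHING_ARTIFACTS = [
    {"type": "email", "sender": "hr-payroll@example-mail.test",
     "attachment": "invoice_Q3.docm"},
    {"type": "process", "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice_Q3.docm"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # truncated, constructed
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Users\a\AppData\Roaming\up.exe"},
    {"type": "network", "process": "powershell.exe", "dst": "203.0.113.7",
     "port": 443, "proto": "https"},
]

# Technique -> tactic, taken from the public MITRE ATT&CK matrix.
TECHNIQUE_TACTIC = {
    "T1566.001": "Initial Access",       # Phishing: Spearphishing Attachment
    "T1204.002": "Execution",            # User Execution: Malicious File
    "T1059.001": "Execution",            # Command and Scripting Interpreter: PowerShell
    "T1547.001": "Persistence",          # Boot or Logon Autostart: Registry Run Keys
    "T1071.001": "Command and Control",  # Application Layer Protocol: Web Protocols
}

# Tactic -> Kill Chain phase: an assumed mapping for this illustration.
TACTIC_PHASE = {
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Command and Control": "Command and Control",
}
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
MACRO_EXT = (".docm", ".xlsm", ".pptm")

# Rules: (technique id, predicate over a single artifact). Stand-in for the
# rule-based reasoning step; each predicate checks the artifact type first so
# missing keys on other artifact types never raise.
RULES = [
    ("T1566.001", lambda a: a["type"] == "email"
     and a.get("attachment", "").lower().endswith(MACRO_EXT)),
    ("T1204.002", lambda a: a["type"] == "process"
     and a.get("parent") == "OUTLOOK.EXE" and a.get("image") in OFFICE_APPS),
    ("T1059.001", lambda a: a["type"] == "process"
     and a.get("image", "").lower() == "powershell.exe"
     and a.get("parent") in OFFICE_APPS),
    ("T1547.001", lambda a: a["type"] == "registry"
     and a.get("key", "").endswith(r"\CurrentVersion\Run")),
    ("T1071.001", lambda a: a["type"] == "network"
     and a.get("proto") in ("http", "https")
     and a.get("process", "").lower() == "powershell.exe"),
]


def identify_techniques(artifacts):
    """Technique IDs whose rule matches at least one artifact."""
    return {tid for tid, pred in RULES for a in artifacts if pred(a)}


def techniques_to_phases(techniques):
    """Correlate techniques -> tactics -> phases; returned in Kill Chain order."""
    phases = {TACTIC_PHASE[TECHNIQUE_TACTIC[t]] for t in techniques}
    return [p for p in KILL_CHAIN if p in phases]


def assess(artifacts, min_phases=2):
    """Report an ongoing attack once evidence spans `min_phases` distinct phases.

    A single phase (e.g. just a suspicious attachment) is reported but not
    alerted on; the threshold is an assumption chosen for this example.
    """
    techniques = identify_techniques(artifacts)
    phases = techniques_to_phases(techniques)
    return {
        "techniques": sorted(techniques),
        "phases": phases,
        "latest_phase": phases[-1] if phases else None,
        "ongoing_attack": len(phases) >= min_phases,
    }


if __name__ == "__main__":
    print(assess(PHISHING_ARTIFACTS))
```

Running it over the constructed scenario yields evidence in the Delivery, Exploitation, Installation and Command and Control phases and an alert; feeding only the email artifact yields a single Delivery phase and no alert, which is the kind of early-but-not-yet-confirmed state the phase correlation is meant to distinguish.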

