dc.contributor.author: Rendall, Kieran
dc.contributor.author: Mylonas, Alexios
dc.contributor.author: Vidalis, Stilianos
dc.contributor.author: Gritzalis, Dimitris
dc.date.accessioned: 2024-12-06T10:30:00Z
dc.date.available: 2024-12-06T10:30:00Z
dc.date.issued: 2025-01-30
dc.identifier.citation: Rendall, K., Mylonas, A., Vidalis, S. & Gritzalis, D. 2025, 'MIDAS: Multi-layered attack detection architecture with decision optimisation', Computers and Security, vol. 148, 104154, pp. 1-14. https://doi.org/10.1016/j.cose.2024.104154
dc.identifier.issn: 0167-4048
dc.identifier.other: RIS: urn:65E0DE5208AE3CDA3CCD21EB4123F52E
dc.identifier.other: ORCID: /0000-0001-8819-5831/work/173286381
dc.identifier.uri: http://hdl.handle.net/2299/28517
dc.description: © 2024 The Author(s). Published by Elsevier Ltd. This is an open access article distributed under the Creative Commons Attribution License; to view a copy of the license, see: https://creativecommons.org/licenses/by/4.0/
dc.description.abstract: The proliferation of cyber attacks has led to the use of data-driven detection countermeasures in an effort to mitigate this threat. Machine learning techniques, such as the use of neural networks, have become mainstream and proven effective in attack detection. However, these data-driven solutions are limited by: a) the high computational overhead associated with data pre-processing and inference cost, b) an inability to scale beyond a centralised deployment to cope with environmental variances, and c) the requirement to use multiple bespoke detection models for effective attack detection coverage across the cyber kill chain. In this context, this paper introduces MIDAS, a cost-effective framework for attack detection, which introduces a dynamic decision boundary that is used in a multi-layered detection architecture. This is achieved by modelling the decision confidence of the participating detection models and judging its benefits using a novel reward policy. Specifically, a reward is assigned to a set of available actions, corresponding to a decision boundary, based on its cost-to-performance, where an overall cost saving is prioritised. We evaluate our approach on two widely used datasets representing two of the most common threats today, i.e., phishing and malware. MIDAS shows that it effectively reduces the expenditure on detection inference and processing costs by controlling the frequency of expensive detection operations. This is achieved without significant sacrifice of attack detection performance.
dc.format.extent: 14
dc.format.extent: 3144332
dc.language.iso: eng
dc.relation.ispartof: Computers and Security
dc.subject: Multi-armed bandits
dc.subject: Attack detection
dc.subject: Machine learning
dc.subject: Efficiency
dc.subject: Decision optimisation
dc.title: MIDAS: Multi-layered attack detection architecture with decision optimisation
dc.contributor.institution: School of Physics, Engineering & Computer Science
dc.contributor.institution: Department of Computer Science
dc.contributor.institution: Cybersecurity and Computing Systems
dc.contributor.institution: Centre for Computer Science and Informatics Research
dc.description.status: Peer reviewed
rioxxterms.versionofrecord: 10.1016/j.cose.2024.104154
rioxxterms.type: Journal Article/Review
herts.preservation.rarelyaccessed: true