Abstract
Businesses and industries are placing a greater emphasis on information systems for cybersecurity decision-making due to the rising cybersecurity threat landscape and the critical need to protect their digital assets. Threat hunting provides a data-driven and proactive approach to cybersecurity, enabling organizations to efficiently detect, analyze, and respond to cyber threats in real time. Despite playing a crucial role, these systems face several obstacles, including the manual analysis of technical threat intelligence, the non-Gaussian nature of real-world data, the high rate of false positives produced during threat hunting, and the lack of interpretation and justification for these complex models. This article adopts the computational design science paradigm to develop a novel IT artifact for threat hunting named DeepSecure. First, to automatically extract latent patterns from multivariate time series datasets, we propose a dynamic vector quantized variational autoencoder technique. Second, a multiscale hierarchical attention bi-directional gated recurrent unit-based threat-hunting mechanism is designed. Finally, we provide the visualization of attention scores to aid in model interpretation. We evaluate DeepSecure against state-of-the-art benchmarks on two publicly available datasets, namely, ToN-IoT and CSE-CIC-IDS2018. The experimental evaluation proves that our model can efficiently identify threat types. Beyond demonstrating practical utility, the proposed framework can help address the lack of interpretation and justification for complex models in cyber threat detection and will allow organizations to respond to potential security incidents quickly.