Network intrusion prediction model using external data


Abstract

Nowadays the internet presence of companies increases, and with it their attack surface and the probability of breaches: every information system in a company's network may be an entry point for an outsider. Therefore, companies need to secure their information systems. However, current risk assessment frameworks fail to connect security measures with the impact of future breaches, making it difficult for a company to prioritize its security investments: which security indicators should it look at to limit the impact of future intrusions? In this report, we study how to collect external security indicators from a company's network and how to process this information to build an intrusion prediction model. First, we build a scanning tool to retrieve relevant security indicators (such as service misconfigurations or vulnerabilities) from the company's network and from public datasets. Then, we associate the collected indicators with incident data from a Managed Security Service Provider in order to model the probability of intrusion with a Random Forest algorithm. Finally, we analyze the indicators the model ranks as most significant, in an effort to find which indicators are the most relevant for evaluating a company's security posture. When we assess our model on real company data, it achieves 92% accuracy in predicting intrusions.
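The pipeline the abstract describes (aggregate scan findings into per-company indicators, join them with MSSP incident labels, fit a Random Forest, rank the indicators) as an added Python example; this is not the thesis's own scanning tool, data or model. The scan records, incident labels, port sets and vulnerable-version list are constructed for illustration, and the forest is a small from-scratch implementation with Gini (mean-decrease-in-impurity) importance rather than a library call, so that every step is visible.

```python
"""Added illustration of an indicator -> incident -> Random Forest pipeline.
All records, port sets and version lists below are constructed, not real data."""
import random
from collections import Counter

# Constructed "public dataset": product versions with at least one known CVE.
VULNERABLE_VERSIONS = {("OpenSSH", "7.4"), ("Apache", "2.4.29"), ("Exim", "4.87")}
ADMIN_PORTS = {22, 23, 3389, 445, 5900}   # remotely reachable management services
PLAINTEXT_PORTS = {21, 23, 80}             # services that carry credentials in clear
FEATURES = ["exposed_services", "admin_ports", "plaintext_ports",
            "vulnerable_versions", "expired_certs"]

# Constructed scan output: (company, port, product, version, cert_expired).
SCAN = [
    ("acme", 22, "OpenSSH", "7.4", False), ("acme", 3389, "RDP", "-", True),
    ("acme", 80, "Apache", "2.4.29", False),
    ("bolt", 443, "nginx", "1.18", False), ("bolt", 25, "Exim", "4.87", False),
    ("bolt", 23, "telnetd", "-", False),
    ("cobb", 443, "nginx", "1.20", False),
    ("dune", 443, "nginx", "1.20", False), ("dune", 22, "OpenSSH", "8.9", False),
    ("echo", 443, "Apache", "2.4.29", True), ("echo", 21, "vsftpd", "3.0", False),
    ("flux", 443, "nginx", "1.20", False), ("flux", 80, "nginx", "1.20", False),
    ("gale", 443, "nginx", "1.22", False),
    ("hive", 22, "OpenSSH", "7.4", False),   # no MSSP coverage: dropped by the join
]
# Constructed MSSP incident data: 1 = at least one confirmed intrusion.
INCIDENTS = {"acme": 1, "bolt": 1, "cobb": 0, "dune": 0, "echo": 1, "flux": 0, "gale": 0}


def indicators(scan):
    """Aggregate scan records into one indicator vector (FEATURES order) per company."""
    per = {}
    for company, port, product, version, cert_expired in scan:
        v = per.setdefault(company, [0] * len(FEATURES))
        v[0] += 1
        v[1] += port in ADMIN_PORTS
        v[2] += port in PLAINTEXT_PORTS
        v[3] += (product, version) in VULNERABLE_VERSIONS
        v[4] += cert_expired
    return per


def build_dataset(scan, incidents):
    """Inner-join indicators with incident labels: a company without MSSP records
    is dropped rather than labelled 'no intrusion', which would mislabel unknowns."""
    per = indicators(scan)
    names = sorted(set(per) & set(incidents))
    return names, [per[n] for n in names], [incidents[n] for n in names]


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values()) if n else 0.0


def best_split(X, y, feats):
    """Return (impurity decrease, feature, threshold) maximising weighted Gini gain."""
    best, parent = None, gini(y) * len(y)
    for f in feats:
        for t in sorted({row[f] for row in X}):
            left = [y[i] for i, row in enumerate(X) if row[f] <= t]
            right = [y[i] for i, row in enumerate(X) if row[f] > t]
            if left and right:
                gain = parent - gini(left) * len(left) - gini(right) * len(right)
                if best is None or gain > best[0]:
                    best = (gain, f, t)
    return best


def grow(X, y, rng, max_depth, n_feats, importance, depth=0):
    """Build one tree: leaf = majority label, node = (feature, threshold, left, right).
    Each split adds its impurity decrease to importance[feature] (Gini importance)."""
    if depth == max_depth or len(set(y)) == 1:
        return Counter(y).most_common(1)[0][0]
    split = best_split(X, y, rng.sample(range(len(X[0])), n_feats))
    if split is None or split[0] <= 0:
        return Counter(y).most_common(1)[0][0]
    gain, f, t = split
    importance[f] += gain
    l = [i for i, row in enumerate(X) if row[f] <= t]
    r = [i for i, row in enumerate(X) if row[f] > t]
    args = (rng, max_depth, n_feats, importance, depth + 1)
    return (f, t, grow([X[i] for i in l], [y[i] for i in l], *args),
            grow([X[i] for i in r], [y[i] for i in r], *args))


def predict_tree(node, row):
    while isinstance(node, tuple):
        node = node[2] if row[node[0]] <= node[1] else node[3]
    return node


class RandomForest:
    def __init__(self, n_trees=25, max_depth=3, seed=0, bootstrap=True, n_feats=None):
        self.n_trees, self.max_depth, self.bootstrap = n_trees, max_depth, bootstrap
        self.n_feats, self.rng = n_feats, random.Random(seed)

    def fit(self, X, y):
        self.trees, self.importance = [], [0.0] * len(X[0])
        n_feats = self.n_feats or max(1, int(len(X[0]) ** 0.5))
        for _ in range(self.n_trees):   # bootstrap rows, random feature subset per split
            idx = [self.rng.randrange(len(X)) for _ in X] if self.bootstrap else range(len(X))
            self.trees.append(grow([X[i] for i in idx], [y[i] for i in idx], self.rng,
                                   self.max_depth, n_feats, self.importance))
        total = sum(self.importance) or 1.0
        self.importance = [v / total for v in self.importance]
        return self

    def predict(self, X):
        return [Counter(predict_tree(t, row) for t in self.trees).most_common(1)[0][0]
                for row in X]


def metrics(y_true, y_pred):
    """Accuracy plus precision/recall on the intrusion class: on imbalanced incident
    data, always predicting 'no intrusion' already scores the majority-class accuracy."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    return {"accuracy": sum(t == p for t, p in pairs) / len(pairs),
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}


if __name__ == "__main__":
    names, X, y = build_dataset(SCAN, INCIDENTS)
    model = RandomForest().fit(X, y)
    print("baseline (all 'no intrusion'):", metrics(y, [0] * len(y)))
    print("forest (training data):       ", metrics(y, model.predict(X)))
    for name, imp in sorted(zip(FEATURES, model.importance), key=lambda p: -p[1]):
        print(f"{name:20s} {imp:.2f}")
```

Two practical points the example makes explicit: the join is an inner join, because a company the MSSP never monitored is unlabelled, not intrusion-free; and an accuracy figure on its own is hard to interpret when intrusions are rare, so precision and recall on the intrusion class should be reported alongside it and the model should be scored on held-out companies, not the training rows printed here.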
