- The paper presents a regime-dependent switching linear dynamical system (RD-SLDS) that jointly models latent attack phases and continuous network dynamics for enhanced cyber defense.
- It leverages structured mean-field variational inference to reduce computational complexity, enabling CPU-based real-time detection and an 8-minute predictive alert window.
- Experimental evaluations demonstrate high detection accuracy with F1 scores of 0.982 and 0.971, and precise kill-chain phase attribution outperforming conventional and deep learning methods.
Probabilistic Cyber-Attack Regime Detection via Variational Switching State-Space Models (PARD-SSM)
PARD-SSM addresses the critical challenge in cyber-defense of real-time detection and predictive attribution of multi-stage attacker campaigns within high-dimensional enterprise network telemetry. Unlike classical anomaly detection, which optimizes for point-wise statistical deviation, the central task is sequential probabilistic inference of latent adversarial phases (e.g., Reconnaissance, Lateral Movement, Intrusion, Exfiltration) that unfold over temporally extended windows and may be individually indistinguishable from benign activity. The limitations of conventional approaches motivate the proposed framework: signature-based IDSs cannot detect zero-days or attribute activity to a regime; deep learning NIDSs are opaque, GPU-dependent, and lack predictive semantics; and HMMs and single-regime LDSs are inadequate models of multi-stage dynamics.
Model Architecture
PARD-SSM introduces a Regime-Dependent Switching Linear Dynamical System (RD-SLDS) for the joint generative modeling of observed network feature streams, discrete attack stages, and continuous latent flow state. The model comprises two coupled stochastic processes: a K=4 hidden Markov chain for kill-chain regime progression, and regime-indexed linear Gaussian latent dynamics encoding traffic “momentum,” discriminable via eigenstructure modulation.
Formally, given the active regime $s_t \in \{0,1,2,3\}$, the continuous latent $x_t \in \mathbb{R}^n$ evolves as $x_t = A^{(s)} x_{t-1} + u_t + w_t^{(s)}$, with observations $y_t = C^{(s)} x_t + v_t^{(s)}$, where $A^{(s)}$ and $C^{(s)}$ are regime-specific; in typical deployments $n = 8$ and the observation dimension is $m = 17$. The regime index semantics are $0 =$ Normal, $1 =$ Reconnaissance, $2 =$ Lateral Movement, $3 =$ Exfiltration, with explicit spectral constraints on the regime-specific $A^{(s)}$ (e.g., mean-reverting eigenstructure for one regime, growth-dominated for another).
The regime transition probability matrix is learned online, capturing non-stationary and non-reversible phase progression.
Variational Inference and Online Adaptation
Inference in switching state-space models is computationally intractable because the space of regime sequences is combinatorial: the exact posterior is a mixture whose number of components grows exponentially with the sequence length. PARD-SSM leverages a structured mean-field variational approximation, factorizing the joint posterior over regime and continuous-state sequences into a regime factor and a continuous-state factor, and maximizing the Evidence Lower Bound (ELBO) via coordinate ascent. The continuous $x_t$ is inferred via a regime-weighted Kalman smoother, and the discrete $s_t$ via HMM-style forward-backward, where the emission probabilities are given by the log-likelihood under the current regime-specific LDS. This reduces the computational cost from exponential to linear in the sequence length, allowing CPU-rate packet-flow inference without GPU requirements.
The regime transition matrix and noise covariances are continuously updated per packet via exponential-forgetting online EM, ensuring robust adaptation to traffic drift while avoiding catastrophic forgetting of rare adversarial dynamics.
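As an added illustration (not code from the paper), the filtering half of the inference described above on a constructed two-regime scalar RD-SLDS: each regime's Kalman filter scores the new observation, and an HMM forward step turns those log-likelihoods into the regime posterior. The backward smoothing pass and the online EM parameter updates are omitted; all matrices, noise variances and traces are constructed, with a mean-reverting regime (A = 0.5) standing in for Normal and a growth regime (A = 1.05) for an attack phase.

```python
import numpy as np

# Constructed toy RD-SLDS with scalar latent/observation and K=2 regimes:
# regime 0 is mean-reverting (|A|<1), regime 1 growth-dominated (A>1).
# The paper uses K=4, n=8, m=17; the filtering step below is unchanged.
A = np.array([0.5, 1.05])   # regime-specific A^{(s)}
C = np.array([1.0, 1.0])    # regime-specific C^{(s)}
Q = np.array([0.01, 0.01])  # variance of process noise w_t^{(s)}
R = np.array([0.01, 0.01])  # variance of observation noise v_t^{(s)}
PI = np.array([[0.95, 0.05],  # constructed regime transition matrix
               [0.05, 0.95]])

def kalman_step(s, mean, var, y):
    """Predict+update of the regime-s LDS. Returns the new (mean, var) and
    the Gaussian log-likelihood of y under regime s, which serves as the
    HMM emission score for that regime."""
    m_pred = A[s] * mean
    v_pred = A[s] ** 2 * var + Q[s]
    innov = y - C[s] * m_pred            # one-step prediction error
    S = C[s] ** 2 * v_pred + R[s]        # innovation variance
    loglik = -0.5 * (np.log(2 * np.pi * S) + innov ** 2 / S)
    gain = v_pred * C[s] / S
    return m_pred + gain * innov, (1 - gain * C[s]) * v_pred, loglik

def filter_regimes(ys, p0=(0.5, 0.5)):
    """Regime-weighted filtering: each regime's Kalman filter scores the new
    observation, and an HMM forward step combines those scores with the
    chain prior p_{t-1} @ PI. Returns the regime posterior after each step."""
    p = np.array(p0, dtype=float)
    mean = np.full(2, float(ys[0]))      # per-regime latent mean
    var = np.full(2, 1.0)                # per-regime latent variance
    history = []
    for y in ys[1:]:
        ll = np.zeros(2)
        for s in range(2):
            mean[s], var[s], ll[s] = kalman_step(s, mean[s], var[s], y)
        prior = p @ PI                                # predicted regime
        post = prior * np.exp(ll - ll.max())          # stable Bayes update
        p = post / post.sum()
        history.append(p.copy())
    return np.array(history)

def growth_sequence(T=12, x0=1.0):
    """Constructed noiseless trace generated by the growth regime."""
    return [x0 * 1.05 ** t for t in range(T)]

def decay_sequence(T=12, x0=100.0):
    """Constructed noiseless trace generated by the mean-reverting regime."""
    return [x0 * 0.5 ** t for t in range(T)]
```

Feeding `growth_sequence()` to `filter_regimes` drives the posterior mass onto regime 1 within two windows, because the mean-reverting filter's one-step prediction error stays large relative to its innovation variance.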
Feature Engineering
The observation vector $y_t \in \mathbb{R}^{17}$ is a 17-dimensional aggregation of per-window metrics, capturing inter-arrival statistics, port and protocol diversity, payload entropy, directionality, fragmentation, and high-level behavioral signals, such as DNS query rate weighted by DGA score and HTTP method entropy. All features are dynamically standardized using a rolling baseline.
Predictive Alerting and False Positive Control
A fundamental innovation is PARD-SSM’s predictive capability: by maintaining and exploiting significant off-diagonal mass in the learned regime transition matrix (Figure 1), the system forecasts regime transition likelihoods ahead of observed transitions, enabling kill-chain phase alerts with a mean lead time of approximately 8 minutes before ground-truth attack onset.
Figure 1: The regime transition matrix estimated from empirical data shows strong persistence within each regime (high diagonal) plus ordered off-diagonal transitions aligned with the attack kill-chain structure.
False-positive suppression is achieved by the introduction of a KL-divergence gating mechanism that issues alerts only when the divergence between current and predicted posterior regime distributions exceeds a learned threshold, robustly filtering benign anomalies such as load spikes from true regime shifts.
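As an added example (not the paper's code), the forecasting and KL-gating logic described in this section on a constructed 4x4 transition matrix with the shape Figure 1 describes: forecasts propagate the current regime posterior through the chain, lead time is the number of windows until a target phase becomes likely, and the gate compares the filtered posterior against the prediction made one window earlier. The matrix entries, posteriors and threshold are illustrative; the paper learns all of them.

```python
import numpy as np

REGIMES = ["Normal", "Reconnaissance", "Lateral Movement", "Exfiltration"]

# Constructed regime transition matrix with the shape Figure 1 describes:
# strong persistence on the diagonal and ordered kill-chain mass just above
# it. Illustrative values only, not the paper's learned matrix.
PI = np.array([
    [0.96, 0.03, 0.005, 0.005],
    [0.03, 0.89, 0.07, 0.01],
    [0.02, 0.02, 0.91, 0.05],
    [0.05, 0.01, 0.01, 0.93],
])

def forecast(p_t, k=1):
    """Regime distribution k windows ahead of the current posterior p_t,
    obtained by propagating it through the chain: p_t @ PI^k."""
    return np.asarray(p_t, dtype=float) @ np.linalg.matrix_power(PI, k)

def lead_time(p_t, target, prob=0.5, max_steps=200):
    """Smallest k (in windows) at which the forecast mass on `target`
    exceeds `prob`; None if that never happens within max_steps. This is
    the quantity behind ahead-of-onset phase alerts."""
    for k in range(1, max_steps + 1):
        if forecast(p_t, k)[target] > prob:
            return k
    return None

def kl_divergence(p, q, eps=1e-12):
    """KL(p || q) in nats for two distributions over regimes."""
    p = np.clip(np.asarray(p, dtype=float), eps, 1.0)
    q = np.clip(np.asarray(q, dtype=float), eps, 1.0)
    return float(np.sum(p * np.log(p / q)))

def kl_gate(p_prev, p_now, threshold):
    """Gated alert: compare the filtered posterior p_now with the one-step
    prediction p_prev @ PI made before the window arrived. A load spike that
    the Normal-regime LDS still explains barely moves p_now (small KL); a
    genuine regime shift pulls p_now away from the prediction (large KL)."""
    d = kl_divergence(p_now, forecast(p_prev, 1))
    return d, bool(d > threshold)
```

With this matrix, a posterior concentrated on Reconnaissance forecasts more than 20% mass on Lateral Movement four windows ahead, while a posterior that merely drifts from the Normal prediction yields a KL of roughly 0.002 nats and stays below any sensible threshold.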
Experimental Evaluation
Extensive benchmarking against CICIDS2017 and UNSW-NB15 datasets demonstrates that PARD-SSM achieves:
Theoretical and Practical Implications
The deployment of PARD-SSM constitutes an advance in the formal integration of structured graphical models and information-theoretic detection for operational network defense. By separating regime inference from feature anomaly scoring, the framework establishes a prior on kill-chain transitions, thereby enabling both earlier detection and automated reconstruction of adversarial campaign timelines.
The model’s tractable variational procedure demonstrates that probabilistic multi-regime generative modeling can be made compatible with enterprise traffic rates on accessible hardware, thus enabling wider practical adoption than deep recurrent NIDSs, whose dependence on specialised hardware and reliance on post-hoc explainability remain significant barriers.
Furthermore, the online learning protocol endows PARD-SSM with continual adaptation to dynamic environments, which is crucial for real-world resilience as network baselines and attacker TTPs drift.
Limitations and Future Work
The main modeling assumption is linearity within each regime. While the architecture is extensible to non-linear variants via, e.g., EKF/UKF or neural parameterization, empirical validation is pending. Scaling to richer attack stage ontologies (beyond four kill-chain phases) will require Bayesian non-parametric extensions. Encrypted traffic severely limits payload-based features, so additional flow- and timing-based signals are likely necessary. Adversarial robustness, e.g., to mimicry attacks that specifically target regime identification, is also unaddressed.
Conclusion
PARD-SSM establishes a computationally and operationally efficient probabilistic framework for real-time multi-stage intrusion detection and phase attribution. By integrating regime-dependent LDS, structured variational inference, and information-gated alerting, the method achieves strong detection accuracy, low latency, and (most notably) significant predictive capability on real enterprise datasets, outperforming current deep learning and signature methods. The architecture’s modularity and analytic transparency position it as a robust foundation for future advancements in automated network defense and kill-chain analytics.
Reference: "PARD-SSM: Probabilistic Cyber-Attack Regime Detection via Variational Switching State-Space Models" (2604.02299)