
PARD-SSM: Probabilistic Cyber-Attack Regime Detection via Variational Switching State-Space Models

Published 2 Apr 2026 in cs.CR | (2604.02299v1)

Abstract: Modern adversarial campaigns unfold as sequences of behavioural phases - Reconnaissance, Lateral Movement, Intrusion, and Exfiltration - each often indistinguishable from legitimate traffic when viewed in isolation. Existing intrusion detection systems (IDS) fail to capture this structure: signature-based methods cannot detect zero-day attacks, deep-learning models provide opaque anomaly scores without stage attribution, and standard Kalman Filters cannot model non-stationary multi-modal dynamics. We present PARD-SSM, a probabilistic framework that models network telemetry as a Regime-Dependent Switching Linear Dynamical System with K = 4 hidden regimes. A structured variational approximation reduces inference complexity from exponential to O(TK^2), enabling real-time detection on standard CPU hardware. An online EM algorithm adapts model parameters, while KL-divergence gating suppresses false positives. Evaluated on CICIDS2017 and UNSW-NB15, PARD-SSM achieves F1 scores of 98.2% and 97.1%, with latency less than 1.2 ms per flow. The model also produces predictive alerts approximately 8 minutes before attack onset, a capability absent in prior systems.

Summary

  • The paper presents a regime-dependent switching linear dynamical system (RD-SLDS) that jointly models latent attack phases and continuous network dynamics for enhanced cyber defense.
  • It leverages structured mean-field variational inference to reduce computational complexity, enabling CPU-based real-time detection and an 8-minute predictive alert window.
  • Experimental evaluations demonstrate high detection accuracy with F1 scores of 0.982 and 0.971, and precise kill-chain phase attribution outperforming conventional and deep learning methods.

Probabilistic Cyber-Attack Regime Detection via Variational Switching State-Space Models (PARD-SSM)

Problem Formulation and Motivation

PARD-SSM addresses the critical challenge in cyber-defense of real-time detection and predictive attribution of multi-stage attacker campaigns within high-dimensional enterprise network telemetry. Unlike classical anomaly detection, which optimizes for point-wise statistical deviation, the central task is sequential probabilistic inference of latent adversarial phases (e.g., Reconnaissance, Lateral Movement, Intrusion, Exfiltration) that unfold over temporally extended windows and may be individually indistinguishable from benign activity. The limitations of conventional approaches—signature-based IDSs’ inability to detect zero-days or provide regime attribution, deep learning NIDSs’ opacity, reliance on GPUs, and lack of predictive semantics, and the modeling inadequacies of HMMs and single-regime LDSs—motivate the proposed framework.

Model Architecture

PARD-SSM introduces a Regime-Dependent Switching Linear Dynamical System (RD-SLDS) for the joint generative modeling of observed network feature streams, discrete attack stages, and continuous latent flow state. The model comprises two coupled stochastic processes: a $K = 4$ hidden Markov chain for kill-chain regime progression, and regime-indexed linear Gaussian latent dynamics encoding traffic “momentum,” discriminable via eigenstructure modulation.

Formally, given the active regime $s_t \in \{0,1,2,3\}$, the continuous latent state $x_t \in \mathbb{R}^n$ evolves as $x_t = A^{(s)} x_{t-1} + u_t + w_t^{(s)}$, with observations $y_t = C^{(s)} x_t + v_t^{(s)}$, where $A^{(s)}$ and $C^{(s)}$ are regime-specific; typical deployments use latent dimension $n = 8$ and observation dimension $m = 17$. The regime indices are interpreted as $0$ = Normal, $1$ = Reconnaissance, $2$ = Lateral Movement, $3$ = Exfiltration, with explicit spectral constraints on the regime dynamics matrices $A^{(s)}$ (e.g., a mean-reverting eigenstructure in some regimes and a growth-dominated one in others).

The regime transition probability matrix is learned online, capturing non-stationary and non-reversible phase progression.

Variational Inference and Online Adaptation

Inference in switching state-space models is computationally intractable because the number of possible regime sequences, and hence of mixture components in the exact posterior, grows exponentially with the sequence length. PARD-SSM uses a structured mean-field variational approximation that factorizes the joint posterior into a factor over the discrete regime sequence and a factor over the continuous latent states, and maximizes the Evidence Lower Bound (ELBO) by coordinate ascent. The continuous state $x_t$ is inferred with a regime-weighted Kalman smoother, and the discrete regime $s_t$ with an HMM-style forward-backward pass whose emission probabilities are the log-likelihoods under the current regime-specific LDS. This reduces the computational complexity to $O(TK^2)$, allowing packet-flow inference at CPU rates without a GPU.

The regime transition matrix and the noise covariances are continuously updated per packet via exponential-forgetting Online EM, ensuring robust adaptation to traffic drift while avoiding catastrophic forgetting of rare adversarial dynamics.
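To make the two coupled processes concrete, the following added example (not code from the paper) builds a toy RD-SLDS with the four regimes, samples a kill-chain path from it, and runs a filtering-only analogue of the inference described above: at each step, one Kalman update per regime supplies the emission log-likelihoods to an $O(K^2)$ HMM forward step, and the $K$ filtered Gaussians are collapsed by moment matching (the GPB1 scheme). This is a simplification of the paper's structured variational smoother, not a reproduction of it. Every parameter value, the identity observation map, the latent and observed dimensions (2 rather than 8 and 17), and the transition matrix are constructed for illustration.

```python
import numpy as np

# Toy RD-SLDS: K = 4 regimes; latent dim N and observed dim M are kept at 2
# for readability (the paper uses n = 8 and m = 17). All values below are
# constructed for this example and are not the paper's learned parameters.
K, N, M = 4, 2, 2
REGIMES = ["Normal", "Reconnaissance", "Lateral Movement", "Exfiltration"]

# Regime-specific dynamics A^(s); the eigenstructure encodes traffic "momentum".
A = np.stack([
    0.30 * np.eye(N),                          # Normal: strongly mean-reverting
    0.95 * np.eye(N),                          # Recon: slow, persistent drift
    np.array([[0.8, 0.55], [-0.55, 0.8]]),     # Lateral: oscillatory, |eig| ~ 0.97
    1.04 * np.eye(N),                          # Exfil: growth-dominated, |eig| > 1
])
C = np.stack([np.eye(M)] * K)                  # C^(s): identity in every regime here
Q = np.array([0.5, 0.5, 0.5, 0.1])             # per-regime process-noise variance
R = 0.05                                       # observation-noise variance
PI = np.array([                                # sticky, kill-chain-ordered transitions
    [0.94, 0.04, 0.01, 0.01],
    [0.02, 0.90, 0.07, 0.01],
    [0.02, 0.02, 0.90, 0.06],
    [0.05, 0.01, 0.02, 0.92],
])


def simulate(regimes, seed=0, q_scale=1.0, r_scale=1.0, x0=None):
    """Sample (x, y) from the generative model along a given regime path (u_t = 0)."""
    rng = np.random.default_rng(seed)
    x, y = np.zeros((len(regimes), N)), np.zeros((len(regimes), M))
    prev = np.zeros(N) if x0 is None else np.asarray(x0, dtype=float)
    for t, s in enumerate(regimes):
        prev = A[s] @ prev + rng.normal(size=N) * np.sqrt(Q[s] * q_scale)
        x[t] = prev
        y[t] = C[s] @ prev + rng.normal(size=M) * np.sqrt(R * r_scale)
    return x, y


def kalman_step(x, P, y, A_s, C_s, Q_s, R_s):
    """One predict/update step for a single regime. Returns the posterior mean,
    covariance, and the Gaussian log-likelihood of y (the HMM emission term)."""
    x, P, y, A_s, C_s, Q_s, R_s = (np.asarray(v, float) for v in (x, P, y, A_s, C_s, Q_s, R_s))
    x_pred = A_s @ x
    P_pred = A_s @ P @ A_s.T + Q_s
    e = y - C_s @ x_pred                       # innovation
    S = C_s @ P_pred @ C_s.T + R_s             # innovation covariance
    S_inv = np.linalg.inv(S)
    G = P_pred @ C_s.T @ S_inv                 # Kalman gain
    x_post = x_pred + G @ e
    P_post = (np.eye(len(x)) - G @ C_s) @ P_pred
    loglik = -0.5 * (e @ S_inv @ e + np.linalg.slogdet(S)[1] + len(y) * np.log(2 * np.pi))
    return x_post, P_post, loglik


def logsumexp(v):
    m = np.max(v)
    return m + np.log(np.sum(np.exp(v - m)))


def hmm_forward_step(alpha_prev, Pi, loglik):
    """One HMM forward recursion, O(K^2): propagate through Pi, weight by the
    emission log-likelihoods (in log space for stability), renormalise."""
    log_pred = np.log(np.asarray(alpha_prev, float) @ np.asarray(Pi, float) + 1e-300)
    log_post = log_pred + np.asarray(loglik, float)
    return np.exp(log_post - logsumexp(log_post))


def switching_filter(y, Pi=PI, P0=10.0):
    """GPB1 switching Kalman filter: K regime-conditional Kalman updates feed an
    O(K^2) forward step; the K filtered Gaussians are then collapsed by moment
    matching. Returns (T, K) regime posteriors and (T, N) filtered state means."""
    x, P = np.zeros(N), P0 * np.eye(N)
    alpha = np.full(K, 1.0 / K)
    post, means = np.zeros((len(y), K)), np.zeros((len(y), N))
    for t in range(len(y)):
        xs, Ps, lls = [], [], np.zeros(K)
        for k in range(K):
            xk, Pk, lls[k] = kalman_step(x, P, y[t], A[k], C[k], Q[k] * np.eye(N), R * np.eye(M))
            xs.append(xk)
            Ps.append(Pk)
        alpha = hmm_forward_step(alpha, Pi, lls)
        x = sum(a * xk for a, xk in zip(alpha, xs))
        P = sum(a * (Pk + np.outer(xk - x, xk - x)) for a, xk, Pk in zip(alpha, xs, Ps))
        post[t], means[t] = alpha, x
    return post, means


def demo(seed=7):
    """Simulate Normal -> Recon -> Lateral -> Exfil -> Normal and score attribution."""
    truth = np.repeat([0, 1, 2, 3, 0], [80, 60, 60, 40, 40])
    _, y = simulate(truth, seed=seed)
    post, _ = switching_filter(y)
    return {"accuracy": float(np.mean(post.argmax(axis=1) == truth)), "posteriors": post}


if __name__ == "__main__":
    print(f"per-step regime attribution accuracy: {demo()['accuracy']:.3f}")
```

Two things are worth noticing when running it. The per-step cost is exactly $K$ Kalman updates plus one $K \times K$ matrix-vector product, which is the $O(TK^2)$ profile the paper relies on for CPU-rate inference. And the regimes are separated mostly by their eigenstructure (the growth-dominated regime is distinguished from the persistent-drift one only by how prediction error scales with the state magnitude), so the filter needs a few steps of evidence after each true transition before the posterior switches; the sticky transition matrix is what prevents it from flipping on single noisy observations.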

Feature Engineering

The observation vector $y_t$ is a 17-dimensional aggregation of per-window metrics, capturing inter-arrival statistics, port and protocol diversity, payload entropy, directionality, fragmentation, and high-level behavioral signals, such as DNS query rate weighted by DGA score and HTTP method entropy. All features are dynamically standardized using a rolling baseline.
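The following added example (not the paper's code) sketches how a handful of these per-window features can be computed from flow records and standardized against a rolling baseline. The `Flow` record, the sample window, the choice of features shown, and the use of an exponentially weighted baseline are all assumptions made for illustration; the paper's exact 17 features and windowing scheme are not reproduced.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sketch of a per-window feature extractor. Only a few of the
# paper's 17 features are shown; the flow records below are synthetic.


@dataclass
class Flow:
    ts: float                  # flow start time in seconds
    dst_port: int
    proto: str                 # "tcp", "udp", ...
    direction: str             # "out" (internal -> external) or "in"
    payload: bytes = b""
    http_method: Optional[str] = None


def entropy_bits(counts) -> float:
    """Shannon entropy (bits) of a discrete distribution given as counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def payload_entropy(payload: bytes) -> float:
    """Byte-level entropy, 0 (constant) .. 8 (uniform); high values flag
    compressed or encrypted content."""
    return entropy_bits(Counter(payload).values())


def window_features(flows: List[Flow]) -> dict:
    """Aggregate one time window of flows into a feature dict (a slice of y_t)."""
    if not flows:
        return {}
    ts = sorted(f.ts for f in flows)
    iats = [b - a for a, b in zip(ts, ts[1:])] or [0.0]
    mean_iat = sum(iats) / len(iats)
    methods = [f.http_method for f in flows if f.http_method]
    return {
        "flow_count": len(flows),
        "iat_mean": mean_iat,
        "iat_std": math.sqrt(sum((i - mean_iat) ** 2 for i in iats) / len(iats)),
        "port_diversity": len({f.dst_port for f in flows}) / len(flows),
        "proto_entropy": entropy_bits(Counter(f.proto for f in flows).values()),
        "payload_entropy_mean": sum(payload_entropy(f.payload) for f in flows) / len(flows),
        "out_ratio": sum(f.direction == "out" for f in flows) / len(flows),
        "http_method_entropy": entropy_bits(Counter(methods).values()),
    }


class RollingStandardizer:
    """Exponentially weighted rolling baseline (an assumption; the paper only
    says features are standardized against a rolling baseline). Emits z-scores
    once `warmup` samples have been seen, so the first windows cannot alert."""

    def __init__(self, alpha=0.05, warmup=5, floor=1e-6):
        self.alpha, self.warmup, self.floor = alpha, warmup, floor
        self.n, self.mean, self.var = 0, 0.0, 0.0

    def update(self, x: float) -> float:
        self.n += 1
        if self.n == 1:
            self.mean = x
            return 0.0
        z = (x - self.mean) / math.sqrt(max(self.var, self.floor))
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        return z if self.n > self.warmup else 0.0


SAMPLE_WINDOW = [   # constructed flows for one window; ts in seconds
    Flow(0.0, 443, "tcp", "out", bytes(range(256))),          # TLS-like: max entropy
    Flow(1.0, 80, "tcp", "out", b"GET / HTTP/1.1", "GET"),
    Flow(2.0, 53, "udp", "out", b"\x00" * 32),                 # constant payload
    Flow(3.0, 80, "tcp", "in", b"", "POST"),
]

if __name__ == "__main__":
    for name, value in window_features(SAMPLE_WINDOW).items():
        print(f"{name:>22}: {value:.4f}")
```

The variance floor in `RollingStandardizer` matters in practice: a feature that has been perfectly constant during warm-up would otherwise produce an infinite z-score on its first change, which is exactly the kind of benign event (a new service coming online) that should not look like a regime shift.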

Predictive Alerting and False Positive Control

A fundamental innovation is PARD-SSM’s predictive capability: by maintaining and exploiting significant off-diagonal mass in the learned regime transition matrix (Figure 1), the system forecasts regime transition likelihoods ahead of observed transitions, enabling kill-chain phase alerts with a mean lead time of approximately 8 minutes before ground-truth attack onset.

Figure 1: The regime transition matrix estimated from empirical data shows strong persistence within each regime (high diagonal) plus ordered off-diagonal transitions aligned with the attack kill-chain structure.

False-positive suppression is achieved by the introduction of a KL-divergence gating mechanism that issues alerts only when the divergence between current and predicted posterior regime distributions exceeds a learned threshold, robustly filtering benign anomalies such as load spikes from true regime shifts.
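The two mechanisms just described, forecasting from the transition matrix and KL-divergence gating, are small enough to show end to end. The following added example (not the paper's code) takes a constructed transition matrix with the qualitative shape of Figure 1 and a constructed sequence of regime posteriors containing one benign wobble and one genuine shift into Reconnaissance; it forecasts the regime distribution $h$ steps ahead as $\alpha\,\Pi^h$, and alerts only when the divergence between the current posterior and the one-step forecast made from the previous posterior exceeds a threshold. The matrix values, the posterior series, the threshold, and the use of the one-step forecast as the reference distribution are assumptions made for illustration.

```python
import numpy as np

REGIMES = ["Normal", "Reconnaissance", "Lateral Movement", "Exfiltration"]

# Constructed transition matrix with the shape the paper reports for Figure 1:
# strong diagonal persistence plus ordered off-diagonal mass along the kill
# chain. Illustrative values, not the learned matrix.
PI = np.array([
    [0.94, 0.04, 0.01, 0.01],
    [0.02, 0.90, 0.07, 0.01],
    [0.02, 0.02, 0.90, 0.06],
    [0.05, 0.01, 0.02, 0.92],
])


def forecast(alpha, Pi, h):
    """h-step-ahead regime distribution implied by the Markov chain: alpha Pi^h."""
    return np.asarray(alpha, float) @ np.linalg.matrix_power(np.asarray(Pi, float), h)


def steps_until_escape(alpha, Pi, level, max_h=100):
    """Smallest horizon h at which the forecast mass outside Normal exceeds
    `level`; this is the predictive lead, in time steps, that the chain alone
    supports from the current posterior. None if never reached within max_h."""
    for h in range(1, max_h + 1):
        if 1.0 - forecast(alpha, Pi, h)[0] > level:
            return h
    return None


def kl_divergence(p, q, eps=1e-12):
    """KL(p || q) in nats over regime distributions (eps guards log 0)."""
    p, q = np.asarray(p, float) + eps, np.asarray(q, float) + eps
    return float(np.sum(p * np.log(p / q)))


def kl_gate(posteriors, Pi, threshold):
    """KL-divergence gating: compare each posterior with the one-step forecast
    made from the previous posterior and alert only above the threshold.
    Returns (alert time indices, KL series)."""
    post = np.asarray(posteriors, float)
    kls = np.zeros(len(post))
    alerts = []
    for t in range(1, len(post)):
        kls[t] = kl_divergence(post[t], forecast(post[t - 1], Pi, 1))
        if kls[t] > threshold:
            alerts.append(t)
    return alerts, kls


# Constructed posterior series: a brief benign wobble at t = 2 (e.g. a load
# spike) and a genuine shift into Reconnaissance at t = 4.
POSTERIORS = [
    [0.97, 0.01, 0.01, 0.01],
    [0.97, 0.01, 0.01, 0.01],
    [0.92, 0.06, 0.01, 0.01],
    [0.97, 0.01, 0.01, 0.01],
    [0.05, 0.93, 0.01, 0.01],
    [0.03, 0.95, 0.01, 0.01],
]

if __name__ == "__main__":
    alerts, kls = kl_gate(POSTERIORS, PI, threshold=0.5)
    for t, k in enumerate(kls):
        flag = f"ALERT -> {REGIMES[int(np.argmax(POSTERIORS[t]))]}" if t in alerts else ""
        print(f"t={t}: KL={k:.3f} {flag}")
    print("steps until P(not Normal) > 0.2 from a certain-Normal state:",
          steps_until_escape([1, 0, 0, 0], PI, 0.2))
```

The gate fires once, at the shift itself: the wobble at t = 2 and the return to Normal at t = 3 stay well under the threshold, and once the posterior has settled in Reconnaissance the forecast made from it already predicts Reconnaissance, so the divergence drops again. The lead-time function is the predictive half of the idea: the off-diagonal mass in the matrix is what makes the forecast leave Normal at all, and a matrix with a near-identity structure would never produce an alert ahead of the observed transition.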

Experimental Evaluation

Extensive benchmarking against CICIDS2017 and UNSW-NB15 datasets demonstrates that PARD-SSM achieves:

  • F1 score of 0.982 (CICIDS2017) and 0.971 (UNSW-NB15), outperforming BiLSTM, Isolation Forest, and both signature-based and single-regime Kalman filter methods by large margins
  • Stage Attribution Accuracy of 0.861, indicating precise per-timestep kill-chain phase annotation, which is absent in all baselines
  • Inference latency below 1.2 ms/flow on CPUs, substantially more efficient than GPU-accelerated BiLSTM (8.4 ms/flow)
  • Predictive Early Detection Margin: the only evaluated system with nonzero (approximately 8 minutes) pre-attack alerting, enabled by regime prediction via the learned transition matrix
  • Low FPR, attributed directly to the KL-gating mechanism

Figure 2: Regime posterior probability time-series on the CICIDS2017 PortScan-to-Infiltration scenario, highlighting PARD-SSM’s ability to issue a Reconnaissance alert 8 minutes before the attack proper is observed.

Theoretical and Practical Implications

The deployment of PARD-SSM constitutes an advance in the formal integration of structured graphical models and information-theoretic detection for operational network defense. By separating regime inference from feature anomaly scoring, the framework establishes a prior on kill-chain transitions, thereby enabling both earlier detection and automated reconstruction of adversarial campaign timelines.

The model’s tractable variational procedure demonstrates that probabilistic multi-regime generative modeling can be made compatible with enterprise traffic rates on accessible hardware, thus enabling wider practical adoption than deep recurrent NIDSs, whose dependencies on bespoke hardware and post-hoc explainability remain significant barriers.

Furthermore, the online learning protocol endows PARD-SSM with continual adaptation to dynamic environments, which is crucial for real-world resilience as network baselines and attacker TTPs drift.

Limitations and Future Work

The main modeling assumption is linearity within each regime. While the architecture is extensible to non-linear variants via, e.g., EKF/UKF or neural parameterization, empirical validation is pending. Scaling to richer attack stage ontologies (beyond four kill-chain phases) will require Bayesian non-parametric extensions. Encrypted traffic severely limits payload-based features, so additional flow- and timing-based signals are likely necessary. Adversarial robustness, e.g., to mimicry attacks that specifically target regime identification, is also unaddressed.

Conclusion

PARD-SSM establishes a computationally and operationally efficient probabilistic framework for real-time multi-stage intrusion detection and phase attribution. By integrating regime-dependent LDS, structured variational inference, and information-gated alerting, the method achieves strong detection accuracy, low latency, and (most notably) significant predictive capability on real enterprise datasets, outperforming current deep learning and signature methods. The architecture’s modularity and analytic transparency position it as a robust foundation for future advancements in automated network defense and kill-chain analytics.


Reference: "PARD-SSM: Probabilistic Cyber-Attack Regime Detection via Variational Switching State-Space Models" (2604.02299)
