Fronesis: Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks

Authors

  • Paka Akhila
  • Mr. K Vijay

Keywords:

MITRE ATT&CK

Abstract

Traditional attack detection approaches utilize predefined databases of known signatures about
already-seen tools and malicious activities observed in past cyber-attacks to detect future
attacks. More sophisticated approaches apply machine learning to detect abnormal behavior.
Nevertheless, a growing number of successful attacks and the increasing ingenuity of attackers
prove that these approaches are insufficient. This paper introduces an approach for digital
forensics-based early detection of ongoing cyber-attacks called Fronesis. The approach
combines ontological reasoning with the MITRE ATT&CK framework, the Cyber Kill Chain
model, and the digital artifacts acquired continuously from the monitored computer system.
Fronesis examines the collected digital artifacts by applying rule-based reasoning on the
Fronesis cyber-attack detection ontology to identify traces of adversarial techniques. The
identified techniques are correlated to tactics, which are then mapped to corresponding phases
of the Cyber Kill Chain model, resulting in the detection of an ongoing cyber-attack. Finally,
the proposed approach is demonstrated through an email phishing attack scenario.
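
The pipeline the abstract describes (artifact, technique, tactic, Kill Chain phase) can be sketched as follows. This is an added example, not code from the paper or its authors. The rule predicates, the artifact fields, the tactic-to-phase table and the "ongoing" criterion are all assumptions, and plain Python predicates stand in for the ontology reasoner.

```python
# Added illustration: rules, artifact fields, phase table and criterion are assumptions.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]
# MITRE ATT&CK technique ID -> tactic it belongs to.
TECHNIQUE_TACTIC = {
    "T1566.001": "Initial Access",       # Phishing: Spearphishing Attachment
    "T1204.002": "Execution",            # User Execution: Malicious File
    "T1547.001": "Persistence",          # Registry Run Keys / Startup Folder
    "T1071.001": "Command and Control",  # Application Layer Protocol: Web Protocols
}
# Assumed tactic -> Cyber Kill Chain phase table (the paper's own table is not on this page).
TACTIC_PHASE = {"Initial Access": "Delivery", "Execution": "Exploitation",
                "Persistence": "Installation", "Command and Control": "Command and Control"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Hypothetical detection rules: (technique, predicate over one artifact record).
RULES = [
    ("T1566.001", lambda a: a["type"] == "file_created" and a.get("origin") == "mail_client"
                  and a["path"].lower().endswith((".docm", ".xlsm"))),
    ("T1204.002", lambda a: a["type"] == "process_start" and a.get("parent") == "winword.exe"
                  and a["image"] in SCRIPT_HOSTS),
    ("T1547.001", lambda a: a["type"] == "registry_set"
                  and "\\currentversion\\run" in a["key"].lower()),
    ("T1071.001", lambda a: a["type"] == "net_conn" and a["port"] in (80, 443)
                  and a["image"] in SCRIPT_HOSTS),
]
# Constructed sample artifacts for an email phishing scenario (ts = acquisition order).
ARTIFACTS = [
    {"ts": 1, "type": "file_created", "origin": "mail_client", "path": "C:\\Users\\u\\invoice.docm"},
    {"ts": 2, "type": "process_start", "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": 3, "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"ts": 4, "type": "net_conn", "image": "powershell.exe", "port": 443},
    {"ts": 5, "type": "process_start", "parent": "explorer.exe", "image": "notepad.exe"},
]

def detect(artifacts, min_phases=2):
    """Match rules, correlate techniques to tactics and phases, flag an ongoing attack."""
    findings, first_seen = [], {}
    for a in sorted(artifacts, key=lambda a: a["ts"]):
        for tech, pred in RULES:
            if pred(a):
                phase = TACTIC_PHASE[TECHNIQUE_TACTIC[tech]]
                findings.append((a["ts"], tech, TECHNIQUE_TACTIC[tech], phase))
                first_seen.setdefault(phase, a["ts"])
    phases = sorted(first_seen, key=KILL_CHAIN.index)
    # Assumed criterion: several distinct phases, first seen in kill-chain order.
    in_order = all(first_seen[p] <= first_seen[q] for p, q in zip(phases, phases[1:]))
    return {"findings": findings, "phases": phases,
            "ongoing": len(phases) >= min_phases and in_order}

if __name__ == "__main__":
    print(detect(ARTIFACTS))
```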

Published

2025-08-14

How to Cite

Paka Akhila, & Mr. K Vijay. (2025). Fronesis: Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks. Utilitas Mathematica, 122(Special Issue-1), 1240–1244. Retrieved from https://utilitasmathematica.com/index.php/Index/article/view/2644
