MABAT: A Multi-Armed Bandit Approach for Threat-Hunting

Threat hunting relies on cyber threat intelligence to perform active hunting of prospective attacks instead of waiting for an attack to trigger some pre-configured alerts. One of the most important aspects of threat hunting is automation, especially when it concerns targeted data collection. Multi-armed bandits (MAB) is a family of problems that can be used to optimize the targeted data collection and balance between exploration and exploitation of the collected data. Unfortunately, state-of-the-art policies for solving MAB with dependent arms do not utilize the detailed interrelationships between attacks such as telemetry or artifacts shared by multiple attacks. We propose new policies, one of which is theoretically proven, to prioritize the investigated attacks during targeted data collection. Experiments with real data extracted from VirusTotal behavior reports show the superiority of the proposed techniques and their robustness in presence of noise.