Autonomic Cyber Security Enhanced with Survival Analysis (ACSeSA)

Taylor Bradley, Information Security Institute, Johns Hopkins University, Baltimore, MD, tbradl17@jhu.edu
Lanier Watkins, Information Security Institute, Johns Hopkins University, Baltimore, MD, lanier.watkins@jhuapl.edu
Elie Alhajjar, Engineering and Applied Sciences, RAND Corporation, Arlington, VA, eliealhajjar@gmail.com

Abstract—Today, many organizations' cyber defense and resiliency strategies rely heavily on Intrusion Detection Systems (IDS) to identify cyber attacks. However, one downside of these systems is their reliance on known attack signatures for proper training and detection. As cyber attacks become more sophisticated, their behavior can be difficult for an IDS to learn and predict, because malicious behavior is often multifaceted. This makes it difficult to create and train robust IDS, and these qualities often lead to both high false positive rates and low detection rates. The next generation of IDS has been established as autonomic cybersecurity systems, and in this paper we focus on improving the detection capabilities of these systems by applying our Survival Analysis technique, which helps identify features that may contribute to misclassifications. To demonstrate the utility of our work, we (1) implement an Autonomic Cybersecurity system using multiple micro-intrusion detectors whose results are aggregated to decide whether the system has experienced anomalous behavior, (2) apply our threat model, and (3) review detection capabilities before and after applying our technique. Our results show that our approach, Autonomic Cybersecurity enhanced with Survival Analysis (ACSeSA), makes slight improvements in the detection capabilities of decision tree classifiers and even greater improvements for other types of classifiers such as linear regression and SVM.
Index Terms—Intrusion Detection Systems, Autonomic Cybersecurity, survival analysis, network security, machine-learning classifiers

I. INTRODUCTION

Intrusion Detection Systems are an integral component of modern cybersecurity solutions, with the vast majority of organizations implementing some variation of these systems for the detection of anomalous network events [1]. In 2020, the global market for intrusion detection and prevention systems was valued at over $4.5 billion. Over the next decade alone, that value is expected to more than double [2].

Intrusion Detection Systems work by learning to identify and distinguish "normal" system events from anomalous activity. They do this in one of two ways: through signature-based methods or anomaly-based methods. Signature-based detection identifies attacks based on known attack signatures, patterns, or intrusion sequences, which must be trained into the model. Conversely, anomaly-based detection compares new events against a known model of trusted activity that the system has been trained to recognize as normal.

For many years, the idea of autonomic systems has attracted a considerable amount of attention across domains including network management, business applications, and query optimization. Given their ability to self-manage, that is, to dynamically adjust their programming, algorithms, etc. without any human intervention, these systems provide a promising way to optimize performance while reducing the time and resources necessary to make manual adjustments. Recently, researchers have sought to expand these concepts to the cybersecurity realm with applications in intrusion detection, combining the idea of traditional IDS with autonomic computing principles to create self-managing IDS agents.
The main contributions of our paper are: (1) a novel enhancement to the concept of autonomic cybersecurity, Autonomic Cybersecurity (ACS) Enhanced with Survival Analysis (ACSeSA), and (2) a demonstration of how it can be used to improve the detection performance of autonomic cybersecurity micro-intrusion detectors.

The remainder of our paper is organized as follows. In Section II, we discuss relevant literature on similar research, approaches, and techniques in this domain. Next, in Section III, we discuss our methodology, including our network architecture, threat model, and a brief overview of relevant survival analysis methods. Then, in Section IV, we discuss our experimental design and how we tested the performance of our ACS agent. After that, in Section V, we discuss the resulting observations, with an emphasis on the application of survival analysis and the interpretation of its coefficients, as well as a comparison of classifier performance before and after feature elimination. Next, in Section VI, we provide a brief discussion of the broad applications of our results and the limitations of our study. Lastly, in Section VII, we conclude our research and suggest some potential avenues for future work in this area.

II. RELATED WORKS

Below we discuss other research related to autonomic computing/cybersecurity and survival analysis. None of these works are directly related; however, we feel they are tangentially related.

2023 IEEE 48th Conference on Local Computer Networks (LCN) | 979-8-3503-0073-4/23/$31.00 ©2023 IEEE | DOI: 10.1109/LCN58197.2023.10223332