Electronic computing systems provide useful and necessary services that assist individuals in business and in their everyday lives. In recent years, a growing number of cyber-attacks are being conducted on governmental agencies and private enterprises. These cyber-attacks tend to focus on computing systems with network connectivity (referred to as “network devices”) communicatively coupled to a network within the governmental agency or private enterprise. These cyber-attacks are orchestrated in an attempt to gain access to content stored on these computing systems for illicit (i.e., unauthorized) purposes, such as spying or other malicious or nefarious activities.
Normally, cyber-attacks against computing systems are started by exploiting a weakness in software installed on the computing systems or a weakness in training where a person unknowingly compromises his or her computing system by allowing malicious software to be loaded thereon. Upon loading the malicious software, the attacker may gain entry to stored network resources maintained by the governmental agency or private company. Herein, the malicious software may include any software that is used to (i) monitor activity on a target computing system, (ii) cause harm to the target computing system, such as intentional corruption of data stored on the computing system, data theft (e.g., credentials, financial information such as credit card information, identity information, or the like), or (iii) assist in an exfiltration of data from the target computing system. Examples of malicious software may include, but are not limited or restricted to, viruses, trojan horses, rootkits, worms, advanced persistent threats (APTs), keyloggers, and/or other programs intended to compromise computing systems as well as the data stored on the computing system and other computing systems connected to the network.
Many computing systems within enterprises are monitored for purposes of security with a view to identifying indicators of compromise (IOCs) evidencing, verifying or tracking a cyber-attack. The resulting data can be presented to network or security administrators for her or his review, evaluation and, if appropriate, remedial action. This IOC detection process can be challenging as, after infiltration of the malicious software, the operations by the malicious software may bear a strong similarity to legitimate and typical communications exchanged within a network. Currently, some existing cybersecurity solutions may experience a high number of false positives or false negatives because actual malware within network traffic may be more subtle to detect than IOCs associated with detecting a breach of the network itself.