A Markov multi-phase transferable belief model for cyber situational awareness

Date

2019-02-06

Publisher

IEEE

Type

Article

ISSN

2169-3536

Citation

Ioannou G, Louvieris P, Clewley N. Markov multi-phase transferable belief model for cyber situational awareness. IEEE Access, Volume 7, 2019, pp. 39305-39320

Abstract

eXfiltration Advanced Persistent Threats (XAPTs) increasingly account for incidents concerned with critical information exfiltration from High Valued Targets (HVTs). Existing Cyber Defence frameworks and data fusion models cannot cope with XAPTs due to a lack of provision for multi-phase attacks characterized by uncertainty and conflicting information. The Markov Multi-phase Transferable Belief Model (MM-TBM) extends the Transferable Belief Model to address the multi-phase nature of cyber-attacks and to obtain previously indeterminable Cyber SA. As a data fusion technique, MM-TBM constitutes a novel approach for performing hypothesis assessment and evidence combination across phases, by means of a new combination rule, called the Multi-phase Combination Rule with conflict Reset (MCR²). The impact of MM-TBM as a Cyber Situational Awareness capability and its implications as a multi-phase data fusion theory have been empirically validated through a series of scenario-based Cyber SA experiments for detecting, tracking, and predicting XAPTs.

Keywords

APT, combination rule, conflict, cyberspace, kill-chain, Markov processes, prediction, sensor fusion, situational awareness, uncertainty

Rights

Attribution-NonCommercial 4.0 International
