Interpretable Attack-Chain Stage Detection from AWS CloudTrail Event Sequences via Linear Models and HMM Smoothing

Authors

  • Jingwen Bai Data Science, Columbia University, NY, USA
  • Siyu Chen Information Management, University of Illinois Urbana-Champaign
  • Daren Zheng Information Technology, Carnegie Mellon University
  • Meng-Ju Kuo Department of Electrical and Computer Engineering, Carnegie Mellon University

DOI:

https://doi.org/10.33474/infotron.v6i1.24923

Keywords:

CloudTrail, cloud audit logs, attack chain, MITRE ATT&CK, sequence modeling

Abstract

Cloud audit logs such as AWS CloudTrail are a primary source of evidence for both incident response and compliance auditing, yet operational alerting still struggles with two coupled requirements: (i) recognizing multi-step cloud attacks from sequences of API events, and (ii) producing explanations that analysts and auditors can directly verify. This paper presents a reproducible and interpretable baseline pipeline for attack-chain stage detection from CloudTrail event sequences. Using the public Stratus Red Team AWS detonation logs (v2.23.2), a small labeled dataset containing 310 CloudTrail events across 35 AWS techniques and 10 ATT&CK tactics, we study three tasks: event-level tactic classification, windowed sequence classification, and attack-chain segmentation. Each CloudTrail event is encoded into a compact, schema-aware token set derived from native fields such as service, operation, principal type, management flags, and request/response key signatures, and transparent linear classifiers (TF-IDF + LinearSVC / logistic regression) are used to predict ATT&CK tactics. To recover a more coherent stage timeline, we smooth per-event predictions with a Hidden Markov Model (HMM) and Viterbi decoding using synthetic multi-stage chains assembled from the published technique traces. We further generate coefficient-based evidence reports that link predicted stages to high-weight events and feature tokens. On event-level tactic recognition, LinearSVC achieved 0.961 accuracy and 0.866 macro-F1. On synthetic multi-stage chains, LR + HMM improved boundary-F1 from 0.800 to 0.892, while accuracy and macro-F1 increased slightly from 0.840 to 0.848 and from 0.873 to 0.877, respectively. These results should be interpreted as a controlled public baseline rather than a production-ready estimate, but they show that simple and transparent models can provide useful stage-aware summaries and auditable evidence for cloud audit-log analysis.

References

Amazon Web Services, "AWS CloudTrail User Guide," AWS Documentation, 2024.

Amazon Web Services, "CloudTrail log file examples," AWS Documentation, 2024.

Datadog, "Stratus Red Team (AWS detonation logs v2.23.2)," GitHub repository, 2025.

Datadog, "Grimoire: CloudTrail Trickery for Red Teams," GitHub repository, 2024.

Datadog, "LogLicker: CloudTrail Log Anonymizer," GitHub repository, 2024.

MITRE, "ATT&CK Cloud Matrix," MITRE ATT&CK, 2025.

National Institute of Standards and Technology, "Security and Privacy Controls for Information Systems and Organizations," NIST Special Publication 800-53 Rev. 5, 2020.

National Institute of Standards and Technology, "Guide to Intrusion Detection and Prevention Systems (IDPS)," NIST Special Publication 800-94, 2007.

L. R. Rabiner, "A tutorial on hidden Markov models and selected applications in speech recognition," Proc. IEEE, vol. 77, no. 2, pp. 257-286, 1989.

C. Cortes and V. Vapnik, "Support-vector networks," Machine Learning, vol. 20, pp. 273-297, 1995.

J. Lafferty, A. McCallum, and F. Pereira, "Conditional random fields: Probabilistic models for segmenting and labeling sequence data," in Proc. ICML, 2001.

M. Du, F. Li, G. Zheng, and V. Srikumar, "DeepLog: Anomaly detection and diagnosis from system logs through deep learning," in Proc. ACM CCS, 2017.

S. He, J. Zhu, P. He, and M. R. Lyu, "Drain: An online log parsing approach with fixed depth tree," in Proc. IEEE ICWS, 2017.

W. Xu, L. Huang, A. Fox, D. Patterson, and M. Jordan, "Detecting large-scale system problems by mining console logs," in Proc. ACM SOSP, 2009.

J. Devlin, M.-W. Chang, K. Lee, and K. Toutanova, "BERT: Pre-training of deep bidirectional transformers for language understanding," in Proc. NAACL-HLT, 2019.

M. T. Ribeiro, S. Singh, and C. Guestrin, ""Why should I trust you?": Explaining the predictions of any classifier," in Proc. ACM KDD, 2016.

S. M. Lundberg and S.-I. Lee, "A unified approach to interpreting model predictions," in Proc. NeurIPS, 2017.

Y. Liu, X. Wang, J. Wang, and H. Zhang, "LogBERT: Log anomaly detection via BERT," arXiv preprint arXiv:2103.04475, 2021.

Open Cybersecurity Schema Framework, "OCSF Schema," OCSF Foundation, 2024.

SigmaHQ, "Sigma: Generic Signature Format for SIEM Systems," GitHub repository, 2024.

R. Patil, S. Muneeswaran, V. Sachidananda, and M. Gurusamy, “E-Audit: Distinguishing and investigating suspicious events for APTs attack detection,” Journal of Systems Architecture, vol. 144, Art. no. 102988, Nov. 2023, doi: 10.1016/j.sysarc.2023.102988.

M. Keshk, N. Koroniotis, N. Pham, N. Moustafa, B. Turnbull, and A. Y. Zomaya, “An explainable deep learning-enabled intrusion detection framework in IoT networks,” Information Sciences, vol. 639, Art. no. 119000, Aug. 2023, doi: 10.1016/j.ins.2023.119000.

I. H. Sarker, H. Janicke, A. Mohsin, A. Gill, and L. Maglaras, “Explainable AI for cybersecurity automation, intelligence and trustworthiness in digital twin: Methods, taxonomy, challenges and prospects,” ICT Express, vol. 10, no. 4, pp. 935–958, Aug. 2024, doi: 10.1016/j.icte.2024.05.007.

B. Al-Sada, A. Sadighian, and G. Oligeri, “MITRE ATT&CK: State of the Art and Way Forward,” ACM Computing Surveys, vol. 57, no. 1, Art. no. 12, Oct. 2024, doi: 10.1145/3687300.

W. Lin, J. Ma, T. Li, H. Ye, J. Zhang, and Y. Xiao, “CrptAC: Find the Attack Chain with Multiple Encrypted System Logs,” Electronics, vol. 13, no. 7, Art. no. 1378, Apr. 2024, doi: 10.3390/electronics13071378.

M. Boffa, I. Drago, M. Mellia, L. Vassio, D. Giordano, R. Valentim, and Z. B. Houidi, “LogPrécis: Unleashing language models for automated malicious log analysis: Précis: A concise summary of essential points, statements, or facts,” Computers & Security, vol. 141, Art. no. 103805, Jun. 2024, doi: 10.1016/j.cose.2024.103805.

Y. Chen, M. Cui, D. Wang, Y. Cao, P. Yang, B. Jiang, Z. Lu, and B. Liu, “A survey of large language models for cyber threat detection,” Computers & Security, vol. 145, Art. no. 104016, Oct. 2024, doi: 10.1016/j.cose.2024.104016.

L. Ben-Shimol, D. Lavi, E. Klevansky, O. Brodt, D. Mimran, Y. Elovici, and A. Shabtai, “Detection of compromised functions in a serverless cloud environment,” Computers & Security, vol. 150, Art. no. 104261, Mar. 2025, doi: 10.1016/j.cose.2024.104261.

J. Ren and R. Geng, “Provenance-based APT campaigns detection via masked graph representation learning,” Computers & Security, vol. 148, Art. no. 104159, Jan. 2025, doi: 10.1016/j.cose.2024.104159.

Z. Weng, W. Zhang, T. Zhu, Z. Dou, H. Sun, Z. Ye, and Y. Tian, “RT-APT: A real-time APT anomaly detection method for large-scale provenance graph,” Journal of Network and Computer Applications, vol. 233, Art. no. 104036, Jan. 2025, doi: 10.1016/j.jnca.2024.104036.

Downloads

Published

2026-05-31

How to Cite

Bai, J., Chen, S., Zheng, D., & Kuo, M.-J. (2026). Interpretable Attack-Chain Stage Detection from AWS CloudTrail Event Sequences via Linear Models and HMM Smoothing . Informatics, Electrical and Electronics Engineering (Infotron), 6(1), 28–43. https://doi.org/10.33474/infotron.v6i1.24923

Issue

Section

Articles