MABAT: A Multi-Armed Bandit Approach for Threat-Hunting

Liad Dekel, Ilia Leybovich, Polina Zilberman, Rami Puzis

Research output: Contribution to journalArticlepeer-review


Threat hunting relies on cyber threat intelligence to perform active hunting of prospective attacks instead of waiting for an attack to trigger some pre-configured alerts. One of the most important aspects of threat hunting is automation, especially when it concerns targeted data collection. Multi-armed bandits (MAB) is a family of problems that can be used to optimize the targeted data collection and balance between exploration and exploitation of the collected data. Unfortunately, state-of-the-art policies for solving MAB with dependent arms do not utilize the detailed interrelationships between attacks such as telemetry or artifacts shared by multiple attacks. We propose new policies, one of which is theoretically proven, to prioritize the investigated attacks during targeted data collection. Experiments with real data extracted from VirusTotal behavior reports show the superiority of the proposed techniques and their robustness in presence of noise.

Original languageAmerican English
Pages (from-to)477-490
Number of pages14
JournalIEEE Transactions on Information Forensics and Security
StatePublished - 1 Jan 2023


  • Digital forensics
  • computer security
  • reinforcement learning
  • threat hunting
  • threat intelligence

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'MABAT: A Multi-Armed Bandit Approach for Threat-Hunting'. Together they form a unique fingerprint.

Cite this