Foundations and applications of artificial Intelligence for zero-day and multi-step attack detection
EURASIP Journal on Information Security, Pub Date: 2018-04-24, DOI: 10.1186/s13635-018-0074-y
Pierre Parrend, Julio Navarro, Fabio Guigou, Aline Deruyver, Pierre Collet

Behind firewalls, more and more cybersecurity attacks are specifically targeted to the very network where they are taking place. This review proposes a comprehensive framework for addressing the challenge of characterising novel complex threats and relevant counter-measures. Two kinds of attacks are particularly representative of this issue: zero-day attacks that are not publicly disclosed and multi-step attacks that are built of several individual steps, some malicious and some benign. Two main approaches are developed in the artificial intelligence field to track these attacks: statistics and machine learning. Statistical approaches include rule-based and outlier-detection-based solutions. Machine learning includes the detection of behavioural anomalies and event sequence tracking. Applications of artificial intelligence cover the field of intrusion detection, which is typically performed online, and security investigation, performed offline.

Updated: 2020-04-16