Causal inference for improved cybersecurity threat detection

Understanding the causal links in the tactics and techniques of cyberattacks


Understanding how a cyberattack unfolds is key to defending against it. At present it is difficult to ascertain whether an attack is taking place and what an optimal defence might look like. One potential solution to these problems lies in causal inference, where we study the causal effects of measurable actions and observational data in order to build models capable not only of detecting threats but also of automatically acting on them.

Explaining the science

A causal approach will be explored to determine the root cause of an anomaly, i.e. whether a detected anomaly has been caused by a cyber-attack, or a non-malicious action, in a network defence system. In current cyber security systems, combining information is typically achieved by correlating indicators; however, this may yield misleading insights as correlated events are not necessarily causally related. An approach to addressing this issue is to use causal models – which can capture expert knowledge – that describe the relationships between indicators of anomalous behaviour and the likelihood they have a certain root cause.
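The difference between correlating indicators and reasoning about their root cause can be seen in a small causal model. The following is an added example, not code from the project: the two indicators (an off-hours admin login and a large data transfer), the benign root cause (a maintenance window) and every probability are constructed assumptions.

```python
from itertools import product

# Constructed priors and link strengths, for illustration only.
P_ATTACK, P_MAINT = 0.01, 0.20   # malicious vs. benign root cause
LEAK = 0.01                      # indicator fires with no known cause

def noisy_or(*strengths):
    """P(indicator fires) when each active cause triggers it independently."""
    q = 1.0 - LEAK
    for s in strengths:
        q *= 1.0 - s
    return 1.0 - q

def p_login(a, m):      # off-hours admin login (hypothetical indicator)
    return noisy_or(0.7 * a, 0.8 * m)

def p_transfer(a, m):   # large data transfer (hypothetical indicator)
    return noisy_or(0.6 * a, 0.9 * m)

def worlds(do_login=None):
    """Enumerate every world with its probability. do_login forces the login
    indicator from outside, cutting the edges from its causes (an intervention)."""
    for a, m, x, y in product((0, 1), repeat=4):
        p = (P_ATTACK if a else 1 - P_ATTACK) * (P_MAINT if m else 1 - P_MAINT)
        if do_login is None:
            p *= p_login(a, m) if x else 1 - p_login(a, m)
        else:
            p *= 1.0 if x == do_login else 0.0
        p *= p_transfer(a, m) if y else 1 - p_transfer(a, m)
        yield {"attack": a, "maint": m, "login": x, "transfer": y}, p

def prob(query, given=None, do_login=None):
    """P(query | given), optionally under do(login = do_login)."""
    given = given or {}
    num = den = 0.0
    for w, p in worlds(do_login):
        if all(w[k] == v for k, v in given.items()):
            den += p
            if all(w[k] == v for k, v in query.items()):
                num += p
    return num / den

if __name__ == "__main__":
    both = {"login": 1, "transfer": 1}
    print("P(transfer)               ", round(prob({"transfer": 1}), 3))
    print("P(transfer | login)       ", round(prob({"transfer": 1}, {"login": 1}), 3))
    print("P(transfer | do(login))   ", round(prob({"transfer": 1}, do_login=1), 3))
    print("P(attack | both)          ", round(prob({"attack": 1}, both), 3))
    print("P(attack | both, no maint)", round(prob({"attack": 1}, {**both, "maint": 0}), 3))
```

In this model the two indicators are strongly correlated, yet forcing one has no effect on the other, and the same pair of alerts points to an attack only once the benign root cause has been ruled out.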

Project aims

The project is led by Principal Investigator Neil Dhir, who is looking to develop new mathematical methods and related software tools which could be utilised in machine learning environments, where the system would automatically learn the nature of an attack and consequently recommend actions to defend against it. Another, bigger part is the interaction with complex, real-world data, so that questions involving a variety of different data can be tackled easily. Cybersecurity data is notoriously difficult to work with, and this project aims to make its analysis a bit easier.


This project aims to use novel techniques in the area of causal inference to:

1. Understand which indicators from the framework could lead to others, and what the optimal sequence of both attack and defence actions is.
2. Determine how best to combine heterogeneous cyber datasets and leverage these for causal queries.
3. Add a causal dimension to threat detection in networks.

A better understanding of these areas will enable the NCSC to better advise the UK Government, and private companies, of cyber risks inherent in working online, and how to better keep their systems safe and secure.


External team members

• Paul J, NCSC Data Science Lead