Received 7 February 2025, accepted 24 February 2025, date of publication 3 March 2025, date of current version 17 March 2025.

Digital Object Identifier 10.1109/ACCESS.2025.3547433

Cyber Attack Prediction: From Traditional

Machine Learning to Generative Artificial
Intelligence
SHILPA ANKALAKI 1 , APARNA RAJESH ATMAKURI 2 , M. PALLAVI 3 ,
GEETABAI S HUKKERI 1 , TONY JAN 4 , AND GANESH R. NAIK 4,5,6
1 Department of Computer Science and Engineering, Manipal Institute of Technology Bengaluru, Manipal Academy of Higher Education, Manipal, Karnataka
576104, India
2 Department of CSE, SoET, Centurion University of Technology and Management, Bhubaneswar, Odisha 761211, India
3 School of Computer Science and Engineering, Presidency University, Bengaluru 560064, India
4 Centre for Artificial Intelligence Research and Optimization (AIRO), Design and Creative Technology Vertical, Torrens University, Ultimo, NSW 2007, Australia
5 Design and Creative Technology Vertical, Torrens University, Adelaide, SA 5000, Australia
6 College of Medicine and Public Health, Flinders University, Adelaide, SA 5042, Australia

Corresponding authors: Shilpa Ankalaki ([email protected]) and Geetabai S Hukkeri ([email protected])

This work was supported by the Manipal Academy of Higher Education (Open Access Funding).

ABSTRACT The escalating sophistication of cyber threats poses significant risks to individuals, organiza-
tions, and nations. Cybercrime, encompassing activities like hacking and data breaches, has severe economic
and societal consequences. In today’s interconnected world, robust cybersecurity measures are paramount
to mitigate these risks and protect sensitive information. However, traditional security solutions struggle
to keep pace with the evolving threat landscape. Artificial Intelligence (AI) offers a powerful arsenal of
techniques to address these challenges. This paper explores the application of AI methods, including Machine
Learning (ML), Deep Learning (DL), Natural Language Processing (NLP), Explainable AI (XAI), and
Generative AI, in solving various cybersecurity problems. This paper presents a comprehensive analysis
of AI techniques for enhancing cybersecurity. Key contributions include: 1) comparative study of ML and
DL methods: Evaluating their accuracy, applicability, and suitability for various cybersecurity challenges; 2)
investigation into XAI approaches: Enhancing the transparency and interpretability of AI-powered security
solutions, particularly in anomaly detection; 3) exploration of emerging trends in Generative AI (Gen-AI)
and NLP: Examining their potential to simulate and mitigate cyber threats through advanced techniques
like threat intelligence generation and attack simulations; 4) application of GenAI in cybersecurity and
real-world products of GenAI for cyber security. This research aims to advance the state-of-the-art in
AI-driven cybersecurity by providing insights into effective and reliable solutions for mitigating cyber risks
and improving the overall security posture.

INDEX TERMS Cybersecurity, cyber-attack prediction, machine learning, deep learning, explainable AI,
generative AI.

I. INTRODUCTION and more convenient in all aspects but concurrently present

With rapid technological advancements and increasing inter- several challenges. One of the significant challenges is the
connectivity in our community, the significance of security swift increase in cybersecurity threats alongside technolog-
solutions and measures for mitigation will be more essen- ical advancements. As technological progress advances and
tial. Technological advancements make everyone’s life easier businesses increasingly rely on digital platforms, the spec-
trum of cyber-attacks has grown more ominous. Such attacks
The associate editor coordinating the review of this manuscript and have the potential to inflict severe damage on individu-
approving it for publication was Mohammad J. Abdel-Rahman . als and organizations alike, leading to financial setbacks,
2025 The Authors. This work is licensed under a Creative Commons Attribution 4.0 License.
44662 For more information, see https://creativecommons.org/licenses/by/4.0/ VOLUME 13, 2025
S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

tarnished reputations, and even jeopardizing national secu- widely acknowledged within the cybersecurity community
rity. Therefore, it is imperative for governments, businesses, that the complete elimination of cyber threats is unattainable.
and individuals to accord the highest priority to cybersecurity Consequently, the predominant strategies tend to be reactive
measures to safeguard their respective interests [1]. Consider- rather than proactive. Notably, in recent years, consider-
ing all these aspects, cybersecurity has become significantly able scholarly attention has been paid to incident response
more important for researchers and professionals. It encom- and intrusion detection, yielding promising results. Nonethe-
passes a wide array of elements, including tools, techniques, less, these efforts primarily address post-event scenarios,
policies, security measures, guidelines, risk-mitigation strate- limiting their effectiveness in pre-emptive measures [8].
gies, training, best practices, and innovative technologies. Artificial Intelligence (AI), Machine Learning (ML), and
These components collectively aim to protect cyberspace and Deep Learning (DL) are increasingly acknowledged as potent
user assets [2]. Cybersecurity refers to mechanisms that pro- instruments for tackling cyber security challenges. They pos-
tect systems against threats and vulnerabilities to ensure the sess the capacity to augment the functionalities of current
efficient delivery of accurate services to users. Owing to the cybersecurity systems and identify unrecognized threats [9].
rapid increase in data volume, ensuring security has become AI, ML, and DL are frequently used interchangeably. Figure 1
a major challenge in cybersecurity. Modern hackers have illustrates the interconnectedness among AI, ML, and DL.
profound knowledge of systems and programming expertise, AI serves as a broad domain akin to the universe, whereas ML
allowing them to exploit well-protected hosts. Some attacks operates within the realm of AI as a subset, and DL further
with immense destructiveness in the last few years are listed specializes as a subset within ML. AI provides the ability to
below. sense, reason, act, and adapt. ML is an application of AI that
enables machines to learn automatically and improve their
• In May 2021, the Colonial Pipeline, a major supplier of
past data experience. DL is an application of ML that utilizes
gasoline to the eastern United States, fell victim to a ran-
complex algorithms and deep neurons to train a model. This
somware attack, resulting in the shutdown of its pipeline
requires a large amount of data.
for an extended duration. The attack was orchestrated
by a Russian hacking group known as DarkSide, which
demanded a $4.4 million ransom payment in Bitcoin.
These cyberattacks triggered widespread panic and fuel
shortages across numerous states [3].
• SolarWinds Supply Chain Attack: It was discovered
in December 2020 that the Orion network monitoring
software had been compromised, and malicious malware
had been introduced into SolarWinds software. Numer-
ous government institutions and commercial businesses
have been affected by the breach [4].
• Log4J Vulnerability: This zero-day attack, known as
Log4Shell before an official CVE designation, was
assigned to the security industry in late 2021. 100s of
FIGURE 1. Relation between AI, ML, and DL.
Millions of devices have been affected [5].
• The WannaCry ransomware assault occurred in May
2017 and affected over 200,000 systems across A. HOW AI ENHANCES CYBERSECURITY: KEY BENEFITS
150 countries. The compromised PC files were AND APPLICATION
encrypted by ransomware, which then requested pay-
ML algorithms are trained with historical experience, to pre-
ment in Bitcoin to unlock them. The attack resulted in
dict future outcomes in a way that resembles human deci-
extensive disturbances, encompassing the shutdown of
sions. ML algorithms are widely used in cybersecurity for
multiple hospitals in England [6].
identifying security threats and breaches, is an example of
As is evident from numerous studies, cybercrime has harmed an ML application. In the past few years, automated secu-
several organizations, companies, and people in recent years. rity tools based on ML have been created to provide an
As cyber threats evolve in complexity and frequency, conven- autonomous response to the threats by using clustering,
tional cybersecurity measures are proving to be insufficient classification and regression techniques [10]. Proactive vul-
to detect and counter emerging attack methodologies [7]. nerability management is also where AI & ML are used.
Cyberattack defense for computer-based systems has become AI/ML based tools like User and Entity Behavior Analytics
increasingly difficult. It is necessary to design more effective (UEBA) work on the principle that malware is often detected
and efficient cybersecurity solutions to prevent cyberattacks. by monitoring user interactions on servers and service end-
To mitigate security risks and minimize their conse- points, helping identify such unusual behavior. This method
quences, the cybersecurity sector has directed its research allows organisations to identify and mitigate risks proactively,
and development endeavors toward specific focal points. It is frequently before exploits are made public0 or patched [11].

VOLUME 13, 2025 44663

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

AI finds application in diverse areas, from very simplistic ML approaches have been proved beneficial for aspects such
recurring processes to more advanced applications of AI like as detection and classification of malware followed up by DL
cybersecurity, where AI counteracts advanced cyber threats. frameworks deployed for traffic characterization and traffic
This is a new technology that is transforming machines into detection [17], [18].
machines that can also think, thus making more human- Nonetheless, AI deployment in cybersecurity has sev-
like decisions, performing tasks and automating them using eral limitations. The major limitations are the difficulties in
assisted, augmented and autonomous intelligence. However, obtaining data on cybersecurity-related incidents [19], the
in today’s digital ecosystem, where cyber risks are contin- vulnerability of the AI models to adversarial attacks [20], and
uously evolving, traditional security measures often lack the the ethical and privacy issues [21].
agility and sophistication needed to effectively defend against The main problem with AI models is their ‘‘black-box’’
21st-century cyberattacks [12], such as zero-day vulnerabil- nature, which complicates the explanation of the reason-
ities. AI in cybersecurity can help organizations to make ing that led to the decisions made by these systems [22].
smarter decisions, detect Network Invasions, and heal the This opacity can be a major trust and accountability issue
effects of cyberattacks. DL is a subbranch of machine learn- because it can be difficult for people to make sense of the
ing that focuses on learning the representation by passing the cybersecurity decisions made by an AI system. Thus, this
information through multiple layers of transformations which means that AI-driven security systems will be prime targets
makes it more accurate for classification and regression tasks. of attacks, rendering them more vulnerable to breaches and
The proposed Defense framework DL-based solution can cyber threats [23], [24].
be increasingly used for defense purposes in Cybersecurity, XAI has come as a Trump card to combat the black-box
as DL-based defense mechanisms are already in place in problem to overcome these challenges pertaining to AI in
different combinations to automate detection of cyber threats, Cybersecurity. Providing clear, understandable justifications
such systems getting trained progressively and improving for the decisions taken by AI systems, XAI improves trans-
as time passes [13]. The adoption of AI in cybersecurity parency. This allows both users and experts to grasp the
comes with its own set of challenges. To function properly, logic behind AI-driven outcomes and the key data supporting
AI systems require large amounts of data, which means pro- them, improving the interpretability and trustworthiness of
cessing can consume a lot of resources. Moreover, false alarm AI-based models in cybersecurity applications [25].
complexity might damage the user trust [20], and late threat
responses could make the entire system less efficient. AI-
based security systems can be vulnerable to cyber-attacks C. AN OVERVIEW OF GENERATIVE ARTIFICIAL
that target the system itself. Nevertheless, ongoing research INTELLIGENCE (GEN-AI)
is improving the resilience of AI against such cyber Given the enormous influence that Gen-AI has on many
threats [14]. important domains, it is only reasonable to wonder what
makes Gen-AI so extraordinary. Gen-AI derives its capa-
bilities from how it processes vast datasets and integrates
B. AI LIMITATIONS THAT HIGHLIGHT THE NEED FOR XAI them into its algorithms. The randomness in output selec-
IN CYBERSECURITY tion, combined with extensive training data, often results
AI algorithms can also be susceptible to adversarial attacks, in outputs that exhibit creative and human-like characteris-
where attackers manipulate input data to trick the AI sys- tics [26]. To find patterns in big datasets, Gen-AI models
tem before the attack takes place, highlighting the need for make use of cutting-edge deep learning methods like Trans-
stringent testing and evaluation. There are several key issues, formers, Variational Autoencoders, and Generative Artificial
one amongst these is that of using AI systems by malicious Networks [27]. These models can use learnt distributions
actors or using AI systems as vectors for attacks. Evasion to produce new material after training. The capabilities of
attacks, for example, can allow attackers to modify malware Gen-AI are demonstrated by tools like ChatGPT [28] and
files to be mistaken as benign files to detection systems that DALLE [29], which have attracted a lot of attention. Ope-
rely on machine learning to detect malicious files. Apart nAI’s ChatGPT is a well-known chatbot that produces a
from the aforementioned threats, AI-enabled cybersecurity variety of content, such as essays and code, whereas DALLE
systems are also susceptible to a wide range of other threats, uses text descriptions to produce lifelike visuals. Although
including communication interception, service failures, acci- these Gen-AI tools have the potential to completely transform
dents, environmental disasters, legal issues, and other security a number of professions, it is yet unclear what the entire
threats, power outages, and other physical damage, all of impact and hazards will be. Applications of Gen-AI in cyber
which might cause the malfunctioning of these systems [15]. security include password protection [30], [31], Gen-AI text
AI is the fundamental technology of Industry 4.0, and it also detection in attack, generate adversarial attack examples,
plays a significant role in advancing cyber security services Malware and intrusion detection, Simulated attacks, Creating
and management [16]. Various AI techniques, especially the honeypots, security code generation and transfer, and cus-
ML and DL algorithms, have been utilized for malware tomized Large Language Models (LLM) for security.
detection, anomaly detection, and network traffic analysis. The objectives of this paper are as follows:

44664 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

• Examine state-of-the-art ML and DL approaches for A. CYBER ATTACKS

cyber-attack predictions in various types of cyber secu- Cyber attacks are evil attempts to illegally enter computer
rity environments. systems, networks, or data with the intention of stealing,
• Provide an in-depth analysis of benchmark datasets, causing physical harm or sabotage. Therefore, learning about
detailing its attributes and suitability of these datasets for the various types of cyber-attacks and how they function
various cybersecurity tasks in cyber-attack prediction. is essential for people and businesses to boost their secu-
• Analyse the challenges faced by traditional AI models rity. These activities are also known as malicious operations
in cybersecurity, especially in terms of interpretabil- performed by individuals or groups that infiltrate computer
ity and adaptability to new threats and explore how systems or networks to remove, modify, or erase information,
XAI approaches address these challenges. Provide the halt services, and achieve other forms of destruction. They
insights of how GenAI is used as customized LLM for can be targeted at different things, including money-making
real-time cybersecurity applications and military or political reasons.
• A comprehensive examination of the current literature
highlights areas for further research and encourages B. TYPES OF CYBER ATTACKS
future exploration in the field of cyber-attack prediction.
i. Untargeted Attacks: In this type of attack, attackers do
not have a specific target on the device, service, or user
II. FUNDAMENTAL CONCEPTS OF CYBER SECURITY, they are attacking. Phishing, waterholing, ransomware,
CYBER-ATTACKS, AND CYBER-SPACE THREATS and scanning are some of the techniques used in these
In today’s era, safeguarding data through cybersecurity mea- types of attacks.
sures is crucial due to escalating cyber risks such as data ii. Targeted Attacks: Targeted attacks are explicitly aimed
breaches, ransomware attacks, and identity theft incidents. at specific organizations because of their particular
It is essential for all organizations, irrespective of their size, interest in financial gain. These types of attacks can
to prioritize cybersecurity to thwart access or tampering with be more severe because they exploit vulnerabilities
information. The rapid development of new technologies side in target personnel or processes. For example, spear-
by side with the rise of cyber threats create a dilemma for phishing botnets are deployed for DDOS and supply
organizations and persons. chain subversion.
Cyber-attacks are the cause for problems like Privacy iii. Insider Threats: This involves employees who launch
breaches, Monetary frauds and stealing of the Government malicious insider threat activities to breach security
property. Hence, it is imperative to understand how cyber- systems and steal sensitive information.
crime detection and prevention works. In order to accurately iv. Cyberwarfare: For economic or social reasons, gov-
respond to these threats, organizations need mechanisms for ernments commit cybercrimes against other countries,
exchanging details about attacks and security during an inci- resulting in cyberwarfare.
dent response. This helps to resolve security breaches and
support the recovery process.
In addition, as devices become increasingly data-driven, C. COMMON CYBER ATTACKS
organizations need cybersecurity tools that can identify risks Many researchers have presented a taxonomy of cyber-attacks
before they materialize. with respect to specific attacks and domains [32], [33], [34],

FIGURE 2. Common types of cyber-attacks.

VOLUME 13, 2025 44665

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

FIGURE 3. Illustration depicting various phishing attack types and techniques, utilizing strategies from existing phishing attacks [36].

[35]. Figure 2 depicts the different types of common cyber- access to systems, operational disturbances, or systems
attacks. becoming non – functional. Malware poses a signif-
icant risk to cyber-security. Malware variants are not
i Phishing: Phishing attacks where socially engineered
unique, with a single variant potentially evolving mul-
e-mails deceive recipients into installing malware or
tiple new features. This characteristic makes malware
revealing confidential information. Phishing incidents
one of the most severe digital threats to cybersecu-
typically aim to obtain access to private and sensi-
rity [37].
tive data such as usernames, passwords, credit card
Figure 4 shows the types of malware attacks.
details, and network access credentials. The under-
lying objective is to persuade the recipient that the iii. DDOS Attacks: Attacks of Distributed Denial of Ser-
message contains valuable or necessary information. vice where traffic blocks the system, leading to service
Phishing schemes may utilize email, telephone calls, interruptions.
text messages, and social media platforms to deceive iv. Zero-Day Attacks: This occurs when hackers exploit
individuals into sharing sensitive information [36]. unknown vulnerabilities in software or systems before
Figure 3 depicts the deceptive and technical subterfuge the manufacturer has an opportunity to correct
types of phishing. them.
ii. Malware-based Attack: This term encompasses mali- v. Logic bombs: Malicious code written to perform
cious software such as ransomware, spyware, and destructive actions when certain conditions are satis-
trojans, which may result in data theft, unauthorized fied.

44666 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

FIGURE 4. Types of Malware attacks [37].

vi Abuse tools: Software applications for taking advan- E. IMPACT OF CYBER THREATS
tage of system weaknesses. 1) PRIVACY CONCERNS
vii Sniffers: Programs that monitor and capture data pass- Cybercriminals prey on individuals’ personal information,
ing through a network, such as passwords and other resulting in breaches of privacy and monetary damage.
confidential information.

2) FINANCIAL SECURITY
D. TYPES OF CYBER THREAT ACTORS
Through various cyber fraud methods, threat actors can
i Hostile Nation-States: Because of their advanced capa- steal money, conduct fraud, and disrupt financial systems by
bilities, nation-states pose complex dangers through obtaining login credentials and personal information.
their cyberwarfare programs, which range from propa-
ganda to the disruption of vital infrastructure.
ii Terrorist Groups: As they grow more technologically 3) ECONOMIC HEALTH
proficient, terrorist groups pose serious concerns as Cyber threat actions force businesses to incur unwelcome
they employ cyberattacks to harm national interests. expenditures, such as ransom payments, business interrup-
iii Corporate Spies and Organized Crime Organizations: tions, reputational harm, intellectual property theft, and
These groups conduct secret trade theft, industrial espi- clientele loss. Operators may reduce risks and safeguard vital
onage, company disruption, and cyberattacks with the services from ever-changing cyber threats by emphasizing
intention of making money. cybersecurity resilience, making significant defense invest-
iv Hacktivists: Rather than destroying infrastructure, ments, and improving threat intelligence sharing.
hacktivists use internet power to further political 1. Cryptojacking: Cybercriminals hijack devices to mine
causes. cryptocurrency, causing performance issues and downtime
v Disgruntled Insiders: By disclosing private information for affected businesses.
or infecting systems with malware, insiders, including 2. Cyber-Physical Attacks: A major threat to national
staff members and outside vendors, pose a frequent security is the hacking of vital infrastructure, such as trans-
threat to cybercrime. portation and electricity grids.

VOLUME 13, 2025 44667

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

3. State-Sponsored Attacks: Nation-states use cyberattacks is the security of IoT applications and devices [76]. There
to breach vital infrastructure and governments, endangering are various ways to acquire network datasets relevant to
people and private businesses. the IoT. In a testbed-driven generation, researchers instru-
ment an IoT device environment and record the network
III. STATE-OF-ART BENCHMARK DATASETS FOR CYBER traffic in normal and attack scenarios to create datasets.
ATTACK PREDICTION This is a labor-intensive task that requires resources in the
Datasets play a significant role in detecting cyber-attacks form of money (for technology) and time (for data collec-
using ML and DL approaches. There are many datasets that tion). However, because synthetic dataset generation relies
are openly available to researchers for predicting various on the modeling or emulation of IoT devices, communi-
attacks. Datasets are available for specific attacks and appli- cation networks, and apps that operate on top of them,
cation areas. With respect to this, datasets are classified into they use fewer resources. Although this strategy is incred-
seven categories. Figure 5 depicts the types of cyberattack ibly versatile, it can be challenging to obtain components
datasets based on the specific application areas [38]. that behave realistically. Ultimately, network traffic from
actual IoT devices used by consumers is recorded to provide
empirical datasets [77]. Numerous researchers have compiled
datasets aimed at detecting attacks on IoT traffic. The process
of generating these datasets had several characteristics. First,
IoT traffic can be categorized based on its type, such as
whether it is IP-based or specific to IoT. Additionally, the
traffic data content can vary, including full packets, headers,
features, sensor data, or signal data. Furthermore, the scale of
the dataset is a crucial aspect that encompasses the number
of devices involved and the duration of data records. The
dataset may also be categorized based on the use of the
devices, which can range from smart home applications to
health monitoring, wearables, and Wireless Sensor Networks
(WSN). Finally, the methodology used for data collection
contributes to the dataset characteristics, which may include
real-world data collection, simulation, testbed experiments,
FIGURE 5. Types of Datasets based on applications. emulation, or a hybrid approach. Table 3 presents state-of-
the-art IoT traffic-based datasets.

A. NETWORK TRAFFIC BASED/NETWORK INTRUSION

D. VIRTUAL PRIVATE NETWORK-BASED DATASET
DETECTION DATASETS
Publicly available intrusion detection datasets are crucial for This dataset, ISCXVPN2016, is proposed by authors in [86]
effectively comparing the different intrusion detection meth- and it is composed of standard and VPN-based network
ods. Additionally, third parties can verify the quality of these traffic. The dataset is labeled and consists of diverse net-
datasets only through public availability. KDL Cup 1999 and work activities including web browsing (Firefox), e-mail
NSL-KDD are the most used network intrusion detection (SMPTS), chat (Skype), streaming (YouTube), file transfer
datasets. Table 1 lists the state-of-the-art benchmark datasets (SFTP), VoIP (Hangouts voice calls), and peer-to-peer (uTor-
for network-based attacks. From Table 1, SSENET-2014 is rent).
the only dataset that is balanced, and the remaining datasets The dataset, referred to as CIC-Darknet2020, was released
are unbalanced. by the authors of [87] in 2020, and includes features from
traffic captured from two darknets, namely The Onion Router
B. MALWARE AND ANDROID APP BASED DATASETS (Tor) and a virtual private network (VPN). The dataset
includes 158,659 samples with hierarchical labels, where the
Malware datasets play a major role in cybersecurity research.
1st layer labels for traffic category are Tor, non-Tor, VPN and
Many cyber-security researchers have generated benchmark
non-VPN.
malware datasets to study the vulnerabilities exploited by
various malware, benchmark the effectiveness of security
tools, and provide information about emerging threats and E. ELECTRICAL NETWORK-BASED DATASETS
malware families. Table 2 lists some of the malware datasets. LBNL [88], IEEE 300-bus power test system [89] and
ICS cyber-attack datasets [90] are electrical network-based
C. IOT-TRAFFIC-BASED DATASETS datasets used for cyber security [38]. The LBNL dataset
The Internet of Things (IoT) is gaining popularity and rapid was gathered using the uPMU (micro-phasor measurement
development, which has led to a wide range of issues for unit) at the electrical network of Lawrence Berkeley National
both manufacturers and users. One of the main concerns Laboratory. The uPMU generates 12 data streams at a fre-

44668 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 1. State-of-the-art benchmark datasets for network-based attacks [39].

VOLUME 13, 2025 44669

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 1. (Continued.) State-of-the-art benchmark datasets for network-based attacks [39].

quency of 120 Hz, providing high-precision measurements (5) Gas Pipeline and Water Storage Tank Data. The Power
with timestamps accurate to within 100 nanoseconds. This System dataset includes 37 scenarios categorized into 8 nat-
dataset is applicable for tasks such as microgrid synchroniza- ural events, 1 no-event scenario, and 28 attack events. The
tion and the characterization of loads and distributed energy attack events are further classified into three types: (1) relay
generation [38], [88]. setting changes, (2) remote tripping command injections, and
Authors of [89] provided the information about IEEE 300- (3) data injections. These datasets are valuable for cybersecu-
bus power test system. This dataset provides a topological and rity intrusion detection within industrial control systems [38],
electrical structure of power grid, which is used especially for [90].
the detection of false data injection attacks in the smart grid.
The system has 411 branches, and average degree (< k >) of
2.74. F. INTERNET TRAFFIC-BASED DATASETS
The ICS datasets comprise of five distinct components: These datasets focus on broader internet traffic, often from
(1) Power System Data, (2) Gas Pipeline Data, (3) Energy ISPs or cloud platforms, capturing a wide range of activi-
Management System Data, (4) New Gas Pipeline Data, and ties. UMASS dataset [91], Tor and non-Tor dataset [92] and

44670 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 2. State-of-the-art benchmark datasets for Malware and Android app based datasets.

TABLE 3. State-of-the-art IoT traffic-based dataset.

MAWI Working Group Traffic Archive [93] are examples of UMASS dataset [91] comprises two components: simple
internet traffic-based datasets. timing attacks on OneSwarm and strong flow correlation

VOLUME 13, 2025 44671

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 4. Classifications and key features of cyber security datasets.

attacks. The simple timing attack on OneSwarm complies in real-world scenarios. Specific emerging IoT threats are
with the constraints of general criminal procedure. It includes absent in even broader data sets like IOT-23.
three types of attacks: timing-based, query forwarding-based, Obsolete or Simulated Attack Patterns: Datasets created in
and TCP throughput-based attacks. The strong flow corre- older times such as Bot-IoT (2019) and N-baiot (2018) do not
lation attacks involve multiple Tor clients browsing the top cover the latest attacking techniques. Moreover, datasets like
50,000 Alexa websites via Tor. TON-IoT are based on simulation traffic that does not cover
Authors of [92] proposed the Tor-nonTor dataset. This the complex scenarios of real-world attacks.
dataset features eight categories of network traffic: VOIP, Table 4 summarizes the classification of various cyber
chat, audio streaming, video streaming, email, P2P, brows- security datasets.
ing, and file transfer. It includes data collected from over
18 widely used applications, including Spotify, Skype, Face- IV. ROLE OF MACHINE LEARNING ALGORITHMS (ML)
book, and Gmail. FOR CYBER ATTACK PREDICTION
The MAWI dataset [93] comprises daily traffic traces in The application of ML in cybersecurity shows considerable
the form of packet captures, collected from a trans-Pacific promise for strengthening security systems and protecting
link between Japan and the United States. This dataset against cyberattacks. To keep up with the ever-changing
is valuable for researching anomaly detection, ana- nature of cyber threats, it is crucial to create and refine
lyzing internet traffic patterns, and developing traffic techniques continuously [94]. Few likely solutions based on
classifiers. machine learning are vulnerable to adversarial assaults, high-
There are some limitations in the benchmark datasets dis- lighting the need to consider this weakness when developing
cussed in this sections that can potentially impact the model countermeasures for sophisticated cyber threats.
generalizability and reliability of AI:
Narrow attack scope: Datasets, such as MQTT-IoT- A. IMPORTANCE OF ML IN CYBER SECURITY
IDS2020 and N-baiot, provide few classes of attacks that ML algorithms [95] can process large amounts of struc-
restrict AI models’ generalization on heterogeneous attacks tured and unstructured data, extract valuable patterns, learn

44672 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

FIGURE 6. ML workflow for cyber security [94].

from past data, and predict outcomes accurately. ML-based use labelled examples [97] to predict future events by
systems can help analyze possible hazards and threats applying the knowledge gained from previous data to
within a firm, aiding in risk assessment and cybersecurity new information. The supervised approach forecasts
planning [96] owing to their learning and pattern-finding the target variable by using a function created over
capabilities. ML is becoming a prominent tool in cyberse- several inputs. Audited algorithms identify the input
curity. As the number of large-scale cyberattacks increases, data and the intended results.
cyber security professionals require faster and more accurate ii. Unsupervised Machine Learning:Unsupervised ML
threat identification and prevention. Machine learning is an approaches are used when training data lack labelled
intriguing approach. data or classification. This learning technique explores
how computers extract functions from un-labeled
B. TYPES OF LEARNING APPROACHES inputs to reveal hidden structures [98]. Unsuper-
Several ML-based methods are used in cybersecurity, includ- vised techniques may detect all types of cyberattacks,
ing regression, probabilistic models, distance-based learning, including undiscovered ones, by identifying system
decision trees, dimension reduction algorithms, and boosting irregularities. Unsupervised machine learning (ML) is
and bagging techniques. These machine-learning technolo- commonly used in cybersecurity to detect anomalies,
gies help detect data breaches and vulnerabilities in computer IoT-based zero-day attacks [99], classify entities, and
systems and networks. One major feature is the ability to eval- explore data.
uate and alter large amounts of data without relying on subject iii. Semi-supervised Machine Learning: Using a com-
specialists. Machine learning techniques can be broadly bination of labelled and un-labeled data can improve
divided into supervised, unsupervised, semi-supervised, and learning precision [98]. The semi-supervised technique
reinforcement-learning techniques. Figure 6 depicts the ML efficiently detects new cyber-attacks by identifying
workflow for cybersecurity. abnormalities and applying them to other types of
attacks. It can be used to identify network breaches,
i. Supervised Machine Learning: This refers to algo- DDoS attacks, and malware.
rithms that require developer supervision. The devel- iv. Reinforcement Learning: The algorithm evolves
oper tags the training data and establishes stringent and chooses the best strategy through iterative pro-
rules and constraints for the algorithm. Algorithms can cesses. Machines and software agents can use this
VOLUME 13, 2025 44673
 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

process to automatically determine the best behaviors characteristics and generates candidate item sets. It uses a
to maximize performance under a particular circum- support and confidence approach to determine the rules. FP-
stance [100]. RL is helpful for system penetration growth [104] rules based on a frequent-pattern tree using the
testing, risk assessment, and the identification of aber- divide-and-conquer method.
rant behaviors. Dimensionality Reduction involves feature selection and
extraction. Feature selection is an important phase in which
the most relevant independent variables are chosen from
C. TYPES OF ML ALGORITHMS the original dataset, which, in turn, reduces the model’s
ML techniques have been used in numerous cybersecurity complexity and overfitting. This can be performed using
applications. These methods include regression, classifica- chi-square, ANOVA [105], Pearson’s correlation coefficient,
tion, clustering, dimensionality reduction, and boosting. and recursive feature elimination techniques. Feature extrac-
Regression analysis predicts continuous values based on tion reduces features from the original dataset by extracting
the independent variables given, and algorithms to perform new features and ignoring unimportant features. This phase
this include simple and multiple regression, which require helps to better understand the data. In Principal Component
one and multiple independent variables, respectively, to pre- Analysis (PCA), new brand components can be created by
dict dependent variables. Polynomial regression analyses the extracting low-dimensional space from the current dataset
relationship between dependent and independent variables attributes.
in a polynomial degree form. LASSO and Ridge regres- Policy-based techniques can be employed through rein-
sion [101] are popularly known as effective approaches that forcement learning. In this type of ML, the agent interacts
are typically employed for developing learning models in the with an unknown environment. Each action receives a reward
presence of a high number of features, as they are capable of in terms of positive/negative. Actions extracted with the max-
preventing overfitting and decreasing the model complexity. imum positive rewards are said to be the optimal policy in the
Regression classifiers are used to detect fraud, malware, and RL environment. When model dynamics, such as transition
other types of attack. probability, rewards, and the next state, are given, it is called
Classification techniques predict discrete values a model-based approach. A Markov decision process can be
(binary/multiple) based on the features fed into a model. The used to solve this type of problem. When model dynamics
naive Bayes classifier assumes that its features are indepen- are not given, model-free techniques, namely Monte Carlo,
dent of each other. It works best with a small amount of data Q-Learning, SARSA, and Deep Q-Learning [106], are used.
but can handle noisy data. Logistic regression works well Real-world applications of RL include game theory, control
with linearly separable data points based on the calculated theory, operations analysis, information theory, simulation-
probability. Decision Tree [102] method is a non-parametric based optimization, manufacturing, supply chain logistics,
method. Here, the most relevant feature becomes the root multi-agent systems, swarm intelligence, aircraft control, and
node, the branch nodes hold the features, and the leaf nodes robot motion control [107].
are the classes. This splitting or construction of the tree All these ML algorithms are used to predict cyber-attacks.
can be achieved using the entropy/Gini index criteria. The Table 5 lists the state-of-the-art ML techniques utilized for
random forest method uses majority voting or the aggregate cyber-attack prediction.
method to select the outcome from several decision trees
constructed in parallel over subsamples of data. The support D. ML KEY CHALLENGES IN CYBER SECURITY
Vector machine finds the optimal hyperplane that represents ML has immense potential for improving cybersecurity
the margin separation between classes. defenses; however, it faces numerous significant hurdles in
Clustering Analysis divides data points into clusters that detecting and mitigating attacks. A few of these are as fol-
are more similar to one another than to the other groups. lows:
This is achieved using unsupervised machine learning tech-
niques. One such popular technique is K-means clustering,
1) DATA QUALITY AND QUANTITY
which is most suited when data samples are well distributed,
based on Euclidean distance clusters formed until there is no To properly train models, machine learning algorithms
change in group assignment. Another important clustering is require large amounts of high-quality [108] data. The scarcity
agglomerative hierarchical, wherein data samples are initially of labelled cybersecurity datasets makes it challenging to
considered to be singleton; later, they are slowly paired up and collect labelled data for training purposes. Furthermore, data
finally form a single cluster using single/complete/average quality issues, such as imbalanced datasets (in which partic-
linkage. ular types of data are underrepresented), might impair model
Association rules help build relationships between pre- accuracy.
dictors with statements like ‘IF’ and ‘THEN.’ Suppose that
a person buying bread in a supermarket is more likely to 2) ADVERSARIAL ATTACKS
buy jams along with it. Apriori [103] is the most commonly Adversarial attacks are designed to trick ML models by
used technique that requires knowledge of frequent item-set exploiting the flaws in the underlying algorithms. Adver-

44674 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 5. State-of-art research in cyber-attack prediction using ML.

VOLUME 13, 2025 44675

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 5. (Continued.) State-of-art research in cyber-attack prediction using ML.

44676 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 5. (Continued.) State-of-art research in cyber-attack prediction using ML.

saries in cybersecurity may use tactics such as adversarial as analysts must comprehend why the ML model makes
examples, which involve modest, carefully engineered mod- a specific decision to take necessary action. Ensuring that
ifications to the input data that cause ML algorithms to ML-based cybersecurity systems are transparent and under-
misclassify them [112]. Adversarial assaults pose a substan- standable is a difficult task.
tial threat to the dependability and robustness of ML-powered
cyber-security systems. 5) RESOURCE CONSTRAINTS
Many machine learning techniques, particularly deep learn-
3) CONCEPT DRIFT ing models, require significant computer resources for train-
As cyber threats evolve, the underlying data distribution shifts ing and inference. Deploying and executing complicated ML
over time. This tendency, known as idea drift, can undermine models in resource-constrained environments, such as edge
the performance of ML models trained on historical data, devices or IoT devices, may be impossible because of pro-
making them less efficient in recognizing new and emerging cessor power, memory, and energy usage limits. Developing
risks. Adapting ML models to deal with concept drift while lightweight and efficient machine learning algorithms that
preserving their effectiveness over time is a critical challenge can be deployed in resource-constrained contexts is a cyber-
in cybersecurity [109]. security challenge [113].

4) INTERPRETABILITY AND EXPLAINABILITY 6) PRIVACY CONCERNS

ML models employed in cybersecurity frequently lack inter- ML models trained on sensitive cybersecurity data may unin-
pretability and explainability, making it difficult for security tentionally divulge sensitive information or harm user pri-
analysts to understand the logic behind model predictions. vacy. Federated learning and differential privacy techniques
Interpretability [111] is critical for trust and accountability, seek to overcome these challenges by allowing collaborative

VOLUME 13, 2025 44677

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

model training across remote data sources, while maintaining Recurrent Neural Networks [126] use memory to cap-
privacy. However, ensuring strong privacy protection while ture temporal dependencies in data. RNNs have a vanishing
preserving the model performance remains a challenge in gradient problem, which arises when the output at a given
ML-based cybersecurity systems [118]. time step is influenced by inputs from a long time ago.
To address this, long-term short-memory and gated recurrent
V. ROLE OF DL IN CYBER SECURITY DOMAIN units can be used with memory cells and gates. LSTM and
Researchers have proposed solutions using deep learning its derivatives, such as ConvLSTM, are efficient models for
algorithms to detect threats, anomalies, malware and network improving attack detection and prediction accuracy in the
intrusions, phishing or spam attacks, website defacements, context of time dependency.
vulnerability assessments, analyzing cyber threat intelli- Auto-encoder models contain an encoder and decoder
gence, user behavior, etc. as two sections, the goal of which is to match the output
with the input. The encoder converts the input data into a
A. IMPORTANCE OF DL IN CYBER SECURITY low-dimensional latent space, and the decoder [127] recon-
DL is an area of machine learning [123] that uses mul- structs it in the output layer. Any type of neural-network
tilayer transformations to analyze large volumes of data, model can be incorporated into this design. Various types
find complicated patterns, and generate accurate predictions. of auto-encoders include sparse, denoising, stacked contrac-
In cybersecurity, deep-learning-based defense systems auto- tive, adversarial, and variational. AEs are commonly used
mate cyber-attack detection and continuously improve their in network intrusion and spam detection operations. This
capabilities. This allows firms to detect, respond to, and architecture is widely used in Industrial IoT applications,
mitigate cyber-attacks more effectively. Its ability to respond including defect diagnostics and physical anomaly detection.
to emerging threats and automate security operations makes Deep belief networks (DBN) evolved from a family of
it a must-have tool in the current cybersecurity world. generative artificial neural networks, which are composed of
stacked Restricted Boltzmann Machines (RBM). The RBM
B. VARIOUS DL MODELS is an energy-based model with a single layer of unconnected
DL models are broadly classified as supervised and can be hidden units and an undirected connection to the visible units.
applied when labelled data are given for classification and In the case of multiple hidden layers, the output of an RBM
regression tasks. Unsupervised methods are mostly used for can be fed as training data to the next level of RBMs [128].
representation learning, and self-learning techniques help in The visible bottom layer represents the state of the input
feature extraction. As per the learning strategies, deep learn- layer as a data vector. A deep neural network (DBN) learns
ing models were mentioned, as shown in the figure 7. to reconstruct inputs in an unsupervised fashion with layers
The prediction in DL models is based on Artificial Neural acting as detectors. DBNs can help detect fake data-injection
Networks. An artificial neural network (ANN) is a struc- attacks in industrial environments and anomalies in IoT net-
ture of interconnected neurons that transfers information to works. The Boltzmann Machine is a generative unsupervised
one another. DNNs [124] differ from single-hidden-layer model that learns the probability distribution from an initial
neural networks owing to the larger number of hidden lay- dataset and uses it to generate inferences regarding previously
ers involved in pattern recognition. A deep neural network unknown data. They have an input layer (visible layer) and
(DNN) comprises an input layer, many hidden layers, and one or more hidden layers (hidden layers).
an output layer. A DNN layer consists of neurons that can Generative Adversarial Network (GAN) follows a
generate nonlinear outputs based on their input. The neurons min-max game strategy wherein the generator tries to capture
in the input layer pass data to the next layer. Neurons in the real distribution of data and, in turn creates samples of
hidden layers compute the weighted sum of the input data and similar ones in order to fool, whereas the discriminators’ role
apply specific activation functions, such as ReLU or tanh. The is to distinguish the fake samples created by generators from
results are then transferred to the output layer, which displays those of real data. The variants of GAN include Big-GAN,
the results. loss-sensitive GAN [129], and Wasserstein-GAN.
Convolutional Neural Networks are specialized neural Probabilistic Neural Networks offer a scalable alter-
networks designed to handle data in the form of numerous native to traditional back-propagation neural networks for
arrays ranging from 1D to 3D [125]. To effectively utilize classification and pattern-recognition applications.
the 2D structure of the input data, local connections, and They do not require the extensive forward and backward
shared weights were used instead of standard fully connected calculations necessary by ordinary neural networks. They can
networks. This approach reduces the number of parameters also work with a variety of training datasets.
and speeds up network training. This is followed by pooling When applied to a classification task, these networks use
(downsampling) and a fully connected layer before the clas- the probability theory to reduce misclassification.
sification phase. CNN models such as ResNet, MobileNet, Deep Reinforcement Learning (DRL) is a combina-
InceptionNet, and EfficientNet have been used for applica- tion of DL and Reinforcement learning used to create
tions in cyber security such as fraud, authentication, and optimal policies and build an interactive agent. Deep
malware detection. learning contributes a large number of actions for each

44678 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

FIGURE 7. Deep learning architectures for cyber security.

state, and reinforcement learning techniques help find develop novel solutions that leverage the potential of deep
the best actions for each of the observational spaces. learning while also taking into account ethical, legal, and
Algorithms include Deep Q networks, adaptive deep Q- technological cybersecurity considerations.
learning, and content-based deep reinforcement learn-
ing [130]. DRL is effective for addressing dynamic, VI. XAI APPROACHES FOR CYBER-ATTACK PREDICTION
complex, and high-dimensional security issues. Examples XAI helps us to understand why AI makes certain deci-
include DRL-based security solutions for CPSs, multiagent sions [137]. It was used to improve the reliability of the ML
DRL-based game theory simulations for cyber-defense strate- results. When machine learning is inaccurate, XAI is difficult
gies, and approaches to autonomous intrusion detection. to understand. However, XAI techniques are good at showing
Table 6 lists the state-of-the-art DL techniques utilized for which features matter most and how they affect the decisions
cyber-attack prediction. made by the model [138]. The National Institute of Standards
and Technology (NIST) proposed four principles of XAI,
C. DL KEY CHALLENGES IN CYBER SECURITY as shown in Figure 8.
DL algorithms require large amounts of high-quality labelled XAI techniques are divided into two categories: transpar-
data to learn effectively. In cybersecurity, obtaining labelled ent and post methods [25], [139]. Transparent models can
datasets for training deep learning models can be difficult easily understand internal mechanisms and decision-making
because of the lack of labelled instances for specific types processes. Examples include fuzzy inference systems, deci-
of cyber threats. Furthermore, maintaining the quality and sion trees, linear regression, and Bayesian models. These
reliability of labelled data is critical for avoiding bias and simple approaches are particularly effective when there are no
mistakes in model training. Other issues can be imbalanced excessively complex or linear relationships between features.
data, deep abstraction layers leading to black-box-related However, post-hoc explainability techniques, such as feature
problems, generalization errors due to unknown threats, and importance rankings, rule sets, heat maps, or plain language
the intensiveness of resources. explanations, can elucidate the inner workings and rationale
To overcome these difficulties, researchers, practitioners, of a trained AI model. These methods are useful for users who
and policymakers must work together in interdisciplinarity to need to comprehend the most relevant data and any potential

VOLUME 13, 2025 44679

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 6. State-of-art research in cyber-attack prediction using DL.

biases in the model. Post-hoc methods are beneficial for tionship between the features and data [139]. Furthermore,
explaining the model’s outputs when there is a complex rela- post hoc approaches are categorized into model-specific and

44680 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

By integrating the principles of XAI with the categories

presented in Figure 9, a more comprehensive framework is
established for understanding how and when to provide trans-
parent, meaningful, and accurate explanations in AI systems,
promoting trust and accountability in AI decision-making
processes.

FIGURE 8. Principles of XAI [108].

model-agnostic methods. Figure 9 illustrates the various XAI

categories. FIGURE 9. Overview of Explainable AI (XAI) Categorization [110].

In this work, we explore the relationship between the

core principles of Explainable AI (XAI) and its catego- XAI methods can also be categorized based on the types
rization framework. Figure 8 outlines key principles of of models they are applied to, namely, model-specific or
XAI, which provide a foundational understanding of how model-agnostic methods. Model-specific explanation tools
explanations should be delivered in AI systems. These are tailored to a particular model or a group of models.
principles—Explanations, Meaningful, Knowledge Limits, For example, the Graph Neural Network (GNN) explainer
and Explanation Accuracy—are crucial in guiding the trans- is designed to provide interpretable explanations for pre-
parency and interpretability of AI models. dictions made by any GNN-based model in graph-based
Figure 9 suggests the other ways to classify XAI methods machine-learning tasks. In contrast, model-agnostic explana-
(type and application), which sheds more light on structur- tion tools are theoretically applicable to any machine learning
ing explanations. Specifically, the Explanations principle of model. These methods typically operate by examining feature
Figure 8 relates to both Post-hoc and Intrinsic methods of inputs and outputs without requiring access to the internal
explanation in Figure 9. The post-hoc explanations are based structure or parameters of the models, such as weights or
on final reasoning after the model has built a stack of various architectural details [25]. Gradient-weighted Class Activation
decisions that resulted in the predicted outcomes, the Intrinsic Mapping (Grad-CAM) [140], Shapley Additive Explanations
ones are built into the model’s architecture and give an idea (SHAP) [141], and saliency maps [142] are examples of
of the inter-connections and particular weights of features model-agnostic XAI tools.
throughout the model runtime. Likewise, the Meaningful XAI approaches are further classified as either local or
principle which stresses for understandable explanation, cor- global. Local explainability methods are an essential first
responds to Explanation output format category in 9 where step towards achieving model transparency [143]. In contrast,
different formats of output such as Text, Visualization are global explainability pertains to understanding the overall
tried based on user needs. learning algorithm, including the training data used, the
The principle of Knowledge Limits relates to the When and proper applications of the algorithms, and any warnings about
how the model explains section of Figure 9, underscoring that their limitations and potential misuse.
explanations should be offered only when the model reaches a Many researchers have utilized XAI approaches for cyber-
certain level of confidence in its output. This is closely linked attack predictions. Authors of [144] introduced a framework
to the Model-specific approach, ensuring that explanations aimed at elucidating the generalization process of deep
are appropriate for the model’s design. Finally, the Explana- neural networks when tested on real-world datasets across
tion Accuracy principle is tied to both Model-agnostic and various layers. Their study involved an analysis of gradi-
Model-specific categories in Figure 9, as the accuracy of ents and weights across different layers of both MalConv
explanations is paramount in ensuring that they align with architecture [145] and emberMalConv [146]. Through this
the model’s underlying processes and accurately reflect the analysis, they were able to discern the contributions of dif-
system’s decision-making. ferent parts of the model to the classification task. Notably,

VOLUME 13, 2025 44681

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 7. State-of-the-art XAI approaches employed for cyber attack prediction.

44682 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

they observed heightened gradient values in the file headers, approaches to fine-tune XAI methods for real-time deploy-
indicating that these segments predominantly influenced the ment under stringent time limitations.
classification outcomes despite occasional peaks in other In Intrusion Detection Systems (IDS), trigger an action for
areas. countermeasure implementation to minimize the impact of an
XMal [147] presented an innovative MLP-based method intrusion. Explainable AI methods like SHAP and LIME have
augmented by an attention mechanism designed for malware been applied to explain why certain network traffic is flagged
detection in Android applications. Notably, the interpretation as malicious. Yet providing these explanations in a timely
phase of this approach focuses on autonomously generating manner, so that it would not impede the real-time detection
neural language descriptions to elucidate the significant mali- process, is a significant challenge.
cious behaviors present within these applications. Although In addition, various optimization techniques such as model
the exact workings of the method have not been fully elu- distillation have been employed to address this and cre-
cidated, the authors assert superior interpretive performance ate a simplified version of a complex model that does
compared with both LIME and DREBIN. not (or only minimally) sacrifice accuracy or the quality
MalDAE [148] introduced a novel framework to investi- of the explanations. LENS-XAI is a lightweight and scal-
gate the disparity and connection between the dynamic and able intrusion detection framework proposed by researchers
static API call sequences. These sequences, which exhibit of [173]. It combines knowledge distillation, variational
correlations, are fused through semantic mapping. MalDAE autoencoders, and attribution-based explainability techniques
offers a pragmatic and interpretable approach to malware to obtain both high detection accuracy and interpretability.
detection and comprehension, emphasizing the correlation The results revealed that the framework outperformed oth-
and fusion of static and dynamic characteristics as fundamen- ers on benchmark datasets, achieving detection accuracies
tal components of its methodology. of 95.34% (Edge-IIoTset), 99.92% (UKM-IDS20), 98.42%
The authors of [149] employed four different XAI (CTU-13), and 99.34% (NSL-KDD). The model accom-
approaches, namely LIME, SHAP, Anchors, and Counter- plishes compelling inference time of 11.92 ms for UKM20
factual explanations for botnet detection. Another Botnet (4,489 configuration parameters), 29.77 ms for Edge-IIoTset
Detection Model, BD-GNNExplainer, was proposed by the (9,167 parameters), and 28.00 ms for NSL-KDD (8,197
authors in [150]. The LIME approach is utilized in various bot parameters), making it suitable for resource-constrained and
detection methods, such as Twitter Bot detection [151], traffic dynamic cybersecurity environments while enhancing effi-
defect prediction Bot [152], and bot type classification [153]. ciency and transparency.
XAI approaches have been employed in spam, phishing,
malware, botnet detection, and other cyber-attack predictions. VII. PERFORMANCE ANALYSIS OF ML/DL APPROACHES
Table 7 lists the state-of-the-art XAI approaches employed for USED FOR PREDICTION OF VARIOUS ATTACKS
cyber-attack prediction. The following are the abbreviations The performance of ML/DL approaches depends on the
used in Table 7: MS- Model Specific, MA- Model-Agnostic, datasets and type of the data. This section summarizes the
L-Local, G-Global, I- Intrinsic, PH-Post-hoc, T- Text, A- performance of ML/DL approaches on each type of cyber-
Argument, V- Visual, and M-models. attacks.
Researchers in [172] explored real-time cyberattack detec- Figure 10 depicts the accuracy of various approaches on
tion using Explainable AI (XAI). They developed an intrusion ten Botnet detection datasets. DT, RF, MLP, and 1-D CNN
detection system based on the UNSW-NB15 dataset, employ- approaches are evaluated on most of the datasets. The per-
ing Random Forest machine learning models to classify formance evaluation study demonstrates that RF and 1D-
normal and anomalous network traffic. To explain the clas- CNN approaches performed well on most Botnet detection
sification decisions, the SHAP XAI method was applied. datasets.
Their findings revealed that incorporating SHAP with Ran- Figure 11 depicts the analysis of various ML and DL
dom Forest significantly improved classification accuracy approaches over state-of-the-art malware detection bench-
compared to using the Random Forest model alone. This mark datasets. The comparison study shows that RF com-
approach demonstrated that meaningful interpretability can paratively performed good on various datasets. CNN and
be achieved without compromising efficiency. The system DNN also performed well on state-of-the-art datasets. KNN,
achieved a 98.9% accuracy for binary classification and RF, DT and CNN performed well on state-of-the-art IoT
96.7% for multiclass classification when using SHAP, com- traffic-based attack datasets which are depicted in Figure 12.
pared to a 91% accuracy for multiclass classification without Table 8 and 9 depict the performance analysis of Performance
SHAP. analysis of State-of-the-art ML and DL approaches employed
Real-time cyber security models focus on the rapid detec- for cyber-attack prediction respectively. The performance is
tion and response to threats. But the use of XAI in these measured in terms of accuracy, precision, recall and F1-
systems places a burden on the system: creating a meaningful Measure. It shows that RF algorithm is commonly used ML
and interpretable explanation without compromising system technique and performs comparatively good on almost all
performance. However, there have been few studies regarding datasets showed in th Table 8.

VOLUME 13, 2025 44683

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

FIGURE 10. Performance analysis of ML/DL approaches used for prediction of Botnet attacks on various state-of-the-art benchmark datasets.

FIGURE 11. Performance analysis of ML/DL approaches used for prediction of Malware attacks on various state-of-the-art benchmark
datasets.

VIII. IMPACT OF GENERATIVE ARTIFICIAL INTELLIGENCE tinguish between illegal and genuine ones. WormGPT is one
ON CYBER SECURITY of these reclaimed innovations; it needs to be acquired on the
The recent development of Generative AI, or ‘GenAI,’ web’s dark side and, like its welcoming sibling (ChatGPT),
enables individuals to explore interesting and innovative is capable of producing code effortlessly, featuring spyware
methods to apply readily accessible artificial intelligence and antivirus flaws with no built-in precautions to prevent
technologies in everyday activities. Although some people misuse.
employ text-generation techniques to improve their email
communication abilities, many employ image-generation A. GENAI FOR CYBER OFFENCE
techniques to convert their inventive concepts into visual This section addresses the feasible application of GenAI
realities. Effortlessly, as one can create a powerful message to improve the effectiveness and power of cyber-offensive
with semantic AI techniques, cyber criminals may adopt these approaches.
methods to create error-free, customized phishing messages The authors of [174] demonstrated that ChatGPT can
that replicate the style and vocabulary of real interactions, perform attacks involving social engineering, spamming
thereby rendering it increasingly difficult for people to dis- assaults, computerized hacking, attack payload production,

44684 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

FIGURE 12. Performance analysis of ML/DL approaches used for prediction of Network Intrusion and IoT traffic-based attacks on
various state-of-the-art benchmark datasets.

spyware creation, and generic malware. When you attempt to themes, such as code similarities, synthesis timings, work-
ask ChatGPT for a query, it usually refuses to respond; how- days, vacations, and vocabulary, could change as GenAI
ever, designating a character who would respond to a query develops ‘‘Offensive Cyber Operations (OCO)’’ malware.
can easily overcome this hesitation. However, the CHARAC- It also renders identification more difficult, particularly when
TER Play technique presents some essential difficulties with the entire procedure is computerized. GenAI is a serious
AI patterns. Rarely do the replies generated by this approach and growing threat to cyber-crime. The following are some
reveal biases in fundamental programming, revealing harmful important factors:
areas of AI development. This does not imply that the AI is 1. Spear Phishing and Social Engineering: GenAI can
biased; instead, it mimics the biases contained in the training create highly effective and customized phishing inquiries
data that were given. or calls, making it simpler for hackers to fool victims and
Figure 13 shows a scenario of simple roleplay in which steal crucial data. AI-generated writings can imitate writing
the instruction asks ChatGPT to assume the role of granny styles and develop plausible storylines, thus improving the
and inquire about techniques to overcome the software achievement rate of such attacks.
firewall. ChatGPT will reject the obvious demand to get 2. Malware Creation and Evasion: Advanced GenAI algo-
around the firewall because it could have an illegal influ- rithms can assist cybercriminals in creating novel malware
ence and violate OpenAI’s ethical guidelines. However, versions that are more successful in avoiding identification
by assuming the position of the grid, the ChatGPT ver- by existing cybersecurity methods. AI is often used to con-
sion circumvents the constraints and releases all the data. tinuously alter malware code to defeat security applications
The ChatGPT framework, assuming the role of granny, pro- and systems that detect intrusion.
vides payloads that breach the Internet Application Firewall, 3. Automated Exploitation: GenAI can help users detect
as shown in Figure 14. There are additional complex hack- weaknesses and generate attack code. Machine learning can
ing approaches, such as Professional Mode, the Always accelerate the job of discovering and taking advantage of
Intelligent and Machiavellian (AIM) chatroom approach, security holes, making it more difficult for attackers to stay
and the Mungo Tom prompt, each of which provides up.
a unique means of circumventing ChatGPT’s customary 4. Deepfakes and Identity Theft: GenAI can generate con-
constraints. vincing fake videos and audio recordings that can be used for
Researchers may be motivated to implement various plat- pretending to be someone extortion or misdirection. The use
forms, regulations, and recommendations to apply GenAI of this technology can destroy confidence and allow for many
to security-related tasks. However, commodities may also types of cyber fraud.
be employed to conduct aggressive internet operations. 5. Cyber Espionage: State-sponsored attackers can use
This not only accelerates the tempo of crimes but also GenAI to evaluate massive amounts of data, discover desir-
makes identification difficult. Recognition efforts will often able goals, and develop complex cyber-spying activities.
use methodologies such as the MICTIC system, which Artificial intelligence can improve the effectiveness and effi-
includes the examination of spyware, infrastructure which ciency of these procedures.
took place, Leadership and Management, Data collection, In summary, GenAI increases the capability of cyber-
security experts, and Cui Bono [175]. Many identification criminals by streamlining and enhancing different facets of

VOLUME 13, 2025 44685

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 8. Performance analysis of State-of-the-art ML approaches employed for cyber-attack prediction.

44686 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 8. (Continued.) Performance analysis of State-of-the-art ML approaches employed for cyber-attack prediction.

VOLUME 13, 2025 44687

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 8. (Continued.) Performance analysis of State-of-the-art ML approaches employed for cyber-attack prediction.

cyber-attacks, thereby providing substantial problems for ChatGPT can reduce the workload of SOC analysts by
cybersecurity experts. automatically analyzing cybersecurity incidents and offering
strategic recommendations. SecOps teams can use ChatGPT
to prevent dangerous scripts and secure untrusted files.
B. GENAI FOR CYBER DEFENSE ChatGPT can analyze extensive log data and quickly iden-
Generative AI (GenAI) plays a crucial role in cybersecu- tify anomalies or security issues in access logs. Consider the
rity by detecting and mitigating cyberattacks [176]. These example shown in Figure 15. ChatGPT provides a Python
systems learn typical network or system behavior patterns, script to detect anomalies in web server logs. When the
enabling them to detect anomalies that may indicate an attack. analyst runs the script on the terminal, it displays the logs
Studies such as TadGAN [177], TanoGAN [178], and Mad- in which SQL or XSS attempts are detected. Figure 16 shows
GAN [179] have explored the use of GANs for anomaly the sample output of the detection obtained from the script
detection in time series data. generated by ChatGPT, which is shown in Figure 15.
GenAI applications extend beyond anomaly detection to This is an example of the Python script used for anomaly
areas such as phishing detection. The authors of [178] detection. Additionally, ChatGPT can help identify security
demonstrated that adversarial autoencoders can create syn- vulnerabilities in any script and offer solutions to address
thetic phishing samples, improving the robustness of phishing them. In a relevant instance, a solution outlined in refer-
detection systems. Moreover, combining GANs with models, ence [174] involves the creation of a PowerShell script. This
such as BERT, has been shown to be effective in detecting script is designed to identify the table within the Adventure-
phishing emails. Works2019 database that utilizes excessive CPU resources.
44688 VOLUME 13, 2025
S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 9. Performance analysis of State-of-the-art DL approaches employed for cyber-attack prediction.

In addition, ChatGPT can be used to generate secure code it is essential to note that ChatGPT is merely one exam-
and identify cyber-attacks. ple of GenAI. GenAI encompasses a broader spectrum
of capabilities and can be applied across various cyber-
C. THE ROLE OF GENAI FOR CYBERSECURITY security domains. Table 10 illustrates the applications of
The preceding sections have outlined the use of Chat- GenAI in cybersecurity, along with relevant real-world
GPT in both cyber offense and defense scenarios. However, use cases.

VOLUME 13, 2025 44689

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

FIGURE 13. Grandma role play [174].

FIGURE 14. Grandma - WAF bypass payload generation [174].

D. REAL-WORLD PRODUCTS OF GENAI FOR CYBER 1) BIGID BIGAI LLM [186], [194]
SECURITY BigID’s BigAI is an advanced LLM designed to enhance
Numerous real-world cybersecurity products are utilizing the the protection of organizational data and the management of
advantages of GAI to fortify their security measures. A few risk through the analysis and categorization of structured and
notable examples are outlined below: unstructured information across on-prem, cloud, or hybrid

44690 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

• Privacy Focused Function: BigAI operates on private

servers to minimize ownership of consumer data and
never exposes data to public models
• BigChat Virtual Assistant: A compliance-support tool
that utilizes internal documentation to offer guidance on
privacy laws like GDPR and CCPA.
• Data tagging and categorization: It simplifies classifica-
tion of data by regulation, sensitivity, type and intended
use, allowing organizations to proactively exclude sen-
sitive or regulated data from LLM training and reduce
risk
• Risk Reduction: Ensures LLM training uses well-curated
datasets that reflect low risk and relevant–to be sensitive
information.
• Comprehensive Data Management: Broadens functions
to administer and safeguard structured data via rational
AI and unstructured data through conversational AI.
Thereby with BigAI, Organizations get the abilities to
handle, analyze, and safeguard data while meeting reg-
ulatory requirements and reducing risks associated with
privacy violations.

2) TALON CYBER SECURITY [186], [192]

It has integrated its Talon Enterprise Browser with Microsoft
Azure OpenAI Service to deliver secure, enterprise-grade
access to generative AI tools like ChatGPT. This integration
enables organizations to utilize Azure resources while main-
taining strict data protection measures. Key features include:
• Data Security: Ensures data entered into ChatGPT
FIGURE 15. Python Script generated by ChatGPT to detect anomalies in
Webserver logs. remains within a secure environment, preventing unau-
thorized transfers to third-party services.
• Administrative Controls: Allows administrators to
restrict users from entering sensitive information, such
as credit card details or source codes, into the browser
or ChatGPT window.
• Enhanced Productivity: Offers AI-powered capabilities,
such as generating email responses or summarizing
lengthy messages.
• Compliance and Reporting: Facilitates compliance mon-
itoring through query logs and enables blocking exten-
sions that use public ChatGPT.
The Talon Enterprise Browser combines robust security fea-
tures with practical AI-driven tools, providing organizations
with a secure and efficient way to harness generative AI
technologies.

FIGURE 16. Usage of script shown in Figure 15. 3) SLASHNEXT GENERATIVE HUMAN AI [186], [195]
It is a cutting-edge service made to protect against sophis-
ticated threats like supply chain attacks, business email
compromise (BEC), financial fraud, and executive imperson-
environments. This allows it to be searched simply, and GAI ation. It harnesses SlashNext’s AI-based technology stack
technologies are used to generate contextually relevant titles to detect and mitigate progressive multi-channel messaging
and description for data elements by classifying them into attacks through machine learning, computer vision, natu-
smaller pieces using a combination of ML driven classifica- ral language processing (NLP), and deep contextualization
tion. BigAI has the following notable features: with relationship graphs. Self-powered learning: The system

VOLUME 13, 2025 44691

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 10. Applications of GenAI in cybersecurity along with relevant real-world use cases.

44692 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 10. (Continued.) Applications of GenAI in cybersecurity along with relevant real-world use cases.

generates multiple variants of core threats using AI data aug- zero-hour detections and analysis from multiple security
mentation and cloning, allowing it to self-train on different vendors.
attack scenarios. Key features of HumanAI include: • HumanAI simulates human emotional triggers, such
as fear-driven urgency, to better identify and block
• BEC GAI Augmentation: HumanAI can spin up thou- malicious behavior. This makes it highly effective in
sands of available BEC types from existing threats. combating a wide range of sophisticated threats.
• Relationship Graphs & Contextual Analysis: It employs
established communication patterns to detect abnormal 4) GOOGLE’S CLOUD SECURITY AI WORKBENCH [186],
interactions and potential threats. [196]
• Natural Language Processing: The HumanAI assesses It is a security platform based on a new LLM (large lan-
tone, emotions, manipulation triggers, and intent for guage model) Sec-PaLM — made specifically for the security
emails, identifying social engineering strategies. domain. It uses Google’s extensive threat data and Man-
• Computer Vision Recognition: Through SlashNext’s diant’s expertise in detecting vulnerabilities, malware and
LiveScan, HumanAI conducts real-time URL matching threat actors to improve security operations. The platform,
to identify tiny variations of phishing pages, like bogus designed to alleviate the overwhelm of managing multiple
online Microsoft 365 login pages. security tools or coping with the talent shortage, enables
• File Attachment Inspection: It identifies ransomware customers to safely connect their private data so that they
and malicious attachments by examining the character- meet their requirements for compliance, data protection, and
istics of social engineering and harmful code. sovereignty. With the help of Google Cloud’s Vertex AI
• Sender Impersonation Analysis: By examining email infrastructure, the Workbench is designed to help improve
authentication and headline details, HumanAI can pre- threat detection, analysis, and response. Key features include:
vent impersonation attacks. The system sources threat • Threat Containment: The Workbench unites threat intel-
data from over 700,000 new threats daily, including ligence, real-time incident analysis and AI-powered

VOLUME 13, 2025 44693

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

detection to contain the spread of an active adversarial IX. METRICS FOR CYBER SECURITY
attack. The latter includes tools such as VirusTotal Code Metrics for cyber security are classified into two classes
Insight — which applies Sec-PaLM to analyze malicious namely, security operations centers (SOCs) metrics and per-
scripts — and Mandiant Breach Analytics for Chronicle, formance metrics to evaluate the performance of ML/DL
which will alert customers of active breaches, to contain approaches for forecast and prediction of cyber-attacks.
the threat.
• Decreasing Complexity: the platform simplifies security A. SOC METRIC
job, and systems protect themselves. Assured OSS lever- A Security Operations Center (SOC) is a centralized hub that
ages LLMs to enhance open-source software vulnera- encompasses people, processes, and technology focused on
bility management, while Mandiant Threat Intelligence the continuous monitoring, detection, and response to cyber-
AI uses Sec-PaLM to rapidly detect and mitigate new security threats and incidents within an organization. The
threats. SOC’s main goal is to protect the confidentiality, integrity,
• Bridging the Talent Gap: The Workbench helps and availability of the organization’s data and systems. It also
non-experts understand security. While the Security plays a crucial role in enhancing cyber situational awareness,
Command Center AI offers clear attack graph visualiza- ensuring compliance, and managing threats effectively [198].
tions and practical recommendations for risk mitigation, SOCs are being implemented by government agencies, uni-
tools like Chronicle AI make it simple for users to versities, and both commercial and private organizations to
discover and evaluate security incidents. protect their networks. However, most research on SOCs
has been heavily centered on technology, often overlooking
5) MICROSOFT SECURITY COPILOT [186], [197] the human factors, operational processes, and the chal-
It is an AI-driven assistant designed to aid cybersecurity lenges faced by SOC analysts [199]. Table 11 describes each
professionals in managing vast amounts of data and identify- cybersecurity performance metric and emphasizes the major
ing security breaches. It integrates information from trusted features connected with it.
sources such as the Cybersecurity and Infrastructure Security
Agency, the National Institute of Standards and Technology’s B. PERFORMANCE METRICS
vulnerability database, and Microsoft’s own threat intelli- Correctly evaluating the effectiveness of ML/DL models
gence network. Powered by OpenAI’s GPT-4 and Microsoft’s depends on the accurate interpretation of performance mea-
specialized security models, Copilot helps analysts with tasks sures. The influence of the model may be ascertained in
like security investigations, summarizing events, analyzing large part thanks to these measurements. AI models created
files, URLs, code snippets, and incident information from for attack detection require careful consideration of several
various security tools. Key features of Microsoft Security metrics [216], [217]. The several measures used to evaluate
Copilot include: ML/DL models within the parameters of the research exam-
• User-Friendly Interface: The Copilot provides a simple ined are explained.
prompt-based interface that allows security profession- • True Positive (TP): The number of attacks that are cor-
als to quickly gain insights or support for investigations rectly identified
and reports. • False Positive (FP): The number of benign instances
• Advanced Threat Intelligence: Leveraging 65 trillion mistakenly classified as attacks.
daily data signals, Copilot assists in efficiently detecting • True Negative (TN): The number of benign instances
and addressing threats by using Microsoft’s robust threat correctly identified.
intelligence system. • False Negative (FN): The number of attacks mistakenly
• Collaborative Workspace: Security teams can pin their classified as benign.
findings into a shared workspace, facilitating collabo- Table 12 depicts the performance metrics derived from TP,
ration and joint efforts in investigating and analyzing FP, TN, and FN [216], [217].
security issues. Informedness, Markedness, and Matthews Correlation
• Prompt Book: This feature enables users to group tasks Coefficient (MCC) are advanced performance metrics
or automations into a single prompt, which simplifies employed to evaluate ML, DL and LLM models.
complex processes like reverse-engineering scripts with- Markedness serves as a key measure of a model’s ability
out needing an expert’s involvement. to handle false positives (e.g., false alarms) and false neg-
• Automated Reporting: Copilot can generate PowerPoint atives (e.g., missed detections). A high Markedness score
presentations that illustrate incidents and attack vectors, indicates a reliable anomaly detection system capable of min-
streamlining reporting processes. imizing incorrect alerts, which is critical for ensuring stable
• Feedback System: Users can provide feedback on incor- and efficient substation operations by avoiding unnecessary
rect results, helping to refine the system’s accuracy and interruptions. Informedness assesses the model’s capacity to
reduce errors over time. detect changes in dataset patterns that signal anomalies. For

44694 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 11. Overview of cybersecurity SOCs metric.

anomaly detection involving LLMs, where actual anomalies datasets, hindering the efficacy of ML and DL models in
occur infrequently, MCC is particularly valuable. It provides training XAI applications to establish robust cyber-attack
an unbiased evaluation of the model’s performance, ensuring defense mechanisms. The ML, DL, XAI, and GENai mod-
it is not disproportionately affected by the majority class, els require large volumes of high-quality data for effective
thereby offering a clear and accurate measure of its overall training. However, obtaining such data, particularly labeled
effectiveness [218], [219]. datasets containing examples of cyber-attacks, can be chal-
lenging owing to privacy concerns and the scarcity of publicly
X. OBSERVATION AND CHALLENGES available data.
In this work, we examined the state-of-the-art ML, DL, XAI,
and GenAI techniques deployed in defending against various B. ADVERSARIAL ATTACKS
cyber-attacks and safeguarding diverse industrial cybersecu- The threat of adversarial attacks, in which malicious actors
rity domains. Although ML, DL, and XAI hold significant manipulate data to deceive ML and DL models, presents a sig-
potential in fortifying cybersecurity domains, they encounter nificant challenge. Such attacks exploit vulnerabilities within
notable challenges in implementation. In the subsequent models, resulting in misclassifications and undermining the
section, we discuss these challenges. efficacy of cyber-attack-prediction systems. For instance,
adversaries may circumvent authentication systems such as
A. DATASETS XAI-enabled facial recognition systems or execute poisoning
An overview of prevalent and widely utilized datasets in ML attacks to manipulate or corrupt training data sources [220].
and DL for various cyber-attacks and industries is presented To address these threats, a potential solution involves ana-
in Tables 1–3, respectively. However, a critical issue persists lyzing the ‘‘Desiderata for adversarial attacks in different
with many of these datasets: they lack updates in specific scenarios involving explainable ML models,’’ as outlined
areas. This limitation may stem from concerns regarding in [221].
privacy and ethics. Consequently, the most recent categories One approach to mitigating adversarial attacks involves
of cyber-attacks are often absent from publicly available training the model to identify the inputs manipulated in

VOLUME 13, 2025 44695

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 12. Overview of performance metrics for assessing ML/DL models for cyber-attack prediction.

44696 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

TABLE 12. (Continued.) Overview of performance metrics for assessing ML/DL models for cyber-attack prediction.

such methods and responding to rejection. The model can Authors of [222] present several ethical frameworks for
learn to recognize input segments prone to carrying mali- analyzing cybersecurity questions, emphasizing the impor-
cious information and evaluate potential consequences before tance of considering risk and probability. Ethical frameworks
withholding a response to a suspicious prompt. By train- are crucial for addressing cybersecurity challenges. The prin-
ing models to defend against adversarial attacks, we can ciples and rights-based approaches, while valuable, require
instill trust in LLMs, ensuring that they do not inad- consideration of risk and probability [222]. Ethical impact
vertently facilitate cybercriminals in obtaining malicious assessments can help researchers evaluate their work’s ethical
code. implications [223]. However, current governance in cyber-
security ethics has shortfalls, particularly in the corporate
sector, where research ethics boards are often unavail-
C. INTERPRETABILITY AND EXPLAINABILITY able [224]. To address these issues, ethics education in
The XAI and GenAI techniques aim to provide insights into computer science curricula should be expanded, and effective
model predictions, but achieving interpretability in complex codes of conduct should be developed [224]. The ‘‘ethics-
ML and DL models remains a challenge. Understanding by-design’’ approach in cybersecurity research emphasizes
the rationale behind model decisions is crucial to trust and educating participants about ethical principles, discussing
accountability in cybersecurity applications. frameworks across stakeholders, and exploring techniques
to apply ethical principles in research methodologies [223].
D. PRIVACY AND ETHICAL ISSUES These efforts aim to improve ethical decision-making in
When integrating ML, DL, XAI, and GENAI within cyber- both research and practice, addressing the complex ethical
security, it is crucial to address privacy and ethical concerns challenges posed by modern information and communication
alongside technical challenges. Throughout the system life technologies.
cycle, explicitly prioritizing privacy considerations is essen- Behavior change interventions are crucial for enhanc-
tial. Protecting individuals’ privacy rights, particularly in sen- ing cybersecurity, as human behavior is often the weakest
sitive areas, such as authentication and emails, is paramount. link in security protocols. Paper [225] highlights the need
Moreover, these AI systems must undergo ethical scrutiny to for ethical considerations in behavior change interventions
mitigate biases and discrimination such as racism and sex- aimed at improving cybersecurity, drawing from utilitar-
ism. Measures should ensure fairness in the decisions made ian, deontological, and virtue ethics traditions. While many
and the explanations provided by AI systems. Eliminating organizations implement security awareness programs, these
ethical bias, particularly in specific cybersecurity domains, do not always lead to actual behavior change, highlighting
is imperative. Given that data originates from security- the need for innovative techniques beyond mere aware-
related sources, heightened privacy and security concerns ness [225]. In healthcare, where cybersecurity risks can have
necessitate safeguarding data and models from adversarial dire consequences, structured behavior change techniques are
attacks and unauthorized access, ensuring that only autho- essential to mitigate vulnerabilities among staff [226]. The
rized individuals have access to ML, DL, XAI, and GENAI AIDE approach—Assess, Identify, Develop, and Evaluate—
models. provides a framework for implementing these interventions
Ethical challenges in cybersecurity are crucial because effectively. Additionally, understanding the factors influ-
they require maintaining the confidentiality of systems and encing employee security behaviors is vital for designing
information with respect to security, rights, and equality. successful interventions [227]. Overall, integrating ethical
Addressing these issues of ethics demands a diverse approach considerations and targeted behavior change strategies can
that involves ethical frameworks, behavior change interven- significantly improve cybersecurity practices across various
tions, and educational strategies. sectors.

VOLUME 13, 2025 44697

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

Improving student engagement in professional ethics edu- • Cultural Sensitivity: Consider cultural differences in
cation, particularly in technical fields like cybersecurity, the interpretation and application of cybersecurity
is crucial. Research suggests several effective strategies: practices.
aligning content with student interests, taking a pragmatic • Continuous Monitoring and Improvement: Regularly
approach, addressing real-world complexities, and making review and update cybersecurity measures to ensure
content entertaining [228]. Authors in [229] proposed four they remain ethical and effective in the face of evolving
principles for improving student engagement in professional threats.
ethics education, particularly cybersecurity, emphasizing
real-world case studies and systemic perspectives. Classroom
debates have been shown to stimulate affective learning, XI. FUTURE RESEARCH DIRECTIONS
enhancing engagement, critical thinking, and ethical sensi- The intersection of cybersecurity and AI is a dynamic and
tivity [230]. The concept of ‘practical wisdom’ is proposed rapidly evolving field. While significant strides have been
as an ethical framework for student engagement practices, made in cyber-attack prediction using traditional ML, gener-
with case studies highlighting various ethical challenges in ative AI opens up new avenues for research and innovation.
research and teaching [231]. In ICT courses, where attrition The same is represented in Figure 17. Below, we explain some
rates are high, implementing a flipped-classroom approach promising future research directions:
and continuous assessment can increase student engage- Enhancing Generative AI for Cyber Attack Prediction
ment in professional skills and ethics education, potentially • Hybrid Models: Explore the fusion of generative and
improving academic performance and retention. These strate- discriminative models for improved cyber-attack predic-
gies collectively emphasize the importance of interactive, tion accuracy. Generative models can create synthetic
relevant, and ethically grounded approaches to teaching pro- attack data to augment training datasets, improving the
fessional ethics in technical disciplines. diversity and robustness of models; similarly, discrim-
Authors of [232] discusses the evolving security and ethi- inative models excel at classification and prediction.
cal challenges posed by information technology, noting the By combining them, we can achieve more accurate
need for new laws and rules of acceptable conduct in the and nuanced predictions. Potential architectures include
digital age. These approaches collectively aim to address generative adversarial networks (GANs) for data aug-
the complex ethical landscape of cybersecurity, balancing mentation and support vector machines (SVMs) for
individual, organizational, and societal interests. classification [174], [233].
The following are the key points to overcome the ethical • Adversarial Learning: Develop adversarial techniques
issues in cybersecurity. The following are the key points to to strengthen the robustness of generative models
overcome the ethical issues in cybersecurity. against adversarial attacks, ensuring their reliability in
real-world cyber security scenarios. We can improve
• Transparency: Ensure that security practices and policies their reliability in real-world scenarios by training mod-
are clear, accessible, and understandable to all stake- els to defend against such attacks. Techniques include
holders. adversarial training, where models are exposed to adver-
• Accountability: Establish clear lines of responsibility for sarial examples during training [235].
cybersecurity actions and decisions. • Explainable AI (XAI): Explainable AI methods help
• Data Privacy: Prioritize and protect the privacy of indi- understand the reasoning behind model predictions,
viduals’ data by adhering to legal standards and best which is crucial for identifying biases, debugging
practices. models, and gaining user acceptance. Techniques
• Informed Consent: Obtain explicit consent from users include Local Interpretable Model-Agnostic Expla-
before collecting, storing, or processing their data. nations (LIME) and SHapley Additive exPlanations
• Security Awareness Training: Educate employees and (SHAP). Explainable AI can focus on developing meth-
users on ethical practices, potential threats, and respon- ods to interpret and explain the predictions made by
sible behaviour in cybersecurity. generative AI models, building trust and transparency in
• Ethical Hacking: Use ethical hacking methods, such as the decision-making process.
penetration testing, to identify and address vulnerabili- • Multimodal Learning: Incorporate diverse data
ties before they can be exploited. sources, such as network traffic, system logs, and
• Compliance with Regulations: Adhere to local, national, threat intelligence feeds, into generative models to
and international laws and regulations governing cyber- capture complex attack patterns and improve predic-
security and data protection. tion accuracy. Incorporate network traffic, system logs,
• Balancing Security and Freedom: Implement security threat intelligence, and social media data. This holistic
measures that protect without unnecessarily infringing approach captures complex attack patterns and enhances
on personal freedoms or rights. model performance [234], [235].

44698 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

Advanced Threat Modeling and Simulation • Human-in-the-Loop: Explore human-AI collabora-

• Generative Threat Modelling: Utilize generative AI tion frameworks for cyber security, leveraging human
to create realistic and diverse attack scenarios, enabling expertise to guide and refine AI-generated predictions.
security teams to develop and test countermeasures Develop interactive systems where humans can provide
proactively. Generative models can generate novel feedback and refine model outputs [246], [247]. Cur-
attack patterns, helping security teams anticipate threats, rent approaches for increasing cybersecurity situational
which helps develop and test countermeasures. Tech- awareness (SA) either emphasize human expertise via
niques include variational autoencoders (VAEs) and alert configurations or instead consider only ML algo-
recurrent neural networks (RNNs) [236]. rithms without human contributions. Yet, both methods
• Red Team Automation: Explore using generative AI to have their weaknesses: human-based systems cannot
automate red team operations, generating novel attack prioritize which suspicious attempt is the more meaning-
techniques and strategies for assessing system vulnera- ful, while ML-based found alerts may be wrong, leading
bilities. Generative AI can assist red teams in developing to decreased accuracy [247].
innovative attack payloads, which helps organizations One such human-in-the-loop active learning-based
continuously evaluate their security posture. Challenges framework is proposed by researchers in [247], where
include ethical considerations and ensuring the gener- they prioritize alerts based on their significance and uti-
ated attacks are realistic but not harmful [237], [238]. lize human investigation results to dynamically update
• Blue Team Optimisation: Develop generative AI-driven an ever-improving detection system. These elements
tools to optimise defensive strategies based on sim- have been condensed into a framework of dynamic
ulated attack scenarios, improving security posture. alert prioritization, human alert investigation, and incre-
Generative AI can generate different attack scenarios mental hypothesis testing. Analysts follow up on alerts
to test the effectiveness of defenses, which can lead generated by a Hidden Markov Model (HMM), and their
to improved resource allocation and incident response feedback is leveraged to update the system’s belief about
plans. Techniques include reinforcement learning for the state of the attacker. The SA process is augmented
decision-making [238], [239]. with the manual expertise of a human based on pol-
icy, while a machine provides decision support, helping
Novel Data Sources and Feature Engineering prioritize alerts and enhancing the accuracy of attack
• Unstructured Data Analysis: Leverage generative AI detection.
to extract valuable information from unstructured data
sources like social media, dark web forums, and code
repositories to identify emerging threats [240], [241].
• Time Series Analysis: Develop advanced time series
analysis techniques using generative AI to capture
long-term dependencies and trends in cyber-attack data.
Generative models can help identify seasonal patterns,
anomalies, and early warning signs. Techniques include
long short-term memory (LSTM) networks and attention
mechanisms [241], [242].
• Feature Learning: Explore automated feature engineer-
ing methods using generative AI to discover hidden
patterns and relationships within complex datasets.
Generative models can learn meaningful data repre-
sentations, reducing manual feature engineering efforts.
Techniques include autoencoders and deep belief net-
works [242], [243].
Ethical Considerations and Responsible AI
• Privacy and Security: Investigate privacy-preserving
techniques for handling sensitive cyber security
data while training generative AI models. Develop FIGURE 17. Future Directions: Cyberseurity – AI, ML and Generative AI.
privacy-preserving techniques like differential privacy
and federated learning. Address potential biases in data
and models to ensure fairness [244], [245]. XII. CONCLUSION
• Bias Mitigation: Develop methods to address potential In cybersecurity, AI plays a pivotal role in analyzing datasets
biases in generative AI models, ensuring fairness and and monitoring diverse security threats and malicious activi-
equity in cyber-attack prediction [246]. ties. Effectively addressing myriad cybersecurity challenges,

VOLUME 13, 2025 44699

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

especially with the rising frequency of attacks, necessitates [15] G. Srivastava, R. H. Jhaveri, S. Bhattacharya, S. Pandya, Rajeswari,
the integration of human expertise with AI capabilities. P. K. R. Maddikunta, G. Yenduri, J. G. Hall, M. Alazab, and T. R.
Gadekallu, ‘‘XAI for cybersecurity: State of the art, challenges, open
This study presents state-of-the-art benchmark cyber-attack issues and future directions,’’ 2022, arXiv:2206.03585.
datasets, ML and DL, and techniques for various cyber-attack [16] I. H. Sarker, M. H. Furhad, and R. Nowrozy, ‘‘AI-driven cybersecurity:
predictions. An overview, security intelligence modeling and research
directions,’’ Social Netw. Comput. Sci., vol. 2, no. 3, pp. 1–18,
In the domain of cybersecurity, transparency, and explain- May 2021.
ability are essential for combating cyber threats and effec- [17] D. Ucci, L. Aniello, and R. Baldoni, ‘‘Survey of machine learning tech-
tively analyzing security decisions. Hence, this study pro- niques for malware analysis,’’ Comput. Secur., vol. 81, pp. 123–147,
Mar. 2019.
vides a thorough overview of cutting-edge research on XAI
[18] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, ‘‘A survey
for cybersecurity applications. We delineate the fundamental of deep learning-based network anomaly detection,’’ Cluster Comput.,
principles and taxonomies of state-of-the-art XAI models, vol. 22, no. S1, pp. 949–961, Jan. 2019.
along with indispensable tools, such as a comprehensive [19] R. A. Nafea and M. A. Almaiah, ‘‘Cyber security threats in cloud:
Literature review,’’ in Proc. Int. Conf. Inf. Technol. (ICIT), Jul. 2021,
framework and accessible datasets. We believe that this paper pp. 779–786.
will be a valuable resource for researchers, developers, and [20] A. Kuppa and N.-A. Le-Khac, ‘‘Black box attacks on explainable artificial
security professionals seeking to leverage ML, DL, XAI, intelligence(XAI) methods in cyber security,’’ in Proc. Int. Joint Conf.
Neural Netw. (IJCNN), Jul. 2020, pp. 1–8.
and GenAI models to address complex challenges within
[21] K. D. Ahmed and S. Askar, ‘‘Deep learning models for cyber security
cybersecurity domains. in IoT networks: A review,’’ Int. J. Sci. Bus., vol. 5, no. 3, pp. 61–70,
Jan. 2021.
CONFLICTS OF INTEREST [22] J. Gerlings, A. Shollo, and I. Constantiou, ‘‘Reviewing the need for
explainable artificial intelligence (xAI),’’ 2020, arXiv:2012.01007.
The authors have no conflicts of interest to declare relevant [23] G. Jaswal, V. Kanhangad, and R. Ramachandra, AI and Deep Learning
to the content of this article. in Biometric Security: Trends Potential and Challenges. Boca Raton, FL,
USA: CRC Press, 2021.
[24] C. Rudin, ‘‘Stop explaining black box machine learning models for
REFERENCES
high stakes decisions and use interpretable models instead,’’ 2018,
[1] G. S. Emile and M. Kala, ‘‘Critical role of cyber security in global arXiv:1811.10154.
economy,’’ Open J. Saf. Sci. Technol., vol. 13, no. 4, pp. 231–248, 2023, [25] Z. Zhang, H. A. Hamadi, E. Damiani, C. Y. Yeun, and F. Taher,
doi: 10.4236/ojsst.2023.134012. ‘‘Explainable artificial intelligence applications in cyber security: State-
[2] R. von Solms and J. van Niekerk, ‘‘From information security to cyber of-the-Art in research,’’ IEEE Access, vol. 10, pp. 93104–93139, 2022,
security,’’ Comput. Secur., vol. 38, pp. 97–102, Oct. 2013. doi: 10.1109/ACCESS.2022.3204051.
[3] J. W. Goodell and S. Corbet, ‘‘Commodity market exposure to energy firm [26] A. Bandi, P. V. S. R. Adapa, and Y. E. V. P. K. Kuchi, ‘‘The power of gen-
distress: Evidence from the colonial pipeline ransomware Atta,’’ Finance erative AI: A review of requirements, models, input–output formats, eval-
Res. Lett., vol. 51, Jan. 2023, Art. no. 103329. uation metrics, and challenges,’’ Future Internet, vol. 15, no. 8, Jul. 2023.
[4] R. Alkhadra, J. Abuzaid, M. AlShammari, and N. Mohammad, ‘‘Solar [Online]. Available: https://www.mdpi.com/1999-5903/15/8/260
winds hack: In-depth analysis and countermeasures,’’ in Proc. 12th Int. [27] J. Babcock and R. Bali, Generative AI With Python and Tensorflow 2:
Conf. Comput. Commun. Netw. Technol. (ICCCNT), Jul. 2021, pp. 1–7. Create Images, Text, and Music With VAEs, GANs, LSTMs, Transformer
[5] Cobalt. (Jun. 20, 2024). 11 Biggest Cybersecurity Attacks in History. Models. Birmingham, U.K.: Packt, 2021.
[Online]. Available: https://www.cobalt.io/blog/biggest-cybersecurity- [28] ChatGPT. Accessed: Jun. 22, 2023. [Online]. Available:
attacks-in-history https://chat.openai.com/
[6] D.-Y. Kao, S.-C. Hsiao, and R. Tso, ‘‘Analyzing WannaCry ransomware
[29] Dall·e Now Available Without Waitlist. Accessed: Jun. 22, 2023. [Online].
considering the weapons and exploits,’’ in Proc. 21st Int. Conf. Adv.
Available: https://openai.com/blog/dall-e-now-available-without-waitlist
Commun. Technol. (ICACT), Feb. 2019, pp. 1098–1107.
[30] B. Hitaj, P. Gasti, G. Ateniese, and F. Perez-Cruz, ‘‘PassGAN: A deep
[7] K. Bresniker, A. Gavrilovska, J. Holt, D. Milojicic, and T. Tran,
learning approach for password guessing,’’ 2017, arXiv:1709.00440.
‘‘Grand challenge: Applying artificial intelligence and machine learning
to cybersecurity,’’ Computer, vol. 52, no. 12, pp. 45–52, Dec. 2019, doi: [31] P. Dhoni and R. Kumar, ‘‘Synergizing generative AI and cybersecurity:
10.1109/MC.2019.2942584. Roles of generative AI entities, companies, agencies, and govern-
[8] M. Husák, J. Komárková, E. Bou-Harb, and P. Celeda, ‘‘Survey of attack ment in enhancing cybersecurity,’’ Authorea Preprints, Aug. 2023, doi:
projection, prediction, and forecasting in cyber security,’’ IEEE Commun. 10.36227/techrxiv.23968809.v1.
Surveys Tuts., vol. 21, no. 1, pp. 640–660, 1st Quart., 2019. [32] J. J. Plotnek and J. Slay, ‘‘Cyber terrorism: A homogenized
[9] N. Mohamed, ‘‘Current trends in AI and ML for cybersecurity: A state- taxonomy and definition,’’ Comput. Secur., vol. 102, Mar. 2021,
of-the-art survey,’’ Cogent Eng., vol. 10, no. 2, pp. 1–11, Dec. 2023, doi: Art. no. 102145.
10.1080/23311916.2023.2272358. [33] S. Kim, G. Heo, E. Zio, J. Shin, and J.-G. Song, ‘‘Cyber attack taxonomy
[10] L. Chan, I. Morgan, H. Simon, F. Alshabanat, D. Ober, J. Gentry, D. Min, for digital environment in nuclear power plants,’’ Nucl. Eng. Technol.,
and R. Cao, ‘‘Survey of AI in cybersecurity for information technology vol. 52, no. 5, pp. 995–1001, May 2020.
management,’’ in Proc. IEEE Technol. Eng. Manage. Conf. (TEMSCON), [34] M. Wu and Y. B. Moon, ‘‘Taxonomy of cross-domain attacks on cyber-
Jun. 2019, pp. 1–8. manufacturing system,’’ Proc. Comput. Sci., vol. 114, pp. 367–374,
[11] G. Disterer, ‘‘ISO/IEC 27000, 27001 and 27002 for information security Mar. 2017.
management,’’ J. Inf. Secur., vol. 4, no. 2, pp. 92–100, 2013. [35] R. Heartfield, G. Loukas, S. Budimir, A. Bezemskij, J. R. J. Fontaine,
[12] J. H. Li, ‘‘Cyber security meets artificial intelligence: A survey,’’ Fron- A. Filippoupolitis, and E. Roesch, ‘‘A taxonomy of cyber-physical threats
tiers Inf. Technol. Electron. Eng., vol. 19, no. 12, pp. 1462–1474, 2018, and impact in the smart home,’’ Comput. Secur., vol. 78, pp. 398–428,
doi: 10.1631/FITEE.1800573. Sep. 2018.
[13] I. H. Sarker, A. S. M. Kayes, S. Badsha, H. Alqahtani, P. Watters, [36] Z. Alkhalil, C. Hewage, L. Nawaf, and I. Khan, ‘‘Phishing attacks:
and A. Ng, ‘‘Cybersecurity data science: An overview from machine A recent comprehensive study and a new anatomy,’’ Frontiers Comput.
learning perspective,’’ J. Big Data., vol. 7, pp. 1–29, May 2020, doi: Sci., vol. 3, Mar. 2021, Art. no. 563060.
10.1186/s40537-020-00318-5. [37] N. Z. Gorment, A. Selamat, L. K. Cheng, and O. Krejcar, ‘‘Machine
[14] D. Aggarwal, D. Sharma, and A. B. Saxena, ‘‘Role of AI in cyber security learning algorithm for malware detection: Taxonomy, current challenges
through anomaly detection and predictive analysis,’’ J. Informat. Educ. and future directions,’’ IEEE Access, vol. 11, pp. 141045–141089, 2023,
Res., vol. 3, no. 2, pp. 1–12, 2023. doi: 10.1109/ACCESS.2023.3256979.

44700 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

[38] M. A. Ferrag, L. Maglaras, S. Moschoyiannis, and H. Janicke, ‘‘Deep [58] M. Alkasassbeh, G. Al-Naymat, A. Hassanat, and M. Almseidin, ‘‘Detect-
learning for cyber security intrusion detection: Approaches, datasets, ing distributed denial of service attacks using data mining techniques,’’
and comparative study,’’ J. Inf. Secur. Appl., vol. 50, Feb. 2020, Int. J. Adv. Comput. Sci. Appl., vol. 7, no. 1, pp. 436–445, 2016.
Art. no. 102419. [59] F. Beer, T. Hofer, D. Karimi, and U. Bühler, ‘‘A new attack composition
[39] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, for network security,’’ in Proc. DFN-Forum Kommunikationstechnolo-
‘‘A survey of network-based intrusion detection data sets,’’ Comput. gien. Gesellschaft für Informatik eV, 2017, pp. 11–20.
Secur., vol. 86, pp. 147–167, Sep. 2019. [60] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, ‘‘Toward generating
[40] (2020). 1998 DARPA Intrusion Detection Evaluation Dataset | MIT a new intrusion detection dataset and intrusion traffic characterization,’’
Lincoln Laboratory. [Online]. Available: https://www.ll.mit.edu/r- in Proc. 4th Int. Conf. Inf. Syst. Secur. Privacy, 2018, pp. 16–108, doi:
d/datasets/1998-darpa-intrusion-detection-evaluation-dataset 10.5220/0006639801080116.
[41] Univ. California, Irvine, CA, USA. (Oct. 28, 1999). KDD Cup [61] M. Ring, D. Landes, and A. Hotho, ‘‘Detection of slow port scans
1999 Data. [Online]. Available: http://kdd.ics.uci.edu/databases/kddcu in flow-based network traffic,’’ PLoS ONE, vol. 13, no. 9, Sep. 2018,
p99/kddcup99.htm Art. no. e0204507, doi: 10.1371/journal.pone.0204507.
[42] A. Sperotto, R. Sadre, F. Van Vliet, and A. Pras, ‘‘A labeled data [62] M. Ring, S. Wunderlich, D. Grüdl, D. Landes, and A. Hotho, ‘‘Creation
set for flow-based intrusion detection,’’ in Proc. Pro. Int. Workshop of flow-based data sets for intrusion detection,’’ J. Inf. Warfare, vol. 16,
IP Oper. Manag., Cham, Switzerland. Springer, 2009, pp. 39–50, doi: pp. 40–53, Apr. 2017.
10.1007/978-3-642-04968-2_4. [63] M. Turcotte, A. Kent, and C. Hash, ‘‘Unified host and network data set,’’
[43] B. Sangster, T. J. O’connor, T. Cook, R. Fanelli, E. Dean, C. Morrell, and 2017, arXiv:1708.07518.
G. J. Conti, ‘‘Toward instrumenting network warfare competitions to gen- [64] G. Maciá-Fernández, J. Camacho, R. Magán-Carrión, P. García-
erate labeled datasets,’’ in Proc. 2nd Conf. Cyber Secur. Experimentation Teodoro, and R. Therón, ‘‘UGR’16: A new dataset for the evaluation
Test, 2009, pp. 1–15. of cyclostationarity-based network IDSs,’’ Comput. Secur., vol. 73,
[44] F. Gringoli, L. Salgarelli, M. Dusi, N. Cascarano, F. Risso, and pp. 411–424, Mar. 2018, doi: 10.1016/j.cose.2017.11.004.
K. C. Claffy, ‘‘GT: Picking up the truth from the ground for internet traf- [65] R. Damasevicius, A. Venckauskas, S. Grigaliunas, J. Toldinas,
fic,’’ ACM SIGCOMM Comput. Commun. Rev., vol. 39, no. 5, pp. 12–18, N. Morkevicius, T. Aleliunas, and P. Smuikys, ‘‘LITNET-2020: An
Oct. 2009, doi: 10.1145/1629607.1629610. annotated real-world network flow dataset for network intrusion
[45] S. Saad, I. Traore, A. Ghorbani, B. Sayed, D. Zhao, W. Lu, J. Felix, and detection,’’ Electronics, vol. 9, no. 5, p. 800, May 2020, doi:
P. Hakimian, ‘‘Detecting P2P botnets through network behavior analysis 10.3390/electronics9050800.
and machine learning,’’ in Proc. 9th Annu. Int. Conf. Privacy, Secur. Trust,
[66] A. Ferriyan, A. H. Thamrin, K. Takeda, and J. Murai, ‘‘Generating
Jul. 2011, pp. 174–180, doi: 10.1109/PST.2011.5971980.
network intrusion detection dataset based on real and encrypted synthetic
[46] S. Bhattacharya and S. Selvakumar, ‘‘SSENet-2014 dataset: A dataset attack traffic,’’ Appl. Sci., vol. 11, no. 17, p. 7868, Aug. 2021, doi:
for detection of multiconnection attacks,’’ in Proc. 3rd Int. Conf. 10.3390/app11177868.
Eco-Friendly Comput. Commun. Syst., Dec. 2014, pp. 121–126, doi:
[67] E. Değirmenci, Y. S. Kırca, İ. Özçelik, and A. Yazıcı, ‘‘ROSIDS23: Net-
10.1109/eco-friendly.2014.100.
work intrusion detection dataset for robot operating system,’’ Data Brief,
[47] H. H. Jazi, H. Gonzalez, N. Stakhanova, and A. A. Ghorbani, ‘‘Detecting
vol. 51, Dec. 2023, Art. no. 109739, doi: 10.1016/j.dib.2023.109739.
HTTP-based application layer DoS attacks on web servers in the pres-
[68] M.-E. Mihailescu, D. Mihai, M. Carabas, M. Komisarek, M. Pawlicki,
ence of sampling,’’ Comput. Netw., vol. 121, pp. 25–36, Jul. 2017, doi:
W. Hołubowicz, and R. Kozik, ‘‘The proposition and evaluation of the
10.1016/j.comnet.2017.03.018.
RoEduNet-SIMARGL2021 network intrusion detection dataset,’’ Sen-
[48] A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, ‘‘Toward devel-
sors, vol. 21, no. 13, p. 4319, Jun. 2021, doi: 10.3390/s21134319.
oping a systematic approach to generate benchmark datasets for intrusion
detection,’’ Comput. Secur., vol. 31, no. 3, pp. 357–374, May 2012, doi: [69] M. Almseidin, J. Al-Sawwa, and M. Alkasassbeh, Jun. 18, 2022, ‘‘Multi-
10.1016/j.cose.2011.12.012. step cyber-attack dataset (MSCAD for intrusion detection),’’ IEEE
Dataport, doi: 10.21227/phr0-e264.
[49] M. Bhuyan, D. K. Bhattacharyya, and J. Kalita, ‘‘Towards generating real-
life datasets for network intrusion detection,’’ Int. J. Netw. Secur., vol. 17, [70] A. F. Yazi, F. Ö. Çatak, and E. Gül, ‘‘Classification of methamorphic
pp. 683–701, Jan. 2015. malware with deep learning(LSTM),’’ in Proc. 27th Signal Process.
Commun. Appl. Conf. (SIU), Apr. 2019, pp. 1–14.
[50] J. J. Santanna, R. van Rijswijk-Deij, R. Hofstede, A. Sperotto,
M. Wierbosch, L. Z. Granville, and A. Pras, ‘‘Booters—An [71] D. S. Keyes, B. Li, G. Kaur, A. H. Lashkari, F. Gagnon, and
analysis of DDoS-as-a-service attacks,’’ in Proc. IFIP/IEEE Int. F. Massicotte, ‘‘EntropLyzer: Android malware classification and char-
Symp. Integr. Netw. Manage. (IM), May 2015, pp. 243–251, doi: acterization using entropy analysis of dynamic characteristics,’’ in Proc.
10.1109/INM.2015.7140298. Reconciling Data Analytics, Autom., Privacy, Security: A Big Data Chal-
[51] S. García, M. Grill, J. Stiborek, and A. Zunino, ‘‘An empirical comparison lenge (RDAAPS), Hamilton, ON, Canada, May 2021, pp. 1–12, doi:
of botnet detection methods,’’ Comput. Secur., vol. 45, pp. 100–123, 10.1109/RDAAPS48126.2021.9452002.
Sep. 2014, doi: 10.1016/j.cose.2014.05.011. [72] A. H. Lashkari, A. F. A. Kadir, L. Taheri, and A. A. Ghorbani, ‘‘Toward
[52] R. Hofstede, L. Hendriks, A. Sperotto, and A. Pras, ‘‘SSH compromise developing a systematic approach to generate benchmark Android mal-
detection using NetFlow/IPFIX,’’ ACM SIGCOMM Comput. Commun. ware datasets and classification,’’ in Proc. Int. Carnahan Conf. Secur.
Rev., vol. 44, no. 5, pp. 20–26, Oct. 2014, doi: 10.1145/2677046.2677050. Technol. (ICCST), Montreal, QC, Canada, Oct. 2018, pp. 1–7.
[53] E. B. Beigi, H. H. Jazi, N. Stakhanova, and A. A. Ghorbani, ‘‘Towards [73] A. H. Lashkari, A. F. A. Kadir, H. Gonzalez, K. F. Mbah, and
effective feature selection in machine learning-based botnet detection A. A. Ghorbani, ‘‘Towards a network-based framework for Android mal-
approaches,’’ in Proc. IEEE Conf. Commun. Netw. Secur., Oct. 2014, ware detection and characterization,’’ in Proc. 15th Annu. Conf. Privacy,
pp. 247–255, doi: 10.1109/CNS.2014.6997492. Secur. Trust (PST), Calgary, AB, Canada, Aug. 2017, pp. 1–10.
[54] C. Wheelus, T. M. Khoshgoftaar, R. Zuech, and M. M. Najafabadi, [74] R. Harang and E. M. Rudd, ‘‘SOREL-20M: A large scale benchmark
‘‘A session based approach for aggregating network traffic data—The dataset for malicious PE detection,’’ 2020, arXiv:2012.07634.
SANTA dataset,’’ in Proc. IEEE Int. Conf. Bioinf. Bioeng., Nov. 2014, [75] (2021). Alibaba Cloud Malware Detection Based on Behaviors.
pp. 369–378, doi: 10.1109/BIBE.2014.72. Accessed: Jun. 20, 2021. [Online]. Available: https://tianchi.aliyun.
[55] C. Kolias, G. Kambourakis, A. Stavrou, and S. Gritzalis, ‘‘Intrusion com/competition/entrance/231694/information
detection in 802.11 networks: Empirical evaluation of threats and a public [76] Y. Yang, L. Wu, G. Yin, L. Li, and H. Zhao, ‘‘A survey on security and
dataset,’’ IEEE Commun. Surveys Tuts., vol. 18, no. 1, pp. 184–208, privacy issues in Internet-of-Things,’’ IEEE Internet Things J., vol. 4,
1st Quart., 2016, doi: 10.1109/COMST.2015.2402161. no. 5, pp. 1250–1258, Oct. 2017.
[56] R. Zuech, T. M. Khoshgoftaar, N. Seliya, M. M. Najafabadi, and C. Kemp, [77] F. D. Keersmaeker, Y. Cao, G. K. Ndonda, and R. Sadre, ‘‘A survey
‘‘A new intrusion detection benchmarking system,’’ in Proc. Int. Florida of public IoT datasets for network security research,’’ IEEE Commun.
Artif. Intell. Res. Soc. Conf. (FLAIRS), 2015, pp. 252–256. Surveys Tuts., vol. 25, no. 3, pp. 1808–1840, 3rd Quart., 2023, doi:
[57] N. Moustafa and J. Slay, ‘‘UNSW-NB15: A comprehensive data set for 10.1109/COMST.2023.3288942.
network intrusion detection systems,’’ in Proc. Mil. Commun. Inf. Syst. [78] IOT-23 Dataset. Accessed: Jun. 20, 2021. [Online]. Available:
Conf. (MilCIS), Nov. 2015, pp. 1–6. https://www.stratosphereips.org/datasets-iot23

VOLUME 13, 2025 44701

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

[79] A. Alsaedi, N. Moustafa, Z. Tari, A. Mahmood, and A. Anwar, [98] J. Camacho, G. Maciá-Fernández, N. M. Fuentes-García, and E. Saccenti,
‘‘TON_IoT telemetry dataset: A new generation dataset of IoT and ‘‘Semi-supervised multivariate statistical network monitoring for learning
IIoT for data-driven intrusion detection systems,’’ IEEE Access, vol. 8, security threats,’’ IEEE Trans. Inf. Forensics Security, vol. 14, no. 8,
pp. 165130–165150, 2020. pp. 2179–2189, Aug. 2019.
[80] H. Hindy, E. Bayne, M. Bures, R. Atkinson, C. Tachtatzis, and [99] H. Singh, ‘‘Performance analysis of unsupervised machine learning tech-
X. Bellekens, ‘‘Machine learning based IoT intrusion detection system: niques for network traffic classification,’’ in Proc. 5th Int. Conf. Adv.
An MQTT case study (MQTT-IoT-IDS2020 dataset),’’ in Proc. 12th Int. Comput. Commun. Technol., Feb. 2015, pp. 401–404.
Netw. Conf. (INC), vol. 180. Cham, Switzerland: Springer, Jan. 2021, [100] T. T. Nguyen and V. J. Reddi, ‘‘Deep reinforcement learning for cyber
pp. 73–84, doi: 10.1007/978-3-030-64758-2_6. security,’’ IEEE Trans. Neural Netw. Learn. Syst., vol. 34, no. 8, pp. 1–17,
[81] M. A. Ferrag, O. Friha, D. Hamouda, L. Maglaras, and H. Janicke, ‘‘Edge- Nov. 2021.
IIoTset: A new comprehensive realistic cyber security dataset of IoT and [101] I. H. Sarker, ‘‘Machine learning: Algorithms, real-world applications and
IIoT applications for centralized and federated learning,’’ IEEE Access, research directions,’’ Social Netw. Comput. Sci., vol. 2, no. 3, p. 160,
vol. 10, pp. 40281–40306, 2022. May 2021, doi: 10.1007/s42979-021-00592-x.
[82] Y. Meidan, M. Bohadana, Y. Mathov, Y. Mirsky, A. Shabtai, [102] I. H. Sarker, M. H. Furhad, and R. Nowrozy, ‘‘AI-driven cybersecurity: An
D. Breitenbacher, and Y. Elovici, ‘‘N-BaIoT—Network-based detection overview, security intelligence modeling and research directions,’’ Social
of IoT botnet attacks using deep autoencoders,’’ IEEE Pervasive Comput., Netw. Comput. Sci., vol. 2, no. 3, p. 173, May 2021, doi: 10.1007/s42979-
vol. 17, no. 3, pp. 12–22, Jul. 2018. 021-00557-0.
[83] M. Zolanvari, M. A. Teixeira, L. Gupta, K. M. Khan, and R. Jain, [103] R. Agrawal, J. Gehrke, D. Gunopulos, and P. Raghavan, ‘‘Fast algorithms
‘‘Machine learning-based network vulnerability analysis of industrial for mining association rules,’’ in Proc. Int. Joint Conf. Very Large Data
Internet of Things,’’ IEEE Internet Things J., vol. 6, no. 4, pp. 6822–6834, Bases, vol. 1215, Santiago, Chile, 1994, pp. 487–499.
Aug. 2019. [104] J. Han, J. Pei, and Y. Yin, ‘‘Mining frequent patterns without candidate
[84] M. Al-Hawawreh, E. Sitnikova, and N. Aboutorab, ‘‘X-IIoTID: generation,’’ ACM SIGMOD Rec., vol. 29, no. 2, pp. 1–12, Jun. 2000.
A connectivity-agnostic and device-agnostic intrusion data set for indus- [105] H. Liu and H. Motoda, Feature Extraction, Construction and Selection: A
trial Internet of Things,’’ IEEE Internet Things J., vol. 9, no. 5, Data Mining Perspective, vol. 453. Cham, Switzerland: Springer, 1998.
pp. 3962–3977, Mar. 2022.
[106] M. L. Puterman, Markov Decision Processes: Discrete Stochastic
[85] N. Koroniotis, N. Moustafa, E. Sitnikova, and B. Turnbull, ‘‘Towards the Dynamic Programming. Hoboken, NJ, USA: Wiley, 2014.
development of realistic botnet dataset in the Internet of Things for net-
[107] L. P. Kaelbling, M. L. Littman, and A. W. Moore, ‘‘Reinforce-
work forensic analytics: Bot-IoT dataset,’’ Future Gener. Comput. Syst.,
ment learning: A survey,’’ J. Artif. Intell. Res., vol. 4, pp. 237–285,
vol. 100, pp. 779–796, Nov. 2019, doi: 10.1016/j.future.2019.05.041.
May 1996.
[86] G. Draper-Gil, A. H. Lashkari, M. S. I. Mamun, and A. A. Ghorbani,
[108] N. Amjad, H. Afzal, M. F. Amjad, and F. A. Khan, ‘‘A multi-classifier
‘‘Characterization of encrypted and VPN traffic using time-related
framework for open source malware forensics,’’ in Proc. IEEE 27th Int.
features,’’ in Proc. 2nd Int. Conf. Inf. Syst. Secur. Privacy, 2016,
Conf. Enabling Technol., Infrastruct. Collaborative Enterprises (WET-
pp. 407–414.
ICE), Jun. 2018, pp. 106–111.
[87] A. H. Lashkari, G. Kaur, and A. Rahali, ‘‘DIDarkNet: A contemporary
[109] S. Srinivasan and P. Deepalakshmi, ‘‘ENetRM: ElasticNet regression
approach to detect and characterize the darknet traffic using deep image
model based malicious cyber-attacks prediction in real-time server,’’
learning,’’ in Proc. 10th Int. Conf. Commun. Netw. Secur., Nov. 2020,
Meas., Sensors, vol. 25, Feb. 2023, Art. no. 100654.
pp. 1–13.
[110] S. Chesney, K. Roy, and S. Khorsandroo, ‘‘Machine learning algorithms
[88] E. Stewart, A. Liao, and C. Roberts, ‘‘Open µpmu: A real world reference
for preventing IoT cybersecurity attacks,’’ in Proc. SAI Intell. Syst. Conf.,
distribution micro-phasor measurement unit data set for research and
vol. 3. Cham, Switzerland: Springer, 2021, pp. 679–686.
application development,’’ Lawrence Berkeley Nat. Lab., Berkeley, CA,
USA, Tech. Rep. LBNL-1006408, Oct. 2016. [111] S. S. Althagafi, H. F. Aljudiaibi, B. A. Alharbi, and R. Wazirali,
‘‘Uses of artificial intelligence in cyber security to mitigate DDOS,’’
[89] P. Hines, S. Blumsack, E. C. Sanchez, and C. Barrows, ‘‘The topological
in Proc. Future Technol. Conf. Cham, Switzerland: Springer, Jan. 2023,
and electrical structure of power grids,’’ in Proc. 43rd Hawaii Int. Conf.
pp. 550–565.
Syst. Sci., 2010, pp. 1–10.
[90] U. Adhikari, S. Pan, T. Morris, R. Borges, and J. Beave. Industrial [112] Y. Ahmed, A. T. Asyhari, and M. A. Rahman, ‘‘A cyber kill chain
Control System (ICS) Cyber Attack Datasets. Accessed: Nov. 25, 2024. approach for detecting advanced persistent threats,’’ Comput., Mater.
[Online]. Available: https://sites.google.com/a/uah.edu/tommy-morris- Continua, vol. 67, no. 2, pp. 2497–2513, 2021.
uah/ics-data-sets [113] Y. Balakrishnan and P. N. Renjith, ‘‘An analysis on keylogger attack
[91] Umass Dataset. Accessed: Nov. 25, 2024. [Online]. Available: and detection based on machine learning,’’ in Proc. Int. Conf. Artif.
http://traces.cs.umass.edu Intell. Knowl. Discovery Concurrent Eng. (ICECONF), Jan. 2023,
[92] A. H. Lashkari, G. D. Gil, M. S. I. Mamun, and A. A. Ghorbani, ‘‘Charac- pp. 1–8.
terization of tor traffic using time based features,’’ in Proc. 3rd Int. Conf. [114] S. H. Haji and S. Y. Ameen, ‘‘Attack and anomaly detection in IoT
Inf. Syst. Secur. Privacy, vol. 2, 2017, pp. 253–262. networks using machine learning techniques: A review,’’ Asian J. Res.
[93] R. Fontugne, P. Borgnat, P. Abry, and K. Fukuda, ‘‘MAWILab: Com- Comput. Sci., vol. 9, no. 2, pp. 30–46, Jun. 2021.
bining diverse anomaly detectors for automated anomaly labeling and [115] P. K. Binu and M. Kiran, ‘‘Attack and anomaly prediction in IoT networks
performance benchmarking,’’ in Proc. 6th Int. Conf., Nov. 2010, pp. 1–12. using machine learning approaches,’’ in Proc. 4th Int. Conf. Electr.,
[94] M. Ozkan-Okay, E. Akin, Ö. Aslan, S. Kosunalp, T. Iliev, I. Stoyanov, Comput. Commun. Technol. (ICECCT), Sep. 2021, pp. 1–6.
and I. Beloev, ‘‘A comprehensive survey: Evaluating the efficiency of [116] A. Agarwal, ‘‘Load forecast anomaly detection under cyber attacks using
artificial intelligence and machine learning techniques on cyber secu- a novel approach,’’ in Proc. IEEE 4th Int. Conf. Cybern., Cognition Mach.
rity solutions,’’ IEEE Access, vol. 12, pp. 12229–12256, 2024, doi: Learn. Appl. (ICCCMLA), Oct. 2022, pp. 1–6.
10.1109/ACCESS.2024.3355547. [117] S. Y. Diaba, M. Shafie-Khah, and M. Elmusrati, ‘‘Cyber security in
[95] K. Shaukat, S. Luo, V. Varadharajan, I. A. Hameed, and M. Xu, power systems using meta-heuristic and deep learning algorithms,’’ IEEE
‘‘A survey on machine learning techniques for cyber security in the Access, vol. 11, pp. 18660–18672, 2023.
last decade,’’ IEEE Access, vol. 8, pp. 222310–222354, 2020, doi: [118] H. Ünözkan, M. Ertem, and S. Bendak, ‘‘Using attack graphs to defend
10.1109/ACCESS.2020.3041951. healthcare systems from cyberattacks: A longitudinal empirical study,’’
[96] M. F. Franco, E. Sula, A. Huertas, E. J. Scheid, L. Z. Granville, and Netw. Model. Anal. Health Informat. Bioinf., vol. 11, no. 1, pp. 1–12,
B. Stiller, ‘‘SecRiskAI: A machine learning-based approach for cyber- Dec. 2022.
security risk prediction in businesses,’’ in Proc. IEEE 24th Conf. Bus. [119] V. Tomer and S. Sharma, ‘‘Detecting IoT attacks using an ensem-
Informat. (CBI), Amsterdam, The Netherlands, Jun. 2022, pp. 1–10, doi: ble machine learning model,’’ Future Internet, vol. 14, no. 4, p. 102,
10.1109/CBI54897.2022.00008. Mar. 2022.
[97] M. C. Belavagi and B. Muniyal, ‘‘Performance evaluation of supervised [120] J. Alsamiri and K. Alsubhi, ‘‘Internet of Things cyber attacks detection
machine learning algorithms for intrusion detection,’’ Proc. Comput. Sci., using machine learning,’’ Int. J. Adv. Comput. Sci. Appl., vol. 10, no. 12,
vol. 89, pp. 117–123, Jan. 2016. pp. 1–11, 2019.

44702 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

[121] C. Dutta, M. Maheswari, K. G. Saravanan, N. Dhaliwal, A. Pandey, and [142] R. Iyer, Y. Li, H. Li, M. Lewis, R. Sundar, and K. Sycara, ‘‘Transparency
S. Sophia, ‘‘Prediction and analysis of various cyber attack models in and explanation in deep reinforcement learning neural networks,’’ 2018,
cyber physical system in virtual environment,’’ in Proc. 2nd Int. Conf. arXiv:1809.06061.
Augmented Intell. Sustain. Syst. (ICAISS), Aug. 2023, pp. 1260–1264. [143] V. Arya, R. K. E. Bellamy, P.-Y. Chen, A. Dhurandhar, M. Hind,
[122] A. Swaminathan, B. Ramakrishnan, M. Kanishka, and R. Surendran, S. C. Hoffman, S. Houde, Q. Vera Liao, R. Luss, A. Mojsilović,
‘‘Prediction of cyber-attacks and criminality using machine learning algo- S. Mourad, P. Pedemonte, R. Raghavendra, J. Richards, P. Sattigeri,
rithms,’’ in Proc. Int. Conf. Innov. Intell. Informat., Comput., Technol. K. Shanmugam, M. Singh, K. R. Varshney, D. Wei, and Y. Zhang, ‘‘One
(3ICT), Nov. 2022, pp. 547–552. explanation does not fit all: A toolkit and taxonomy of AI explainability
[123] M. Macas, C. Wu, and W. Fuertes, ‘‘A survey on deep learning for techniques,’’ 2019, arXiv:1909.03012.
cybersecurity: Progress, challenges, and opportunities,’’ Comput. Netw., [144] S. Bose, T. Barao, and X. Liu, ‘‘Explaining AI for malware detection:
vol. 212, Jul. 2022, Art. no. 109032. Analysis of mechanisms of MalConv,’’ in Proc. Int. Joint Conf. Neural
[124] G. Apruzzese, M. Colajanni, L. Ferretti, A. Guido, and M. Marchetti, Netw. (IJCNN), Jul. 2020, pp. 1–8.
‘‘On the effectiveness of machine and deep learning for cyber security,’’ [145] E. Raff, J. Barker, J. Sylvester, R. Brandon, B. Catanzaro, and
in Proc. 10th Int. Conf. Cyber Conflict (CyCon), May 2018, pp. 371–390. C. K. Nicholas. (Jun. 2018). Malware Detection by Eating a Whole
[125] G. Huang, Z. Liu, L. Van Der Maaten, and K. Q. Weinberger, EXE. Accessed: Jul. 18, 2022. [Online]. Available: https://www.aaai.
‘‘Densely connected convolutional networks,’’ in Proc. IEEE Conf. org/ocs/index.php/WS/AAAIW18/paper/view/16422
Comput. Vis. Pattern Recognit. (CVPR), Jul. 2017, pp. 4700–4708, doi: [146] H. S. Anderson and P. Roth, ‘‘EMBER: An open dataset for training static
10.1109/CVPR.2017.243. PE malware machine learning models,’’ 2018, arXiv:1804.04637.
[126] R. Pascanu, C. Gulcehre, K. Cho, and Y. Bengio, ‘‘How to construct deep [147] B. Wu, S. Chen, C. Gao, L. Fan, Y. Liu, W. Wen, and M. R. Lyu, ‘‘Why
recurrent neural networks,’’ 2013, arXiv:1312.6026. an Android app is classified as malware: Toward malware classifica-
[127] D. P. Kingma and M. Welling, ‘‘Auto-encoding variational Bayes,’’ 2013, tion interpretation,’’ ACM Trans. Softw. Eng. Methodol., vol. 30, no. 2,
arXiv:1312.6114. pp. 1–29, Apr. 2021.
[128] G. E. Hinton, S. Osindero, and Y.-W. Teh, ‘‘A fast learning algorithm [148] W. Han, J. Xue, Y. Wang, L. Huang, Z. Kong, and L. Mao, ‘‘MalDAE:
for deep belief nets,’’ Neural Comput., vol. 18, no. 7, pp. 1527–1554, Detecting and explaining malware based on correlation and fusion of
Jul. 2006, doi: 10.1162/neco.2006.18.7.1527. static and dynamic characteristics,’’ Comput. Secur., vol. 83, pp. 208–233,
Jun. 2019.
[129] G.-J. Qi, ‘‘Loss-sensitive generative adversarial networks on Lipschitz
densities,’’ Int. J. Comput. Vis., vol. 128, no. 5, pp. 1118–1140, May 2020, [149] H. Suryotrisongko, Y. Musashi, A. Tsuneda, and K. Sugitani, ‘‘Robust
doi: 10.1007/s11263-019-01265-2. botnet DGA detection: Blending XAI and OSINT for cyber threat intel-
ligence sharing,’’ IEEE Access, vol. 10, pp. 34613–34624, 2022.
[130] V. Mnih, A. P. Badia, M. Mirza, A. Graves, T. Lillicrap, T. Harley,
[150] X. Zhu, Y. Zhang, Z. Zhang, D. Guo, Q. Li, and Z. Li, ‘‘Interpretability
D. Silver, and K. Kavukcuoglu, ‘‘Asynchronous methods for deep
evaluation of botnet detection model based on graph neural network,’’ in
reinforcement learning,’’ in Proc. Int. Conf. Mach. Learn., 2016,
Proc. IEEE Conf. Comput. Commun. Workshops (INFOCOM WKSHPS),
pp. 1928–1937.
May 2022, pp. 1–6.
[131] M. Kravchik and A. Shabtai, ‘‘Detecting cyber attacks in industrial
[151] M. Kouvela, I. Dimitriadis, and A. Vakali, ‘‘Bot-detective: An explainable
control systems using convolutional neural networks,’’ in Proc. Workshop
Twitter bot detection service with crowdsourcing functionalities,’’ in
Cyber-Phys. Syst. Secur. Privacy, Jan. 2018, pp. 72–83.
Proc. 12th Int. Conf. Manage. Digit. EcoSystems, Nov. 2020, pp. 55–63.
[132] B. Hussain, Q. Du, B. Sun, and Z. Han, ‘‘Deep learning-based DDoS-
[152] C. Khanan, W. Luewichana, K. Pruktharathikoon, J. Jiarpakdee,
attack detection for cyber–physical system over 5G network,’’ IEEE
C. Tantithamthavorn, M. Choetkiertikul, C. Ragkhitwetsagul, and
Trans. Ind. Informat., vol. 17, no. 2, pp. 860–870, Feb. 2021.
T. Sunetnanta, ‘‘JITBot: An explainable just-in-time defect prediction
[133] B. F. Balogun, K. Tripathi, S. Tiwari, J. S. S. Mohan, and A. K. Tyagi, bot,’’ in Proc. 35th IEEE/ACM Int. Conf. Automated Softw. Eng. (ASE),
‘‘A blockchain-based deep learning approach for cyber security in next- Sep. 2020, pp. 1336–1339.
generation medical cyber-physical systems,’’ J. Auto. Intell., vol. 7, no. 5, [153] I. Dimitriadis, K. Georgiou, and A. Vakali, ‘‘Social Botomics: A sys-
p. 1478, Mar. 2024, doi: 10.32629/jai.v7i5.1478. tematic ensemble ML approach for explainable and multi-class bot
[134] Y. Luo, Y. Xiao, L. Cheng, G. Peng, and D. Yao, ‘‘Deep learning-based detection,’’ Appl. Sci., vol. 11, no. 21, p. 9857, Oct. 2021.
anomaly detection in cyber-physical systems: Progress and opportuni- [154] A. Guerra-Manzanares, S. Nõmm, and H. Bahsi, ‘‘Towards the integration
ties,’’ ACM Comput. Surv., vol. 54, no. 5, pp. 1–36, Jun. 2022. of a post-hoc interpretation step into the machine learning workflow for
[135] S. Dalal, P. Manoharan, U. K. Lilhore, B. Seth, D. M. Alsekait, IoT botnet detection,’’ in Proc. 18th IEEE Int. Conf. Mach. Learn. Appl.
S. Simaiya, M. Hamdi, and K. Raahemifar, ‘‘Extremely boosted neu- (ICMLA), Dec. 2019, pp. 1162–1169.
ral network for more accurate multi-stage cyber attack prediction in [155] P. P. Kundu, T. Truong-Huu, L. Chen, L. Zhou, and S. G. Teo, ‘‘Detec-
cloud computing environment,’’ J. Cloud Comput., vol. 12, no. 1, p. 14, tion and classification of botnet traffic using deep learning with model
Jan. 2023, doi: 10.1186/s13677-022-00356-9. explanation,’’ IEEE Trans. Dependable Secure Comput., early access,
[136] S. Mahdavifar and A. A. Ghorbani, ‘‘Dennes: Deep embedded neural Jun. 15, 2022, doi: 10.1109/TDSC.2022.3183361.
network expert system for detecting cyber-attacks,’’ Neural Comput. [156] M. M. Alani, ‘‘BotStop: Packet-based efficient and explainable IoT
Appl., vol. 32, no. 18, pp. 14753–14780, 2020. botnet detection using machine learning,’’ Comput. Commun., vol. 193,
[137] S. Bach, A. Binder, G. Montavon, F. Klauschen, K.-R. Müller, and pp. 53–62, Sep. 2022.
W. Samek, ‘‘On pixel-wise explanations for non-linear classifier deci- [157] H. Bahsi, S. Nõmm, and F. B. La Torre, ‘‘Dimensionality reduction for
sions by layer-wise relevance propagation,’’ PLoS ONE, vol. 10, no. 7, machine learning based IoT botnet detection,’’ in Proc. 15th Int. Conf.
Jul. 2015, Art. no. e0130140. Control, Autom., Robot. Vis. (ICARCV), Nov. 2018, pp. 1857–1862, doi:
[138] A. B. Parsa, A. Movahedi, H. Taghipour, S. Derrible, and 10.1109/ICARCV.2018.8581205.
A. K. Mohammadian, ‘‘Toward safer highways, application of XGBoost [158] M. Mazza, S. Cresci, M. Avvenuti, W. Quattrociocchi, and M. Tesconi,
and SHAP for real-time accident detection and feature analysis,’’ ‘‘RTbust: Exploiting temporal patterns for botnet detection on Twitter,’’
Accident Anal. Prevention, vol. 136, Mar. 2020, Art. no. 105405, doi: in Proc. 10th ACM Conf. Web Sci., New York, NY, USA, Jun. 2019,
10.1016/j.aap.2019.105405. pp. 183–192, doi: 10.1145/3292522.3326015.
[139] P. J. Phillips, C. A. Hahn, P. C. Fontana, D. A. Broniatowski, and [159] R. Vinayakumar, M. Alazab, K. P. Soman, P. Poornachandran,
M. A. Przybocki, ‘‘Four principles of explainable artificial intelligence,’’ A. Al-Nemrat, and S. Venkatraman, ‘‘Deep learning approach
NIST Interagency, Gaithersburg, MD, USA, Internal NISTIR-8312, for intelligent intrusion detection system,’’ IEEE Access, vol. 7,
Aug. 2020, doi: 10.6028/NIST.IR.8312. pp. 41525–41550, 2019, doi: 10.1109/ACCESS.2019.2895334.
[140] R. R. Selvaraju, M. Cogswell, A. Das, R. Vedantam, D. Parikh, and [160] M. Melis, D. Maiorca, B. Biggio, G. Giacinto, and F. Roli, ‘‘Explaining
D. Batra, ‘‘Grad-CAM: Visual explanations from deep networks via black-box Android malware detection,’’ in Proc. 26th Eur. Signal Process.
gradient-based localization,’’ Int. J. Comput. Vis., vol. 128, no. 2, Conf. (EUSIPCO), Sep. 2018, pp. 524–528.
pp. 336–359, Feb. 2020, doi: 10.1007/s11263-019-01228-7. [161] J. Feichtner and S. Gruber, ‘‘Understanding privacy awareness in Android
[141] S. M. Lundberg and S.-I. Lee, ‘‘A unified approach to interpreting predic- app descriptions using deep learning,’’ in Proc. 10th ACM Conf. Data
tions,’’ in Proc. Adv. Neural Inf. Process. Syst., vol. 30, 2017, pp. 1–10. Appl. Secur. Privacy, Mar. 2020, pp. 203–214.

VOLUME 13, 2025 44703

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

[162] W. Guo, D. Mu, J. Xu, P. Su, G. Wang, and X. Xing, ‘‘LEMNA: Explain- [181] B. Hitaj, P. Gasti, G. Ateniese, and F. Perez-Cruz, ‘‘PassGAN:
ing deep learning based security applications,’’ in Proc. ACM SIGSAC A deep learning approach for password guessing,’’ in Proc. 17th
Conf. Comput. Commun. Secur., Oct. 2018, pp. 364–379. Int. Conf. Appl. Cryptogr. Netw. Secur., Bogota, Colombia. Berlin,
[163] A. Yan, Z. Chen, H. Zhang, L. Peng, Q. Yan, M. U. Hassan, Germany: Springer-Verlag, Jun. 2019, pp. 217–237, doi: 10.1007/978-3-
C. Zhao, and B. Yang, ‘‘Effective detection of mobile malware 030-21568-2_11.
behavior based on explainable deep neural network,’’ Neurocom- [182] R. Thoppilan et al., ‘‘LaMDA: Language models for dialog applications,’’
puting, vol. 453, pp. 482–492, Sep. 2021, doi: 10.1016/j.neucom. 2022, arXiv:2201.08239.
2020.09.082. [183] AI-Powered Talent & Sales Intelligence Platform | Draup. Accessed:
[164] G. Iadarola, F. Martinelli, F. Mercaldo, and A. Santone, ‘‘Towards an Dec. 22, 2024. [Online]. Available: https://draup.com/draup-home/
interpretable deep learning model for mobile malware detection and fam- [184] H. Trehan and F. Di Troia, ‘‘Fake malware generation using HMM and
ily identification,’’ Comput. Secur., vol. 105, Jun. 2021, Art. no. 102198, GAN,’’ in Proc. Silicon Valley Cybersecu. Conf., S.-Y. Chang, L. Bathen,
doi: 10.1016/j.cose.2021.102198. F. Di Troia, T. H. Austin, and A. J. Nelson, Eds., Cham, Switzerland:
[165] M. Kinkead, S. Millar, N. McLaughlin, and P. O’Kane, ‘‘Towards explain- Springer, 2022, pp. 3–21.
able CNNs for Android malware detection,’’ Proc. Comput. Sci., vol. 184, [185] S. G. Selvaganapathy and S. Sadasivam, ‘‘Healthcare security:
pp. 959–965, Jan. 2021, doi: 10.1016/j.procs.2021.03.118. Usage of generative models for malware adversarial attacks and
[166] M. M. Alani and A. I. Awad, ‘‘PAIRED: An explainable lightweight defense,’’ in Communication and Intelligent Systems, H. Sharma,
Android malware detection system,’’ IEEE Access, vol. 10, M. K. Gupta, G. S. Tomar, and W. Lipo, Eds., Singapore: Springer, 2021,
pp. 73214–73228, 2022, doi: 10.1109/ACCESS.2022.3189645. pp. 885–897.
[167] P. Barnard, N. Marchetti, and L. A. DaSilva, ‘‘Robust network [186] S. Sai, U. Yashvardhan, V. Chamola, and B. Sikdar, ‘‘Genera-
intrusion detection through explainable artificial intelligence (XAI),’’ tive AI for cyber security: Analyzing the potential of ChatGPT,
IEEE Netw. Lett., vol. 4, no. 3, pp. 167–171, Sep. 2022, doi: DALL-E, and other models for enhancing the security space,’’ IEEE
10.1109/LNET.2022.3186589. Access, vol. 12, pp. 53497–53516, 2024, doi: 10.1109/ACCESS.2024.
3385107.
[168] M. Al-Hawawreh and N. Moustafa, ‘‘Explainable deep learning for
attack intelligence and combating cyber–physical attacks,’’ Ad Hoc [187] M. Bhatt et al., ‘‘Purple llama CyberSecEval: A secure coding benchmark
Netw., vol. 153, Feb. 2024, Art. no. 103329, doi: 10.1016/j.adhoc.2023. for language models,’’ 2023, arXiv:2312.04724.
103329. [188] Introducing Llama: A Foundational, 65-Billion-Parameter
[169] O. Arreche, T. R. Guntur, J. W. Roberts, and M. Abdallah, ‘‘E-XAI: Language Model. Accessed: Dec. 22, 2024. [Online]. Available:
Evaluating black-box explainable AI frameworks for network intru- https://ai.facebook.com/blog/large-language-model-llamameta-ai/
sion detection,’’ IEEE Access, vol. 12, pp. 23954–23988, 2024, doi: [189] Overview—Advanced Hunting | Microsoft Learn. Accessed:
10.1109/ACCESS.2024.3365140. Dec. 22, 2024. [Online]. Available: https://learn.microsoft.com/
en-us/microsoft-365/security/defender/advancedhunting-overview?view
[170] O. Arreche, T. Guntur, and M. Abdallah, ‘‘XAI-IDS: Toward proposing an
=o365-worldwide
explainable artificial intelligence framework for enhancing network intru-
sion detection systems,’’ Appl. Sci., vol. 14, no. 10, p. 4170, May 2024, [190] Vulnerability Scanning Tools | Veracode. Accessed: Dec. 22, 2024.
doi: 10.3390/app14104170. [Online]. Available: https://www.veracode.com/security/vulnerability-
scanning-tools
[171] C. I. Nwakanma, L. A. C. Ahakonye, T. Jun, J. M. Lee, and D.-S. Kim,
[191] Yara—The Pattern Matching Swiss Knife for Malware Researchers.
‘‘Explainable SCADA-edge network intrusion detection system: Tree-
Accessed: Dec. 22, 2024. [Online]. Available: https: //virustotal.gith
LIME approach,’’ in Proc. IEEE Int. Conf. Commun., Control, Comput.
ub.io/yara/
Technol. Smart Grids (SmartGridComm), Glasgow, U.K., Oct. 2023,
pp. 1–7, doi: 10.1109/smartgridcomm57358.2023.10333968. [192] Azure OpenAI Service—Advanced Language Models | Microsoft Azure.
Accessed: Dec. 22, 2024. [Online]. Available: https://azure.micro
[172] X. Larriva-Novo, C. Sánchez-Zas, V. A. Villagrá, A. Marín-Lopez, and
soft.com/en-in/products/cognitive-services/openaiservice
J. Berrocal, ‘‘Leveraging explainable artificial intelligence in real-time
[193] O. D. Okey, E. U. Udo, R. L. Rosa, D. Z. Rodríguez, and
cyberattack identification: Intrusion detection system approach,’’ Appl.
J. H. Kleinschmidt, ‘‘Investigating ChatGPT and cybersecurity: A
Sci., vol. 13, no. 15, p. 8587, Jul. 2023.
perspective on topic modeling and sentiment analysis,’’ Comput.
[173] M. A. Yagiz and P. Goktas, ‘‘LENS-XAI: Redefining lightweight and Secur., vol. 135, Dec. 2023, Art. no. 103476. [Online]. Available:
explainable network security through knowledge distillation and vari- https://www.sciencedirect.com/science/article/pii/S0167404823003863
ational autoencoders for scalable intrusion detection in cybersecurity,’’
[194] Bigid Launches BigAI, a ’privacy-by-design’ LLM Designed to Discover
2025, arXiv:2501.00790.
Data. Accessed: Dec. 22, 2024. [Online]. Available: https://venturebeat.
[174] M. Gupta, C. Akiri, K. Aryal, E. Parker, and L. Praharaj, ‘‘From com/security/bigid-launches-bigai-a-privacyby-design-llm-designed-to-
ChatGPT to ThreatGPT: Impact of generative AI in cybersecurity discover-data/
and privacy,’’ IEEE Access, vol. 11, pp. 80218–80245, 2023, doi:
[195] SlashNext Launches Industry’s First Generative AI Solution for
10.1109/ACCESS.2023.3300381.
Email Security. Accessed: Dec. 22, 2024. [Online]. Available: https://
[175] P. R. Brandao, H. S. Mamede, and M. Correia, ‘‘Advanced persistent www.prnewswire.com/news-releases/slashnextlaunches-industrys-first-
threats campaigns and attribution,’’ J. Comput. Sci., vol. 19, no. 8, generative-ai-solution-for-email-security301757649.html
pp. 1015–1028, Aug. 2023, doi: 10.3844/jcssp.2023.1015.1028. [196] How Google Cloud Plans to Supercharge Security With Generative AI
[176] S. Neupane, I. A. Fernandez, S. Mittal, and S. Rahimi, ‘‘Impacts and risk | Google Cloud Blog. Accessed: Jun. 22, 2024. [Online]. Available:
of generative AI technology on cyber defense,’’ 2023, arXiv:2306.13033. https://cloud.google.com/blog/products/identitysecurity/rsa-google-
[177] A. Geiger, D. Liu, S. Alnegheimish, A. Cuesta-Infante, and cloud-security-ai-workbench-generative-ai
K. Veeramachaneni, ‘‘TadGAN: Time series anomaly detection using [197] Microsoft Security Copilot | Microsoft Security. Accessed:
generative adversarial networks,’’ in Proc. IEEE Int. Conf. Big Data (Big Dec. 22, 2024. [Online]. Available: https://www.microsoft.com/en-
Data), Dec. 2020, pp. 33–43. in/security/business/ai-machine-learning/microsoft-securitycopilot
[178] M. A. Bashar and R. Nayak, ‘‘TAnoGAN: Time series anomaly detection [198] S. Mansfield-Devine, ‘‘Creating security operations centres that work,’’
with generative adversarial networks,’’ in Proc. IEEE Symp. Ser. Comput. Netw. Secur., vol. 2016, no. 5, pp. 15–18, May 2016.
Intell. (SSCI), Dec. 2020, pp. 1778–1785. [199] E. Agyepong, Y. Cherdantseva, P. Reinecke, and P. Burnap, ‘‘Challenges
[179] D. Li, D. Chen, B. Jin, L. Shi, J. Goh, and S.-K. Ng, ‘‘MAD- and performance metrics for security operations center analysts: A sys-
GAN: Multivariate anomaly detection for time series data with gen- tematic review,’’ J. Cyber Secur. Technol., vol. 4, no. 3, pp. 125–152,
erative adversarial networks,’’ in Proc. Int. Conf. Artif. Neural Netw. Jul. 2020, doi: 10.1080/23742917.2019.1698178.
(ICANN), Munich, Germany. Cham, Switzerland: Springer, 2019, [200] E. Chew, M. Swanson, K. Stine, N. Bartol, A. Brown, and W. Robinson,
pp. 703–716. ‘‘Performance measurement guide for information security,’’ Dept.
[180] H. Shirazi, S. R. Muramudalige, I. Ray, and A. P. Jayasumana, ‘‘Improved Inf. Technol., Nat. Inst. Standards Technol., Gaithersburg, MD, USA,
phishing detection algorithms using adversarial autoencoder synthesized Tech. Rep. 800-55, 2008. Accessed: Sep. 2, 2024. [Online]. Available:
data,’’ in Proc. IEEE 45th Conf. Local Comput. Netw. (LCN), Nov. 2020, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
pp. 24–32. 55r1.pdf

44704 VOLUME 13, 2025

S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

[201] Information Technology—Security Techniques—Information Security [224] K. Macnish and J. van der Ham, ‘‘Ethics in cybersecurity research and
Management—Monitoring, Measurement, Analysis and Evaluation, practice,’’ Technol. Soc., vol. 63, Nov. 2020, Art. no. 101382.
Standard ISO/IEC 27004:2016, 2016. Accessed: Sep. 2, 2024. [Online]. [225] K. Mersinas and M. Bada, ‘‘Behavior change approaches for cyber secu-
Available: https://www.iso.org/standard/64120.html rity and the need for ethics,’’ in Proc. Int. Conf. Cybersecur., Situational
[202] N. Salmi, ‘‘The present state of information security metrics,’’ Awareness Social Media. Singapore: Singapore, 2023, pp. 107–129.
M.S. thesis, Dept. Inf. Technol., Univ. Jyväskylä, Jyväskylä, Finland, [226] T. Skinner, J. Taylor, J. Dale, and J. McAlaney, ‘‘The development
2018. of intervention e-learning materials and implementation techniques
[203] M. Vielberth, F. Böhm, I. Fichtinger, and G. Pernul, ‘‘Security operations for cyber-security behaviour change,’’ in Proc. ACM SIG CHI, 2018,
center: A systematic study and open challenges,’’ IEEE Access, vol. 8, pp. 1–11.
pp. 227756–227779, 2020, doi: 10.1109/ACCESS.2020.3045514. [227] D. Branley-Bell, L. Coventry, E. Sillence, S. Magalini, P. Mari,
[204] D. Nathans, Designing and Building a Security Operations Center, A. Magkanaraki, and K. Anastasopoulou, ‘‘Your hospital needs you:
S. Elliot, Ed., Amsterdam, The Netherlands: Elsevier, 2014. Eliciting positive cybersecurity behaviours from healthcare staff,’’ Ann.
[205] P. Keltanen, ‘‘Measuring outsourced cyber security operations center,’’ Disaster Risk Sci., vol. 3, no. 1, pp. 1–12, Nov. 2020.
M.S. thesis, Eastern Finland Univ. Appl. Sci., Mikkeli, Finland, 2019. [228] J. Blythe, ‘‘Cyber security in the workplace: Understanding and promot-
[206] E. Agyepong, Y. Cherdantseva, P. Reinecke, and P. Burnap, ‘‘Towards ing behaviour change,’’ in Proc. CHItaly Doctoral Consortium, vol. 1065,
a framework for measuring the performance of a security operations 2013, pp. 92–101.
center analyst,’’ in Proc. Int. Conf. Cyber Secur. Protection Digit. Services [229] J. D. Bustard, ‘‘Improving student engagement in the study of profes-
(Cyber Security), Jun. 2020, pp. 1–8. sional ethics: Concepts and an example in cyber security,’’ Sci. Eng.
[207] F. B. Kokulu, A. Soneji, T. Bao, Y. Shoshitaishvili, Z. Zhao, A. Doupé, Ethics, vol. 24, pp. 683–698, Apr. 2018.
and G.-J. Ahn, ‘‘Matched and mismatched SOCs: A qualitative study on [230] S. Jagger, ‘‘Affective learning and the classroom debate,’’ Innov. Educ.
security operations center issues,’’ in Proc. ACM SIGSAC Conf. Comput. Teaching Int., vol. 50, no. 1, pp. 38–50, Feb. 2013.
Commun. Secur., Nov. 2019, pp. 1955–1970. [231] C. Taylor and C. Robinson, ‘‘’What matters in the end is to act well’: Stu-
[208] C. Onwubiko, ‘‘Cyber security operations centre: Security monitor- dent engagement and ethics,’’ in Understanding and Developing Student
ing for protecting business and supporting cyber defense strategy,’’ in Engagement. Evanston, IL, USA: Routledge, 2014, pp. 161–175.
Proc. Int. Conf. Cyber Situational Awareness, Data Analytics Assessment [232] D. K. Tiwary and U. Pradesh, ‘‘Security and ethical issues in it:
(CyberSA), Jun. 2015, pp. 1–10. An organization’s perspective,’’ Int. J. Enterprise Comput. Bus. Syst.,
[209] B. A. Alahmadi, L. Axon, and I. Martinovic, ‘‘99% false positives: vol. 2, no. 1, pp. 2230–8849, 2011.
A qualitative study of SOC analysts’ perspectives on security alarms,’’ in [233] A. Dunmore, J. Jang-Jaccard, F. Sabrina, and J. Kwak, ‘‘A comprehen-
Proc. 31st USENIX Secur. Symp. (USENIX Secur.), 2022, pp. 2783–2800. sive survey of generative adversarial networks (GANs) in cybersecurity
[210] C. Crowley and J. Pescatore. (2019). Common and Best intrusion detection,’’ IEEE Access, vol. 11, pp. 76071–76094, 2023, doi:
Practices for Security Operations Centers: Results of 10.1109/ACCESS.2023.3296707.
the 2019 SOC Survey. SANS Inst. [Online]. Available: [234] S. Bahadoripour, H. Karimipour, A. N. Jahromi, and A. Islam,
https://www.sans.org/media/analyst-program/common-practices- ‘‘An explainable multi-modal model for advanced cyber-attack detec-
securityoperations-centers-results-2019-soc-survey-39060.pdf tion in industrial control systems,’’ Internet Things, vol. 25, Apr. 2024,
[211] How to Build and Operate a Modern Security Operations Center, Gartner, Art. no. 101092, doi: 10.1016/j.iot.2024.101092.
Stamford, CT, USA, 2021. [235] I. H. Sarker, ‘‘Generative AI and large language modeling in cyber-
[212] Logsign. (2020). Guide for Security Operations Metrics. [Online]. Avail- security,’’ in AI-Driven Cybersecurity and Threat Intelligence: Cyber
able: https://www.logsign.com/uploads/Guide_for_Security_Operations Automation, Intelligent Decision-Making and Explainability. Cham,
_Metrics_Whitepaper_2f999f27cc.pdf Switzerland: Springer, 2024, pp. 79–99, doi: 10.1007/978-3-031-54497-
[213] M. Simos and J. Dellinger. (2019). CISO Series: Lessons Learned 2.
From the Microsoft SOC-Part 1: Organization. [Online]. Available: [236] A. Y. Wong, E. G. Chekole, M. Ochoa, and J. Zhou, ‘‘On the secu-
https://www.microsoft.com/security/blog/2019/02/21/lessons-learned- rity of containers: Threat modeling, attack analysis, and mitigation
from-the-microsoft-soc-part-1-organization/ strategies,’’ Comput. Secur., vol. 128, May 2023, Art. no. 103140, doi:
[214] C. Zimmerman and C. Crowley. (2019). Practical SOC Metrics. 10.1016/j.cose.2023.103140.
[Online]. Available: https://www.fireeye.com/content/dam/fireeye-www/ [237] F. M. Teichmann and S. R. Boticiu, ‘‘An overview of the benefits, chal-
summit/cds-2019/presentations/cds19-executive-s03bpractical-soc-metr lenges, and legal aspects of penetration testing and red teaming,’’ Int.
ics.pdf.fireEyeCyberDefenseSummit2019 Cybersecur. Law Rev., vol. 4, no. 4, pp. 387–397, 2023.
[215] J. Forsberg and T. Frantti, ‘‘Technical performance metrics of a security [238] C. Chindrus and C.-F. Caruntu, ‘‘Securing the network: A red and blue
operations center,’’ Comput. Secur., vol. 135, Dec. 2023, Art. no. 103529, cybersecurity competition case study,’’ Information, vol. 14, no. 11,
doi: 10.1016/j.cose.2023.103529. p. 587, Oct. 2023.
[216] H. Ahmetoglu and R. Das, ‘‘A comprehensive review on detection [239] M. R. Endsley, ‘‘Supporting human-AI teams: Transparency, explainabil-
of cyber-attacks: Data sets, methods, challenges, and future research ity, and situation awareness,’’ Comput. Hum. Behav., vol. 140, Mar. 2023,
directions,’’ Internet Things, vol. 20, Nov. 2022, Art. no. 100615, doi: Art. no. 107574.
10.1016/j.iot.2022.100615. [240] S. Hiremath, E. Shetty, A. J. Prakash, S. P. Sahoo, K. K. Patro,
[217] Y. Ahmed, M. A. Azad, and T. Asyhari, ‘‘Rapid forecasting of cyber K. N. V. P. S. Rajesh, and P. Pławiak, ‘‘A new approach to data analysis
events using machine learning-enabled features,’’ Information, vol. 15, using machine learning for cybersecurity,’’ Big Data Cognit. Comput.,
no. 1, p. 36, Jan. 2024, doi: 10.3390/info15010036. vol. 7, no. 4, p. 176, Nov. 2023.
[218] A. Zaboli, S. L. Choi, T.-J. Song, and J. Hong, ‘‘A novel generative AI- [241] T. Arjunan, ‘‘Detecting anomalies and intrusions in unstructured cyber-
based framework for anomaly detection in multicast messages in smart security data using natural language processing,’’ Int. J. Res. Appl. Sci.
grid communications,’’ 2024, arXiv:2406.05472. Eng. Technol., vol. 12, no. 2, pp. 1023–1029, Feb. 2024.
[219] I. M. de Diego, A. R. Redondo, R. R. Fernández, J. Navarro, and [242] A.-R. Al-Ghuwairi, Y. Sharrab, D. Al-Fraihat, M. AlElaimat,
J. M. Moguerza, ‘‘General performance score for classification prob- A. Alsarhan, and A. Algarni, ‘‘Intrusion detection in cloud computing
lems,’’ Appl. Intell., vol. 52, no. 10, pp. 12049–12063, Jan. 2022. based on time series anomalies utilizing machine learning,’’ J. Cloud
[220] A. Kuppa and N.-A. Le-Khac, ‘‘Adversarial XAI methods in cybersecu- Comput., vol. 12, no. 1, p. 127, Aug. 2023.
rity,’’ IEEE Trans. Inf. Forensics Security, vol. 16, pp. 4924–4938, 2021. [243] Z. Liu, Y. Wang, F. Feng, Y. Liu, Z. Li, and Y. Shan, ‘‘A DDoS
[221] J. Vadillo, R. Santana, and J. A. Lozano, ‘‘When and how to fool detection method based on feature engineering and machine learn-
explainable models (and humans) with adversarial examples,’’ 2021, ing in software-defined networks,’’ Sensors, vol. 23, no. 13, p. 6176,
arXiv:2107.01943. Jul. 2023.
[222] M. Loi and M. Christen, ‘‘Ethical frameworks for cybersecurity,’’ in The [244] S. Al-Mansoori and M. B. Salem, ‘‘The role of artificial intelligence
Ethics of Cybersecurity, M. Christen, B. Gordijn, and M. Loi, Eds., Cham, and machine learning in shaping the future of cybersecurity: Trends,
Switzerland: Springer, 2020, pp. 73–95. applications, and ethical considerations,’’ Int. J. Social Analytics, vol. 8,
[223] E. Kenneally, M. Bailey, and D. Maughan, ‘‘A framework for understand- no. 9, pp. 1–16, 2023.
ing and applying ethical principles in network and security research,’’ in [245] N. Vemuri, N. Thaneeru, and V. M. Tatikonda, ‘‘Securing trust: Ethical
Proc. Int. Conf. Financial Cryptography Data Secur. Berlin, Germany: considerations in AI for cybersecurity,’’ J. Knowl. Learn. Sci. Technol.,
Springer, Jan. 2010, pp. 240–246. vol. 2, no. 2, pp. 167–175, May 2023.

VOLUME 13, 2025 44705

 S. Ankalaki et al.: Cyber Attack Prediction: From Traditional ML to Gen-AI

[246] N. G. Camacho, ‘‘The role of AI in cybersecurity: Addressing threats GEETABAI S HUKKERI received the integrated
in the digital age,’’ J. Artif. Intell. Gen. Sci. (JAIGS), vol. 3, no. 1, B.E. and Ph.D. degrees in computer science
pp. 143–154, Mar. 2024. and engineering from Visvesvaraya Technological
[247] Y. Kim, G. Dán, and Q. Zhu, ‘‘Human-in-the-Loop cyber intrusion detec- University, Belagavi, India. Since 2023, she has
tion using active learning,’’ IEEE Trans. Inf. Forensics Security, vol. 19, been an Assistant Professor with the Department
pp. 8658–8672, 2024, doi: 10.1109/TIFS.2024.3434647. of Computer Science and Engineering, Mani-
pal Institute of Technology Bengaluru, Manipal
Academy of Higher Education, Manipal, India.
She is the author of two books, four journal arti-
cles, and more than five conference publications.
Her research interests include computer vision, information retrieval, big
data, machine learning, and deep learning and its applications.
SHILPA ANKALAKI received the Ph.D. degree
in computer science and engineering from Visves-
varaya Technological University, Belagavi, India.
She is currently an Assistant Professor with the
Department of Computer Science and Engineer- TONY JAN is currently the Head of the School of
ing, Manipal Institute of Technology Bengaluru, IT and the Director of the Artificial Intelligence
Manipal Academy of Higher Education, Manipal. Research Centre, Torrens University, Australia.
She has authored several research papers published He was previously the Associate Head and an
in various international journals and conferences. Associate Professor with the School of IT and
Her research interests include machine learning, Engineering, Melbourne Institute of Technology;
deep learning, data mining, and artificial intelligence. and the University of Technology Sydney, respec-
tively. He specializes in machine learning for
cybersecurity and smart technologies, with over
70 articles in prestigious journals supported by
several large research grants totaling over 20 million dollars in the domains
of AI automation and homeland security.

APARNA RAJESH ATMAKURI is currently an

Associate Professor with the Department of CSE,
SoET, Centurion University of Technology and
Management Bhubaneswar, Odisha. She has pub- GANESH R. NAIK received the Ph.D. degree in
lished several papers and book chapters in inter- electronics engineering, specializing in biomedi-
national conferences and journals, authored four cal engineering and signal processing, from RMIT
technical books, and holds three patents. Her University, Melbourne, Australia, in December
research interests include cybersecurity, cloud 2009. He is currently a Senior Lecturer in IT and
computing, the IoT, and AI/ML. CS with Torrens University, Adelaide, Australia.
He is a leading expert in data science and biomed-
ical signal processing. Previously, he was an
Academic and a Research Theme Co-Lead with
the Sleep Institute, Flinders University. He was
also a Postdoctoral Research Fellow with the MARCS Institute, Western
Sydney University, from July 2017 to July 2020. Before that, he was a
Chancellor’s Postdoctoral Research Fellow with the Centre for Health Tech-
M. PALLAVI received the B.E. degree in computer nologies, University of Technology Sydney (UTS), from February 2013 to
science and engineering from the Atria Institute June 2017. As a mid-career researcher, he has edited 15 books and authored
of Technology, Bengaluru, the M.Tech. degree around 160 papers in peer-reviewed journals and conferences. He is a
in computer science and engineering from the Baden–Württemberg Scholarship recipient from Berufsakademie, Stuttgart,
Nitte Meenakshi Institute of Technology (NMIT), Germany, in 2006 and 2007. In 2010, he was awarded an ISSI Overseas Fel-
Bengaluru, and the Ph.D. degree in computer lowship from Skilled Institute Victoria, Australia. Recently, he was awarded
science from Presidency University, Bengaluru, a BridgeTech Industry Fellowship from the Medical Research Future Fund,
in 2023. She is currently an Assistant Profes- Government of Australia. He is an Associate Editor of IEEE ACCESS, Fron-
sor with the Department of Computer Science tiers in Neurorobotics, and two Springer journals. He ranked top 2% of
and Engineering, Presidency University, Banga- researchers worldwide in biomedical engineering.
lore. Her research interests include machine learning and deep learning.

Open Access funding provided by ‘Manipal Academy of Higher Education’ within the CRUI CARE Agreement

44706 VOLUME 13, 2025