Forecasting multistage attacks in Kubernetes from Falco alerts using State-Space Models

Software security
Authors:
Abstract:

The article addresses proactive detection and forecasting of multi-stage cyberattacks in Kubernetes clusters through analysis of security event streams. As the mathematical framework it proposes Selective State-Space Models (SSMs), which process long sequences of Falco alerts efficiently while taking into account the context of system calls and orchestrator metadata. The developed architecture is shown to outperform baseline recurrent neural networks (LSTM/GRU) on binary incident classification, reaching a ROC-AUC of 0.93 and an F1-score of 0.84 on a test dataset generated from MITRE ATT&CK scenarios. The proposed method is found to enable early threat detection (on average at 57% of the attack episode length), which makes proactive response mechanisms such as container migration applicable before critical consequences occur.
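To make the abstract's two ideas concrete, here is an added illustration (not code from the paper or from Falco) of a selective state-space scan over a constructed sequence of Falco-style alerts, together with the "detected at X% of the episode length" measurement. The alert feature encoding, the hand-set weights and the shared step size Δ are assumptions for the toy; a real model learns the weights from data.

```python
import math

# Constructed toy feature vector per Falco alert (not the paper's encoding):
# [priority scaled to 0..1, shell spawned in container, sensitive file read, outbound connection]
EPISODE = [
    (0.2, 0, 0, 0),  # Notice: routine process spawn
    (0.4, 0, 0, 0),  # Warning: package manager launched in container
    (0.8, 1, 0, 0),  # Error: terminal shell in container
    (0.8, 0, 1, 0),  # Error: read of a sensitive file
    (1.0, 0, 0, 1),  # Critical: unexpected outbound connection
    (1.0, 0, 1, 1),  # Critical: sensitive read plus egress
]

D, N = 4, 2            # D input channels, N state dimensions per channel
A = [-0.5, -2.0]       # fixed diagonal state decay (one slow, one fast memory)
# Hand-set weights standing in for learned parameters (assumption, not the paper's model)
W_DELTA, B_DELTA = [0.5, 1.5, 1.5, 1.5], -1.0      # step size delta_t is input-dependent
W_B = [[1.0, 1.0, 1.0, 1.0], [0.5, 1.0, 1.0, 1.0]]  # B_t: how strongly x_t is written to state
W_C = [[1.0, 1.0, 1.0, 1.0], [0.0, 0.5, 1.0, 1.0]]  # C_t: how the state is read out
W_OUT, B_OUT = [0.25, 0.5, 0.5, 0.75], -4.0          # classifier head on the SSM output

def dot(w, x): return sum(wi * xi for wi, xi in zip(w, x))
def softplus(z): return math.log1p(math.exp(z))
def sigmoid(z): return 1.0 / (1.0 + math.exp(-z))

def selective_scan(seq):
    """Mamba-style selective scan: delta_t, B_t and C_t depend on the current alert,
    so the model decides per step how much to remember or forget.
    Returns the per-step incident probability (one delta shared across channels for brevity)."""
    h = [[0.0] * N for _ in range(D)]
    scores = []
    for x in seq:
        delta = softplus(dot(W_DELTA, x) + B_DELTA)
        b_t = [dot(W_B[n], x) for n in range(N)]
        c_t = [dot(W_C[n], x) for n in range(N)]
        decay = [math.exp(delta * A[n]) for n in range(N)]   # zero-order-hold discretisation of A
        y = []
        for d in range(D):
            for n in range(N):
                h[d][n] = decay[n] * h[d][n] + delta * b_t[n] * x[d]
            y.append(dot(c_t, h[d]))
        scores.append(sigmoid(dot(W_OUT, y) + B_OUT))
    return scores

def detection_point(scores, threshold=0.5):
    """Fraction of the episode consumed before the score first crosses the threshold
    (the abstract's 'detected at 57% of the episode length' metric), or None if never."""
    for i, s in enumerate(scores):
        if s >= threshold:
            return (i + 1) / len(scores)
    return None

if __name__ == "__main__":
    s = selective_scan(EPISODE)
    print([round(v, 3) for v in s], detection_point(s))
```

With these weights the score stays low through the shell spawn and crosses 0.5 at the sensitive-file read, i.e. at 4/6 of the episode, leaving the last two alerts as lead time for a response such as migration.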