https://jjcit.org/paper/179 AN EARLY DETECTION MODEL FOR KERBEROASTING ATTACKS AND DATASET LABELING 10.5455/jjcit.71-1661423262 Remah Younisse,Mouhammd Alkasassbeh,Mohammad Almseidin,Hamza Abdi Kerberoasting attacks,Attack life-cycle,Dataset labeling,Early detection 225 63 25-Aug.-2022 28-Oct.-2022 22-Nov.-2022 The wild nature of humans has become civilized and the weapons they use to attack each other are now digitized. Security over the Internet usually takes a defensive shape, aiming to fight against attacks created for malicious reasons. Invaders’ actions over the Internet can take patterns by going through specific steps every time they attack. These patterns can be used to predict, mitigate and stop these attacks. This study proposes a method to label datasets related to multi-stage attacks according to attack stages rather than the attack type. These datasets can be used later in machine-learning models to build intelligent defensive models. On the other hand, we propose a method to predict and early kill attacks in an active directory environment, such as kerberoasting attacks. In this study, we have collected data related to a suggested kerberoasting attack scenario in pcap files. Every pcap file contains data related to a particular stage of the attack life-cycle and the extracted information from the pcap files was used to highlight the features and specific activities during every step. The information was used to draw an efficient defensive plan against the attack. Here, we propose a methodology to draw equivalent defensive plans for other similar attacks as the kerberoasting attack covered in this study.