Attack Scenario Reconstruction Via Fusing Heterogeneous Threat Intelligence

Xiaodong Zang, Jian Gong, Xinchang Zhang, Guiqing Li
DOI: https://doi.org/10.1016/j.cose.2023.103420
IF: 5.105
2023-01-01
Computers & Security
Abstract: Nowadays, new-generation threats often use multiple means or perform several steps to intrude into networks and ultimately reach their objective. These new threats are multi-staged, and their intrusion pattern can be understood through the kill-chain defensive model. This paper focuses on fusing heterogeneous threat intelligence collected from security information and event management systems to reconstruct multi-step attack scenarios and discover critical attack paths. However, the absence of an agreed-upon vocabulary for representing heterogeneous threat intelligence makes it difficult to model attack scenarios accurately and efficiently. Therefore, we devise a heterogeneous threat intelligence fusing approach for real-time reconstruction of attack scenarios. Firstly, we use Structured Threat Information eXpression (STIX) to format heterogeneous threat intelligence (TI). We analyze the causal relationship of each piece of heterogeneous threat intelligence and piece them together. Then, we model multi-stage attack scenario reconstruction as a community discovery problem and mine the attack scenarios with a semantic correlation weight and a community detection algorithm. We finally use the open-source benchmark datasets (DARPA 2000, CICIDS 2017) and real Internet traffic captured from the China Education and Research Network backbone (CERNET) to evaluate our work. Extensive results demonstrate that our proposal can accurately reconstruct multi-step attack scenarios and discover covert C&C channels.