Ajay Modi,Zhibo Sun,Anupam Panwar,Tejas Khairnar,Ziming Zhao,Adam Doupe,Gail-Joon Ahn,Paul Black

DOI: https://doi.org/10.1109/cic.2016.060

2016-01-01

Abstract:The volume and frequency of new cyber attacks have exploded in recent years. Such events have very complicated workflows and involve multiple criminal actors and organizations. However, current practices for threat analysis and intelligence discovery are still performed piecemeal in an ad-hoc manner. For example, a modern malware analysis system can dissect a piece of malicious code by itself. But, it cannot automatically identify the criminals who developed it or relate other cyber attack events with it. Consequently, it is imperative to automatically assemble the jigsaw puzzles of cybercrime events by performing threat intelligence fusion on data collected from heterogeneous sources, such as malware, underground social networks, cryptocurrency transaction records, etc. In this paper, we propose an Automated Threat Intelligence fuSion framework (ATIS) that is able to take all sorts of threat sources into account and discover new intelligence by connecting the dots of apparently isolated cyber events. To this end, ATIS consists of 5 planes, namely analysis, collection, controller, data and application planes. We discuss the design choices we made in the function of each plane and the interfaces between two adjacent planes. In addition, we develop two applications on top of ATIS to demonstrate its effectiveness.

Jun Zhao,Qiben Yan,Jianxin Li,Minglai Shao,Zuti He,Bo Li

DOI: https://doi.org/10.1016/j.cose.2020.101867

2020-08-01

Abstract:<p>Security organizations increasingly rely on Cyber Threat Intelligence (CTI) sharing to enhance resilience against cyber threats. However, its effectiveness remains dubious due to two major limitations: first, the existing approaches fail to identify the unseen types of <em>Indicator of compromise</em> (IOC); second, they are incapable of automatically generating categorized CTIs with domain tags (e.g., finance, government), which makes CTI sharing ineffective. To combat the challenges, this paper proposes TIMiner, a novel automated framework for CTI extraction and sharing based on social media data. Particularly, an efficient domain recognizer based on convolutional neural network is first implemented to identify CTIs' targeted domain. Then, an indicator of compromise (IOC) extraction approach based on word embedding and syntactic dependence is proposed, which provides the ability to identify unseen types of IOCs. Finally, the extracted IOC and its domain tag are integrated to generate a categorized CTI with specific-domain. TIMiner is capable of generating CTIs with domain tags automatically. With the categorized CTIs, <em>Threat-Index</em> is presented to quantify the severity of the threats toward different domains. Experimental results confirm that the proposed CTI domain recognizer and IOC extraction achieve superior performance with the accuracy exceeding 84% and 94%, respectively. Moreover, TIMiner stimulates new insights on the evolution of cyber attacks across multiple domains.</p>

computer science, information systems

Yongyan Guo,Zhengyu Liu,Cheng Huang,Nannan Wang,Hai Min,Wenbo Guo,Jiayong Liu

DOI: https://doi.org/10.1016/j.cose.2023.103371

IF: 5.105

2023-01-01

Computers & Security

Abstract:Cyber-attacks, with various emerging attack techniques, are becoming increasingly sophisticated and difficult to deal with, posing great threats to companies and every individual. Therefore, analyzing attack incidents and tracing the attack groups behind them becomes extremely important. Threat intelligence provides a new technical solution for attack traceability by constructing Cybersecurity Knowledge Graph (CKG). In this paper, we propose a framework for threat intelligence extraction and fusion, which is able to extract, correlate and unify cybersecurity entity-relation triples from structured and unstructured data. However, the existing entity and relation extraction for cybersecurity concepts uses the traditional pipeline model that suffers from error propagation and ignores the connection between the two subtasks. To solve the above problem, we propose a joint entity and relation extraction model for cybersecurity concepts. We model the joint extraction problem as a multiple sequence labeling problem, generating separate label sequences for different relations, which contain information about the involved entities and the subject and object of that relation. Experimental results on Open Source Intelligence (OSINT) data show that the F1 value of the joint model is 81.37%, which is better than the previous pipeline model. For the knowledge fusion, we propose an improved Levenshtein distance to correlate the same entities extracted from different data sources to construct a preliminary CKG, which is demonstrated in the Experiments section.

Menghan Wang,Libin Yang,Wei Lou

DOI: https://doi.org/10.1109/dsn-w54100.2022.00037

2022-01-01

Abstract:Extraordinary growth of the Internet poses a great challenge for defending worldwide evolution of cyber attacks. Introducing cyber threat intelligence (CTI) is a promising approach for alleviating malicious attacks, which heavily relies on the quality of CTI themselves. However, most of current studies develop CTI quality assessment from the perspective of source or content separately, regardless of their availability in practical. In this paper, a dynamic method named CTIC to comprehensively assess CTI quality is proposed. Specifically, we propose a novel CTI feed assessing scheme by modeling the interactions of feeds as a correlation graph. An iterative algorithm is elaborated to depict the feed quality precisely. We design a CTI content assessing scheme together with a machine learning algorithm to score the availability of content from multi-dimensions. Experimental results on real data confirm our proposed mechanism can quantitatively as well as effectively assess CTI quality.

Xiaodong Zang,Jian Gong,Xinchang Zhang,Guiqing Li

DOI: https://doi.org/10.1016/j.cose.2023.103420

IF: 5.105

2023-01-01

Computers & Security

Abstract:Nowadays, new-generation threats often use multiple means or perform several steps to intrude into networks and ultimately reach their objective. These new threats have multi-staged, and we can understand their intrusion pattern from the kill-chain defensive model. This paper focuses on fusing heterogeneous threat intelligence collected from security information and event management systems to reconstruct multi-step attack scenarios and discover critical attack paths. However, the need for an agreed-upon vocabulary to represent the heterogeneous threat intelligence makes it difficult to model the attack scenarios accurately and efficiently. Therefore, we devise a heterogeneous threat intelligence fusing approach for real-time reconstruction of the attack scenarios. Firstly, we use structured threat information expression (STIX) to format heterogeneous threat intelligence (TI). We analyze the causal relationship of each heterogeneous threat intelligence and piece them together. Then, we model the multi-stage attack scenario reconstruction as a community discovery problem. We mine the attack scenarios with semantic correlation weight and a community detection algorithm. We finally use the open-source benchmark datasets (DARPA 2000, CICIDS 2017) and the real Internet traffic captured from the China Education Research Network backbone (CERNET) to evaluate our work. Extensive results demonstrate that our proposal can accurately reconstruct multi-step attack scenarios and discover covert C&C channels.

Beifeng Mao,Jing Liu,Yingxu Lai,Motong Sun

DOI: https://doi.org/10.1016/j.comnet.2021.108340

IF: 5.493

2021-01-01

Computer Networks

Abstract:Most attacks on the Internet are progressive attacks and exploit multiple nodes. Traditional Intrusion Detection Systems (IDS) cannot detect the original attack node, making it difficult to block the attack at its source. This paper focuses on using IDS’ alerts corresponding to abnormal traffic to correlate attacks detected by the IDS, reconstruct multi-step attack scenarios and discover attack chains. Due to many false positives in the information provided by IDS, accurate reconstruction of the attack scenario and extraction of the most critical attack chain is challenging. Therefore, we propose a method to reconstruct multi-step attack scenarios in the network based on multiple information fusion of attack time, risk assessment and attack node information. First, we propose a Convolution and Agent Decision Tree Network (CTnet), a convolutional neural network that evaluates the attacks detected by the IDS and gives an alert with an attack risk assessment. Then, we reconstruct the weighted attack scenario by applying Graph-based Fusion Module (GM) on the captured attacks’ risk assessment and time information. Finally, we extract the high-risk attack chain by Depth First Search with Time and Weight (TW-DFS) algorithm. The experimental results show that the proposed method can accurately reconstruct multi-step attack scenarios and trace them back to the original host. It can help administrators to deploy security measures more effectively to ensure the overall security of the network.

Ming Xu,Hongtai Wang,Jiahao Liu,Yun Lin,Chenyang Xu Yingshi Liu,Hoon Wei Lim,Jin Song Dong

2024-12-14

Abstract:To combat increasingly sophisticated cyberattacks, a common practice is to transform unstructured cyber threat intelligence (CTI) reports into structured intelligence, facilitating threat-focused security tasks such as summarizing detection rules or simulating attack scenarios for red team exercises.

Cryptography and Security

Yizhe You,Jun Jiang,Zhengwei Jiang,Peian Yang,Baoxu Liu,Huamin Feng,Xuren Wang,Ning Li

DOI: https://doi.org/10.1186/s42400-021-00106-5

2022-02-01

Abstract:Abstract TTPs (Tactics, Techniques, and Procedures), which represent an attacker’s goals and methods, are the long period and essential feature of the attacker. Defenders can use TTP intelligence to perform the penetration test and compensate for defense deficiency. However, most TTP intelligence is described in unstructured threat data, such as APT analysis reports. Manually converting natural language TTPs descriptions to standard TTP names, such as ATT&CK TTP names and IDs, is time-consuming and requires deep expertise. In this paper, we define the TTP classification task as a sentence classification task. We annotate a new sentence-level TTP dataset with 6 categories and 6061 TTP descriptions from 10761 security analysis reports. We construct a threat context-enhanced TTP intelligence mining (TIM) framework to mine TTP intelligence from unstructured threat data. The TIM framework uses TCENet (Threat Context Enhanced Network) to find and classify TTP descriptions, which we define as three continuous sentences, from textual data. Meanwhile, we use the element features of TTP in the descriptions to enhance the TTPs classification accuracy of TCENet. The evaluation result shows that the average classification accuracy of our proposed method on the 6 TTP categories reaches 0.941 . The evaluation results also show that adding TTP element features can improve our classification accuracy compared to using only text features. TCENet also achieved the best results compared to the previous document-level TTP classification works and other popular text classification methods, even in the case of few-shot training samples. Finally, the TIM framework organizes TTP descriptions and TTP elements into STIX 2.1 format as final TTP intelligence for sharing the long-period and essential attack behavior characteristics of attackers. In addition, we transform TTP intelligence into sigma detection rules for attack behavior detection. Such TTP intelligence and rules can help defenders deploy long-term effective threat detection and perform more realistic attack simulations to strengthen defense.

computer science, information systems, interdisciplinary applications, software engineering

Prasasthy Balasubramanian,Sadaf Nazari,Danial Khosh Kholgh,Alireza Mahmoodi,Justin Seby,Panos Kostakos

2024-02-15

Abstract:The extraction of cyber threat intelligence (CTI) from open sources is a rapidly expanding defensive strategy that enhances the resilience of both Information Technology (IT) and Operational Technology (OT) environments against large-scale cyber-attacks. While previous research has focused on improving individual components of the extraction process, the community lacks open-source platforms for deploying streaming CTI data pipelines in the wild. To address this gap, the study describes the implementation of an efficient and well-performing platform capable of processing compute-intensive data pipelines based on the cloud computing paradigm for real-time detection, collecting, and sharing CTI from different online sources. We developed a prototype platform (TSTEM), a containerized microservice architecture that uses Tweepy, Scrapy, Terraform, ELK, Kafka, and MLOps to autonomously search, extract, and index IOCs in the wild. Moreover, the provisioning, monitoring, and management of the TSTEM platform are achieved through infrastructure as a code (IaC). Custom focus crawlers collect web content, which is then processed by a first-level classifier to identify potential indicators of compromise (IOCs). If deemed relevant, the content advances to a second level of extraction for further examination. Throughout this process, state-of-the-art NLP models are utilized for classification and entity extraction, enhancing the overall IOC extraction methodology. Our experimental results indicate that these models exhibit high accuracy (exceeding 98%) in the classification and extraction tasks, achieving this performance within a time frame of less than a minute. The effectiveness of our system can be attributed to a finely-tuned IOC extraction method that operates at multiple stages, ensuring precise identification of relevant information with low false positives.

Cryptography and Security

Libin Yang,Menghan Wang,Wei Lou

DOI: https://doi.org/10.1016/j.cose.2024.104079

2025-01-01

Abstract:The emergence of cyber threat intelligence (CTI) is a promising approach for alleviating malicious activities. However, the effectiveness of CTIs is heavily dependent on their quality. Current literature develops the CTI quality assessment ontology mainly from the perspective of CTI source or content separately, regardless of their availability in practice. In this paper, we propose an automated CTI quality assessment method that synthesizes the trustworthiness of CTI sources and the availability of CTI contents. Specifically, we model the interactions of CTI feeds as a correlation graph and propose an iterative algorithm to well discriminate the feeds’ trustworthiness. We elaborate a CTI content assessment together with a machine learning algorithm to automatically classify CTIs’ availability from a set of content metrics. A comprehensive CTI quality assessment is proposed by jointly considering the feed trustworthiness and content availability. Extensive experimental results on real datasets demonstrate that our proposed method can quantitatively as well as effectively assess CTI quality.

Yuheng Wei,Futai Zou

DOI: https://doi.org/10.1007/978-3-030-90019-9_3

2021-01-01

Abstract:Sharing plenty and accurate structured Cyber Threat Intelligence (CTI) will play a pivotal role in adapting to rapidly evolving cyber attacks and malware. However, the traditional CTI generation methods are extremely time and labor-consuming. The recent work focuses on extracting CTI from well structured Open Source Intelligence (OSINT). However, many challenges are still to generate CTI and Indicators of Compromise(IoC) from non-human-written malware traces. This work introduces a method to automatically generate concise, accurate and understandable CTI from unstructured malware traces. For a specific class of malware, we first construct the IoC expressions set from malware traces. Furthermore, we combine the generated IoC expressions and other meaningful information in malware traces to organize the threat intelligence which meets open standards such as Structured Threat Information Expression (STIX). We evaluate our algorithm on real-world dataset. The experimental results show that our method achieves a high average recall rate of 89.4% on the dataset and successfully generates STIX reports for every class of malware, which means our methodology is practical enough to automatically generate effective IoC and CTI.

Ankang Ju,Yuanbo Guo,Ziwei Ye,Tao Li,Jing Ma

DOI: https://doi.org/10.1155/2019/5483918

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:In the current enterprise network environment, multistep targeted cyber-attacks with concealment and advanced characteristics have become the main threat. Multisource security data are the prerequisite of targeted cyber-attacks detection. However, these data have characters of heterogeneity and semantic diversity, and existing attack detection methods do not take comprehensive data sources into account. Identifying and predicting attack intention from heterogeneous noisy data can be meaningful work. In this paper, we first review different data fusion mechanisms of correlating heterogeneous multisource data. On this basis, we propose a big data analytics framework for targeted cyber-attacks detection and give the basic idea of correlation analysis. Our approach will offer the ability to correlate multisource heterogeneous security data and analyze attack intention effectively.

Yali Gao,Xiaoyong Li,Hao Peng,Binxing Fang,Philip S. Yu

DOI: https://doi.org/10.1109/tkde.2020.2987019

IF: 9.235

2022-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Cyber attacks have become increasingly complicated, persistent, organized, and weaponized. Faces with this situation, drives a rising number of organizations across the world are showing a growing willingness to leverage the open exchange of cyber threat intelligence (CTI) for obtaining a full picture of the fast-evolving cyber threat situation and protecting themselves against cyber-attacks. However, modeling CTI is challenging due to the explicit and implicit relationships among CTI and the heterogeneity of cyber-threat infrastructure nodes involved in CTI. Owing to the limited labels of cyber threat infrastructure nodes involved in CTI, automatically identifying the threat type of infrastructure nodes for early warning is also challenging. To tackle these challenges, a practical system called HinCTI is developed for modeling cyber threat intelligence and identifying threat types. We first design a threat intelligence meta-schema to depict the semantic relatedness of infrastructure nodes. We then model cyber threat intelligence on heterogeneous information network (HIN), which can integrate various types of infrastructure nodes and rich relations among them. Following, we define a meta-path and meta-graph instances-based threat Infrastructure similarity (MIIS) measure between threat infrastructure nodes and present a MIIS measure-based heterogeneous graph convolutional network (GCN) approach to identify the threat types of infrastructure nodes involved in CTI. Moreover, through the hierarchical regularization strategy, our model can alleviate the problem of overfitting and achieve good results in the threat type identification of infrastructure nodes. To the best of our knowledge, this work is the first to model CTI on HIN for threat identification and propose a heterogeneous GCN-based approach for threat type identification of infrastructure nodes. With HinCTI, comprehensive experiments are conducted on real-world datasets, and experimental results demonstrate that our proposed approach can significantly improve the performance of threat type identification compared to the existing state-of-the-art baseline methods. Our work is beneficial to greatly relieve security analysts from heavy analysis work and efficiently protect organizations against cyber-attacks.

Md Rayhanur Rahman,Rezvan Mahdavi-Hezaveh,Laurie Williams

DOI: https://doi.org/10.48550/arXiv.2109.06808

2021-09-14

Cryptography and Security

Abstract:Cybersecurity researchers have contributed to the automated extraction of CTI from textual sources, such as threat reports and online articles, where cyberattack strategies, procedures, and tools are described. The goal of this article is to aid cybersecurity researchers understand the current techniques used for cyberthreat intelligence extraction from text through a survey of relevant studies in the literature. We systematically collect "CTI extraction from text"-related studies from the literature and categorize the CTI extraction purposes. We propose a CTI extraction pipeline abstracted from these studies. We identify the data sources, techniques, and CTI sharing formats utilized in the context of the proposed pipeline. Our work finds ten types of extraction purposes, such as extraction indicators of compromise extraction, TTPs (tactics, techniques, procedures of attack), and cybersecurity keywords. We also identify seven types of textual sources for CTI extraction, and textual data obtained from hacker forums, threat reports, social media posts, and online news articles have been used by almost 90% of the studies. Natural language processing along with both supervised and unsupervised machine learning techniques such as named entity recognition, topic modelling, dependency parsing, supervised classification, and clustering are used for CTI extraction. We observe the technical challenges associated with these studies related to obtaining available clean, labelled data which could assure replication, validation, and further extension of the studies. As we find the studies focusing on CTI information extraction from text, we advocate for building upon the current CTI extraction work to help cybersecurity practitioners with proactive decision making such as threat prioritization, automated threat modelling to utilize knowledge from past cybersecurity incidents.

Binhui Tang,Junfeng Wang,Huanran Qiu,Jian Yu,Zhongkun Yu,Shijia Liu

DOI: https://doi.org/10.32604/cmc.2023.029135

2023-01-01

Abstract:The continuous improvement of the cyber threat intelligence sharing mechanism provides new ideas to deal with Advanced Persistent dures (TTP) from Cyber Threat Intelligence (CTI) can facilitate APT actors??? profiling for an immediate response. However, it is difficult for traditional manual methods to analyze attack behaviors from cyber threat intelligence due to its heterogeneous nature. Based on the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) of threat behavior description, this paper proposes a threat behavioral knowledge extraction framework that integrates Heterogeneous Text Network (HTN) and Graph Convolutional Network (GCN) to solve this issue. It leverages the hierarchical correlation relationships of attack techniques and tactics in the ATT&CK to construct a text network of heterogeneous cyber threat intelligence. With the help of the Bidirectional Encoder Representation from Transformers (BERT) pretraining model to analyze the contextual semantics of cyber threat intelligence, the task of threat behavior identification is transformed into a text classification task, which automatically extracts attack behavior in CTI, then identifies the malware and advanced threat actors. The experimental results show that F1 achieve 94.86% and 92.15% for the multi-label classification tasks of tactics and techniques. Extend the experiment to verify the method???s effectiveness in identifying the malware and threat actors in APT attacks. The F1 for malware and advanced threat actors identification task reached 98.45% and 99.48%, which are better than the benchmark model in the experiment and achieve state of the art. The model can effectively model threat intelligence text features with a priori knowledge to compensate for insufficient sample data and improve the classification performance and recognition ability of threat behavior in text.

Jian Wang,Tiantian Zhu,Chunlin Xiong,Yan Chen

2024-11-13

Abstract:The construction of attack technique knowledge graphs aims to transform various types of attack knowledge into structured representations for more effective attack procedure modeling. Existing methods typically rely on textual data, such as Cyber Threat Intelligence (CTI) reports, which are often coarse-grained and unstructured, resulting in incomplete and inaccurate knowledge graphs. To address these issues, we expand attack knowledge sources by incorporating audit logs and static code analysis alongside CTI reports, providing finer-grained data for constructing attack technique knowledge graphs. We propose MultiKG, a fully automated framework that integrates multiple threat knowledge sources. MultiKG processes data from CTI reports, dynamic logs, and static code separately, then merges them into a unified attack knowledge graph. Through system design and the utilization of the Large Language Model (LLM), MultiKG automates the analysis, construction, and merging of attack graphs across these sources, producing a fine-grained, multi-source attack knowledge graph. We implemented MultiKG and evaluated it using 1,015 real attack techniques and 9,006 attack intelligence entries from CTI reports. Results show that MultiKG effectively extracts attack knowledge graphs from diverse sources and aggregates them into accurate, comprehensive representations. Through case studies, we demonstrate that our approach directly benefits security tasks such as attack reconstruction and detection.

Cryptography and Security

Tao Leng,Lixin Zhao,Yuedong Pan,Aimin Yu,Ziyuan Zhu,Lijun Cai,Dan Meng

DOI: https://doi.org/10.1109/iscc61673.2024.10733636

2024-01-01

Abstract:The initial manifestations of fileless attacks were predominantly document-based attacks, extensively leveraged in Advanced Persistent Threat (APT) campaigns and cybercriminal activities. Malicious documents leveraging macros, DDE, template injection, and other attack vectors evade conventional signature-based detection techniques. Additionally, the constant influx of new samples undermines models trained only on single attack vector features. Herein, we introduce DocInspect, a methodological framework predicated on the multi-feature fusion of complex attack vectors. Through observational analyses of attack vectors, static analysis extracts keywords and indicators of compromise from vectors like macro code, simulated execution retrieves shellcode function calls and parameters, and deceptive images and text are concurrently extracted. These multi-dimensional features are then fused to construct feature vectors. Ultimately, leveraging the Extra Trees model on our latest sample set, we achieve an F1 score of 99.96%, while demonstrating commendable robustness.

Tiantian Zhu,Jie Ying,Tieming Chen,Chunlin Xiong,Wenrui Cheng,Qixuan Yuan,Aohan Zheng,Mingqi Lv,Yan Chen

2024-05-05

Abstract:Advanced Persistent Threat (APT) attacks have caused significant damage worldwide. Various Endpoint Detection and Response (EDR) systems are deployed by enterprises to fight against potential threats. However, EDR suffers from high false positives. In order not to affect normal operations, analysts need to investigate and filter detection results before taking countermeasures, in which heavy manual labor and alarm fatigue cause analysts miss optimal response time, thereby leading to information leakage and destruction. Therefore, we propose Endpoint Forecasting and Interpreting (EFI), a real-time attack forecast and interpretation system, which can automatically predict next move during post-exploitation and explain it in technique-level, then dispatch strategies to EDR for advance reinforcement. First, we use Cyber Threat Intelligence (CTI) reports to extract the attack scene graph (ASG) that can be mapped to low-level system logs to strengthen attack samples. Second, we build a serialized graph forecast model, which is combined with the attack provenance graph (APG) provided by EDR to generate an attack forecast graph (AFG) to predict the next move. Finally, we utilize the attack template graph (ATG) and graph alignment plus algorithm for technique-level interpretation to automatically dispatch strategies for EDR to reinforce system in advance. EFI can avoid the impact of existing EDR false positives, and can reduce the attack surface of system without affecting the normal operations. We collect a total of 3,484 CTI reports, generate 1,429 ASGs, label 8,000 sentences, tag 10,451 entities, and construct 256 ATGs. Experimental results on both DARPA Engagement and large scale CTI dataset show that the alignment score between the AFG predicted by EFI and the real attack graph is able to exceed 0.8, the forecast and interpretation precision of EFI can reach 91.8%.

Cryptography and Security

Nan Xiao,Bo Lang,Ting Wang,Yikai Chen

2024-02-20

Abstract:Threat actor attribution is a crucial defense strategy for combating advanced persistent threats (APTs). Cyber threat intelligence (CTI), which involves analyzing multisource heterogeneous data from APTs, plays an important role in APT actor attribution. The current attribution methods extract features from different CTI perspectives and employ machine learning models to classify CTI reports according to their threat actors. However, these methods usually extract only one kind of feature and ignore heterogeneous information, especially the attributes and relations of indicators of compromise (IOCs), which form the core of CTI. To address these problems, we propose an APT actor attribution method based on multimodal and multilevel feature fusion (APT-MMF). First, we leverage a heterogeneous attributed graph to characterize APT reports and their IOC information. Then, we extract and fuse multimodal features, including attribute type features, natural language text features and topological relationship features, to construct comprehensive node representations. Furthermore, we design multilevel heterogeneous graph attention networks to learn the deep hidden features of APT report nodes; these networks integrate IOC type-level, metapath-based neighbor node-level, and metapath semantic-level attention. Utilizing multisource threat intelligence, we construct a heterogeneous attributed graph dataset for verification purposes. The experimental results show that our method not only outperforms the existing methods but also demonstrates its good interpretability for attribution analysis tasks.

Cryptography and Security,Machine Learning

Nidhi Rastogi,Sharmishtha Dutta,Mohammed J. Zaki,Alex Gittens,Charu Aggarwal

DOI: https://doi.org/10.48550/arXiv.2102.05571

2023-01-19

Abstract:Threat intelligence on malware attacks and campaigns is increasingly being shared with other security experts for a cost or for free. Other security analysts use this intelligence to inform them of indicators of compromise, attack techniques, and preventative actions. Security analysts prepare threat analysis reports after investigating an attack, an emerging cyber threat, or a recently discovered vulnerability. Collectively known as cyber threat intelligence (CTI), the reports are typically in an unstructured format and, therefore, challenging to integrate seamlessly into existing intrusion detection systems. This paper proposes a framework that uses the aggregated CTI for analysis and defense at scale. The information is extracted and stored in a structured format using knowledge graphs such that the semantics of the threat intelligence can be preserved and shared at scale with other security analysts. Specifically, we propose the first semi-supervised open-source knowledge graph-based framework, TINKER, to capture cyber threat information and its context. Following TINKER, we generate a Cyberthreat Intelligence Knowledge Graph (CTI-KG) and demonstrate the usage using different use cases.

Cryptography and Security,Artificial Intelligence,Information Retrieval,Machine Learning