Thesis 110582609: detailed record




Author: 詹德蘭 (Vaitheeshwari Rajendran)
Department: Computer Science and Information Engineering
Thesis title: Advanced Cyber Threat Intelligence Analysis – From Relationship Mapping to Threat Prioritization
Related theses
★ Reliable multicast transmission with multiple tree structures
★ Design and development of cross-platform Widgets on embedded mobile devices
★ Implementing a lightweight GUI library for handheld multimedia players on ARM-based embedded systems
★ Scalable QoS-aware GStreamer modules for networked mobile devices
★ Developing a scalable, cross-platform GSM/HSDPA engine for mobile network devices
★ Efficient multi-format decoding management on single-chip multimedia devices
★ IMS client design and instant-messaging module development: implementing the personal information exchange and instant message modules
★ Implementing a user-friendly embedded small-screen web browser on portable multimedia devices
★ Implementing an IMS-based real-time voice and video call engine using open-source libraries
★ Embedded e-book development: customized download service implementation and data storage management design
★ Efficient frame-reference handling and multimedia-metadata-aware player design on digital set-top boxes
★ Developing a digitally secure e-book: efficient update module and database implementation
★ Next-generation IMS client software development for heterogeneous wireless broadband systems
★ Designing and implementing a reconfigurable GUI on portable digital set-top boxes
★ Friendly GUI design and possibility support for E-book Reader based Android client
★ Effective GUI Design and Memory Usage Management for Android-based Services
Full text: available in the system after 2027-1-22.
Abstract (Chinese): same content as the English abstract below.
Abstract (English): Cyber Threat Intelligence (CTI) reports provide critical insight into cybersecurity threats and attacks, yet extracting key causal factors and prioritizing attack techniques remains challenging because of the complexity and nuance of these reports. Traditional methods struggle with the lack of labeled data and with inconsistent vocabulary across reports. To address these challenges, we propose TRACE (Technique Relationship Analysis and Causal Factor Extraction), a framework that extracts causal factors related to adversarial techniques from CTI reports and generates a comprehensive causal graph. TRACE combines pattern extraction and tagging to overcome the limitations of existing approaches. Using Sentence-BERT (SBERT) embeddings enhanced with knowledge mappings and deep learning, TRACE discovers and models causal relationships between attack techniques in the reports. Our experiments on a dataset of CTI reports show that TRACE predicts causal factors with an F1 score of 0.87.
Building on TRACE, we introduce FOCUS (Framework for Optimizing Cybersecurity Under Strategic Analysis), a streamlined framework for prioritizing the attack techniques in CTI reports. FOCUS uses the SecureBERT model and a BiLSTM classifier with a Conditional Random Field (CRF) layer to analyze Indicators of Compromise (IoCs) and to predict, at sentence level, attack techniques and Common Weakness Enumeration (CWE) entities. The method extracts keywords, annotates sentences, and tags IoC-associated sentences for training. FOCUS reaches an F1 score of 90% on entity extraction from CTI reports and has been applied to more than 930 reports to prioritize cyber threats. From the temporal relations between extracted entities we build a sequential flow and propose seven metrics that quantify the significance of a technique within a CTI report. The method combines statistical analysis with qualitative assessment to compute threat priorities, yielding a concise, prioritized list of threats that supports more effective cybersecurity strategies.
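As an added example that is not code from the thesis or from this catalog record, the Python script below mimics the FOCUS stages described above at toy scale: tag ATT&CK technique and CWE entities per sentence, build a sequential attack flow from the order of mentions, and rank techniques with weighting metrics. Everything in it is an assumption made for illustration: the three reports are constructed text, a regex tagger stands in for the SecureBERT + BiLSTM-CRF model, sentence order stands in for the learned temporal-relation classifier, and the four metrics (prevalence, entry position, successors, co-tagged weaknesses) with equal weights are not the seven metrics the thesis defines.

```python
"""Toy CTI technique prioritization pipeline (added example, not the thesis's code).

Stages: sentence-level entity tagging -> sequential flow -> metric-based ranking.
The regex tagger, sentence-order temporal relation, constructed reports and the
metric set are all assumptions for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample reports (invented text, not real CTI).
REPORTS = {
    "report-a": (
        "The actor sent a spearphishing attachment (T1566.001) to finance staff. "
        "The macro launched PowerShell (T1059.001) to fetch a second stage. "
        "Credentials were dumped from LSASS (T1003.001) before lateral movement "
        "over SMB (T1021.002)."
    ),
    "report-b": (
        "Initial access exploited a public-facing application (T1190) affected by "
        "CWE-502 deserialization. Operators then ran PowerShell (T1059.001) and "
        "dumped LSASS memory (T1003.001)."
    ),
    "report-c": (
        "A phishing attachment (T1566.001) delivered a loader that used "
        "PowerShell (T1059.001) for execution."
    ),
}

TECH_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")   # ATT&CK technique / sub-technique ID
CWE_RE = re.compile(r"\bCWE-\d+\b")               # CWE ID
SENT_RE = re.compile(r"(?<=[.!?])\s+")            # naive sentence splitter


def tag_sentences(text):
    """Sentence-level entity tagging (regex stand-in for the learned tagger).
    Returns [(techniques, cwes)] for each sentence with at least one entity,
    in report order."""
    tagged = []
    for sent in SENT_RE.split(text.strip()):
        techs, cwes = TECH_RE.findall(sent), CWE_RE.findall(sent)
        if techs or cwes:
            tagged.append((techs, cwes))
    return tagged


def technique_sequence(tagged):
    """Flatten tagged sentences into the order in which techniques appear."""
    return [t for techs, _ in tagged for t in techs]


def sequential_flow(tagged):
    """Edges (earlier -> later) between consecutive technique mentions;
    sentence order approximates the 'before' temporal relation."""
    seq = technique_sequence(tagged)
    return list(zip(seq, seq[1:]))


def score_techniques(reports):
    """Per-technique metrics and priority score (metrics assumed for illustration):
      prevalence : fraction of reports mentioning the technique
      entry      : mean normalized position in the flow, 1.0 = first step
      successors : number of distinct techniques that follow it
      weaknesses : number of distinct CWEs tagged in the same sentence
    score = prevalence + entry + successors + weaknesses (equal weights, assumed)."""
    n_reports = len(reports)
    seen_in, mentions = Counter(), Counter()
    pos_sum = defaultdict(float)
    succ, cwes_for = defaultdict(set), defaultdict(set)

    for text in reports.values():
        tagged = tag_sentences(text)
        seq = technique_sequence(tagged)
        for t in set(seq):
            seen_in[t] += 1
        last = max(len(seq) - 1, 1)           # avoid division by zero for one mention
        for k, t in enumerate(seq):
            pos_sum[t] += 1 - k / last
            mentions[t] += 1
        for a, b in sequential_flow(tagged):
            succ[a].add(b)
        for techs, cwes in tagged:
            for t in techs:
                cwes_for[t].update(cwes)

    metrics = {}
    for t in seen_in:
        m = {
            "prevalence": seen_in[t] / n_reports,
            "entry": pos_sum[t] / mentions[t],
            "successors": len(succ[t]),
            "weaknesses": len(cwes_for[t]),
        }
        m["score"] = m["prevalence"] + m["entry"] + m["successors"] + m["weaknesses"]
        metrics[t] = m
    return metrics


def prioritize(reports):
    """Technique IDs ranked by descending priority score (ties broken by ID)."""
    metrics = score_techniques(reports)
    return sorted(metrics, key=lambda t: (-metrics[t]["score"], t))


if __name__ == "__main__":
    metrics = score_techniques(REPORTS)
    for rank, t in enumerate(prioritize(REPORTS), 1):
        print(f"{rank}. {t}: score={metrics[t]['score']:.2f} {metrics[t]}")
```

On the constructed reports the ranking puts T1190 first because it is an entry step that co-occurs with a CWE, followed by the two most prevalent techniques; swapping in a real tagger, a trained temporal classifier, and the thesis's own metrics changes the numbers but not the shape of the pipeline.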
Keywords
★ Attack prioritization
★ causal analysis
★ Common Weakness Enumeration (CWE)
★ CTI
★ data components
★ IoC analysis
★ MITRE ATT&CK techniques
★ MITRE data source
★ SecureBERT
Table of Contents
Abstract (Chinese) i
Abstract (English) ii
Acknowledgments iii
Table of Contents iv
List of Figures vi
List of Tables vii
1 Introduction 1
1.1 Importance of Cyber Threat Intelligence 1
1.2 Challenges in CTI Analysis 1
1.3 Challenges in Automating Knowledge Extraction 3
1.4 Research Gaps 3
1.4.1 Extraction of Causal Factors and CWE 3
1.4.2 Sequential Attack Flow and Prioritization 4
1.5 Proposed Solutions 4
1.5.1 TRACE Framework 4
1.5.2 FOCUS Framework 5
1.6 Contributions 5
1.7 Dissertation’s Structure 6
2 The TRACE Framework 7
2.1 TRACE Overview 7
2.2 Background and Related Work 8
2.2.1 The Causal Factors 8
2.2.2 Related Work 9
2.3 Problem Formulation 12
2.4 TRACE System Design 13
2.4.1 Label Generation 14
2.4.2 CTI Report Processing 17
2.4.3 CTI Report Tagging 17
2.4.4 Prediction of CWE and CoA IDs 19
2.5 TRACE Implementation 19
2.5.1 Feature Extraction 19
2.5.2 SBERT Initialization 20
2.5.3 BiLSTM Layer Integration and Training 22
2.5.4 Graph Generation 24
2.6 Results and Evaluation 26
2.6.1 Dataset Description 26
2.6.2 Implementation Aspects and Hyperparameter Setup 26
2.6.3 Evaluation Metrics 27
2.6.4 Performance of TRACE Training and Validation 28
2.6.5 Performance of TRACE Prediction 31
2.6.6 Graph Generation – Case Study 32
3 The FOCUS Framework 35
3.1 FOCUS Overview 35
3.2 Background and Related Work 37
3.2.1 MITRE ATT&CK Framework 37
3.2.2 The Sequential Attack Flow 37
3.2.3 The Priority-based Attack Flow 38
3.2.4 Related Work 39
3.3 Problem Formulation 41
3.4 System Design and Implementation 42
3.4.1 CTI Report Collection 42
3.4.2 IoC Behavioral Pattern Extraction 43
3.4.3 Entity Extraction 45
3.4.4 Sequential Flow Generation 47
3.4.5 Weight Metrics Formulation 49
3.4.6 Quantitative Assessment of Weight Metrics 51
3.4.7 Priority-based Flowchart Generation 53
3.5 Results and Discussions 54
3.5.1 Dataset Description 54
3.5.2 Performance of Various Models on Entity Extraction 55
3.5.3 Validation of Entity Extraction 57
3.5.4 Performance of Temporal Relation Classifier 57
3.5.5 Weight Metric Calculation 58
3.5.6 Case Study: Priority-based Flowchart Construction 60
4 Conclusion and Future Work 63
4.1 TRACE Framework 63
4.2 FOCUS Framework 63
4.3 Integration or Correlation Between TRACE and FOCUS 64
4.4 Future Work 64
References 66
Advisor: 吳曉光 (Eric Hsiao-Kuang Wu)
Approval date: 2025-1-22

For questions about this thesis, contact the National Central University Library Promotion Services Division, TEL: (03)422-7151 ext. 57407, or by e-mail.