Cyber Threat Intelligence (CTI) reports provide critical insights into cybersecurity threats and attacks, yet extracting key causal factors and prioritizing attack techniques remains challenging due to the complexity and nuances of these reports. Traditional methodologies grapple with issues such as the lack of labeled data and inconsistent vocabulary usage across reports. To address these challenges, we propose TRACE (Technique Relationship Analysis and Causal Factor Extraction). This novel framework leverages CTI reports to extract causal factors related to adversarial techniques and generate a comprehensive causal graph. TRACE combines pattern extraction and tagging methods to overcome the limitations of existing approaches. Utilizing Sentence-based BERT embeddings enhanced with knowledge mappings and deep learning techniques, TRACE discovers and models causal relationships between attack techniques in the reports. Our experiments on a dataset of CTI reports demonstrated TRACE's superior performance with a 0.87 F1 score in predicting causal factors. Building on the success of TRACE, we introduce FOCUS (Framework for Optimizing Cybersecurity Under Strategic Analysis), a streamlined framework designed to prioritize attack techniques within CTI reports. FOCUS leverages the SecureBERT model and a BiLSTM classifier with a Conditional Random Fields layer to analyze Indicators of Compromise (IoC) and perform sentence-level prediction of attack techniques and Common Weakness Enumeration (CWE) entities. Our method involves extracting keywords, annotating sentences, and tagging IoC-associated sentences for training.
Achieving an exceptional F1 score of 90% in entity extraction from CTI reports, FOCUS significantly enhances traditional analytical methods by effectively analyzing over 930 reports to prioritize cyber threats. We create a sequential flow of entities based on their temporal relations and propose seven metrics to calculate the significance of a technique in the CTI report. This sophisticated method combines both statistical analysis and qualitative assessments to calculate threat priorities, providing a concise, prioritized list of threats to support more effective cybersecurity strategies.