A System for Automated Open-Source Threat Intelligence Gathering and Management

Gao, Peng; Liu, Xiaoyuan; Choi, Edward; Soman, Bhavna; Mishra, Chinmaya; Farris, Kate; Song, Dezhen

doi:10.48550/arxiv.2101.07769

Cited by 3 publications

(9 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The use of CTI is an integral component of such systems. Knowledge graphs for cybersecurity have been used before to represent various entities [31]- [33]. Open source CTI has been used to build Cybersecurity Knowledge Graphs (CKG) and other agents to aid cybersecurity analysts working in an organization [3]- [10].…”

Section: Ai-based Cyber Systems and Knowledge Graphsmentioning

confidence: 99%

“…With the fake CTI examples in Table I we can easily simulate a data poisoning attack where the fake CTI is used as training input to subvert knowledge extraction pipelines such as those described by Piplai et al [32], Mittal et al [3], [4], Gao et al [33], [50], and Arnold et al [10]. Here an attacker can skillfully position fake CTI on multiple OSINT sources like Twitter, Stack Overflow, dark web forums, and blogs.…”

Section: Data Poisoning Using Fake Ctimentioning

confidence: 99%

“…A CTI ingestion pipeline described in Piplai et al [32] and similar systems [10], [33], [50] take a CTI source as an input and produces a CKG as an output. The CKG contains cyber entities and their existing relationships.…”

Section: A Processing Fake Ctimentioning

confidence: 99%

“…Once these knowledge representations are poisoned, additional defense systems can also be adversely impacted by fake cybersecurity information. For example, many of the insights generated by knowledge graphs are useful to other systems like AI-based intrusion detection systems [35], [36], [52], or alert-generators [3], [33], reaching a larger breadth of linked systems and cybersecurity professionals.…”

Section: B Effects Of Fake Cti Ingestionmentioning

confidence: 99%

See 3 more Smart Citations

Generating Fake Cyber Threat Intelligence Using Transformer-Based Models

Ranade¹,

Piplai²,

Mittal³

et al. 2021

Preprint

View full text Add to dashboard Cite

Cyber-defense systems are being developed to automatically ingest Cyber Threat Intelligence (CTI) that contains semi-structured data and/or text to populate knowledge graphs. A potential risk is that fake CTI can be generated and spread through Open-Source Intelligence (OSINT) communities or on the Web to effect a data poisoning attack on these systems. Adversaries can use fake CTI examples as training input to subvert cyber defense systems, forcing the model to learn incorrect inputs to serve their malicious needs.In this paper, we automatically generate fake CTI text descriptions using transformers. We show that given an initial prompt sentence, a public language model like GPT-2 with fine-tuning, can generate plausible CTI text with the ability of corrupting cyber-defense systems. We utilize the generated fake CTI text to perform a data poisoning attack on a Cybersecurity Knowledge Graph (CKG) and a cybersecurity corpus. The poisoning attack introduced adverse impacts such as returning incorrect reasoning outputs, representation poisoning, and corruption of other dependent AI-based cyber defense systems. We evaluate with traditional approaches and conduct a human evaluation study with cybersecurity professionals and threat hunters. Based on the study, professional threat hunters were equally likely to consider our fake generated CTI as true.

show abstract

Section: Ai-based Cyber Systems and Knowledge Graphsmentioning

confidence: 99%

Section: Data Poisoning Using Fake Ctimentioning

confidence: 99%

Section: A Processing Fake Ctimentioning

confidence: 99%

Section: B Effects Of Fake Cti Ingestionmentioning

confidence: 99%

See 2 more Smart Citations

Generating Fake Cyber Threat Intelligence Using Transformer-Based Models

Ranade¹,

Piplai²,

Mittal³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…For example, significant inconsistency was detected between reports from the CVE and NVD databases [8], which may cause system administrators to retrieve outdated or incorrect security alerts, exposing systems under their watch to hazard; inconsistency was also detected between two entries created by the same vendor Samsung in [10]; Second, the extracted entries can be used in other downstream applications. For example, we can leverage different categories of entries (e.g., vendor name, vulnerability types, attacker name) to construct a knowledge ontology for modeling the interplay between security entries [16,2]. The extracted entries have also been used for automatically generating a natural language summarization of the original report by leveraging a template [38].…”

Section: Introductionmentioning

confidence: 99%

Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-Trained Language Models

Yang

Dineen

Lin

et al. 2021

Preprint

View full text Add to dashboard Cite

Public security vulnerability reports (e.g., CVE reports) play an important role in the maintenance of computer and network systems. Security companies and administrators rely on information from these reports to prioritize tasks on developing and deploying patches to their customers. Since these reports are unstructured texts, automatic information extraction (IE) can help scale up the processing by converting the unstructured reports to structured forms, e.g., software names and versions [8] and vulnerability types [38]. Existing works on automated IE for security vulnerability reports often rely on a large number of labeled training samples [8,18,48]. However, creating massive labeled training set is both expensive and time consuming. In this work, for the first time, we propose to investigate this problem where only a small number of labeled training samples are available. In particular, we investigate the performance of fine-tuning several state-of-the-art pre-trained language models on our small training dataset. The results show that with pre-trained language models and carefully tuned hyperparameters, we have reached or slightly outperformed the state-of-the-art system [8] on this task. Consistent with previous two-step process of first fine-tuning on main category and then transfer learning to others as in [7], if otherwise following our proposed approach, the number of required labeled samples substantially decrease in both stages: 90% reduction in fine-tuning from 5758 to 576, and 88.8% reduction in transfer learning with 64 labeled samples per category. Our experiments thus demonstrate the effectiveness of few-sample learning on NER for security vulnerability report. This result opens up multiple research opportunities for few-sample learning for security vulnerability reports, which is discussed in the paper. Our implementation for few-sample vulnerability entity tagger in security reports could be found at https://github.com/guanqun-yang/FewVulnerability.

show abstract

Generating Fake Cyber Threat Intelligence Using Transformer-Based Models

Ranade

Piplai

Mittal

et al. 2021

2021 International Joint Conference on Neural Networks (IJCNN)

View full text Add to dashboard Cite

Cyber-defense systems are being developed to automatically ingest Cyber Threat Intelligence (CTI) that contains semi-structured data and/or text to populate knowledge graphs. A potential risk is that fake CTI can be generated and spread through Open-Source Intelligence (OSINT) communities or on the Web to effect a data poisoning attack on these systems. Adversaries can use fake CTI examples as training input to subvert cyber defense systems, forcing their models to learn incorrect inputs to serve the attackers' malicious needs.In this paper, we show how to automatically generate fake CTI text descriptions using transformers. Given an initial prompt sentence, a public language model like GPT-2 with fine-tuning can generate plausible CTI text that can mislead cyber-defense systems. We use the generated fake CTI text to perform a data poisoning attack on a Cybersecurity Knowledge Graph (CKG) and a cybersecurity corpus. The attack introduced adverse impacts such as returning incorrect reasoning outputs, representation poisoning, and corruption of other dependent AI-based cyber defense systems. We evaluate with traditional approaches and conduct a human evaluation study with cybersecurity professionals and threat hunters. Based on the study, professional threat hunters were equally likely to consider our fake generated CTI and authentic CTI as true.

show abstract

A System for Automated Open-Source Threat Intelligence Gathering and Management

Cited by 3 publications

References 10 publications

Generating Fake Cyber Threat Intelligence Using Transformer-Based Models

Generating Fake Cyber Threat Intelligence Using Transformer-Based Models

Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-Trained Language Models

Generating Fake Cyber Threat Intelligence Using Transformer-Based Models

Contact Info

Product

Resources

About