Automated Threat Report Classification over Multi-Source Data

Ayoade, Gbadebo; Chandra, Swarup; Khan, Latifur; Hamlen, Kevin W.; Thuraisingham, Bhavani

doi:10.1109/cic.2018.00040

Cited by 27 publications

(21 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The statistics of reports used by previous documentlevel TTP mining methods (Ayoade et al 2018;Legoy (1) Li et al 2019) and our annotated dataset are shown in Table 3.…”

Section: Data Sourcementioning

confidence: 99%

“…Several existing TTP classification methods (Ayoade et al 2018;Legoy 2019;Li et al 2019;Niakanlahiji et al 2018) are at the document level, which may cause lowaccuracy problems since the articles may consist of different kinds of TTPs. These methods also have limitations that can only provide static names with a confidence coefficient without providing more details, such as related TTP elements, which are also significant to cyber defenders.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

TIM: threat context-enhanced TTP intelligence mining on unstructured threat data

et al. 2022

View full text Add to dashboard Cite

TTPs (Tactics, Techniques, and Procedures), which represent an attacker’s goals and methods, are the long period and essential feature of the attacker. Defenders can use TTP intelligence to perform the penetration test and compensate for defense deficiency. However, most TTP intelligence is described in unstructured threat data, such as APT analysis reports. Manually converting natural language TTPs descriptions to standard TTP names, such as ATT&CK TTP names and IDs, is time-consuming and requires deep expertise. In this paper, we define the TTP classification task as a sentence classification task. We annotate a new sentence-level TTP dataset with 6 categories and 6061 TTP descriptions from 10761 security analysis reports. We construct a threat context-enhanced TTP intelligence mining (TIM) framework to mine TTP intelligence from unstructured threat data. The TIM framework uses TCENet (Threat Context Enhanced Network) to find and classify TTP descriptions, which we define as three continuous sentences, from textual data. Meanwhile, we use the element features of TTP in the descriptions to enhance the TTPs classification accuracy of TCENet. The evaluation result shows that the average classification accuracy of our proposed method on the 6 TTP categories reaches 0.941. The evaluation results also show that adding TTP element features can improve our classification accuracy compared to using only text features. TCENet also achieved the best results compared to the previous document-level TTP classification works and other popular text classification methods, even in the case of few-shot training samples. Finally, the TIM framework organizes TTP descriptions and TTP elements into STIX 2.1 format as final TTP intelligence for sharing the long-period and essential attack behavior characteristics of attackers. In addition, we transform TTP intelligence into sigma detection rules for attack behavior detection. Such TTP intelligence and rules can help defenders deploy long-term effective threat detection and perform more realistic attack simulations to strengthen defense.

show abstract

“…The statistics of reports used by previous documentlevel TTP mining methods (Ayoade et al 2018;Legoy (1) Li et al 2019) and our annotated dataset are shown in Table 3.…”

Section: Data Sourcementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

TIM: threat context-enhanced TTP intelligence mining on unstructured threat data

et al. 2022

View full text Add to dashboard Cite

show abstract

“…In Wang et al [22], a method was proposed, which utilized TF-IDF scores of article contexts, combined with chi-square statistics, as the feature, and trained the SVM model as the classifier. An automated threat report classification method over company OSTIPs was discussed by Ayoade et al [23], and the method also utilized the TF-IDF scores as the classification feature. However, the bias-corrected classifier they trained can promote its accuracy and adaptive ability on article classification.…”

Section: Related Workmentioning

confidence: 99%

“…Dependency parsers mainly utilized NER techniques and machine learning methods. Mavroeidis et al [27] and Ayoade et al [23] proposed different CTI information extraction by building cybersecurity threat intelligence ontology. Iqbal and Anwar [28] demonstrated a combined ontological model of CKC [29] and POP [30] which can help extract CTI information from APT event-related articles.…”

Section: Related Workmentioning

confidence: 99%

An Automatic Generation Approach of the Cyber Threat Intelligence Records Based on Multi-Source Information Fusion

Sun

Yang

et al. 2021

Future Internet

View full text Add to dashboard Cite

With the progressive deterioration of cyber threats, collecting cyber threat intelligence (CTI) from open-source threat intelligence publishing platforms (OSTIPs) can help information security personnel grasp public opinions with specific pertinence, handle emergency events, and even confront the advanced persistent threats. However, due to the explosive growth of information shared on multi-type OSTIPs, manually collecting the CTI has had low efficiency. Articles published on the OSTIPs are unstructured, leading to an imperative challenge to automatically gather CTI records only through natural language processing (NLP) methods. To remedy these limitations, this paper proposes an automatic approach to generate the CTI records based on multi-type OSTIPs (GCO), combing the NLP method, machine learning method, and cybersecurity threat intelligence knowledge. The experiment results demonstrate that the proposed GCO outperformed some state-of-the-art approaches on article classification and cybersecurity intelligence details (CSIs) extraction, with accuracy, precision, and recall all over 93%; finally, the generated records in the Neo4j-based CTI database can help reveal malicious threat groups.

show abstract

“…Zhu et al [17] proposed an approach to bridge measurement data with manual analysis and train a multiclass classifier to extract IOCs and further categorize them into different stages. Ayoade et al [18] have leveraged natural language processing techniques to extract attacker's actions from threat report documents generated by different organizations and then automatically classify them into standardized tactics and techniques.…”

Section: Related Workmentioning

confidence: 99%

EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning

Zhang

Shen

Guo

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

With the increasing complexity of network attacks, an active defense based on intelligence sharing becomes crucial. There is an important issue in intelligence analysis that automatically extracts threat actions from cyber threat intelligence (CTI) reports. To address this problem, we propose EX-Action, a framework for extracting threat actions from CTI reports. EX-Action finds threat actions by employing the natural language processing (NLP) technology and identifies actions by a multimodal learning algorithm. At the same time, a metric is used to evaluate the information completeness of the extracted action obtained by EX-Action. By the experiment on the CTI reports that consisted of sentences with complex structure, the experimental result indicates that EX-Action can achieve better performance than two state-of-the-art action extraction methods in terms of accuracy, recall, precision, and F1-score.

show abstract

Automated Threat Report Classification over Multi-Source Data

Cited by 27 publications

References 8 publications

TIM: threat context-enhanced TTP intelligence mining on unstructured threat data

TIM: threat context-enhanced TTP intelligence mining on unstructured threat data

An Automatic Generation Approach of the Cyber Threat Intelligence Records Based on Multi-Source Information Fusion

EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning

Contact Info

Product

Resources

About