Cyber Threat Attribution with Multi-View Heuristic Analysis

Sahoo, Dilip

doi:10.1007/978-3-030-74753-4_4

Cited by 8 publications

(2 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the analysis of malware homology, it is a common strategy for attackers to employ various malware variants as a means to circumvent detection and obscure classification. To tackle this challenge, Sahoo et al [10] developed multi-view descriptions of malware by extracting and mixing opcodes, bytecodes, and header features. These descriptions serve to counteract obfuscation techniques effectively.…”

Section: Malware-based Methodsmentioning

confidence: 99%

“…However, existing research has not fully capitalized on threat intelligence in the proactive detection of coordinated cyber attackers. Typically, the attribution process for a cyber attack commences with a technical analysis of the data produced during the incident [6], often focusing on malware sample investigation [7][8][9][10][11][12][13]. Malware utilized in APT campaigns facilitates remote manipulation and data theft from infected devices, highlighting its crucial role in delineating APT group profiles.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

IPAttributor: Cyber Attacker Attribution with Threat Intelligence-Enriched Intrusion Data

Xiang,

Liu,

Zeng

et al. 2024

Mathematics

View full text Add to dashboard Cite

In the dynamic landscape of cyberspace, organizations face a myriad of coordinated advanced threats that challenge the traditional defense paradigm. Cyber Threat Intelligence (CTI) plays a crucial role, providing in-depth insights into adversary groups and enhancing the detection and neutralization of complex cyber attacks. However, attributing attacks poses significant challenges due to over-reliance on malware samples or network detection data alone, which falls short of comprehensively profiling attackers. This paper proposes an IPv4-based threat attribution model, IPAttributor, that improves attack characterization by merging a real-world network behavior dataset comprising 39,707 intrusion entries with commercial threat intelligence from three distinct sources, offering a more nuanced context. A total of 30 features were utilized from the enriched dataset for each IP to create a feature matrix to assess the similarities and linkage of associated IPs, and a dynamic weighted threat segmentation algorithm was employed to discern attacker communities. The experiments affirm the efficacy of our method in pinpointing attackers sharing a common origin, achieving the highest accuracy of 88.89%. Our study advances the relatively underexplored line of work of cyber attacker attribution, with a specific interest in IP-based attribution strategies, thereby enhancing the overall understanding of the attacker’s group regarding their capabilities and intentions.

show abstract

Section: Malware-based Methodsmentioning

confidence: 99%