Focusing on the Weakest Link: A Similarity Analysis on Phishing Campaigns Based on the ATT&amp;CK Matrix

Shin, Youngsup; Kim, Kyoungmin; Lee, Jemin Justin; Lee, Kyung-Ho

doi:10.1155/2022/1699657

Cited by 11 publications

(5 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In other words, several classes that, even intuitively, are expected to be disjoint are not disjoint, including DIGITAL ARTIFACT and PHYSI-CAL ARTIFACT (for example, HARDWARE DEVICE), PHYSICAL OBJECT and DIGITAL OBJECT, DIGITAL ARTIFACT and DIGITAL EVENT, PHYSICAL LOCATION and PHYS-ICAL OBJECT, among others. Actually, similar issues have been found in other large ontologies, such as Schema.org 11 , where, for example, LOCALBUSINESS is both a PLACE and an ORGANIZATION 12 . In this case specifically, under UFO assumptions, ORGANI-ZATION and PLACE can be seen as different OBJECTS with different unique principles of identity, so they cannot be a subtype of one another [32,2].…”

Section: General Semantic Issues Within D3fendsupporting

confidence: 57%

“…D3FEND's primary goal is to help to standardize the vocabulary used to describe defensive cybersecurity technology functionality. A number of recent cybersecurity studies make use of it for the process of identification and assessment of cyber threats, and response against them [10,11,12,13,14], among other applications, including the design of a game to support security education and risk assessment [15]. D3FEND is also an example of an ontology developed without an explicit tie to an upper ontology, and to the best of our knowledge, there is no systemic ontological analysis of this artifact, whose validity seems to be taken for granted.…”

Section: Introductionmentioning

confidence: 99%

“…While this paper was being reviewed, another version of D3FEND was released in January 2023, named '0.12.0-BETA-2', which fixed some of the issues that we identified in our analysis, including the logical inconsistency found by the reasoners. Nonetheless, our main argument about the importance of ontological foundations in the ontology engineering practice still holds.11 See: https://schema.org/ 12. LOCALBUSINESS in Schema.org: https://schema.org/LocalBusiness.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Boosting D3FEND: Ontological Analysis and Recommendations

Oliveira,

Engelberg,

Barcelos

et al. 2023

Frontiers in Artificial Intelligence and Applications

View full text Add to dashboard Cite

Formal Ontology is a discipline whose business is to develop formal theories about general aspects of reality such as identity, dependence, parthood, truthmaking, causality, etc. A foundational ontology is a specific consistent set of these ontological theories that support activities such as domain analysis, conceptual clarification, and meaning negotiation. A (well-founded) core ontology specifies, under a foundational ontology, the central concepts and relations of a given domain. Foundational and core ontologies can be seen as ontology engineering frameworks to systematically address the laborious task of building large (more specific) domain ontologies. However, both in research and industry, it is common that ontologies as computational artifacts are built without the aid of any framework of this kind, often yielding modeling mistakes and representation gaps. In this paper, we analyze a case in the domain of cybersecurity, namely, the case of D3FEND - an OWL knowledge graph of cybersecurity countermeasure techniques proposed by the MITRE Corporation. Based on the Reference Ontology for Security Engineering (ROSE), a core ontology of the security domain founded in the Unified Foundational Ontology (UFO), our investigation reveals a number of semantic issues and opportunities for improvement in D3FEND, including missing concepts, semantic overload of terms, and lacking constraints that cause an under-specification of the model. As a result of our ontological analysis, we propose several suggestions for the appropriate redesign of D3FEND to overcome those issues.

show abstract

Section: General Semantic Issues Within D3fendsupporting

confidence: 57%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Boosting D3FEND: Ontological Analysis and Recommendations

Oliveira,

Engelberg,

Barcelos

et al. 2023

Frontiers in Artificial Intelligence and Applications

View full text Add to dashboard Cite

show abstract

“…Para cada una de las técnicas, MITRE proporciona información sobre posibles mecanismos para su detección y/o mitigación. Estudios recientes como (Xiong et al, 2022), (Liu, Wang y Chen, 2022) y (Shin et al, 2022) también basan sus soluciones en estas matrices.…”

Section: Introductionunclassified

Propuesta De Un Enfoque Basado en El Aprendizaje Automático Para La Detección De Intrusiones en Redes De Tecnología De Operación

2022

Proceedings of the Ibero American Conferences on Applied Computing 2022 and WWW/Internet 2022

View full text Add to dashboard Cite

“…Since TTP information is a simple string, the embedding process is required to use it for training. Previous studies have used very simple embeddings such as onehot vectorization [3], [10]. Although they tried to reflect tactical information in the vectorization process, this approach has the limitation that it does not reflect any statistical information of TTP data.…”

mentioning

confidence: 99%

Exploiting TTP Co-Occurrence via GloVe-Based Embedding With MITRE ATT&CK Framework

Shin,

Lee,

Choi

2023

IEEE Access

View full text Add to dashboard Cite

The digital transformation of various systems has brought great convenience to our daily lives, but it has also increased the level of cyberattacks. As the number of cyberattacks has increased, so has the number of reports analyzing them, MITRE publishes the ATT&CK Matrix which analyzes the tactics and techniques of attacks based on real-world examples. As the flow of attacks has become more understandable through TTP information, researchers have been using it with deep learning models to detect or predict attacks, which makes embedding essential to train the model. In previous studies on embedding TTPs, embedding is limited to simple statistical methods such as one-hot encoding and TF-IDF. Such methods do not consider the order of TTPs and the conceptual similarity between TTPs, therefore do not capture the rich information that TTPs contain. In this paper, we propose embedding TTP with GloVe, a method using a co-occurrence matrix. To properly evaluate the semantic embedding performance of TTP, we also propose a measurement called Tactic Match Rate (TMR). In the experimental results, 8 out of 14 tactics showed a TMR of more than 0.5. Especially the ''TA0007 (Discovery)'' tactic showed the highest TMR of 0.87. Through correlation analysis, the experimental result shows that the reason for the different embedding performances of the tactic is affected by the frequency of the technique in the same tactic, with at most a 0.96 score. We also experimentally demonstrated that the neutrality of TTP affects learning performance.

show abstract

Focusing on the Weakest Link: A Similarity Analysis on Phishing Campaigns Based on the ATT&CK Matrix

Cited by 11 publications

References 25 publications

Boosting D3FEND: Ontological Analysis and Recommendations

Boosting D3FEND: Ontological Analysis and Recommendations

Propuesta De Un Enfoque Basado en El Aprendizaje Automático Para La Detección De Intrusiones en Redes De Tecnología De Operación

Exploiting TTP Co-Occurrence via GloVe-Based Embedding With MITRE ATT&CK Framework

Contact Info

Product

Resources

About