Threat Intelligence Computing

Shu, Xiaokui; Araujo, Frederico; Schales, Douglas Lee; Stoecklin, Marc Ph.; Jang, Jiyong; Huang, Heqing; Rao, Josyula R.

doi:10.1145/3243734.3243829

Cited by 51 publications

(32 citation statements)

References 75 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is one of the important research contents in CTI analysis that reconstruct CTI knowledge by using the graph mode. Shu et al [10] used a graph model to organize multisource heterogeneous threat data, which formalize cyber threat intelligence computing into a new security paradigm. Ya et al [11] proposed an attack entities recognition method to construct a CTI knowledge graph.…”

Section: Related Workmentioning

confidence: 99%

EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning

Zhang

Shen

Guo

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

With the increasing complexity of network attacks, an active defense based on intelligence sharing becomes crucial. There is an important issue in intelligence analysis that automatically extracts threat actions from cyber threat intelligence (CTI) reports. To address this problem, we propose EX-Action, a framework for extracting threat actions from CTI reports. EX-Action finds threat actions by employing the natural language processing (NLP) technology and identifies actions by a multimodal learning algorithm. At the same time, a metric is used to evaluate the information completeness of the extracted action obtained by EX-Action. By the experiment on the CTI reports that consisted of sentences with complex structure, the experimental result indicates that EX-Action can achieve better performance than two state-of-the-art action extraction methods in terms of accuracy, recall, precision, and F1-score.

show abstract

Section: Related Workmentioning

confidence: 99%

EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning

Zhang

Shen

Guo

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Data-driven cyber security event prediction and analysis are hot topics in current cyber security research [1]. Xiaokui Shu introduces a new methodology that models threat discovery as a graph computation problem for threat intelligence [2]. As a semantic knowledge base, knowledge graph is a powerful tool for managing large-scale knowledge consists with entities and relations between them.…”

Section: Related Workmentioning

confidence: 99%

Distant Supervision for Relations Extraction via Deep Residual Learning and Multi-instance Attention in Cybersecurity

Shen

Qin

Wang

et al. 2021

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

A large number of open source threat intelligence resources provide regularly updated threat sources that can be applied to a variety of security analysis solutions. Fragmented security news, security forums, and vulnerability information are important sources of cyber threat intelligence, but it is difficult to correlate these multiple-source data. Cybersecurity knowledge graph is a powerful tool for data-driven thread intelligence computing. Relation extraction is a very important task in construction of cybersecurity knowledge graph from unstructured data. In order to reduce the influence of noisy data in deep learning model, we propose a distant supervised relation extraction model ResPCNN-ATT based on deep residual convolutional neural network and attention mechanism. This method takes word vector and position vector of the word as input of the model, extracts semantic features of texts through the piecewise convolutional neural network model PCNN, achieves the learning effect of less noisy data and better extracts deep semantic features in sentenses by using deep residuals Compared with other models, the model proposed in this paper achieves higher accuracy than other models.

show abstract

“…Gao et al [22], [23] present query languages for threat hunters, and a system for processing their queries. Shu et al [73] model threat hunting as a graph computation problem, and present a domain-specific language that simplifies the development of custom graph searches.…”

Section: Attack Detectionmentioning

confidence: 99%

Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics

Hossain

Sheikhi

Sekar

2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We are witnessing a rapid escalation in targeted cyberattacks called Advanced and Persistent Threats (APTs). Carried out by skilled adversaries, these attacks take place over extended time periods, and remain undetected for months. A common approach for retracing the attacker's steps is to start with one or more suspicious events from system logs, and perform a dependence analysis to uncover the rest of attacker's actions. The accuracy of this analysis suffers from the dependence explosion problem, which causes a very large number of benign events to be flagged as part of the attack. In this paper, we propose two novel techniques, tag attenuation and tag decay, to mitigate dependence explosion. Our techniques take advantage of common behaviors of benign processes, while providing a conservative treatment of processes and data with suspicious provenance. Our system, called MORSE, is able to construct a compact scenario graph that summarizes attacker activity by sifting through millions of system events in a matter of seconds. Our experimental evaluation, carried out using data from two government-agency sponsored red team exercises, demonstrates that our techniques are (a) effective in identifying stealthy attack campaigns, (b) reduce the false alarm rates by more than an order of magnitude, and (c) yield compact scenario graphs that capture the vast majority of the attack, while leaving out benign background activity.

show abstract

Threat Intelligence Computing

Cited by 51 publications

References 75 publications

EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning

EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning

Distant Supervision for Relations Extraction via Deep Residual Learning and Multi-instance Attention in Cybersecurity

Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics

Contact Info

Product

Resources

About