TIM: threat context-enhanced TTP intelligence mining on unstructured threat data

You, Yizhe; Jiang, Zhengwei; Yang, Pengtao; Liu, Baoxu; Feng, Huanqing; Wang, Xuren; Li, Ning

doi:10.1186/s42400-021-00106-5

Cited by 20 publications

(6 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…You et al [5] proposed a TTP intelligence mining model that extracts and classifies TTP information from unstructured CTI reports. For this model, Sentence-BERT embeddings were used in the feature extraction step, and a twodimensional convolutional neural network and bidirectional long short-term memory network were used as classifiers, and a high F1 score of 0.97 was obtained.…”

Section: Related Workmentioning

confidence: 99%

“…is is because extracting TTP information from CTI data, which are often in the form of a report, is cost-sensitive and time-consuming because CTI reports, such as the advanced persistent threat (APT) report, are unstructured threat data provided in sentence form. Manually converting these explanatory TTP sentences into the TTP naming or ID format of the ATT&CK structure is time-consuming and requires strong expertise [5]. To address these problems, there have been several efforts since 2018 to identify (extract) TTP information from CTI reports or to automatically classify the tactics and techniques in TTP.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Comparative Experiment on TTP Classification with Class Imbalance Using Oversampling from CTI Dataset

Kim

2022

Security and Communication Networks

View full text Add to dashboard Cite

Cyber threat intelligence (CTI) refers to the real-time collection of threat information and analysis of these acquired data to identify the situation and attack mechanism of a security threat. In a CTI analysis, it is important to have a standardized attack model. Recently, the MITRE adversarial tactics, techniques, and common knowledge (ATT&CK) framework has been widely used as the de facto standard security threat modeling technique. However, analyzing a large amount of data using the tactics, techniques, and procedures (TTP) of ATT&CK with a limited number of security personnel is time-consuming. To solve this cost-sensitive issue, research on automated classification of TTP from CTI data using artificial intelligence techniques is currently underway but remains challenging. This is because CTI data are domain-specific, and therefore, it is difficult to obtain labeling data to be used as training data for AI models. Hence, the distribution of training data related to TTP labeling is imbalanced. Thus, the current accuracy of ML-based TTP classification is still around 6080%. This study aims to improve the TTP classification accuracy from unstructured CTI data using machine learning while mainly focusing on solving the problems of small training datasets and TTP class imbalance. Therefore, we proposed a TTP classification method by applying easy data argumentation (EDA) and compared its performance with those of previous studies. By applying the proposed methodology, a 60–80% improvement was observed compared to the reference baseline model, TRAM. This indicates that the preprocessing methodology of applying the EDA technique is effective at improving the performance of TTP classification from unstructured CTI data in the CTI domain.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Comparative Experiment on TTP Classification with Class Imbalance Using Oversampling from CTI Dataset

Kim

2022

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Uma das maiores dificuldades no uso de NLP no domínio cibernético é a pouca disponibilidade de bases de dados consistentes e anotadas (Tikhomirov, et al, 2020). Conjuntos de dados relacionados a TTPs são ainda mais raros e essa escassez dificulta o avanço de pesquisas em classificação de TTPs (You, et al, 2022) (Riera, et al, 2022). A despeito da importância, ainda há pouca pesquisa voltada ao problema da extração de TTPs de textos não estruturados (Rahman, et al, 2020).…”

Section: Trabalhos Relacionadosunclassified

“…A pesquisa de Ayoade et al (2018), por sua vez, emprega métodos de correção de viés, de propagação de confiança e de estimativa de importância de pesos para fazer predições de táticas e técnicas presentes em relatórios de CTI. You et al (2022) propõem o framework Threat Intelligence Mining (TIM), desenvolvendo a ferramenta TCENet. A solução faz sua análise agrupando conjuntos de três sentenças de modo a buscar mais contexto.…”

Section: Trabalhos Relacionadosunclassified

See 1 more Smart Citation

Modelo De Classificação De TTP Baseado Em Transformadas Bert

2022

Proceedings of the Ibero American Conferences on Applied Computing 2022 and WWW/Internet 2022

View full text Add to dashboard Cite

Informações relativas às Táticas Técnicas e Procedimentos (TTP) observados em um ataque são costumeiramente apresentadas na forma de textos não estruturados. A aplicação de técnicas de aprendizagem de máquina junto ao Processamento de Linguagem Natural (NLP) pode auxiliar na identificação dessas TTP. Esse trabalho propõe o enfrentamento desse problema por meio da utilização de modelos BERT (Bidirectional Encoder Representations from Transformers), estado da arte no campo de NLP. O dataset utilizado inicialmente é a base de sentenças do instituto MITRE, sendo posteriormente realizada validação em conjunto de sentenças manualmente anotadas extraído de relatórios de CTI (Cyber Threat Intelligence) públicos. São testados onze modelos e também se conduz uma investigação dos efeitos de alguns parâmetros no ajuste fino do modelo. O objetivo é identificar o modelo e a combinação de parâmetros que melhor se adequam à tarefa de classificação de acordo com as convenções sobre TTP do framework ATT&CK do MITRE. Como resultado, verificou-se que os melhores modelos apresentaram acurácia de 0,8264 e 0,7875 nos dois conjuntos de dados utilizados, demonstrando a viabilidade e a relevância do uso dos modelos BERT nessa complexa tarefa do domínio cibernético.

show abstract