Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence
- URL: http://arxiv.org/abs/2010.13637v2
- Date: Thu, 25 Feb 2021 06:20:46 GMT
- Title: Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence
- Authors: Peng Gao, Fei Shao, Xiaoyuan Liu, Xusheng Xiao, Zheng Qin, Fengyuan Xu, Prateek Mittal, Sanjeev R. Kulkarni, Dawn Song
- Abstract summary: ThreatRaptor is a system that facilitates threat hunting in computer systems using open-source Cyber Threat Intelligence (OSCTI)
It extracts structured threat behaviors from unstructured OSCTI text and uses a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities.
Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.
- Score: 94.94833077653998
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Log-based cyber threat hunting has emerged as an important solution to
counter sophisticated attacks. However, existing approaches require non-trivial
efforts of manual query construction and have overlooked the rich external
threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To
bridge the gap, we propose ThreatRaptor, a system that facilitates threat
hunting in computer systems using OSCTI. Built upon system auditing frameworks,
ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP
pipeline that extracts structured threat behaviors from unstructured OSCTI
text, (2) a concise and expressive domain-specific query language, TBQL, to
hunt for malicious system activities, (3) a query synthesis mechanism that
automatically synthesizes a TBQL query for hunting, and (4) an efficient query
execution engine to search the big audit logging data. Evaluations on a broad
set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in
practical threat hunting.
Related papers
- Countering Autonomous Cyber Threats [40.00865970939829]
Foundation Models present dual-use concerns broadly and within the cyber domain specifically.
Recent research has shown the potential for these advanced models to inform or independently execute offensive cyberspace operations.
This work evaluates several state-of-the-art FMs on their ability to compromise machines in an isolated network and investigates defensive mechanisms to defeat such AI-powered attacks.
arXiv Detail & Related papers (2024-10-23T22:46:44Z)
- LLMCloudHunter: Harnessing LLMs for Automated Extraction of Detection Rules from Cloud-Based CTI [24.312198733476063]
Open-source cyber threat intelligence (OS-CTI) is a valuable resource for threat hunters.
Previous studies aimed at automating OSCTI analysis failed to provide actionable outputs.
We propose LLMCloudHunter, a novel framework that automatically generates generic-signature detection rule candidates from OSCTI data.
arXiv Detail & Related papers (2024-07-06T21:43:35Z)
- On the Security Risks of Knowledge Graph Reasoning [71.64027889145261]
We systematize the security threats to KGR according to the adversary's objectives, knowledge, and attack vectors.
We present ROAR, a new class of attacks that instantiate a variety of such threats.
We explore potential countermeasures against ROAR, including filtering of potentially poisoning knowledge and training with adversarially augmented queries.
arXiv Detail & Related papers (2023-05-03T18:47:42Z)
- ThreatKG: An AI-Powered System for Automated Open-Source Cyber Threat Intelligence Gathering and Management [65.0114141380651]
ThreatKG is an automated system for OSCTI gathering and management.
It efficiently collects a large number of OSCTI reports from multiple sources.
It uses specialized AI-based techniques to extract high-quality knowledge about various threat entities.
arXiv Detail & Related papers (2022-12-20T16:13:59Z)
- Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research.
Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
arXiv Detail & Related papers (2022-07-18T09:59:21Z)
- Automating Cyber Threat Hunting Using NLP, Automated Query Generation, and Genetic Perturbation [8.669461942767098]
We have developed the WILEE system that automates cyber threat hunting by translating high-level threat descriptions into many possible concrete implementations.
Both the (high-level) abstract and (low-level) concrete implementations are represented using a custom domain specific language.
WILEE uses the implementations along with other logic, also written in the DSL, to automatically generate queries to confirm (or refute) any hypotheses tied to the potential adversarial.
arXiv Detail & Related papers (2021-04-23T13:19:12Z)
- EXTRACTOR: Extracting Attack Behavior from Threat Reports [6.471387545969443]
We propose a novel approach and tool called EXTRACTOR that allows precise automatic extraction of concise attack behaviors from CTI reports.
EXTRACTOR makes no strong assumptions about the text and is capable of extracting attack behaviors as graphs from unstructured text.
Our evaluation results show that EXTRACTOR can extract concise graphs from CTI reports and can successfully be used by cyber-analytics tools in threat hunting.
arXiv Detail & Related papers (2021-04-17T18:51:00Z)
- A System for Automated Open-Source Threat Intelligence Gathering and Management [53.65687495231605]
SecurityKG is a system for automated OSCTI gathering and management.
It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
arXiv Detail & Related papers (2021-01-19T18:31:35Z)
- A System for Efficiently Hunting for Cyber Threats in Computer Systems Using Threat Intelligence [78.23170229258162]
We build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI.
ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, and (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors.
arXiv Detail & Related papers (2021-01-17T19:44:09Z)
This list is automatically generated from the titles and abstracts of the papers in this site.