Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns
- URL: http://arxiv.org/abs/2208.12449v1
- Date: Fri, 26 Aug 2022 06:10:13 GMT
- Title: Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns
- Authors: Mahathir Almashor, Ejaz Ahmed, Benjamin Pick, Sharif Abuadbba, Jason Xue, Raj Gaire, Shuo Wang, Seyit Camtepe, Surya Nepal
- Abstract summary: We analyse suspicious URLs from SIEM alerts via the perspective of malicious URL campaigns.
By first grouping URLs within 311M records gathered from VirusTotal into 2.6M suspicious clusters, we discovered 77.8K malicious campaigns.
We find 9.9M unique URLs attributable to 18.3K multi-URL campaigns, and that only 2.97% of campaigns were found by security vendors.
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The daily deluge of alerts is a sombre reality for Security Operations Centre
(SOC) personnel worldwide. They are at the forefront of an organisation's
cybersecurity infrastructure, and face the unenviable task of prioritising
threats amongst a flood of abstruse alerts triggered by their Security
Information and Event Management (SIEM) systems. URLs found within malicious
communications form the bulk of such alerts, and pinpointing pertinent patterns
within them allows teams to rapidly deescalate potential or extant threats.
This need for vigilance has been traditionally filled with machine-learning
based log analysis tools and anomaly detection concepts. To sidestep machine
learning approaches, we instead propose to analyse suspicious URLs from SIEM
alerts via the perspective of malicious URL campaigns. By first grouping URLs
within 311M records gathered from VirusTotal into 2.6M suspicious clusters, we
thereafter discovered 77.8K malicious campaigns. Corroborating our suspicions,
we found 9.9M unique URLs attributable to 18.3K multi-URL campaigns, and that
worryingly, only 2.97% of campaigns were found by security vendors. We also
confer insights on evasive tactics such as ever lengthier URLs and more diverse
domain names, with selected case studies exposing other adversarial techniques.
By characterising the concerted campaigns driving these URL alerts, we hope to
inform SOC teams of current threat trends, and thus arm them with better threat
intelligence.
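The grouping step the abstract describes (collapsing suspicious URLs into candidate campaigns, then looking at URL length and domain diversity per campaign) is shown below as an added Python example. It is not the authors' code and the paper's own clustering method is not given on this page; the campaign key used here (a structural template with per-victim tokens such as IDs and random hex masked, and the hostname reduced to its label count so rotated domains still group), the function names, and the sample URLs are all assumptions constructed for this illustration.

```python
"""Illustrative campaign grouping over suspicious URLs from SIEM alerts.

Added example, not the paper's code. The campaign key is a structural
URL template; the per-campaign indicators reported are the two evasion
trends the abstract mentions: URL length and distinct domain names.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample alerts (not real data): two multi-URL campaigns plus
# one singleton. Hostnames and paths are invented for the example.
SAMPLE_URLS = [
    "http://secure-login-a1b2c3.example/update/account/7781/verify.php",
    "http://secure-login-9f8e7d.example/update/account/1029/verify.php",
    "http://acct-check-55aa66.example/update/account/3344/verify.php",
    "https://cdn.example.org/dl/9c1a2b3d4e5f/invoice.zip",
    "https://cdn.example.org/dl/0a1b2c3d4e5f/invoice.zip",
    "https://example.net/",
]

_HEX_RUN = re.compile(r"[0-9a-f]{6,}")   # random-looking hex tokens
_DIGITS = re.compile(r"\d+")             # numeric victim/campaign IDs


def url_template(url: str) -> str:
    """Reduce a URL to a structural template used as the campaign key.

    Assumption (illustrative): URLs in one campaign share a path shape and
    differ only in per-victim tokens. The host is reduced to its label
    count so that rotated lookalike domains fall into the same group.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    host_shape = f"{len(host.split('.'))}-label-host"
    path = parts.path or "/"
    path = _HEX_RUN.sub("<hex>", path)
    path = _DIGITS.sub("<n>", path)
    return f"{parts.scheme}://{host_shape}{path}"


def group_campaigns(urls):
    """Group URLs by template; returns {template: [urls]} in input order."""
    groups = defaultdict(list)
    for u in urls:
        groups[url_template(u)].append(u)
    return dict(groups)


def campaign_stats(urls, min_size=2):
    """Summarise multi-URL campaigns (size >= min_size).

    Each row carries the template, member count, number of distinct
    hostnames (domain diversity) and mean URL length; sorted by size desc.
    """
    rows = []
    for template, members in group_campaigns(urls).items():
        if len(members) < min_size:
            continue
        hosts = {urlsplit(u).hostname for u in members}
        rows.append({
            "template": template,
            "size": len(members),
            "distinct_hosts": len(hosts),
            "mean_len": sum(len(u) for u in members) / len(members),
        })
    rows.sort(key=lambda r: (-r["size"], r["template"]))
    return rows


if __name__ == "__main__":
    for row in campaign_stats(SAMPLE_URLS):
        print(f"{row['size']:>2} URLs  {row['distinct_hosts']} host(s)  "
              f"mean len {row['mean_len']:.1f}  {row['template']}")
```

On the constructed input this yields one three-URL campaign spread over three distinct hostnames (the domain-rotation pattern the paper flags) and one two-URL campaign on a single CDN host. The template is deliberately crude: the hex mask will also swallow ordinary words made only of hex letters (for example "facade"), and a campaign that varies path shape as well as domain will be split across keys, so on real alert volumes the key function is the part to tune.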
Related papers
- DomURLs_BERT: Pre-trained BERT-based Model for Malicious Domains and URLs Detection and Classification (arXiv, 2024-09-13T18:59:13Z)
We introduce DomURLs_BERT, a pre-trained BERT-based encoder for detecting and classifying suspicious/malicious domains and URLs.
The proposed encoder outperforms state-of-the-art character-based deep learning models and cybersecurity-focused BERT models across multiple tasks and datasets.
- Uncovering Semantics and Topics Utilized by Threat Actors to Deliver Malicious Attachments and URLs (arXiv, 2024-07-11T23:04:16Z)
This study employs BERTopic unsupervised topic modeling to identify common semantics and themes embedded in email.
We preprocess emails by extracting and sanitizing content and employ multilingual embedding models like BGE-M3 for dense representations.
Our research will evaluate and compare different clustering algorithms on topic quantity, coherence, and diversity metrics.
- LLMCloudHunter: Harnessing LLMs for Automated Extraction of Detection Rules from Cloud-Based CTI (arXiv, 2024-07-06T21:43:35Z)
Open-source cyber threat intelligence (OS-CTI) is a valuable resource for threat hunters.
Previous studies aimed at automating OSCTI analysis failed to provide actionable outputs.
We propose LLMCloudHunter, a novel framework that automatically generates generic-signature detection rule candidates from OSCTI data.
- OSTINATO: Cross-host Attack Correlation Through Attack Activity Similarity Detection (arXiv, 2023-12-14T20:13:19Z)
We present a method for an efficient cross-host attack correlation across multiple hosts.
Our approach relies on an observation that attackers have a few strategic mission objectives on every host that they infiltrate.
We implement our approach in a tool called Ostinato and successfully evaluate it in threat hunting scenarios involving DARPA-led red team engagements.
- On the Security Risks of Knowledge Graph Reasoning (arXiv, 2023-05-03T18:47:42Z)
We systematize the security threats to KGR according to the adversary's objectives, knowledge, and attack vectors.
We present ROAR, a new class of attacks that instantiate a variety of such threats.
We explore potential countermeasures against ROAR, including filtering of potentially poisoning knowledge and training with adversarially augmented queries.
- Certifiably Robust Policy Learning against Adversarial Communication in Multi-agent Systems (arXiv, 2022-06-21T07:32:18Z)
Communication is important in many multi-agent reinforcement learning (MARL) problems for agents to share information and make good decisions.
However, when deploying trained communicative agents in a real-world application where noise and potential attackers exist, the safety of communication-based policies becomes a severe issue that is underexplored.
In this work, we consider an environment with $N$ agents, where the attacker may arbitrarily change the communication from any $C < \frac{N-1}{2}$ agents to a victim agent.
- Characterizing Malicious URL Campaigns (arXiv, 2021-08-29T01:00:44Z)
URLs are central to a myriad of cyber-security threats, from phishing to the distribution of malware.
Their inherent ease of use and familiarity is continuously abused by attackers to evade defences and deceive end-users.
We refer to such behaviours as campaigns, with the hypothesis being that attacks are often coordinated to maximize success rates and develop evasion tactics.
- TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack (arXiv, 2021-03-10T19:03:38Z)
We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack.
Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets.
TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
- A System for Efficiently Hunting for Cyber Threats in Computer Systems Using Threat Intelligence (arXiv, 2021-01-17T19:44:09Z)
We build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI.
ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, and (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors.
- Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence (arXiv, 2020-10-26T14:54:01Z)
ThreatRaptor is a system that facilitates threat hunting in computer systems using open-source Cyber Threat Intelligence (OSCTI).
It extracts structured threat behaviors from unstructured OSCTI text and uses a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities.
Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.
- Adversarial Machine Learning Attacks and Defense Methods in the Cyber Security Domain (arXiv, 2020-07-05T18:22:40Z)
This paper summarizes the latest research on adversarial attacks against security solutions based on machine learning techniques.
It is the first to discuss the unique challenges of implementing end-to-end adversarial attacks in the cyber security domain.
This list is automatically generated from the titles and abstracts of the papers in this site.