Mining Temporal Attack Patterns from Cyberthreat Intelligence Reports
- URL: http://arxiv.org/abs/2401.01883v1
- Date: Wed, 3 Jan 2024 18:53:22 GMT
- Title: Mining Temporal Attack Patterns from Cyberthreat Intelligence Reports
- Authors: Md Rayhanur Rahman, Brandon Wroblewski, Quinn Matthews, Brantley Morgan, Tim Menzies, Laurie Williams
- Abstract summary: Defending against cyberattacks requires practitioners to operate on high-level adversary behavior.
We propose ChronoCTI, an automated pipeline for mining temporal attack patterns from cyberthreat intelligence (CTI) reports.
- Score: 9.589390721223147
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Defending against cyberattacks requires practitioners to operate on high-level
adversary behavior. Cyberthreat intelligence (CTI) reports on past cyberattack
incidents describe the chain of malicious actions with respect to time. To
avoid repeating cyberattack incidents, practitioners must proactively identify
and defend against recurring chains of actions, which we refer to as temporal
attack patterns. Automatically mining the patterns among actions provides
structured and actionable information on the adversary behavior of past
cyberattacks. The goal of this paper is to aid security practitioners in
prioritizing and proactively defending against cyberattacks by mining temporal
attack patterns from cyberthreat intelligence reports. To this end, we propose
ChronoCTI, an automated pipeline for mining temporal attack patterns from
CTI reports of past cyberattacks. To construct ChronoCTI, we build a ground
truth dataset of temporal attack patterns and apply state-of-the-art large
language models, natural language processing, and machine learning techniques.
We apply ChronoCTI to a set of 713 CTI reports, where we identify 124 temporal
attack patterns, which we categorize into nine pattern categories. We find
that the most prevalent pattern category is tricking victim users into
executing malicious code to initiate the attack, followed by bypassing the
anti-malware system in the victim network. Based on the observed patterns, we
advocate that organizations train users in cybersecurity best practices,
introduce immutable operating systems with limited functionality, and enforce
multi-user authentication. Moreover, we advocate that practitioners leverage
the automated mining capability of ChronoCTI to design countermeasures against
the recurring attack patterns.
Related papers
- Towards in-situ Psychological Profiling of Cybercriminals Using Dynamically Generated Deception Environments [0.0]
Cybercrime is estimated to cost the global economy almost $10 trillion annually.
The traditional perimeter security approach to cyber defence has so far proved inadequate to combat the growing threat of cybercrime.
Deceptive techniques aim to mislead attackers, diverting them from critical assets whilst simultaneously gathering cyber threat intelligence on the threat actor.
This article presents a proof-of-concept system that has been developed to capture the profile of an attacker in-situ, during a simulated cyber-attack in real time.
arXiv Detail & Related papers (2024-05-19T09:48:59Z)
- Use of Graph Neural Networks in Aiding Defensive Cyber Operations [2.1874189959020427]
Graph Neural Networks have emerged as a promising approach for enhancing the effectiveness of defensive measures.
We look into the application of GNNs in aiding to break each stage of one of the most renowned attack life cycles, the Lockheed Martin Cyber Kill Chain.
arXiv Detail & Related papers (2024-01-11T05:56:29Z)
- BadCLIP: Dual-Embedding Guided Backdoor Attack on Multimodal Contrastive Learning [85.2564206440109]
This paper reveals the threats in this practical scenario that backdoor attacks can remain effective even after defenses.
We introduce the BadCLIP attack, which is resistant to backdoor detection and model fine-tuning defenses.
arXiv Detail & Related papers (2023-11-20T02:21:49Z)
- Attention-Enhancing Backdoor Attacks Against BERT-based Models [54.070555070629105]
Investigating the strategies of backdoor attacks will help to understand the model's vulnerability.
We propose a novel Trojan Attention Loss (TAL) which enhances the Trojan behavior by directly manipulating the attention patterns.
arXiv Detail & Related papers (2023-10-23T01:24:56Z)
- Looking Beyond IoCs: Automatically Extracting Attack Patterns from External CTI [3.871148938060281]
LADDER is a framework that can extract text-based attack patterns from cyberthreat intelligence reports at scale.
We present several use cases to demonstrate the application of LADDER in real-world scenarios.
arXiv Detail & Related papers (2022-11-01T12:16:30Z)
- Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research.
Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
arXiv Detail & Related papers (2022-07-18T09:59:21Z)
- Fixed Points in Cyber Space: Rethinking Optimal Evasion Attacks in the Age of AI-NIDS [70.60975663021952]
We study blackbox adversarial attacks on network classifiers.
We argue that attacker-defender fixed points are themselves general-sum games with complex phase transitions.
We show that a continual learning approach is required to study attacker-defender dynamics.
arXiv Detail & Related papers (2021-11-23T23:42:16Z)
- Reinforcement Learning for Feedback-Enabled Cyber Resilience [24.92055101652206]
Cyber resilience provides a new security paradigm that complements inadequate protection with resilience mechanisms.
A Cyber-Resilient Mechanism (CRM) adapts to known or zero-day threats and uncertainties in real time.
We review the literature on RL for cyber resiliency and discuss the cyber-resilient defenses against three major types of vulnerabilities.
arXiv Detail & Related papers (2021-07-02T01:08:45Z)
- Adversarial Machine Learning Attacks and Defense Methods in the Cyber Security Domain [58.30296637276011]
This paper summarizes the latest research on adversarial attacks against security solutions based on machine learning techniques.
It is the first to discuss the unique challenges of implementing end-to-end adversarial attacks in the cyber security domain.
arXiv Detail & Related papers (2020-07-05T18:22:40Z)
- NAttack! Adversarial Attacks to bypass a GAN based classifier trained to detect Network intrusion [0.3007949058551534]
Before the rise of machine learning, network anomalies which could imply an attack were detected using well-crafted rules.
With the advancements of machine learning for network anomaly detection, it is not easy for a human to understand how to bypass a cyber-defence system.
In this paper, we show that even if we build a classifier and train it with adversarial examples for network data, we can use adversarial attacks and successfully break the system.
arXiv Detail & Related papers (2020-02-20T01:54:45Z)
- Adversarial vs behavioural-based defensive AI with joint, continual and active learning: automated evaluation of robustness to deception, poisoning and concept drift [62.997667081978825]
Recent advancements in Artificial Intelligence (AI) have brought new capabilities to behavioural analysis (UEBA) for cyber-security.
In this paper, we present a solution to effectively mitigate this attack by improving the detection process and efficiently leveraging human expertise.
arXiv Detail & Related papers (2020-01-13T13:54:36Z)
This list is automatically generated from the titles and abstracts of the papers in this site.