Title: Prediction of Infected Devices Using the Quantification Theory Type 3 Based on MITRE ATT&CK Technique
Authors: Yosuke Katano, Yukihiro Kozai, Satoshi Okada, Takuho Mitsunaga
DOI: 10.1109/ICOCO56118.2022.10031822 (https://doi.org/10.1109/ICOCO56118.2022.10031822)
Published in: 2022 IEEE International Conference on Computing (ICOCO), 2022-11-14
Citations: 0
Abstract
Reports of cyber attacks are increasing every year. Many companies, groups, and organizations have taken various measures against cyber attacks, such as security education and attack detection systems. However, it is still practically challenging to prevent security incidents completely and proactively. In addition, attackers continue to attack internally after their initial intrusion. In other words, it is essential both to prevent the attacker's intrusion and to quickly identify and stop the damage after the intrusion. However, quickly identifying the infection status from a large number of logs takes time and effort. The purpose of this research is to identify the infection status of an organization quickly. We hypothesized that the behavior of the initially infected device and that of the secondary device infected by lateral movement would be similar. In other words, we expected that laterally infected devices could be detected based on the similarity between an initially infected device and a secondary one. In this research, we propose a method to find a device secondarily infected by lateral movement. We determine the similarity between the initially infected device and the secondary one by representing each device's behavior in terms of MITRE ATT&CK techniques. Our experimental results show a substantial similarity between the initially infected device and the secondary one infected by lateral movement.