Prediction of Infected Devices Using the Quantification Theory Type 3 Based on MITRE ATT&CK Technique

Yosuke Katano, Yukihiro Kozai, Satoshi Okada, Takuho Mitsunaga
{"title":"Prediction of Infected Devices Using the Quantification Theory Type 3 Based on MITRE ATT&CK Technique","authors":"Yosuke Katano, Yukihiro Kozai, Satoshi Okada, Takuho Mitsunaga","doi":"10.1109/ICOCO56118.2022.10031822","DOIUrl":null,"url":null,"abstract":"Reports of cyber attacks are increasing every year. Although many companies, groups, and organizations have taken various measures against cyber attacks, such as security education and attack detection systems. However, it is still practically challenging to prevent security incidents completely and proactively. In addition, attackers continue to attack internally after their initial intrusion. In other words, it is essential to prevent the attacker’s intrusion and quickly identify and stop the damage after the intrusion. However, it takes time and effort to quickly identify the infection status from a large number of logs. The purpose of this research is to identify the infection status of an organization quickly. We hypothesized that the behavior of the initially infected device and the secondary one by lateral movement would be similar. To put it differently, we thought it was possible to detect laterally moved devices based on the similarity between an initially infected device and a secondary one. In this research, we propose a method to find a device secondarily infected by lateral movement. We determine the similarity between the initially infected device and the secondary one by embodying the device’s behavior in terms of MITRE ATT&CK’s Technique. Our experiment results show a substantial similarity between the initially infected device and the secondary one by lateral movement.","PeriodicalId":319652,"journal":{"name":"2022 IEEE International Conference on Computing (ICOCO)","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE International Conference on Computing (ICOCO)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICOCO56118.2022.10031822","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Reports of cyber attacks are increasing every year. Although many companies, groups, and organizations have taken various measures against cyber attacks, such as security education and attack detection systems. However, it is still practically challenging to prevent security incidents completely and proactively. In addition, attackers continue to attack internally after their initial intrusion. In other words, it is essential to prevent the attacker’s intrusion and quickly identify and stop the damage after the intrusion. However, it takes time and effort to quickly identify the infection status from a large number of logs. The purpose of this research is to identify the infection status of an organization quickly. We hypothesized that the behavior of the initially infected device and the secondary one by lateral movement would be similar. To put it differently, we thought it was possible to detect laterally moved devices based on the similarity between an initially infected device and a secondary one. In this research, we propose a method to find a device secondarily infected by lateral movement. We determine the similarity between the initially infected device and the secondary one by embodying the device’s behavior in terms of MITRE ATT&CK’s Technique. Our experiment results show a substantial similarity between the initially infected device and the secondary one by lateral movement.
基于MITRE攻击& ck技术的量化理论3型感染设备预测
关于网络攻击的报道每年都在增加。尽管许多公司、团体和组织已经采取了各种措施来应对网络攻击,例如安全教育和攻击检测系统。然而,如何全面、主动地预防安全事件,在实践中仍具有一定的挑战性。此外,攻击者在初次入侵后还会继续进行内部攻击。也就是说,防止攻击者的入侵,并在入侵后快速识别和停止破坏是至关重要的。但是,从大量的日志中快速识别感染状态需要花费大量的时间和精力。本研究的目的是快速识别组织的感染状态。我们假设最初受感染的设备和通过横向移动的继发设备的行为是相似的。换句话说,我们认为可以根据最初受感染的设备和次要设备之间的相似性来检测横向移动的设备。在这项研究中,我们提出了一种方法来寻找继发感染横向运动的装置。我们根据MITRE at&ck的技术体现设备的行为,确定最初受感染设备与次要设备之间的相似性。我们的实验结果表明,最初感染的设备与通过横向移动的次要设备之间存在实质性的相似性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信