Harnessing TI Feeds for Exploitation Detection

Authors: Kajal Patel, Zubair Shafiq, Mateus Nogueira, Daniel Sadoc Menasché, Enrico Lovat, Taimur Kashif, Ashton Woiwood, Matheus Martins
Venue: arXiv - CS - Information Retrieval (arXiv:2409.07709), published 2024-09-12
Listed URL: https://doi.org/arxiv-2409.07709
Citation count at time of indexing: 0
Abstract
Many organizations rely on Threat Intelligence (TI) feeds to assess the risk associated with security threats. Because of the volume and heterogeneity of the data, manually analyzing the threat information spread across many loosely structured TI feeds is prohibitive, so automated methods are needed to vet TI feeds and extract actionable information from them. To this end, we present a machine learning pipeline that automatically detects vulnerability exploitation from TI feeds. We first model the threat vocabulary of loosely structured TI feeds using state-of-the-art embedding techniques (Doc2Vec and BERT), then use those embeddings to train a supervised classifier that detects exploitation of security vulnerabilities. We apply the approach to identify exploitation events in 191 different TI feeds. Our longitudinal evaluation shows that the pipeline accurately identifies exploitation events when trained using only past data, and that it generalizes to TI feeds withheld from training. The approach is useful for a variety of downstream tasks such as data-driven vulnerability risk assessment.
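The evaluation design the abstract describes (train only on data older than a cutoff, then test on later entries and on feeds the model never saw) is the part most easily gotten wrong in practice, because a random split silently leaks future and same-feed signal into training. The following is an added, self-contained illustration, not the authors' code: a bag-of-words vectoriser stands in for Doc2Vec/BERT, a pure-Python logistic regression stands in for the paper's classifier, and the feed entries, feed names and CVE identifiers are constructed placeholders, not real reports.

```python
"""Temporal + withheld-feed evaluation of an exploitation-detection classifier.
Constructed illustration of the abstract's evaluation design; bag-of-words
replaces Doc2Vec/BERT and a tiny logistic regression replaces the paper's
classifier. Not the paper's code; all feed entries are made up."""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TIEntry:
    feed: str        # source feed name (constructed)
    day: int         # days since an arbitrary epoch; drives the temporal split
    text: str        # loosely structured feed text
    exploited: bool  # ground truth: does the entry report exploitation?


# Constructed sample feed entries. CVE ids are placeholders, not real advisories.
ENTRIES = [
    TIEntry("feedA", 1, "CVE-2024-0001 actively exploited in the wild by ransomware group", True),
    TIEntry("feedA", 2, "vendor released patch for CVE-2024-0002 advisory", False),
    TIEntry("feedB", 3, "exploitation of CVE-2024-0003 observed in the wild", True),
    TIEntry("feedB", 4, "security advisory published, update available", False),
    TIEntry("feedA", 5, "attackers exploited CVE-2024-0004 in the wild", True),
    TIEntry("feedB", 6, "patch released for CVE-2024-0005", False),
    # Later days: the "future" a longitudinal split must never train on.
    TIEntry("feedA", 10, "CVE-2024-0006 exploited in the wild, PoC weaponized", True),
    TIEntry("feedB", 11, "advisory update released for CVE-2024-0007", False),
    # feedC never appears in training: the withheld-feed check.
    TIEntry("feedC", 12, "in the wild exploitation of CVE-2024-0008 confirmed", True),
    TIEntry("feedC", 13, "vendor advisory and patch released", False),
]

TOKEN = re.compile(r"[a-z0-9-]+")


def tokens(text):
    return TOKEN.findall(text.lower())


class BowModel:
    """Binary bag-of-words features + logistic regression fitted by SGD."""

    def __init__(self, epochs=300, lr=0.5):
        self.epochs, self.lr = epochs, lr
        self.vocab, self.w, self.b = {}, [], 0.0

    def _vec(self, text):
        v = [0.0] * len(self.vocab)
        for t in tokens(text):
            i = self.vocab.get(t)  # tokens unseen in training are ignored
            if i is not None:
                v[i] = 1.0
        return v

    def _prob(self, x):
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, x))
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, entries):
        # Vocabulary is built from the training split only, so no future tokens leak in.
        vocab = sorted({t for e in entries for t in tokens(e.text)})
        self.vocab = {t: i for i, t in enumerate(vocab)}
        self.w = [0.0] * len(vocab)
        xs = [self._vec(e.text) for e in entries]
        ys = [1.0 if e.exploited else 0.0 for e in entries]
        for _ in range(self.epochs):
            for x, y in zip(xs, ys):
                g = self._prob(x) - y  # gradient of log loss w.r.t. the logit
                for i, xi in enumerate(x):
                    if xi:
                        self.w[i] -= self.lr * g * xi
                self.b -= self.lr * g
        return self

    def predict(self, text):
        return self._prob(self._vec(text)) >= 0.5


def longitudinal_eval(entries, cutoff_day, withheld_feeds):
    """Train on entries strictly before cutoff_day from non-withheld feeds; report
    accuracy on (a) later entries from the training feeds and (b) withheld feeds."""
    train = [e for e in entries if e.day < cutoff_day and e.feed not in withheld_feeds]
    future = [e for e in entries if e.day >= cutoff_day and e.feed not in withheld_feeds]
    withheld = [e for e in entries if e.feed in withheld_feeds]
    # Leakage guards: nothing in training may post-date the cutoff or come from a withheld feed.
    assert all(e.day < cutoff_day for e in train)
    assert not {e.feed for e in train} & set(withheld_feeds)
    model = BowModel().fit(train)

    def acc(rows):
        return sum(model.predict(e.text) == e.exploited for e in rows) / len(rows)

    return {"train": acc(train), "future": acc(future), "withheld_feeds": acc(withheld),
            "n_train": len(train), "n_future": len(future), "n_withheld": len(withheld)}


if __name__ == "__main__":
    print(longitudinal_eval(ENTRIES, cutoff_day=8, withheld_feeds={"feedC"}))
```

The two assertions in `longitudinal_eval` are the point: a model that scores well only because it was trained on later entries, or on the same feed it is tested on, tells you nothing about how it will behave on tomorrow's feed or on a feed you onboard next month. Swapping `BowModel` for a Doc2Vec or BERT encoder plus a real classifier leaves the split logic unchanged.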