Khang Mai , Jongmin Lee , Razvan Beuran , Ryosuke Hotchi , Sian En Ooi , Takayuki Kuroda , Yasuo Tan
Title: RAF-AG: Report analysis framework for attack path generation
DOI: 10.1016/j.cose.2024.104125
Journal: Computers & Security, volume 148, Article 104125 (Journal Article, published 2024-09-19; impact factor 4.8; JCR Q1, Computer Science, Information Systems)
Article URL: https://www.sciencedirect.com/science/article/pii/S0167404824004309
PDF URL: https://www.sciencedirect.com/science/article/pii/S0167404824004309/pdfft?md5=26c50ae3a8d396148c6a891e5ef0b300&pid=1-s2.0-S0167404824004309-main.pdf
Open access: no
Citation count: 0
Abstract
Information sharing is a key practice in cybersecurity for coping with the ever-changing cyberattacks that target computer systems. Thus, when cyber incidents happen, cyber threat intelligence (CTI) reports are prepared and shared among cybersecurity practitioners to help them obtain up-to-date information about those incidents. However, reading and analyzing the report text to comprehend the included information is a cumbersome process. Although techniques based on deep learning have been proposed to speed up report analysis and extract the essential information it contains, such as the attack path, insufficient training data makes these methods inefficient in practical circumstances.
This paper presents RAF-AG, a report analysis framework for attack path generation. To analyze CTI reports, RAF-AG utilizes the sentence dependency tree for entity and relation extraction, and a weak supervision approach for entity labeling. This is followed by graph building and graph alignment for generating the attack paths. Our approach resolves the data insufficiency problem in the cybersecurity domain by lowering the need for expert involvement. We evaluated RAF-AG by comparing the generated attack paths with those produced by AttacKG, a state-of-the-art automatic report analysis framework. RAF-AG was able to identify cyberattack steps by matching their appearance order inside the report, and link them with techniques from the MITRE ATT&CK knowledge base with an improved F1 score compared to AttacKG (0.708 versus 0.393).
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.