Hailiang Tang , Dawei Lin , Wanyu Li , Wenxiao Zhang , Jun Zhao
{"title":"Cyber threat indicators extraction based on contextual knowledge prompt","authors":"Hailiang Tang , Dawei Lin , Wanyu Li , Wenxiao Zhang , Jun Zhao","doi":"10.1016/j.comnet.2024.110839","DOIUrl":null,"url":null,"abstract":"<div><div>Extracting Indicators of Compromise (IOC) from security-related social data (e.g., security blogs, hacker forums) is crucial for predicting cyber risks and mitigating cyber attacks proactively. However, existing IOC extraction approaches suffer from two serious limitations. First, they fail to learn the multiculti-granular and fine-grained IOC features, resulting in high false positives. Second, current methods cannot incorporate symbolic rules and contextual knowledge, resulting in poor interpretability. In this paper, we propose AIIOC, an <u>A</u>ccurate and <u>I</u>nterpretable <u>I</u> <u>O</u> <u>C</u> extraction model based on contextual knowledge prompts. Particularly, AIIOC first proposes a multi-granularity attention mechanism to learn fine-grained IOC features and boost the accuracy of IOC identification. Additionally, AIIOC designs a novel sequence labeling method that integrates symbolic rules and contextual knowledge prompts, which can encode symbolic rules and contextual semantics of IOC in trainable recurrent neural networks to improve both accuracy and interpretability. Experimental results on two real-world datasets verify that AIIOC outperforms state-of-the-art methods and showcases promising interpretability by incorporating symbolic rules and contextual knowledge prompts.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"254 ","pages":"Article 110839"},"PeriodicalIF":4.4000,"publicationDate":"2024-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128624006716","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
引用次数: 0
Abstract
Extracting Indicators of Compromise (IOC) from security-related social data (e.g., security blogs, hacker forums) is crucial for predicting cyber risks and mitigating cyber attacks proactively. However, existing IOC extraction approaches suffer from two serious limitations. First, they fail to learn the multiculti-granular and fine-grained IOC features, resulting in high false positives. Second, current methods cannot incorporate symbolic rules and contextual knowledge, resulting in poor interpretability. In this paper, we propose AIIOC, an Accurate and Interpretable IOC extraction model based on contextual knowledge prompts. Particularly, AIIOC first proposes a multi-granularity attention mechanism to learn fine-grained IOC features and boost the accuracy of IOC identification. Additionally, AIIOC designs a novel sequence labeling method that integrates symbolic rules and contextual knowledge prompts, which can encode symbolic rules and contextual semantics of IOC in trainable recurrent neural networks to improve both accuracy and interpretability. Experimental results on two real-world datasets verify that AIIOC outperforms state-of-the-art methods and showcases promising interpretability by incorporating symbolic rules and contextual knowledge prompts.
从与安全相关的社交数据(如安全博客、黑客论坛)中提取 "破坏指标"(IOC)对于预测网络风险和主动减轻网络攻击至关重要。然而,现有的 IOC 提取方法存在两个严重的局限性。首先,它们无法学习多文化粒度和细粒度的 IOC 特征,导致高误报率。其次,目前的方法不能结合符号规则和上下文知识,导致可解释性差。在本文中,我们提出了基于上下文知识提示的精确可解释 I O C 提取模型 AIIOC。特别是,AIIOC 首先提出了一种多粒度关注机制,以学习细粒度的 IOC 特征,提高 IOC 识别的准确性。此外,AIIOC 还设计了一种整合了符号规则和语境知识提示的新型序列标注方法,可将 IOC 的符号规则和语境语义编码到可训练的递归神经网络中,从而提高准确性和可解释性。在两个真实世界数据集上的实验结果验证了 AIIOC 的性能优于最先进的方法,并通过整合符号规则和上下文知识提示展示了良好的可解释性。
期刊介绍:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.