DroidTTP: Mapping android applications with TTP for Cyber Threat Intelligence
Authors: Dincy R. Arikkat, Vinod P., Rafidha Rehiman K.A., Serena Nicolazzo, Marco Arazzi, Antonino Nocera, Mauro Conti
DOI: 10.1016/j.jisa.2025.104162
Journal: Journal of Information Security and Applications, Volume 93, Article 104162
Publication date: 2025-07-14 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S2214212625001991
Journal impact factor: 3.8; JCR: Q2 (Computer Science, Information Systems); CAS region: 2 (Computer Science)
Open access: no
Citations: 0
Abstract
The widespread use of Android devices for sensitive operations has made them prime targets for sophisticated cyber threats, including Advanced Persistent Threats (APT). Traditional malware detection methods focus primarily on malware classification, often failing to reveal the Tactics, Techniques, and Procedures (TTPs) used by attackers. To address this issue, we propose DroidTTP, a novel system for mapping Android malware to attack behaviors. We curated a dataset linking Android applications to Tactics and Techniques and developed an automated mapping approach using the Problem Transformation Approach and Large Language Models (LLMs). Our pipeline includes dataset construction, feature selection, data augmentation, model training, and explainability via SHAP. Furthermore, we explored the use of LLMs for TTP prediction using both Retrieval Augmented Generation and fine-tuning strategies. The Label Powerset XGBoost model achieved the best performance, with Jaccard Similarity scores of 0.9893 for Tactic classification and 0.9753 for Technique classification. The fine-tuned LLaMa model also performed competitively, achieving 0.9583 for Tactics and 0.9348 for Techniques. Although XGBoost slightly outperformed LLMs, the narrow performance gap highlights the potential of LLM-based approaches for Tactic and Technique prediction.
Journal description:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.