Construction of TTPS From APT Reports Using Bert
Authors: Li Zongxun, Li Yujun, Zhang Haojie, Li Juan
Published in: 2021 18th International Computer Conference on Wavelet Active Media Technology and Information Processing (ICCWAMTIP), 2021-12-17
DOI: 10.1109/ICCWAMTIP53232.2021.9674158 (https://doi.org/10.1109/ICCWAMTIP53232.2021.9674158)

Abstract
As network use continues to grow, the number of Advanced Persistent Threat (APT) attacks has increased in recent years. Compared with real-time APT attack detection, analyzing APT reports enables faster dissemination of cyber threat intelligence (CTI) and faster identification of APT attacks. This paper therefore proposes a model for automatically extracting threat actions from APT reports and generating Tactics, Techniques and Procedures (TTPs) from them. The model analyzes the semantics of APT reports and extracts threat actions automatically using a BERT-BiLSTM-CRF architecture that can accurately capture sentence semantics. A sentence containing a threat action is fed into the trained model, and the model labels the threat action contained in that sentence. We then leverage existing knowledge to build a cyber threat ontology, obtain complete attack information by mapping the extracted threat actions to that ontology, and from this mapping generate high-level Indicators of Compromise (IOC) and construct TTPs. In comparison to traditional approaches, our method achieves an average of 96% precision on the test dataset.