Title: APT-scope: A novel framework to predict advanced persistent threat groups from enriched heterogeneous information network of cyber threat intelligence
Authors: Burak Gulbay, Mehmet Demirci
DOI: 10.1016/j.jestch.2024.101791
Journal: Engineering Science and Technology, an International Journal (JESTECH), volume 57, Article 101791
Publication date: 2024-08-17 (Journal Article; JCR Q1, Engineering, Multidisciplinary)
URL: https://www.sciencedirect.com/science/article/pii/S2215098624001770
APT-scope: A novel framework to predict advanced persistent threat groups from enriched heterogeneous information network of cyber threat intelligence
Addressing the expanding Advanced Persistent Threat (APT) landscape is crucial for governments, enterprises and threat intelligence research groups. While defenders often rely on tabular formats for assets such as logs, alerts and firewall rules, attackers leverage a graph-based mindset. In this work, we propose a novel multistage framework named APT-Scope, which employs a comprehensive approach to Cyber Threat Intelligence (CTI) analysis on qualified real-world data. The APT-Scope workflow consists of data gathering, enrichment and analysis stages, where relationships between entities are used to construct a Heterogeneous Information Network (HIN). We applied CTI enrichment using additional active data collection techniques such as DNS and Whois lookups, port scans, SSL footprinting and named entity recognition via SpaCy, and constructed a machine learning pipeline that predicts relationships between entities using FastRP and Logistic Regression. By analyzing the resulting HIN, we discovered aliases for APT groups and predicted the threat actors behind APT attacks with unknown perpetrators. We observed AUCPR metrics of train score = 96.57% and test score = 92.36%. Our work helps oversee the entire APT landscape, steer ongoing and future CTI operations and support strategic decisions.
Journal description:
Engineering Science and Technology, an International Journal (JESTECH) (formerly Technology), a peer-reviewed quarterly engineering journal, publishes both theoretical and experimental high quality papers of permanent interest, not previously published in journals, in the field of engineering and applied science which aims to promote the theory and practice of technology and engineering. In addition to peer-reviewed original research papers, the Editorial Board welcomes original research reports, state-of-the-art reviews and communications in the broadly defined field of engineering science and technology.
The scope of JESTECH includes a wide spectrum of subjects including:
-Electrical/Electronics and Computer Engineering (Biomedical Engineering and Instrumentation; Coding, Cryptography, and Information Protection; Communications, Networks, Mobile Computing and Distributed Systems; Compilers and Operating Systems; Computer Architecture, Parallel Processing, and Dependability; Computer Vision and Robotics; Control Theory; Electromagnetic Waves, Microwave Techniques and Antennas; Embedded Systems; Integrated Circuits, VLSI Design, Testing, and CAD; Microelectromechanical Systems; Microelectronics, and Electronic Devices and Circuits; Power, Energy and Energy Conversion Systems; Signal, Image, and Speech Processing)
-Mechanical and Civil Engineering (Automotive Technologies; Biomechanics; Construction Materials; Design and Manufacturing; Dynamics and Control; Energy Generation, Utilization, Conversion, and Storage; Fluid Mechanics and Hydraulics; Heat and Mass Transfer; Micro-Nano Sciences; Renewable and Sustainable Energy Technologies; Robotics and Mechatronics; Solid Mechanics and Structure; Thermal Sciences)
-Metallurgical and Materials Engineering (Advanced Materials Science; Biomaterials; Ceramic and Inorganic Materials; Electronic-Magnetic Materials; Energy and Environment; Materials Characterization; Metallurgy; Polymers and Nanocomposites)