TriCTI:an actionable cyber threat intelligence discovery system via trigger-enhanced neural network  被引量：7

作　　者：Jian Lu Junjie Yan Jun Jiang Yitong He Xuren Wang Zhengwei jiang Peian Yang Ning Li 

机构地区：[1]Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China [2]School of Cyber Security,University of Chinese Academy of Sciences,Bejing 100029,China [3]College of Information Engineering,Capital Normal University,Beijing 100048,China

出　　处：《Cybersecurity》2022年第3期18-33,共16页网络空间安全科学与技术（英文）

基　　金：Our research was supported by the National Key Research and Development Program of China(Nos.2019QY1301,2018YFB0805005,2018YFC0824801).

摘　　要：The cybersecurity report provides unstructured actionable cyber threat intelligence(CTI)with detailed threat attack procedures and indicators of compromise(IOCs),e.g.,malware hash or URL(uniform resource locator)of command and control server.The actionable CTI,integrated into intrusion detection systems,can not only prioritize the most urgent threats based on the campaign stages of attack vectors(i.e.,IOCs)but also take appropriate mitigation measures based on contextual information of the alerts.However,the dramatic growth in the number of cybersecurity reports makes it nearly impossible for security professionals to find an efficient way to use these massive amounts of threat intelligence.In this paper,we propose a trigger-enhanced actionable CTI discovery system(TriCTI)to portray a relationship between IOCs and campaign stages and generate actionable CTI from cybersecurity reports through natural language processing(NLP)technology.Specifically,we introduce the“campaign trigger”for an effective explanation of the campaign stages to improve the performance of the classification model.The campaign trigger phrases are the keywords in the sentence that imply the campaign stage.The trained final trigger vectors have similar space representations with the keywords in the unseen sentence and will help correct classification by increasing the weight of the keywords.We also meticulously devise a data augmentation specifically for cybersecurity training sets to cope with the challenge of the scarcity of annotation data sets.Compared with state-of-the-art text classification models,such as BERT,the trigger-enhanced classification model has better performance with accuracy(86.99%)and F1 score(87.02%).We run TriCTI on more than 29k cybersecurity reports,from which we automatically and efficiently collect 113,543 actionable CTI.In particular,we verify the actionability of discovered CTI by using large-scale field data from VirusTotal(VT).The results demonstrate that the threat intelligence provided by VT lacks a part of

关 键 词：Actionable cyber threat intelligence Campaign trigger Indicators of compromise(IOCs) Natural language processing(NLP) 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程]