EXTRACTOR: Extracting Attack Behavior from Threat Reports

04/17/2021
by   Kiavash Satvat, et al.
0

The knowledge on attacks contained in Cyber Threat Intelligence (CTI) reports is very important to effectively identify and quickly respond to cyber threats. However, this knowledge is often embedded in large amounts of text, and therefore difficult to use effectively. To address this challenge, we propose a novel approach and tool called EXTRACTOR that allows precise automatic extraction of concise attack behaviors from CTI reports. EXTRACTOR makes no strong assumptions about the text and is capable of extracting attack behaviors as provenance graphs from unstructured text. We evaluate EXTRACTOR using real-world incident reports from various sources as well as reports of DARPA adversarial engagements that involve several attack campaigns on various OS platforms of Windows, Linux, and FreeBSD. Our evaluation results show that EXTRACTOR can extract concise provenance graphs from CTI reports and show that these graphs can successfully be used by cyber-analytics tools in threat-hunting.

READ FULL TEXT

page 12

page 18

research
11/13/2021

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Cyber attacks are becoming more sophisticated and diverse, making detect...
research
09/30/2019

POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting

Cyber threat intelligence (CTI) is being used to search for indicators o...
research
11/01/2022

Looking Beyond IoCs: Automatically Extracting Attack Patterns from External CTI

Public and commercial companies extensively share cyber threat intellige...
research
07/25/2023

EmphasisChecker: A Tool for Guiding Chart and Caption Emphasis

Recent work has shown that when both the chart and caption emphasize the...
research
07/29/2022

GoodFATR: A Platform for Automated Threat Report Collection and IOC Extraction

To adapt to a constantly evolving landscape of cyber threats, organizati...
research
10/05/2022

From Threat Reports to Continuous Threat Intelligence: A Comparison of Attack Technique Extraction Methods from Textual Artifacts

The cyberthreat landscape is continuously evolving. Hence, continuous mo...
research
09/06/2023

CVE-driven Attack Technique Prediction with Semantic Information Extraction and a Domain-specific Language Model

This paper addresses a critical challenge in cybersecurity: the gap betw...

Please sign up or login with your details

Forgot password? Click here to reset