CSKG4APT: A Cybersecurity Knowledge Graph for Advanced Persistent Threat Organization Attribution

Bibliographic Details
Published in: IEEE Transactions on Knowledge and Data Engineering, 2023-06, Vol. 35 (6), pp. 5695-5709
Main Authors: Ren, Yitong; Xiao, Yanjun; Zhou, Yinghai; Zhang, Zhiyong; Tian, Zhihong
Format: Article
Language: English
Description
Summary: Open-source cyber threat intelligence (OSCTI) is becoming more influential in obtaining current network security information. Most studies on cyber threat intelligence (CTI) focus on automating the extraction of threat entities from public sources that describe attack events. The cybersecurity knowledge graph aims to change the expression of threat knowledge so that security researchers can accurately and efficiently obtain various types of threat information for preliminary intelligent decisions. The attribution technology can not only assist security analysts in detecting advanced persistent threats, but can also identify the same threat from different attack events. Therefore, it is important to trace the attack threat actor. In this study, we used the knowledge graph technology, considered the latest research on cyber threat attack attribution, and thoroughly examined key related technologies and theories in the process of constructing and applying the advanced persistent threat (APT) knowledge graph from OSCTI. We designed a cybersecurity platform named CSKG4APT based on a knowledge graph. Inspired by the theory of ontology, we constructed CSKG4APT as an APT knowledge graph model based on real APT attack scenarios. We then designed an APT threat knowledge extraction algorithm for completing and updating the knowledge graph using deep learning and expert knowledge. Finally, we proposed a practical APT attack attribution method with attribution and countermeasures. CSKG4APT is not a passive defense method in traditional network confrontation but one that integrates a large amount of fragmented intelligence and can actively adjust its defense strategy. It lays the foundation for further dominance in network attack and defense.
ISSN: 1041-4347, 1558-2191
DOI: 10.1109/TKDE.2022.3175719