
Attack Tactic Labeling for Cyber Threat Hunting


Bibliographic Details
Main Authors: Lin, Sheng-Xiang; Li, Zong-Jyun; Chen, Tzu-Yang; Wu, Dong-Jie
Format: Conference Proceeding
Language: English
Description
Summary: Recently, cyber attacks have become more complex and targeted, making traditional security defense mechanisms based on the "Indicator of Compromise" ineffective. Furthermore, failing to consider the attack kill chain may lead to a high false-positive rate in attack detection. To trace hackers' behaviors and footprints, it is crucial to provide additional information such as attack tactics, techniques, and procedures when detecting attacks. In this study, we propose a mechanism for labeling the attack tactics of network intrusion detection system (NIDS) rules on the basis of text mining and machine learning. The proposed approach can help security experts determine the current attack state and infer its purpose, making it possible to detect complex attacks (e.g., APT). In addition, we refer to the ATT&CK framework developed by MITRE (a leading organization in information security) to strengthen the reliability of the labeling results. The experimental results show that our proposed mechanism effectively boosts the accuracy of attack tactic labeling: the F1 score of our approach is more than 90% and up to approximately 96%, which can effectively assist cyber security experts in tactic labeling and provides a solid base for further alert correlation. Moreover, we also compare our approach with one of the well-known TTP labeling tools, rcATT; the result shows that our approach's accuracy, precision, recall, and F1 score are all significantly better than those of rcATT.
ISSN: 1738-9445
DOI: 10.23919/ICACT53585.2022.9728949