Attack Tactic Labeling for Cyber Threat Hunting
Recently, cyber attacks have become more complex and targeted, making traditional security defense mechanisms based on the "Indicator of Compromise" ineffective. Furthermore, failing to consider the attack kill chain may lead to a high false-positive rate for attack detection. To trace hackers' behaviors and footprints, it is crucial to provide additional information such as attack tactics, techniques, and procedures in detecting attacks. In this study, we propose a mechanism for labeling attack tactics of network intrusion detection system (NIDS) rules on the basis of text mining and machine learning. The proposed approach can help security experts determine the current attack state and infer its purpose, making it possible to detect complex attacks (e.g., APT). Besides, we refer to the ATT&CK framework developed by MITRE (a leading organization in information security) to strengthen the reliability of labeling results. The experiment result shows that the accuracy of our proposed mechanism can effectively boost the performance of attack tactic labeling. The experimental result shows that the F1 score of our approach is more than 90% and up to approximately 96%, which can effectively assist cyber security experts in tactic labeling and provides a solid base for further alert correlation. Moreover, we also compare our approach with one of the well-known TTP labeling tools, rcATT; the result shows that our approach's accuracy, precision, recall, and F1 score are all significantly better than rcATT.
Main Authors: | Lin, Sheng-Xiang; Li, Zong-Jyun; Chen, Tzu-Yang; Wu, Dong-Jie |
---|---|
Format: | Conference Proceeding |
Language: | English |
Subjects: | APT detection; Cyber kill chain; Cyber threat hunting; Information security; Machine learning; Machine learning algorithms; Malicious Traffic Detection; Network intrusion detection; Organizations; Solids; Tactic labeling; Text mining |
Online Access: | https://ieeexplore.ieee.org/document/9728949 |
container_start_page | 34 |
---|---|
container_end_page | 39 |
creator | Lin, Sheng-Xiang; Li, Zong-Jyun; Chen, Tzu-Yang; Wu, Dong-Jie |
description | Recently, cyber attacks have become more complex and targeted, making traditional security defense mechanisms based on the "Indicator of Compromise" ineffective. Furthermore, failing to consider the attack kill chain may lead to a high false-positive rate for attack detection. To trace hackers' behaviors and footprints, it is crucial to provide additional information such as attack tactics, techniques, and procedures in detecting attacks. In this study, we propose a mechanism for labeling attack tactics of network intrusion detection system (NIDS) rules on the basis of text mining and machine learning. The proposed approach can help security experts determine the current attack state and infer its purpose, making it possible to detect complex attacks (e.g., APT). Besides, we refer to the ATT&CK framework developed by MITRE (a leading organization in information security) to strengthen the reliability of labeling results. The experiment result shows that the accuracy of our proposed mechanism can effectively boost the performance of attack tactic labeling. The experimental result shows that the F1 score of our approach is more than 90% and up to approximately 96%, which can effectively assist cyber security experts in tactic labeling and provides a solid base for further alert correlation. Moreover, we also compare our approach with one of the well-known TTP labeling tools, rcATT; the result shows that our approach's accuracy, precision, recall, and F1 score are all significantly better than rcATT. |
doi_str_mv | 10.23919/ICACT53585.2022.9728949 |
format | conference_proceeding |
fulltext | fulltext_linktorsrc |
identifier | EISSN: 1738-9445 |
ispartof | 2022 24th International Conference on Advanced Communication Technology (ICACT), 2022, p.34-39 |
issn | 1738-9445 |
language | eng |
recordid | cdi_ieee_primary_9728949 |
source | IEEE Xplore All Conference Series |
subjects | APT detection; Cyber kill chain; Cyber threat hunting; Information security; Machine learning; Machine learning algorithms; Malicious Traffic Detection; Network intrusion detection; Organizations; Solids; Tactic labeling; Text mining |
title | Attack Tactic Labeling for Cyber Threat Hunting |