MITREtrieval: Retrieving MITRE Techniques From Unstructured Threat Reports by Fusion of Deep Learning and Ontology

Yi Ting Huang, R. Vaitheeshwari, Meng Chang Chen, Ying Dar Lin, Ren Hung Hwang, Po Ching Lin, Yuan Cheng Lai, Eric Hsiao Kuang Wu, Chung Hsuan Chen, Zi Jie Liao, Chung Kuan Chen

Research output: Contribution to journal › Article › peer-review

Abstract

Cyber Threat Intelligence (CTI) plays a crucial role in understanding and preemptively defending against emerging threats. Typically disseminated as unstructured reports, CTI carries detailed information about threat actors, their actions, and their attack patterns. The MITRE ATT&CK framework offers a comprehensive catalog of adversary tactics, techniques, and procedures (TTPs) and is a valuable resource for interpreting attacker behavior and strengthening defenses. Because manually mapping the TTPs described in unstructured CTI reports to ATT&CK is time-consuming, this paper presents MITREtrieval, a system that combines deep learning with an ontology to extract MITRE techniques efficiently. The approach addresses three difficulties: TTPs are often described only implicitly, their meaning depends on the surrounding text, and adequately labeled datasets are scarce, so a method must work with few samples per technique. MITREtrieval pairs a sentence-level BERT model with ontology knowledge to cope with sparse data and merges the two outputs with a voting algorithm, yielding a more accurate, context-aware classification of MITRE techniques. Our evaluation confirms that MITREtrieval identifies techniques effectively regardless of how well they are represented in the training samples. MITREtrieval surpasses the benchmarks, achieving F2 scores of 58%, 62%, and 69% in multi-label technique identification across 113, 46, and 23 CTI reports, respectively, thereby streamlining CTI analysis and improving threat intelligence.
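The abstract names two ingredients that are easy to misread without a concrete instance: fusing the sentence-level model's output with the ontology matcher's output by voting, and scoring the result with F2, a recall-weighted measure. The block below is an added illustration, not the MITREtrieval authors' code: the weighted-vote rule (keep a technique when the summed weight of sources proposing it reaches a threshold), the four-sentence sample report, its technique labels, and the ground truth are all constructed here, and the paper's actual voting rule may differ. The F-beta formula itself is standard; micro-averaging across reports is assumed, since the abstract does not state the averaging mode.

```python
from collections import Counter

# Constructed sample report: per-sentence ATT&CK technique IDs proposed by a
# hypothetical sentence-level classifier and by a hypothetical ontology matcher.
# Sentences, labels and ground truth are invented for illustration.
DEEP_MODEL_VOTES = {
    "s1": {"T1566.001"},
    "s2": {"T1059.001"},
    "s3": {"T1027"},
    "s4": {"T1003.001", "T1021.002"},
}
ONTOLOGY_VOTES = {
    "s1": {"T1566.001", "T1204.002"},
    "s2": {"T1059.001"},
    "s3": set(),
    "s4": {"T1003.001", "T1078"},
}
TRUE_TECHNIQUES = {"T1566.001", "T1059.001", "T1204.002", "T1003.001", "T1027"}


def report_labels(source):
    """Collapse one source's sentence-level proposals into a report-level set."""
    return set().union(*source.values())


def fuse_by_voting(sources, weights=None, threshold=1.0):
    """Weighted vote across sources (assumed rule, not the paper's own).
    A technique is retained when the summed weight of the sources that propose
    it anywhere in the report reaches `threshold`. With unit weights,
    threshold=1.0 is a union and threshold=len(sources) is an intersection."""
    weights = weights or [1.0] * len(sources)
    score = Counter()
    for src, w in zip(sources, weights):
        for tech in report_labels(src):
            score[tech] += w
    return {t for t, s in score.items() if s >= threshold}


def confusion(predicted, truth):
    """Multi-label TP/FP/FN for one report."""
    return len(predicted & truth), len(predicted - truth), len(truth - predicted)


def f_beta(tp, fp, fn, beta=2.0):
    """F_beta = (1 + b^2) * P * R / (b^2 * P + R). beta=2 weights recall
    more heavily than precision, which suits CTI extraction, where a missed
    technique usually costs more than a spurious one."""
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    b2 = beta * beta
    return (1 + b2) * precision * recall / (b2 * precision + recall)


def micro_fbeta(predicted_sets, truth_sets, beta=2.0):
    """Micro-averaged F_beta over several reports: pool TP/FP/FN, then score."""
    tp = fp = fn = 0
    for pred, truth in zip(predicted_sets, truth_sets):
        a, b, c = confusion(pred, truth)
        tp, fp, fn = tp + a, fp + b, fn + c
    return f_beta(tp, fp, fn, beta)


def evaluate_strategies():
    """F2 for each source alone and for two voting thresholds on the sample."""
    sources = [DEEP_MODEL_VOTES, ONTOLOGY_VOTES]
    strategies = {
        "deep_only": report_labels(DEEP_MODEL_VOTES),
        "ontology_only": report_labels(ONTOLOGY_VOTES),
        "vote_union": fuse_by_voting(sources, threshold=1.0),
        "vote_agree": fuse_by_voting(sources, threshold=2.0),
    }
    return {name: micro_fbeta([pred], [TRUE_TECHNIQUES])
            for name, pred in strategies.items()}


if __name__ == "__main__":
    for name, score in evaluate_strategies().items():
        print(f"{name:14s} F2 = {score:.3f}")
```

On this constructed sample each source alone misses one true technique and adds one false one (F2 = 0.80 each); requiring agreement drops recall and F2 falls to about 0.65, while the union keeps every true technique at the cost of two false positives and scores about 0.93. That ordering is the point of reporting F2 rather than F1: a fusion rule tuned for F2 should lean toward recall, and a threshold that demands both sources agree is penalized for every technique only one of them saw.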

Original language: English
Pages (from-to): 4871-4887
Number of pages: 17
Journal: IEEE Transactions on Network and Service Management
Volume: 21
Issue number: 4
DOIs
State: Published - 2024

Keywords

  • Cybersecurity
  • deep learning
  • MITRE ATT&CK
  • natural language processing
  • ontology
  • threat intelligence
