TY - JOUR
T1 - MITREtrieval
T2 - Retrieving MITRE Techniques From Unstructured Threat Reports by Fusion of Deep Learning and Ontology
AU - Huang, Yi Ting
AU - Vaitheeshwari, R.
AU - Chen, Meng Chang
AU - Lin, Ying Dar
AU - Hwang, Ren Hung
AU - Lin, Po Ching
AU - Lai, Yuan Cheng
AU - Wu, Eric Hsiao Kuang
AU - Chen, Chung Hsuan
AU - Liao, Zi Jie
AU - Chen, Chung Kuan
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2024
Y1 - 2024
N2 - Cyber Threat Intelligence (CTI) plays a crucial role in understanding and preemptively defending against emerging threats. Typically disseminated through unstructured reports, CTI encompasses detailed insights into threat actors, their actions, and attack patterns. The MITRE ATT&CK framework offers a comprehensive catalog of adversary tactics, techniques, and procedures (TTPs), serving as a valuable resource for deciphering attacker behavior and enhancing defensive measures. Addressing the challenge of time-consuming manual analysis of MITRE TTPs in unstructured CTI reports, this paper presents MITREtrieval, a novel system that leverages deep learning and ontology to efficiently extract MITRE techniques. This approach mitigates issues related to the implicit nature of TTPs, textual semantic dependencies, and the scarcity of adequately labeled datasets, enabling more effective analysis even with limited sample sizes. Our approach combines a sophisticated sentence-level BERT deep learning model with ontology knowledge to address sparse data challenges, using a voting algorithm to merge outcomes. This results in a more accurate classification of MITRE techniques, capturing contextual nuances effectively. Our evaluation confirms MITREtrieval's effectiveness in identifying techniques, regardless of their representation in training samples. MITREtrieval has surpassed benchmarks, achieving F2 scores of 58%, 62%, and 69% in multi-label technique identification across 113, 46, and 23 CTI reports, respectively, thereby streamlining CTI analysis and improving threat intelligence.
AB - Cyber Threat Intelligence (CTI) plays a crucial role in understanding and preemptively defending against emerging threats. Typically disseminated through unstructured reports, CTI encompasses detailed insights into threat actors, their actions, and attack patterns. The MITRE ATT&CK framework offers a comprehensive catalog of adversary tactics, techniques, and procedures (TTPs), serving as a valuable resource for deciphering attacker behavior and enhancing defensive measures. Addressing the challenge of time-consuming manual analysis of MITRE TTPs in unstructured CTI reports, this paper presents MITREtrieval, a novel system that leverages deep learning and ontology to efficiently extract MITRE techniques. This approach mitigates issues related to the implicit nature of TTPs, textual semantic dependencies, and the scarcity of adequately labeled datasets, enabling more effective analysis even with limited sample sizes. Our approach combines a sophisticated sentence-level BERT deep learning model with ontology knowledge to address sparse data challenges, using a voting algorithm to merge outcomes. This results in a more accurate classification of MITRE techniques, capturing contextual nuances effectively. Our evaluation confirms MITREtrieval's effectiveness in identifying techniques, regardless of their representation in training samples. MITREtrieval has surpassed benchmarks, achieving F2 scores of 58%, 62%, and 69% in multi-label technique identification across 113, 46, and 23 CTI reports, respectively, thereby streamlining CTI analysis and improving threat intelligence.
KW - Cybersecurity
KW - deep learning
KW - MITRE ATT&CK
KW - natural language processing
KW - ontology
KW - threat intelligence
UR - http://www.scopus.com/inward/record.url?scp=85194886784&partnerID=8YFLogxK
U2 - 10.1109/TNSM.2024.3401200
DO - 10.1109/TNSM.2024.3401200
M3 - Journal article
AN - SCOPUS:85194886784
SN - 1932-4537
VL - 21
SP - 4871
EP - 4887
JO - IEEE Transactions on Network and Service Management
JF - IEEE Transactions on Network and Service Management
IS - 4
ER -