Abstract
In the fast-evolving world of Cybersecurity, an analyst often has the difficult task of responding to new threats and attack campaigns within a limited amount of time. If an analyst fails to do so, this can lead to severe consequences for the system under attack. In this work, we are motivated to aid the security analyst by introducing a tool which will help to produce a swift and effective response to incoming threats. If an analyst identifies the nature of an incoming attack, our system can produce a ranked list of solutions for the analyst to quickly try out, saving both effort and time. Currently, the security analyst is typically left to manually produce a solution by consulting existing frameworks and knowledge bases, such as the ATT &CK and D3FEND frameworks by the MITRE Corporation. To solve these challenges, our tool leverages state-of-the-art machine learning frameworks to provide a comprehensive solution for security analysts. Our tool uses advanced natural language processing techniques, including a large language model (RoBERTa), to derive meaningful semantic associations between descriptions of offensive techniques and defensive countermeasures. Experimental results confirm that our proposed method can provide useful suggestions to the security analyst with good accuracy, especially in comparison to baseline approaches which fail to exhibit the semantic and contextual understanding necessary to make such associations.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Akbar, K.A., Wang, Y., Islam, M.S., Singhal, A., Khan, L., Thuraisingham, B.: Identifying tactics of advanced persistent threats with limited attack traces. In: Tripathy, S., Shyamasundar, R.K., Ranjan, R. (eds.) ICISS 2021. LNCS, vol. 13146, pp. 3–25. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92571-0_1
Ayoade, G., et al.: Evolving advanced persistent threat detection using provenance graph and metric learning. In: 2020 IEEE Conference on Communications and Network Security (CNS), pp. 1–9 (2020). https://doi.org/10.1109/CNS48642.2020.9162264
Ayoade, G., Chandra, S., Khan, L., Hamlen, K., Thuraisingham, B.: Automated threat report classification over multi-source data. In: 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC), pp. 236–245 (2018). https://doi.org/10.1109/CIC.2018.00040
Booth, H., Rike, D., Witte, G.: The national vulnerability database (NVD): Overview (2013-12-18 2013). https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=915172
Debnath, B., et al.: Loglens: a real-time log analysis system. In: 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), pp. 1052–1062 (2018). https://doi.org/10.1109/ICDCS.2018.00105
Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. In: NAACL (2019)
Face, H.: RoBERTae (2019). https://huggingface.co/docs/transformers/model_doc/roberta. Accessed 26 Mar 2022
GloVe: Global vectors for word representation (2014). https://nlp.stanford.edu/projects/glove/. Accessed 21 Mar 2022
Han, J., Khan, L., Masud, M., Gao, J., Thuraisingham, B.: Systems and methods for detecting a novel data class, October 2015, 9165051
Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Lead. Issues Inf. Warfare Secur. Res. 1, 80 (2011)
Jibilian, I., Canales, K.: The US is readying sanctions against Russia over the SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal (2021). https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12. Accessed 13-April 2022
Liu, Y., et al.: RoBERTa: a robustly optimized BERT pretraining approach. arXiv:abs/1907.11692 (2019)
Masud, M.M., Gao, J., Khan, L., Han, J., Thuraisingham, B.: Classification and novel class detection in data streams with active mining. In: Zaki, M.J., Yu, J.X., Ravindran, B., Pudi, V. (eds.) PAKDD 2010. LNCS (LNAI), vol. 6119, pp. 311–324. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13672-6_31
Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space (2013)
Mikolov, T., Sutskever, I., Chen, K., Corrado, G., Dean, J.: Distributed representations of words and phrases and their compositionality. CoRR abs/1310.4546 (2013). http://arxiv.org/abs/1310.4546
MITRE: CVE. https://cve.mitre.org/
MITRE: Enterprise matrix (2015–2021). https://attack.mitre.org/matrices/enterprise/. Accessed 10 Mar 2022
MITRE: D3fend (2021). https://d3fend.mitre.org. Accessed 10 Mar 2022
OpenCV: Zero-shot learning : An introduction (2020). https://learnopencv.com/zero-shot-learning-an-introduction/. Accessed 13 Mar 2022
OpenIOC: Open indicator of compromise (2013). https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html. Accessed 18 June 2021
Pennington, J., Socher, R., Manning, C.D.: Glove: Global vectors for word representation. In: Empirical Methods in Natural Language Processing (EMNLP), pp. 1532–1543 (2014). http://www.aclweb.org/anthology/D14-1162
Sammut, C., Webb, G.I. (eds.): TF-IDF, pp. 986–987. Springer, US, Boston, MA (2010). https://doi.org/10.1007/978-0-387-30164-8_832
STIX: Structured threat information expression (2021). https://oasis-open.github.io/cti-documentation. Accessed 18 June 2021
Strom, B.E., et al.: Finding cyber threats with ATT &CK - based analytics, June 2017. https://www.mitre.org/publications/technical-papers/finding-cyber-threats-with-attck-based-analytics
TAXII: Trusted automated exchange of intelligence information (2021). https://oasis-open.github.io/cti-documentation. Accessed 18 June 2021
Zou, Q., Singhal, A., Sun, X., Liu, P.: Deep learning for detecting network attacks: an end to end approach. No. 12840, DBSec 2021: Data and Applications Security and Privacy XXXV, Virtual, US (2021-07-19 04:07:00 2021). https://doi.org/10.1007/978-3-030-81242-3_13, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=930878
Acknowledgement
The research reported herein was supported in part by NSF awards DMS-1737978, DGE-2039542, OAC-1828467, OAC-1931541, and DGE-1906630, ONR awards N00014-17-1-2995 and N00014-20-1-2738, Army Research Office Contract No. W911NF2110032, DARPA FA8750-19-C-0006, and IBM faculty award (Research).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Akbar, K.A., Halim, S.M., Hu, Y., Singhal, A., Khan, L., Thuraisingham, B. (2022). Knowledge Mining in Cybersecurity: From Attack to Defense. In: Sural, S., Lu, H. (eds) Data and Applications Security and Privacy XXXVI. DBSec 2022. Lecture Notes in Computer Science, vol 13383. Springer, Cham. https://doi.org/10.1007/978-3-031-10684-2_7
Download citation
DOI: https://doi.org/10.1007/978-3-031-10684-2_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-10683-5
Online ISBN: 978-3-031-10684-2
eBook Packages: Computer ScienceComputer Science (R0)