Abstract
The exponential growth of cyberattacks in recent years has highlighted the inadequacy of existing detection mechanisms and therefore the need to develop more relevant predictive models and methods in the field of Cyber Threat Intelligence (CTI). Many cybersecurity systems use behavioral indicators of compromise (IoCs), such as tactics, techniques, and procedures (TTPs), to design their defense strategies and detect future attacks attempts in an early stage. Typically, behavioral IoCs are gathered from unstructured incident reports, often written in natural language, and are typically extracted with manual analysis by cybersecurity experts. However, due to the huge number of reports daily released, this task has become more difficult and time-consuming to make it effective. In this paper, we propose a framework based on Bidirectional Encoder Representations from Transformers (BERT) to identify and recognize behavioral IoCs in incident reports. The results of our contribution showed a significant improvement of the F1-score compared to the state-of-the-art works.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Alves, F., Ferreira, P.M., Bessani, A.: Design of a classification model for a Twitter-based streaming threat monitor. In: 2019 49th annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), pp. 9–14. IEEE (2019)
Asiri, M., Saxena, N., Gjomemo, R., Burnap, P.: Understanding indicators of compromise against cyber-attacks in industrial control systems: a security perspective. ACM Trans. Cyber-phys. Syst. 7(2), 1–33 (2023)
Brown, S., Gommers, J., Serrano, O.: From cyber security information sharing to threat management. In: Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, pp. 43–49 (2015)
CrowdStrike, Inc. https://www.crowdstrike.com/
Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018)
FireEye, Inc. https://www.fireeye.com/
Fujii, S., Kawaguchi, N., Shigemoto, T., Yamauchi, T.: CyNER: information extraction from unstructured text of CTI sources with noncontextual IOCs. In: Cheng, CM., Akiyama, M. (eds.) Advances in Information and Computer Security, IWSEC 2022. LNCS, vol. 13504, pp. 85–104. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15255-9_5
Ghazi, Y., Anwar, Z., Mumtaz, R., Saleem, S., Tahir, A.: A supervised machine learning based approach for automatically extracting high-level threat intelligence from unstructured sources. In: 2018 International Conference on Frontiers of Information Technology (FIT), pp. 129–134. IEEE (2018)
Jang, B., Kim, M., Harerimana, G., Kang, S., Kim, J.W.: Bi-LSTM model to increase accuracy in text classification: combining Word2vec CNN and attention mechanism. Appl. Sci. 10(17), 5841 (2020)
Lehto, M.: Apt cyber-attack modelling: building a general model. In: International Conference on Cyber Warfare and Security, vol. 17, pp. 121–129. Academic Conferences International Limited (2022)
Ma, P., Jiang, B., Lu, Z., Li, N., Jiang, Z.: Cybersecurity named entity recognition using bidirectional long short-term memory with conditional random fields. Tsinghua Sci. Technol. 26(3), 259–265 (2020)
Mohammad, R.M., Thabtah, F., McCluskey, L.: Intelligent rule-based phishing websites classification. IET Inf. Secur. 8(3), 153–160 (2014)
Peters, M.E., et al.: Deep contextualized word representations. In: Proceedings of the 2018 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT), Volume 1 (Long Papers) (2018)
Radford, A., Narasimhan, K., Salimans, T., Sutskever, I., et al.: Improving language understanding by generative pre-training (2018)
Roy, A., Park, Y., Pan, S.: Learning domain-specific word embeddings from sparse cybersecurity texts. arXiv preprint arXiv:1709.07470 (2017)
Sapienza, A., Ernala, S.K., Bessi, A., Lerman, K., Ferrara, E.: DISCOVER: mining online chatter for emerging cyber threats. In: Companion Proceedings of the The Web Conference 2018, pp. 983–990 (2018)
Shahi, M.A.H.: Tactics, techniques and procedures (TTPs) to augment cyber threat intelligence (CTI): a comprehensive study (2018)
Strom, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G., Thomas, C.B.: MITRE ATT &CK: Design and Philosophy. Technical report. The MITRE Corporation (2018)
Vaswani, A., et al.: Attention is all you need. In: Advances in Neural Information Processing Systems, vol. 30 (2017)
Acknowledgments
I am grateful to Prof. Kamel ADI for his mentorship and guidance throughout this paper. I also extend my thanks to the members of the Computer Security Research Laboratory (LRSI) at the University of Quebec in Outaouais for their collaborative support and insightful discussions that greatly enhanced this work.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bekhouche, M.E.A., Adi, K. (2024). A BERT-Based Framework for Automated Extraction of Behavioral Indicators of Compromise from Security Incident Reports. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-031-57537-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57536-5
Online ISBN: 978-3-031-57537-2
eBook Packages: Computer ScienceComputer Science (R0)