
Accurify: Automated New Testflows Generation for Attack Variants in Threat Hunting

  • Conference paper
  • Foundations and Practice of Security (FPS 2023)

Abstract

In the ever-evolving landscape of cyber security, threat hunting has emerged as a proactive line of defense for detecting advanced threats. To evade detection, attackers constantly change their techniques and tactics, creating new attack variants. However, manually creating and executing testflows to test the attacks and attack variants generated by threat hunting systems remains a strenuous, time-consuming task that requires hard-to-acquire expertise. This paper introduces Accurify, a solution that automates the generation of new testflows to test for the existence of attack variants using machine reasoning. Accurify leverages case-based machine reasoning to find similar, already-encountered cases in a security playbook and then reuses them to generate and adjust new testflows tailored to the attack variant in question. By analyzing historical threat data and incorporating real-time threat intelligence feeds, Accurify can generate new testflows for attack variants with high accuracy and precision, validated on a real-world dataset. By automating testflow generation, Accurify enhances the effectiveness of threat hunting and frees security professionals to focus on the strategic aspects of cybersecurity operations.

The research reported in this article is supported by Ericsson Research and the Security Research Centre of Concordia University. This support stems from a collaborative partnership with the National Cybersecurity Consortium (NCC) under the Cyber Security Innovation Network (CSIN).


Notes

  1. APT41: https://attack.mitre.org/groups/G0096/.
  2. APT41: https://attack.mitre.org/groups/G0096/.
  3. CTI KB: https://github.com/EricssonResearch/cti-kb.
  4. Neo4j Graph Data Platform: www.neo4j.com.
  5. MITRE ATT&CK CTI: www.github.com/mitre/cti/.

Author information

Correspondence to Boubakr Nour .


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Nour, B., Pourzandi, M., Kamran Qureshi, R., Debbabi, M. (2024). Accurify: Automated New Testflows Generation for Attack Variants in Threat Hunting. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14552. Springer, Cham. https://doi.org/10.1007/978-3-031-57540-2_5

  • DOI: https://doi.org/10.1007/978-3-031-57540-2_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57539-6

  • Online ISBN: 978-3-031-57540-2
