Architecting threat hunting system based on the DODAF framework

The Journal of Supercomputing

Abstract

The importance of large-scale data analytic systems for cyber security is growing. Systematically collecting, thoroughly assessing, and synthesizing the literature on architectural techniques for developing such systems is therefore critical, yet there is no general overview of architectural techniques for developing threat intelligence systems. Threat hunting is an analyst-centric process that helps organizations discover hidden advanced threats that are missed by automated preventive and investigative systems. The Department of Defense Architecture Framework (DODAF) establishes a modeling framework for capturing high-level system design and operational requirements. This paper presents different threat hunting system viewpoints using the DODAF attribute-based method. The proposed architecture is enriched by the state-of-the-art MITRE ATT&CK and D3FEND frameworks. We also propose a unique approach to inferring malicious threat category associations by comparing the similarity of suspicious and malicious events; using the rich technique catalogue of ATT&CK makes the similarity measure between malicious and suspicious files more accurate. Finally, we used a survey questionnaire to collect relational data and assess the impact of qualitative attributes on the development of threat hunting processes, evaluating the proposed hunting architecture indirectly against twelve essential quality attributes. We believe that the proposed method can reduce the architectural shortcomings in threat hunting system development.
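The abstract describes inferring a threat category for a suspicious sample by comparing its observed ATT&CK techniques with those of known malicious samples. The following is an added illustration, not code from the paper or its authors: it scores a suspicious sample's technique set against constructed malware-family profiles with a Jaccard similarity computed at both sub-technique and parent-technique granularity, so that a sample using `T1059.001` still partially matches a family that used `T1059.003`. The family names and technique profiles are constructed for the example (the technique identifiers are real ATT&CK IDs, but the profiles are not the paper's Table 2 or Table 3 data), and the 0.5 blending weight and 0.3 decision threshold are assumptions.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed profiles: the ATT&CK technique IDs observed for two hypothetical
# malware families. Not taken from the paper; purely illustrative.
KNOWN_MALWARE: Dict[str, Set[str]] = {
    "ransomware-family-A": {"T1486", "T1490", "T1083", "T1082", "T1059.003", "T1047"},
    "credential-stealer-B": {"T1003.001", "T1555.003", "T1082", "T1057", "T1071.001"},
}

# Constructed technique set for a suspicious sample (e.g. from a sandbox report).
SUSPICIOUS: Set[str] = {"T1486", "T1490", "T1083", "T1059.001", "T1057"}


def parent_technique(technique_id: str) -> str:
    """Map a sub-technique such as T1059.001 to its parent T1059."""
    return technique_id.split(".", 1)[0]


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity |A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def technique_similarity(suspicious: Set[str], known: Set[str],
                         exact_weight: float = 0.5) -> float:
    """Blend exact (sub-technique) and coarse (parent-technique) Jaccard scores.

    The coarse score rewards samples that use a different variant of the same
    parent technique; exact_weight controls how much the precise match counts.
    """
    exact = jaccard(suspicious, known)
    coarse = jaccard({parent_technique(t) for t in suspicious},
                     {parent_technique(t) for t in known})
    return exact_weight * exact + (1.0 - exact_weight) * coarse


def rank_categories(suspicious: Set[str],
                    families: Dict[str, Set[str]]) -> List[Tuple[str, float]]:
    """Return (family, score) pairs, highest similarity first."""
    scored = [(name, technique_similarity(suspicious, techniques))
              for name, techniques in families.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def infer_category(suspicious: Set[str], families: Dict[str, Set[str]],
                   threshold: float = 0.3) -> Optional[str]:
    """Pick the best-matching family, or None when nothing reaches the threshold.

    Returning None is deliberate: a low score should send the sample to an
    analyst rather than force an association onto it.
    """
    ranked = rank_categories(suspicious, families)
    if not ranked or ranked[0][1] < threshold:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    for family, score in rank_categories(SUSPICIOUS, KNOWN_MALWARE):
        print(f"{family:24s} {score:.3f}")
    print("inferred category:", infer_category(SUSPICIOUS, KNOWN_MALWARE))
```

With the constructed profiles the ransomware family scores 0.5 × 3/8 + 0.5 × 4/7 ≈ 0.473 and the credential stealer 0.111, so the sample is associated with the ransomware family; a sample sharing no techniques with any profile returns `None` and is left for analyst triage.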


Data availability

All data generated or analyzed during this study are included in this published article. Analyzed techniques of Wannacry ransomware supporting Table 2 are publicly available on the Any Run website and are available in the ATT&CK MATRIX section at https://app.any.run/tasks/66f00cc0-a177-432a-b471-685d5a70b8c9. Analyzed techniques of Hydra malware supporting Table 2 are publicly available on the Any Run website and are available in the ATT&CK MATRIX section at https://app.any.run/tasks/d650c063-37b6-4cdd-89b4-d60c956031ac. Analyzed techniques of suspicious file supporting Table 3 are publicly available on the Any Run website and are available in the ATT&CK MATRIX section at https://app.any.run/tasks/c8ad2625-f4c8-4212-82d6-de7769338e9d.


Corresponding author

Correspondence to Ebrahim Mahdipour.


Cite this article

Aghamohammadpour, A., Mahdipour, E. & Attarzadeh, I. Architecting threat hunting system based on the DODAF framework. J Supercomput 79, 4215–4242 (2023). https://doi.org/10.1007/s11227-022-04808-6
