AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Zhenyuan Li, Jun Zeng, Yan Chen*, Zhenkai Liang

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Cyber attacks are becoming more sophisticated and diverse, making attack detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, because CTI reports are written in natural language and are not structured for automatic analysis, using them requires tedious manual effort to recover the threat intelligence they contain. Additionally, an individual report typically covers only a limited aspect of an attack pattern (e.g., a technique) and is therefore insufficient to provide a comprehensive view of attacks with multiple variants. In this paper, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the associated attack techniques. We then aggregate threat intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs into technique knowledge graphs (TKGs). In our evaluation against real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromise. To further verify the accuracy of AttacKG in extracting threat intelligence, we run AttacKG on 16 manually labeled CTI reports. Experimental results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789 respectively, outperforming the state-of-the-art approaches. Moreover, our TKGs directly benefit downstream security practices built atop attack techniques, e.g., advanced persistent threat detection and cyber attack reconstruction.

Original language: English (US)
Title of host publication: Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
Editors: Vijayalakshmi Atluri, Roberto Di Pietro, Christian D. Jensen, Weizhi Meng
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 589-609
Number of pages: 21
ISBN (Print): 9783031171390
DOIs
State: Published - 2022
Event: 27th European Symposium on Research in Computer Security, ESORICS 2022 - Virtual, Online
Duration: Sep 26 2022 – Sep 30 2022

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13554 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 27th European Symposium on Research in Computer Security, ESORICS 2022
City: Virtual, Online
Period: 9/26/22 – 9/30/22

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)
