AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Zhenyuan Li; Jun Zeng; Yan Chen; Zhenkai Liang

doi:10.1007/978-3-031-17140-6_29

AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

Zhenyuan Li, Jun Zeng, Yan Chen^*, Zhenkai Liang

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Cyber attacks are becoming more sophisticated and diverse, making attack detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious manual efforts of threat intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (e.g., techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants. In this paper, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the associated attack techniques. We then aggregate threat intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs into technique knowledge graphs (TKGs). In our evaluation against real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises. To further verify the accuracy of AttacKG in extracting threat intelligence, we run AttacKG on 16 manually labeled CTI reports. Experimental results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789, which outperforms the state-of-the-art approaches. Moreover, our TKGs directly benefit downstream security practices built atop attack techniques, e.g., advanced persistent threat detection and cyber attack reconstruction.

Original language	English (US)
Title of host publication	Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
Editors	Vijayalakshmi Atluri, Roberto Di Pietro, Christian D. Jensen, Weizhi Meng
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	589-609
Number of pages	21
ISBN (Print)	9783031171390
DOIs	https://doi.org/10.1007/978-3-031-17140-6_29
State	Published - 2022
Event	27th European Symposium on Research in Computer Security, ESORICS 2022 - Virtual, Online Duration: Sep 26 2022 → Sep 30 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13554 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	27th European Symposium on Research in Computer Security, ESORICS 2022
City	Virtual, Online
Period	9/26/22 → 9/30/22

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-031-17140-6_29

Cite this

Li, Z., Zeng, J., Chen, Y., & Liang, Z. (2022). AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports. In V. Atluri, R. Di Pietro, C. D. Jensen, & W. Meng (Eds.), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings (pp. 589-609). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13554 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-17140-6_29

Li, Zhenyuan ; Zeng, Jun ; Chen, Yan et al. / AttacKG : Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports. Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. editor / Vijayalakshmi Atluri ; Roberto Di Pietro ; Christian D. Jensen ; Weizhi Meng. Springer Science and Business Media Deutschland GmbH, 2022. pp. 589-609 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ee4e08a7a684445b8fd205639368e526,

title = "AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports",

abstract = "Cyber attacks are becoming more sophisticated and diverse, making attack detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious manual efforts of threat intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (e.g., techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants. In this paper, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the associated attack techniques. We then aggregate threat intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs into technique knowledge graphs (TKGs). In our evaluation against real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises. To further verify the accuracy of AttacKG in extracting threat intelligence, we run AttacKG on 16 manually labeled CTI reports. Experimental results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789, which outperforms the state-of-the-art approaches. Moreover, our TKGs directly benefit downstream security practices built atop attack techniques, e.g., advanced persistent threat detection and cyber attack reconstruction.",

author = "Zhenyuan Li and Jun Zeng and Yan Chen and Zhenkai Liang",

note = "Funding Information: Acknowledgement. This paper is supported in part by National Science Foundation with the Award Number (FAIN) 2148177, and by the National Research Foundation, Prime Ministers Office, Singapore under its National Cybersecurity R&D Program (Award No. NRF-NCL-P2-0001) and administered by the National Cybersecurity R&D Directorate. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore. Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 27th European Symposium on Research in Computer Security, ESORICS 2022 ; Conference date: 26-09-2022 Through 30-09-2022",

year = "2022",

doi = "10.1007/978-3-031-17140-6_29",

language = "English (US)",

isbn = "9783031171390",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "589--609",

editor = "Vijayalakshmi Atluri and {Di Pietro}, Roberto and Jensen, {Christian D.} and Weizhi Meng",

booktitle = "Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings",

address = "Germany",

}

Li, Z, Zeng, J, Chen, Y & Liang, Z 2022, AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports. in V Atluri, R Di Pietro, CD Jensen & W Meng (eds), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13554 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 589-609, 27th European Symposium on Research in Computer Security, ESORICS 2022, Virtual, Online, 9/26/22. https://doi.org/10.1007/978-3-031-17140-6_29

AttacKG : Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports. / Li, Zhenyuan; Zeng, Jun; Chen, Yan et al.

Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. ed. / Vijayalakshmi Atluri; Roberto Di Pietro; Christian D. Jensen; Weizhi Meng. Springer Science and Business Media Deutschland GmbH, 2022. p. 589-609 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13554 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - AttacKG

T2 - 27th European Symposium on Research in Computer Security, ESORICS 2022

AU - Li, Zhenyuan

AU - Zeng, Jun

AU - Chen, Yan

AU - Liang, Zhenkai

N1 - Funding Information: Acknowledgement. This paper is supported in part by National Science Foundation with the Award Number (FAIN) 2148177, and by the National Research Foundation, Prime Ministers Office, Singapore under its National Cybersecurity R&D Program (Award No. NRF-NCL-P2-0001) and administered by the National Cybersecurity R&D Directorate. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore. Publisher Copyright: © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.

PY - 2022

Y1 - 2022

N2 - Cyber attacks are becoming more sophisticated and diverse, making attack detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious manual efforts of threat intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (e.g., techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants. In this paper, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the associated attack techniques. We then aggregate threat intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs into technique knowledge graphs (TKGs). In our evaluation against real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises. To further verify the accuracy of AttacKG in extracting threat intelligence, we run AttacKG on 16 manually labeled CTI reports. Experimental results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789, which outperforms the state-of-the-art approaches. Moreover, our TKGs directly benefit downstream security practices built atop attack techniques, e.g., advanced persistent threat detection and cyber attack reconstruction.

AB - Cyber attacks are becoming more sophisticated and diverse, making attack detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious manual efforts of threat intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (e.g., techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants. In this paper, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the associated attack techniques. We then aggregate threat intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs into technique knowledge graphs (TKGs). In our evaluation against real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises. To further verify the accuracy of AttacKG in extracting threat intelligence, we run AttacKG on 16 manually labeled CTI reports. Experimental results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789, which outperforms the state-of-the-art approaches. Moreover, our TKGs directly benefit downstream security practices built atop attack techniques, e.g., advanced persistent threat detection and cyber attack reconstruction.

UR - http://www.scopus.com/inward/record.url?scp=85140470249&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85140470249&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-17140-6_29

DO - 10.1007/978-3-031-17140-6_29

M3 - Conference contribution

AN - SCOPUS:85140470249

SN - 9783031171390

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 589

EP - 609

BT - Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings

A2 - Atluri, Vijayalakshmi

A2 - Di Pietro, Roberto

A2 - Jensen, Christian D.

A2 - Meng, Weizhi

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 26 September 2022 through 30 September 2022

ER -

Li Z, Zeng J, Chen Y, Liang Z. AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports. In Atluri V, Di Pietro R, Jensen CD, Meng W, editors, Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 589-609. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-17140-6_29