Leveraging Hierarchies: HMCAT for Efficiently Mapping CTI to Attack Techniques

Zhiqiang Hao; Chuanyi Li; Xiao Fu; Bin Luo; Xiaojiang Du

doi:10.1007/978-3-031-70903-6_4

Leveraging Hierarchies: HMCAT for Efficiently Mapping CTI to Attack Techniques

Zhiqiang Hao, Chuanyi Li, Xiao Fu, Bin Luo, Xiaojiang Du

Department of Electrical and Computer Engineering

Nanjing University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

With the advancement of cyber technology, proactive security methods such as adversary emulation and leveraging Cyber Threat Intelligence (CTI) have become increasingly essential. Currently, some methods have achieved automatic mapping of unstructured text Cyber Threat Intelligence to attack techniques that could facilitate proactive security. However, these methods do not consider the semantic relationships between CTI and attack techniques at different abstraction levels, which leads to poor performance in the classification. In this work, we propose a Hierarchy-aware method for Mapping of CTI to Attack Techniques (HMCAT). Specifically, HMCAT first extracts Indicators of Compromise (IOC) entities in the CTI with two steps, then projects the CTI with IOC entities and the corresponding attack technique into a joint embedding space. Finally, HMCAT captures the semantics relationship among text descriptions, coarse-grained techniques, fine-grained techniques and unrelated techniques through a hierarchy-aware mapping loss. Meanwhile, we also propose a data augmentation technique based on in-context learning to solve the problem of long-tailed distribution in the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) datasets, which could further improve the performance of mapping. Experimental results demonstrate that HMCAT significantly outperforms previous ML and DL methods, improving precision, recall and F-Measure by 6.6%, 13.9% and 9.9% respectively.

Original language	English
Title of host publication	Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings
Editors	Joaquin Garcia-Alfaro, Rafał Kozik, Michał Choraś, Sokratis Katsikas
Pages	65-85
Number of pages	21
DOIs	https://doi.org/10.1007/978-3-031-70903-6_4
State	Published - 2024
Event	29th European Symposium on Research in Computer Security, ESORICS 2024 - Bydgoszcz, Poland Duration: 16 Sep 2024 → 20 Sep 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14985 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	29th European Symposium on Research in Computer Security, ESORICS 2024
Country/Territory	Poland
City	Bydgoszcz
Period	16/09/24 → 20/09/24

Keywords

Attack Techniques
CTI
IOC Entities

Access to Document

10.1007/978-3-031-70903-6_4

Cite this

Hao, Z., Li, C., Fu, X., Luo, B., & Du, X. (2024). Leveraging Hierarchies: HMCAT for Efficiently Mapping CTI to Attack Techniques. In J. Garcia-Alfaro, R. Kozik, M. Choraś, & S. Katsikas (Eds.), Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings (pp. 65-85). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14985 LNCS). https://doi.org/10.1007/978-3-031-70903-6_4

Hao, Zhiqiang ; Li, Chuanyi ; Fu, Xiao et al. / Leveraging Hierarchies : HMCAT for Efficiently Mapping CTI to Attack Techniques. Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. editor / Joaquin Garcia-Alfaro ; Rafał Kozik ; Michał Choraś ; Sokratis Katsikas. 2024. pp. 65-85 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{26d0788b908a49789c6c66a9a1917174,

title = "Leveraging Hierarchies: HMCAT for Efficiently Mapping CTI to Attack Techniques",

abstract = "With the advancement of cyber technology, proactive security methods such as adversary emulation and leveraging Cyber Threat Intelligence (CTI) have become increasingly essential. Currently, some methods have achieved automatic mapping of unstructured text Cyber Threat Intelligence to attack techniques that could facilitate proactive security. However, these methods do not consider the semantic relationships between CTI and attack techniques at different abstraction levels, which leads to poor performance in the classification. In this work, we propose a Hierarchy-aware method for Mapping of CTI to Attack Techniques (HMCAT). Specifically, HMCAT first extracts Indicators of Compromise (IOC) entities in the CTI with two steps, then projects the CTI with IOC entities and the corresponding attack technique into a joint embedding space. Finally, HMCAT captures the semantics relationship among text descriptions, coarse-grained techniques, fine-grained techniques and unrelated techniques through a hierarchy-aware mapping loss. Meanwhile, we also propose a data augmentation technique based on in-context learning to solve the problem of long-tailed distribution in the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) datasets, which could further improve the performance of mapping. Experimental results demonstrate that HMCAT significantly outperforms previous ML and DL methods, improving precision, recall and F-Measure by 6.6%, 13.9% and 9.9% respectively.",

keywords = "Attack Techniques, CTI, IOC Entities",

author = "Zhiqiang Hao and Chuanyi Li and Xiao Fu and Bin Luo and Xiaojiang Du",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.; 29th European Symposium on Research in Computer Security, ESORICS 2024 ; Conference date: 16-09-2024 Through 20-09-2024",

year = "2024",

doi = "10.1007/978-3-031-70903-6_4",

language = "English",

isbn = "9783031709029",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "65--85",

editor = "Joaquin Garcia-Alfaro and Rafa{\l} Kozik and Micha{\l} Chora{\'s} and Sokratis Katsikas",

booktitle = "Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings",

}

Hao, Z, Li, C, Fu, X, Luo, B & Du, X 2024, Leveraging Hierarchies: HMCAT for Efficiently Mapping CTI to Attack Techniques. in J Garcia-Alfaro, R Kozik, M Choraś & S Katsikas (eds), Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14985 LNCS, pp. 65-85, 29th European Symposium on Research in Computer Security, ESORICS 2024, Bydgoszcz, Poland, 16/09/24. https://doi.org/10.1007/978-3-031-70903-6_4

Leveraging Hierarchies: HMCAT for Efficiently Mapping CTI to Attack Techniques. / Hao, Zhiqiang; Li, Chuanyi; Fu, Xiao et al.
Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. ed. / Joaquin Garcia-Alfaro; Rafał Kozik; Michał Choraś; Sokratis Katsikas. 2024. p. 65-85 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14985 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Leveraging Hierarchies

T2 - 29th European Symposium on Research in Computer Security, ESORICS 2024

AU - Hao, Zhiqiang

AU - Li, Chuanyi

AU - Fu, Xiao

AU - Luo, Bin

AU - Du, Xiaojiang

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

PY - 2024

Y1 - 2024

N2 - With the advancement of cyber technology, proactive security methods such as adversary emulation and leveraging Cyber Threat Intelligence (CTI) have become increasingly essential. Currently, some methods have achieved automatic mapping of unstructured text Cyber Threat Intelligence to attack techniques that could facilitate proactive security. However, these methods do not consider the semantic relationships between CTI and attack techniques at different abstraction levels, which leads to poor performance in the classification. In this work, we propose a Hierarchy-aware method for Mapping of CTI to Attack Techniques (HMCAT). Specifically, HMCAT first extracts Indicators of Compromise (IOC) entities in the CTI with two steps, then projects the CTI with IOC entities and the corresponding attack technique into a joint embedding space. Finally, HMCAT captures the semantics relationship among text descriptions, coarse-grained techniques, fine-grained techniques and unrelated techniques through a hierarchy-aware mapping loss. Meanwhile, we also propose a data augmentation technique based on in-context learning to solve the problem of long-tailed distribution in the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) datasets, which could further improve the performance of mapping. Experimental results demonstrate that HMCAT significantly outperforms previous ML and DL methods, improving precision, recall and F-Measure by 6.6%, 13.9% and 9.9% respectively.

AB - With the advancement of cyber technology, proactive security methods such as adversary emulation and leveraging Cyber Threat Intelligence (CTI) have become increasingly essential. Currently, some methods have achieved automatic mapping of unstructured text Cyber Threat Intelligence to attack techniques that could facilitate proactive security. However, these methods do not consider the semantic relationships between CTI and attack techniques at different abstraction levels, which leads to poor performance in the classification. In this work, we propose a Hierarchy-aware method for Mapping of CTI to Attack Techniques (HMCAT). Specifically, HMCAT first extracts Indicators of Compromise (IOC) entities in the CTI with two steps, then projects the CTI with IOC entities and the corresponding attack technique into a joint embedding space. Finally, HMCAT captures the semantics relationship among text descriptions, coarse-grained techniques, fine-grained techniques and unrelated techniques through a hierarchy-aware mapping loss. Meanwhile, we also propose a data augmentation technique based on in-context learning to solve the problem of long-tailed distribution in the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) datasets, which could further improve the performance of mapping. Experimental results demonstrate that HMCAT significantly outperforms previous ML and DL methods, improving precision, recall and F-Measure by 6.6%, 13.9% and 9.9% respectively.

KW - Attack Techniques

KW - CTI

KW - IOC Entities

UR - http://www.scopus.com/inward/record.url?scp=85204364165&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85204364165&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-70903-6_4

DO - 10.1007/978-3-031-70903-6_4

M3 - Conference contribution

AN - SCOPUS:85204364165

SN - 9783031709029

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 65

EP - 85

BT - Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings

A2 - Garcia-Alfaro, Joaquin

A2 - Kozik, Rafał

A2 - Choraś, Michał

A2 - Katsikas, Sokratis

Y2 - 16 September 2024 through 20 September 2024

ER -

Hao Z, Li C, Fu X, Luo B, Du X. Leveraging Hierarchies: HMCAT for Efficiently Mapping CTI to Attack Techniques. In Garcia-Alfaro J, Kozik R, Choraś M, Katsikas S, editors, Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. 2024. p. 65-85. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-70903-6_4