Upload File

extractor: extracting attack behavior graphs from threat

  • Home
  • Documents
  • EXTRACTOR: Extracting Attack Behavior Graphs from Threat
9
EXTRACTOR: Extracting Attack Behavior Graphs from Threat Reports ksatva2, rgjome1, [email protected] University of Illinois at Chicago 1 f Kiavash Satvat Rigel Gjomemo V.N. Venkatakrishnan

Upload: others

Post on 16-Oct-2021

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

EXTRACTOR: Extracting Attack Behavior Graphs from Threat

Reports

ksatva2, rgjome1, [email protected]

University of Illinois at Chicago1

f

Kiavash Satvat Rigel Gjomemo V.N. Venkatakrishnan

Page 2: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

2

f

A significant amount of knowledge is available in Cyber Threat Intelligence (CTI) reports.

Cyber Threat Intelligence Reports

Page 3: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

Human-intensive Effort for Creation of Detection Rules

f

Wouldn’t it be great to automate and scale?

Intrusion Detection Systems

CTI Reports

Page 4: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

What is being done automatically?

• Search for fragmented Indicators of Compromise (IOC)• Hash values, file/process names, IP addresses, domain names

Limitation:• Updated or re-purposed attacks and malware polymorphism• Use of legitimate-looking names (like svchost in Windows)• Easy for the attacker to mutate and evade detection systems!

What if we can learn more than just isolated IOCs?Something which is harder to evade!...

f

Page 5: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

Problem Statement

• Extract actionable provenance graphs of attack behavior from natural language CTI reports• Actionable: Provenance graphs can be directly used to perform threat

hunting• Behavior: connected events and entities, not single IOCs

f

Extractor Input

Page 6: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

Challenges and Approach

f

• Verbosity

• Inter vs Intra verbosity

• Relationships Extraction (Subject, Verb, Object)

• Causality and flow of attack

• CTI Language Complexities

• Domain specific vocabulary

• Ellipsis subjects and objects

• Pronoun

• Passive vs active

EXTRACTOR

Page 7: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

Evaluation

f

EXTRACTOR

8 DARPA Transparent

Computing

Engagement 2

Large-Scale Evaluation

POIROT

2.

3.

Precision Recall F1-Score

0.89 0.94 0.92

1.

Detection False Positive

0

# reports Similarity Score

Microsoft 4020 91%

TrendMicro 11600 85%

Technical description

vs

solution section

Threat Hunting Tool

EXTRACTOR

POIROT

Precision Recall F1-Score

0.96 0.93 0.94

Detection False Positive

0

Threat Hunting Tool

6 public CTI reports

EXTRACTOR

Page 8: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

Sample Attack

Behavior Graphs

from Public CTI

Reports

Source code:

https://github.com/ksatvat/

EXTRACTOR

8

f

https://github.com/ksatvat/EXTRACTOR
Page 9: EXTRACTOR: Extracting Attack Behavior Graphs from Threat

Questions?

f


A Semantic Best-Effort Approach for Extracting Structured Discourse Graphs from Wikipedia

Web crawler with email extractor and image extractor

UniMac UW Series Hardmount Washer-Extractorsdocs.alliancelaundry.com/adv_pdf/au07-204.pdfWasher-Extractors 35lbWasher-Extractor 60lbWasher-Extractor 80lbWasher-Extractor 100lbWasher-Extractor

ASE 200 Accelerated Solvent Extractor Operator's …...1 • Introduction The ASE® 200 Accelerated Solvent Extractor is an automated system for extracting organic compounds from a

PSF Extractor

Guide2source Extractor

52 Extracting Prologs The Prolog Extractor will search recursively for files with valid filename extensions. The beginning and end delimiters are: !F77

Extracting social graphs from the Web

Conditioned Slicing for Efficient Multiway Decision …thescipub.com/PDF/jcssp.2013.314.326.pdfMultiway Decision Graphs Model-Checker ... an efficient extractor for MDG Hardware Descrpiton

Extractor System

Powerteam Extractor

Extractor Centrifugo

Extracting, Aligning, and Linking Data to Build Knowledge Graphs

Guia Extractor

35lbWasher-Extractor 60lbWasher-Extractor 80lbWasher-Extractor 100lbWasher-Extractor ...docs.alliancelaundry.com/adv_pdf/au09-205.pdf · 2009. 5. 21. · UWSeriesHardmount Washer-Extractors

Portable Carpet Extractor Extractor Portátil de Alfombras

HAZUS-MH Data Extractor - Western Geographic … Data... · Web viewThe HAZUS-MH Data Extractor tool is a software application used for extracting data from HAZUS-MH data sources,

Extractor As

Centrifugal Extractor

EXTRACTION · Continuous Liquid/Liquid Extraction with Built-in SLOW-DRY® Concentrator This extractor is designed for EPA priority pollutant samples where the extracting solvent

Outline Extractor

Extractor hood

Extractores hidráulicos y mecánicos › data › products › files › 14715357841.pdf · extractor de agarre, un extractor de cruceta, un extractor de copa de cojinete y un extractor

Extractor Greench

Liquid extractor

Comment Extractor

SysInfoTools PDF Image Extractor v2 · SysInfoTools PDF Image Extractor v2.0 3 SysInfoTools PDF Image Extractor comes with one of the best solutions for the pdf image extracting issues

extractor radial

Level 1 2 - MALAWI OIL SEED CROPS EXTENSION ...os.aiccafrica.org/media/extracting and refining oil.pdfDual expeller Oil Extractor Oil extractors are machines that remove oil from the

Automatic Juice Extractor Extractor de jugo automtico

MirkaDust Extractor

Algorithms for Extracting Timeliness Graphs

Extracting and Analyzing Hidden Graphs from Relational ... · Extracting and Analyzing Hidden Graphs from Relational Databases Konstantinos Xirogiannopoulos University of Maryland,

Katz® Extractor - InHealthKatz Extractor Instructions for Use 37900-01A I 3 TABLE OF CONTENTS ENG Katz Extractor 4 SQI Ekstraktori Katz 6 9 Katz Extractor ARA BUL Katz Extractor 10

Classical Planning: Planning graphs, Graphplanpsznza/G52PAS/lecture12.pdfClassical Planning: Planning graphs, Graphplan 18. Extracting solution Backward search problem: The initial