{"title":"Attack Hypothesis Generation","authors":"Aviad Elitzur, Rami Puzis, Polina Zilberman","doi":"10.1109/EISIC49498.2019.9108886","DOIUrl":null,"url":null,"abstract":"In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat and mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlations, machine learning, and advanced visualizations in order to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG) which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and preliminary analysis provided by a security analyst, AHG provides an attack hypothesis comprised of yet unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that when implemented with the MITRE ATT&CK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.","PeriodicalId":117256,"journal":{"name":"2019 European Intelligence and Security Informatics Conference (EISIC)","volume":"94 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 European Intelligence and Security Informatics Conference (EISIC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EISIC49498.2019.9108886","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 12
Abstract
In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat and mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlations, machine learning, and advanced visualizations in order to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG) which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and preliminary analysis provided by a security analyst, AHG provides an attack hypothesis comprised of yet unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that when implemented with the MITRE ATT&CK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
