APT-scope: A novel framework to predict advanced persistent threat groups from enriched heterogeneous information network of cyber threat intelligence

Engineering Science and Technology, an International Journal (JESTECH) | IF 5.1 | JCR Q1 (Engineering, Multidisciplinary) | CAS zone 2 (Engineering) | Published 2024-08-17 | DOI: 10.1016/j.jestch.2024.101791
Burak Gulbay , Mehmet Demirci
Volume 57, Article 101791. Full text: https://www.sciencedirect.com/science/article/pii/S2215098624001770
Citations: 0

Abstract


Addressing the expanding Advanced Persistent Threat (APT) landscape is crucial for governments, enterprises and threat intelligence research groups. While defenders often rely on tabular formats for assets like logs, alerts and firewall rules, attackers leverage a graph-based mindset. In this work, we propose a novel multistage framework named APT-Scope which employs a comprehensive approach to Cyber Threat Intelligence (CTI) analysis on qualified real-world data. The APT-Scope workflow consists of data gathering, enrichment, and analysis stages, where relationships between entities are used to construct a Heterogeneous Information Network (HIN). We applied CTI enrichment using additional active data collection techniques like DNS and Whois lookups, port scans, SSL footprinting and named entity recognition via SpaCy, and constructed a machine learning pipeline to predict relationships between entities using FastRP and Logistic Regression. By analyzing the resulting HIN, we discovered aliases for APT groups and predicted threat actors of APT attacks with unknown perpetrators. We observed AUCPR scores of 96.57% on the training set and 92.36% on the test set. Our work is beneficial to oversee the entire APT landscape, steer ongoing and future CTI operations and make strategic decisions.
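The abstract names the analysis pipeline (heterogeneous CTI graph, FastRP embeddings, logistic-regression link prediction, alias discovery and actor attribution) but shows none of it. The following is an added, self-contained Python illustration written for this page; it is not the authors' code, and the graph it runs on is a constructed toy (the group, report, domain, IP and malware names are invented). FastRP is implemented as in the original method (sparse random projection, then degree-normalised neighbour averaging, summed over hops with per-hop weights, here the k=2 and k=3 hops as in the Neo4j GDS default). Edge features are the Hadamard product of the two endpoint embeddings, the usual choice for FastRP-based link prediction; aliases are surfaced by embedding cosine similarity, which is one plausible reading of the abstract rather than a detail it states.

```python
"""
Toy APT-Scope-style pipeline: heterogeneous CTI graph -> FastRP embeddings ->
logistic-regression link predictor on Hadamard edge features -> (a) rank
candidate threat actors for an unattributed incident, (b) surface group
aliases by embedding similarity. Pure Python, no external dependencies.
"""
import math
import random
from itertools import combinations

# Constructed sample graph (illustrative names, not data from the paper).
# Node types: APT group, report, domain, ip, malware; "inc-x" is an
# unattributed incident report that cites infrastructure but no group.
NODE_TYPES = {
    "APT-A": "group", "APT-B": "group", "Group-Z": "group",
    "rep-a1": "report", "rep-a2": "report", "rep-b1": "report",
    "rep-b2": "report", "rep-z1": "report", "inc-x": "report",
    "dom-a1": "domain", "dom-a2": "domain", "dom-b1": "domain", "dom-b2": "domain",
    "ip-a1": "ip", "ip-a2": "ip", "ip-b1": "ip", "ip-b2": "ip",
    "mal-a": "malware", "mal-b": "malware",
}
EDGES = [
    ("APT-A", "rep-a1"), ("APT-A", "rep-a2"),
    ("rep-a1", "dom-a1"), ("rep-a1", "ip-a1"), ("rep-a1", "mal-a"),
    ("rep-a2", "dom-a2"), ("rep-a2", "ip-a2"), ("rep-a2", "mal-a"),
    ("APT-B", "rep-b1"), ("APT-B", "rep-b2"),
    ("rep-b1", "dom-b1"), ("rep-b1", "ip-b1"), ("rep-b1", "mal-b"),
    ("rep-b2", "dom-b2"), ("rep-b2", "ip-b2"), ("rep-b2", "mal-b"),
    ("Group-Z", "rep-z1"),                       # Group-Z reuses APT-B's infra
    ("rep-z1", "dom-b1"), ("rep-z1", "ip-b2"), ("rep-z1", "mal-b"),
    ("inc-x", "dom-b2"), ("inc-x", "ip-b1"), ("inc-x", "mal-b"),
]


def build_graph(edges):
    """Undirected adjacency sets (the HIN, with node types kept in NODE_TYPES)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def fastrp_embed(adj, dim=64, weights=(0.0, 0.0, 1.0, 1.0), seed=1):
    """FastRP: sparse random projection per node, then repeated neighbour
    averaging (D^-1 A); the embedding is sum_k weights[k] * (D^-1 A)^k R.
    Skipping k<2 makes a group and the infrastructure its reports cite
    (two hops apart) share embedding terms. Output is L2-normalised."""
    rng = random.Random(seed)
    s = math.sqrt(3.0)                    # Achlioptas projection: +-sqrt(3) w.p. 1/6 each
    h = {n: [rng.choice((s, -s, 0.0, 0.0, 0.0, 0.0)) for _ in range(dim)] for n in adj}
    emb = {n: [weights[0] * x for x in h[n]] for n in adj}
    for k in range(1, len(weights)):
        h = {n: [sum(h[m][i] for m in adj[n]) / len(adj[n]) for i in range(dim)] for n in adj}
        for n in adj:
            emb[n] = [e + weights[k] * x for e, x in zip(emb[n], h[n])]
    for n in adj:
        norm = math.sqrt(sum(x * x for x in emb[n])) or 1.0
        emb[n] = [x / norm for x in emb[n]]
    return emb


def cosine(a, b):
    """Embeddings are unit length, so the dot product is the cosine."""
    return sum(x * y for x, y in zip(a, b))


def edge_features(emb, u, v):
    """Hadamard product of endpoint embeddings, rescaled to O(1) entries."""
    d = len(emb[u])
    return [d * x * y for x, y in zip(emb[u], emb[v])]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))


def train_link_model(adj, emb, exclude=(), neg_ratio=4, epochs=300, lr=0.1, l2=0.01, seed=2):
    """Logistic regression: existing edges are positives, sampled non-edges are
    negatives. Pairs in `exclude` (the queries we want to score) are held out
    so the model is never trained on the edges it is asked to predict."""
    rng = random.Random(seed)
    nodes = sorted(adj)
    pos = sorted({tuple(sorted((u, v))) for u in adj for v in adj[u]})
    banned = set(pos) | {tuple(sorted(p)) for p in exclude}
    non_edges = [p for p in combinations(nodes, 2) if p not in banned]
    neg = rng.sample(non_edges, min(len(non_edges), neg_ratio * len(pos)))
    data = [(edge_features(emb, u, v), 1.0) for u, v in pos]
    data += [(edge_features(emb, u, v), 0.0) for u, v in neg]
    dim, n = len(emb[nodes[0]]), len(data)
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):                               # full-batch gradient descent
        gw, gb = [0.0] * dim, 0.0
        for x, y in data:
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gb += err
            for i, xi in enumerate(x):
                gw[i] += err * xi
        w = [wi - lr * (gi / n + l2 * wi) for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def link_probability(model, emb, u, v):
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, edge_features(emb, u, v))) + b)


def rank_actors(model, emb, incident, groups):
    """Candidate groups for an unattributed incident, most likely first."""
    return sorted(((g, link_probability(model, emb, incident, g)) for g in groups), key=lambda t: -t[1])


def alias_candidates(emb, groups):
    """Group pairs by cosine similarity; high values flag names that sit on the
    same infrastructure/malware neighbourhood, i.e. probable aliases."""
    pairs = ((a, b, cosine(emb[a], emb[b])) for a, b in combinations(sorted(groups), 2))
    return sorted(pairs, key=lambda t: -t[2])


def run_demo():
    adj = build_graph(EDGES)
    groups = [n for n, t in NODE_TYPES.items() if t == "group"]
    emb = fastrp_embed(adj)
    model = train_link_model(adj, emb, exclude=[("inc-x", g) for g in groups])
    return {"actor_ranking": rank_actors(model, emb, "inc-x", groups),
            "alias_candidates": alias_candidates(emb, groups)}


if __name__ == "__main__":
    out = run_demo()
    for g, p in out["actor_ranking"]:
        print(f"inc-x -> {g}: P(link) = {p:.3f}")
    for a, b, c in out["alias_candidates"]:
        print(f"alias? {a} ~ {b}: cosine = {c:.2f}")
```

Running the script prints a link probability for inc-x against each group and a cosine score for every group pair. On the toy graph inc-x is attributed to APT-B, whose reports cite the same domain, IP and malware family, and APT-B/Group-Z, which share infrastructure through separate reports, come out as the closest group pair. In the real framework the enrichment stage (DNS and Whois lookups, port scans, SSL footprinting, spaCy NER) is what produces those infrastructure edges, and the quality of attribution is bounded by it: two groups that merely share a bulletproof hoster or a commodity loader will look like aliases here too, so high-scoring pairs are leads for an analyst, not conclusions.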

Source journal: Engineering Science and Technology, an International Journal (JESTECH)
Subject category: Materials Science - Electronic, Optical and Magnetic Materials
CiteScore: 11.20
Self-citation rate: 3.50%
Articles published: 153
Review time: 22 days
Journal description: Engineering Science and Technology, an International Journal (JESTECH) (formerly Technology), a peer-reviewed quarterly engineering journal, publishes both theoretical and experimental high quality papers of permanent interest, not previously published in journals, in the field of engineering and applied science which aims to promote the theory and practice of technology and engineering. In addition to peer-reviewed original research papers, the Editorial Board welcomes original research reports, state-of-the-art reviews and communications in the broadly defined field of engineering science and technology. The scope of JESTECH includes a wide spectrum of subjects including: -Electrical/Electronics and Computer Engineering (Biomedical Engineering and Instrumentation; Coding, Cryptography, and Information Protection; Communications, Networks, Mobile Computing and Distributed Systems; Compilers and Operating Systems; Computer Architecture, Parallel Processing, and Dependability; Computer Vision and Robotics; Control Theory; Electromagnetic Waves, Microwave Techniques and Antennas; Embedded Systems; Integrated Circuits, VLSI Design, Testing, and CAD; Microelectromechanical Systems; Microelectronics, and Electronic Devices and Circuits; Power, Energy and Energy Conversion Systems; Signal, Image, and Speech Processing) -Mechanical and Civil Engineering (Automotive Technologies; Biomechanics; Construction Materials; Design and Manufacturing; Dynamics and Control; Energy Generation, Utilization, Conversion, and Storage; Fluid Mechanics and Hydraulics; Heat and Mass Transfer; Micro-Nano Sciences; Renewable and Sustainable Energy Technologies; Robotics and Mechatronics; Solid Mechanics and Structure; Thermal Sciences) -Metallurgical and Materials Engineering (Advanced Materials Science; Biomaterials; Ceramic and Inorganic Materials; Electronic-Magnetic Materials; Energy and Environment; Materials Characterization; Metallurgy; Polymers and Nanocomposites)