Zheng-Shao Chen;R. Vaitheeshwari;Eric Hsiao-Kuang Wu;Ying-Dar Lin;Ren-Hung Hwang;Po-Ching Lin;Yuan-Cheng Lai;Asad Ali
{"title":"通过加权相似性测量网络威胁情报对 APT 集团进行聚类","authors":"Zheng-Shao Chen;R. Vaitheeshwari;Eric Hsiao-Kuang Wu;Ying-Dar Lin;Ren-Hung Hwang;Po-Ching Lin;Yuan-Cheng Lai;Asad Ali","doi":"10.1109/ACCESS.2024.3469552","DOIUrl":null,"url":null,"abstract":"Advanced Persistent Threat (APT) groups pose significant cybersecurity threats due to their sophisticated and persistent nature. This study introduces a novel methodology to understand their collaborative patterns and shared objectives, which is crucial for developing robust defense mechanisms. We utilize MITRE ATT&CK Techniques, software, target nations, and industries as our primary features to understand the characteristics of APT groups. Since essential information is often buried within the unstructured data of Cyber Threat Intelligence (CTI) reports, we employ Natural Language Processing (NLP) and Named Entity Recognition (NER) to extract relevant data. To analyze and interpret the complex relationships between APT groups, we compute similarity among the features using weighted cosine similarity metrics and Machine Learning (ML) models, enhanced by feature crosses and feature selection strategies. Subsequently, hierarchical clustering is used to group APTs based on their similarity scores, helping to identify common behaviors and uncover deeper relationships. Our methodology demonstrates notable clustering performance, with a silhouette coefficient of 0.76, indicating strong intra-cluster similarity. The Adjusted Rand Index (ARI) of 0.63, though moderate, effectively measures agreement between our clustering and the ground truth. These metrics provide robust validation, surpassing commonly recognized benchmarks for effective clustering in cybersecurity. Our methodology successfully classifies 23 distinct APT groups into six clusters, highlighting the importance of techniques and industry features in the clustering process. Notably, techniques such as T1059 (Command and Scripting Interpreter) and T1036 (Masquerading) are prevalently deployed, observed in 18 out of 23 APT groups across all six clusters.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":null,"pages":null},"PeriodicalIF":3.4000,"publicationDate":"2024-09-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10697172","citationCount":"0","resultStr":"{\"title\":\"Clustering APT Groups Through Cyber Threat Intelligence by Weighted Similarity Measurement\",\"authors\":\"Zheng-Shao Chen;R. Vaitheeshwari;Eric Hsiao-Kuang Wu;Ying-Dar Lin;Ren-Hung Hwang;Po-Ching Lin;Yuan-Cheng Lai;Asad Ali\",\"doi\":\"10.1109/ACCESS.2024.3469552\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Advanced Persistent Threat (APT) groups pose significant cybersecurity threats due to their sophisticated and persistent nature. This study introduces a novel methodology to understand their collaborative patterns and shared objectives, which is crucial for developing robust defense mechanisms. We utilize MITRE ATT&CK Techniques, software, target nations, and industries as our primary features to understand the characteristics of APT groups. Since essential information is often buried within the unstructured data of Cyber Threat Intelligence (CTI) reports, we employ Natural Language Processing (NLP) and Named Entity Recognition (NER) to extract relevant data. To analyze and interpret the complex relationships between APT groups, we compute similarity among the features using weighted cosine similarity metrics and Machine Learning (ML) models, enhanced by feature crosses and feature selection strategies. Subsequently, hierarchical clustering is used to group APTs based on their similarity scores, helping to identify common behaviors and uncover deeper relationships. Our methodology demonstrates notable clustering performance, with a silhouette coefficient of 0.76, indicating strong intra-cluster similarity. The Adjusted Rand Index (ARI) of 0.63, though moderate, effectively measures agreement between our clustering and the ground truth. These metrics provide robust validation, surpassing commonly recognized benchmarks for effective clustering in cybersecurity. Our methodology successfully classifies 23 distinct APT groups into six clusters, highlighting the importance of techniques and industry features in the clustering process. Notably, techniques such as T1059 (Command and Scripting Interpreter) and T1036 (Masquerading) are prevalently deployed, observed in 18 out of 23 APT groups across all six clusters.\",\"PeriodicalId\":13079,\"journal\":{\"name\":\"IEEE Access\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":3.4000,\"publicationDate\":\"2024-09-27\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10697172\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Access\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10697172/\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10697172/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Clustering APT Groups Through Cyber Threat Intelligence by Weighted Similarity Measurement
Advanced Persistent Threat (APT) groups pose significant cybersecurity threats due to their sophisticated and persistent nature. This study introduces a novel methodology to understand their collaborative patterns and shared objectives, which is crucial for developing robust defense mechanisms. We utilize MITRE ATT&CK Techniques, software, target nations, and industries as our primary features to understand the characteristics of APT groups. Since essential information is often buried within the unstructured data of Cyber Threat Intelligence (CTI) reports, we employ Natural Language Processing (NLP) and Named Entity Recognition (NER) to extract relevant data. To analyze and interpret the complex relationships between APT groups, we compute similarity among the features using weighted cosine similarity metrics and Machine Learning (ML) models, enhanced by feature crosses and feature selection strategies. Subsequently, hierarchical clustering is used to group APTs based on their similarity scores, helping to identify common behaviors and uncover deeper relationships. Our methodology demonstrates notable clustering performance, with a silhouette coefficient of 0.76, indicating strong intra-cluster similarity. The Adjusted Rand Index (ARI) of 0.63, though moderate, effectively measures agreement between our clustering and the ground truth. These metrics provide robust validation, surpassing commonly recognized benchmarks for effective clustering in cybersecurity. Our methodology successfully classifies 23 distinct APT groups into six clusters, highlighting the importance of techniques and industry features in the clustering process. Notably, techniques such as T1059 (Command and Scripting Interpreter) and T1036 (Masquerading) are prevalently deployed, observed in 18 out of 23 APT groups across all six clusters.
IEEE AccessCOMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC
CiteScore
9.80
自引率
7.70%
发文量
6673
审稿时长
6 weeks
期刊介绍:
IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest.
IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on:
Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals.
Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering.
Development of new or improved fabrication or manufacturing techniques.
Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.