EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning

With the increasing complexity of network attacks, active defense based on intelligence sharing becomes crucial. An important problem in intelligence analysis is automatically extracting threat actions from cyber threat intelligence (CTI) reports. To address this problem, we propose EX-Action, a framework for extracting threat actions from CTI reports. EX-Action locates threat actions with natural language processing (NLP) techniques and identifies them with a multimodal learning algorithm. In addition, a metric is used to evaluate the information completeness of the actions extracted by EX-Action. Experiments on CTI reports consisting of sentences with complex structure indicate that EX-Action outperforms two state-of-the-art action extraction methods in terms of accuracy, recall, precision, and F1-score.
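To make the two ingredients of the abstract concrete, the following is an added illustration, not EX-Action's own code: a deliberately simple rule-based extractor that pulls (subject, verb, object, target) slots out of constructed CTI sentences, and a slot-based completeness score. The verb lexicon, the slot names, the sample report text and the completeness formula (filled slots divided by total slots) are all assumptions for illustration; the paper's multimodal identification step and its actual completeness metric are not reproduced here.

```python
"""
Rule-based threat-action extraction with a slot-completeness score.
Added example, not code from the EX-Action paper. The verb lexicon,
slot layout and scoring formula are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed lexicon of verbs that commonly denote a threat action.
ACTION_VERBS = {
    "downloads", "download", "downloaded",
    "executes", "execute", "executed",
    "sends", "send", "sent",
    "steals", "steal", "stole",
    "connects", "connect", "connected",
    "drops", "drop", "dropped",
    "encrypts", "encrypt", "encrypted",
}
# Prepositions that usually introduce a target / destination slot.
TARGET_PREPS = {"to", "from", "on", "into", "via"}
DETERMINERS = {"the", "a", "an", "its", "their"}
# Auxiliaries and adverbs to trim off the end of a subject phrase.
TRAILING_FILLER = {"is", "are", "was", "were", "has", "have", "then", "also"}

# Tokens are alphanumeric runs; '-' and '.' only count inside a token,
# so "second-stage" stays whole while a sentence-final "." is dropped.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+(?:[-.][A-Za-z0-9]+)*")
SENTENCE_SPLIT_RE = re.compile(r"(?<=[.!?])\s+")


@dataclass
class ThreatAction:
    subject: Optional[str]
    verb: Optional[str]
    obj: Optional[str]
    target: Optional[str]
    sentence: str

    def completeness(self) -> float:
        """Fraction of the four slots that were filled (assumed metric)."""
        slots = [self.subject, self.verb, self.obj, self.target]
        return sum(1 for s in slots if s) / len(slots)


def _phrase(tokens: List[str]) -> Optional[str]:
    """Join tokens into a phrase, dropping leading determiners and trailing filler."""
    while tokens and tokens[0].lower() in DETERMINERS:
        tokens = tokens[1:]
    while tokens and tokens[-1].lower() in TRAILING_FILLER:
        tokens = tokens[:-1]
    return " ".join(tokens) if tokens else None


def extract_action(sentence: str) -> ThreatAction:
    """Find the first action verb; text before it is the subject,
    text after it up to a target preposition is the object, the rest is the target."""
    tokens = TOKEN_RE.findall(sentence)
    verb_idx = next((i for i, t in enumerate(tokens) if t.lower() in ACTION_VERBS), None)
    if verb_idx is None:
        return ThreatAction(None, None, None, None, sentence)
    subject = _phrase(tokens[:verb_idx])
    rest = tokens[verb_idx + 1:]
    prep_idx = next((i for i, t in enumerate(rest) if t.lower() in TARGET_PREPS), None)
    if prep_idx is None:
        obj, target = _phrase(rest), None
    else:
        obj, target = _phrase(rest[:prep_idx]), _phrase(rest[prep_idx + 1:])
    return ThreatAction(subject, tokens[verb_idx].lower(), obj, target, sentence)


def extract_report(text: str) -> List[ThreatAction]:
    """Split a report into sentences and extract one candidate action per sentence."""
    return [extract_action(s) for s in SENTENCE_SPLIT_RE.split(text.strip()) if s]


def report_completeness(actions: List[ThreatAction]) -> float:
    """Mean slot completeness over all extracted candidates (assumed aggregate)."""
    return sum(a.completeness() for a in actions) / len(actions) if actions else 0.0


# Constructed sample report: one fully filled action, two partial ones
# (no target; passive voice with no object), one sentence with no action.
SAMPLE_REPORT = (
    "The malware downloads a second-stage payload from a remote server. "
    "The dropper executes the decoded binary. "
    "Stolen credentials are sent to the C2 server. "
    "Analysts observed unusual traffic."
)

if __name__ == "__main__":
    for action in extract_report(SAMPLE_REPORT):
        print(f"{action.completeness():.2f}  {action}")
    print("report completeness:", report_completeness(extract_report(SAMPLE_REPORT)))
```

The third sentence shows why the abstract stresses sentences with complex structure: a passive clause leaves the object slot empty under a naive subject-verb-object rule, which is the kind of gap a completeness metric is meant to surface and a dependency-parse-based extractor is meant to close.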
