A machine learning-based FinTech cyber threat attribution framework using high-level indicators of compromise

Abstract: Cyber threat attribution identifies the source of a malicious cyber activity, which in turn informs cyber security mitigation responses and strategies. Such responses and strategies are crucial for deterring future attacks, particularly in the financial and critical infrastructure sectors. However, existing approaches generally rely on manual analysis of attack indicators obtained through approaches such as trace-back, firewalls, intrusion detection and honeypot deployments. These attack indicators, also known as low-level Indicators of Compromise (IOCs), are rarely re-used and can be easily modified and disguised, resulting in deceptive and biased cyber threat attribution. Cyber attackers, particularly financially motivated actors, tend to use common high-level attack patterns that evolve less frequently than the low-level IOCs. To attribute cyber threats effectively, it is necessary to identify them based on the adversary's high-level attack patterns (e.g. tactics, techniques and procedures (TTPs), software tools and malware) employed in different phases of the cyber kill chain. Identifying high-level attack patterns is time-consuming, requiring forensic investigation of the victim network(s) and other resources. In the rare cases where attack patterns are reported in cyber threat intelligence (CTI) reports, the format is textual and unstructured, typically taking the form of lengthy incident reports prepared for human consumption (e.g. for C-level and senior management executives), which machines cannot directly interpret. Thus, in this paper we propose a framework to automate cyber threat attribution. Specifically, we profile cyber threat actors (CTAs) based on their attack patterns extracted from CTI reports, using the distributional semantics technique of Natural Language Processing. Using these profiles, we train and test five machine learning classifiers on 327 CTI reports collected from publicly available incident reports that cover events from May 2012 to February 2018. It is observed that the CTA profiles obtained attribute cyber threats with high precision (83%, compared to 33% for other publicly available CTA profiles). The Deep Learning Neural Network (DLNN) based classifier also attributes cyber threats with higher accuracy (94%) than the other classifiers.
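The following Python example is added here to illustrate the abstract's central point and is not code from the paper: a CTA profile built from high-level attack-pattern terms still attributes a new report correctly after its low-level IOCs (hashes, IP addresses, domains) have changed. The actor names, report snippets, IOC-stripping regex and term-frequency/cosine profiler are constructed stand-ins; the paper's own distributional-semantics profiler and its five classifiers are not reproduced.

```python
import math
import re
from collections import Counter

# Constructed CTI report snippets, labelled with hypothetical actor names.
TRAINING_REPORTS = {
    "ActorA": [
        "spearphishing attachment with macro dropped PlugX; lateral movement via PsExec; exfiltration over HTTPS",
        "spearphishing link delivered PlugX backdoor; credential dumping with Mimikatz; PsExec for lateral movement",
    ],
    "ActorB": [
        "watering hole served exploit kit; Cobalt Strike beacon; credential dumping with Mimikatz; exfiltration over DNS",
        "watering hole; Cobalt Strike; scheduled task persistence; exfiltration over DNS",
    ],
}

# Low-level IOCs (hex hashes, IPv4 addresses, domains) change between campaigns,
# so the profiler strips them and keeps only the high-level attack-pattern vocabulary.
LOW_LEVEL_IOC = re.compile(
    r"\b(?:[0-9a-f]{32,64}|\d{1,3}(?:\.\d{1,3}){3}|(?:[\w-]+\.)+(?:com|net|org|ru))\b", re.I)
STOPWORDS = {"with", "via", "over", "for", "from", "after", "and", "the", "to", "of", "a"}

def features(text):
    """Bag of attack-pattern terms for one report, with low-level IOCs removed."""
    cleaned = LOW_LEVEL_IOC.sub(" ", text.lower())
    return Counter(t for t in re.findall(r"[a-z][a-z0-9]+", cleaned) if t not in STOPWORDS)

def build_profiles(reports):
    """One term-frequency profile per actor, summed over that actor's reports."""
    return {actor: sum((features(r) for r in docs), Counter()) for actor, docs in reports.items()}

def cosine(a, b):
    """Cosine similarity between two term-frequency Counters."""
    dot = sum(a[k] * b[k] for k in a if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def attribute(report, profiles):
    """Return (best-matching actor, similarity score per actor) for a new report."""
    f = features(report)
    scores = {actor: cosine(f, p) for actor, p in profiles.items()}
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    profiles = build_profiles(TRAINING_REPORTS)
    # Constructed new report: fresh hash and IP (TEST-NET-3), same TTPs and tooling as ActorA.
    new_report = ("sample " + "deadbeef" * 8 + " from 203.0.113.5 dropped PlugX after "
                  "spearphishing attachment; PsExec used for lateral movement")
    print(attribute(new_report, profiles))
```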
