Clustering Using a Similarity Measure Approach Based on Semantic Analysis of Adversary Behaviors

Rapidly growing shared information for threat intelligence not only helps security analysts reduce the time spent tracking attacks, but also opens possibilities for research on adversaries' thinking and decisions, which is important for the further analysis of attackers' habits and preferences. In this paper, we analyze current models and frameworks used in threat intelligence that suit different modeling goals, and propose a three-layer model (Goal, Behavior, Capability) to study the statistical characteristics of APT groups. Based on the proposed model, we construct a knowledge network composed of adversary behaviors, and introduce a similarity measure approach that captures the degree of similarity between groups by considering the different semantic links between them. After calculating similarity degrees, we apply the Girvan–Newman algorithm to discover community groups; the clustering result shows that community structures and boundaries do exist when the behavior of APT groups is analyzed.
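As an added illustration that is not code from the paper: a toy version of the pipeline the abstract describes, on constructed group profiles over the three layers. The per-layer weighted Jaccard similarity, the 0.25 edge threshold and the placeholder group/behavior names are assumptions; the community step is a from-scratch Girvan–Newman (edge betweenness via Brandes' accumulation) that cuts the bridge between two clusters of groups.

```python
from collections import defaultdict, deque
from itertools import combinations
# Constructed toy profiles for the three layers; group names and contents are placeholders, not real APT data.
PROFILES = {
    "G1": {"goal": {"espionage"}, "behavior": {"spearphish", "powershell", "c2-https"}, "capability": {"custom-rat"}},
    "G2": {"goal": {"espionage"}, "behavior": {"spearphish", "powershell", "dll-sideload"}, "capability": {"custom-rat"}},
    "G3": {"goal": {"espionage"}, "behavior": {"spearphish", "c2-https", "webshell"}, "capability": {"zero-day"}},
    "G4": {"goal": {"financial"}, "behavior": {"atm-malware", "sql-injection"}, "capability": {"commodity-tool"}},
    "G5": {"goal": {"financial"}, "behavior": {"atm-malware", "webshell"}, "capability": {"commodity-tool"}},
    "G6": {"goal": {"financial"}, "behavior": {"sql-injection", "webshell", "c2-https"}, "capability": {"commodity-tool"}},
}
LAYER_WEIGHTS = {"goal": 0.2, "behavior": 0.5, "capability": 0.3}  # assumed weight per semantic link type
def similarity(a, b):  # weighted Jaccard overlap, one term per layer (all layers non-empty in this toy data)
    return sum(w * len(PROFILES[a][l] & PROFILES[b][l]) / len(PROFILES[a][l] | PROFILES[b][l])
               for l, w in LAYER_WEIGHTS.items())
def build_graph(threshold=0.25):  # undirected group graph: edge wherever combined similarity reaches the threshold
    adj = {g: set() for g in PROFILES}
    for a, b in combinations(PROFILES, 2):
        if similarity(a, b) >= threshold: adj[a].add(b); adj[b].add(a)
    return adj
def edge_betweenness(adj):  # Brandes shortest-path edge betweenness (each edge is accumulated from both ends)
    bet = defaultdict(float)
    for s in adj:
        sigma, dist, preds, order, q = {s: 1}, {s: 0}, {v: [] for v in adj}, [], deque([s])
        while q:  # BFS from s counting shortest paths (sigma) and recording predecessors
            v = q.popleft(); order.append(v)
            for w in adj[v]:
                if w not in dist: dist[w], sigma[w] = dist[v] + 1, 0; q.append(w)
                if dist[w] == dist[v] + 1: sigma[w] += sigma[v]; preds[w].append(v)
        delta = defaultdict(float)
        for w in reversed(order):  # accumulate dependencies from the leaves up
            for v in preds[w]:
                c = sigma[v] / sigma[w] * (1 + delta[w]); bet[frozenset((v, w))] += c; delta[v] += c
    return bet
def components(adj):  # connected components, sorted so the output is deterministic
    comps, seen = [], set()
    for s in adj:
        if s not in seen:
            comp, frontier = {s}, {s}
            while frontier:
                frontier = set().union(*(adj[v] for v in frontier)) - comp; comp |= frontier
            seen |= comp; comps.append(frozenset(comp))
    return sorted(comps, key=sorted)
def girvan_newman(adj, k):  # cut the highest-betweenness edge until k communities remain
    adj = {v: set(n) for v, n in adj.items()}
    while len(components(adj)) < k and any(adj.values()):
        u, v = max(edge_betweenness(adj).items(), key=lambda kv: kv[1])[0]
        adj[u].discard(v); adj[v].discard(u)
    return components(adj)
```

With this data the only inter-cluster edge is G3-G6 (shared webshell and c2-https behaviors), and it is the first edge Girvan–Newman removes, leaving the espionage and financial communities.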
