TTPatternMiner: Automated Learning and Characterization of Attack Pattern from Malicious Cyber Campaign
Abstract: With the rise of advanced persistent threats (APT), sophisticated attacks now occur frequently in the form of cyber threat campaigns. Threat reports that offer a comprehensive analysis of malicious operations have become essential resources for analyzing and understanding the dynamics of these attacks. However, automatically extracting and identifying attack patterns from threat reports is non-trivial. Existing research mainly explores rule-based threat entity extraction and neglects a critical aspect: the analysis of attack behavior. This paper presents TTPatternMiner, a tool for operationalizing threat intelligence data by identifying unique adversarial attack patterns, thereby building a valuable knowledge base for security analysis. In contrast to low-level indicators, which are very unlikely to be reused across campaigns, TTPatternMiner is designed around robust threat characterization. Along with technique and tactic, which are the more standardized attributes of threat execution, TTPatternMiner extracts unique attack pattern entities that capture a more granular context of threat propagation. The proposed tool has been evaluated on real-world incident reports from various sources covering multiple threat campaigns that occurred in the wild. The evaluation results indicate that TTPatternMiner is a novel, effective framework for revealing standard and non-standard attack patterns in cyber threat campaigns.
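The abstract's central claim is that low-level indicators rarely recur across campaigns while tactic- and technique-level characterization does. The following added example (illustrative code written for this page, not TTPatternMiner's implementation, whose extraction method the abstract does not describe) makes that concrete: two constructed report excerpts for hypothetical incidents share no hashes, IPs or domains, yet a small keyword-to-ATT&CK mapping (also hypothetical and deliberately minimal; the technique IDs and tactic names themselves are genuine ATT&CK identifiers) recovers overlapping technique sets and an identical tactic chain from both.

```python
"""Added illustration: indicator overlap vs. tactic/technique overlap.

Not the paper's code. The two reports are constructed, the keyword rules
are a hypothetical toy extractor, and the mapping of "macro"/"powershell"
to T1059 is a simplification of ATT&CK's finer sub-techniques.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample reports describing hypothetical incidents.
REPORT_A = (
    "The operator delivered a spear-phishing email carrying a macro-enabled "
    "document. On open, the macro launched powershell.exe to fetch a loader "
    "from update-cdn[.]example (203.0.113.7). Persistence was established "
    "via a scheduled task and the implant beaconed over HTTPS. "
    "Loader SHA-256: " + "0123456789abcdef" * 4
)
REPORT_B = (
    "Victims received a phishing message with an Excel attachment. A macro "
    "ran a PowerShell stager that contacted files-sync[.]example "
    "(198.51.100.23). The stager added a Run key for persistence and then "
    "beaconed over HTTPS to its C2. Stager SHA-256: " + "fedcba9876543210" * 4
)

# Hypothetical keyword -> (tactic, technique) rules. A real extractor would
# need far richer rules or an NLP model; this is only enough for the demo.
TECHNIQUE_RULES: List[Tuple[str, str, str]] = [
    (r"spear[- ]?phishing|phishing", "initial-access", "T1566"),
    (r"powershell|macro", "execution", "T1059"),
    (r"scheduled task", "persistence", "T1053"),
    (r"run key", "persistence", "T1547"),
    (r"beacon", "command-and-control", "T1071"),
]

# Low-level indicators: SHA-256 hashes, IPv4 addresses, defanged domains.
IOC_PATTERNS = [
    r"\b[0-9a-f]{64}\b",
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    r"\b[a-z0-9-]+\[\.\][a-z]{2,}\b",
]


def extract_iocs(text: str) -> Set[str]:
    """Return the set of low-level indicators found in a report."""
    low = text.lower()
    return {m for pat in IOC_PATTERNS for m in re.findall(pat, low)}


def extract_techniques(text: str) -> List[Tuple[str, str]]:
    """Return (tactic, technique) pairs ordered by first mention in the report."""
    low = text.lower()
    hits = []
    for pattern, tactic, tid in TECHNIQUE_RULES:
        m = re.search(pattern, low)
        if m:
            hits.append((m.start(), tactic, tid))
    hits.sort()
    return [(tactic, tid) for _, tactic, tid in hits]


def tactic_chain(text: str) -> List[str]:
    """Collapse the ordered technique list into a tactic sequence."""
    chain: List[str] = []
    for tactic, _ in extract_techniques(text):
        if not chain or chain[-1] != tactic:
            chain.append(tactic)
    return chain


def jaccard(a: Set[str], b: Set[str]) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare(report_x: str, report_y: str) -> Dict[str, float]:
    """Similarity of two reports at indicator, technique and tactic level."""
    tx, ty = extract_techniques(report_x), extract_techniques(report_y)
    return {
        "ioc": jaccard(extract_iocs(report_x), extract_iocs(report_y)),
        "technique": jaccard({t for _, t in tx}, {t for _, t in ty}),
        "tactic": jaccard({t for t, _ in tx}, {t for t, _ in ty}),
    }


if __name__ == "__main__":
    print("A:", extract_techniques(REPORT_A), tactic_chain(REPORT_A))
    print("B:", extract_techniques(REPORT_B), tactic_chain(REPORT_B))
    print(compare(REPORT_A, REPORT_B))
```

On these inputs the indicator overlap is 0.0, the technique overlap is 0.6 (the two reports differ only in the persistence technique), and the tactic chain initial-access, execution, persistence, command-and-control is identical, which is the kind of reusable pattern the abstract argues a knowledge base should be built on.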