Attack hypothesis generation

Aviad Elitzur; Rami Puzis; Polina Zilberman

doi:10.1109/EISIC49498.2019.9108886

Attack hypothesis generation

Aviad Elitzur, Rami Puzis, Polina Zilberman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

21 Scopus citations

Abstract

In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat and mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlations, machine learning, and advanced visualizations in order to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG) which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and preliminary analysis provided by a security analyst, AHG provides an attack hypothesis comprised of yet unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that when implemented with the MITRE ATTCK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.

Original language	English
Title of host publication	Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019
Editors	Joel Brynielsson
Publisher	Institute of Electrical and Electronics Engineers
Pages	40-47
Number of pages	8
ISBN (Electronic)	9781728167350
DOIs	https://doi.org/10.1109/EISIC49498.2019.9108886
State	Published - 1 Nov 2019
Event	2019 European Intelligence and Security Informatics Conference, EISIC 2019 - Oulu, Finland Duration: 26 Nov 2019 → 27 Nov 2019

Publication series

Name	Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019

Conference

Conference	2019 European Intelligence and Security Informatics Conference, EISIC 2019
Country/Territory	Finland
City	Oulu
Period	26/11/19 → 27/11/19

Keywords

Attack hypothesis
Knowledge graphs
Threat intelligence

ASJC Scopus subject areas

Artificial Intelligence
Computer Science Applications
Information Systems
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/EISIC49498.2019.9108886

Cite this

Elitzur, A., Puzis, R., & Zilberman, P. (2019). Attack hypothesis generation. In J. Brynielsson (Ed.), Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019 (pp. 40-47). Article 9108886 (Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019). Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/EISIC49498.2019.9108886

@inproceedings{90da38e15923471d945b33f256af96d7,

title = "Attack hypothesis generation",

abstract = "In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat and mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlations, machine learning, and advanced visualizations in order to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG) which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and preliminary analysis provided by a security analyst, AHG provides an attack hypothesis comprised of yet unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that when implemented with the MITRE ATTCK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.",

keywords = "Attack hypothesis, Knowledge graphs, Threat intelligence",

author = "Aviad Elitzur and Rami Puzis and Polina Zilberman",

note = "Publisher Copyright: {\textcopyright} 2019 IEEE.; 2019 European Intelligence and Security Informatics Conference, EISIC 2019 ; Conference date: 26-11-2019 Through 27-11-2019",

year = "2019",

month = nov,

day = "1",

doi = "10.1109/EISIC49498.2019.9108886",

language = "English",

series = "Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019",

publisher = "Institute of Electrical and Electronics Engineers",

pages = "40--47",

editor = "Joel Brynielsson",

booktitle = "Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019",

address = "United States",

}

Elitzur, A, Puzis, R & Zilberman, P 2019, Attack hypothesis generation. in J Brynielsson (ed.), Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019., 9108886, Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019, Institute of Electrical and Electronics Engineers, pp. 40-47, 2019 European Intelligence and Security Informatics Conference, EISIC 2019, Oulu, Finland, 26/11/19. https://doi.org/10.1109/EISIC49498.2019.9108886

Attack hypothesis generation. / Elitzur, Aviad; Puzis, Rami; Zilberman, Polina.
Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019. ed. / Joel Brynielsson. Institute of Electrical and Electronics Engineers, 2019. p. 40-47 9108886 (Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Attack hypothesis generation

AU - Elitzur, Aviad

AU - Puzis, Rami

AU - Zilberman, Polina

PY - 2019/11/1

Y1 - 2019/11/1

N2 - In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat and mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlations, machine learning, and advanced visualizations in order to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG) which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and preliminary analysis provided by a security analyst, AHG provides an attack hypothesis comprised of yet unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that when implemented with the MITRE ATTCK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.

AB - In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat and mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlations, machine learning, and advanced visualizations in order to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG) which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and preliminary analysis provided by a security analyst, AHG provides an attack hypothesis comprised of yet unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that when implemented with the MITRE ATTCK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.

KW - Attack hypothesis

KW - Knowledge graphs

KW - Threat intelligence

UR - http://www.scopus.com/inward/record.url?scp=85087061462&partnerID=8YFLogxK

U2 - 10.1109/EISIC49498.2019.9108886

DO - 10.1109/EISIC49498.2019.9108886

M3 - Conference contribution

AN - SCOPUS:85087061462

T3 - Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019

SP - 40

EP - 47

BT - Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019

A2 - Brynielsson, Joel

PB - Institute of Electrical and Electronics Engineers

T2 - 2019 European Intelligence and Security Informatics Conference, EISIC 2019

Y2 - 26 November 2019 through 27 November 2019

ER -

Elitzur A, Puzis R, Zilberman P. Attack hypothesis generation. In Brynielsson J, editor, Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019. Institute of Electrical and Electronics Engineers. 2019. p. 40-47. 9108886. (Proceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019). doi: 10.1109/EISIC49498.2019.9108886

Attack hypothesis generation

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this