NO-DOUBT: Attack attribution based on threat intelligence reports

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

18 Scopus citations

Abstract

The task of attack attribution, i.e., identifying the entity responsible for an attack, is complicated and usually requires the involvement of an experienced security expert. Prior attempts to automate attack attribution apply various machine learning techniques to features extracted from the malware's code and behavior in order to identify other, similar malware whose authors are known. However, the same malware can be reused by multiple actors, and the actor who performed an attack using a piece of malware might differ from the malware's author. Moreover, information collected during an incident may contain many clues about the identity of the attacker in addition to the malware used. In this paper, we propose a method of attack attribution based on textual analysis of threat intelligence reports, using state-of-the-art algorithms and models from the fields of machine learning and natural language processing (NLP). We have developed a new text representation algorithm which captures the context of the words and requires minimal feature engineering. Our approach relies on a vector space representation of incident reports derived from a small collection of labeled reports and a large corpus of general security literature. Both datasets have been made available to the research community. Experimental results show that the proposed representation can attribute attacks more accurately than the baselines' representations. In addition, we show how the proposed approach can be used to identify novel, previously unseen threat actors and to identify similarities between known threat actors.

Original language: English
Title of host publication: 2019 IEEE International Conference on Intelligence and Security Informatics, ISI 2019
Editors: Xiaolong Zheng, Ahmed Abbasi, Michael Chau, Alan Wang, Lina Zhou
Publisher: Institute of Electrical and Electronics Engineers
Pages: 80-85
Number of pages: 6
ISBN (Electronic): 9781728125046
DOIs
State: Published - 1 Jul 2019
Event: 17th IEEE International Conference on Intelligence and Security Informatics, ISI 2019 - Shenzhen, China
Duration: 1 Jul 2019 to 3 Jul 2019

Publication series

Name: 2019 IEEE International Conference on Intelligence and Security Informatics, ISI 2019

Conference

Conference: 17th IEEE International Conference on Intelligence and Security Informatics, ISI 2019
Country/Territory: China
City: Shenzhen
Period: 1/07/19 to 3/07/19

Keywords

  • Classification
  • Security analytics
  • Text
  • Threat intelligence

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Vision and Pattern Recognition
  • Information Systems and Management
  • Information Systems
