
TTPXHunter: Actionable Threat Intelligence Extraction as TTPs from Finished Cyber Threat Reports

Nanda Rani, Bikash Saha, Vikas Maurya, Sandeep Kumar Shukla

TL;DR

TTPXHunter significantly improves cybersecurity threat intelligence by offering quick, actionable insights into attacker behaviors; it automates threat intelligence analysis and provides a crucial tool for cybersecurity professionals combating cyber threats.

Abstract

Understanding the modus operandi of adversaries aids organizations in employing efficient defensive strategies and sharing intelligence with the community. This knowledge is often present as unstructured natural language text within threat analysis reports. A translation tool is needed to interpret the modus operandi explained in the sentences of a threat report and translate it into a structured format. This research introduces a methodology named TTPXHunter for the automated extraction of threat intelligence in terms of Tactics, Techniques, and Procedures (TTPs) from finished cyber threat reports. It leverages cyber domain-specific, state-of-the-art natural language processing (NLP) to augment sentences for minority-class TTPs and to significantly refine the pinpointing of TTPs in threat analysis reports. Knowledge of threat intelligence in terms of TTPs is essential for comprehensively understanding cyber threats and enhancing detection and mitigation strategies. We create two datasets: an augmented sentence-to-TTP dataset of 39,296 samples and a report-to-TTP dataset of 149 real-world cyber threat intelligence reports. Further, we evaluate TTPXHunter on both the augmented sentence dataset and the cyber threat reports. TTPXHunter achieves its highest performance of 92.42% F1-score on the augmented dataset, and it also outperforms existing state-of-the-art solutions in TTP extraction by achieving an F1-score of 97.09% when evaluated over the report dataset. TTPXHunter significantly improves cybersecurity threat intelligence by offering quick, actionable insights into attacker behaviors. This advancement automates threat intelligence analysis, providing a crucial tool for cybersecurity professionals fighting cyber threats.

Paper Structure (20 sections, 4 equations, 9 figures, 4 tables)

Figures (9)

  • Figure 1: TTPXHunter Architecture
  • Figure 2: Data Augmentation Steps
  • Figure 3: Fine-tuning steps
  • Figure 4: Performance Comparison between TRAM and TTPXHunter over Augmented Dataset
  • Figure 5: Performance Comparison between TTPHunter and TTPXHunter over TTPHunter's 50-TTP set
  • ...and 4 more figures