
Threat Behavior Textual Search by Attention Graph Isomorphism

Chanwoo Bae, Guanhong Tao, Zhuo Zhang, Xiangyu Zhang

TL;DR

This work addresses the challenge of threat intelligence search in the presence of obfuscated malware and unstructured reports by introducing attention-graph isomorphism, which builds domain-specific semantic graphs from Transformer self-attention. The approach leverages a large, unlabeled CTI corpus and a subgraph-isomorphism-based similarity to compare threat reports, achieving substantial gains over keyword and embedding baselines. In real-world forensics, it improves attack-origin attribution (8/10 correct) versus Google (3/10) and IoC-based methods (2/10), while maintaining practical efficiency through graph caching and sentence clustering. The combination of a large multi-vendor dataset, unsupervised attention-driven graph construction, and robust evaluation demonstrates a promising path for faster and more accurate cyber threat investigation, with an accompanying dataset release to enable further research.

Abstract

Cyber attacks cause over \$1 trillion loss every year. An important task for cyber security analysts is attack forensics. It entails understanding malware behaviors and attack origins. However, existing automated or manual malware analysis can only disclose a subset of behaviors due to inherent difficulties (e.g., malware cloaking and obfuscation). As such, analysts often resort to text search techniques to identify existing malware reports based on the symptoms they observe, exploiting the fact that malware samples share a lot of similarity, especially those from the same origin. In this paper, we propose a novel malware behavior search technique that is based on graph isomorphism at the attention layers of Transformer models. We also compose a large dataset collected from various agencies to facilitate such research. Our technique outperforms state-of-the-art methods, such as those based on sentence embeddings and keywords, by 6-14%. In the case study of 10 real-world malware samples, our technique can correctly attribute 8 of them to their ground truth origins, while using Google only works for 3 cases.
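The two steps the abstract describes, graph construction from word-to-word attention and subgraph-isomorphism matching, as a toy illustration added here (not the authors' implementation). It assumes constructed sparse self-attention weights between token indices, a fixed edge threshold, and exact token-label matching; the second report shares every keyword with the query but not its structure, which is the case a keyword baseline gets wrong.

```python
"""Toy attention-graph construction and subgraph-isomorphism matching.
Added illustration; the weights and threshold below are constructed."""


def build_attention_graph(tokens, attn, threshold=0.4):
    """Turn token-to-token attention weights into an undirected labelled graph.
    Nodes are token positions labelled by the lowercased token; an edge joins
    two tokens whose attention weight (either direction) is >= threshold."""
    labels = {i: t.lower() for i, t in enumerate(tokens)}
    edges = set()
    for (i, j), w in attn.items():
        if i != j and w >= threshold:
            edges.add(frozenset((i, j)))
    return labels, edges


def find_subgraph_isomorphism(query, report):
    """Backtracking search for an injective mapping query->report that keeps
    token labels and every query edge. Returns the mapping, or None."""
    q_labels, q_edges = query
    r_labels, r_edges = report
    order = sorted(q_labels)  # deterministic node order for the search
    mapping = {}

    def consistent(qn, rn):
        # every already-mapped query edge touching qn must exist in the report
        for qm, rm in mapping.items():
            if frozenset((qn, qm)) in q_edges and frozenset((rn, rm)) not in r_edges:
                return False
        return True

    def extend(k):
        if k == len(order):
            return True
        qn = order[k]
        for rn, lbl in r_labels.items():
            if lbl == q_labels[qn] and rn not in mapping.values() and consistent(qn, rn):
                mapping[qn] = rn
                if extend(k + 1):
                    return True
                del mapping[qn]
        return False

    return dict(mapping) if extend(0) else None


# Constructed sparse attention weights: (token index, token index) -> weight.
QUERY_TOKENS = ["drops", "payload", "temp", "folder"]
QUERY_ATTN = {(0, 1): 0.6, (1, 2): 0.3, (2, 3): 0.7, (0, 2): 0.5}
REPORT_A_TOKENS = ["the", "malware", "drops", "encrypted", "payload", "into", "temp", "folder"]
REPORT_A_ATTN = {(1, 2): 0.5, (2, 4): 0.55, (4, 3): 0.6, (2, 6): 0.45, (6, 7): 0.8, (5, 6): 0.2}
# Same four keywords as the query, different attention structure.
REPORT_B_TOKENS = ["payload", "folder", "temp", "drops"]
REPORT_B_ATTN = {(0, 1): 0.9, (2, 3): 0.1}


def match(query_tokens, query_attn, report_tokens, report_attn):
    """Build both graphs and return the query->report node mapping, or None."""
    q = build_attention_graph(query_tokens, query_attn)
    r = build_attention_graph(report_tokens, report_attn)
    return find_subgraph_isomorphism(q, r)
```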

Paper Structure (17 sections, 1 equation, 6 figures, 8 tables)

This paper contains 17 sections, 1 equation, 6 figures, 8 tables.

Figures (6)

  • Figure 1: Motivation example: searching a real-world attack on an Indian nuclear plant. The arrow from left to right denotes the timeline. The attack happened in 2019 (the right-most spot on the timeline with a bug symbol). A few other attacks by the same threat actor were conducted before the 2019 attack and are denoted by the blue, orange and green durations along the timeline. The large box "Security Analyses on Day-0" in the middle denotes the multiple methods the analyst could have used to analyze and search the attack. The boxes at the bottom show the real analysis reports of the attack that were produced long after the attack, in 2020. Most of the information in those reports is covered by the past reports A-1, A-2, and A-3 retrieved by our method, illustrating that with our method, the attack could have been easily analyzed and attributed.
  • Figure 2: Self-attention maps on example sentences (top). The word-to-word correlations in the attention maps show that the core representation of a behavior (bottom) can be extracted from plain text.
  • Figure 3: Inaccuracies in the use of dependency trees (for two sentences from Figure 2). A dependency tree separates semantically correlated clauses (red boxes) because they have no syntactic relation (left). It may also incur false positive correlations (blue arrows) when a word has multiple equivalent neighbors (right).
  • Figure 4: The utilization of self-attention for search.
  • Figure 5: Search results for attack origin identification. In each figure, a red cross on the line (+---+---+) denotes the target origin of a malware. In each row (i.e., a malware), the actor with the largest number of search results is marked by a red square. Therefore, the co-location of the two symbols (the cross inside the square) indicates successful origin identification.
  • ...and 1 more figure