DroidTTP: Mapping Android Applications with TTP for Cyber Threat Intelligence
Dincy R Arikkat, Vinod P., Rafidha Rehiman K. A., Serena Nicolazzo, Marco Arazzi, Antonino Nocera, Mauro Conti
TL;DR
DroidTTP addresses the need for cyber threat attribution of Android apps by mapping their behaviors to MITRE ATT&CK Tactics and Techniques. The work develops a novel dataset linking TTPs to Android applications and evaluates multi-label classification via Problem Transformation Approaches, alongside LLM-based RAG and fine-tuning strategies. Key findings show that a Label Powerset approach with XGBoost achieves high Jaccard similarity for both Tactics and Techniques, while LLM methods offer competitive performance and valuable interpretability via SHAP analyses. The framework advances practical threat intelligence by enabling deeper attacker-behavior insights, with potential extensions to real-time dashboards and CTI integrations such as STIX/TAXII.
Abstract
The widespread adoption of Android devices for sensitive operations like banking and communication has made them prime targets for cyber threats, particularly Advanced Persistent Threats (APT) and sophisticated malware attacks. Traditional malware detection methods rely on binary classification, failing to provide insights into adversarial Tactics, Techniques, and Procedures (TTPs). Understanding malware behavior is crucial for enhancing cybersecurity defenses. To address this gap, we introduce DroidTTP, a framework mapping Android malware behaviors to TTPs based on the MITRE ATT&CK framework. Our curated dataset explicitly links MITRE TTPs to Android applications. We developed an automated solution leveraging the Problem Transformation Approach (PTA) and Large Language Models (LLMs) to map applications to both Tactics and Techniques. Additionally, we employed Retrieval-Augmented Generation (RAG) with prompt engineering and LLM fine-tuning for TTP predictions. Our structured pipeline includes dataset creation, hyperparameter tuning, data augmentation, feature selection, model development, and SHAP-based model interpretability. Among LLMs, Llama achieved the highest performance in Tactic classification with a Jaccard Similarity of 0.9583 and Hamming Loss of 0.0182, and in Technique classification with a Jaccard Similarity of 0.9348 and Hamming Loss of 0.0127. However, the Label Powerset XGBoost model outperformed LLMs, achieving a Jaccard Similarity of 0.9893 for Tactic classification and 0.9753 for Technique classification, with a Hamming Loss of 0.0054 and 0.0050, respectively. While XGBoost showed superior performance, the narrow margin highlights the potential of LLM-based approaches in TTP classification.