An Argumentation-Based Reasoner to Assist Digital Investigation and Attribution of Cyber-Attacks
We expect an increase in the frequency and severity of cyber-attacks, and
with it a growing need for efficient security countermeasures. The process
of attributing a cyber-attack helps to construct efficient and targeted
mitigating and preventive security measures. In this work, we propose an
argumentation-based reasoner (ABR) as a proof-of-concept tool that can help a
forensics analyst during the analysis of forensic evidence and the attribution
process. Given the evidence collected from a cyber-attack, our reasoner can
assist the analyst during the investigation process by helping them to
analyze the evidence and identify who performed the attack. Furthermore, it
suggests to the analyst where to focus further analyses by giving hints of the
missing evidence or new investigation paths to follow. ABR is the first
automatic reasoner that can combine both technical and social evidence in the
analysis of a cyber-attack, and that can also cope with incomplete and
conflicting information. To illustrate how ABR can assist in the analysis and
attribution of cyber-attacks, we have used examples of cyber-attacks and their
analyses as reported in publicly available reports and online literature. We do
not mean to either agree or disagree with the analyses presented therein or to
reach attribution conclusions.
APT-MMF: An advanced persistent threat actor attribution method based on multimodal and multilevel feature fusion
Threat actor attribution is a crucial defense strategy for combating advanced
persistent threats (APTs). Cyber threat intelligence (CTI), which involves
analyzing multisource heterogeneous data from APTs, plays an important role in
APT actor attribution. The current attribution methods extract features from
different CTI perspectives and employ machine learning models to classify CTI
reports according to their threat actors. However, these methods usually
extract only one kind of feature and ignore heterogeneous information,
especially the attributes and relations of indicators of compromise (IOCs),
which form the core of CTI. To address these problems, we propose an APT actor
attribution method based on multimodal and multilevel feature fusion (APT-MMF).
First, we leverage a heterogeneous attributed graph to characterize APT reports
and their IOC information. Then, we extract and fuse multimodal features,
including attribute type features, natural language text features and
topological relationship features, to construct comprehensive node
representations. Furthermore, we design multilevel heterogeneous graph
attention networks to learn the deep hidden features of APT report nodes; these
networks integrate IOC type-level, metapath-based neighbor node-level, and
metapath semantic-level attention. Utilizing multisource threat intelligence,
we construct a heterogeneous attributed graph dataset for verification
purposes. The experimental results show that our method not only outperforms
the existing methods but also demonstrates good interpretability for
attribution analysis tasks.