Learning APT Chains From Cyber Threat Intelligence


With cyber attacks evolving rapidly, cybersecurity specialists rely on cyber threat intelligence (CTI) to identify and respond to attacks in a timely manner. That intelligence becomes far more useful for attack detection and mitigation if we can turn it into structured CTI and accurately generate TTP chains that capture the steps of an attack. In this poster, we present our preliminary Natural Language Processing (NLP) analysis for characterizing the temporal relationships between the attack actions of an APT campaign, in order to extract the reported TTP chains and encode them using the widely adopted MITRE ATT&CK framework [1] and the structured sharing language STIX 2 [5], a machine-readable format that helps automate the understanding of, and response to, attacks described in unstructured text such as blogs, emails, and social media.
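As an added illustration, not the poster's TTPDrill code or the authors' method, the Python block below shows the representation the abstract describes: a constructed CTI-style paragraph is reduced to an ordered chain of ATT&CK techniques and serialized as a STIX 2.1 bundle in which each attack-pattern object carries its technique as an external reference and its tactic as a kill-chain phase, with relationships linking the patterns in temporal order. The regex "ontology", the handling of the "Before X, Y" cue, the custom `followed-by` relationship type and the deterministic UUIDv5 identifiers are assumptions made for this example; the technique IDs, names and tactic names are real ATT&CK Enterprise entries.

```python
import json
import re
import uuid

# Constructed sample input: CTI-style prose written for this example, not a real report.
SAMPLE_REPORT = (
    "The actor first sent spearphishing emails carrying a malicious attachment. "
    "After the victim opened the document, a PowerShell script was executed. "
    "Before the collected files were exfiltrated over the C2 channel, "
    "the malware beaconed to its C2 server over HTTPS."
)

# Hypothetical hand-built ontology: regex over a clause -> (ATT&CK id, name, tactic).
# The ids, names and tactics are real ATT&CK Enterprise entries; the regexes are
# assumptions standing in for the NLP matching the poster describes.
ACTION_ONTOLOGY = [
    (r"spearphishing|phishing", ("T1566", "Phishing", "initial-access")),
    (r"opened the (document|attachment)", ("T1204", "User Execution", "execution")),
    (r"powershell|script was executed", ("T1059", "Command and Scripting Interpreter", "execution")),
    (r"beacon|c2 server", ("T1071", "Application Layer Protocol", "command-and-control")),
    (r"exfiltrat", ("T1041", "Exfiltration Over C2 Channel", "exfiltration")),
]


def split_sentences(text):
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def techniques_in_clause(clause):
    """Techniques mentioned in one clause, ordered by where they appear in the text."""
    hits = []
    for pattern, technique in ACTION_ONTOLOGY:
        m = re.search(pattern, clause, re.I)
        if m:
            hits.append((m.start(), technique))
    return [t for _, t in sorted(hits)]


def sentence_actions(sentence):
    """Ordered techniques for one sentence.

    Text order is taken as temporal order, with one cue handled explicitly:
    "Before <A>, <B>" means B happened first, so the two clauses are swapped.
    """
    m = re.match(r"(?i)before\s+(.+?),\s*(.+)", sentence)
    clauses = [m.group(2), m.group(1)] if m else [sentence]
    ordered = []
    for clause in clauses:
        ordered.extend(techniques_in_clause(clause))
    return ordered


def extract_chain(report):
    """Flatten the report into a de-duplicated TTP chain (first mention wins)."""
    chain = []
    for sentence in split_sentences(report):
        for technique in sentence_actions(sentence):
            if technique not in chain:
                chain.append(technique)
    return chain


def _stix_id(kind, seed):
    # Deterministic UUIDv5 so the same chain always yields the same ids (an assumption
    # made for reproducibility; most producers use random UUIDv4).
    return f"{kind}--{uuid.uuid5(uuid.NAMESPACE_URL, seed)}"


def build_stix_bundle(chain, timestamp="2018-01-01T00:00:00.000Z"):
    """Encode a TTP chain as STIX 2.1 attack-pattern objects joined by relationships.

    'followed-by' is a custom relationship_type: STIX 2.1 allows types outside the
    default vocabulary and defines no sequencing type of its own.
    """
    objects, ids = [], []
    for tid, name, tactic in chain:
        ap_id = _stix_id("attack-pattern", tid)
        objects.append({
            "type": "attack-pattern", "spec_version": "2.1", "id": ap_id,
            "created": timestamp, "modified": timestamp, "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        })
        ids.append(ap_id)
    for src, dst in zip(ids, ids[1:]):
        objects.append({
            "type": "relationship", "spec_version": "2.1",
            "id": _stix_id("relationship", src + dst),
            "created": timestamp, "modified": timestamp,
            "relationship_type": "followed-by", "source_ref": src, "target_ref": dst,
        })
    return {"type": "bundle", "id": _stix_id("bundle", "".join(ids)), "objects": objects}


def walk_chain(bundle):
    """Follow the followed-by edges from the single root; returns the ATT&CK ids in order."""
    patterns = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-pattern"}
    nxt = {o["source_ref"]: o["target_ref"] for o in bundle["objects"] if o["type"] == "relationship"}
    roots = [i for i in patterns if i not in set(nxt.values())]
    if len(roots) != 1:
        raise ValueError("a chain must have exactly one root attack-pattern")
    order, cur = [], roots[0]
    while cur is not None:
        order.append(patterns[cur]["external_references"][0]["external_id"])
        cur = nxt.get(cur)
    return order


if __name__ == "__main__":
    chain = extract_chain(SAMPLE_REPORT)
    print(" -> ".join(tid for tid, _, _ in chain))
    print(json.dumps(build_stix_bundle(chain), indent=2))
```

The point of `walk_chain` is that the ordering survives the round trip through STIX: a consumer that receives only the bundle can recover the same sequence the extractor produced, which is what makes the chain usable by detection and response tooling rather than only by a human reader.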


Ghaith Husari is a fifth-year Ph.D. candidate in Computing and Information Systems at the University of North Carolina at Charlotte, where he has been a member of the Center of Cybersecurity Analytics and Automation (CCAA) since 2014. His research focuses on data-driven analytics for extracting threat actions and attack patterns from the unstructured text of cyber threat intelligence by applying natural language processing, information retrieval, and data mining techniques. His research tool, TTPDrill (hands-free TTP mining from unstructured CTI), was demonstrated at RSA Conference 2018 (attended by roughly 45,000 executives and researchers) and was rated Best Research Project in NSF CCAA by the members of the center. He received his Master's degree in Artificial Intelligence (2012) and his Bachelor's degree in Software Engineering (2007).

Creative Commons 2.5