Unveiling Cyber Threat Actors: A Hybrid Deep Learning Approach for Behavior-based Attribution-Reference-Cited by-同舟云学术

Unveiling Cyber Threat Actors: A Hybrid Deep Learning Approach for Behavior-based Attribution

Published:2024-07-02 Issue: Volume: Page:
ISSN:2576-5337
Container-title:Digital Threats: Research and Practice
language:en
Short-container-title:Digital Threats

Author:

Böge Emirhan¹^ORCID,Ertan Murat Bilgehan²^ORCID,Alptekin Halit³^ORCID,Çetin Orçun¹^ORCID

Affiliation:

1. Sabanci University, Türkiye

2. Vrije Universiteit Amsterdam, Netherlands

3. PRODAFT, Switzerland

Abstract

In this paper, we leverage natural language processing and machine learning algorithms to profile threat actors based on their behavioral signatures to establish identification for soft attribution. Our unique dataset comprises various actors and the commands they have executed, with a significant proportion using the Cobalt Strike framework in August 2020-October 2022. We implemented a hybrid deep learning structure combining transformers and convolutional neural networks to benefit global and local contextual information within the sequence of commands, which provides a detailed view of the behavioral patterns of threat actors. We evaluated our hybrid architecture against pre-trained transformer-based models such as BERT, RoBERTa, SecureBERT, and DarkBERT with our high-count, medium-count, and low-count datasets. Hybrid architecture has achieved F1-score of 95.11% and an accuracy score of 95.13% on the high-count dataset, F1-score of 93.60% and accuracy score of 93.77% on the medium-count dataset, and F1-score of 88.95% and accuracy score of 89.25% on the low-count dataset. Our approach has the potential to substantially reduce the workload of incident response experts who are processing the collected cybersecurity data to identify patterns.

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/3676284

Reference29 articles.

1. Ehsan Aghaei, Xi Niu, Waseem Shadid, and Ehab Al-Shaer. 2022. Securebert: a domain-specific language model for cybersecurity. In International Conference on Security and Privacy in Communication Systems. Springer, 39–56.

2. Aylin Caliskan Fabian Yamaguchi Edwin Dauber Richard Harang Konrad Rieck Rachel Greenstadt and Arvind Narayanan. 2015. When coding style survives compilation: de-anonymizing programmers from executable binaries. arXiv preprint arXiv:1512.08546.

3. Cybersecurity and Infrastructure Security Agency (CISA). 2023. #Stopransomware: royal ransomware. (2023). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a.

4. Jacob Devlin Ming-Wei Chang Kenton Lee and Kristina Toutanova. 2018. Bert: pre-training of deep bidirectional transformers for language understanding. (2018).

5. Juan Andres Guerrero-Saade. 2018. Draw me like one of your french apts—expanding our descriptive palette for cyber threat actors. In Virus Bulletin Conference, Montreal, 1–20.