Improving Automated Labeling for ATT&CK Tactics in Malware Threat Reports-Reference-Cited by-同舟云学术

Improving Automated Labeling for ATT&CK Tactics in Malware Threat Reports

Published:2023-05-17 Issue: Volume: Page:
ISSN:2692-1626
Container-title:Digital Threats: Research and Practice
language:en
Short-container-title:Digital Threats

Author:

Domschot Eva¹,Ramyaa Ramyaa¹,Smith Michael R.²

Affiliation:

1. New Mexico Institute of Mining and Technology, USA

2. Sandia National Laboratories, USA

Abstract

Once novel malware is detected, threat reports are written by security companies that discover it. The reports often vary in the terminology describing the behavior of the malware making comparisons of reports of the same malware from different companies difficult. To aid in the automated discovery of novel malware, it was recently proposed that novel malware could be detected by identifying behaviors. This assumes that a core set of behaviors are present in most, if not all, malware variants. However, there is a lack of malware datasets that are labeled with behaviors. Motivated by a need to label malware with a common set of behaviors, this work examines automating the process of labeling malware with behaviors identified in malware threat reports despite the variability of terminology. To do so, we examine several techniques from the natural language processing (NLP) domain. We find that most state-of-the-art word embedding NLP methods require large amounts of data and are trained on generic corpora of text data—missing the nuances related to information security. To address this, we use simple feature selection techniques. We find that simple feature selection techniques generally outperform word embedding methods and achieve an increase of 6% in the F .5 -score over prior work when used to predict MITRE ATT&CK tactics in threat reports. Our work indicates that feature selection, which has commonly been overlooked by sophisticated methods in NLP tasks, is beneficial for information security related tasks, where more sophisticated NLP methodologies are not able to pick out relevant information security terms.

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Networks and Communications,Computer Science Applications,Hardware and Architecture,Safety Research,Information Systems,Software

Link

https://dl.acm.org/doi/pdf/10.1145/3594553

Reference39 articles.

1. 2019. Credential Access. https://attack.mitre.org/tactics/TA0006/ 2019. Credential Access. https://attack.mitre.org/tactics/TA0006/

2. 2021. Preventing WannaCry (WCRY) ransomware attacks using Trend Micro products. https://success.trendmicro.com/dcx/s/solution/1117391-preventing-wannacry-wcry-ransomware-attacks-using-trend-micro-products?language=en_US&sfdcIFrameOrigin=null 2021. Preventing WannaCry (WCRY) ransomware attacks using Trend Micro products. https://success.trendmicro.com/dcx/s/solution/1117391-preventing-wannacry-wcry-ransomware-attacks-using-trend-micro-products?language=en_US&sfdcIFrameOrigin=null

3. Mutual information-based feature selection for intrusion detection systems

4. Benjamin Ampel Sagar Samtani Steven Ullman and Benjamin Ampel. 2021. Linking Common Vulnerabilities and Exposures to the MITRE ATT&CK Framework: A Self-Distillation Approach. Benjamin Ampel Sagar Samtani Steven Ullman and Benjamin Ampel. 2021. Linking Common Vulnerabilities and Exposures to the MITRE ATT&CK Framework: A Self-Distillation Approach.

5. Yevonnael Andrew , Charles Lim , and Eka Budiarto . 2022 . Mapping Linux Shell Commands to MITRE ATT&CK using NLP-Based Approach . In 2022 International Conference on Electrical Engineering and Informatics (ICELTICs). 37–42 . https://doi.org/10.1109/ICELTICs56128.2022.9932097 10.1109/ICELTICs56128.2022.9932097 Yevonnael Andrew, Charles Lim, and Eka Budiarto. 2022. Mapping Linux Shell Commands to MITRE ATT&CK using NLP-Based Approach. In 2022 International Conference on Electrical Engineering and Informatics (ICELTICs). 37–42. https://doi.org/10.1109/ICELTICs56128.2022.9932097