DOI: 10.1145/3029806.3029811
Short paper

Mining Attributed Graphs for Threat Intelligence

Published: 22 March 2017

Abstract

Understanding and fending off attack campaigns against organizations, companies and individuals has become a global struggle. As today's threat actors become more determined and organized, isolated efforts to detect and reveal threats are no longer effective. Although challenging, this situation can be significantly improved if information about security incidents is collected, shared and analyzed across organizations. To this end, different exchange data formats such as STIX, CyBOX, or IODEF have recently been proposed, and numerous CERTs are adopting these threat intelligence standards to share tactical and technical threat insights. However, managing, analyzing and correlating the vast amount of data available from different sources to identify relevant attack patterns still remains an open problem.
In this paper we present Mantis, a platform for threat intelligence that enables the unified analysis of different standards and the correlation of threat data through a novel type-agnostic similarity algorithm based on attributed graphs. Its unified representation allows the security analyst to discover similar and related threats by linking patterns shared between seemingly unrelated attack campaigns through queries of different complexity.
We evaluate the performance of Mantis as an information retrieval system for threat intelligence in different experiments. In an evaluation with over 14,000 CyBOX objects, the platform enables retrieving relevant threat reports with a mean average precision of 80%, given only a single object from an incident, such as a file or an HTTP request. We further illustrate the performance of this analysis in two case studies with the attack campaigns Stuxnet and Regin.
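The abstract describes the retrieval task but not the mechanics: threat reports are turned into attributed graphs, every object is compared with a similarity that does not depend on its schema, and a single incident object is used as a query whose ranked results are scored by average precision. The block below is an added illustration of that pipeline, not Mantis' own code and not the paper's exact algorithm: it treats each object as a bag of key=value tokens, value 3-grams and neighbour tokens (so the object type is just another attribute), fingerprints every node with a 64-bit SimHash, ranks reports by the Hamming distance of their closest node, and scores one query with average precision. The report corpus, the query, all indicator values, the function names and the feature scheme are assumptions constructed for the example.

```python
# Added example: type-agnostic similarity over attributed threat graphs.
# Not Mantis code; data below is constructed (RFC 5737 address, reserved
# example names, made-up hashes), and the feature scheme is an assumption.
import hashlib
from collections import defaultdict

MD5 = "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d"
HOST = "update.example-cdn.net"
# Each report is a small attributed graph: nodes carry an object type plus
# arbitrary key/value attributes, edges link related objects.
REPORTS = {
    "report-A": {
        "objects": {
            "file-1": {"type": "FileObject", "name": "dropper.exe", "md5": MD5},
            "http-1": {"type": "HTTPSession", "host": HOST, "uri": "/img/logo.gif"},
        },
        "edges": [("file-1", "http-1")],
    },
    "report-B": {  # same dropper, slightly different C2 path
        "objects": {
            "file-2": {"type": "FileObject", "name": "dropper.exe", "md5": MD5},
            "http-2": {"type": "HTTPSession", "host": HOST, "uri": "/img/logo2.gif"},
        },
        "edges": [("file-2", "http-2")],
    },
    "report-C": {  # unrelated phishing incident
        "objects": {
            "email-1": {"type": "EmailMessage", "subject": "Invoice", "from": "billing@example.org"},
            "file-3": {"type": "FileObject", "name": "invoice.pdf"},
        },
        "edges": [("email-1", "file-3")],
    },
}
# The query: a single object from a new incident plus the HTTP session it made.
QUERY = {
    "objects": {
        "file-q": {"type": "FileObject", "name": "dropper.exe", "md5": MD5},
        "http-q": {"type": "HTTPSession", "host": HOST, "uri": "/img/logo.gif"},
    },
    "edges": [("file-q", "http-q")],
}

def build_graph(report):
    adj = defaultdict(set)  # undirected, so neighbourhood features are symmetric
    for a, b in report["edges"]:
        adj[a].add(b)
        adj[b].add(a)
    return {"objects": report["objects"], "adjacency": adj}

def _ngrams(text, n=3):
    text = text.lower()
    return {text[i:i + n] for i in range(max(1, len(text) - n + 1))}

def node_features(graph, node_id):
    """Type-agnostic feature set: the node's own key=value tokens, character
    3-grams of each value (tolerates small edits) and the key=value tokens of
    its direct neighbours. The type is just another attribute."""
    objs, adj = graph["objects"], graph["adjacency"]
    feats = set()
    for key, val in objs[node_id].items():
        feats.add(f"{key}={val}".lower())
        feats.update(f"{key}~{g}" for g in _ngrams(str(val)))
    for nb in adj[node_id]:
        feats.update(f"nb:{k}={v}".lower() for k, v in objs[nb].items())
    return feats

def simhash(features, bits=64):
    """Charikar-style SimHash: every feature votes on every bit."""
    votes = [0] * bits
    for f in features:
        h = int.from_bytes(hashlib.blake2b(f.encode(), digest_size=bits // 8).digest(), "big")
        for i in range(bits):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i, v in enumerate(votes) if v > 0)

def hamming(a, b):
    return bin(a ^ b).count("1")

def index_reports(reports):
    """Fingerprint every node of every report: {report: {node: fingerprint}}."""
    index = {}
    for name, report in reports.items():
        g = build_graph(report)
        index[name] = {n: simhash(node_features(g, n)) for n in g["objects"]}
    return index

def rank_reports(index, query_report, query_node):
    """Rank reports by the Hamming distance of their closest node to the query
    object; returns [(distance, report_name), ...], best first."""
    qfp = simhash(node_features(build_graph(query_report), query_node))
    return sorted((min(hamming(qfp, fp) for fp in fps.values()), name)
                  for name, fps in index.items())

def average_precision(ranked, relevant):
    """AP of one ranking; its mean over many queries is the MAP figure."""
    hits, total = 0, 0.0
    for rank, (_, name) in enumerate(ranked, 1):
        if name in relevant:
            hits += 1
            total += hits / rank
    return total / max(1, len(relevant))

if __name__ == "__main__":
    ranking = rank_reports(index_reports(REPORTS), QUERY, "file-q")
    print(ranking, average_precision(ranking, {"report-A", "report-B"}))
```

Because the query's file node carries exactly the attributes and neighbourhood of report-A's file, its fingerprint matches at distance 0; report-B differs only in the neighbouring URI and lands a few bits away; report-C shares nothing but the object type and ranks last. Replacing the fingerprint comparison with a real index (for instance a multi-probe table over fingerprint chunks) is what makes this scale beyond a toy corpus.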

Published In

cover image ACM Conferences
CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy
March 2017
382 pages
ISBN:9781450345231
DOI:10.1145/3029806
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. advanced persistent threat
  2. graph mining
  3. information retrieval
  4. threat intelligence

Qualifiers

  • Short-paper

Conference

CODASPY '17

Acceptance Rates

CODASPY '17 Paper Acceptance Rate 21 of 134 submissions, 16%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Downloads (last 12 months): 17
  • Downloads (last 6 weeks): 0
Reflects downloads up to 22 Feb 2025

Cited By

  • (2024) Generating ICS vulnerability playbooks with open standards. International Journal of Information Security 23(2):1215-1230, DOI 10.1007/s10207-023-00760-5. Online publication date: 1 Apr 2024.
  • (2023) Privacy-preserving correlation of cross-organizational cyber threat intelligence with private graph intersections. Computers and Security 135(C), DOI 10.1016/j.cose.2023.103505. Online publication date: 1 Dec 2023.
  • (2023) An autoML network traffic analyzer for cyber threat detection. International Journal of Information Security 22(5):1511-1530, DOI 10.1007/s10207-023-00703-0. Online publication date: 21 May 2023.
  • (2022) Privacy-Preserving Polyglot Sharing and Analysis of Confidential Cyber Threat Intelligence. Proceedings of the 17th International Conference on Availability, Reliability and Security, pages 1-11, DOI 10.1145/3538969.3538982. Online publication date: 23 Aug 2022.
  • (2022) HinCTI: A Cyber Threat Intelligence Modeling and Identification System Based on Heterogeneous Information Network. IEEE Transactions on Knowledge and Data Engineering 34(2):708-722, DOI 10.1109/TKDE.2020.2987019. Online publication date: 1 Feb 2022.
  • (2022) Cyber Threat Intelligence Entity Extraction Based on Deep Learning and Field Knowledge Engineering. 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pages 406-413, DOI 10.1109/CSCWD54268.2022.9776139. Online publication date: 4 May 2022.
  • (2021) Cyber Threat Intelligence Framework for Incident Response in an Energy Cloud Platform. Electronics 10(3):239, DOI 10.3390/electronics10030239. Online publication date: 21 Jan 2021.
  • (2021) From Threat Data to Actionable Intelligence: An Exploratory Analysis of the Intelligence Cycle Implementation in Cyber Threat Intelligence Sharing Platforms. Proceedings of the 16th International Conference on Availability, Reliability and Security, pages 1-9, DOI 10.1145/3465481.3470048. Online publication date: 17 Aug 2021.
  • (2021) TagVet. Proceedings of the 14th European Workshop on Systems Security, pages 34-40, DOI 10.1145/3447852.3458719. Online publication date: 26 Apr 2021.
  • (2021) A Method for Extracting Unstructured Threat Intelligence Based on Dictionary Template and Reinforcement Learning. 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pages 262-267, DOI 10.1109/CSCWD49262.2021.9437858. Online publication date: 5 May 2021.
