Abstract
Nowadays, new-generation threats often use multiple means or perform several steps to intrude into networks and ultimately reach their objective. These new threats are multi-staged, and we can understand their intrusion pattern through the kill-chain defensive model. This paper focuses on fusing heterogeneous threat intelligence collected from security information and event management systems to reconstruct multi-step attack scenarios and discover critical attack paths. However, the absence of an agreed-upon vocabulary for representing the heterogeneous threat intelligence makes it difficult to model the attack scenarios accurately and efficiently. Therefore, we devise a heterogeneous threat intelligence fusion approach for real-time reconstruction of attack scenarios. First, we use Structured Threat Information Expression (STIX) to format the heterogeneous threat intelligence (TI). We analyze the causal relationships among the heterogeneous threat intelligence and piece them together. Then, we model multi-stage attack scenario reconstruction as a community discovery problem and mine the attack scenarios with semantic correlation weights and a community detection algorithm. Finally, we use open-source benchmark datasets (DARPA 2000, CICIDS 2017) and real Internet traffic captured from the China Education Research Network (CERNET) backbone to evaluate our work. Extensive results demonstrate that our proposal can accurately reconstruct multi-step attack scenarios and discover covert C&C channels.
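As an added illustration of the idea in this abstract (not the paper's algorithm, code or data), the sketch below scores pairwise semantic correlation between normalized alerts and groups them into candidate attack scenarios with a weighted label-propagation community detection; the alert records, the weight heuristic and the propagation routine are all assumptions made here.

```python
from collections import defaultdict

# Constructed sample alerts in a minimal STIX-like shape (assumed, not the paper's data).
# "stage" is a kill-chain stage index: 1 recon, 2 exploit, 4 command-and-control.
ALERTS = [
    {"id": "a1", "src": "10.0.0.5", "dst": "10.0.1.20", "stage": 1, "ts": 100},
    {"id": "a2", "src": "10.0.0.5", "dst": "10.0.1.20", "stage": 2, "ts": 160},
    {"id": "a3", "src": "10.0.1.20", "dst": "198.51.100.9", "stage": 4, "ts": 300},
    {"id": "a4", "src": "10.0.1.20", "dst": "198.51.100.9", "stage": 4, "ts": 420},
    {"id": "a5", "src": "10.0.7.7", "dst": "10.0.9.9", "stage": 1, "ts": 110},
    {"id": "a6", "src": "10.0.7.7", "dst": "10.0.9.9", "stage": 1, "ts": 115},
]

def correlation_weight(a, b, window=600):
    """Assumed semantic correlation heuristic: alerts must share a host and lie
    within `window` seconds; pivoting (victim becomes source) and a plausible
    kill-chain progression raise the score."""
    earlier, later = (a, b) if a["ts"] <= b["ts"] else (b, a)
    shared = {a["src"], a["dst"]} & {b["src"], b["dst"]}
    if not shared or later["ts"] - earlier["ts"] > window:
        return 0.0
    w = 0.5 * len(shared)
    if earlier["dst"] == later["src"]:          # lateral pivot or C&C from victim
        w += 1.0
    if 0 <= later["stage"] - earlier["stage"] <= 2:  # forward stage progression
        w += 0.5
    return w

def detect_communities(alerts, min_weight=0.5, max_rounds=20):
    """Weighted label propagation over the correlation graph; each resulting
    community is a candidate multi-step attack scenario. Deterministic order."""
    ids = [a["id"] for a in alerts]
    adj = defaultdict(dict)
    for i, x in enumerate(alerts):
        for y in alerts[i + 1:]:
            w = correlation_weight(x, y)
            if w >= min_weight:
                adj[x["id"]][y["id"]] = w
                adj[y["id"]][x["id"]] = w
    label = {n: n for n in ids}
    for _ in range(max_rounds):
        changed = False
        for node in ids:
            score = defaultdict(float)
            for nb, w in adj[node].items():
                score[label[nb]] += w
            if score:
                best = max(sorted(score), key=lambda l: score[l])
                if best != label[node]:
                    label[node], changed = best, True
        if not changed:
            break
    groups = defaultdict(list)
    for n in ids:
        groups[label[n]].append(n)
    return sorted(groups.values())
```

Running it on the constructed alerts yields one four-alert scenario (recon, exploit, then repeated beaconing from the compromised host) and a separate two-alert scan.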