Abstract
After Action Reports (AARs) provide incisive analysis of cyber-incidents. Extracting cyber-knowledge from these sources would provide security analysts with credible information, which they can use to detect or find patterns indicative of a cyber-attack. In this paper, we describe a system to extract information from AARs, aggregate the extracted information by fusing similar entities together, and represent that extracted information in a Cybersecurity Knowledge Graph (CKG). We extract entities by building a customized named entity recognizer called ‘Malware Entity Extractor’ (MEE). We then build a neural network to predict how pairs of ‘malware entities’ are related to each other. When we have predicted entity pairs and the relationship between them, we assert the ‘entity-relationship set’ in a CKG. Our next step in the process is to fuse similar entities, to improve our CKG. This fusion helps represent intelligence extracted from multiple documents and reports. The fused CKG has knowledge from multiple AARs, with relationships between entities extracted from separate reports. As a result of this fusion, a security analyst can execute queries and retrieve better answers on the fused CKG, than a knowledge graph with no fusion. We also showcase various reasoning capabilities that can be leveraged by a security analyst using our fused CKG.
Highlights
Every year thousands of malware samples are created and subsequently used to attack different organizations.
In this work we describe After Action Reports (AARs) and discuss similar research conducted in this area.
The standard way of querying a Cybersecurity Knowledge Graph (CKG) is through SPARQL [46] queries which we show
Summary
Every year thousands of malware samples are created and subsequently used to attack different organizations; spear-phishing emails, for example, have been used to steal login credentials and exfiltrate sensitive data [48]. To combat these malware-based attacks, security researchers retrieve malware samples from the 'wild' and study them. As a result of these studies, security analysts produce 'After Action Reports' (AARs), which describe in great detail a particular malware sample, its means and its consequences. These technical AARs are a vital source of Cyber Threat Intelligence (CTI) and can augment other Open Source Intelligence (OSINT) sources to create a holistic picture of an attack. An AAR may describe which 'vulnerabilities' were targeted by the attacker, and what a user, or a potential victim, can do to prevent the attack.
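The abstract and summary describe a pipeline in which entity-relationship triples extracted from separate AARs are asserted into a knowledge graph, near-duplicate entity mentions are fused into one node, and the fused graph then answers analyst questions that no single report can. The following Python is an added illustration of that fusion step and its effect on a query; it is not the authors' code. The two "reports", the entity names, the relation labels and the normalisation rule used for fusion are all constructed here, and the trained extraction models (the MEE recognizer and the relation classifier) are stood in for by hand-written triples.

```python
"""Toy Cybersecurity Knowledge Graph (CKG) with entity fusion.

Added example: triples "extracted" from two constructed After Action Reports
are asserted into a graph; with fusion on, surface mentions that normalise
to the same key share one node, so a two-pattern query that joins on the
malware entity succeeds only on the fused graph.
"""
import re
from collections import defaultdict

# Constructed extractor output for two hypothetical AARs.
# Each tuple is (subject, relation, object), as a relation predictor would emit.
# "Vuln-PLACEHOLDER" stands in for a real vulnerability identifier.
REPORT_A = [
    ("Malware-X", "uses", "spear-phishing email"),
    ("Malware-X", "exploits", "Vuln-PLACEHOLDER"),
]
REPORT_B = [
    ("malware x", "hasAttackPattern", "credential theft"),   # same malware, different mention
    ("malwarex", "exfiltrates", "login credentials"),        # and a third spelling
    ("Vuln-PLACEHOLDER", "affects", "Mail Client Y"),
]


def canonical_key(mention: str) -> str:
    """Normalise a surface mention so near-duplicate strings collide.

    Toy fusion rule (constructed for this example): case-fold and drop every
    character that is not a letter or digit. Real systems use embeddings or
    string-similarity thresholds; the rule here is deliberately transparent.
    """
    return re.sub(r"[^a-z0-9]", "", mention.lower())


def build_graph(triples, fuse=True):
    """Assert (s, r, o) triples into an adjacency index: node -> {(relation, node)}.

    With fuse=True, mentions sharing a canonical key are mapped to one node,
    named by the first surface form seen for that key. With fuse=False every
    distinct string is its own node, as in a graph built with no fusion.
    """
    canon = {}                 # canonical key -> chosen node name
    graph = defaultdict(set)

    def node(mention):
        if not fuse:
            return mention
        return canon.setdefault(canonical_key(mention), mention)

    for s, r, o in triples:
        graph[node(s)].add((r, node(o)))
    return graph


def objects(graph, subject, relation):
    """All objects o such that (subject, relation, o) is asserted."""
    return {o for r, o in graph.get(subject, ()) if r == relation}


def malware_exfiltrating_and_exploiting(graph, target="login credentials"):
    """Analyst question: which malware exfiltrates `target` AND exploits some vulnerability?

    Equivalent SPARQL shape (two triple patterns joined on ?m):
        SELECT ?m WHERE { ?m :exfiltrates :login_credentials . ?m :exploits ?v . }
    The join only succeeds when both facts hang off the same node.
    """
    return sorted(
        s for s in graph
        if target in objects(graph, s, "exfiltrates")
        and objects(graph, s, "exploits")
    )


if __name__ == "__main__":
    triples = REPORT_A + REPORT_B
    print("no fusion:", malware_exfiltrating_and_exploiting(build_graph(triples, fuse=False)))
    print("fused:    ", malware_exfiltrating_and_exploiting(build_graph(triples, fuse=True)))
```

Without fusion the "exfiltrates" fact sits on the node "malwarex" and the "exploits" fact on "Malware-X", so the join returns nothing; after fusion both facts attach to one node and the query names the malware. The same mechanism is what lets the paper's fused CKG carry relationships between entities that were extracted from separate reports.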