RAF-AG: Report analysis framework for attack path generation

Abstract

Information sharing is a key practice in cybersecurity for coping with the ever-changing cyberattacks that are targeting computer systems. Thus, when cyber incidents happen, cyber threat intelligence (CTI) reports are prepared and shared among cybersecurity practitioners to help them get up-to-date information about those incidents. However, reading and analyzing the report text to comprehend the included information is a cumbersome process. Although techniques based on deep learning were proposed to speed up report analysis in order to obtain the enclosed essential information, such as attack path, training data insufficiency makes these methods inefficient in practical circumstances.This paper presents RAF-AG, a report analysis framework for attack path generation. To analyze CTI reports, RAF-AG utilizes the sentence dependency tree for entity and relation extraction, and a weak supervision approach for entity labeling. This is followed by graph building and graph alignment for generating the attack paths. Our approach resolves the data insufficiency problem in the cybersecurity domain by lowering the need for expert involvement. We evaluated RAF-AG by comparing the generated attack paths with those produced by AttacKG, a state-of-the-art automatic report analysis framework. RAF-AG was able to identify cyberattack steps by matching their appearance order inside the report, and link them with techniques from the MITRE ATT&CK knowledge base with an improved F1 score compared to AttacKG (0.708 versus 0.393).