TriCTI: an actionable cyber threat intelligence discovery system via trigger-enhanced neural network

Abstract

The cybersecurity report provides unstructured actionable cyber threat intelligence (CTI) with detailed threat attack procedures and indicators of compromise (IOCs), e.g., malware hash or URL (uniform resource locator) of command and control server. The actionable CTI, integrated into intrusion detection systems, can not only prioritize the most urgent threats based on the campaign stages of attack vectors (i.e., IOCs) but also take appropriate mitigation measures based on contextual information of the alerts. However, the dramatic growth in the number of cybersecurity reports makes it nearly impossible for security professionals to find an efficient way to use these massive amounts of threat intelligence. In this paper, we propose a trigger-enhanced actionable CTI discovery system (TriCTI) to portray a relationship between IOCs and campaign stages and generate actionable CTI from cybersecurity reports through natural language processing (NLP) technology. Specifically, we introduce the “campaign trigger” for an effective explanation of the campaign stages to improve the performance of the classification model. The campaign trigger phrases are the keywords in the sentence that imply the campaign stage. The trained final trigger vectors have similar space representations with the keywords in the unseen sentence and will help correct classification by increasing the weight of the keywords. We also meticulously devise a data augmentation specifically for cybersecurity training sets to cope with the challenge of the scarcity of annotation data sets. Compared with state-of-the-art text classification models, such as BERT, the trigger-enhanced classification model has better performance with accuracy (86.99%) and F1 score (87.02%). We run TriCTI on more than 29k cybersecurity reports, from which we automatically and efficiently collect 113,543 actionable CTI. In particular, we verify the actionability of discovered CTI by using large-scale field data from VirusTotal (VT). The results demonstrate that the threat intelligence provided by VT lacks a part of the threat context for IOCs, such as the Actions on Objectives campaign stage. As a comparison, our proposed method can completely identify the actionable CTI in all campaign stages. Accordingly, cyber threats can be identified and resisted at any campaign stage with the discovered actionable CTI.