SeqMask: Behavior Extraction Over Cyber Threat Intelligence Via Multi-Instance Learning

• Published in: Computer journal Vol. 67; no. 1; pp. 253 - 273
• Main Authors: Ge, Wenhan, Wang, Junfeng
• Format: Journal Article
• Language: English
• Published: Oxford University Press 17.01.2024
• Subjects: Information Extraction; Multi-Instance Learning; Cyber Threat Intelligence; Behavior Analysis; Tactics, Techniques and Procedures (TTPs)
• ISSN: 0010-4620; 1460-2067
• DOI: 10.1093/comjnl/bxac172

Identification and extraction of Tactics, Techniques and Procedures (TTPs) for Cyber Threat Intelligence (CTI) restore the full picture of cyber attacks and guide the analysts to assess the system risk. Existing frameworks can hardly provide uniform and complete processing mechanisms for TTPs information extraction without adequate knowledge background. A multi-instance learning approach named SeqMask is proposed in this paper as a solution. SeqMask extracts behavior keywords from CTI evaluated by the semantic impact, and predicts TTPs labels by conditional probabilities. Still, the framework has two mechanisms to determine the validity of keywords. One using expert experience verification. The other verifies the distortion of the classification effect by blocking existing keywords. In the experiments, SeqMask reached 86.07% and 73.99% in F1 scores for TTPs classifications. For the top 20% of keywords, the expert approval rating is 92.20%, where the average repetition of keywords whose scores between 100% and 90% is 60.02%. Particularly, when the top 65% of the keywords were blocked, the F1 decreased to about 50%; when removing the top 50%, the F1 was under 31%. Further, we also validate the possibility of extracting TTPs from full-size CTI and malware whose F1 are improved by 2.16% and 0.81%.