http://dx.doi.org/10.7472/jksii.2022.23.6.1

Cyber attack group classification based on MITRE ATT&CK model  

Choi, Chang-hee (Defense Cyber Technology Center, Agency for Defense Development)
Shin, Chan-ho (Defense Cyber Technology Center, Agency for Defense Development)
Shin, Sung-uk (Defense Cyber Technology Center, Agency for Defense Development)
Publication Information
Journal of Internet Computing and Services, vol. 23, no. 6, 2022, pp. 1-13
Abstract
As the information and communication environment develops, the environment of military facilities is also developing rapidly. Cyber threats are increasing in proportion, and APT attacks in particular, which are difficult to prevent with existing signature-based cyber defense systems, frequently target military and national infrastructure. Identifying the attack group is important for an appropriate response, but it is very difficult because cyber attacks are conducted covertly, using methods such as anti-forensics. In the past, after an attack was detected, a security expert had to spend a long time on high-level analysis of the large amount of collected evidence to obtain a clue to the attack group. To solve this problem, in this paper we propose an automation technique that can classify the attack group within a short time after detection. Compared to general cyber attacks, APT attacks are few in number, little data about them is known, and they are designed to bypass signature-based cyber defense techniques. As the attack model we use MITRE ATT&CK®, which models many aspects of cyber attacks. We design an impact score that takes the versatility of attack techniques into account and propose a group similarity score based on it. Experimental results show that the proposed method classified the attack group with 72.62% Top-5 accuracy.
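The abstract describes the pipeline at a high level: represent each known group by the ATT&CK techniques it has used, weight techniques by how versatile (widely shared) they are, score an incident's observed techniques against every group, and report whether the true group appears in the Top-k. The block below is an added illustration of that pipeline and is not the authors' code; the paper's actual impact-score and similarity formulas are not reproduced here. It substitutes an IDF-style weight for the versatility-aware impact score and a weighted Jaccard overlap for the group similarity, both of which are assumptions. The group profiles and incident observations are constructed toy data (the technique IDs are real ATT&CK identifiers, their assignment to "GroupA" through "GroupF" is made up).

```python
"""Illustrative ATT&CK-based attack-group classification.

Added example, not the paper's own code. Assumptions:
  * impact score  := IDF-style weight (techniques shared by many groups
                     count for less), standing in for the paper's
                     versatility-aware impact score;
  * similarity    := weighted Jaccard overlap between an incident's
                     observed techniques and a group's profile.
Group profiles and incident cases are constructed toy data.
"""
from __future__ import annotations

import math
from collections import Counter

# Constructed profiles: group -> ATT&CK technique IDs attributed to it.
GROUP_PROFILES: dict[str, set[str]] = {
    "GroupA": {"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1027"},
    "GroupB": {"T1566.002", "T1059.003", "T1053.005", "T1071.001", "T1027"},
    "GroupC": {"T1190", "T1505.003", "T1003.001", "T1021.002", "T1071.001"},
    "GroupD": {"T1566.001", "T1204.002", "T1059.005", "T1105", "T1027"},
    "GroupE": {"T1078", "T1021.001", "T1003.001", "T1560.001", "T1048.003"},
    "GroupF": {"T1195.002", "T1059.001", "T1071.004", "T1573.001", "T1027"},
}

# Constructed incidents: (techniques observed after detection, true group).
# The last case contains only generic techniques and is deliberately hard.
CASES: list[tuple[set[str], str]] = [
    ({"T1566.001", "T1059.001", "T1027"}, "GroupA"),
    ({"T1190", "T1505.003", "T1071.001"}, "GroupC"),
    ({"T1078", "T1021.001", "T1003.001"}, "GroupE"),
    ({"T1027", "T1071.001"}, "GroupB"),
]


def impact_scores(profiles: dict[str, set[str]]) -> dict[str, float]:
    """Per-technique weight that falls as more groups use the technique.

    Assumption (IDF-style): w_t = ln((1 + N) / (1 + n_t)) + 1, with N the
    number of groups and n_t the number of groups whose profile has t.
    T1027 (obfuscation) is used by four of six groups here, so it carries
    far less attribution signal than a technique seen in one group only.
    """
    n_groups = len(profiles)
    usage = Counter(t for techs in profiles.values() for t in techs)
    return {t: math.log((1 + n_groups) / (1 + n)) + 1.0 for t, n in usage.items()}


def group_similarity(observed: set[str], profile: set[str],
                     weights: dict[str, float]) -> float:
    """Weighted Jaccard: weight of shared techniques over weight of the union.

    Techniques never seen in any profile get a neutral weight of 1.0.
    """
    shared = sum(weights.get(t, 1.0) for t in observed & profile)
    union = sum(weights.get(t, 1.0) for t in observed | profile)
    return shared / union if union else 0.0


def rank_groups(observed: set[str], profiles: dict[str, set[str]],
                weights: dict[str, float]) -> list[tuple[str, float]]:
    """All groups ordered by descending similarity (ties broken by name)."""
    scored = [(g, group_similarity(observed, p, weights)) for g, p in profiles.items()]
    return sorted(scored, key=lambda gs: (-gs[1], gs[0]))


def top_k_accuracy(cases: list[tuple[set[str], str]], profiles: dict[str, set[str]],
                   weights: dict[str, float], k: int = 5) -> float:
    """Fraction of cases whose true group appears among the k best-scoring groups."""
    if not cases:
        return 0.0
    hits = 0
    for observed, truth in cases:
        top = [g for g, _ in rank_groups(observed, profiles, weights)[:k]]
        hits += truth in top
    return hits / len(cases)


if __name__ == "__main__":
    w = impact_scores(GROUP_PROFILES)
    for observed, truth in CASES:
        ranked = rank_groups(observed, GROUP_PROFILES, w)
        print(f"truth={truth:7s} ranking={[g for g, _ in ranked]}")
    print("Top-1:", top_k_accuracy(CASES, GROUP_PROFILES, w, k=1))
    print("Top-5:", top_k_accuracy(CASES, GROUP_PROFILES, w, k=5))
```

The last constructed case shows why the abstract reports Top-5 rather than Top-1: an incident that only exposes widely shared techniques (T1027, T1071.001) is ranked to the wrong group first, because the low-weight shared evidence cannot separate groups with otherwise similar profiles, but the true group still lands near the top of the ranking. In a real deployment the weights would be fitted on the group-technique data actually available, and the ranking would be treated as an analyst triage aid rather than a verdict.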
Keywords
Cyber attack; attack group similarity; attack group classification; APT; MITRE ATT&CK;