CYTAG: Multi-Source Behavioral Aggregation of Natural Language Cyber Threat Intelligence

Abstract

The current state-of-the-art in extracting machine-readable attack behavior graphs from natural language cyber threat intelligence (CTI) reports relies on one prominent CTI source such as a high-profile advanced persistent threat (APT) report. This thesis hypothesizes that multiple CTI sources offer complementary fragments of attack behavior due to factors such as variation in analysis details of an attack, polymorphic nature of malicious behavior manifestations, and experience and resources available to the analyst(s) who produce a CTI report. To test this hypothesis, this work proposes a systematic attack behavior graph aggregation approach, called CYTAG, that significantly enhances the fidelity of an attack graph given multiple CTI sources about a given attack such as an APT. CYTAG achieves this while preserving attack semantics and minimizing redundancy of nodes and edges in the aggregated attack graph. Evaluation of CYTAG on CTI reports covering multiple years and comparing its attack graph aggregation results with state-of-the- art attack behavior extraction approach suggests that CYTAG significantly improves the detection and forensics arsenal of cyber threat hunters with reasonable aggregation performance overhead.