
Design And Implementation Of APT Group Attack Technique Extraction System Based On Threat Intelligence Analysis

Posted on: 2024-08-15  Degree: Master  Type: Thesis
Country: China  Candidate: Y Q Li  Full Text: PDF
GTID: 2568306941984339  Subject: Computer technology
Abstract/Summary:
APT (Advanced Persistent Threat) refers to an attack form in which attackers use advanced technical means to carry out long-term, sustained network penetration against specific targets, usually with the aim of stealing state secrets and important enterprise business information, or of damaging critical infrastructure. APT attacks are highly stealthy and targeted, last a long time, and use complex attack methods, posing a serious threat to national political and economic security. Threat intelligence consists of reports produced by research institutions and security companies after professional analysis of attacks that have occurred. Making full use of the key information in threat intelligence can play a positive role in detecting and preventing advanced persistent threats. The ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework proposed by the MITRE Corporation summarizes the discovered attack tactics and techniques of various APT groups in the form of a matrix. The matrix has been widely used in in-depth analysis and research on APT groups, with good results. However, because attack and defense technologies evolve in alternation, attack methods are continually updated and the number of APT groups keeps growing, the matrix cannot be updated quickly enough to meet the current needs of APT attack analysis. How to analyze threat intelligence effectively and automatically, extract attack tactics and techniques from it, and keep the matrix up to date has become a research hot spot in the industry.

Therefore, this paper presents a system for extracting the attack techniques of APT groups based on threat intelligence analysis. The system automatically acquires threat intelligence, classifies it by APT group, and uses a text-matching mechanism to extract attack techniques from threat intelligence statements. Where the extracted technique matrix of an APT group lacks a specific attack technique, manual assistance is introduced for verification, and techniques confirmed by manual verification are then integrated into the matrix. The main work of this paper includes:

(1) To address the high complexity of how attack techniques are expressed and the lack of writing standards in threat intelligence, an improved universal sentence vector encoding method is introduced. To obtain an encoding better suited to this paper's application scenario, the method uses MITRE procedure examples as training samples. These sentences, labeled with technique IDs, are fed into a general sentence encoding model to obtain original sentence vectors. A self-masking mechanism then explores the features of the original sentence vectors in depth. Using a clustering loss function, the encoder pulls sentences of the same technique category toward their category center while widening the distance between different categories, generates new sentence vectors, and merges them for output. This method enriches the semantic dimensions of the sentence vectors and gives a better representation of sentences that describe attack techniques.

(2) To handle the diverse forms that technique-related statements take in threat intelligence, a dual-strategy evidence fusion mechanism for attack technique extraction is proposed. The mechanism analyzes the correlation between threat intelligence statements and the attack technique description statements from the MITRE official website, examining both keyword-based similarity and semantic similarity based on sentence vectors, and fuses the evidence from both strategies to exploit their respective advantages. Since some intelligence statements contain multiple attack techniques, outputting only one label per statement would cause many omissions; the mechanism therefore allows one or more labels per statement, with human judgment added to ensure comprehensive extraction.

(3) An APT group attack technique extraction system based on threat intelligence analysis is designed and implemented. The paper gives a detailed design and implementation of the system's functional modules, including data collection, classification, storage and preprocessing, attack technique extraction, and matrix supplementation. Finally, system testing demonstrated that the system can autonomously crawl and process threat intelligence, classify and store it by APT group, extract attack techniques from intelligence statements, and supplement APT group technique matrices. The system gathered 7780 threat intelligence items covering 248 APT groups, showing its effectiveness in supplementing real APT group technique matrices.
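The dual-strategy extraction in item (2) and the matrix supplementation in item (3) can be illustrated end to end. The following is an added example, not code from the thesis: it matches a threat intelligence sentence against technique descriptions with two channels (exact keyword overlap, and a stemmed bag-of-words cosine standing in for the thesis's sentence-vector similarity), fuses the two scores by a weighted sum, emits every technique above a threshold as a label (so one sentence can carry several), flags sentences with no confident label for manual review, and adds confirmed labels to a group's technique matrix. The technique descriptions are constructed one-line paraphrases keyed by real ATT&CK IDs (not MITRE's text), and the fusion weights, threshold, stop-word list and stemmer are arbitrary assumptions.

```python
"""Dual-strategy technique extraction with multi-label output and review fallback.

Added example, not the thesis's implementation. The 'semantic' channel is a
stemmed-token cosine used as a stand-in for a sentence encoder (assumption).
"""
import math
import re
from collections import Counter

# Constructed paraphrases of technique descriptions, keyed by ATT&CK technique ID.
TECHNIQUES = {
    "T1566": "Adversaries send spearphishing emails with malicious attachments or links to gain initial access.",
    "T1059": "Adversaries abuse command and script interpreters such as PowerShell or cmd to execute commands.",
    "T1003": "Adversaries dump credentials from the operating system, for example from LSASS memory.",
    "T1071": "Adversaries communicate with command and control servers over application layer protocols such as HTTP.",
    "T1053": "Adversaries schedule tasks or cron jobs to execute code persistently.",
}

# Assumed stop-word list; 'adversaries' and 'malicious' are dropped because they
# appear in nearly every description and would match everything equally.
STOPWORDS = {"the", "a", "an", "and", "or", "to", "of", "with", "on", "in", "for",
             "as", "such", "then", "by", "from", "is", "are", "was", "were", "be",
             "that", "this", "it", "its", "their", "adversaries", "malicious", "may"}


def tokens(text):
    """Lower-cased alphanumeric content words."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def stem(word):
    """Crude suffix stripping so 'attachments'/'attachment' and 'dumped'/'dump' agree."""
    if word.endswith("ies"):
        return word[:-3] + "y"
    if word.endswith("ing") and len(word) > 5:
        return word[:-3]
    if word.endswith("ed") and len(word) > 4:
        return word[:-2]
    if word.endswith("es") and len(word) > 4:
        return word[:-2]
    if word.endswith("s") and not word.endswith("ss"):
        return word[:-1]
    return word


def keyword_similarity(a, b):
    """Strategy 1: Jaccard overlap of exact content words."""
    sa, sb = set(tokens(a)), set(tokens(b))
    return len(sa & sb) / len(sa | sb) if sa and sb else 0.0


def semantic_similarity(a, b):
    """Strategy 2 stand-in: cosine between stemmed bag-of-words count vectors."""
    ca, cb = Counter(map(stem, tokens(a))), Counter(map(stem, tokens(b)))
    dot = sum(v * cb.get(k, 0) for k, v in ca.items())
    na = math.sqrt(sum(v * v for v in ca.values()))
    nb = math.sqrt(sum(v * v for v in cb.values()))
    return dot / (na * nb) if na and nb else 0.0


def fused_scores(sentence, w_keyword=0.5, w_semantic=0.5):
    """Evidence fusion: weighted sum of both channels per technique (weights assumed)."""
    return {tid: w_keyword * keyword_similarity(sentence, desc)
                 + w_semantic * semantic_similarity(sentence, desc)
            for tid, desc in TECHNIQUES.items()}


def extract(sentence, threshold=0.15):
    """Return every technique scoring >= threshold (multi-label), highest first.

    If nothing clears the threshold the sentence is routed to manual review,
    with the best-scoring candidate (if any evidence at all) offered to the analyst.
    """
    ranked = sorted(fused_scores(sentence).items(), key=lambda kv: kv[1], reverse=True)
    labels = [tid for tid, score in ranked if score >= threshold]
    return {
        "labels": labels,
        "best_candidate": ranked[0][0] if ranked[0][1] > 0 else None,
        "needs_review": not labels,
    }


def supplement_matrix(matrix, group, labels):
    """Add confirmed technique IDs to a group's matrix row; return the IDs that were new."""
    known = matrix.setdefault(group, set())
    new = sorted(set(labels) - known)
    known.update(new)
    return new


if __name__ == "__main__":
    # Constructed intelligence sentences, not taken from any real report.
    for s in ["The actors delivered spearphishing emails with a malicious attachment "
              "and then ran PowerShell to execute commands on the host.",
              "The report was published in 2021 and translated into three languages."]:
        print(extract(s))
```

The keyword channel alone misses T1566 for the first sentence above (it sees "attachment" but the description says "attachments"), while the stemmed channel alone would also credit T1071 for the shared word "command"; the fused score keeps both real techniques and drops the spurious one, which is the point of combining the two strategies. Sentences that describe no technique score zero everywhere and are sent to review rather than being forced onto one label.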
Keywords/Search Tags:Threat Intelligence Analysis, Extraction of Attack Techniques and Tactics, Text Matching