Core Concepts
Automated extraction of threat intelligence using TTPXHunter significantly enhances cybersecurity threat intelligence by offering quick, actionable insights into attacker behaviors.
I. Abstract
Understanding adversaries' modus operandi aids in employing efficient defensive strategies.
TTPXHunter automates the extraction of threat intelligence in terms of Tactics, Techniques, and Procedures (TTPs) from cyber threat reports.
The methodology leverages cyber domain-specific natural language processing to enhance threat analysis significantly.
II. Introduction
Advanced Persistent Threats (APTs) pose a significant challenge to global security.
Countering APTs requires detailed extraction and analysis of threat intelligence related to APTs.
TTPXHunter extends TTPHunter's capabilities to recognize an array of 193 TTPs.
III. Background
The MITRE ATT&CK framework provides a standardized lexicon for classifying attackers' tactics, techniques, and procedures.
The BERT language model plays a vital role in extracting threat intelligence from cybersecurity texts.
TTPHunter leverages BERT to extract TTPs from threat reports.
IV. Proposed Methodology: TTPXHunter
TTPXHunter refines and expands TTPHunter to recognize 193 TTPs using domain-specific language models.
A contextual data augmentation method is employed to address the limited-dataset problem.
Preprocessing and fine-tuning steps are crucial for optimizing the model's performance.
V. Experiments and Results
TTPXHunter is evaluated on an augmented sentence-based dataset and a report-based dataset.
TTPXHunter outperforms state-of-the-art methods in terms of precision, recall, F1-score, and hamming loss.
Comparison with TRAM, TTPHunter, and other methods showcases the efficiency of TTPXHunter.
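The summary names precision, recall, F1-score and hamming loss as the evaluation metrics without showing how they are computed for a multi-label sentence-to-TTP task. The following added example (not code from the TTPXHunter paper or its authors) computes them over a constructed set of sentences with gold and predicted TTP labels, and also aggregates sentence-level predictions into a report-level TTP set, which is what a CTI analyst ultimately consumes. The sentences, predictions and the use of ATT&CK-style technique IDs as labels are all assumptions made for the illustration.

```python
# Added example: multi-label TTP extraction metrics (precision, recall, F1,
# hamming loss) and sentence-to-report aggregation. Not the paper's code.
from typing import Dict, List, Set, Tuple

# Constructed evaluation data: (sentence, gold TTP set, predicted TTP set).
# ATT&CK-style technique IDs are used only as label tags here.
SAMPLES: List[Tuple[str, Set[str], Set[str]]] = [
    ("The actor delivered a malicious document via spearphishing email.",
     {"T1566"}, {"T1566"}),                      # correct
    ("A PowerShell script was used to download the second stage.",
     {"T1059", "T1105"}, {"T1059"}),             # one label missed
    ("Credentials were dumped from LSASS memory.",
     {"T1003"}, {"T1003", "T1059"}),             # one spurious label
    ("The malware established persistence through a scheduled task.",
     {"T1053"}, set()),                          # nothing extracted
]

# Label space used for hamming loss: every technique seen in gold or predictions.
# In the real setting this is the full set of techniques the model can emit
# (193 for TTPXHunter according to the summary), so the denominator is larger.
LABEL_SPACE = sorted({t for _, gold, pred in SAMPLES for t in gold | pred})


def _prf(tp: int, fp: int, fn: int) -> Dict[str, float]:
    """Precision, recall and F1 from true/false positive and false negative counts."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


def micro_prf(samples: List[Tuple[str, Set[str], Set[str]]]) -> Dict[str, float]:
    """Micro-averaged metrics: pool every (sentence, TTP) decision across samples."""
    tp = fp = fn = 0
    for _, gold, pred in samples:
        tp += len(gold & pred)
        fp += len(pred - gold)
        fn += len(gold - pred)
    return _prf(tp, fp, fn)


def hamming_loss(samples: List[Tuple[str, Set[str], Set[str]]],
                 label_space: List[str]) -> float:
    """Fraction of (sentence, label) decisions that are wrong.
    A label present in exactly one of gold/pred (symmetric difference) is one error."""
    errors = sum(len(gold ^ pred) for _, gold, pred in samples)
    return errors / (len(samples) * len(label_space))


def report_ttps(samples: List[Tuple[str, Set[str], Set[str]]]) -> Set[str]:
    """Report-level TTP set: the union of sentence-level predictions."""
    return set().union(*(pred for _, _, pred in samples))


def report_level_prf(samples: List[Tuple[str, Set[str], Set[str]]]) -> Dict[str, float]:
    """Metrics on the report as a whole: compare the union of gold TTPs with
    the union of predicted TTPs, ignoring which sentence each came from."""
    gold_all = set().union(*(gold for _, gold, _ in samples))
    pred_all = report_ttps(samples)
    return _prf(len(gold_all & pred_all), len(pred_all - gold_all), len(gold_all - pred_all))


if __name__ == "__main__":
    print("sentence-level (micro):", micro_prf(SAMPLES))
    print("hamming loss:", hamming_loss(SAMPLES, LABEL_SPACE))
    print("report TTPs:", sorted(report_ttps(SAMPLES)))
    print("report-level:", report_level_prf(SAMPLES))
```

Two points worth noticing when reading such numbers: hamming loss is normalised by the size of the label space, so with 193 techniques a model that emits very little still scores a low loss while its recall is poor, which is why the summary reports F1 alongside it; and report-level metrics can look better than sentence-level ones because a technique missed in one sentence is often caught in another, which matters when comparing a sentence-level F1 against a report-level F1.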
VI. Limitations & Future Directions
Continuous updates to the MITRE ATT&CK framework may require retraining the model.
Extending TTPXHunter's capability to handle one-to-many mappings can enhance performance.
VII. Conclusion
TTPXHunter significantly enhances threat intelligence extraction, aiding various cybersecurity teams.
The methodology offers a comprehensive toolset for identifying, understanding, and countering cyber threats.
Stats
In this study, TTPXHunter achieved an F1-score of 92.42%, and an F1-score of 97.09% on the report dataset.
TTPXHunter produced an augmented sentence-to-TTP dataset containing 39,296 samples and a report-to-TTP dataset of 149 real-world cyber threat intelligence reports.
Quotes
"TTPXHunter significantly improves cybersecurity threat intelligence by offering quick, actionable insights into attacker behaviors."
"The methodology leverages cyber domain-specific natural language processing to enhance threat analysis significantly."