
ChronoCTI: Mining Knowledge Graph of Temporal Relations among Cyberattack Actions

Source: Figshare. Updated 2024-11-18; indexed 2026-04-08.
Download link:
https://figshare.com/articles/dataset/ChronoCTI_Mining_Knowledge_Graph_of_Temporal_Relations_among_Cyberattack_Actions/26039518/1
Description:
Cyberthreat intelligence (CTI) reports on past cyberattacks describe the sequence of actions of attackers in terms of time. The sequence contains temporal relations among attack actions, such as "a malware is first downloaded and then executed". Information related to temporal relations enables cybersecurity practitioners to investigate past cyberattack incidents and analyze attackers' behavior. However, cybersecurity practitioners must extract such information automatically, in a structured manner, through a common vocabulary to reduce human effort and enable sharing and collaboration. The goal of this paper is to aid security practitioners in proactive defense against attacks by automatic information extraction of temporal relations among attack actions from cyberthreat intelligence reports. We propose ChronoCTI, an automated pipeline for extracting temporal relations among attack actions from CTI reports. The attack actions are represented as MITRE ATT&CK techniques, and the relations are represented as a knowledge graph. To construct ChronoCTI, we build a ground truth dataset of temporal relations and apply large language models, natural language processing, and machine learning techniques. ChronoCTI demonstrates higher precision but lower recall performance on a real-world dataset of 94 CTI reports. ChronoCTI achieves macro precision, recall, and F1 scores of 0.75, 0.46, and 0.54, respectively. ChronoCTI aids practitioners in analyzing large volumes of CTI reports, thinking like attackers, and knowing what malicious actions are likely to happen next, which enables the practitioners to assess imminent threats and strengthen their cybersecurity readiness.
Provided by:
Rahman, Md Rayhanur
Created:
2024-11-18