
ChronoCTI: Mining Knowledge Graph of Temporal Relations among Cyberattack Actions, in the proceedings of the International Conference on Data Mining 2024

Source: DataCite Commons. Updated: 2025-06-01. Indexed: 2025-01-06.
Download link:
https://figshare.com/articles/dataset/ChronoCTI_Mining_Knowledge_Graph_of_Temporal_Relations_among_Cyberattack_Actions/26039518/2
Resource description:
Cyberthreat intelligence (CTI) reports on past cyberattacks describe the sequence of actions of attackers in terms of time. The sequence contains temporal relations among attack actions, such as *a malware is first downloaded and then executed*. Information related to temporal relations enables cybersecurity practitioners to investigate past cyberattack incidents and analyze attackers' behavior. However, cybersecurity practitioners must extract such information automatically, in a structured manner, through a common vocabulary to reduce human effort and enable sharing and collaboration. *The goal of this paper is to aid security practitioners in proactive defense against attacks by automatic information extraction of temporal relations among attack actions from cyberthreat intelligence reports.* We propose **ChronoCTI**, an automated pipeline for extracting temporal relations among attack actions from CTI reports. The attack actions are represented as MITRE ATT&CK techniques, and the relations are represented as a knowledge graph. To construct **ChronoCTI**, we build a ground truth dataset of temporal relations and apply large language models, natural language processing, and machine learning techniques. **ChronoCTI** demonstrates higher precision but lower recall performance on a real-world dataset of 94 CTI reports. **ChronoCTI** achieves macro precision, recall, and F1 scores of 0.75, 0.46, and 0.54, respectively. ChronoCTI aids practitioners in analyzing large volumes of CTI reports, thinking like attackers, and knowing what malicious actions are likely to happen next, which enables the practitioners to assess imminent threats and strengthen their cybersecurity readiness.

Provider:
figshare
Created:
2024-11-18
Dataset description
Background and challenges
Background overview
This dataset, named ChronoCTI, focuses on automatically extracting temporal relations among attack actions from cyberthreat intelligence (CTI) reports and building a knowledge graph to support cybersecurity analysis. It represents attack actions as MITRE ATT&CK techniques, applies large language models and machine learning methods, and is validated on 94 real-world CTI reports, showing high precision but low recall.
The above content was collected and summarised by 遇见数据集.