ChronoCTI: Mining Knowledge Graph of Temporal Relations among Cyberattack Actions, in the proceedings of the International Conference on Data Mining 2024
Source: DataCite Commons (updated 2024-11-18, indexed 2025-01-06)
Download link:
https://figshare.com/articles/dataset/ChronoCTI_Mining_Knowledge_Graph_of_Temporal_Relations_among_Cyberattack_Actions/26039518
Description:
Cyberthreat intelligence (CTI) reports on past cyberattacks describe the sequence of actions of attackers in terms of time. The sequence contains temporal relations among attack actions, such as *a malware is first downloaded and then executed*. Information related to temporal relations enables cybersecurity practitioners to investigate past cyberattack incidents and analyze attackers' behavior. However, cybersecurity practitioners must extract such information automatically, in a structured manner, through a common vocabulary to reduce human effort and enable sharing and collaboration. *The goal of this paper is to aid security practitioners in proactive defense against attacks by automatic information extraction of temporal relations among attack actions from cyberthreat intelligence reports*. We propose **ChronoCTI**, an automated pipeline for extracting temporal relations among attack actions from CTI reports. The attack actions are represented as MITRE ATT&CK techniques, and the relations are represented as a knowledge graph. To construct **ChronoCTI**, we build a ground truth dataset of temporal relations and apply large language models, natural language processing, and machine learning techniques. **ChronoCTI** demonstrates higher precision but lower recall performance on a real-world dataset of 94 CTI reports. **ChronoCTI** achieves macro precision, recall, and F1 scores of 0.75, 0.46, and 0.54, respectively. ChronoCTI aids practitioners in analyzing large volumes of CTI reports, thinking like attackers, and knowing what malicious actions are likely to happen next, which enables the practitioners to assess imminent threats and strengthen their cybersecurity readiness.
Provider:
figshare
Created:
2024-11-18