利用惡意攻擊樣板比對評量資安威脅情資報告品質

Abstract

惡意程式的資安威脅情報（CTI）記錄入侵指標（IoCs）和惡意活動，對於偵測和應對網路威脅的環節扮演了至關重要的角色。然而，目前現有研究很少涉及文本報告的評估，我們需要解決評估層面、自動化和基本事實等方面的議題。在這篇論文中，我們引入了基於系統物件和行為層次的 CTI 文件質量評估概念，並使用評估指標和視覺的攻擊圖譜來進行評估。我們的評估系統是客觀、自動化和有效率的，並通過案例研究來展示其流程、功能和效能。此外，我們還提供了一個嶄新的、整理有序的資安威脅情報文件數據集，以及一個 Syscall SynonymBase，用於彌合 Linux 系統呼叫和自然語言之間的語意隔閡。

Malware Cyber Threat Intelligence (CTI) reports – which record the Indicators of Compromise (IoCs) and malicious activities – playing a crucial role in detecting and responding to cyber threats. Text report evaluation is an area that is not often covered by existing research and we need to overcome evaluation aspect issue, automation issue and ground truth issue. In this paper, we introduce concepts of measuring the quality of individual CTI document based on system object and behavior levels with quality metrics and visual representations. Our evaluation system is objective, automated, and distinguished, and we demonstrate its pipeline, functionality, and effectiveness through case studies. We also contribute a new, well-sorted malware CTI documents dataset and a Syscall SynonymBase that bridge the semantic gap between Linux system call and natural language.