MITRE ATT＆CK Framework 資安攻擊手法自動化特徵擷取與AI辨識模型建立

Abstract

在網路世界，資訊安全攻擊事件層出不窮，攻擊者組合必要的攻擊手法（Attack Techniques），執行攻擊活動（如：日常的DDoS攻擊到長期的持續性滲透威脅（Advanced Persistent Threat, APT）），達到其目的。一個攻擊手法可能被使用在多種的攻擊事件中，相關的報告文件可能很多。對資安專家如要瞭解或是辨識某一攻擊手法的特徵，則必須一一閱讀參考文件，耗時費力。從2019年10月推出的ATT&CK第三版（ATT&CK v3）到2022年4月推出的 ATT&CK第十一版（ATT&CK v11），攻擊手法的數量從223個增加到576個，可見ATT&CK彙整的攻擊手法數量上升快速，以人工方式逐一了解攻擊手法的特徵較不切實際。 本文聚焦在MITRE ATT&CK Framework v11，提出一套自動化攻擊手法特徵描述擷取方法，在非結構化文本中，擷取Linux平台中281個攻擊手法的特徵描述集。再透過特徵描述集訓練MITRE ATT&CK Framework攻擊手法辨識模型，為解決資料集小以及資料不平衡問題，本文提出a cascade of classifiers模型架構，以攻擊手法資料量分成18個組，每一組訓練一個classifier。 本文對特徵描述集的分析以及深度學習模型實驗結果顯示，MITRE ATT&CK提供的敘述具語義模糊性（Language Ambiguity），是使用或處理MITRE ATT&CK文本需要關切的議題。另外，深度學習模型的實驗證明，(1)本文擷取的特徵描述集使深度學習模型學習到攻擊手法的特徵，特徵描述對解釋攻擊手法是有效的；(2) a cascade of classifiers可以在本文擷取的特徵描述集學習到攻擊手法的特徵，獲得良好的辨識表現。

In the digital realm, attack incidents in cyber security are incessant. Attackers combine essential attack techniques and execute attack campaign, ranging from routine DDoS attacks to Advanced Persistent Threats (APT), in order to fulfill their objectives. A single attack technique might be employed across multiple incidents. For cybersecurity experts looking to understand or identify the characteristics of a particular attack technique, it becomes a laborious task, necessitating them to sift through reference documents one by one. From the introduction of ATT&CK v3 in October 2019 to ATT&CK v11 released in April 2022, the number of attack techniques surged from 223 to 576. This rapid growth in the compilation of techniques by ATT&CK makes it impractical to manually delve into the characteristic descriptions of each.

This study focuses on the MITRE ATT&CK Framework v11 and proposes an automated method for extracting characteristics description sets of attack techniques. Within unstructured texts, it captures characteristic descriptions for 281 attack techniques specific to the Linux platform. Using these sets, a model to identify MITRE ATT&CK Framework attack techniques is trained. To address challenges with small datasets and data imbalance, this study introduces a 'cascade of classifiers' architecture.

Our analysis of the characteristic description set and experimental results with the deep learning model reveals that the narratives provided by MITRE ATT&CK carry language ambiguity, a critical concern when handling or utilizing MITRE ATT&CK texts. Additionally, the deep learning experiments demonstrate that: (1) the characteristic descriptions extracted in this study enable the deep learning model to discern the characteristics of attack techniques, proving the descriptions' effectiveness; (2) the cascade of classifiers, within the framework of the extracted descriptions, successfully grasps the characteristics of attack techniques, yielding commendable identification performance.