Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/90489
Full metadata record
Field: value (language)
dc.contributor.advisor: 孫雅麗 (zh_TW)
dc.contributor.advisor: Yea-Li Sun (en)
dc.contributor.author: 楊柏睿 (zh_TW)
dc.contributor.author: Bo-Ruei Yang (en)
dc.date.accessioned: 2023-10-03T16:18:59Z
dc.date.available: 2023-11-09
dc.date.copyright: 2023-10-03
dc.date.issued: 2023
dc.date.submitted: 2023-08-10
dc.identifier.citation (reference list):
[1] MITRE, 25 Apr 2022. [Online]. Available: https://attack.mitre.org/versions/v11/.
[2] Red Canary, "2023 Threat Detection Report," 2023. [Online]. Available: https://redcanary.com/threat-detection-report/techniques/. [Accessed 15 Jul 2023].
[3] Y. You, J. Jiang, Z. Jiang, P. Yang, B. Liu, H. Feng, X. Wang and N. Li, "TIM: threat context-enhanced TTP intelligence mining on unstructured threat data," Cybersecurity, 1 Feb 2022.
[4] K. Satvat, R. Gjomemo and V. Venkatakrishnan, "EXTRACTOR: Extracting Attack Behavior from Threat Reports," 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 598-615, 2021.
[5] Z. Li, J. Zeng, Y. Chen and Z. Liang, "AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports," Computer Security – ESORICS 2022, pp. 589-609, 25 Sep 2022.
[6] MITRE Engenuity Center for Threat-Informed Defense, "Threat Report ATT&CK Mapper (TRAM)," 30 Sep 2021. [Online]. Available: https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/threat-report-attck-mapper-tram/.
[7] J. Baker and R. Struse, "TRAM: Advancing Research into Automated TTP Identification in Threat Reports," 30 Sep 2021. [Online]. Available: https://medium.com/mitre-engenuity/tram-advancing-research-into-automated-ttp-identification-in-threat-reports-2d868fecc791.
[8] V. Legoy, M. Caselli, C. Seifert and A. Peter, "Automated Retrieval of ATT&CK Tactics and Techniques for Cyber Threat Reports," 29 Apr 2020. [Online]. Available: https://doi.org/10.48550/arXiv.2004.14322.
[9] O. Grigorescu, A. Nica, M. Dascalu and R. Rughinis, "CVE2ATT&CK: BERT-Based Mapping of CVEs to MITRE ATT&CK Techniques," 31 Aug 2022. [Online]. Available: https://doi.org/10.3390/a15090314.
[10] B. E. Strom, A. Applebaum, D. P. Miller, K. C. Nickels, A. G. Pennington and C. B. Thomas, "MITRE ATT&CK: Design and Philosophy," Mar 2020. [Online]. Available: https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf.
[11] A. Pennington, "Bringing PRE into Enterprise," 27 Oct 2020. [Online]. Available: https://medium.com/mitre-attack/the-retirement-of-pre-attack-4b73ffecd3d3.
[12] J. Devlin, M.-W. Chang, K. Lee and K. Toutanova, "BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding," 11 Oct 2018. [Online]. Available: https://doi.org/10.48550/arXiv.1810.04805.
[13] N. Reimers and I. Gurevych, "Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks," 27 Aug 2019. [Online]. Available: https://doi.org/10.48550/arXiv.1908.10084.
[14] NLTK, "NLTK." [Online]. Available: https://www.nltk.org.
[15] FireEye, "APT37 (Reaper): The Overlooked North Korean Actor," 2018. [Online]. Available: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf.
[16] K. Zykov, "Hello! My name is Dtrack," 23 Sep 2019. [Online]. Available: https://securelist.com/my-name-is-dtrack/93338/.
[17] M. Grootendorst, "BERTopic: Neural topic modeling with a class-based TF-IDF procedure," 11 Mar 2022. [Online]. Available: https://doi.org/10.48550/arXiv.2203.05794.
[18] M. Grootendorst, "BERTopic," 2023. [Online]. Available: https://maartengr.github.io/BERTopic/index.html.
[19] lloydlabs, "[Part 1] - Analysing the new Linux/AES.DDoS IoT malware," 19 Nov 2017. [Online]. Available: https://blog.syscall.party/2017/11/19/aes-ddos-analysis-part-1.html.
[20] K. I. Titiwa, "Backdoor.Linux.DOFLOO.AB - Threat Encyclopedia," Trend Micro, 5 Jun 2022. [Online]. Available: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Backdoor.Linux.DOFLOO.AB/.
[21] P. Paganini, "AESDDoS bot exploits CVE-2019-3396 flaw to hit Atlassian Confluence Server," 18 Apr 2019. [Online]. Available: https://securityaffairs.co/84591/malware/aesddos-bot-atlassian-confluence.html.
[22] S. Gatlan, "Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware," 14 Jun 2019. [Online]. Available: https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/90489
dc.description.abstract (zh_TW, translated): In cyberspace, information-security attack incidents occur without end. Attackers combine the attack techniques they need and carry out attack campaigns, from everyday DDoS attacks to long-running Advanced Persistent Threats (APT), to reach their goals. A single attack technique may be used in many different incidents, and the reports that describe it may be numerous. A security analyst who wants to understand or recognize the characteristics of one technique therefore has to read the reference documents one by one, which is slow and laborious. From ATT&CK v3, released in October 2018, to ATT&CK v11, released in April 2022, the number of techniques grew from 223 to 576. With the ATT&CK catalogue growing this fast, working through each technique's characteristics by hand is not practical.

This thesis focuses on MITRE ATT&CK Framework v11 and proposes an automated method for extracting characteristic descriptions of attack techniques: from unstructured text it extracts a characteristic description set for the 281 techniques that apply to the Linux platform. The description set is then used to train a model that recognizes MITRE ATT&CK techniques. To cope with the small dataset and the class imbalance, the thesis proposes a cascade-of-classifiers architecture: the techniques are divided into 18 groups by the amount of data available for each technique, and one classifier is trained per group.

The analysis of the description set and the deep-learning experiments show that the narrative text MITRE ATT&CK provides carries language ambiguity, an issue anyone using or processing ATT&CK text has to attend to. The experiments further show that (1) the extracted description set lets the deep-learning model learn the characteristics of attack techniques, so the descriptions are effective at explaining techniques; and (2) the cascade of classifiers learns the technique characteristics from the extracted description set and achieves good recognition performance.
(zh_TW)
dc.description.abstract (en): In the digital realm, cyber-security attack incidents are incessant. Attackers combine the attack techniques they need and execute attack campaigns, ranging from routine DDoS attacks to Advanced Persistent Threats (APT), to fulfil their objectives. A single attack technique may be employed across many incidents, so a cyber-security expert who wants to understand or identify the characteristics of a particular technique faces the laborious task of sifting through the reference documents one by one. From the introduction of ATT&CK v3 in October 2018 to the release of ATT&CK v11 in April 2022, the number of attack techniques grew from 223 to 576. This rapid growth in the ATT&CK catalogue makes it impractical to work through the characteristic descriptions of each technique manually.

This study focuses on the MITRE ATT&CK Framework v11 and proposes an automated method for extracting characteristic description sets of attack techniques. From unstructured text, it captures characteristic descriptions for the 281 attack techniques that apply to the Linux platform. Using these sets, a model that identifies MITRE ATT&CK techniques is trained. To address the small dataset and the class imbalance, the study introduces a "cascade of classifiers" architecture: the techniques are split into 18 groups by the amount of data available for each, and one classifier is trained per group.

Our analysis of the characteristic description set and the experimental results with the deep-learning model show that the narratives provided by MITRE ATT&CK carry language ambiguity, a critical concern when handling or using MITRE ATT&CK text. The deep-learning experiments further demonstrate that (1) the characteristic descriptions extracted in this study enable the model to learn the characteristics of attack techniques, which shows the descriptions are effective; and (2) the cascade of classifiers learns the technique characteristics from the extracted descriptions and achieves good identification performance.
(en)
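The retrieval step the abstract describes, sentences of unstructured CTI text scored against technique descriptions by semantic similarity, with a threshold deciding which sentences join a technique's characteristic description set (sections 3.2.2 and 5.2 of the table of contents), as an added example that is not the thesis's own code. Sentence-BERT needs a downloaded model, so this offline version replaces the embedding with a bag-of-words vector and a crude six-character prefix stem; the one-line technique summaries and the five report sentences are constructed for the example, and only the technique IDs are real ATT&CK entries. Running `match` at a lower threshold reproduces the language-ambiguity effect the abstract notes: the word "command" pulls a C2 sentence toward T1059 (Command and Scripting Interpreter) as well as T1071 (Application Layer Protocol).

```python
"""Added example (not from the thesis): score CTI sentences against ATT&CK
technique descriptions with cosine similarity and keep those above a threshold.

The thesis uses Sentence-BERT embeddings; that model must be downloaded, so
this stand-alone version substitutes a bag-of-words vector with a 6-character
prefix stem. Scores are therefore only illustrative of the procedure.
"""
import math
import re
from collections import Counter

# Constructed one-line summaries. Assumption: the thesis queries the full
# ATT&CK technique abstracts and procedure examples instead.
TECHNIQUES = {
    "T1059": "Adversaries abuse command and script interpreters such as bash or python to run arbitrary code",
    "T1053": "Adversaries abuse task scheduling such as cron to execute malicious code at a recurring time",
    "T1105": "Adversaries transfer tools or files from an external system into the compromised environment by downloading them with built-in utilities",
    "T1071": "Adversaries communicate with command and control servers using application layer protocols such as HTTP to blend in with normal traffic",
}

# Constructed report sentences standing in for an unstructured CTI document.
REPORT = [
    "The bot transfers second-stage files by downloading them with wget from an external server into /tmp.",
    "Persistence is achieved by a cron entry that executes the binary at a recurring time.",
    "The dropper runs a bash script through the shell interpreter to disable the firewall.",
    "Command and control traffic is sent over HTTP to a hard-coded domain.",
    "The campaign was first reported in 2019 by several vendors.",
]

STOPWORDS = {"the", "a", "an", "of", "to", "in", "and", "or", "by", "is", "are",
             "such", "as", "with", "its", "from", "at", "on", "it", "that", "for",
             "so", "was", "into", "them", "over"}


def vectorize(text):
    """Bag-of-words Counter; the 6-char prefix folds 'executes' and 'execute'."""
    words = re.findall(r"[a-z0-9/]+", text.lower())
    return Counter(w[:6] for w in words if w not in STOPWORDS)


def cosine(a, b):
    """Cosine similarity between two sparse Counter vectors."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


TECH_VECTORS = {tid: vectorize(desc) for tid, desc in TECHNIQUES.items()}


def match(sentence, threshold):
    """Techniques whose description scores >= threshold, best score first."""
    vec = vectorize(sentence)
    scored = [(tid, cosine(vec, tv)) for tid, tv in TECH_VECTORS.items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


def extract(sentences, threshold):
    """Characteristic description set: technique ID -> sentences assigned to it.
    A sentence may land in several sets when descriptions share vocabulary."""
    out = {tid: [] for tid in TECHNIQUES}
    for sent in sentences:
        for tid, _ in match(sent, threshold):
            out[tid].append(sent)
    return out


if __name__ == "__main__":
    # A strict threshold yields one technique per sentence and drops the
    # non-technical sentence; a loose one admits the ambiguous "command" hit.
    for thr in (0.18, 0.10):
        print(f"threshold {thr}")
        for sent in REPORT:
            print("  ", [(t, round(s, 3)) for t, s in match(sent, thr)], "<-", sent)
```

The threshold sweep is the point of section 5.2: too high and sparsely described techniques get empty description sets, too low and shared vocabulary across ATT&CK narratives (here "command") assigns one sentence to several techniques, which is the ambiguity the thesis handles with post-processing rules.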
dc.description.provenance: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-10-03T16:18:59Z. No. of bitstreams: 0 (en)
dc.description.provenance: Made available in DSpace on 2023-10-03T16:18:59Z (GMT). No. of bitstreams: 0 (en)
dc.description.tableofcontents (translated):
Abstract (Chinese) i
Abstract ii
Table of Contents iv
Chapter 1. Introduction and Literature Review 1
1.1 Research Motivation 1
1.2 Research Objectives 2
1.3 Contributions 2
1.4 Literature Review 3
Chapter 2. Background 6
2.1 MITRE ATT&CK Framework [10] 6
2.1.1 Tactics 6
2.1.2 Techniques 9
2.1.3 Procedure Examples 11
2.2 Bidirectional Encoder Representations from Transformers (BERT) 12
Chapter 3. Method: Automated Characteristic Extraction for Cyber-Attack Techniques 14
3.1 Data Sources 14
3.1.1 Technique Abstracts 14
3.1.2 Procedure Examples in Techniques 15
3.1.3 CVE Descriptions in Techniques' Procedure Examples 15
3.1.4 Reference Documents in Techniques' Procedure Examples 16
3.2 Extraction Method: Semantic Similarity Comparison 17
3.2.1 Preprocessing 18
3.2.2 Semantic Similarity Matching with Sentence-BERT and Cosine Similarity 19
3.2.3 Analysis of the Characteristic Description Set 20
Chapter 4. Method: Building the AI Recognition Model 31
4.1 Dataset Analysis and Preprocessing 31
4.1.1 Dataset Analysis 31
4.1.2 Preprocessing 32
4.2 Cascade of Classifiers Architecture 33
4.3 Training Phase 37
4.4 Testing Phase 39
4.4.1 Language Ambiguity 39
4.4.2 Post-processing Rules 42
4.4.3 Testing-Phase Output Examples 44
Chapter 5. Performance Evaluation 47
5.1 AI Recognition Model Evaluation 47
5.2 Threshold Evaluation 53
5.3 CTI Document Labeling 54
Chapter 6. Conclusion 57
References 58
Appendix 61
dc.language.iso: zh_TW
dc.subject: 自然語言處理 (Natural Language Processing) (zh_TW)
dc.subject: MITRE ATT&CK (zh_TW)
dc.subject: 深度學習 (Deep Learning) (zh_TW)
dc.subject: 攻擊手法特徵 (Attack Technique Characteristics) (zh_TW)
dc.subject: MITRE ATT&CK (en)
dc.subject: Deep Learning (en)
dc.subject: Attack Technique Characteristic Descriptions (en)
dc.subject: Natural Language Processing (en)
dc.title: MITRE ATT&CK Framework 資安攻擊手法自動化特徵擷取與AI辨識模型建立 (zh_TW; in English: Automated Characteristic Extraction of Cyber-Attack Techniques Based on the MITRE ATT&CK Framework and Construction of an AI Recognition Model)
dc.title: Extract Signature of Cyber-Attack Techniques Based on MITRE ATT&CK Framework and Build MITRE ATT&CK Technique Classifier (en)
dc.type: Thesis
dc.date.schoolyear: 111-2 (academic year 111, second semester)
dc.description.degree: Master's (碩士)
dc.contributor.oralexamcommittee: 陳孟彰; 陳俊良; 李育杰; 黃意婷 (zh_TW)
dc.contributor.oralexamcommittee: Meng-Chang Chen; Jiann-Liang Chen; Yuh-Jye Lee; Yi-Ting Huang (en)
dc.subject.keyword: MITRE ATT&CK, Deep Learning, Natural Language Processing, Attack Technique Characteristics (zh_TW, translated)
dc.subject.keyword: MITRE ATT&CK, Deep Learning, Natural Language Processing, Attack Technique Characteristic Descriptions (en)
dc.relation.page: 83
dc.identifier.doi: 10.6342/NTU202303779
dc.rights.note: Access authorized, restricted to on-campus (同意授權(限校園內公開))
dc.date.accepted: 2023-08-11
dc.contributor.author-college: College of Management (管理學院)
dc.contributor.author-dept: Department of Information Management (資訊管理學系)
dc.date.embargo-lift: 2024-08-08
Appears in collections: Department of Information Management (資訊管理學系)

Files in this item:
File: ntu-111-2.pdf
Access: restricted to NTU campus IP addresses (off-campus users should connect through the NTU VPN service)
Size / format: 5.59 MB, Adobe PDF