Mining temporal attack patterns from cyberthreat intelligence reports


Bibliographic details

Published in: Knowledge and Information Systems, vol. 67, no. 10, pp. 8941-8981
Authors: Rahman, Md Rayhanur; Wroblewski, Brandon; Matthews, Quinn; Morgan, Brantley; Menzies, Timothy; Williams, Laurie
Format: Journal article
Language: English
Published: London: Springer London (Springer Nature B.V.), 1 October 2025
ISSN: 0219-1377, 0219-3116
Online access: full text
Description

Abstract: Cyberthreat intelligence (CTI) reports on past cyberattacks describe the sequence of attacker actions over time. Such a sequence contains temporal relations among attack actions, for example that a malware sample is first downloaded and then executed. Information about these temporal relations enables cybersecurity practitioners to investigate past cyberattack incidents and analyze attacker behavior. However, practitioners must extract this information automatically, in a structured manner and through a common vocabulary, to reduce human effort and enable sharing and collaboration. The goal of this paper is to aid security practitioners in proactive defense against attacks through automatic extraction of temporal relations among attack actions from cyberthreat intelligence reports. We propose ChronoCTI, an automated pipeline for extracting temporal relations among attack actions from CTI reports. The attack actions are represented as MITRE ATT&CK techniques, and the relations are represented as a knowledge graph. To construct ChronoCTI, we build a ground-truth dataset of temporal relations and apply large language models, natural language processing, and machine learning techniques. On a real-world dataset of 94 CTI reports, ChronoCTI achieves higher precision but lower recall. We apply ChronoCTI to a set of 713 CTI reports, in which we identify 9 categories of temporal attack patterns comprising 124 temporal attack patterns. The most prevalent pattern category is tricking victim users into executing malicious code to initiate the attack, followed by bypassing the anti-malware system on the victim's software systems. Based on the observed patterns, we advocate training users in cybersecurity best practices, introducing appropriate warning messages for end users, introducing immutable operating systems, and enforcing multi-user authentication. Moreover, we advocate that practitioners leverage the automated mining capability of ChronoCTI and design countermeasures against recurring attack patterns.
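The abstract describes the pipeline only at a high level: map attack actions in report text to ATT&CK technique IDs, order them by the temporal cues in the prose, store the ordered pairs as a weighted knowledge graph, and mine the pairs that recur across reports. The following is an added, deliberately simplified illustration of that idea, not ChronoCTI's own code. It replaces the paper's LLM/NLP/ML components with a hand-written keyword-to-technique table (`TECHNIQUE_KEYWORDS`, an assumption) and two cue rules ("before X, Y" and "X after Y" reverse the textual order); the three reports in `REPORTS` are constructed sample text, not real CTI.

```python
"""Toy temporal-relation miner over CTI-style text (illustration only, not ChronoCTI)."""
import re
from collections import Counter

# Hypothetical evidence table: phrases we treat as mentions of an ATT&CK technique.
# Real pipelines classify sentences; this lookup exists only to keep the example offline.
TECHNIQUE_KEYWORDS = {
    "T1566": ["phishing"],                                   # Phishing
    "T1204": ["opened the attachment", "enabled the macro"], # User Execution
    "T1105": ["downloaded"],                                 # Ingress Tool Transfer
    "T1562": ["disabled defender", "killed the edr", "disabled antivirus"],  # Impair Defenses
    "T1053": ["scheduled task"],                             # Scheduled Task/Job
    "T1486": ["encrypted", "ransomware"],                    # Data Encrypted for Impact
}

# Constructed sample reports (not real threat intelligence).
REPORTS = [
    "The campaign started with a phishing email. The victim opened the attachment, "
    "which downloaded a loader. Before the loader encrypted the shares, it disabled Defender.",
    "A phishing message lured the user, who enabled the macro. The macro then downloaded "
    "the payload and created a scheduled task. Later the operators disabled antivirus and "
    "deployed ransomware.",
    "Operators killed the EDR after they had downloaded their toolkit. "
    "Finally the hosts were encrypted.",
]

SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")
# Split a sentence into clauses at commas/semicolons or just before a temporal cue word.
CLAUSE_SPLIT = re.compile(r"[,;]\s*|\s+(?=(?:and then|then|after|before)\b)")


def techniques_in(clause):
    """Technique IDs mentioned in a clause, ordered by where they appear in the text."""
    hits = []
    for tid, phrases in TECHNIQUE_KEYWORDS.items():
        for phrase in phrases:
            pos = clause.find(phrase)
            if pos != -1:
                hits.append((pos, tid))
                break
    return [tid for _, tid in sorted(hits)]


def ordered_clauses(sentence):
    """Clauses of a sentence in the order the events happened, not the order written."""
    clauses = [c for c in CLAUSE_SPLIT.split(sentence.lower()) if c]
    if len(clauses) >= 2:
        # "Before X, Y" and "X after Y" both mean that Y happened first.
        if clauses[0].startswith("before ") or clauses[1].startswith("after "):
            clauses[0], clauses[1] = clauses[1], clauses[0]
    return clauses


def extract_sequence(report):
    """Chronological list of techniques for one report (consecutive duplicates merged)."""
    seq = []
    for sentence in SENTENCE_SPLIT.split(report):
        for clause in ordered_clauses(sentence):
            for tid in techniques_in(clause):
                if not seq or seq[-1] != tid:
                    seq.append(tid)
    return seq


def temporal_edges(report):
    """Directed 'A happened before B' pairs between adjacent techniques of one report."""
    seq = extract_sequence(report)
    return list(zip(seq, seq[1:]))


def mine_patterns(reports, min_support=2):
    """Weighted knowledge graph: edge -> number of reports containing it, pruned by support."""
    support = Counter()
    for report in reports:
        support.update(set(temporal_edges(report)))   # count each edge once per report
    return {edge: n for edge, n in support.items() if n >= min_support}


if __name__ == "__main__":
    for edge, n in sorted(mine_patterns(REPORTS).items(), key=lambda kv: -kv[1]):
        print(f"{edge[0]} -> {edge[1]}  (seen in {n} reports)")
```

Running it ranks the "impair defenses, then encrypt" pair highest (present in all three constructed reports), with "phishing, then user execution" and "user execution, then tool download" next; the single-report scheduled-task pairs are pruned by the support threshold. The support count is the property a practitioner would act on: a pair that recurs across many independent reports is a candidate for a detection rule or a control, which is the use the paper argues for.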
DOI: 10.1007/s10115-025-02491-6