An Ontology-driven Knowledge Graph for Android Malware

Christian, Ryan; Dutta, Sharmishtha; Park, Youngja; Rastogi, Nidhi

doi:10.1145/3460120.3485353

Cited by 8 publications

(5 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Top document node in Figure 9: the filename is rkinstaller.exe and the full sha256 hash is given in the virustotal link 8 . Right document node in Figure 9: no associated filename and the full sha256 hash is given in the virustotal link 9 . Bottom document node in Figure 9: the filename is rkinstaller364.exe and the full sha256 hash is given in the virustotal link 10 .…”

Section: Malware Hash Files: Code and Resource Re-usementioning

confidence: 99%

“…The term potential IoC is important because it specifies that the text is potentially useful and quite unstructured, but there is a pattern match in the data that does fit a particular form (for example, an IP address, or a CVE). Graphs are a natural way to express these types of higher order connections and are used in a variety of cybersecurity contexts [9,10]. These types of networks, when they are intended for providing semantic meaning between heterogeneous data types are also referred to as knowledge graphs [11][12][13].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Cybersecurity Threat Hunting and Vulnerability Analysis Using a Neo4j Graph Database of Open Source Intelligence

Pelofske¹,

Liebrock²,

Urias³

2023

Preprint

View full text Add to dashboard Cite

Open source intelligence is a powerful tool for cybersecurity analysts to gather information both for analysis of discovered vulnerabilities and for detecting novel cybersecurity threats and exploits. However the scale of information that is relevant for information security on the internet is always increasing, and is intractable for analysts to parse comprehensively. Therefore methods of condensing the available open source intelligence, and automatically developing connections between disparate sources of information, is incredibly valuable. In this research, we present a system which constructs a Neo4j graph database formed by shared connections between open source intelligence text including blogs, cybersecurity bulletins, news sites, antivirus scans, social media posts (e.g., Reddit and Twitter), and threat reports. These connections are comprised of possible indicators of compromise (e.g., IP addresses, domains, hashes, email addresses, phone numbers), information on known exploits and techniques (e.g., CVEs and MITRE ATT&CK Technique ID's), and potential sources of information on cybersecurity exploits such as twitter usernames. The construction of the database of potential IoCs is detailed, including the addition of machine learning and metadata which can be used for filtering of the data for a specific domain (for example a specific natural language) when needed. Examples of utilizing the graph database for querying connections between known malicious IoCs and open source intelligence documents, including threat reports, are shown. We show that this type of relationship querying can allow for more effective use of open source intelligence for threat hunting, malware family clustering, and vulnerability analysis.

show abstract

Section: Malware Hash Files: Code and Resource Re-usementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Cybersecurity Threat Hunting and Vulnerability Analysis Using a Neo4j Graph Database of Open Source Intelligence

Pelofske¹,

Liebrock²,

Urias³

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…A pre-trained transformer-based relation classification model takes sentences from CTI reports in this format as input data and predicts the relation between e 1 and e 2 through a linear layer. Our relation extraction approach only considers pairs of entities that may have a valid relationship based on the adopted ontology [11], [33]. For instance, we may establish a relationship between a pair of entities of type Malware and Application (e.g., ⟨M alware, targets, Application⟩) but not consider a relationship between entities of type Application and Time.…”

Section: Adding Relationship To Conceptsmentioning

confidence: 99%

“…The class definitions for entities-Malware, Attack Pattern, Location, OS, Application, are mapped to existing threat intelligence ontology classes [11], [33] but modified for CTI and also follow the STIX2.1 framework. Relationships between them are defined by the same ontologies.…”

Section: Introductionmentioning

confidence: 99%

Cyber Threat Intelligence for SOC Analysts

Rastogi,

Alam

2023

Proceedings 2023 Workshop on Security Operation Center Operations and Construction

View full text Add to dashboard Cite

knowledge-driven threat intelligence models that incorporate domain knowledge and relevant contextual information. This work will also result in faster attack detection and mitigation and better allocation of defensive resources. Toward these goals, this project is exploring the following two research directions:1) Enable the inclusion of domain security knowledge catering to different context vs. data relevance needs. A key challenge is to combine external abstract threat knowledge with internal, domain-specific knowledge. 2) Enable robust adaptation of time and trust varying, dynamically changing cyber threat knowledge in domainspecific information sources. A key challenge is to extract meaningful information with confidence. 3) Overcome the lack of evaluation mechanisms for context. A key challenge is combining ML's precision and accuracy to the ranked inferences of knowledge graphs applicable to given organizational policies and trustworthiness. This paper discusses ongoing research capturing the first goal and leaves the other two for future work.

show abstract

“…For our case, the CyNER model, which is an open-source Python module developed for cybersecurity named entity recognition, is a perfoct depiction of a NER model as it combines the transformer-based models for extracting entities in cybersecurity, NER models for generic entity types, and heuristics for identifying various indicators of compromise. The categorization of events as classes and extraction of malware attack information from a threat intelligence corpus has been reported in previous research, such as MALOnt2.0[22] and MALOnt. These approaches allows the combination of predictions from different approaches to meet specific needs.…”

mentioning

confidence: 96%

An Improved Knowledge Graph Representation for Ransomware Attacks Using LSTM-Based Named Entity Relation Technique and Twitter Data

Munshid

2024

jes

View full text Add to dashboard Cite

This research aims to examine the challenges associated with ransomware knowledge and develop a knowledge graph of ransomware attacks utilizing Twitter data. Ransomware is a constantly evolving global threat. The three main steps involved in the development of a knowledge graph from informal text are data collection and preprocessing, features extraction, and relation extraction. A ransomware ontology previously proposed has been used in this work for the extraction of the ransomware entities from unstructured data; this is aimed at making it fit the attacks reported on Twitter. The next process is the identification of the existing relationships in the dataset for the knowledge graph construction; the output of the process, which is the developed knowledge graph is evaluated for accuracy using a tracing technique to demonstrate its efficacy.

show abstract

An Ontology-driven Knowledge Graph for Android Malware

Cited by 8 publications

References 2 publications

Cybersecurity Threat Hunting and Vulnerability Analysis Using a Neo4j Graph Database of Open Source Intelligence

Cybersecurity Threat Hunting and Vulnerability Analysis Using a Neo4j Graph Database of Open Source Intelligence

Cyber Threat Intelligence for SOC Analysts

An Improved Knowledge Graph Representation for Ransomware Attacks Using LSTM-Based Named Entity Relation Technique and Twitter Data

Contact Info

Product

Resources

About