Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence

Gao, Peng; Shao, Faming; Liu, Xiaoyuan; Xiao, Xusheng; Qin, Zheng; Xu, Fengyuan; Mittal, Prateek; Kulkarni, Sanjeev R.; Song, Dezhen

doi:10.1109/icde51399.2021.00024

Cited by 61 publications

(28 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The novel energy infrastructure offered by active buildings must provide means to enact effective threat hunting [91], digital forensics and CTI collection, where managers, analysts, cybersecurity officers and network administrators engage with anomalous behaviours to thwart cyber-attacks. The integration with smart features in sensing or tracking embedded into physical counterparts in the infrastructure will require advanced analysis mechanisms to cope with unusual surges in demand or abnormal happenstances.…”

Section: Discussionmentioning

confidence: 99%

Incorporating Cyber Threat Intelligence into Complex Cyber-Physical Systems: A STIX Model for Active Buildings

2022

View full text Add to dashboard Cite

Active buildings can be briefly described as smart buildings with distributed and renewable energy resources able to energise other premises in their neighbourhood. As their energy capacity is significant, they can provide ancillary services to the traditional power grid. As such, they can be a worthy target of cyber-attacks potentially more devastating than if targeting traditional smart buildings. Furthermore, to handshake energy transfers, they need additional communications that add up to their attack surface. In such a context, security analysis would benefit from collection of cyber threat intelligence (CTI). To facilitate the analysis, we provide a base active building model in STIX in the tool cyberaCTIve that handles complex models. Active buildings are expected to implement standard network security measures, such as intrusion-detection systems. However, to timely respond to incidents, real-time detection should promptly update CTI, as it would significantly speed up the understanding of the nature of incidents and, as such, allow for a more effective response. To fill this gap, we propose an extension to the tool cyberaCTIve with a web service able to accept (incursion) feeds in real-time and apply the necessary modifications to a STIX model of interest.

show abstract

Section: Discussionmentioning

confidence: 99%

Incorporating Cyber Threat Intelligence into Complex Cyber-Physical Systems: A STIX Model for Active Buildings

2022

View full text Add to dashboard Cite

show abstract

“…THREATRAP-TOR's functionalities include an unsupervised NLP pipeline for unstructured data, a domain specific query language, an automated TBQL query synthesis method, and a query engine for big data [170]. The researchers explain that THREATRAPTOR has been tested using a broad set of data from attack cases and has proved to be accurate and effective [171].…”

Section: Threat Intelligence Knowledge Basesmentioning

confidence: 99%

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Hillier¹,

Karroubi²

2022

Preprint

View full text Add to dashboard Cite

The threat hunting lifecycle is a complex atmosphere that requires special attention from professionals to maintain security. This paper is a collection of recent work that gives a holistic view of the threat hunting ecosystem, identifies challenges, and discusses the future with the integration of artificial intelligence (AI). We specifically establish a life cycle and ecosystem for privacy-threat hunting in addition to identifying the related challenges. We also discovered how critical the use of AI is in threat hunting. This work paves the way for future work in this area as it provides the foundational knowledge to make meaningful advancements for threat hunting.

show abstract

“…Yurekten et al [20] integrated the concepts of cyber entity intelligence, network function virtualization (NFC), and business function chaining (SFC) into an automated defense system of software-defined networks, which can evaluate defense strategies based on intelligence, in which one can choose to apply one or more network-level automated defense solutions to ensure that the defense system is scalable while increasing the intensity of attack processing. Gao et al [21] proposed a pipeline technology for extracting threat intelligence in entity intelligence and the correlation between intelligence and for drawing threat behavior maps for threat discovery. Rong et al [22] collected and correlated entity intelligence related to existing network attack methods to predict the network security status of a current system and achieve effective defense against network attacks.…”

Section: Anomaly Detection Based On Network Entity Intelligencementioning

confidence: 99%

Detecting ShadowsocksR User Based on Intelligence of Cyber Entities

Zhang¹,

Dong²,

Jin³

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

ShadowsocksR (SSR), as a typical emerging anonymous communication tool, may record user information on the SSR client or server, leading to the theft of the user’s privacy, and may be used by attackers to anonymize their internal network environment and organization, which will cause serious damage to data security and bring severe challenges to security defense and threat assessment within organizations. To solve the problem of accurately and effectively discovering SSR users within an organization in a real traffic environment, in this paper, we propose an SSR user detection method based on network entity intelligence as follows: (1) According to the communication characteristics of SSR users, relevant network entity intelligence information from inside and outside the organization is obtained, such as the distribution of IP addresses within and outside the organization, and the differences between SSR and non-SSR users are analyzed to construct a feature space. (2) The communication behaviors of SSR and non-SSR users are further analyzed and features are extracted from the perspective of traffic behavior analysis, and the feature space of the SSR user detection model is expanded. (3) A data-driven machine-learning-based approach is designed and implemented to provide suggestions for the automatic identification of SSR users based on the extracted feature vectors. Results show that the detection method proposed in this paper has a detection accuracy of more than 95% for SSR users in the experimental environment, can accurately distinguish between SSR communication and normal communication, and can achieve accurate SSR user detection.

show abstract

Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence

Cited by 61 publications

References 15 publications

Incorporating Cyber Threat Intelligence into Complex Cyber-Physical Systems: A STIX Model for Active Buildings

Incorporating Cyber Threat Intelligence into Complex Cyber-Physical Systems: A STIX Model for Active Buildings

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Detecting ShadowsocksR User Based on Intelligence of Cyber Entities

Contact Info

Product

Resources

About