论文标题
通过网络威胁智能实现有效的网络威胁狩猎
Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence
论文作者
论文摘要
基于日志的网络威胁狩猎已成为应对复杂攻击的重要解决方案。但是,现有的方法需要对手动查询构建进行非平凡的努力,并忽略了开源网络威胁智能(OSCTI)提供的丰富外部威胁知识。为了弥合差距,我们提出了ThreAtraptor,该系统促进了使用OSCTI在计算机系统中狩猎威胁的系统。推迟者在系统审核框架基于系统审核框架上,提供(1)一种无监督,轻巧且准确的NLP管道,从非结构化的OSCTI文本中提取结构化的威胁行为,(2)一种简洁而表达的域特异性查询语言,TBQL,tbql,以寻求恶意系统和询问Query Synation Insomations Insomations Intressy and Query Synation Intifation a自动合成概率,THESS的自动构造theistry for nosationals Intifation theiss andisation foreys tosationals Intive a自动合成。 (4)有效的查询执行引擎,用于搜索大审核日志记录数据。对广泛攻击案件的评估证明了养牛者在实际威胁狩猎中的准确性和效率。
Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.
