A System for Automated Security Knowledge Extraction

Edward Choi

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2022-141

May 18, 2022

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2022/EECS-2022-141.pdf

Complex cyber attacks have highly impacted many high-profile businesses. To remain aware of the fast-evolving threat landscape, open-source Cyber Threat Intelligence (OSCTI) has received growing attention from the community. Commonly, knowledge about threats is presented in a vast number of OSCTI reports. Despite the pressing need for high-quality OSCTI, current OSCTI management systems have primarily focused on isolated, low-level Indicators of Compromise (IOC). On the other hand, higher-level concepts (e.g., adversary tactics, techniques, and procedures) and their relationships have been overlooked, which contain crucial knowledge about threat behaviors that is critical to uncovering the complete threat scenario. To bridge the gap, we propose ThreatExtractor, a system for automated security knowledge extraction. In particular, ThreatExtractor automatically collects a large number of OSCTI reports from a variety of sources, uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors, and uses this knowledge in the form of entities and relations to construct a security knowledge graph. ThreatExtractor also provides a GUI that supports various types of interactivity to facilitate knowledge graph exploration.

Advisors: Dawn Song

BibTeX citation:

@mastersthesis{Choi:EECS-2022-141,
    Author= {Choi, Edward},
    Title= {A System for Automated Security Knowledge Extraction},
    School= {EECS Department, University of California, Berkeley},
    Year= {2022},
    Month= {May},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2022/EECS-2022-141.html},
    Number= {UCB/EECS-2022-141},
    Abstract= {Complex cyber attacks have highly impacted many high-profile businesses. To remain aware of the fast-evolving threat landscape, open-source Cyber Threat Intelligence (OSCTI) has received growing attention from the community. Commonly, knowledge about threats is presented in a vast number of OSCTI reports. Despite the pressing need for high-quality OSCTI, current OSCTI management systems have primarily focused on isolated, low-level Indicators of Compromise (IOC). On the other hand, higher-level concepts (e.g., adversary tactics, techniques, and procedures) and their relationships have been overlooked, which
contain crucial knowledge about threat behaviors that is critical to uncovering the complete threat scenario. To bridge the gap, we propose ThreatExtractor, a system for automated security knowledge extraction. In particular, ThreatExtractor automatically collects a large number of OSCTI reports from a variety of sources, uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors, and uses this knowledge in the form of entities and relations to construct a security knowledge graph. ThreatExtractor also provides a GUI that supports various types of interactivity to
facilitate knowledge graph exploration.},
}

EndNote citation:

%0 Thesis
%A Choi, Edward 
%T A System for Automated Security Knowledge Extraction
%I EECS Department, University of California, Berkeley
%D 2022
%8 May 18
%@ UCB/EECS-2022-141
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2022/EECS-2022-141.html
%F Choi:EECS-2022-141