A system for efficiently hunting for cyber threats in computer systems using threat intelligence

Peng Gao; Fei Shao; Xiaoyuan Liu; Xusheng Xiao; Haoyuan Liu; Zheng Qin; Fengyuan Xu; Prateek Mittal; Sanjeev R. Kulkarni; Dawn Song

doi:10.1109/ICDE51399.2021.00309

A system for efficiently hunting for cyber threats in computer systems using threat intelligence

Peng Gao, Fei Shao, Xiaoyuan Liu, Xusheng Xiao, Haoyuan Liu, Zheng Qin, Fengyuan Xu, Prateek Mittal, Sanjeev R. Kulkarni, Dawn Song

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

14 Scopus citations

Abstract

Log-based cyber threat hunting has emerged as an important solution to counter sophisticated cyber attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external knowledge about threat behaviors provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. Built upon mature system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors, and (4) an efficient query execution engine to search the big system audit logging data.

Original language	English (US)
Title of host publication	Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021
Publisher	IEEE Computer Society
Pages	2705-2708
Number of pages	4
ISBN (Electronic)	9781728191843
DOIs	https://doi.org/10.1109/ICDE51399.2021.00309
State	Published - Apr 2021
Event	37th IEEE International Conference on Data Engineering, ICDE 2021 - Virtual, Chania, Greece Duration: Apr 19 2021 → Apr 22 2021

Publication series

Name	Proceedings - International Conference on Data Engineering
Volume	2021-April
ISSN (Print)	1084-4627

Conference

Conference	37th IEEE International Conference on Data Engineering, ICDE 2021
Country/Territory	Greece
City	Virtual, Chania
Period	4/19/21 → 4/22/21

All Science Journal Classification (ASJC) codes

Software
Signal Processing
Information Systems

Access to Document

10.1109/ICDE51399.2021.00309

Cite this

Gao, P., Shao, F., Liu, X., Xiao, X., Liu, H., Qin, Z., Xu, F., Mittal, P., Kulkarni, S. R., & Song, D. (2021). A system for efficiently hunting for cyber threats in computer systems using threat intelligence. In Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021 (pp. 2705-2708). Article 9458871 (Proceedings - International Conference on Data Engineering; Vol. 2021-April). IEEE Computer Society. https://doi.org/10.1109/ICDE51399.2021.00309

@inproceedings{303719f9bbce48fa8d57684533c2d8d9,

title = "A system for efficiently hunting for cyber threats in computer systems using threat intelligence",

abstract = "Log-based cyber threat hunting has emerged as an important solution to counter sophisticated cyber attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external knowledge about threat behaviors provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. Built upon mature system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors, and (4) an efficient query execution engine to search the big system audit logging data.",

author = "Peng Gao and Fei Shao and Xiaoyuan Liu and Xusheng Xiao and Haoyuan Liu and Zheng Qin and Fengyuan Xu and Prateek Mittal and Kulkarni, {Sanjeev R.} and Dawn Song",

note = "Publisher Copyright: {\textcopyright} 2021 IEEE.; 37th IEEE International Conference on Data Engineering, ICDE 2021 ; Conference date: 19-04-2021 Through 22-04-2021",

year = "2021",

month = apr,

doi = "10.1109/ICDE51399.2021.00309",

language = "English (US)",

series = "Proceedings - International Conference on Data Engineering",

publisher = "IEEE Computer Society",

pages = "2705--2708",

booktitle = "Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021",

address = "United States",

}

Gao, P, Shao, F, Liu, X, Xiao, X, Liu, H, Qin, Z, Xu, F, Mittal, P , Kulkarni, SR & Song, D 2021, A system for efficiently hunting for cyber threats in computer systems using threat intelligence. in Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021., 9458871, Proceedings - International Conference on Data Engineering, vol. 2021-April, IEEE Computer Society, pp. 2705-2708, 37th IEEE International Conference on Data Engineering, ICDE 2021, Virtual, Chania, Greece, 4/19/21. https://doi.org/10.1109/ICDE51399.2021.00309

A system for efficiently hunting for cyber threats in computer systems using threat intelligence. / Gao, Peng; Shao, Fei; Liu, Xiaoyuan et al.
Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021. IEEE Computer Society, 2021. p. 2705-2708 9458871 (Proceedings - International Conference on Data Engineering; Vol. 2021-April).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - A system for efficiently hunting for cyber threats in computer systems using threat intelligence

AU - Gao, Peng

AU - Shao, Fei

AU - Liu, Xiaoyuan

AU - Xiao, Xusheng

AU - Liu, Haoyuan

AU - Qin, Zheng

AU - Xu, Fengyuan

AU - Mittal, Prateek

AU - Kulkarni, Sanjeev R.

AU - Song, Dawn

PY - 2021/4

Y1 - 2021/4

N2 - Log-based cyber threat hunting has emerged as an important solution to counter sophisticated cyber attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external knowledge about threat behaviors provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. Built upon mature system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors, and (4) an efficient query execution engine to search the big system audit logging data.

AB - Log-based cyber threat hunting has emerged as an important solution to counter sophisticated cyber attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external knowledge about threat behaviors provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. Built upon mature system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors, and (4) an efficient query execution engine to search the big system audit logging data.

UR - http://www.scopus.com/inward/record.url?scp=85105112296&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85105112296&partnerID=8YFLogxK

U2 - 10.1109/ICDE51399.2021.00309

DO - 10.1109/ICDE51399.2021.00309

M3 - Conference contribution

AN - SCOPUS:85105112296

T3 - Proceedings - International Conference on Data Engineering

SP - 2705

EP - 2708

BT - Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021

PB - IEEE Computer Society

T2 - 37th IEEE International Conference on Data Engineering, ICDE 2021

Y2 - 19 April 2021 through 22 April 2021

ER -

Gao P, Shao F, Liu X, Xiao X, Liu H, Qin Z et al. A system for efficiently hunting for cyber threats in computer systems using threat intelligence. In Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021. IEEE Computer Society. 2021. p. 2705-2708. 9458871. (Proceedings - International Conference on Data Engineering). doi: 10.1109/ICDE51399.2021.00309

A system for efficiently hunting for cyber threats in computer systems using threat intelligence

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this