Enabling efficient cyber threat hunting with cyber threat intelligence

Peng Gao; Fei Shao; Xiaoyuan Liu; Xusheng Xiao; Zheng Qin; Fengyuan Xu; Prateek Mittal; Sanjeev R. Kulkarni; Dawn Song

doi:10.1109/ICDE51399.2021.00024

Enabling efficient cyber threat hunting with cyber threat intelligence

Peng Gao, Fei Shao, Xiaoyuan Liu, Xusheng Xiao, Zheng Qin, Fengyuan Xu, Prateek Mittal, Sanjeev R. Kulkarni, Dawn Song

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

44 Scopus citations

Abstract

Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.

Original language	English (US)
Title of host publication	Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021
Publisher	IEEE Computer Society
Pages	193-204
Number of pages	12
ISBN (Electronic)	9781728191843
DOIs	https://doi.org/10.1109/ICDE51399.2021.00024
State	Published - Apr 2021
Event	37th IEEE International Conference on Data Engineering, ICDE 2021 - Virtual, Chania, Greece Duration: Apr 19 2021 → Apr 22 2021

Publication series

Name	Proceedings - International Conference on Data Engineering
Volume	2021-April
ISSN (Print)	1084-4627

Conference

Conference	37th IEEE International Conference on Data Engineering, ICDE 2021
Country/Territory	Greece
City	Virtual, Chania
Period	4/19/21 → 4/22/21

All Science Journal Classification (ASJC) codes

Software
Signal Processing
Information Systems

Access to Document

10.1109/ICDE51399.2021.00024

Cite this

Gao, P., Shao, F., Liu, X., Xiao, X., Qin, Z., Xu, F., Mittal, P., Kulkarni, S. R., & Song, D. (2021). Enabling efficient cyber threat hunting with cyber threat intelligence. In Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021 (pp. 193-204). Article 9458828 (Proceedings - International Conference on Data Engineering; Vol. 2021-April). IEEE Computer Society. https://doi.org/10.1109/ICDE51399.2021.00024

@inproceedings{d64491f05f194ef1b4c5e1a7626fcbd7,

title = "Enabling efficient cyber threat hunting with cyber threat intelligence",

abstract = "Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.",

author = "Peng Gao and Fei Shao and Xiaoyuan Liu and Xusheng Xiao and Zheng Qin and Fengyuan Xu and Prateek Mittal and Kulkarni, {Sanjeev R.} and Dawn Song",

note = "Funding Information: Peng Gao, Xiaoyuan Liu, and Dawn Song are supported in part by DARPA N66001-15-C-4066 and the Center for Long-Term Cybersecurity. Fei Shao and Xusheng Xiao are supported in part by NSF CNS-2028748. Zheng Qin and Fengyuan Xu are supported in part by NSFC- 61872180, Jiangsu {"}Shuang-Chuang{"} Program, and Jiangsu {"}Six-Talent-Peaks{"} Program. Prateek Mittal is supported in part by NSF CNS-1553437 and CNS-1704105, the ARL s Army Artificial Intelligence Innovation Institute (A2I2), the Office of Naval Research Young Investigator Award, and the Army Research Office Young Investigator Prize. Sanjeev R. Kulkarni is supported in part by the Center for Science of Information (CSoI), an NSF Science and Technology Center, under grant agreement CCF-0939370. Funding Information: We have proposed THREATRAPTOR, a system that facilitates cyber threat hunting in computer systems using OSCTI. Acknowledgement. Peng Gao, Xiaoyuan Liu, and Dawn Song are supported in part by DARPA N66001-15-C-4066 and the Center for Long-Term Cybersecurity. Fei Shao and Xusheng Xiao are supported in part by NSF CNS-2028748. Zheng Qin and Fengyuan Xu are supported in part by NSFC-61872180, Jiangsu {"}Shuang-Chuang{"} Program, and Jiangsu {"}Six-Talent-Peaks{"} Program. Prateek Mittal is supported in part by NSF CNS-1553437 and CNS-1704105, the ARL{\textquoteright}s Army Artificial Intelligence Innovation Institute (A2I2), the Office of Naval Research Young Investigator Award, and the Army Research Office Young Investigator Prize. Sanjeev R. Kulkarni is supported in part by the Center for Science of Information (CSoI), an NSF Science and Technology Center, under grant agreement CCF-0939370. Publisher Copyright: {\textcopyright} 2021 IEEE.; 37th IEEE International Conference on Data Engineering, ICDE 2021 ; Conference date: 19-04-2021 Through 22-04-2021",

year = "2021",

month = apr,

doi = "10.1109/ICDE51399.2021.00024",

language = "English (US)",

series = "Proceedings - International Conference on Data Engineering",

publisher = "IEEE Computer Society",

pages = "193--204",

booktitle = "Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021",

address = "United States",

}

Gao, P, Shao, F, Liu, X, Xiao, X, Qin, Z, Xu, F, Mittal, P , Kulkarni, SR & Song, D 2021, Enabling efficient cyber threat hunting with cyber threat intelligence. in Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021., 9458828, Proceedings - International Conference on Data Engineering, vol. 2021-April, IEEE Computer Society, pp. 193-204, 37th IEEE International Conference on Data Engineering, ICDE 2021, Virtual, Chania, Greece, 4/19/21. https://doi.org/10.1109/ICDE51399.2021.00024

Enabling efficient cyber threat hunting with cyber threat intelligence. / Gao, Peng; Shao, Fei; Liu, Xiaoyuan et al.
Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021. IEEE Computer Society, 2021. p. 193-204 9458828 (Proceedings - International Conference on Data Engineering; Vol. 2021-April).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Enabling efficient cyber threat hunting with cyber threat intelligence

AU - Gao, Peng

AU - Shao, Fei

AU - Liu, Xiaoyuan

AU - Xiao, Xusheng

AU - Qin, Zheng

AU - Xu, Fengyuan

AU - Mittal, Prateek

AU - Kulkarni, Sanjeev R.

AU - Song, Dawn

N1 - Funding Information: Peng Gao, Xiaoyuan Liu, and Dawn Song are supported in part by DARPA N66001-15-C-4066 and the Center for Long-Term Cybersecurity. Fei Shao and Xusheng Xiao are supported in part by NSF CNS-2028748. Zheng Qin and Fengyuan Xu are supported in part by NSFC- 61872180, Jiangsu "Shuang-Chuang" Program, and Jiangsu "Six-Talent-Peaks" Program. Prateek Mittal is supported in part by NSF CNS-1553437 and CNS-1704105, the ARL s Army Artificial Intelligence Innovation Institute (A2I2), the Office of Naval Research Young Investigator Award, and the Army Research Office Young Investigator Prize. Sanjeev R. Kulkarni is supported in part by the Center for Science of Information (CSoI), an NSF Science and Technology Center, under grant agreement CCF-0939370. Funding Information: We have proposed THREATRAPTOR, a system that facilitates cyber threat hunting in computer systems using OSCTI. Acknowledgement. Peng Gao, Xiaoyuan Liu, and Dawn Song are supported in part by DARPA N66001-15-C-4066 and the Center for Long-Term Cybersecurity. Fei Shao and Xusheng Xiao are supported in part by NSF CNS-2028748. Zheng Qin and Fengyuan Xu are supported in part by NSFC-61872180, Jiangsu "Shuang-Chuang" Program, and Jiangsu "Six-Talent-Peaks" Program. Prateek Mittal is supported in part by NSF CNS-1553437 and CNS-1704105, the ARL’s Army Artificial Intelligence Innovation Institute (A2I2), the Office of Naval Research Young Investigator Award, and the Army Research Office Young Investigator Prize. Sanjeev R. Kulkarni is supported in part by the Center for Science of Information (CSoI), an NSF Science and Technology Center, under grant agreement CCF-0939370. Publisher Copyright: © 2021 IEEE.

PY - 2021/4

Y1 - 2021/4

N2 - Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.

AB - Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.

UR - http://www.scopus.com/inward/record.url?scp=85103751464&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85103751464&partnerID=8YFLogxK

U2 - 10.1109/ICDE51399.2021.00024

DO - 10.1109/ICDE51399.2021.00024

M3 - Conference contribution

AN - SCOPUS:85103751464

T3 - Proceedings - International Conference on Data Engineering

SP - 193

EP - 204

BT - Proceedings - 2021 IEEE 37th International Conference on Data Engineering, ICDE 2021

PB - IEEE Computer Society

T2 - 37th IEEE International Conference on Data Engineering, ICDE 2021

Y2 - 19 April 2021 through 22 April 2021

ER -

Enabling efficient cyber threat hunting with cyber threat intelligence

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this