As cloud service becomes more and more capable, available and powerful, wiseCIO has emerged from an innovative roadmap toward archival Content Management Service (aCMS) and massive Content Delivery Service (mCDS) in s...As cloud service becomes more and more capable, available and powerful, wiseCIO has emerged from an innovative roadmap toward archival Content Management Service (aCMS) and massive Content Delivery Service (mCDS) in support of Anything-as-a-Service (XaaS) via Digital Archiving and Transformed Analytics (DATA);DATA aims to automate UBC with FAST solutions throughout a feasible, analytical, scalable and testable approach. This paper, based on the novel wiseCIO (web-based intelligent service engaging Cloud Intelligence Outlet), presents digital archiving and transformed analytics via machine learning automata for intelligent UBC processes to liaise with Universal interface for human-computer interaction, enable Brewing aggregation (differing from traditional web browsing), and engage Centered user experience. As one of the most practical aspects of artificial intelligence, machine learning is applied to analytical model building and massive and/or multidimensional Online Analytical Processing (mOLAP) for more intelligent cloud service with little explicit coding required. DATA is central to useful information via archival transformation and analytics, and utilizable intelligence for Business, Education and Entertainment (iBEE) in support of decision-making. As a result, DATA orchestrates wiseCIO to promote ACTiVE XaaS that enables accessibility, contextuality and traceability of information for vast engagement with various cloud services, such as aCMS (archival Content Management Service), COSA (Context-Oriented Screening Aggregation), DASH (Deliveries Assembled for fast Search and Hits), OLAS (Online Learning via Analytical Synthesis), REAP (Rapid Extension and Active Presentation), and SPOT (Special Points On Top) with great ease.展开更多
The cybersecurity report provides unstructured actionable cyber threat intelligence(CTI)with detailed threat attack procedures and indicators of compromise(IOCs),e.g.,malware hash or URL(uniform resource locator)of co...The cybersecurity report provides unstructured actionable cyber threat intelligence(CTI)with detailed threat attack procedures and indicators of compromise(IOCs),e.g.,malware hash or URL(uniform resource locator)of command and control server.The actionable CTI,integrated into intrusion detection systems,can not only prioritize the most urgent threats based on the campaign stages of attack vectors(i.e.,IOCs)but also take appropriate mitigation measures based on contextual information of the alerts.However,the dramatic growth in the number of cybersecurity reports makes it nearly impossible for security professionals to find an efficient way to use these massive amounts of threat intelligence.In this paper,we propose a trigger-enhanced actionable CTI discovery system(TriCTI)to portray a relationship between IOCs and campaign stages and generate actionable CTI from cybersecurity reports through natural language processing(NLP)technology.Specifically,we introduce the“campaign trigger”for an effective explanation of the campaign stages to improve the performance of the classification model.The campaign trigger phrases are the keywords in the sentence that imply the campaign stage.The trained final trigger vectors have similar space representations with the keywords in the unseen sentence and will help correct classification by increasing the weight of the keywords.We also meticulously devise a data augmentation specifically for cybersecurity training sets to cope with the challenge of the scarcity of annotation data sets.Compared with state-of-the-art text classification models,such as BERT,the trigger-enhanced classification model has better performance with accuracy(86.99%)and F1 score(87.02%).We run TriCTI on more than 29k cybersecurity reports,from which we automatically and efficiently collect 113,543 actionable CTI.In particular,we verify the actionability of discovered CTI by using large-scale field data from VirusTotal(VT).The results demonstrate that the threat intelligence provided by VT lacks a part of the threat context for IOCs,such as the Actions on Objectives campaign stage.As a comparison,our proposed method can completely identify the actionable CTI in all campaign stages.Accordingly,cyber threats can be identified and resisted at any campaign stage with the discovered actionable CTI.展开更多
文摘As cloud service becomes more and more capable, available and powerful, wiseCIO has emerged from an innovative roadmap toward archival Content Management Service (aCMS) and massive Content Delivery Service (mCDS) in support of Anything-as-a-Service (XaaS) via Digital Archiving and Transformed Analytics (DATA);DATA aims to automate UBC with FAST solutions throughout a feasible, analytical, scalable and testable approach. This paper, based on the novel wiseCIO (web-based intelligent service engaging Cloud Intelligence Outlet), presents digital archiving and transformed analytics via machine learning automata for intelligent UBC processes to liaise with Universal interface for human-computer interaction, enable Brewing aggregation (differing from traditional web browsing), and engage Centered user experience. As one of the most practical aspects of artificial intelligence, machine learning is applied to analytical model building and massive and/or multidimensional Online Analytical Processing (mOLAP) for more intelligent cloud service with little explicit coding required. DATA is central to useful information via archival transformation and analytics, and utilizable intelligence for Business, Education and Entertainment (iBEE) in support of decision-making. As a result, DATA orchestrates wiseCIO to promote ACTiVE XaaS that enables accessibility, contextuality and traceability of information for vast engagement with various cloud services, such as aCMS (archival Content Management Service), COSA (Context-Oriented Screening Aggregation), DASH (Deliveries Assembled for fast Search and Hits), OLAS (Online Learning via Analytical Synthesis), REAP (Rapid Extension and Active Presentation), and SPOT (Special Points On Top) with great ease.
基金Our research was supported by the National Key Research and Development Program of China(Nos.2019QY1301,2018YFB0805005,2018YFC0824801).
文摘The cybersecurity report provides unstructured actionable cyber threat intelligence(CTI)with detailed threat attack procedures and indicators of compromise(IOCs),e.g.,malware hash or URL(uniform resource locator)of command and control server.The actionable CTI,integrated into intrusion detection systems,can not only prioritize the most urgent threats based on the campaign stages of attack vectors(i.e.,IOCs)but also take appropriate mitigation measures based on contextual information of the alerts.However,the dramatic growth in the number of cybersecurity reports makes it nearly impossible for security professionals to find an efficient way to use these massive amounts of threat intelligence.In this paper,we propose a trigger-enhanced actionable CTI discovery system(TriCTI)to portray a relationship between IOCs and campaign stages and generate actionable CTI from cybersecurity reports through natural language processing(NLP)technology.Specifically,we introduce the“campaign trigger”for an effective explanation of the campaign stages to improve the performance of the classification model.The campaign trigger phrases are the keywords in the sentence that imply the campaign stage.The trained final trigger vectors have similar space representations with the keywords in the unseen sentence and will help correct classification by increasing the weight of the keywords.We also meticulously devise a data augmentation specifically for cybersecurity training sets to cope with the challenge of the scarcity of annotation data sets.Compared with state-of-the-art text classification models,such as BERT,the trigger-enhanced classification model has better performance with accuracy(86.99%)and F1 score(87.02%).We run TriCTI on more than 29k cybersecurity reports,from which we automatically and efficiently collect 113,543 actionable CTI.In particular,we verify the actionability of discovered CTI by using large-scale field data from VirusTotal(VT).The results demonstrate that the threat intelligence provided by VT lacks a part of the threat context for IOCs,such as the Actions on Objectives campaign stage.As a comparison,our proposed method can completely identify the actionable CTI in all campaign stages.Accordingly,cyber threats can be identified and resisted at any campaign stage with the discovered actionable CTI.
