AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports

TL;DR

AttacKG automatically extracts and aggregates structured attack behavior graphs from cyber threat intelligence reports, significantly improving the identification of attack techniques and supporting security tasks like attack detection.

Contribution

This paper introduces AttacKG, a novel method for converting unstructured CTI reports into comprehensive technique knowledge graphs, outperforming existing approaches in accuracy.

Findings

Effectively identifies 28,262 attack techniques from 1,515 reports.

Achieves high F1-scores of 0.887, 0.896, and 0.789 in entity, dependency, and technique extraction.

Outperforms state-of-the-art methods in extracting threat intelligence.

Abstract

Cyber attacks are becoming more sophisticated and diverse, making detection increasingly challenging. To combat these attacks, security practitioners actively summarize and exchange their knowledge about attacks across organizations in the form of cyber threat intelligence (CTI) reports. However, as CTI reports written in natural language texts are not structured for automatic analysis, the report usage requires tedious manual efforts of cyber threat intelligence recovery. Additionally, individual reports typically cover only a limited aspect of attack patterns (techniques) and thus are insufficient to provide a comprehensive view of attacks with multiple variants. To take advantage of threat intelligence delivered by CTI reports, we propose AttacKG to automatically extract structured attack behavior graphs from CTI reports and identify the adopted attack techniques. We then aggregate cyber threat intelligence across reports to collect different aspects of techniques and enhance attack behavior graphs into technique knowledge graphs (TKGs). In our evaluation against 1,515 real-world CTI reports from diverse intelligence sources, AttacKG effectively identifies 28,262 attack techniques with 8,393 unique Indicators of Compromises (IoCs). To further verify the accuracy of AttacKG in extracting threat intelligence, we run AttacKG on 16 manually labeled CTI reports. Empirical results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789, which outperforms the state-of-the-art approaches Extractor and TTPDrill. Moreover, the unique technique-level intelligence will directly benefit downstream security tasks that rely on technique specifications, e.g., APT detection and cyber attack reconstruction.