TY - GEN
T1 - Mapping Exploit Code on Paste Sites to the MITRE ATT&CK Framework
T2 - 20th IEEE International Conference on Intelligence and Security Informatics, ISI 2023
AU - Ampel, Benjamin
AU - Vahedi, Tala
AU - Samtani, Sagar
AU - Chen, Hsinchun
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Cyber-criminals often use information-sharing platforms such as paste sites (e.g., Pastebin) to share vast amounts of malicious text content, such as exploit source code. Careful analysis of malicious paste site content can provide Cyber Threat Intelligence (CTI) about potential threats. In this research, we propose a Convolutional BiLSTM Transformer multi-label classification method that automatically maps paste site exploit source code to the MITRE ATT&CK framework to identify adversarial techniques in support of proactive CTI. The Convolutional BiLSTM Transformer combines a convolutional neural network layer placed before a Transformer block, concatenated pooling of global max pooling and global average pooling, and a BiLSTM pair-wise function within the Transformer to capture word and sequence order. We conducted a multi-label classification experiment in which our proposed Convolutional BiLSTM Transformer model achieved state-of-the-art results in terms of accuracy, recall, F1-score, and Hamming loss. The results of a case study showed the tactics and tools used by malicious actors on paste sites.
AB - Cyber-criminals often use information-sharing platforms such as paste sites (e.g., Pastebin) to share vast amounts of malicious text content, such as exploit source code. Careful analysis of malicious paste site content can provide Cyber Threat Intelligence (CTI) about potential threats. In this research, we propose a Convolutional BiLSTM Transformer multi-label classification method that automatically maps paste site exploit source code to the MITRE ATT&CK framework to identify adversarial techniques in support of proactive CTI. The Convolutional BiLSTM Transformer combines a convolutional neural network layer placed before a Transformer block, concatenated pooling of global max pooling and global average pooling, and a BiLSTM pair-wise function within the Transformer to capture word and sequence order. We conducted a multi-label classification experiment in which our proposed Convolutional BiLSTM Transformer model achieved state-of-the-art results in terms of accuracy, recall, F1-score, and Hamming loss. The results of a case study showed the tactics and tools used by malicious actors on paste sites.
KW - BiLSTM
KW - Cyber threat intelligence
KW - convolutional
KW - exploit linking
KW - exploits
KW - paste sites
KW - transformer model
UR - http://www.scopus.com/inward/record.url?scp=85178642279&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85178642279&partnerID=8YFLogxK
U2 - 10.1109/ISI58743.2023.10297272
DO - 10.1109/ISI58743.2023.10297272
M3 - Conference contribution
AN - SCOPUS:85178642279
T3 - Proceedings - 2023 IEEE International Conference on Intelligence and Security Informatics, ISI 2023
BT - Proceedings - 2023 IEEE International Conference on Intelligence and Security Informatics, ISI 2023
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 2 October 2023 through 3 October 2023
ER -