Mapping Exploit Code on Paste Sites to the MITRE ATT&CK Framework: A Multi-label Transformer Approach

Benjamin Ampel, Tala Vahedi, Sagar Samtani, Hsinchun Chen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Cyber-criminals often use information-sharing platforms such as paste sites (e.g., Pastebin) to share vast amounts of malicious text content, such as exploit source code. Careful analysis of malicious paste site content can provide Cyber Threat Intelligence (CTI) about potential threats. In this research, we propose a Convolutional BiLSTM Transformer multi-label classification method that automatically maps paste site exploit source code to the MITRE ATT&CK framework to identify adversarial techniques in support of proactive CTI. The Convolutional BiLSTM Transformer combines a convolutional neural network layer placed before a Transformer block, a concatenated pooling of global max pooling and global average pooling, and a BiLSTM pair-wise function within the Transformer to capture word and sequence order. We conducted a multi-label classification experiment in which our proposed Convolutional BiLSTM Transformer model achieved state-of-the-art results in terms of accuracy, recall, F1-score, and Hamming loss. The results of a case study showed the tactics and tools used by malicious actors on paste sites.

Original language: English (US)
Title of host publication: Proceedings - 2023 IEEE International Conference on Intelligence and Security Informatics, ISI 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9798350337730
DOIs
State: Published - 2023
Event: 20th IEEE International Conference on Intelligence and Security Informatics, ISI 2023 - Charlotte, United States
Duration: Oct 2 2023 to Oct 3 2023

Publication series

Name: Proceedings - 2023 IEEE International Conference on Intelligence and Security Informatics, ISI 2023

Conference

Conference: 20th IEEE International Conference on Intelligence and Security Informatics, ISI 2023
Country/Territory: United States
City: Charlotte
Period: 10/2/23 to 10/3/23

Keywords

  • BiLSTM
  • Cyber threat intelligence
  • convolutional
  • exploit linking
  • exploits
  • paste sites
  • transformer model

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Networks and Communications
  • Computer Science Applications
  • Information Systems
  • Safety, Risk, Reliability and Quality
