Research field: Safety
Conference: International Conference on Digital Forensics and Cyber Crime
To respond to and prevent cyber attacks in a timely manner, security practitioners need effective threat information (i.e., attack clues about the attackers). Cyber Threat Intelligence (CTI) provides important evidential knowledge about attackers and is critical to the shift from reactive to proactive defense against cyber attacks. Attack detection based on Indicators of Compromise (IOCs), a type of CTI, is limited by the insufficient context of attack scenarios that IOCs carry. However, automated threat detection that involves annotating CTI demands specialized security expertise and incurs high costs. Most existing uncertainty-based sampling methods tend to be vulnerable to outliers. Furthermore, the conventional pipeline models for acquiring CTI suffer from error propagation between stages. To address these issues, we propose an adaptive multi-task adversarial active learning model called CTIMiner. CTIMiner is designed to extract CTI with rich attack context from CTI analysis reports, providing robust decision support for defense. CTIMiner mitigates the outlier vulnerability and costly labeling via an adversarial sampling strategy. We also design an adaptive multi-task learning setup to alleviate the challenges of error propagation and sub-task loss balancing. Experimental results on two datasets demonstrate that CTIMiner improves the F1 score by 7.3% compared with state-of-the-art methods. We also discuss the benefit of CTIMiner through a downstream security task.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | China |
| Site | Springer |
| Likes | 0 |