IPAttributor: Cyber Attacker Attribution with Threat Intelligence-Enriched Intrusion Data
Abstract
1. Introduction
- Threat Intelligence Enrichment: The paper enhances the analytical dataset by integrating and evaluating intelligence-based features, which are extracted from commercial threat intelligence, and behavior-based features, which are extracted from network intrusion data. This enriched dataset provides a comprehensive foundation for nuanced attack characterization and analysis.
- Cyber Attacker Attribution Model: A robust model for cyber attacker attribution is proposed, specifically focusing on APT groups. Our model capitalizes on the detailed features identified within the enriched dataset, employing pairwise similarity analyses and clustering techniques to discern and delineate attacker communities. This approach facilitates the efficient and precise pinpointing of the origins and associations of these groups.
- Empirical Validation with Real-world Data: Extensive experiments are conducted using a real-world dataset that includes a substantial number of alarm entries, combined with paid commercial threat intelligence. These experiments validate the effectiveness of the proposed approach, demonstrating its ability to accurately attribute cyber attacks and uncover the dynamics of attacker groups in a practical setting.
2. Related Work
2.1. Malware-Based Methods
2.2. Behavior-Based Methods
2.3. Intelligence-Based Methods
3.4. Similarity Computation
3.5. Attacker Attribution
Algorithm 1 Dynamic weighted threat segmentation algorithm
Input: Dataset ; each is a multi-featured representation of an IP. Security threshold ; heuristic parameter for the optimization algorithm. Number of clusters .
Output: Clustering result . Optimal weights .
Procedure:
1: Initialize weights randomly within range , ensure sum to 1
2: for , where do
3:
4: end for
5: Apply heuristic optimization
6: with optimized weights after convergence
7: Initialize centroids
8: repeat
9: Assign to cluster if
10: Update
11: if
12: break
13: until clusters are stable
14: for each do:
15: Optimize using the updated similarity matrix
16: end for
17: return final clusters and optimal weights
4. Evaluation
4.1. Environment
4.2. Dataset
4.3. Evaluation Metrics
4.4. Similarity Computation Results
4.5. Attacker Attribution Results
4.5.1. Clustering Comparison
4.5.2. Optimal Attribution Results
4.6. Similarity Computation Case Analysis
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
Feature Category | Feature Type | Feature |
---|---|---|
intelligence feature | basic | location |
 | | carrier |
 | threat type | malicious label |
 | | ttps |
 | | http request |
 | appear time | occurrences |
attack feature | network | ips |
 | | ports |
 | execution | payload |
 | | behavior |
 | temporal pattern | time |
 | | frequency |
 | IP 1 111.XXX.XXX.136 | IP 2 122.XXX.XXX.163 | IP 3 111.XXX.XXX.148 | IP 4 101.XXX.XXX.111 |
---|---|---|---|---|
Acc | 77.78% | 66.67% | 88.89% | 77.78% |
Average Acc | 77.78% | | | |
Source IP | Attack Behavior | Carrier Information | Threat Types |
---|---|---|---|
111.XXX.XXX.148 | ‘IP Pool Scan’ | ‘China Mobile’ | [‘SSH’, ‘Web App Attack’] |
111.XXX.XXX.151 | ‘Normal Access Behavior’ | ‘China Mobile’ | [‘Web Spam’, ‘SSH’, ‘Web App Attack’] |
111.XXX.XXX.150 | ‘Normal Access Behavior’ | ‘China Mobile’ | [‘Brute-Force’, ‘SSH’, ‘Web App Attack’] |
111.XXX.XXX.139 | ‘IP Pool Scan’ | ‘China Mobile’ | [‘DDos Attack’, ‘Port Scan’] |
111.XXX.XXX.152 | ‘IP Pool Scan’ | ‘China Mobile’ | [‘Hacking’, ‘Web App Attack’, ‘Port Scan’] |
123.XXX.XXX.17 | ‘IP Pool Scan’ | ‘China Telecom’ | [‘SSH’] |
52.XXX.XXX.65 | ‘Normal Access Behavior’ | ‘Ningxia West Cloud Data’ | [‘SSH’, ‘Port Scan’, ‘Web App Attack’] |
162.XXX.XXX.6 | ‘Normal Access Behavior’ | ‘DigitalOcean, LLC’ | [‘SSH’, ‘Port Scan’, ‘Exploited Host’] |
111.XXX.XXX.160 | ‘Normal Access Behavior’ | ‘China Mobile’ | [‘Web App Attack’, ‘SSH’] |
111.XXX.XXX.169 | ‘Normal Access Behavior’ | ‘China Mobile’ | [‘Web App Attack’, ‘Port Scan’] |
Source IP | Location | Last Seen | Carrier Information | Threat Types |
---|---|---|---|---|
111.XXX.XXX.150 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Zombie’, ‘Exploit’] |
111.XXX.XXX.151 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Brute Force’, ‘Web Spam’, ‘Exploit’] |
111.XXX.XXX.152 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Exploit’, ‘Dynamic IP’] |
111.XXX.XXX.154 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Exploit’, ‘Dynamic IP’] |
111.XXX.XXX.153 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Exploit’, ‘Dynamic IP’] |
111.XXX.XXX.155 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Dynamic IP’] |
111.XXX.XXX.156 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Exploit’, ‘Dynamic IP’] |
111.XXX.XXX.157 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Exploit’, ‘Dynamic IP’] |
111.XXX.XXX.158 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Dynamic IP’] |
111.XXX.XXX.159 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Exploit’, ‘Dynamic IP’] |
111.XXX.XXX.160 | ‘Henan, China’ | 2024-03-25 | ‘China Mobile’ | [‘Scan’, ‘Exploit’, ‘Dynamic IP’] |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
**ang, X.; Liu, H.; Zeng, L.; Zhang, H.; Gu, Z. IPAttributor: Cyber Attacker Attribution with Threat Intelligence-Enriched Intrusion Data. Mathematics 2024, 12, 1364. https://doi.org/10.3390/math12091364