Visible to the public Biblio

Filters: Keyword is indicators of compromise  [Clear All Filters]
2022-06-09
Atluri, Venkata, Horne, Jeff.  2021.  A Machine Learning based Threat Intelligence Framework for Industrial Control System Network Traffic Indicators of Compromise. SoutheastCon 2021. :1–5.
Cyber-attacks on our Nation's Critical Infrastructure are growing. In this research, a Cyber Threat Intelligence (CTI) framework is proposed, developed, and tested. The results of the research, using 5 different simulated attacks on a dataset from an Industrial Control System (ICS) testbed, are presented with the extracted IOCs. The Bagging Decision Trees model showed the highest performance of testing accuracy (94.24%), precision (0.95), recall (0.93), and F1-score (0.94) among the 9 different machine learning models studied.
2021-03-09
Akram, B., Ogi, D..  2020.  The Making of Indicator of Compromise using Malware Reverse Engineering Techniques. 2020 International Conference on ICT for Smart Society (ICISS). CFP2013V-ART:1—6.

Malware threats often go undetected immediately, because attackers can camouflage well within the system. The users realize this after the devices stop working and cause harm for them. One way to deceive malicious content detection, malware authors use packers. Malware analysis is an activity to gain knowledge about malware. Reverse engineering is a technique used to identify and deal with new viruses or to understand malware behavior. Therefore, this technique can be the right choice for conducting malware analysis, especially for malware with packers. The results of the analysis are used as a source for making creating indicator of compromise in the YARA rule format. YARA rule is used as a component for detecting malware using the indicators obtained in the analysis process.

2020-08-03
Parmar, Manisha, Domingo, Alberto.  2019.  On the Use of Cyber Threat Intelligence (CTI) in Support of Developing the Commander's Understanding of the Adversary. MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). :1–6.
Cyber Threat Intelligence (CTI) is a rapidly developing field which has evolved in direct response to exponential growth in cyber related crimes and attacks. CTI supports Communication and Information System (CIS)Security in order to bolster defenses and aids in the development of threat models that inform an organization's decision making process. In a military organization like NATO, CTI additionally supports Cyberspace Operations by providing the Commander with essential intelligence about the adversary, their capabilities and objectives while operating in and through cyberspace. There have been many contributions to the CTI field; a noteworthy contribution is the ATT&CK® framework by the Mitre Corporation. ATT&CK® contains a comprehensive list of adversary tactics and techniques linked to custom or publicly known Advanced Persistent Threats (APT) which aids an analyst in the characterization of Indicators of Compromise (IOCs). The ATT&CK® framework also demonstrates possibility of supporting an organization with linking observed tactics and techniques to specific APT behavior, which may assist with adversary characterization and identification, necessary steps towards attribution. The NATO Allied Command Transformation (ACT) and the NATO Communication and Information Agency (NCI Agency) have been experimenting with the use of deception techniques (including decoys) to increase the collection of adversary related data. The collected data is mapped to the tactics and techniques described in the ATT&CK® framework, in order to derive evidence to support adversary characterization; this intelligence is pivotal for the Commander to support mission planning and determine the best possible multi-domain courses of action. This paper describes the approach, methodology, outcomes and next steps for the conducted experiments.
2020-05-08
Dionísio, Nuno, Alves, Fernando, Ferreira, Pedro M., Bessani, Alysson.  2019.  Cyberthreat Detection from Twitter using Deep Neural Networks. 2019 International Joint Conference on Neural Networks (IJCNN). :1—8.

To be prepared against cyberattacks, most organizations resort to security information and event management systems to monitor their infrastructures. These systems depend on the timeliness and relevance of the latest updates, patches and threats provided by cyberthreat intelligence feeds. Open source intelligence platforms, namely social media networks such as Twitter, are capable of aggregating a vast amount of cybersecurity-related sources. To process such information streams, we require scalable and efficient tools capable of identifying and summarizing relevant information for specified assets. This paper presents the processing pipeline of a novel tool that uses deep neural networks to process cybersecurity information received from Twitter. A convolutional neural network identifies tweets containing security-related information relevant to assets in an IT infrastructure. Then, a bidirectional long short-term memory network extracts named entities from these tweets to form a security alert or to fill an indicator of compromise. The proposed pipeline achieves an average 94% true positive rate and 91% true negative rate for the classification task and an average F1-score of 92% for the named entity recognition task, across three case study infrastructures.

2020-02-17
Skopik, Florian, Filip, Stefan.  2019.  Design principles for national cyber security sensor networks: Lessons learned from small-scale demonstrators. 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). :1–8.
The timely exchange of information on new threats and vulnerabilities has become a cornerstone of effective cyber defence in recent years. Especially national authorities increasingly assume their role as information brokers through national cyber security centres and distribute warnings on new attack vectors and vital recommendations on how to mitigate them. Although many of these initiatives are effective to some degree, they also suffer from severe limitations. Many steps in the exchange process require extensive human involvement to manually review, vet, enrich, analyse and distribute security information. Some countries have therefore started to adopt distributed cyber security sensor networks to enable the automatic collection, analysis and preparation of security data and thus effectively overcome limiting scalability factors. The basic idea of IoC-centric cyber security sensor networks is that the national authorities distribute Indicators of Compromise (IoCs) to organizations and receive sightings in return. This effectively helps them to estimate the spreading of malware, anticipate further trends of spreading and derive vital findings for decision makers. While this application case seems quite simple, there are some tough questions to be answered in advance, which steer the further design decisions: How much can the monitored organization be trusted to be a partner in the search for malware? How much control of the scanning process should be delegated to the organization? What is the right level of search depth? How to deal with confidential indicators? What can be derived from encrypted traffic? How are new indicators distributed, prioritized, and scan targets selected in a scalable manner? What is a good strategy to re-schedule scans to derive meaningful data on trends, such as rate of spreading? This paper suggests a blueprint for a sensor network and raises related questions, outlines design principles, and discusses lessons learned from small-scale pilots.
2019-03-04
[Anonymous].  2018.  A Systems Approach to Indicators of Compromise Utilizing Graph Theory. 2018 IEEE International Symposium on Technologies for Homeland Security (HST). :1–6.
It is common to record indicators of compromise (IoC) in order to describe a particular breach and to attempt to attribute a breach to a specific threat actor. However, many network security breaches actually involve multiple diverse modalities using a variety of attack vectors. Measuring and recording IoC's in isolation does not provide an accurate view of the actual incident, and thus does not facilitate attribution. A system's approach that describes the entire intrusion as an IoC would be more effective. Graph theory has been utilized to model complex systems of varying types and this provides a mathematical tool for modeling systems indicators of compromise. This current paper describes the applications of graph theory to creating systems-based indicators of compromise. A complete methodology is presented for developing systems IoC's that fully describe a complex network intrusion.