Marc Müller

Lukas Lange, Marc Müller, Ghazaleh Haratinezhad Torbati et al.

Monitoring the threat landscape to be aware of actual or potential attacks is of utmost importance to cybersecurity professionals. Information about cyber threats is typically distributed using natural language reports. Natural language processing can help with managing this large amount of unstructured information, yet to date, the topic has received little attention. With this paper, we present AnnoCTR, a new CC-BY-SA-licensed dataset of cyber threat reports. The reports have been annotated by a domain expert with named entities, temporal expressions, and cybersecurity-specific concepts including implicitly mentioned techniques and tactics. Entities and concepts are linked to Wikipedia and the MITRE ATT&CK knowledge base, the most widely-used taxonomy for classifying types of attacks. Prior datasets linking to MITRE ATT&CK either provide a single label per document or annotate sentences out-of-context; our dataset annotates entire documents in a much finer-grained way. In an experimental study, we model the annotations of our dataset using state-of-the-art neural models. In our few-shot scenario, we find that for identifying the MITRE ATT&CK concepts that are mentioned explicitly or implicitly in a text, concept descriptions from MITRE ATT&CK are an effective source for training data augmentation.

Holger Kinkelin, Heiko Niedermayer, Marc Müller et al.

Configuration management in networks with highest security demands must not depend on just one administrator and her device. Otherwise, problems can be caused by mistakes or malicious behavior of this admin, or when her computer got compromised, which allows an attacker to abuse the administrator's far-reaching permissions. Instead, we propose to use a reliable and resilient configuration management process orchestrated by a configuration management system (CMS). This can be achieved by separation of concerns (proposing a configuration vs. authorizing it), employing multi-party authorization (MPA), and enforcing that only authorized configurations can be deployed. This results in a configuration management process that is decentralized on a human, decision-making level, and a technical, device level. However, due to different opinions or adversarial interference, the result of an MPA process can end in a conflict. This raises the question how such conflicts can be mediated in a better way than just employing majority voting, which is insufficient in certain situations. As an alternative, this paper introduces building blocks of customizable conflict mediation strategies which we integrated into our CMS TANCS . The conflict mediation functionality as well as the initial TANCS implementation run on top of the distributed ledger and smart contract framework Hyperledger Fabric which makes all processes resilient and tamper-resistant.