A System for Efficiently Hunting for Cyber Threats in Computer Systems Using Threat Intelligence
This work addresses the challenge of detecting sophisticated cyber attacks for security analysts, but it is incremental as it builds upon existing system auditing frameworks and focuses on automating processes rather than introducing a new paradigm.
The paper tackles the problem of inefficient log-based cyber threat hunting by developing ThreatRaptor, a system that uses open-source Cyber Threat Intelligence (OSCTI) to automate query construction and execution, resulting in a system that reduces manual effort and improves hunting efficiency.
Log-based cyber threat hunting has emerged as an important solution to counter sophisticated cyber attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external knowledge about threat behaviors provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. Built upon mature system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors, and (4) an efficient query execution engine to search the big system audit logging data.