Research Progress in Data-Driven Threat Hunting Language Models

doi:10.11871/jfdc.issn.2096-742X.2022.05.011

Abstract

Abstract:

[Objective] This paper summarizes the research progress of language models for proactive threat hunting driven by data, and provides technical foresight for the detection and source tracing of advanced threats. [Methods] This study combines the frontier academic and industrial progress of cyber security, introduces and summarizes related research from multiple levels such as the evaluation metric construction for threat hunting, the fusion of multi-modal, multi-dimensional, and multi-source data, the dependency explosion mitigation and analysis, and finally the modeling of multi-modal threat hunting language. [Results] Combining the key requirements of threat hunting and related technology trends, the supported data types, model types, modeling methods, timeliness, and other dimensions of the research status and future works of data-driven threat hunting and language models are comprehensively summarized. [Conclusions] In the face of threat detection and forensic scenarios for adversarial APT attacks, on one hand, it is necessary to build a multi-source heterogeneous fusion data infrastructure and solve the problem of data dependence explosion. On the other hand, it is still necessary to explore standardized and flexible language models to support the unified analysis of multi-modal, multi-source, and multi-dimensional data.

Key words: threat hunting, security operations, advanced persistent threats

ZHANG Runzi,KANG Bin. Research Progress in Data-Driven Threat Hunting Language Models[J]. Frontiers of Data and Computing, 2022, 4(5): 98-107, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2022.05.011.

Figures/Tables 8

Table 1

Fig.1

Fig.2

Fig.3

Fig.4

Fig.5

Table 2

Fig.6

References 16

[1]	John Caimano, Kerry Matre. Your Metrics Suck! 5 Sec-Ops Metrics That Are Better Than MTTR[EB/OL]. (2020-06-23).[2021-06-12]. https://www.rsaconference.com/Library/presentation/USA/2021/your-metrics-suck-5-secops-metrics-that-are-better-than-mttr.
[2]	Gartner. Hype Cycle for Security Operations, 2020[EB/OL]. (2020-06-23).[2021-06-12]. https://www.gartner.com/en/documents/3986721/hype-cycle-for-security-operations-2020.
[3]	Greg Young. The Skeptic’s Guide to Using XDR to Get Zero Trust[EB/OL]. (2021-05-19).[2021-06-12]. https://www.rsaconference.com/library/Presentation/USA/2021/the-skeptics-guide-to-using-xdr-to-get-zero-trust.
[4]	Alsaheel A, Nan Y, Ma S, et al. {ATLAS}: A Sequence-based Learning Approach for Attack Investigation[C]. 30th {USENIX} Security Symposium ({USENIX} Sec-urity 21), 2021.
[5]	OASIS. Introduction to STIX[EB/OL]. (2021-05-20).[2021-06-12]. https://oasis-open.github.io/cti-doc-umen-tation/stix/intro.html.
[6]	The MITRE Corporation. Malware Attribute Enumeration and Characterization[EB/OL]. (2017-10-09).[2021-06-12]. https://oasis-open.github.io/cti-documentation/stix/intro.html.
[7]	The MITRE Corporation. ATT&CK[EB/OL]. (2017-5-17). [2021-06-12]https://attack.mitre.org/.
[8]	The Open Cybersecurity Alliance. ATT&opencybersecu-rityalliance/kestrel-lang[EB/OL]. (2017-5-19).[2021-06-12]. https://github.com/IBM/kestrel-lang.
[9]	Endgame. endgameinc/eql[EB/OL]. (2019-11-02).[2021-06-12]. https://github.com/endgameinc/eql.
[10]	Noel S, Harley E, Tam K H, et al. CyGraph: graph-based analytics and visualization for cybersecurity[M]. Handbook of Statistics: Elsevier, 2016: 117-167.
[11]	Shu X, Araujo F, Schales D L, et al. Threat Intelligence Computing[C]. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018: 1883-1898.
[12]	Sigma. SigmaHQ/sigma[EB/OL].(2019-01-10).[2021-06-12]. https://github.com/SigmaHQ/sigma.
[13]	Flink. FlinkCEP - Complex event processing for Flink[EB/OL]. (2019-05-03).[2021-06-12]. https://ci.apache.org/projects/flink/flink-docs-stable/dev/libs/cep.html.
[14]	Gao P, Shao F, Liu X, et al. Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence[J]. arXiv preprint arXiv:2010.13637, 2020.
[15]	Gao P, Xiao X, Li D, et al. {SAQL}: A stream-based query system for real-time abnormal system behavior detection[C]. 27th {USENIX} Security Symposium ({USENIX} Security 18), 2018: 639-656.
[16]	Gao P, Xiao X, Li Z, et al. {AIQL}: Enabling efficient attack investigation from system monitoring data[C]. 2018 {USENIX} Annual Technical Conference ({USE-NIX}{ATC} 18), 2018: 113-126.

监控维度	分项名称
分析活动 Analyst Activity	Events Per Analyst Hour (EPAH)
	Handling time per alert per stage per analyst
	Incidents by severity
	Severity updates
运营卫生 Hygiene	Unused rules
	Duplicate rules
	Top 10 and bottom 10
	# of tunes per technology
实现价值 Realized Value	% of features used
	% of visible traffic
	New use cases/alerts resulting from Threat Intel feeds
	Backlog of undeployed technology
过程偏离 Process Deviation	SOC procedure deviation
	Automation failures
	Training for consistency
	Certifications and continuous learning
分析负载分布 Analyst Work Distribution	Distribution of alerts per analyst
	Source of alerts
	Time spent according to 30/30/30 model
	Team structure

名称	数据类型				支持的模式类型					实时性			特性
名称	行为	环境	情报	知识	单点	集合	序列	静态图	时序图	模型	流式	批式	特性
Kestrel[8]	√	√	√		√	√		√		√		√	IBM Threat Hunting Language开源项目基于Jupyter notebook交互式实现Event Query Language
EQL[9]	√				√	√	√				√		无结构约束（Schema-independent）Elastic/Endgame终端分析开源实现CyGraph Query Language
CyQL[10]	√	√	√	√				√				√	基于MITRE CYGraph多源异构图架构
τ-calculus[11]	√	√	√		√	√	√	√	√			√	基于IBM Threat Intelligence Comput-ing时序图分析引擎
Sigma[12]	√				√	√						√	Generic Signature Formats for SIEM Systems应用层指纹识别格式语言
Flink CEP[13]	√	√	√		√	√	√				√	√	通用流式分析引擎灵的序列模式支持
TBQL [14]	√		√		√			√				√	Threat Behavior Query Language面向情报要素提取与匹配
SAQL [15]	√				√	√				√	√		Stream based Anornaly Query Language 异常检测专用语言,支持多种类型异常分析
AIQL[16]	√				√	√				√		√	Attack Investigation Query Language 与SAQL同体系架构