Cyber attacks targeting specific victims use multiple intrusion routes and various attack methods. In order to combat such diversified cyber attacks, Threat Intelligence is attracting attention. Attack activities, vulnerability information and other threat information are gathered, analyzed and organized in threat intelligence and it enables organizations to understand their risks. Integrated analysis of the threat information is needed to compose the threat intelligence. Threat information can be found in incident reports published by security vendors. However, it is difficult to analyze and compare their reports because they are described in various formats defined by each vendor. Therefore, in this paper, we apply a modeling framework for analyzing and deriving the relevance of the reports from the views of similarity and relation between the models. This paper presents the procedures of modeling incident information described in the reports. Moreover, as case studies, we apply the modeling method to some actual incident reports and compare their models.
Daiki ITO
PwC Cyber Services
Kenta NOMURA
PwC Cyber Services
Masaki KAMIZONO
PwC Cyber Services
Yoshiaki SHIRAISHI
Kobe University
Yasuhiro TAKANO
Kobe University
Masami MOHRI
Gifu University
Masakatu MORII
Kobe University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Daiki ITO, Kenta NOMURA, Masaki KAMIZONO, Yoshiaki SHIRAISHI, Yasuhiro TAKANO, Masami MOHRI, Masakatu MORII, "Modeling Attack Activity for Integrated Analysis of Threat Information" in IEICE TRANSACTIONS on Information, vol. E101-D, no. 11, pp. 2658-2664, November 2018, doi: 10.1587/transinf.2017ICP0015.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2017ICP0015/_p
@ARTICLE{e101-d_11_2658,
author={Daiki ITO and Kenta NOMURA and Masaki KAMIZONO and Yoshiaki SHIRAISHI and Yasuhiro TAKANO and Masami MOHRI and Masakatu MORII},
journal={IEICE TRANSACTIONS on Information},
title={Modeling Attack Activity for Integrated Analysis of Threat Information},
year={2018},
volume={E101-D},
number={11},
pages={2658-2664},
abstract={Cyber attacks targeting specific victims use multiple intrusion routes and various attack methods. In order to combat such diversified cyber attacks, Threat Intelligence is attracting attention. Attack activities, vulnerability information and other threat information are gathered, analyzed and organized in threat intelligence and it enables organizations to understand their risks. Integrated analysis of the threat information is needed to compose the threat intelligence. Threat information can be found in incident reports published by security vendors. However, it is difficult to analyze and compare their reports because they are described in various formats defined by each vendor. Therefore, in this paper, we apply a modeling framework for analyzing and deriving the relevance of the reports from the views of similarity and relation between the models. This paper presents the procedures of modeling incident information described in the reports. Moreover, as case studies, we apply the modeling method to some actual incident reports and compare their models.},
keywords={},
doi={10.1587/transinf.2017ICP0015},
ISSN={1745-1361},
month={November},}
TY - JOUR
TI - Modeling Attack Activity for Integrated Analysis of Threat Information
T2 - IEICE TRANSACTIONS on Information
SP - 2658
EP - 2664
AU - Daiki ITO
AU - Kenta NOMURA
AU - Masaki KAMIZONO
AU - Yoshiaki SHIRAISHI
AU - Yasuhiro TAKANO
AU - Masami MOHRI
AU - Masakatu MORII
PY - 2018
DO - 10.1587/transinf.2017ICP0015
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E101-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2018
AB - Cyber attacks targeting specific victims use multiple intrusion routes and various attack methods. In order to combat such diversified cyber attacks, Threat Intelligence is attracting attention. Attack activities, vulnerability information and other threat information are gathered, analyzed and organized in threat intelligence and it enables organizations to understand their risks. Integrated analysis of the threat information is needed to compose the threat intelligence. Threat information can be found in incident reports published by security vendors. However, it is difficult to analyze and compare their reports because they are described in various formats defined by each vendor. Therefore, in this paper, we apply a modeling framework for analyzing and deriving the relevance of the reports from the views of similarity and relation between the models. This paper presents the procedures of modeling incident information described in the reports. Moreover, as case studies, we apply the modeling method to some actual incident reports and compare their models.
ER -