Engineering Science and Technology, an International Journal (Sep 2024)

APT-scope: A novel framework to predict advanced persistent threat groups from enriched heterogeneous information network of cyber threat intelligence

  • Burak Gulbay,
  • Mehmet Demirci

Journal volume & issue
Vol. 57
p. 101791

Abstract


Addressing the expanding Advanced Persistent Threat (APT) landscape is crucial for governments, enterprises and threat intelligence research groups. While defenders often rely on tabular formats for assets such as logs, alerts and firewall rules, attackers think in terms of graphs. In this work we propose a novel multistage framework named APT-Scope, which applies a comprehensive Cyber Threat Intelligence (CTI) analysis to qualified real-world data. The APT-Scope workflow consists of data gathering, enrichment and analysis stages, in which relationships between entities are used to construct a Heterogeneous Information Network (HIN). We enrich the CTI with additional active data collection techniques, including DNS and Whois lookups, port scans, SSL footprinting and named entity recognition with spaCy, and build a machine learning pipeline that predicts relationships between entities using FastRP node embeddings and logistic regression. By analysing the resulting HIN, we discovered aliases for APT groups and predicted the threat actors behind APT attacks with unknown perpetrators. The link prediction model reaches an AUCPR of 96.57% on the training set and 92.36% on the test set. Our work helps oversee the entire APT landscape, steer ongoing and future CTI operations and support strategic decisions.
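The following is an added, self-contained sketch of the analysis stage the abstract describes (HIN of CTI entities, FastRP-style embeddings, logistic-regression link prediction, attribution of an attack with unknown perpetrator). It is not the authors' code: the graph is a constructed toy, FastRP is re-implemented in plain Python as an iteration-weighted sparse random projection over the degree-normalised adjacency, logistic regression is trained by gradient descent on Hadamard-product edge features, and negative edges are sampled uniformly from non-edges. The entity names, the `weights` schedule and the seed are assumptions; nothing here reproduces the paper's data or its AUCPR figures.

```python
"""
Toy APT-Scope-style pipeline: heterogeneous CTI graph -> FastRP-style
embeddings -> logistic-regression link prediction -> actor attribution.
Illustrative, standard library only, constructed sample data.
"""
import math
import random
from itertools import combinations

# Constructed sample HIN (not real CTI). Node -> entity type.
NODES = {
    "APT-A": "apt", "APT-B": "apt",
    "mal.exe": "malware", "loader.dll": "malware", "rat.bin": "malware",
    "update-cdn.example": "domain", "auth-portal.example": "domain",
    "news-feed.example": "domain",
    "203.0.113.10": "ip", "198.51.100.7": "ip",
    "incident-2024-17": "attack",   # perpetrator unknown
    "incident-2023-04": "attack",   # attributed to APT-A
    "incident-2023-09": "attack",   # attributed to APT-B
}
# Undirected relations (uses, resolves-to, attributed-to, observed-in).
EDGES = [
    ("APT-A", "mal.exe"), ("APT-A", "loader.dll"), ("APT-A", "update-cdn.example"),
    ("APT-B", "rat.bin"), ("APT-B", "news-feed.example"),
    ("update-cdn.example", "203.0.113.10"), ("auth-portal.example", "203.0.113.10"),
    ("news-feed.example", "198.51.100.7"),
    ("incident-2023-04", "APT-A"), ("incident-2023-04", "mal.exe"),
    ("incident-2023-09", "APT-B"), ("incident-2023-09", "rat.bin"),
    ("incident-2024-17", "loader.dll"), ("incident-2024-17", "auth-portal.example"),
]


def fastrp(nodes, edges, dim=16, weights=(0.5, 1.0, 1.0), seed=7):
    """FastRP-style embedding: sparse random projection propagated over
    D^-1 A for len(weights) hops, summed with per-hop weights (assumed schedule)."""
    rng = random.Random(seed)
    idx = {n: i for i, n in enumerate(nodes)}
    adj = [[] for _ in nodes]
    for u, v in edges:
        adj[idx[u]].append(idx[v])
        adj[idx[v]].append(idx[u])
    s = math.sqrt(3)  # Achlioptas projection: +-sqrt(3) with prob 1/6 each, else 0
    cur = [[rng.choice((s, -s, 0.0, 0.0, 0.0, 0.0)) for _ in range(dim)] for _ in nodes]
    emb = [[0.0] * dim for _ in nodes]
    for w in weights:
        # one hop of degree-normalised propagation; isolated nodes stay at zero
        cur = [[sum(cur[j][d] for j in adj[i]) / max(len(adj[i]), 1)
                for d in range(dim)] for i in range(len(nodes))]
        for i in range(len(nodes)):
            for d in range(dim):
                emb[i][d] += w * cur[i][d]
    out = {}
    for name, i in idx.items():  # L2-normalise so edge features are bounded
        norm = math.sqrt(sum(x * x for x in emb[i])) or 1.0
        out[name] = [x / norm for x in emb[i]]
    return out


def hadamard(a, b):
    return [x * y for x, y in zip(a, b)]


def predict_proba(w, b, x):
    z = b + sum(wi * xi for wi, xi in zip(w, x))
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(samples, epochs=300, lr=0.5):
    """Batch gradient descent on (feature_vector, label) pairs."""
    dim = len(samples[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in samples:
            err = predict_proba(w, b, x) - y
            for d in range(dim):
                gw[d] += err * x[d]
            gb += err
        w = [wd - lr * g / len(samples) for wd, g in zip(w, gw)]
        b -= lr * gb / len(samples)
    return w, b


def build_training_set(nodes, edges, emb, seed=7):
    """Positives: observed edges. Negatives: an equal number of sampled non-edges."""
    rng = random.Random(seed)
    present = {frozenset(e) for e in edges}
    samples = [(hadamard(emb[u], emb[v]), 1.0) for u, v in edges]
    absent = [p for p in combinations(nodes, 2) if frozenset(p) not in present]
    samples += [(hadamard(emb[u], emb[v]), 0.0) for u, v in rng.sample(absent, len(edges))]
    return samples


def predict_actor(attack, nodes=NODES, edges=EDGES, seed=7):
    """Rank APT nodes by predicted probability of an attack -> apt link."""
    names = list(nodes)
    emb = fastrp(names, edges, seed=seed)
    w, b = train_logreg(build_training_set(names, edges, emb, seed=seed))
    apts = [n for n, t in nodes.items() if t == "apt"]
    ranked = [(a, predict_proba(w, b, hadamard(emb[attack], emb[a]))) for a in apts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for actor, p in predict_actor("incident-2024-17"):
        print(f"{actor}: {p:.3f}")
```

The toy trains on every observed edge and then scores candidate pairs, which is fine for attribution but says nothing about generalisation; to report train and test AUCPR as the paper does, hold out a fraction of edges (and an equal number of sampled non-edges) before calling `train_logreg`, and make sure the held-out edges are also removed from the graph before computing embeddings, otherwise the embeddings leak the answer.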

Keywords