Clustering APT Groups Through Cyber Threat Intelligence by Weighted Similarity Measurement

Zheng-Shao Chen; R. Vaitheeshwari; Eric Hsiao-Kuang Wu; Ying-Dar Lin; Ren-Hung Hwang; Po-Ching Lin; Yuan-Cheng Lai; Asad Ali

doi:10.1109/ACCESS.2024.3469552

IEEE Access (Jan 2024)

Clustering APT Groups Through Cyber Threat Intelligence by Weighted Similarity Measurement

Zheng-Shao Chen,
R. Vaitheeshwari,
Eric Hsiao-Kuang Wu,
Ying-Dar Lin,
Ren-Hung Hwang,
Po-Ching Lin,
Yuan-Cheng Lai,
Asad Ali

Affiliations

Zheng-Shao Chen: Department of Computer Science and Information Engineering, National Central University, Taoyuan, Taiwan
R. Vaitheeshwari: ORCiD; Department of Computer Science and Information Engineering, National Central University, Taoyuan, Taiwan
Eric Hsiao-Kuang Wu: ORCiD; Department of Computer Science and Information Engineering, National Central University, Taoyuan, Taiwan
Ying-Dar Lin: ORCiD; Department of Computer Science, National Yang Ming Chiao Tung University, Hsinchu, Taiwan
Ren-Hung Hwang: ORCiD; College of Artificial Intelligence, National Yang Ming Chiao Tung University, Tainan, Taiwan
Po-Ching Lin: ORCiD; Department of Computer Science and Information Engineering, National Chung Cheng University, Chiayi, Taiwan
Yuan-Cheng Lai: ORCiD; Department of Information Management, National Taiwan University of Science and Technology, Taipei, Taiwan
Asad Ali: National Institute of Cyber Security, Ministry of Digital Affairs, Taipei, Taiwan

DOI: https://doi.org/10.1109/ACCESS.2024.3469552
Journal volume & issue: Vol. 12
pp. 141851 – 141865

Abstract

Read online

Advanced Persistent Threat (APT) groups pose significant cybersecurity threats due to their sophisticated and persistent nature. This study introduces a novel methodology to understand their collaborative patterns and shared objectives, which is crucial for developing robust defense mechanisms. We utilize MITRE ATT&CK Techniques, software, target nations, and industries as our primary features to understand the characteristics of APT groups. Since essential information is often buried within the unstructured data of Cyber Threat Intelligence (CTI) reports, we employ Natural Language Processing (NLP) and Named Entity Recognition (NER) to extract relevant data. To analyze and interpret the complex relationships between APT groups, we compute similarity among the features using weighted cosine similarity metrics and Machine Learning (ML) models, enhanced by feature crosses and feature selection strategies. Subsequently, hierarchical clustering is used to group APTs based on their similarity scores, helping to identify common behaviors and uncover deeper relationships. Our methodology demonstrates notable clustering performance, with a silhouette coefficient of 0.76, indicating strong intra-cluster similarity. The Adjusted Rand Index (ARI) of 0.63, though moderate, effectively measures agreement between our clustering and the ground truth. These metrics provide robust validation, surpassing commonly recognized benchmarks for effective clustering in cybersecurity. Our methodology successfully classifies 23 distinct APT groups into six clusters, highlighting the importance of techniques and industry features in the clustering process. Notably, techniques such as T1059 (Command and Scripting Interpreter) and T1036 (Masquerading) are prevalently deployed, observed in 18 out of 23 APT groups across all six clusters.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords