Exploiting TTP Co-Occurrence via GloVe-Based Embedding with MITRE ATT&CK Framework

Abstract

The digital transformation of various systems has brought great convenience to our daily lives, but it has also increased the level of cyberattacks. As the number of cyberattacks has increased, so has the number of reports analyzing them, MITRE publishes the ATT&CK Matrix which analyzes the tactics and techniques of attacks based on real-world examples. As the flow of attacks has become more understandable through TTP information, researchers have been using it with deep learning models to detect or predict attacks, which makes embedding essential to train the model. In previous studies on embedding TTPs, embedding is limited to simple statistical methods such as one-hot encoding and TF-IDF. Such methods do not consider the order of TTPs and the conceptual similarity between TTPs, therefore do not capture the rich information that TTPs contain. In this paper, we propose embedding TTP with GloVe, a method using a co-occurrence matrix. To properly evaluate the semantic embedding performance of TTP, we also propose a measurement called Tactic Match Rate (TMR). In the experimental results, 8 out of 14 tactics showed a TMR of more than 0.5. Especially the 'TA0007 (Discovery)' tactic showed the highest TMR of 0.87. Through correlation analysis, the experimental result shows that the reason for the different embedding performances of the tactic is affected by the frequency of the technique in the same tactic, with at most a 0.96 score. We also experimentally demonstrated that the neutrality of TTP affects learning performance.