From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts

Moumita Das Purba; Bill Chu; Ehab Al-Shaer

doi:10.1109/ISI49825.2020.9280541

From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts

Moumita Das Purba
, Bill Chu
, Ehab Al-Shaer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

Much of the vital information about emerging threats and the corresponding defensive measures are contained in large volumes of natural language texts online. Capturing such actionable intelligence in real-time is critical to prevent large scale attacks automatically. The ATTCK framework is a widely recognized standard to catalog technical details of cyber threats and deploy mitigating measures. A technique in ATTCK specifies a set of adversary actions to achieve a particular goal, such as Exfiltration over Command and Control channel. Details of the technique include encrypted traffic and encoded data. A key challenge in identifying such cyber intelligence from natural language texts is that for a given action, such as encrypted traffic, many alternative expressions are possible (e.g., send using a self-signed certificate, send using HTTPS requests). It is not practical to manually provide an exhaustive list of all such variants. We demonstrate that using cyber-phrase embedding on a cybersecurity text corpus is a promising approach to overcome such difficulties. Our evaluation demonstrates that our model outperforms existing models. We have created an open-source project to make our tools and data available for the cybersecurity research community.

Original language	English
Title of host publication	Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781728188003
DOIs	https://doi.org/10.1109/ISI49825.2020.9280541
State	Published - 9 Nov 2020
Externally published	Yes
Event	18th IEEE International Conference on Intelligence and Security Informatics, ISI 2020 - Virtual, Arlington, United States Duration: 9 Nov 2020 → 10 Nov 2020

Publication series

Name	Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020

Conference

Conference	18th IEEE International Conference on Intelligence and Security Informatics, ISI 2020
Country/Territory	United States
City	Virtual, Arlington
Period	9/11/20 → 10/11/20

Bibliographical note

Publisher Copyright:
© 2020 IEEE.

Keywords

CK Framework
Cyber attack
Cyber threat intelligence
MITRE ATT
NLP
Text mining
Word Embedding

ASJC Scopus subject areas

Information Systems and Management
Safety, Risk, Reliability and Quality
Computer Networks and Communications
Computer Vision and Pattern Recognition
Information Systems

Access to Document

10.1109/ISI49825.2020.9280541

Cite this

Das Purba, M., Chu, B., & Al-Shaer, E. (2020). From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts. In Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020 Article 9280541 (Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISI49825.2020.9280541

Das Purba, Moumita ; Chu, Bill ; Al-Shaer, Ehab. / From Word Embedding to Cyber-Phrase Embedding : Comparison of Processing Cybersecurity Texts. Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020. Institute of Electrical and Electronics Engineers Inc., 2020. (Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020).

@inproceedings{e183b1909a4b4ed1aa36953a9704423f,

title = "From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts",

abstract = "Much of the vital information about emerging threats and the corresponding defensive measures are contained in large volumes of natural language texts online. Capturing such actionable intelligence in real-time is critical to prevent large scale attacks automatically. The ATTCK framework is a widely recognized standard to catalog technical details of cyber threats and deploy mitigating measures. A technique in ATTCK specifies a set of adversary actions to achieve a particular goal, such as Exfiltration over Command and Control channel. Details of the technique include encrypted traffic and encoded data. A key challenge in identifying such cyber intelligence from natural language texts is that for a given action, such as encrypted traffic, many alternative expressions are possible (e.g., send using a self-signed certificate, send using HTTPS requests). It is not practical to manually provide an exhaustive list of all such variants. We demonstrate that using cyber-phrase embedding on a cybersecurity text corpus is a promising approach to overcome such difficulties. Our evaluation demonstrates that our model outperforms existing models. We have created an open-source project to make our tools and data available for the cybersecurity research community.",

keywords = "CK Framework, Cyber attack, Cyber threat intelligence, MITRE ATT, NLP, Text mining, Word Embedding",

author = "\{Das Purba\}, Moumita and Bill Chu and Ehab Al-Shaer",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 18th IEEE International Conference on Intelligence and Security Informatics, ISI 2020 ; Conference date: 09-11-2020 Through 10-11-2020",

year = "2020",

month = nov,

day = "9",

doi = "10.1109/ISI49825.2020.9280541",

language = "English",

series = "Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020",

address = "United States",

}

Das Purba, M, Chu, B & Al-Shaer, E 2020, From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts. in Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020., 9280541, Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020, Institute of Electrical and Electronics Engineers Inc., 18th IEEE International Conference on Intelligence and Security Informatics, ISI 2020, Virtual, Arlington, United States, 9/11/20. https://doi.org/10.1109/ISI49825.2020.9280541

From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts. / Das Purba, Moumita; Chu, Bill; Al-Shaer, Ehab.
Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020. Institute of Electrical and Electronics Engineers Inc., 2020. 9280541 (Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - From Word Embedding to Cyber-Phrase Embedding

T2 - 18th IEEE International Conference on Intelligence and Security Informatics, ISI 2020

AU - Das Purba, Moumita

AU - Chu, Bill

AU - Al-Shaer, Ehab

PY - 2020/11/9

Y1 - 2020/11/9

N2 - Much of the vital information about emerging threats and the corresponding defensive measures are contained in large volumes of natural language texts online. Capturing such actionable intelligence in real-time is critical to prevent large scale attacks automatically. The ATTCK framework is a widely recognized standard to catalog technical details of cyber threats and deploy mitigating measures. A technique in ATTCK specifies a set of adversary actions to achieve a particular goal, such as Exfiltration over Command and Control channel. Details of the technique include encrypted traffic and encoded data. A key challenge in identifying such cyber intelligence from natural language texts is that for a given action, such as encrypted traffic, many alternative expressions are possible (e.g., send using a self-signed certificate, send using HTTPS requests). It is not practical to manually provide an exhaustive list of all such variants. We demonstrate that using cyber-phrase embedding on a cybersecurity text corpus is a promising approach to overcome such difficulties. Our evaluation demonstrates that our model outperforms existing models. We have created an open-source project to make our tools and data available for the cybersecurity research community.

AB - Much of the vital information about emerging threats and the corresponding defensive measures are contained in large volumes of natural language texts online. Capturing such actionable intelligence in real-time is critical to prevent large scale attacks automatically. The ATTCK framework is a widely recognized standard to catalog technical details of cyber threats and deploy mitigating measures. A technique in ATTCK specifies a set of adversary actions to achieve a particular goal, such as Exfiltration over Command and Control channel. Details of the technique include encrypted traffic and encoded data. A key challenge in identifying such cyber intelligence from natural language texts is that for a given action, such as encrypted traffic, many alternative expressions are possible (e.g., send using a self-signed certificate, send using HTTPS requests). It is not practical to manually provide an exhaustive list of all such variants. We demonstrate that using cyber-phrase embedding on a cybersecurity text corpus is a promising approach to overcome such difficulties. Our evaluation demonstrates that our model outperforms existing models. We have created an open-source project to make our tools and data available for the cybersecurity research community.

KW - CK Framework

KW - Cyber attack

KW - Cyber threat intelligence

KW - MITRE ATT

KW - NLP

KW - Text mining

KW - Word Embedding

UR - https://www.scopus.com/pages/publications/85098932438

U2 - 10.1109/ISI49825.2020.9280541

DO - 10.1109/ISI49825.2020.9280541

M3 - Conference contribution

AN - SCOPUS:85098932438

T3 - Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020

BT - Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 9 November 2020 through 10 November 2020

ER -

Das Purba M, Chu B, Al-Shaer E. From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts. In Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020. Institute of Electrical and Electronics Engineers Inc. 2020. 9280541. (Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020). doi: 10.1109/ISI49825.2020.9280541

From Word Embedding to Cyber-Phrase Embedding: Comparison of Processing Cybersecurity Texts

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this