Association ruleset formulation for cyberattack attribution process in cyber threat intelligence using apriori algorithm

Bibliographic Details
Main Author: Abu, Md Sahrom
Format: Thesis (Master's)
Institution: Universiti Teknikal Malaysia Melaka
Language: English
Published: 2021
Subjects: Q Science (General); QA Mathematics
Online Access: http://eprints.utem.edu.my/id/eprint/26021/
https://plh.utem.edu.my/cgi-bin/koha/opac-detail.pl?biblionumber=121151
Full Text (PDF, access restricted): http://eprints.utem.edu.my/id/eprint/26021/1/Association%20ruleset%20formulation%20for%20cyberattack%20attribution%20process%20in%20cyber%20threat%20intelligence%20using%20apriori%20algorithm.pdf
http://eprints.utem.edu.my/id/eprint/26021/2/Association%20ruleset%20formulation%20for%20cyberattack%20attribution%20process%20in%20cyber%20threat%20intelligence%20using%20apriori%20algorithm.pdf
Abstract

The current threat landscape shows that rapidly evolving cyberattacks, and the Tactics, Techniques and Procedures (TTPs) adversaries use, are becoming less predictable, more persistent, more resourceful, financially motivated and better funded. Many organisations have started to incorporate Cyber Threat Intelligence (CTI) into their security posture in order to attribute cyberattacks effectively. However, the massive volume of data from threat intelligence feeds is patchy and of undependable quality. This volume of data can make it ineffective to identify the attribution level of a cyberattack, because useful data is scarce across the various sources. To fully leverage CTI for threat attribution, an organisation needs to focus on discovering the knowledge hidden in that data. Hence, this thesis focuses mainly on the relationships between data in CTI, with the aim of investigating the critical CTI processes involved in cyberattack attribution and formulating an association ruleset to perform the attribution process. First, an analysis of CTI frameworks was conducted to classify the critical CTI processes involved in cyberattack attribution. Based on these critical processes, an experiment was designed to produce cyberattack attribution through two stages: data preprocessing and association analysis. In data preprocessing, data collected from various sources was cleaned and converted into the format required for analysis, and this output became the input to the association analysis. The Apriori algorithm was then used to formulate the association ruleset, known as the CTI Association Ruleset (CTI-AR).

The CTI-AR was evaluated and validated experimentally to verify its effectiveness in identifying the cyberattack attribution level. The results showed that CTI-AR effectively identifies the attributes, the relationships between attributes, and the attribution level group of a cyberattack in CTI. This confirmed that CTI-AR can identify strong and meaningful associations between basic indicators of compromise (IOCs) in network traffic and TTPs, which can support cyberattack attribution. This research has a high potential to be extended into the cyber threat hunting process, providing a more proactive cybersecurity environment.
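The abstract describes mining association rules with Apriori between basic IOC attributes in network traffic, TTP labels and an attribution level group. The following is an added illustration of that pipeline, not the thesis's code, dataset or CTI-AR: a minimal Apriori implementation (frequent itemsets by minimum support, rules by confidence and lift) run over six constructed "transactions", each the set of attributes observed for one network event, with rules restricted to a chosen consequent type (TTP or group), followed by an attribution step that applies the ruleset to a new event and returns nothing when no rule fires. All item names, records, thresholds and function names are assumptions made here.

```python
"""Apriori-style association rules over CTI attribute sets.

Added illustration, not the thesis's code or dataset. Each transaction is the
set of attributes observed for one network event: basic IOC attributes
(protocol, destination port, a beaconing/query feature), a TTP label and an
attribution level group. Item names, records and thresholds are constructed.
"""
from itertools import combinations

# Constructed sample transactions (six events; not from the thesis).
TRANSACTIONS = [
    {"proto:tcp", "dport:443", "beacon:periodic", "ttp:c2_https", "group:A"},
    {"proto:tcp", "dport:443", "beacon:periodic", "ttp:c2_https", "group:A"},
    {"proto:tcp", "dport:443", "beacon:periodic", "ttp:c2_https", "group:A"},
    {"proto:udp", "dport:53", "txt_query:long", "ttp:dns_tunnel", "group:B"},
    {"proto:udp", "dport:53", "txt_query:long", "ttp:dns_tunnel", "group:B"},
    {"proto:tcp", "dport:443", "beacon:none", "ttp:web_browsing", "group:benign"},
]


def support(itemset, transactions):
    """Fraction of transactions that contain every item of `itemset`."""
    itemset = frozenset(itemset)
    return sum(1 for t in transactions if itemset <= t) / len(transactions)


def apriori(transactions, min_support):
    """Return {frozenset(items): support} for every itemset with support >= min_support.

    Level-wise search: k-itemset candidates are joined from frequent
    (k-1)-itemsets and kept only if all their (k-1)-subsets are frequent.
    Support is anti-monotone, so this pruning never discards a frequent set.
    """
    singletons = {frozenset([item]) for t in transactions for item in t}
    current = {s for s in singletons if support(s, transactions) >= min_support}
    frequent = {s: support(s, transactions) for s in current}
    k = 2
    while current:
        ordered = sorted(current, key=sorted)  # deterministic candidate order
        candidates = set()
        for a, b in combinations(ordered, 2):
            union = a | b
            if len(union) != k:
                continue
            if all(frozenset(sub) in current for sub in combinations(union, k - 1)):
                candidates.add(union)
        current = set()
        for cand in candidates:
            sup = support(cand, transactions)
            if sup >= min_support:
                frequent[cand] = sup
                current.add(cand)
        k += 1
    return frequent


def rules(frequent, min_confidence, consequent_prefix="ttp:"):
    """Rules X -> y whose single consequent item has the chosen prefix.

    Returns (antecedent_tuple, consequent, support, confidence, lift), sorted by
    confidence then support. Every subset of a frequent itemset is itself in
    `frequent`, so the two lookups below cannot miss.
    """
    out = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for y in itemset:
            if not y.startswith(consequent_prefix):
                continue
            x = itemset - {y}
            confidence = sup / frequent[x]
            lift = confidence / frequent[frozenset([y])]
            if confidence >= min_confidence:
                out.append((tuple(sorted(x)), y, sup, confidence, lift))
    return sorted(out, key=lambda r: (-r[3], -r[2], r[0]))


def attribute(observed, rule_list):
    """Apply the ruleset to a new event: the consequent of the strongest rule
    whose antecedent is fully observed, or None when no rule fires (report
    insufficient evidence rather than force a guess)."""
    observed = set(observed)
    fired = [r for r in rule_list if set(r[0]) <= observed]
    if not fired:
        return None
    best = max(fired, key=lambda r: (r[3], r[2], len(r[0])))
    return best[1]


if __name__ == "__main__":
    freq = apriori(TRANSACTIONS, min_support=0.3)
    for x, y, sup, conf, lift in rules(freq, min_confidence=0.8):
        print(f"{' & '.join(x)} -> {y}  support={sup:.2f} confidence={conf:.2f} lift={lift:.2f}")
    group_rules = rules(freq, min_confidence=0.8, consequent_prefix="group:")
    print(attribute({"proto:udp", "dport:53", "txt_query:long"}, group_rules))  # group:B
    print(attribute({"proto:tcp", "dport:443"}, group_rules))  # None
```

With these thresholds the single benign event never becomes frequent, so no rule is learned from it, and a new event showing only `proto:tcp` and `dport:443` is left unattributed: those two attributes predict `group:A` with only 0.75 confidence because the benign HTTPS session shares them, which is exactly the kind of weak, high-support association a minimum-confidence cut is meant to drop before a ruleset is used for attribution. Lift above 1 (3.0 for `dport:53 -> ttp:dns_tunnel` here) separates a genuinely informative rule from one that merely reflects a common consequent.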
Citation: Abu, Md Sahrom (2021) Association ruleset formulation for cyberattack attribution process in cyber threat intelligence using apriori algorithm. Masters thesis, Universiti Teknikal Malaysia Melaka.
Repository Record: utem-26021 (EPrints; record last updated 2022-09-29)