Fraunhofer-Gesellschaft

Publica


Hunting observable objects for indication of compromise

Authors: Sykosch, Arnold; Ohm, Marc; Meier, Michael

Published in:

Association for Computing Machinery -ACM-:
ARES 2018, 13th International Conference on Availability, Reliability and Security. Proceedings: Hamburg, Germany, August 27 - 30, 2018
New York: ACM, 2018
ISBN: 978-1-4503-6448-5
Art. 59
International Conference on Availability, Reliability and Security (ARES) <13, 2018, Hamburg>
Language: English
Type: Conference paper
Institute: Fraunhofer FKIE

Abstract
Shared Threat Intelligence is often imperfect. In particular, so-called Indicators of Compromise may not be well constructed. This can be the case either because the threat has only appeared recently and the available recordings do not allow high-quality Indicators to be constructed, or because the threat has only been observed by sharing partners who are less capable of modeling it. Intrusion detection based on such imperfect intelligence yields low-quality results. In this paper we illustrate how one can overcome these shortcomings in data quality and still achieve solid intrusion detection.
This is done by assigning individual weights to the observables listed in a STIX™ report to express their significance for detection. For evaluation, an automated toolchain was developed to mimic the Threat Intelligence sharing ecosystem, from initial detection through reporting, sharing, and determining compromise from STIX™-formatted data. Multiple strategies for detecting and attributing a specific threat are compared on this data, leading up to an approach that yields an F1 score of 0.79.

URL: http://publica.fraunhofer.de/dokumente/N-509793.html