Abstract
Linking attacks to the actors responsible for them is a critical part of threat analysis. Threat attribution, however, is challenging. Attackers try to avoid detection and divert attention to mislead investigations. The trend of attackers using malicious services provided by third parties also makes it difficult to distinguish between attackers and providers. In addition, a security team that relies on manual-only analysis risks overwhelming its analysts. As a result, making effective use of any trustworthy information for attribution is paramount, and automating this process is valuable. For this purpose, we propose an approach to automated attribution that draws on a reliable but currently underutilised source of information: the DNS patterns used by attackers. Our method builds recommendations from the similar patterns observed between a new incident and already attributed attacks, and then generates a list of the most similar attacks. We show that our approach can, at ten recommendations, achieve a precision of 0.8438 and an accuracy of 0.7378. We also show that DNS patterns have a short lifespan, so they remain useful even in more recent knowledge bases.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | ARES '24 |
| Subtitle of host publication | Proceedings of the 19th International Conference on Availability, Reliability and Security |
| Place of Publication | New York |
| Publisher | Association for Computing Machinery, Inc |
| Number of pages | 11 |
| ISBN (Electronic) | 979-8-4007-1718-5 |
| DOIs | |
| Publication status | Published - 30 Jul 2024 |
| Event | 19th International Conference on Availability, Reliability and Security, ARES 2024 - Vienna, Austria. Duration: 30 Jul 2024 → 2 Aug 2024 |
Conference
| Field | Value |
|---|---|
| Conference | 19th International Conference on Availability, Reliability and Security, ARES 2024 |
| Country/Territory | Austria |
| City | Vienna |
| Period | 30/07/24 → 2/08/24 |