Abstract
Linking attacks to the actors responsible is a critical part of threat analysis. Threat attribution, however, is challenging. Attackers try to avoid detection and divert attention to mislead investigations. The trend of attackers using malicious services provided by third parties also makes it difficult to distinguish attackers from providers. In addition, a security team that relies on manual-only analysis risks overwhelming its analysts. As a result, the effective use of any trustworthy information for attribution is paramount, and automating this process is valuable. For this purpose, we propose an approach to perform automated attribution using a source of reliable information that is currently underutilised: the DNS patterns used by attackers. Our method creates recommendations based on similar patterns observed between a new incident and already attributed attacks, and then generates a list of the most similar attacks. We show that our approach can, at ten recommendations, achieve 0.8438 precision and 0.7378 accuracy. We also show that DNS patterns have a short lifespan, so they remain useful even in more recent knowledge bases.
Original language | English |
---|---|
Title | ARES '24 |
Subtitle | Proceedings of the 19th International Conference on Availability, Reliability and Security |
Place of production | New York |
Publisher | Association for Computing Machinery, Inc |
Number of pages | 11 |
ISBN (electronic) | 979-8-4007-1718-5 |
DOIs | |
Status | Published - 30 Jul 2024 |
Event | 19th International Conference on Availability, Reliability and Security, ARES 2024 - Vienna, Austria; Duration: 30 Jul 2024 → 2 Aug 2024 |
Conference
Conference | 19th International Conference on Availability, Reliability and Security, ARES 2024 |
---|---|
Country/Territory | Austria |
City | Vienna |
Period | 30/07/24 → 2/08/24 |