Activity-Attack Graphs for Intelligence-Informed Threat COA Development

dc.contributor.author: Mckee, Cole
dc.contributor.author: Edie, Kelsie
dc.contributor.author: Duby, Adam
dc.date.accessioned: 2023-10-24T19:16:43Z
dc.date.available: 2023-10-24T19:16:43Z
dc.date.issued: 2023-03-08
dc.description.abstract: A threat course of action (COA) describes the likely tactics, techniques, and procedures (TTPs) an adversary may deploy across the cyber kill-chain. Threat COA development and analysis informs hunt teams, incident responders, and threat emulation efforts on likely activities the adversary will conduct during an attack. In this paper, we propose a novel approach to generate and evaluate threat COAs through association rule mining. We identify frequent TTP itemsets to create a set of activity groups that describe associations between TTPs. We overlay activity groups to create a directed and edge-weighted activity-attack graph. The graphs hypothesize various adversary avenues of attack, and the weighted edges inform the analyst's trust of a hypothesized TTP in the COA. Our research identifies meaningful associations between TTPs and provides an analytical approach to generating threat COAs. Further, our implementation uses the STIX framework for extensibility and usability in a variety of threat intelligence environments.
dc.description.sponsorship: Department of Electrical Engineering and Computer Science
dc.identifier.citation: C. Mckee, K. Edie and A. Duby, "Activity-Attack Graphs for Intelligence-Informed Threat COA Development," 2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2023, pp. 0598-0604, doi: 10.1109/CCWC57344.2023.10099277.
dc.identifier.doi: https://doi.org/10.1109/CCWC57344.2023.10099277
dc.identifier.uri: https://hdl.handle.net/20.500.14216/998
dc.publisher: IEEE
dc.relation.ispartof: 2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC)
dc.subject: Itemsets
dc.subject: Conferences
dc.subject: Emulation
dc.subject: Automatic generation control
dc.subject: Data collection
dc.subject: Extensibility
dc.subject: Usability
dc.title: Activity-Attack Graphs for Intelligence-Informed Threat COA Development
dc.type: proceedings-article
local.peerReviewed: Yes