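Computer science
Attribution
Computer security
Graph
Graph theory
Theoretical computer science
Psychology
Mathematics
Social psychology
Combinatorics
Authors
J. L. Duan, Yujie Luo, Zhicheng Zhang, Jianjian Peng
Identifier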
DOI:10.1145/3651671.3651707
Abstract
Cyber threat attribution is the process of associating a cyberattack with the threat groups. This process is essential for enhancing defense strategies and enabling rapid response to threats, making threat attribution a critical component of an effective network security defense system. Current methods often struggle to leverage the intricate relationships among threat behaviors or lack an attacker's feature extraction mechanism, resulting in the need for manual analysis of vast data, thereby presenting challenges in the face of the escalating number and complexity of attacks. To tackle these challenges, we propose HG-CTA, a novel cyber threat attribution method based on a heterogeneous graph. We first utilize cyber threat intelligence (CTI) to construct a heterogeneous knowledge base. Then we formalize threat attribution as a link prediction task on a heterogeneous graph and propose a metapath context based heterogeneous graph embedding method to extract features of attackers. Finally, attribution is achieved by inferring the relationship between the attackers and threat groups. Through experiments on a data set constructed from threat intelligence provided by AlienVault and MITRE ATT&CK, we demonstrate the effectiveness of our proposed attribution method compared with baseline models.