CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs

Shota Fujii; Nobutaka Kawaguchi; Tomohiro Shigemoto; Toshihiro Yamauchi

doi:10.1007/978-3-031-15255-9_5

CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs

Shota Fujii, Nobutaka Kawaguchi, Tomohiro Shigemoto, Toshihiro Yamauchi

School of Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Cybersecurity threats have been increasing and growing more sophisticated year by year. In such circumstances, gathering Cyber Threat Intelligence (CTI) and following up with up-to-date threat information is crucial. Structured CTI such as Structured Threat Information eXpression (STIX) is particularly useful because it can automate security operations such as updating FW/IDS rules and analyzing attack trends. However, as most CTIs are written in natural language, manual analysis with domain knowledge is required, which becomes quite time-consuming. In this work, we propose CyNER, a method for automatically structuring CTIs and converting them into STIX format. CyNER extracts named entities in the context of CTI and then extracts the relations between named entities and IOCs in order to convert them into STIX. In addition, by using key phrase extraction, CyNER can extract relations between IOCs that lack contextual information, such as those listed at the bottom of a CTI, and named entities. We describe our design and implementation of CyNER and demonstrate that it can extract named entities with the F-measure of 0.80 and extract relations between named entities and IOCs with the maximum accuracy of 81.6%. Our analysis of structured CTI showed that CyNER can extract IOCs that are not included in existing reputation sites, and that it can automatically extract IOCs that have been exploited for a long time and across multiple attack groups. CyNER is thus expected to contribute to the efficiency of CTI analysis.

Original language	English
Title of host publication	Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings
Editors	Chen-Mou Cheng, Mitsuaki Akiyama
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	85-104
Number of pages	20
ISBN (Print)	9783031152542
DOIs	https://doi.org/10.1007/978-3-031-15255-9_5
Publication status	Published - 2022
Event	17th International Workshop on Security, IWSEC 2022 - Tokyo, Japan Duration: Aug 31 2022 → Sept 2 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13504 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th International Workshop on Security, IWSEC 2022
Country/Territory	Japan
City	Tokyo
Period	8/31/22 → 9/2/22

Keywords

Cyber Threat Intelligence
Information Extraction
Named Entity Recognition
Relation Extraction
STIX

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-031-15255-9_5

Cite this

Fujii, S., Kawaguchi, N., Shigemoto, T., & Yamauchi, T. (2022). CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs. In C-M. Cheng, & M. Akiyama (Eds.), Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings (pp. 85-104). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13504 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-15255-9_5

CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs. / Fujii, Shota; Kawaguchi, Nobutaka; Shigemoto, Tomohiro et al.
Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings. ed. / Chen-Mou Cheng; Mitsuaki Akiyama. Springer Science and Business Media Deutschland GmbH, 2022. p. 85-104 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13504 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Fujii, S, Kawaguchi, N, Shigemoto, T & Yamauchi, T 2022, CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs. in C-M Cheng & M Akiyama (eds), Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13504 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 85-104, 17th International Workshop on Security, IWSEC 2022, Tokyo, Japan, 8/31/22. https://doi.org/10.1007/978-3-031-15255-9_5

Fujii S, Kawaguchi N, Shigemoto T, Yamauchi T. CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs. In Cheng C-M, Akiyama M, editors, Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 85-104. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-15255-9_5

Fujii, Shota ; Kawaguchi, Nobutaka ; Shigemoto, Tomohiro et al. / CyNER : Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs. Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings. editor / Chen-Mou Cheng ; Mitsuaki Akiyama. Springer Science and Business Media Deutschland GmbH, 2022. pp. 85-104 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f671b6a6307744f8a8db9f4fdbb02ecf,

title = "CyNER: Information Extraction from Unstructured Text of CTI Sources with Noncontextual IOCs",

abstract = "Cybersecurity threats have been increasing and growing more sophisticated year by year. In such circumstances, gathering Cyber Threat Intelligence (CTI) and following up with up-to-date threat information is crucial. Structured CTI such as Structured Threat Information eXpression (STIX) is particularly useful because it can automate security operations such as updating FW/IDS rules and analyzing attack trends. However, as most CTIs are written in natural language, manual analysis with domain knowledge is required, which becomes quite time-consuming. In this work, we propose CyNER, a method for automatically structuring CTIs and converting them into STIX format. CyNER extracts named entities in the context of CTI and then extracts the relations between named entities and IOCs in order to convert them into STIX. In addition, by using key phrase extraction, CyNER can extract relations between IOCs that lack contextual information, such as those listed at the bottom of a CTI, and named entities. We describe our design and implementation of CyNER and demonstrate that it can extract named entities with the F-measure of 0.80 and extract relations between named entities and IOCs with the maximum accuracy of 81.6%. Our analysis of structured CTI showed that CyNER can extract IOCs that are not included in existing reputation sites, and that it can automatically extract IOCs that have been exploited for a long time and across multiple attack groups. CyNER is thus expected to contribute to the efficiency of CTI analysis.",

keywords = "Cyber Threat Intelligence, Information Extraction, Named Entity Recognition, Relation Extraction, STIX",

author = "Shota Fujii and Nobutaka Kawaguchi and Tomohiro Shigemoto and Toshihiro Yamauchi",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 17th International Workshop on Security, IWSEC 2022 ; Conference date: 31-08-2022 Through 02-09-2022",

year = "2022",

doi = "10.1007/978-3-031-15255-9_5",

language = "English",

isbn = "9783031152542",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "85--104",

editor = "Chen-Mou Cheng and Mitsuaki Akiyama",

booktitle = "Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings",

address = "Germany",

}

TY - GEN

T1 - CyNER

T2 - 17th International Workshop on Security, IWSEC 2022

AU - Fujii, Shota

AU - Kawaguchi, Nobutaka

AU - Shigemoto, Tomohiro

AU - Yamauchi, Toshihiro

PY - 2022

Y1 - 2022

N2 - Cybersecurity threats have been increasing and growing more sophisticated year by year. In such circumstances, gathering Cyber Threat Intelligence (CTI) and following up with up-to-date threat information is crucial. Structured CTI such as Structured Threat Information eXpression (STIX) is particularly useful because it can automate security operations such as updating FW/IDS rules and analyzing attack trends. However, as most CTIs are written in natural language, manual analysis with domain knowledge is required, which becomes quite time-consuming. In this work, we propose CyNER, a method for automatically structuring CTIs and converting them into STIX format. CyNER extracts named entities in the context of CTI and then extracts the relations between named entities and IOCs in order to convert them into STIX. In addition, by using key phrase extraction, CyNER can extract relations between IOCs that lack contextual information, such as those listed at the bottom of a CTI, and named entities. We describe our design and implementation of CyNER and demonstrate that it can extract named entities with the F-measure of 0.80 and extract relations between named entities and IOCs with the maximum accuracy of 81.6%. Our analysis of structured CTI showed that CyNER can extract IOCs that are not included in existing reputation sites, and that it can automatically extract IOCs that have been exploited for a long time and across multiple attack groups. CyNER is thus expected to contribute to the efficiency of CTI analysis.

AB - Cybersecurity threats have been increasing and growing more sophisticated year by year. In such circumstances, gathering Cyber Threat Intelligence (CTI) and following up with up-to-date threat information is crucial. Structured CTI such as Structured Threat Information eXpression (STIX) is particularly useful because it can automate security operations such as updating FW/IDS rules and analyzing attack trends. However, as most CTIs are written in natural language, manual analysis with domain knowledge is required, which becomes quite time-consuming. In this work, we propose CyNER, a method for automatically structuring CTIs and converting them into STIX format. CyNER extracts named entities in the context of CTI and then extracts the relations between named entities and IOCs in order to convert them into STIX. In addition, by using key phrase extraction, CyNER can extract relations between IOCs that lack contextual information, such as those listed at the bottom of a CTI, and named entities. We describe our design and implementation of CyNER and demonstrate that it can extract named entities with the F-measure of 0.80 and extract relations between named entities and IOCs with the maximum accuracy of 81.6%. Our analysis of structured CTI showed that CyNER can extract IOCs that are not included in existing reputation sites, and that it can automatically extract IOCs that have been exploited for a long time and across multiple attack groups. CyNER is thus expected to contribute to the efficiency of CTI analysis.

KW - Cyber Threat Intelligence

KW - Information Extraction

KW - Named Entity Recognition

KW - Relation Extraction

KW - STIX

UR - http://www.scopus.com/inward/record.url?scp=85136964208&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85136964208&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-15255-9_5

DO - 10.1007/978-3-031-15255-9_5

M3 - Conference contribution

AN - SCOPUS:85136964208

SN - 9783031152542

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 85

EP - 104

BT - Advances in Information and Computer Security - 17th International Workshop on Security, IWSEC 2022, Proceedings

A2 - Cheng, Chen-Mou

A2 - Akiyama, Mitsuaki

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 31 August 2022 through 2 September 2022

ER -