The Attacker Might Also Do Next: ATT&CK Behavior Forecasting by Attacker-based Collaborative Filtering and Graph Databases

Cyber attacks are causing tremendous damage around the world. To protect against attacks, many organizations have established or outsourced Security Operation Centers (SOCs) to check a large number of logs daily. Since there is no perfect countermeasure against cyber attacks, it is necessary to detect signs of intrusion quickly to mitigate damage caused by them. However, it is challenging to analyze a lot of logs obtained from PCs and servers inside an organization. Therefore, there is a need for a method of efficiently analyzing logs. In this paper, we propose a recommendation system using the ATT&CK technique, which predicts and visualizes attackers' behaviors using collaborative filtering so that security analysts can analyze logs efficiently. We evaluated the proposed method using real-world cyber-attack cases and found that it is able to make predictions with higher recall than our previously proposed method.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.31(2023) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.31.802------------------------------

Cyber attacks are causing tremendous damage around the world. To protect against attacks, many organizations have established or outsourced Security Operation Centers (SOCs) to check a large number of logs daily. Since there is no perfect countermeasure against cyber attacks, it is necessary to detect signs of intrusion quickly to mitigate damage caused by them. However, it is challenging to analyze a lot of logs obtained from PCs and servers inside an organization. Therefore, there is a need for a method of efficiently analyzing logs. In this paper, we propose a recommendation system using the ATT&CK technique, which predicts and visualizes attackers' behaviors using collaborative filtering so that security analysts can analyze logs efficiently. We evaluated the proposed method using real-world cyber-attack cases and found that it is able to make predictions with higher recall than our previously proposed method.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.31(2023) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.31.802------------------------------