Top

The Journal of Supercomputing

Published in:

23-09-2022

Architecting threat hunting system based on the DODAF framework

Authors: Ali Aghamohammadpour, Ebrahim Mahdipour, Iman Attarzadeh

Published in: The Journal of Supercomputing | Issue 4/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The importance of large data analytic systems for cyber security is expanding. Thus, collecting systematically, thoroughly assessing, and synthesizing the literature on architectural techniques for developing such systems is critical. There is a general lack of an overview of architectural techniques for developing threat intelligence systems. Threat hunting is an analyst-centric process that helps organizations discover hidden advanced threats that miss by automatic preventative and investigative systems. The Department of Defense Architecture Framework (DODAF) establishes a modeling framework for capturing high-level system design and operational requirements. This paper presents different threat hunting system viewpoints using the DODAF attribute-based method. The proposed architecture enriches by state-of-the-art MITRE’s ATT&CK and D3FEND frameworks. Also, we proposed a unique approach to infer malicious threats category associations by comparing suspicious and malicious events' similarities. Using ATT&CK’s rich techniques made the similarity between malicious and suspicious files more accurate. Finally, we used a survey questionnaire approach to collect relational data to assess the impact of qualitative attributes on the development of threat hunting processes. We evaluated the proposed hunting architecture using twelve essential quality attributes indirectly. We believe that the proposed method can reduce the architectural shortcomings in threat hunting systems development.

previous article Scene optimization of GPU-based back-projection algorithm

next article Image compression and denoising using multiresolution region-based image description scheme

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Cole E (2016) Threat hunting: open season on the adversary. SANS Institute Information Reading Room

DoDAF Architecture Framework Version 2.02. U.S. Department of Defense. https://doi.org/https://dodcio.defense.gov/Library/DoD-Architecture-Framework. Accessed 18 Apr 2022

DoDAF Architecting. AcqNotes. https://doi.org/https://acqnotes.com/acqnote/tasks/architecting-overview. Accessed 18 Apr 2022

Vance A (2016) Securing enterprise architecture with DoD architectural framework (DoDAF). In: Presented at the International Conference on Cyber Conflict (CyCon)

Ring SJ, Nicholson D, Thilenius J, Harris S (2007) Activity-based methodology for development and analysis of integrated DoD architecture. In: Handbook of enterprise systems architecture in practice: IGI Global, pp 85–113

Brown S, Carlin S, Torres-Negron I (2017) Next-generation defensive cyber operations (DCO) platform. J Inform Warfare 16(2):43–55

Meland PH, Nesheim DA, Bernsmed K, Sindre G (2022) Assessing cyber threats for storyless systems. J Inform Secur Appl 64:103050

Gao P et al (2021) Enabling efficient cyber threat hunting with cyber threat intelligence. In: 2021 IEEE 37th International Conference on Data Engineering (ICDE), IEEE, pp 193–204CrossRef

Shlapentokh-Rothman M (2020) Unifying public threat knowledge for cyber hunting. Massachusetts Institute of Technology

10.

Milajerdi SM, Eshete B, Gjomemo R, Venkatakrishnan V (2019) Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp 1795–1812

11.

Silva A, Gondim J, Albuquerque R, Villalba L (2020) A methodology to evaluate standards and platforms within cyber threat intelligence. Future Internet 12(6):108CrossRef

12.

Puzis R, Zilberman P, Elovici Y (2020) ATHAFI: Agile threat hunting and forensic investigation. arXiv preprint https://doi.org/arXiv:2003.03663

13.

Ullah F, Babar MA (2019) Architectural tactics for big data cybersecurity analytics systems: a review. J Syst Softw 151:81–118CrossRef

14.

Saaty TL (1994) Fundamentals of decision making and priority theory with the analytic hierarchy process. RWS publications

15.

Strom BE, Applebaum A, Miller DP, Nickels KC, Pennington AG, Thomas CB (2018) Mitre attack: design and philosophy. Technical report

16.

Kaloroumakis PE, Smith MJ (2021) Toward a knowledge graph of cybersecurity countermeasures. The MITRE Corporation

17.

Shu X, Coccoli P (2021) Kestrel threat hunting language

18.

Xiong W, Legrand E, Åberg O, Lagerström R (2021) Cyber security threat modeling based on the MITRE enterprise ATT&CK matrix. Softw Syst Model, pp 1–21

19.

Guide to cyber threat modelling (2020) Cybersecurity Agency of Singapore

20.

Mavroeidis V, Jøsang A (2018) Data-driven threat hunting using sysmon. In: Proceedings of the 2nd International Conference on Cryptography, Security and Privacy, pp 82–88

21.

Muckin M, Fitch SC (2019) A threat-driven approach to cyber security. Lockheed Martin Corporation

22.

Collins M Chapter 1. Threat hunting and its goals. Oreilly. https://doi.org/https://www.oreilly.com/library/view/threat-hunting/9781492028260/ch01.html. (Accessed 8 Apr 2022)

23.

Wafula K, Wang Y (2019) CARVE: a scientific method-based threat hunting hypothesis development model. In: 2019 IEEE International Conference on Electro Information Technology (EIT), IEEE,pp 1–6

24.

Soliman HM, Salmon G, Sovilj D, Rao M (2021) RANK: AI-assisted end-to-end architecture for detecting persistent attacks in enterprise networks. arXiv preprint https://doi.org/arXiv:2101.02573

25.

Konev A, Shelupanov A, Kataev M, Ageeva V, Nabieva A (2022) A survey on threat-modeling techniques: protected objects and classification of threats. Symmetry 14(3):549CrossRef

26.

Lee J, Moon D, Kim I, Lee Y (2019) A semantic approach to improving machine readability of a large-scale attack graph. J Supercomput 75(6):3028–3045CrossRef

27.

Al-Shaer R, Spring JM, Christou E (2020) Learning the associations of mitre att&ck adversarial techniques. In: 2020 IEEE Conference on Communications and Network Security (CNS), IEEE, pp 1–9

28.

Shin Y, Kim K, Lee JJ, Lee K (2021) ART: automated reclassification for threat actors based on ATT&CK matrix similarity. In: 2021 world automation congress (WAC), IEEE, pp 15–20CrossRef

29.

(2021) Zero trust reference architecture. U.S Department of Defence (DOD)

30.

Pan X, Yin B, Hu J (2011) Modeling and simulation for SoS based on the DoDAF framework. In: The Proceedings of 2011 9th International Conference on Reliability, Maintainability and Safety, IEEE, pp 1283–1287CrossRef

31.

Pan X, Yin B, Hu J (2011) Modeling and simulation for SoS based on The DODAF framework. In: International Conference on Reliability, Maintainability and Safety

32.

Richards J (2014) Using the department of defense architecture framework to develop security requirements. SANS institute

33.

Software | MITRE ATTACK The MITRE corporation. https://doi.org/https://attack.mitre.org/software/. Accessed 19 Apr 2022

34.

Wannacry ransomware analyzed report. Any Run malware analysis sandbox. https://doi.org/https://app.any.run/tasks/66f00cc0-a177-432a-b471-685d5a70b8c9/. Accessed 25 Apr 2022

35.

Hydra malware analyzed report. Any Run malware analysis sandbox. https://doi.org/https://app.any.run/tasks/d650c063-37b6-4cdd-89b4-d60c956031ac/. Accessed 25 Apr 2022

36.

Executer.exe analyzed report. Any Run malware analysis sandbox. https://doi.org/https://app.any.run/tasks/c8ad2625-f4c8-4212-82d6-de7769338e9d/. Accessed 5 Apr 2022

37.

Shahid A et al (2020) Insights into relevant knowledge extraction techniques: a comprehensive review. J Supercomput 76(3):1695–1733CrossRef

Title: Architecting threat hunting system based on the DODAF framework
Authors: Ali Aghamohammadpour
Ebrahim Mahdipour
Iman Attarzadeh
Publication date: 23-09-2022
Publisher: Springer US
Published in: The Journal of Supercomputing / Issue 4/2023
Print ISSN: 0920-8542
Electronic ISSN: 1573-0484
DOI: https://doi.org/10.1007/s11227-022-04808-6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Other articles of this Issue 4/2023

HBI-LB: A Dependable Fault-Tolerant Load Balancing Approach for Fog based Internet-of-Things Environment

Three edge-disjoint Hamiltonian cycles in crossed cubes with applications to fault-tolerant data broadcasting

SUDV: Malicious fog node management framework for software update dissemination in connected vehicles

DCCP: a dependable committee consensus protocol for permissionless blockchain

A disassembly sequence planning method with improved discrete grey wolf optimizer for equipment maintenance in hydropower station

A novel 2-phase consensus with customized feedback based group decision-making involving heterogeneous decision-makers

Premium Partner