US2023379352A1PendingUtilityA1
Mapping a vulnerability to a stage of an attack chain taxonomy
Est. expiryMay 21, 2040(~13.9 yrs left)· nominal 20-yr term from priority
G06N 3/0442G06N 3/09H04L 63/1433G06N 20/00G06F 40/30G06F 40/205G06N 5/04G06N 20/10G06N 5/022G06N 3/044
71
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
In an embodiment, a semantic model and a semantic model training method that obtains a textual description of one or more features associated with a first vulnerability that has been used in one or more attacks. Text is parsed from the first textual description in accordance with one or more rules. The system determines a first label for the first vulnerability that is associated with one or more of a plurality of stages of an attack chain taxonomy. The model is generated or refined to map the parsed text to the first label associated with the one or more stages of the attack chain taxonomy.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method of semantic model training, comprising:
obtaining at least one first textual description of one or more features associated with a first vulnerability that has been used in one or more attacks; parsing text from the at least one first textual description in accordance with one or more rules; determining at least one first label for the first vulnerability that is associated with one or more of a plurality of stages of an attack chain taxonomy; and generating or refining a model that maps the parsed text to the at least one first label associated with the one or more stages of the attack chain taxonomy.
2 . The method of claim 1 ,
wherein the at least one first textual description comprises an intrusion or exploit report, a proof-of-concept, or a zero-day report, or wherein the at least one first textual description includes an adversarial tactics, techniques and common knowledge (ATT&CK) description, a mitigation technique description, a patch description, a description of a sequence of steps for exploit, a rating-level characterization of a vulnerability, a vulnerability description, or any combination thereof.
3 . The method of claim 1 , further comprising:
inserting the at least one first label into a joint label space; inserting at least one second label related to one or more intrusion techniques into the joint label space; generating at least one technique label based on labels in the joint label space, wherein the determination of the at least one first label for the first vulnerability is based on context extracted from the parsed text, wherein the generating of the at least one technique label is based on a distance function between the at least one second label and the at least one first label.
4 . The method of claim 1 ,
wherein the generating or refining of the model comprises execution of a machine learning process that maps the parsed text and/or the at least one first label to the one or more stages of the attack chain taxonomy, and wherein a classifier is trained to map text parsed from a vulnerability description to the one or more stages of the attack chain taxonomy.
5 . The method of claim 1 , further comprising:
obtaining at least one second textual description of one or more additional features associated with a second vulnerability; parsing text of the second textual description in accordance with the one or more rules; generating or determining at least one second label for the second vulnerability from the text parsed in accordance with the one or more rules; and mapping the at least one second label to at least one stage of the attach chain taxonomy based on the model.
6 . The method of claim 1 , wherein the generating or refining includes:
generating labels of a joint label space by a multi-label text classification model having at least two label encoding heads.
7 . The method of claim 6 ,
wherein a first head of the at least two label encoding heads comprises a context encoder that encodes vector representations of words associated with the first vulnerability based on the parsed text, wherein a second head of the at least two label encoding heads is a concept encoder that identifies the one or more stages of the attach chain taxonomy associated with the first vulnerability as labels based on the parsed text.
8 . The method of claim 7 , wherein a third head of the at least two label encoding heads encodes attacker actions and mitigation techniques.
9 . The method of claim 8 ,
wherein an output of the first head and an output of the second head are combined and inserted into the joint label space, and wherein the output of the second head and the third head are combined and inserted into the joint label space.
10 . The method of claim 6 , further comprising:
training a multi-layer perceptron classifier via machine learning on the joint label space.
11 . A method, comprising:
obtaining at least one textual description of one or more features associated with a vulnerability and/or exploit; parsing text from the at least one textual description in accordance with one or more rules; obtaining a model that maps textual data to labels for the one or more features of the vulnerability and/or exploit to respective stages of an attack chain taxonomy; and mapping the parsed text to at least one first label for the first vulnerability associated with one or more stages of the attack chain taxonomy in accordance with the model.
12 . The method of claim 11 , wherein a classifier operates on a joint latent space of the model, the classifier assigning labels to the vulnerability and/or exploit from a label set of the joint latent space.
13 . The method of claim 12 , wherein a size of the label set is independent of the joint latent space.
14 . The method of claim 11 , wherein after training, a classifier predicts labels for the vulnerability and/or exploit based on the parsed text, the labels being derived from a first label set of a joint latent space observed during training and a second label set of the joint latent space that was not observed during training.
15 . The method of claim 11 , wherein the one or more rules comprise:
a rule for selecting certain nouns, pronouns, verbs, and/or abbreviations from the at least one textual description, a rule for selecting words based on proximity to a named instance of the vulnerability, a rule selecting or separating words based on whether the words precede a keyword or follow a keyword, or any combination thereof.
16 . An apparatus, comprising:
a memory; and at least one processor coupled to the memory and configured to:
obtain at least one textual description of one or more features associated with a vulnerability and/or exploit;
parse text from the at least one textual description in accordance with one or more rules;
obtain a model that maps textual data to labels for the one or more features of the vulnerability and/or exploit to respective stages of an attack chain taxonomy; and
map the parsed text to at least one first label for the first vulnerability associated with one or more stages of the attack chain taxonomy in accordance with the model.
17 . The apparatus of claim 16 , wherein a classifier operates on a joint latent space of the model, the classifier assigning labels to the vulnerability and/or exploit from a label set of the joint latent space.
18 . The apparatus of claim 17 , wherein a size of the label set is independent of the joint latent space.
19 . The apparatus of claim 16 , wherein after training, a classifier predicts labels for the vulnerability and/or exploit based on the parsed text, the labels being derived from a first label set of a joint latent space observed during training and a second label set of the joint latent space that was not observed during training.
20 . The apparatus of claim 16 , wherein the one or more rules comprise:
a rule for selecting certain nouns, pronouns, verbs, and/or abbreviations from the at least one textual description, a rule for selecting words based on proximity to a named instance of the vulnerability, a rule selecting or separating words based on whether the words precede a keyword or follow a keyword, or any combination thereof.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.