Keywords: Computer science, Ontology, Artificial intelligence, Merge (version control), Deep learning, Adversary, Identification (biology), Machine learning, Data science, Information retrieval, Computer security, Philosophy, Epistemology, Plant, Biology
Authors
Yi-Ting Huang, R. Vaitheeshwari, Meng Chang Chen, Ying‐Dar Lin, Ren‐Hung Hwang, Po‐Ching Lin, Yuan‐Cheng Lai, Eric Hsiao‐Kuang Wu, Chung‐Hsuan Chen, Zi-Jie Liao, Chung-Kuan Chen
Identifier
DOI: 10.1109/tnsm.2024.3401200
Abstract
Cyber Threat Intelligence (CTI) plays a crucial role in understanding and preemptively defending against emerging threats. Typically disseminated as unstructured reports, CTI carries detailed insight into threat actors, their actions, and their attack patterns. The MITRE ATT&CK framework offers a comprehensive catalog of adversary tactics, techniques, and procedures (TTPs) and is a valuable resource for deciphering attacker behavior and strengthening defenses. To address the time-consuming manual extraction of MITRE TTPs from unstructured CTI reports, this paper presents MITREtrieval, a system that combines deep learning with an ontology to extract MITRE techniques efficiently. The approach mitigates three difficulties: techniques are often described only implicitly, their identification depends on semantic relations spanning the text, and adequately labeled datasets are scarce, so classification must work with few samples per technique. MITREtrieval pairs a sentence-level BERT deep learning model with ontology knowledge to cope with sparse data and merges the two sources' outcomes with a voting algorithm, yielding a more accurate classification of MITRE techniques that captures contextual nuance. The evaluation confirms that MITREtrieval identifies techniques effectively regardless of how well they are represented in the training samples. MITREtrieval surpassed the benchmarks, achieving F2 scores of 58%, 62%, and 69% in multi-label technique identification across 113, 46, and 23 CTI reports, respectively, thereby streamlining CTI analysis and improving threat intelligence.
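The abstract describes three moving parts worth seeing concretely: per-sentence technique labels from a learned model, a second label source derived from an ontology, a vote that merges them into a report-level label set, and the F2 metric used to score that set. The block below is an added illustration, not MITREtrieval's code or the authors' algorithm. It assumes a toy keyword-to-technique map standing in for the ontology lookup, hypothetical per-sentence classifier confidences standing in for the BERT model, a constructed five-sentence report with constructed ground truth, and a simple vote rule (one vote per source per sentence, keep techniques with at least two votes) that is an assumption of this example. The ATT&CK technique IDs used are real; everything else is made up for the demonstration. It also shows why the choice of F2 matters: because F2 weights recall twice as heavily as precision, a merge that drops single-source labels can raise F1 and still lower F2.

```python
"""Added example (not the paper's code): merge per-sentence ATT&CK technique labels
from two sources by voting, then score the report-level label set with F2.
All inputs below are constructed; the technique IDs are real ATT&CK IDs, the
keyword map is a toy stand-in for an ontology, the scores are invented."""
from collections import Counter
from typing import Dict, List, Set

# Toy keyword -> technique map standing in for an ATT&CK ontology lookup (assumption).
ONTOLOGY_KEYWORDS: Dict[str, str] = {
    "spearphishing attachment": "T1566.001",
    "powershell": "T1059.001",
    "scheduled task": "T1053.005",
    "lsass": "T1003.001",
    "remote desktop": "T1021.001",
}

# One constructed CTI report, already split into sentences.
REPORT_SENTENCES: List[str] = [
    "The actor delivered a spearphishing attachment with a macro-enabled document.",
    "The macro launched PowerShell to fetch a second-stage loader.",
    "Persistence was achieved via a scheduled task named 'Updater'.",
    "Credentials were dumped from the LSASS process memory.",
    "The operators moved laterally over Remote Desktop.",
]

# Hypothetical sentence-level classifier output (technique -> confidence);
# stands in for a BERT-style model, values are made up.
MODEL_SCORES: List[Dict[str, float]] = [
    {"T1566.001": 0.91, "T1204.002": 0.74},
    {"T1059.001": 0.88, "T1105": 0.66},
    {"T1053.005": 0.83},
    {"T1003.001": 0.79, "T1059.001": 0.40},  # low-confidence stray label
    {"T1021.001": 0.71, "T1570": 0.55},
]

# Constructed ground truth for the whole report.
GOLD: Set[str] = {"T1566.001", "T1204.002", "T1059.001",
                  "T1053.005", "T1003.001", "T1021.001"}


def ontology_labels(sentence: str) -> Set[str]:
    """Techniques whose ontology keyword occurs in the sentence (case-insensitive)."""
    text = sentence.lower()
    return {tid for kw, tid in ONTOLOGY_KEYWORDS.items() if kw in text}


def model_labels(scores: Dict[str, float], threshold: float = 0.5) -> Set[str]:
    """Techniques the classifier predicts at or above the confidence threshold."""
    return {tid for tid, s in scores.items() if s >= threshold}


def model_only(sentences: List[str], scores: List[Dict[str, float]],
               threshold: float = 0.5) -> Set[str]:
    """Baseline: union of the classifier's per-sentence labels over the report."""
    return set().union(*(model_labels(sc, threshold) for sc in scores))


def vote_merge(sentences: List[str], scores: List[Dict[str, float]],
               min_votes: int = 2, threshold: float = 0.5) -> Set[str]:
    """Each source casts one vote per sentence per technique; keep techniques that
    reach min_votes. With min_votes=2 a label needs both sources on one sentence
    or one source on two sentences. This rule is an assumption of the example."""
    votes: Counter = Counter()
    for sent, sc in zip(sentences, scores):
        votes.update(model_labels(sc, threshold))   # one vote per predicted technique
        votes.update(ontology_labels(sent))         # one vote per keyword hit
    return {tid for tid, n in votes.items() if n >= min_votes}


def f_beta(predicted: Set[str], gold: Set[str], beta: float = 2.0) -> float:
    """F_beta = (1 + b^2) * P * R / (b^2 * P + R) over a report's label set;
    beta=2 (the paper's metric) weights recall four times as much as precision."""
    tp = len(predicted & gold)
    fp = len(predicted - gold)
    fn = len(gold - predicted)
    if tp == 0:
        return 0.0
    p, r = tp / (tp + fp), tp / (tp + fn)
    return (1 + beta ** 2) * p * r / (beta ** 2 * p + r)


if __name__ == "__main__":
    for name, labels in (("model-only", model_only(REPORT_SENTENCES, MODEL_SCORES)),
                         ("vote-merge", vote_merge(REPORT_SENTENCES, MODEL_SCORES))):
        print(f"{name:10s} {sorted(labels)}  "
              f"F2={f_beta(labels, GOLD):.3f}  F1={f_beta(labels, GOLD, 1.0):.3f}")
```

On this constructed report the vote drops the two uncorroborated model labels (T1105, T1570) and so reaches perfect precision, but it also drops T1204.002, which only the model saw once. The merge therefore wins on F1 (0.909 vs 0.857) yet loses on F2 (0.862 vs 0.938), because F2 penalises the missed technique more than the two false positives. In practice the vote threshold, the model's confidence cut-off, and how much weight an ontology hit carries all have to be tuned against the metric actually reported, and a high-confidence model prediction may deserve to pass on its own.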