Using neural networks to process forensics and generate threat intelligence information
地域:
CA
CA Sunnyvale
摘要
Aspects of the disclosure relate to generating threat intelligence information. A computing platform may receive forensics information corresponding to message attachments. For each message attachment, the computing platform may generate a feature representation. The computing platform may input the feature representations into a neural network, which may result in a numeric representation for each message attachments. The computing platform may apply a clustering algorithm to cluster each message attachments based on the numeric representations, which may result in clustering information. The computing platform may extract, from the clustering information, one or more indicators of compromise indicating that one or more attachments corresponds to a threat campaign. The computing platform may send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, which may cause the enterprise user device to display a user interface identifying the one or more indicators of compromise.
說明書
This application claims the benefit of and priority to U.S. Provisional Patent Application Ser. No. 63/073,640, filed Sep. 2, 2020, and entitled “Using Neural Networks to Process Forensics and Generate Threat Intelligence Information,” which is incorporated by reference herein in its entirety.
Aspects of the disclosure relate to data processing methods, machine learning systems, and communication systems and networks. In particular, one or more aspects of the disclosure relate to using neural networks to process forensics and generate threat intelligence information.
Increasingly, individuals and organizations face various cybersecurity threats, and various efforts may be taken to identify cybersecurity threat campaigns (e.g., sets of threats that have been observed or are otherwise related in some way, such as threats sent out by the same malicious actor). The landscape of such threat campaigns is constantly changing, however. As a result of the changes in the threat landscape, it may be difficult to analyze large numbers of threats, group them into campaigns, and provide useful insights for protecting against such threats. This may result in undetected threat campaigns, thus leaving individuals and/or organizations vulnerable to cyber-attacks and/or other events in which there might be unauthorized access of proprietary or otherwise personal information.
權(quán)利要求
What is claimed is:1. A computing platform, comprising:at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:train a neural network, wherein training the neural network comprises training the neural network using metric learning and sub-word embeddings, and wherein training the neural network using the metric learning comprises:inputting two or more inputs into the neural network; identifying labels corresponding to each of the two or more inputs; and prompting the neural network to produce particular embeddings based on the identified labels; receive forensics information corresponding to a plurality of message attachments; generate, for each of the plurality of message attachments, a feature representation; input the feature representations into the neural network, wherein inputting the feature representations into the neural network results in a numeric representation for each of the plurality of message attachments; apply a clustering algorithm to cluster each of the plurality of message attachments based on the numeric representations, resulting in clustering information; extract, from the clustering information, one or more indicators of compromise indicating that one or more of the plurality of attachments corresponds to a threat campaign; and send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, wherein sending the user interface information causes the enterprise user device to display a user interface identifying the one or more indicators of compromise. 2. The computing platform of claim 1 , wherein the neural network is a Siamese network. 3. The computing platform of claim 2 , wherein:the neural network is trained to produce a common embedding if the two or more inputs have corresponding labels, the neural network is trained to produce different embeddings if the two of more inputs have different labels. 4. The computing platform of claim 1 , wherein using the sub-word embeddings comprises training the neural network to learn a vocabulary of sub-words adapted to threat identification. 5. The computing platform of claim 1 , wherein the one or more indicators of compromise each correspond to a particular threat campaign. 6. The computing platform of claim 1 , wherein the one or more indicators of compromise indicate one or more of: a uniform resource locator (URL) known to host malicious content, a sender name, an internet protocol (IP) address, an organization name, or a country. 7. The computing platform of claim 1 , wherein extracting the one or more indicators of compromise comprises:identifying one or more generic indicators of compromise; and filtering, from the one or more indicators of compromise, the one of more generic indicators of compromise. 8. A method comprising:at a computing platform comprising at least one processor, a communication interface, and memory:training, by the at least one processor, a neural network, wherein training the neural network comprises training the neural network using metric learning and sub-word embeddings, and wherein training the neural network using the metric learning comprises:inputting two or more inputs into the neural network; identifying labels corresponding to each of the two or more inputs; and prompting the neural network to produce particular embeddings based on the identified labels; receiving, by the at least one processor, forensics information corresponding to a plurality of message attachments; generating, by the at least one processor and for each of the plurality of message attachments, a feature representation; inputting, by the at least one processor, the feature representations into the neural network, wherein inputting the feature representations into the neural network results in a numeric representation for each of the plurality of message attachments; applying, by the at least one processor, a clustering algorithm to cluster each of the plurality of message attachments based on the numeric representations, resulting in clustering information; extracting, by the at least one processor and from the clustering information, one or more indicators of compromise indicating that one or more of the plurality of attachments corresponds to a threat campaign; and sending, by the at least one processor and to an enterprise user device, user interface information comprising the one or more indicators of compromise, wherein sending the user interface information causes the enterprise user device to display a user interface identifying the one or more indicators of compromise. 9. The method of claim 8 , wherein the neural network is a Siamese network. 10. The method of claim 8 , wherein:the neural network is trained to produce a common embedding if the two or more inputs have corresponding labels, the neural network is trained to produce different embeddings if the two of more inputs have different labels. 11. The method of claim 8 , wherein using the sub-word embeddings comprises training, by the at least one processor, the neural network to learn a vocabulary of sub-words adapted to threat identification. 12. The method of claim 8 , wherein the one or more indicators of compromise each correspond to a particular threat campaign. 13. The method of claim 8 , wherein the one or more indicators of compromise indicate one or more of: a uniform resource locator (URL) known to host malicious content, a sender name, an internet protocol (IP) address, an organization name, or a country. 14. The method of claim 8 , wherein extracting the one or more indicators of compromise comprises:identifying, by the at least one processor, one or more generic indicators of compromise; and filtering, by the at least one processor and from the one or more indicators of compromise, the one of more generic indicators of compromise. 15. One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to:train a neural network, wherein training the neural network comprises training the neural network using metric learning and sub-word embeddings, and wherein training the neural network using the metric learning comprises:inputting two or more inputs into the neural network; identifying labels corresponding to each of the two or more inputs; and prompting the neural network to produce particular embeddings based on the identified labels; receive forensics information corresponding to a plurality of message attachments; generate, for each of the plurality of message attachments, a feature representation; input the feature representations into the neural network, wherein inputting the feature representations into the neural network results in a numeric representation for each of the plurality of message attachments; apply a clustering algorithm to cluster each of the plurality of message attachments based on the numeric representations, resulting in clustering information; extract, from the clustering information, one or more indicators of compromise indicating that one or more of the plurality of attachments corresponds to a threat campaign; and send, to an enterprise user device, user interface information comprising the one or more indicators of compromise, wherein sending the user interface information causes the enterprise user device to display a user interface identifying the one or more indicators of compromise.
意見反饋
使用該功能遇到問題