Mapping Linux Shell Commands to MITRE ATT&CK using NLP-Based Approach
Yevonnael Andrew, Charles Lim, Eka Budiarto
Abstract
Honeypot is a decoy computer resource used to trap an attacker and one of the most common honeypots is a medium to high interaction honeypot that is able to log shell interaction executed by an attacker. In the cybersecurity field, these collected commands can be mapped to MITRE ATT&CK, a knowledge base, and model for cyber adversary behavior. To maximize the utilization of ATT&CK, a good mapping between Linux commands and ATT&CK is desirable. In this paper, we evaluate and measure the performance of Linux commands mapping to ATT&CK Techniques and Sub-Techniques, and ATT&CK Tactics using NLP techniques, such as Bag of Words, TF-IDF, and pre-trained Word Embeddings. Cosine similarity scoring is used to extract the top-n ATT&CK Techniques and Sub-Techniques, and ATT&CK Tactics for each command. The models’ performance is evaluated using recall at n metrics.