
A Proposal of a Lightweight Markup Language for Graph Description towards Threat Information Sharing


Computer Security Symposium 2018, 22-25 October 2018

A Lightweight Markup Language for Graph Description towards Threat Information Sharing

Mayo YAMASAKI †1
†1 NTT Secure Platform Laboratories

Abstract: To share structured threat information, standardized formats such as STIX and MISP have been proposed. However, it is hard to write them by hand, because these formats are designed mainly for exchange between machines. To tackle this problem, this paper proposes a lightweight markup language for graph description that is easy to read and write for both humans and machines. In the proposed method, the schema of the graph, which changes only rarely, is shared in advance, so that the graph-structured data of each document can be written in a lightweight markup language. I show that threat information compliant with STIX 2.0 can be described using the proposed method. Further, I experimentally demonstrate that the proposed method can describe threat information at 2% of the editing cost of STIX in JSON and 19% of the cost of the DOT language.

Keywords: Threat Intelligence, Graph Description Language, Lightweight Markup Language, Knowledge Representation

1. (Section title and Japanese body text not recovered. Surviving terms: malware, IPv4, ioc-ipv4, indicates, STIX (Structured Threat Information eXpression) [1], "[ ]{ }", MISP (Malware Information Sharing Platform) [2], 60%, Figure 1, [3], Indicator of Compromise, Observable, [4], STIX 2.0, DOT [5], JSON [a], 2%, 19%.)

a http://www.json.org

© 2018 Information Processing Society of Japan

2. (Section title and Japanese body text not recovered. Surviving terms: DOT, GXL [6], XML, GraphML [7], RDF (Resource Description Framework) [8], Turtle, N-Triples, JSON, STIX 2.0, Markdown [9][10], reStructuredText [11], HTML, "[ ]{ }", Figure 1, Table 1 (surviving entries: malware, ioc-ipv4, indicates).)

Figure 1: the example graph in the DOT language. Nodes are malware and ioc-ipv4 objects; each edge is an "indicates" relationship drawn from a malware node to an ioc-ipv4 node.

    digraph G {
      a [label = "malware:EvilRat"];
      b [label = "malware:EvilTrojan"];
      c [label = "malware:Trojan.EvilRansom"];
      d [label = "ioc-ipv4:192.168.0.0"];
      e [label = "ioc-ipv4:192.168.0.1"];
      a -> d [label = "indicates"];
      b -> d [label = "indicates"];
      c -> e [label = "indicates"];
    }

3. (Section title and body text not recovered.)

3.1 (Body text not recovered. Surviving terms: STIX, malware, ioc-ipv4, indicates, "192.168.0.1", "EvilTrojan".)

3.2 (Body text not recovered. Surviving term: JSON.)

3.2.1 (Body text not recovered. Surviving terms: SDO (STIX Domain Object), SRO (STIX Relationship Object), STIX.)

3.2.2 (Body text not recovered. Surviving terms: JSON, key-value, Indicator SDO, pattern, "[]", "{}", STIX 2.0, Figure 1.)

STIX 2.0 representation of the "EvilRat" node of Figure 1 (the id is truncated in the source):

    {
      "type": "malware",
      "id": "malware--395237ba-9175-47ed-…",
      "created": "2018-08-16T01:00:17.017Z",
      "modified": "2018-08-16T01:00:17.017Z",
      "name": "evilrat",
      "labels": [
        "unknown"
      ]
    }

Node syntax of the proposed language:

    [name a]{type1}
    [name b]{type 2, attr-name:attr-value}
    [name[c]{type-3, , attr-1, attr-2}]{type-4}

The first form declares the node "name a" with type "type1". The second declares "name b" with type "type 2" and the attribute "attr-name:attr-value". The third nests the node "c" (type "type-3", attributes "attr-1, attr-2") inside the bracketed name of an enclosing node of type "type-4". Default attributes for each type come from the pre-shared schema (Table 2).

3.2.3 (Body text not recovered. Surviving terms: "${NAME}", "${NOW}", Table 2, SDO, first_observed, last_observed, number_observed, observed-data, object_refs, *1, *2.)

3.2.4 (Body text not recovered. Surviving terms: SRO, "{}"; Threat Actor targets / impersonates Identity; Identity attributed-to; Malware variant-of Malware; original-malware; Indicator.)

4. (Section title and body text not recovered.)

4.1 STIX 2.0 (Body text not recovered. Surviving terms: Observed Data, Vulnerability, ioc-ipv4, ipv4, cve.)

4.2 STIX 2.0 (Body text not recovered.)

4.2.1 (Body text not recovered. Surviving terms: SDO, Table 2.)

Table 2: STIX 2.0 SDO types, their short type names in the proposed language, and the default SDO attributes filled in from the shared schema. ${NAME} is replaced by the node name and ${NOW} by the time of writing; footnotes *1 and *2 are not recovered.

  STIX SDO          Short type name     Default SDO attributes
  Attack Pattern    attack-pattern      name=${NAME}
  Campaign          campaign            name=${NAME}
  Course of Action  coa                 name=${NAME}
  Identity          victim              name=${NAME}, identity_class="unknown", labels=["unknown"]
                    criminal            name=${NAME}, identity_class="unknown", labels=["unknown"]
                    persona             name=${NAME}, identity_class="unknown", labels=["unknown"]
  Indicator         ioc                 pattern=${NAME}, labels=["unknown"]
                    ioc-as-number       pattern="[autonomous-system:number=${NAME}]", labels=["unknown"]
                    ioc-directory       pattern="[directory:path=${NAME}]", labels=["unknown"]
                    ioc-domain-name     pattern="[domain-name:value=${NAME}]", labels=["unknown"]
                    ioc-email-addr      pattern="[email-addr:value=${NAME}]", labels=["unknown"]
                    ioc-file-name       pattern="[file:name=${NAME}]", labels=["unknown"]
                    ioc-file-sha256     pattern="[file:hashes.'SHA-256'=${NAME}]", labels=["unknown"]
                    ioc-file-md5        pattern="[file:hashes.'MD5'=${NAME}]", labels=["unknown"]
                    ioc-ipv4            pattern="[ipv4-addr:value=${NAME}]", labels=["unknown"]
                    ioc-ipv6            pattern="[ipv6-addr:value=${NAME}]", labels=["unknown"]
                    ioc-mac-addr        pattern="[mac-addr:value=${NAME}]", labels=["unknown"]
                    ioc-mutex           pattern="[mutex:name=${NAME}]", labels=["unknown"]
                    ioc-process-name    pattern="[process:name=${NAME}]", labels=["unknown"]
                    ioc-process-id      pattern="[process:pid=${NAME}]", labels=["unknown"]
                    ioc-url             pattern="[url:value=${NAME}]", labels=["unknown"]
                    ioc-user-id         pattern="[user-account:user_id=${NAME}]", labels=["unknown"]
                    ioc-registry-key    pattern="[windows-registry-key:key=${NAME}]", labels=["unknown"]
                    ioc-x509-ca         pattern="[x509-certificate:issuer=${NAME}]", labels=["unknown"]
                    ioc-x509-serial     pattern="[x509-certificate:serial_number=${NAME}]", labels=["unknown"]
  Intrusion Set     intrusion-set       name=${NAME}
  Malware           malware             name=${NAME}, labels=["unknown"]
                    original-malware    name=${NAME}, labels=["unknown"]
  Observed Data     observed-data       objects=${NAME}, first_observed=${NOW}, last_observed=${NOW}, number_observed=1
                    as-number           objects={"0":{"type":"autonomous-system","number":"${NAME}"}}, *1
                    directory           objects={"0":{"type":"directory","path":"${NAME}"}}, *1
                    domain-name         objects={"0":{"type":"domain-name","value":"${NAME}"}}, *1
                    email-addr          objects={"0":{"type":"email-addr","value":"${NAME}"}}, *1
                    file-name           objects={"0":{"type":"file","name":"${NAME}"}}, *1
                    file-sha256         objects={"0":{"type":"file","hashes":{"SHA-256":"${NAME}"}}}, *1
                    file-md5            objects={"0":{"type":"file","hashes":{"MD5":"${NAME}"}}}, *1
                    ipv4                objects={"0":{"type":"ipv4-addr","value":"${NAME}"}}, *1
                    ipv6                objects={"0":{"type":"ipv6-addr","value":"${NAME}"}}, *1
                    mac-addr            objects={"0":{"type":"mac-addr","value":"${NAME}"}}, *1
                    mutex               objects={"0":{"type":"mutex","name":"${NAME}"}}, *1
                    process-name        objects={"0":{"type":"process","name":"${NAME}"}}, *1
                    process-id          objects={"0":{"type":"process","id":"${NAME}"}}, *1
                    url                 objects={"0":{"type":"url","value":"${NAME}"}}, *1
                    user-id             objects={"0":{"type":"user-account","user_id":"${NAME}"}}, *1
                    registry-key        objects={"0":{"type":"windows-registry-key","key":"${NAME}"}}, *1
                    x509-ca             objects={"0":{"type":"x509-certificate","issuer":"${NAME}"}}, *1
                    x509-serial         objects={"0":{"type":"x509-certificate","serial_number":"${NAME}"}}, *1
  Report            report              name=${NAME}, labels=["unknown"], published=${NOW}, object_refs *2
  Threat Actor      threat-actor        name=${NAME}, labels=["unknown"]
  Tool              tool                name=${NAME}, labels=["unknown"]
  Vulnerability     vulnerability       name=${NAME}
                    cve                 name=${NAME}, external_references=[{"source_name":"cve","external_id":${NAME}}]
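The node syntax of Section 3.2.2 and the schema of Table 2 together define a small compiler: a pre-shared table of STIX property templates, plus per-document markup that only names nodes, their short types and any attribute overrides. The following Python is an added example written for this page, not the paper's implementation. It assumes a subset of Table 2 as the schema, writes the STIX patterns in the quoted form of the STIX 2.0 patterning grammar (the table shows them unquoted), and assumes a relationship line form `[a]{type} -rel-> [b]{type}` because the paper's own relationship notation is not recoverable here; edge direction follows Figure 1. The editing-cost function is a character-count proxy in the spirit of Table 4, and the sample document is constructed from the Figure 1 graph.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Pre-shared schema: a subset of Table 2, as STIX 2.0 property templates. ${NAME} and
# ${NOW} are the paper's placeholders for the node name and the time of writing.
SCHEMA = {
    "malware": {"type": "malware", "name": "${NAME}", "labels": ["unknown"]},
    "ioc-ipv4": {"type": "indicator", "labels": ["unknown"],
                 "pattern": "[ipv4-addr:value = '${NAME}']"},
    "cve": {"type": "vulnerability", "name": "${NAME}",
            "external_references": [{"source_name": "cve", "external_id": "${NAME}"}]},
}

NODE_RE = re.compile(r"\[(?P<name>[^\[\]]+)\]\{(?P<body>[^{}]*)\}")
# Assumed SRO line form "<node> -<relationship_type>-> <node>" (not the paper's notation).
_NODE = r"\[[^\[\]]+\]\{[^{}]*\}"
EDGE_RE = re.compile(r"^(?P<src>" + _NODE + r")\s*-(?P<rel>[a-z][a-z-]*)->\s*(?P<dst>" + _NODE + r")$")


def stix_now():
    """Current UTC time in STIX 2.0 timestamp form, e.g. 2018-08-16T01:00:17.017Z."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def _fill(template, name, now):
    """Substitute ${NAME} and ${NOW} throughout a template value, returning a copy."""
    if isinstance(template, str):
        return template.replace("${NAME}", name).replace("${NOW}", now)
    if isinstance(template, list):
        return [_fill(v, name, now) for v in template]
    if isinstance(template, dict):
        return {k: _fill(v, name, now) for k, v in template.items()}
    return template


def expand_node(text, now=None, schema=SCHEMA):
    """Expand one `[name]{type, key:value, ...}` node into a STIX 2.0-style SDO dict."""
    m = NODE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a node: {text!r}")
    name = m.group("name").strip()
    fields = [f.strip() for f in m.group("body").split(",")]
    short_type, attrs = fields[0], [f for f in fields[1:] if f]
    if short_type not in schema:
        raise ValueError(f"type {short_type!r} is not in the shared schema")
    now = now or stix_now()
    obj = _fill(schema[short_type], name, now)
    for attr in attrs:  # explicit key:value attributes override the schema defaults
        key, sep, value = attr.partition(":")
        if not sep:
            raise ValueError(f"attribute {attr!r} is not key:value")
        obj[key.strip()] = value.strip()
    obj["id"] = f"{obj['type']}--{uuid.uuid4()}"
    obj["created"] = obj["modified"] = now
    return obj


def compile_document(source, now=None, schema=SCHEMA):
    """Compile node and relationship lines into STIX objects. A node named on
    several lines becomes one SDO; each relationship line becomes one SRO."""
    now = now or stix_now()
    objects, seen = [], {}

    def intern(text):
        m = NODE_RE.fullmatch(text.strip())
        if m is None:
            raise ValueError(f"neither a node nor a relationship: {text!r}")
        key = (m.group("name").strip(), m.group("body").split(",")[0].strip())
        if key not in seen:
            seen[key] = expand_node(text, now, schema)
            objects.append(seen[key])
        return seen[key]

    for line in source.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        e = EDGE_RE.match(line)
        if e is None:
            intern(line)
            continue
        src, dst = intern(e.group("src")), intern(e.group("dst"))
        objects.append({"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
                        "created": now, "modified": now, "relationship_type": e.group("rel"),
                        "source_ref": src["id"], "target_ref": dst["id"]})
    return objects


def edit_cost(source, objects):
    """Characters written in the markup divided by characters of the generated JSON."""
    return len(source.strip()) / len(json.dumps(objects, indent=2))


# Constructed sample document: the graph of Figure 1.
SAMPLE = """
[EvilRat]{malware} -indicates-> [192.168.0.0]{ioc-ipv4}
[EvilTrojan]{malware} -indicates-> [192.168.0.0]{ioc-ipv4}
[Trojan.EvilRansom]{malware} -indicates-> [192.168.0.1]{ioc-ipv4}
"""

if __name__ == "__main__":
    bundle = compile_document(SAMPLE)
    print(json.dumps(bundle, indent=2))
    print(f"editing cost relative to STIX JSON: {edit_cost(SAMPLE, bundle):.1%}")
```

Because the schema is the only place that knows STIX property names, a writer cannot produce an object of an unknown type or a malformed attribute without the compiler rejecting the line, which is where validation of hand-written threat information belongs. The three sample lines expand to five SDOs and three SROs, and the markup is roughly a tenth the size of the JSON it generates.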

4.2.2 (Body text not recovered. Surviving terms: Table 3, STIX 2.0, SDO, SRO.)

Table 3: default relationship types between pairs of SDO types (row and column layout not recovered). Surviving relationship types: uses, attributed-to, mitigates, indicates, variant-of, impersonates, targets, object-refs, "with". The surviving text pairs "with" with ioc-file-name / file-name, ioc-file-sha256, ioc-file-md5 / file-sha256, file-md5, ioc-x509-ca / x509-ca, ioc-x509-serial / x509-serial and ioc-process-name / process-name. Surviving SDO groups: attack-pattern, campaign, coa, victim, criminal, persona, Indicator, intrusion-set, malware, original-malware, Observed Data, report, threat-actor, tool, Vulnerability.

4.3 STIX 2.0 (Body text not recovered. Surviving terms: Table 2, Table 3, "{}", key-value, YAML [b], flow style.)

b http://yaml.org/spec/1.2/spec.html

5. (Section title and body text not recovered. Surviving terms: GUI, Figure 2, STIX Validator [c], Table 4, "with", Report, ID, Indicator, ioc-process-id, process-id, "object-refs", SDO, SRO, attack-pattern, malware, tool; unplaced values: 13,548; 14.5; 13.9; 38; 10.)

c https://github.com/oasis-open/cti-stix-validator

Table 4: size of the same threat information written in each format, and its ratio to STIX (JSON) in % (the unit of the size column is not recovered).

  Format             Size     Ratio to STIX (JSON) [%]
  STIX (JSON)        12593    -
  STIX (YAML)        10033    80
  RDF (N-Triples)     2227    18
  RDF (Turtle)        1904    15
  DOT                 1382    11
  Proposed method      268     2

Figure 2: GUI for writing STIX with the proposed language (caption text not fully recovered).

6. (Section title and body text not recovered. Surviving terms: Figure 2, 38, STIX 2.0, Table 2, Table 3.)

7. (Section title and body text not recovered. Surviving terms: JSON, 2%, DOT, 19%.)

References
[1] STIX - Structured Threat Information Expression. https://stixproject.github.io/ (accessed 2018-08-13).
[2] MISP standards. https://github.com/MISP/misp-rfc (accessed 2018-08-13).
[3] The Value of Threat Intelligence: The Second Annual Study of North American & United Kingdom Companies. https://anomali.cdn.rackfoundry.net/files/white-papers/2017anomali-research-report.pdf (accessed 2018-08-13).
[4] Exploring the opportunities and limitations of current Threat Intelligence Platforms. https://www.enisa.europa.eu/publications/exploring-the-opportunities-and-limitations-of-current-threat-intelligence-platforms (accessed 2018-08-13).
[5] Gansner, Emden R., and Stephen C. North. An open graph visualization system and its applications to software engineering. Software: Practice and Experience, 2000, 30(11), p. 1203-1233.
[6] Holt, Richard C., Andreas Winter, and Andy Schürr. GXL: Toward a standard exchange format. Proceedings of the Seventh Working Conference on Reverse Engineering, IEEE, 2000, p. 162-171.
[7] Brandes, U., Eiglsperger, M., Herman, I., Himsolt, M., and Marshall, M. S. GraphML progress report: structural layer proposal. International Symposium on Graph Drawing, Springer, Berlin, Heidelberg, 2001, p. 501-512.
[8] RDF 1.1 Concepts and Abstract Syntax. https://www.w3.org/TR/2014/REC-rdf11-concepts-20140225/ (accessed 2018-08-13).
[9] Markdown. https://daringfireball.net/projects/markdown/ (accessed 2018-08-13).
[10] CommonMark. https://commonmark.org/ (accessed 2018-08-13).
[11] reStructuredText Markup Specification. http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html (accessed 2018-08-13).

