Explainable cyber threat behavior identification based on self-adversarial topic generation


Bibliographic details
Published in: Computers & Security 2023-09, Vol. 132, p. 103369, Article 103369
Main authors: Ge, Wenhan; Wang, Junfeng; Lin, Tongcan; Tang, Binhui; Li, Xiaohui
Format: Article
Language: eng
Online access: Full text
Description
Summary:
• This paper proposes an end-to-end, model-independent explainable framework that can conveniently identify TTPs from CTI and provide behavior evidence.
• This paper constructs a self-adversarial learning method that is able to acquire an ensemble of evidence small enough to ensure that behavioral evidence is sufficient and necessary.
• In this paper, we validate the classification enhancement effect of this framework on multiple base methods and datasets to ensure the generality and portability of the approach.

Cyber Threat Intelligence (CTI) provides ample evidence and information regarding the detection of cyber attack activities. Existing methods employ CTI reports to extract Tactics, Techniques and Procedures (TTPs) for attack detection. Nevertheless, these methods struggle to provide necessary and sufficient evidentiary support for recognition decisions, making it difficult for human operators to comprehend and accept the decision-making process. This paper proposes a topic prototype-based explainable TTPs classification approach, which provides accurate boundaries for key evidence to justify the results of TTPs classification. The proposed method introduces a self-adversarial framework for obtaining necessary and sufficient evidence for TTPs classification. The framework consists of an evidence generator and a TTPs classifier discriminator. The evidence generator uses a topic prototype-based keyword importance filtering method to extract evidence from CTI text while removing noise, producing an evidence set and a perturbation set. Subsequently, the impact of the evidence set and the perturbation set on TTPs classification is assessed using our siamese discriminator. The discriminator is specifically trained to ensure that only the elements belonging to the evidence set are accurately classified as TTPs information. The experiments primarily test the necessity and sufficiency of TTPs and evidence.
In the sufficiency evaluations, classical deep learning methods are used for TTPs classification to verify the accuracy of the results, where the proposed method improves Micro F1 scores by 0.16% to 6.63% and Macro F1 scores by 0.26% to 6.85%. To prove necessity, various case-based explainable methods are used to measure the completeness of CTI evidence. The results show that the proposed method is able to obtain more stable predictions, more reasonable evidence sets, and more significant boundaries.
ISSN: 0167-4048; 1872-6208
DOI: 10.1016/j.cose.2023.103369