Enhancing Cybersecurity through Attack Classification Using the Mitre ATT&CK Framework and Machine Learning and Natural Language Processing
Abstract
The development and widespread use of new technologies has led to an increase in cyber-attacks. As these technologies become more accessible and interconnected, they create expanded opportunities for malicious actors to exploit vulnerabilities. Traditional detection methods are insufficient against new cyber-attacks because they generally work signature-based and therefore miss behaviour for which no signature yet exists. New and up-to-date solutions are needed to detect current and complex attacks. Machine learning and related techniques, which have become popular recently, also find wide application in cyber security, where they are used for tasks such as anomaly detection, malware analysis, attack prediction and attack classification. In this study, a comprehensive comparison of machine learning, deep learning and transformer models was conducted to evaluate their performance in classifying endpoint attack logs. The dataset was obtained by collecting the Sysmon logs generated during a series of endpoint attack scenarios. These logs were labelled with the tactics of the MITRE ATT&CK framework for use in model training. The findings demonstrated that among the models tested, the NLP model RoBERTa achieved the best performance, with an accuracy of 88.79% and a notable ability to recognize patterns in endpoint attack logs. These results highlight the model's effectiveness in detecting and classifying attack patterns, offering valuable insights for enhancing endpoint security measures.