Research Article

Design of Threat Response Modeling Language for Attacker Profile Based on Probability Distribution

Algorithm 1

TTCG generation network based on TRMLang.
Data preparation: Choose the TTP and local TTC of a specific attack action according to the prior attacker profile and key techniques mapping of the attack process;
Input: Attacker Profile (AP) and local TTC set ();
Output: TRMLang model with integrated TTCG generation network.
Start:
Step 1: Get the attack action of a specific attacker: , and calculate the capability factor based on the dynamic attributes of the attacker;
Step 2: Obtain the assets associations () and the defensive distribution () in a defined scene;
Step 3:
fordo
  Calculate the probability distribution for attack action :
  
end for
Step 4: Check the dependency table . If the technique is related to the local TTC set, go to Step 5, otherwise go back to Step 1;
Step 5: Calculate the conditional probability based on CTI automated analysis and ATT&CK collection of attack action .
Step 6:
fordo
  Calculate the normalized conditional probability ;
  Use the prior class probability to calculate the normalized posterior probability .
end for
Step 7: Consider all to calculate the maximal support of for and go to Step 8;
Step 8: If the technique for a given has the maximum posterior probability, then add technique ti to the TTCG generation network and exit. Otherwise, go back to Step 1.
End
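The selection logic of Steps 4 to 8, as an added example that is not code from the article. The formulas are not reproduced on this page, so it assumes plain Bayes' rule (posterior proportional to normalized conditional times prior) and treats the dependency check as a filter on candidate techniques. The ATT&CK technique IDs are real, but every probability, the action names and all function names are constructed for illustration.

```python
"""Steps 4-8 as a Bayes-rule selection. All numbers below are constructed."""

# Assumed prior class probability of each technique under the attacker profile.
PRIOR = {"T1566": 0.4, "T1190": 0.4, "T1078": 0.2}
# Assumed P(action | technique), standing in for the CTI / ATT&CK-derived values.
COND = {
    "initial_access": {"T1566": 0.5, "T1190": 0.9, "T1078": 0.4},
    "persistence": {"T1566": 0.0, "T1190": 0.0, "T1078": 0.0},
}
# Assumed dependency table: is the technique related to the local TTC set?
DEPENDS = {"T1566": True, "T1190": False, "T1078": True}


def normalize(weights):
    """Scale weights to sum to 1; return {} when there is no support at all."""
    total = sum(weights.values())
    if total <= 0:
        return {}
    return {k: v / total for k, v in weights.items()}


def posterior(action, candidates):
    """Step 6: normalized conditional, then normalized posterior via the prior."""
    cond = normalize({t: COND[action][t] for t in candidates})
    return normalize({t: cond[t] * PRIOR[t] for t in cond})


def select_technique(action, network):
    """Steps 4-8. Returns the technique added to the network, or None
    when the caller has to go back to Step 1."""
    candidates = [t for t in PRIOR if DEPENDS.get(t)]          # Step 4
    post = posterior(action, candidates)                       # Steps 5-6
    if not post:
        return None                                            # nothing supported
    best = max(post, key=post.get)                             # Step 7
    network.setdefault(action, []).append((best, post[best]))  # Step 8
    return best


if __name__ == "__main__":
    net = {}
    print(select_technique("initial_access", net), net)
    print(select_technique("persistence", net), net)
```

With these constructed numbers T1190 would score highest on probability alone, but the dependency check removes it, so T1566 is the technique added to the network.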