PKU-ASAL / Simulated-Data


Ground Truth (DARPA TC) #4

Open amaruy opened 6 months ago

amaruy commented 6 months ago

Hey, I can't find the labeled malicious entities for the DARPA engagement datasets. Can you provide them or explain exactly how you extracted them? The paper is vague on the topic. Evaluation, C: "To build the ground truth for the three datasets from DARPA TC, we first labeled the attack according to the documents provided by DARPA."

0xllssFF commented 6 months ago

We extracted the IOCs from the document, such as some file names and IP addresses, searched for them in the data set, and marked the nodes we could find as malicious nodes. We performed the above processing on both DARPA TC E3 and E5, but found that not all IOCs can be found. We found that the missing data in the E5 data set was serious, so we did not choose the E5 data set for evaluation. There are quite a lot of IOCs that can be found in the Ground Truth data sets such as CADETS, THEIA, and TRACE given in the E3 document. During our final detection, we marked the graphs containing these abnormal nodes as attack graphs, and calculated the graph-level/node-level accuracy based on these marked attack nodes.
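The labelling procedure described in the reply above, as an added illustration that is not the PKU-ASAL project's code: match document IOCs (file names, IP addresses) against node names, report the IOCs that could not be found, derive graph-level labels from node-level ones, and score a detector's flagged set against both. The IOC values, node names and graphs are constructed sample data, not values from the DARPA TC documents.

```python
"""Node- and graph-level ground truth from a document-derived IOC list.

Added illustration of the procedure in the reply above, not the PKU-ASAL
project's code. The IOCs, node names and graphs are constructed sample data,
not values from the DARPA TC documents.
"""
from dataclasses import dataclass, field

@dataclass
class Node:
    uuid: str
    kind: str   # "process", "file" or "netflow"
    name: str   # process name, file path or remote IP address

@dataclass
class Graph:
    gid: str
    nodes: list = field(default_factory=list)

def label_nodes(graphs, iocs):
    """Mark nodes whose name matches an IOC as malicious; also return the IOCs
    that were not found, since (as the reply notes) not every documented IOC
    actually appears in the dataset and that gap should stay visible."""
    malicious, found = set(), set()
    for g in graphs:
        for n in g.nodes:
            if n.name in iocs:
                malicious.add(n.uuid)
                found.add(n.name)
    return malicious, set(iocs) - found

def label_graphs(graphs, malicious):
    """A graph is an attack graph iff it contains at least one malicious node."""
    return {g.gid for g in graphs if any(n.uuid in malicious for n in g.nodes)}

def precision_recall(predicted, truth):
    """Precision and recall of a detector's flagged set against the ground truth."""
    tp = len(set(predicted) & set(truth))
    return (tp / len(predicted) if predicted else 0.0,
            tp / len(truth) if truth else 0.0)

# Constructed IOCs (file names and IP addresses) and three small sample graphs.
IOCS = {"/tmp/constructed_dropper", "192.0.2.10", "/var/tmp/never_seen"}
GRAPHS = [
    Graph("g1", [Node("n1", "process", "sshd"), Node("n2", "file", "/etc/passwd")]),
    Graph("g2", [Node("n3", "process", "sh"), Node("n4", "file", "/tmp/constructed_dropper")]),
    Graph("g3", [Node("n5", "netflow", "192.0.2.10"), Node("n6", "file", "/home/u/notes")]),
]
```

With the sample data, one of the three IOCs is never found, which is exactly the situation the reply describes for E5; the unmatched set makes that loss measurable before any accuracy is reported.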