Home
Threat Report ATT&CK Mapper (TRAM) is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CK®.
TRAM enables researchers to test and refine Machine Learning (ML) models for identifying ATT&CK techniques in prose-based cyber threat intelligence (CTI) reports and allows CTI analysts to train ML models and validate the results.
Through research into automating the mapping of cyber threat intel reports to ATT&CK, TRAM aims to reduce cost and increase the effectiveness of integrating ATT&CK across the CTI community. Threat intel providers, threat intel platforms, and analysts can use TRAM to integrate ATT&CK more easily and consistently into their products.
The purpose of this wiki is to describe the Center for Threat-Informed Defense research, provide reference information on the data annotation process and the ML fine-tuning activities, and enable users to recreate the experiments and further the research.
Mapping TTPs found in CTI reports to MITRE ATT&CK is difficult, error prone, and time-consuming. This release is focused on improving the models that are used in TRAM to perform text classification. The goals of our project can be divided into three areas: having a streamlined approach to generating customized training data through expert annotation, providing high quality training data, and incorporating the best-performing LLM into TRAM.
- Data annotation: Recommended annotation tool features and best practices guide
- High-quality model training data: Annotated 150 reports containing 4,070 technique-labeled sentences out of 19,011 total samples
- TRAM tool updates: Integrating a new prediction model based on SciBERT
See the README on center-for-threat-informed-defense/TRAM for instructions on pulling the Docker images, installing offline, and following the developer build process.
The center-for-threat-informed-defense/TRAM user_notebooks section contains Jupyter notebooks for the SciBERT-based single-label model and the multi-label model. Supplemental notebooks are provided for further fine-tuning each model with additional data.