CTI ANT Research Paper

Accepted to the IEEE International Workshop on Big Data Analytics for Cyber Threat Hunting (CyberHunt 2020)
Cyber Threat Intelligence
Threat Hunting
MITRE ATT&CK
Machine Learning
Natural Language Processing

Chia-En Tsai

October 30, 2020

CTI ANT: Hunting for Chinese Threat Intelligence

Abstract—As cybercriminals continually challenge the security of enterprises with sophisticated and rapidly evolving exploits, cyber threat intelligence (CTI) has emerged as a promising way to enhance resilience: by understanding and focusing on the adversaries that target a given industry, the limited resources that constrain every SOC can be used efficiently. With a wide array of public and commercial sources distributing threat intelligence data, extending intelligence collection and analysis has become indispensable to developing effective cybersecurity measures. Unstructured data such as technical articles and reports are known to be difficult to analyze and formalize. While many previous research works attempt to semantically extract unstructured threat intelligence, none of them is applied to Chinese data sources. As China is both the largest source and victim of cyberattacks, the lack of visibility into Chinese data sources is a major blind spot of CTI. In this paper, we present CTI ANT, the first automatic system for analyzing Chinese CTI, which extends threat intelligence visibility to Chinese data sources. CTI ANT consists of three sub-systems: an automatic classification system (CSAC) for inspecting threat intelligence types, a recommendation system (CTRS) that identifies trending keywords to assist threat analysts, and a Web API that labels MITRE ATT&CK® techniques in Chinese APT reports. Evaluation results confirm that the proposed CSAC and CTRS achieve superior performance, with average accuracies exceeding 93% and 80%, respectively. Moreover, the MITRE ATT&CK Web API produces precise labels for Chinese ATT&CK reports, stimulating new insights into Chinese CTI.

I. Introduction

As security boundaries become more complicated and blurred, it is extremely difficult to build a totally secure infrastructure against unknown threats, especially for large enterprises. To better defend against unknown threats, Cyber Threat Intelligence (CTI) has become a promising and paramount solution: defending against threats by understanding your enemies [1] [2] [3]. The threat intelligence cycle can be divided into five steps: requirements, collection, analysis, production, and evaluation [1]. According to Li et al. [2], no single intelligence platform covers enough intelligence to defend adequately. This has led many researchers to focus on extending the collection and analysis steps to diverse intelligence sources in order to enlarge visibility.

By data type, intelligence collection and analysis can be further divided into two classes: structured and unstructured. Structured data includes formalized data such as IPs, domains, and malware hashes, generally referred to as IoCs (Indicators of Compromise). Structured data can be seamlessly integrated into security operations. On the other hand, many research papers, APT (Advanced Persistent Threat) reports, and technical articles belong to unstructured data. These data can depict a threat actor's TTPs (Tactics, Techniques, and Procedures), which are believed to be tougher for threat actors to alter and bypass. However, unstructured data is known to be difficult to analyze and formalize, creating many challenges for the cybersecurity industry.

In this paper, we propose CTI ANT (Chinese Threat Intelligence ANalysis sysTem), the first automatic system for extracting threat intelligence from unstructured Chinese data sources via several NLP (Natural Language Processing) methodologies.
The contributions of this paper are as follows:

• To the best of our knowledge, the proposed scheme is the first CTI framework for Chinese unstructured data sources.
• We propose a system that automatically recognizes MITRE ATT&CK techniques in Chinese APT reports.
• We automatically classify article types and identify keywords that help threat analysts locate relevant articles more easily.

II. Related Works

NLP is widely applied to unstructured CTI data, for example to extract IoCs from security articles. Since named entities carry a significant amount of the information in unstructured data, NER (Named Entity Recognition) has become an important topic in this field. Zhao et al. applied word embeddings and syntactic dependencies to extract IoCs from unstructured data [4], while Wang et al. used a finite-state transducer for NER [5]. BiLSTM-CRF has also been used for NER by Wu et al. [6]. Instead of using NER, Cyber-All-Intel encodes unstructured data into vectorized knowledge graphs to answer general queries [7]. Furthermore, NLP can also be used to attribute threat actors for higher-level applications [8].

To provide a unified representation of threat actors' TTPs, the MITRE ATT&CK Framework was published. However, because these techniques may not be written in articles using a consistent named-entity style, NER cannot be applied directly. MITRE's TRAM was the first attempt to recognize MITRE ATT&CK techniques in articles [9]. rcATT was also proposed to recognize MITRE techniques via a number of NLP methods [10]. Husari et al. [11] recognized the tactics of the MITRE ATT&CK Framework and characterized their temporal relationships.
However, none of the aforementioned research is applied to Chinese data sources. As China is both the largest source and victim of cyberattacks, the lack of visibility into Chinese data sources creates a severe blind spot for CTI. Meanwhile, highly active Chinese security forums provide fertile sources of intelligence. This indicates that Chinese CTI is worthy of research. CTI ANT aims to extend threat intelligence visibility to Chinese data sources. To the best of our knowledge, we are the first to propose a CTI system capable of handling Chinese data sources.

III. Design and Implementation

A. Hypothesis

Our CTI prototype is designed to analyze cybersecurity articles. The hypothesis is that each article is cybersecurity-related and its content is predominantly written in simplified Chinese, with little English. Hence, NLP analysis techniques are applicable to these articles, as they follow general writing structures. However, technical terms occur more frequently in cybersecurity articles than in ordinary ones; this feature is taken into account in our prototype, as elaborated below.

Fig. 1: Proposed prototype architecture

B. Architecture

Figure 1 illustrates the architecture of the proposed prototype, the Chinese Threat Intelligence ANalysis sysTem (CTI ANT), which contains an Article Scraper (AS), an Article Preprocessor (AP), a Cyber Security Article Classifier (CSAC), a Cyber Topic Recommendation System (CTRS), and a MITRE ATT&CK Detector (MD).

The AS automatically accumulates cybersecurity articles and MITRE ATT&CK techniques from cybersecurity forums. It removes irrelevant information and retrieves the title and technical content of each article. These articles are then inspected by the AP, which uses NLP algorithms to divide each article into word tokens and filter out unrelated tokens based on an expert-defined filtering list.

The processed MITRE ATT&CK techniques are fed to the MD, which splits the content into sentence segments and labels them with the corresponding MITRE ATT&CK techniques indicated in the data source. In the ATT&CK classifier, the MD evaluates different NLP classifiers to determine which yields the highest MITRE ATT&CK technique detection accuracy.

The processed articles, on the other hand, are dispatched to the CSAC and the CTRS. Each article is vectorized and decomposed through NLP algorithms. The CTRS then extracts the top N cybersecurity topics for two categories: Vulnerabilities and Enterprise Security. Receiving the previously vectorized articles from the CTRS, the CSAC analyzes term importance for each token and employs the topic classifier to determine the corresponding topic of each cybersecurity article.

C. Information Extraction and Token Identification

To detect cybersecurity topics and MITRE ATT&CK techniques, cybersecurity articles are extracted from a prestigious Chinese cybersecurity forum, FREEBUF [12], and pre-processed: noise is removed, and stop words and uncommon cybersecurity terms that may mislead the subsequent NLP classifiers are filtered out.

1) Article Scraping: The Article Scraper (AS) is essentially a crawler written in Python that accumulates the content and title of each article. Two Python crawlers are used: one crawls cybersecurity articles on FREEBUF and the other crawls Chinese MITRE ATT&CK articles on VULHUB [13]. The FREEBUF crawler starts from the homepages of the two principal cybersecurity categories, Vulnerabilities and Enterprise Security.
The two categories are selected for their prevalence and wide coverage of cybersecurity topics. One major problem is that a considerable number of the extracted articles were incomplete, consisting only of titles without content; additionally, the crawler was denied access to FREEBUF's articles after frequent attempts. To give the crawler sufficient time to extract the articles comprehensively, the AS increases the wait interval between article extractions.

The VULHUB crawler specifically selects frequent and significant cyberattack techniques recognized by cybersecurity experts. Some of the selected techniques are: web shell (T1100), process injection (T1055), credential dumping (T1003), and pass the hash (T1075). The crawler labels the content and title for each technique. The problems encountered by the VULHUB crawler are addressed with the same measures as for the FREEBUF crawler.
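As an illustration of the rate-limited scraping described above, the following is a minimal Python sketch; the listing URLs, CSS selectors, and the 10-second wait interval are assumptions for illustration, since the paper does not publish its crawler code.

    import time
    import requests
    from bs4 import BeautifulSoup

    # Hypothetical category listing pages; the real crawler starts from
    # FREEBUF's Vulnerabilities and Enterprise Security homepages.
    CATEGORY_URLS = {
        "vulnerabilities": "https://www.freebuf.com/vuls",
        "enterprise_security": "https://www.freebuf.com/articles/es",
    }

    WAIT_SECONDS = 10  # widen the interval between requests to avoid being blocked


    def fetch_article(url: str) -> dict:
        """Download one article and keep only its title and technical content."""
        resp = requests.get(url, timeout=30)
        resp.raise_for_status()
        soup = BeautifulSoup(resp.text, "html.parser")
        title = soup.find("h1")                             # selector is an assumption
        body = soup.find("div", class_="article-content")   # selector is an assumption
        return {
            "url": url,
            "title": title.get_text(strip=True) if title else "",
            "content": body.get_text(" ", strip=True) if body else "",
        }


    def scrape(article_urls):
        articles = []
        for url in article_urls:
            try:
                articles.append(fetch_article(url))
            except requests.RequestException:
                continue  # skip incomplete or inaccessible articles
            time.sleep(WAIT_SECONDS)  # the paper's fix for access denial after frequent attempts
        return articles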
2) Article Preprocessing: Numerous word phrases are unrelated to cybersecurity topics even in professional cybersecurity articles; for example, common phrases and conjunctions are intertwined with the technical descriptions. Such content has to be removed prior to further classification. The Article Preprocessor (AP) therefore breaks each article into shorter word segments using the Jieba simplified-Chinese tokenizer. The subsequent pre-processing step is to create a stop-word list that helps the AP identify unrelated word phrases. The AP stop-word list includes the simplified-Chinese stop-word list from the Harbin Institute of Technology [14] as well as a cybersecurity-specific terminology list provided by coworking cybersecurity experts.
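A minimal sketch of this preprocessing step, assuming the two stop-word sources have been merged into one plain-text file (the file name is illustrative):

    import jieba


    def load_stop_words(path="stopwords_zh_plus_security.txt"):
        """Load the merged HIT + expert-supplied stop-word list (illustrative file name)."""
        with open(path, encoding="utf-8") as f:
            return {line.strip() for line in f if line.strip()}


    def preprocess(article_text: str, stop_words: set) -> list:
        """Tokenize a simplified-Chinese article with Jieba and drop unrelated tokens."""
        tokens = jieba.lcut(article_text)      # Jieba word segmentation
        return [
            tok for tok in tokens
            if tok.strip() and tok not in stop_words and not tok.isdigit()
        ]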
D. Cyber Topic Recommendation System

As illustrated in Figure 1, one objective of CTI ANT is to establish a Cyber Topic Recommendation System (CTRS) that displays prevalent cybersecurity topics for Vulnerabilities and Enterprise Security respectively. The components of the CTRS are as follows.

1) Count Vectorizer: Once all articles are pre-processed, the Count Vectorizer converts the text into a matrix of word-token counts (i.e., a term-document matrix). This representation is more machine-comprehensible and allows the subsequent NLP methods to perform their analysis more efficiently and accurately. The CTRS Count Vectorizer uses the implementation in scikit-learn [15]. It generates two term-document matrices, one for vulnerabilities articles and one for enterprise security articles.

2) Vector Decomposition: In this step, the CTRS organizes the technical terms into different clusters (i.e., cyber topics). After examining current vector decomposition methods, Singular Value Decomposition (SVD) was adopted for the promising results it demonstrated in a Japanese SVD clustering study [16]. Using the Vulnerabilities count-vectorizer matrix as input, SVD decomposes the matrix into three matrices: item vectors, singular values, and subject vectors. Of these, the subject vectors are employed in the CTRS because they group the technical tokens into clusters (i.e., subjects) based on their inter-similarity. Each cluster is a vector represented by topic-related technical tokens from the cybersecurity articles. To extract the top N topics in Vulnerabilities, the Subject Vector Extractor (SVE) sorts the subject vectors and represents each topic with its most associated technical word tokens. The same vector decomposition and SVE procedures are then applied to the Enterprise Security count-vectorizer matrix.
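The CTRS pipeline described above can be sketched with scikit-learn's CountVectorizer and TruncatedSVD; the number of topics and of keywords per topic below are illustrative choices, not values reported in the paper.

    from sklearn.feature_extraction.text import CountVectorizer
    from sklearn.decomposition import TruncatedSVD


    def top_topics(token_lists, n_topics=5, n_terms=8):
        """Return topics for one category, each described by its most associated tokens."""
        docs = [" ".join(tokens) for tokens in token_lists]   # pre-tokenized articles
        vectorizer = CountVectorizer()
        term_doc = vectorizer.fit_transform(docs)             # term-document matrix

        svd = TruncatedSVD(n_components=n_topics, random_state=0)
        svd.fit(term_doc)                                     # SVD decomposition

        terms = vectorizer.get_feature_names_out()
        topics = []
        for subject_vector in svd.components_:                # one "subject vector" per topic
            top_idx = subject_vector.argsort()[::-1][:n_terms]
            topics.append([terms[i] for i in top_idx])
        return topics

The same function would be run once on the Vulnerabilities articles and once on the Enterprise Security articles, mirroring the two term-document matrices described above.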
E. Cyber Security Article Classifier

The CTRS depends on constant article updates to keep its recommendation results up to date. To achieve this, the Cyber Security Article Classifier (CSAC) determines the category of each article from the target categories, Vulnerabilities and Enterprise Security, and pushes the newly classified articles to the respective recommendation systems. The CSAC is built as a machine-learning data pipeline whose components are shown in Figure 1.

1) Term Importance Generator: Using the vectorized cybersecurity articles from the CTRS, the Term Importance Generator (TIG) generates a word-importance value for each cybersecurity term, enabling the subsequent Topic Classifier to identify important word tokens. In this research, the TIG applies TF-IDF to the aforementioned term-document matrix to measure the importance of a cybersecurity term to an article. The TIG is run separately on the two target categories. With the term importance generated and retained, the articles for the target categories are labeled and merged into a single file set.

2) Topic Classifier: Given the merged file set, the Topic Classifier (TC) determines the classification boundary between the two target categories; that is, each article is classified into either the Vulnerabilities or the Enterprise Security category. The classifier can be trained with different kinds of machine learning techniques. In this paper, the TC applies Stochastic Gradient Descent (SGD) with a logistic-regression loss function, which works well on a small labeled dataset, where every training point has a certain influence on the estimated logistic regression function. A CTI study [17] has demonstrated promising results using logistic regression.
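A sketch of the CSAC pipeline under these choices, with TF-IDF term importance feeding an SGD classifier that uses a logistic-regression loss; apart from the loss, scikit-learn defaults are assumed, consistent with the parameter settings in Section IV.

    from sklearn.pipeline import Pipeline
    from sklearn.feature_extraction.text import CountVectorizer, TfidfTransformer
    from sklearn.linear_model import SGDClassifier

    # Labels: "vulnerabilities" vs. "enterprise_security"
    csac = Pipeline([
        ("count", CountVectorizer()),        # term-document matrix (Section III-D1)
        ("tfidf", TfidfTransformer()),       # term importance (TIG)
        ("clf", SGDClassifier(loss="log_loss", random_state=0)),  # logistic-regression loss
    ])                                       # use loss="log" on older scikit-learn releases

    # train_texts / train_labels: the labeled, merged article set described above
    # csac.fit(train_texts, train_labels)
    # predicted = csac.predict(test_texts)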
F. MITRE ATT&CK Detector

The MITRE ATT&CK Detector (MD) expands the capability of the CSAC: from identifying Vulnerabilities and Enterprise Security articles to detecting and recognizing prevalent MITRE ATT&CK techniques, as illustrated in Figure 1.

1) Sentence Splitter and Data Labeling: Unlike the CSAC, which uses a complete article as a single data point, the MD analyzes each sentence segment of a MITRE ATT&CK (MA) description. The primary reason for this different approach is that the MA corpus contains precise yet compact descriptions of each cyberattack technique; by implementing the Sentence Splitter (SS), the MD can examine the MA corpus more thoroughly. After the MA corpus is processed by the SS, each sentence segment is labeled with a tag that represents the cyberattack type. Although stop words are removed from the sentence segments beforehand, many generic phrases still do not point to a specific MITRE ATT&CK technique. For example, a sentence stating that a cyberattack "bypasses restrictions" is considered generic, as it applies to many attacks. To resolve this issue, generic phrase segments are manually selected and assigned a dedicated "non-attack description" tag. This data-labeling approach enables the subsequent ATT&CK classifier to detect verifiable MITRE ATT&CK descriptions with higher accuracy.

2) ATT&CK Classifier: Before the labeled sentence segments are fed to the ATT&CK classifier, they pass through a data pipeline consisting of the Count Vectorizer and the TF-IDF model. For the ATT&CK classifier, three classification models are compared and analyzed: Naïve Bayes, SGD, and Decision Tree. In recognizing MITRE ATT&CK techniques, the SGD classifier yielded the highest precision and recall.

3) Web API: To create an interchangeable interface for the MD, a Web API is proposed. A cybersecurity article can be submitted via the Web API, which returns a detection report of all MITRE ATT&CK related descriptions in the submitted article. For each description, the Web API predicts and returns the top N corresponding MITRE ATT&CK labels.
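One possible shape for such a Web API, sketched with Flask; the endpoint path, payload field, top-N default, sentence splitter, and model file name are assumptions, and the loaded classifier is expected to expose predict_proba (e.g., SGD with a logistic-regression loss, or Naïve Bayes).

    import re
    import joblib
    import numpy as np
    from flask import Flask, request, jsonify

    app = Flask(__name__)
    attack_clf = joblib.load("attack_classifier.joblib")  # trained pipeline; file name is illustrative
    TOP_N = 3  # assumed default number of candidate ATT&CK labels per description


    def split_sentences(text: str):
        """Rough sentence splitter for mixed Chinese/English text (stand-in for the SS)."""
        return [s for s in re.split(r"[。！？.!?]\s*", text) if s.strip()]


    @app.route("/detect", methods=["POST"])   # endpoint path is illustrative
    def detect():
        article = request.get_json()["article"]
        report = []
        for sent in split_sentences(article):
            probs = attack_clf.predict_proba([sent])[0]        # requires a probabilistic model
            top_idx = np.argsort(probs)[::-1][:TOP_N]
            labels = [str(attack_clf.classes_[i]) for i in top_idx]
            report.append({"sentence": sent, "techniques": labels})
        return jsonify(report)


    if __name__ == "__main__":
        app.run()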
IV. Evaluation

To evaluate the accuracy, coverage, and performance of CTI ANT, 826 real-world cybersecurity articles were analyzed in the experiment. In this section, we first introduce the experiment environment settings and then present the evaluation results.

A. Settings

In this subsection, we explain the datasets used in the evaluation and the parameter settings of the system.

Datasets: Two datasets are used in the evaluation: a security forum dataset for training the Cyber Topic Recommendation System (III-D) and the topic classifier (III-E), and a MITRE ATT&CK dataset for training the MITRE ATT&CK Detector (III-F).

1) Security Forum Dataset: This dataset contains 287 cybersecurity articles collected from FREEBUF [12], one of the most recognized security forums in the Chinese-speaking world. The forum hosts rich and up-to-date cybersecurity threat and technique reports in simplified Chinese. From the description tags of these articles, we assembled the links pointing to their sources and crawled 143 vulnerabilities and 144 enterprise security articles, including their titles and technical text content.

2) MITRE ATT&CK Dataset: These files were collected from VULHUB, a well-recognized portal for MITRE ATT&CK techniques in simplified Chinese. The dataset contains 539 MITRE ATT&CK descriptions, including their title, technical content, and corresponding ATT&CK ID (in the format T followed by four digits). As no standard benchmark exists for MITRE ATT&CK techniques, we established a benchmark based on the assumption that every statement in an article relates to its corresponding ATT&CK ID.

Fig. 2: Training time comparison of Naïve Bayes, SGD, and Decision Tree

Parameter settings: The environment and parameters of the proposed system are configured as follows:

1) Environment: CTI ANT runs on a virtual machine leased from DigitalOcean with 8 GB of memory and 4 vCPUs. The training times of the Naïve Bayes, SGD, and Decision Tree classifiers are shown in Figure 2.

2) Classifier Parameters: For SGD, the loss function is the "logistic regression" function instead of the default "hinge" function, for the reasons given in III-E. Apart from SGD, the classifiers use the default parameters of the scikit-learn models.

3) Data Pipeline: The NLP data pipeline is implemented with scipy models to accommodate the data flow.

B. Results

1) Accuracy and coverage: We evaluated the topic classifier (TC) on the testing data from the cybersecurity dataset.
As shown in Table I, the evaluation demonstrates that our prototype achieves a precision of 92% and a recall of 96% in finding vulnerabilities articles. In finding enterprise security articles, the TC achieves 95% precision and 91% recall.

TABLE I: Precision and recall (%)

                        Precision   Recall
  Vulnerabilities           92        96
  Enterprise Security       95        91

We also analyzed the misclassified data so that the accuracy can be further improved in the future. Two misclassified articles, Data 5 and Data 10, are discussed below.

First, Data 5 is an incorrect classification by the CSAC: it was predicted as a vulnerabilities article although it belongs to the Enterprise Security category on FREEBUF [12]. However, cybersecurity experts deemed this article an undeterminable case, as it lies at the classification boundary of the two classes.
Since Data 5 not only introduces the benefits of AWVS (a vulnerability scanner) for enterprise security but also includes AWVS implementation details (a recognized feature of vulnerabilities articles), the article overlaps both the Vulnerabilities and Enterprise Security classes. The article's ambiguity therefore prevents the classifier from clearly determining its category.

Data 10, in contrast, was predicted by the CSAC as an Enterprise Security article although it belongs to the Vulnerabilities category on FREEBUF [12]. The article was thoroughly inspected by cybersecurity experts. Based on their evaluation, although Data 10 thoroughly depicts vulnerabilities caused by remote code execution, the article also contains many terms that frequently occur in the Enterprise Security class, such as "Magecart" (a hacker group that steals personal information from online merchants). Such high-frequency terms tend to mislead the classifier.

For the MITRE ATT&CK classifier, the results are depicted in Figure 3. Compared with a random guess with an accuracy of 3%, the SGD classifier yielded the highest precision at 43.6%; the Naïve Bayes and Decision Tree models reached accuracies of 21.6% and 37.3%, respectively.

Fig. 3: Comparison of random guess, SGD, Naïve Bayes, and Decision Tree

From our data, we investigated the root cause of the low accuracy of Naïve Bayes and Decision Tree. For Naïve Bayes, many cybersecurity tokens did not appear in both the training and testing datasets, which causes a zero-conditional-probability problem and degrades the classifier's performance. The decision tree classifier, on the other hand, easily overfits by learning from noisy data and optimizing for the particular sample, which causes its variable ordering and importance to change significantly; the substantial amount of noisy data (i.e., non-attack descriptions) in the MITRE ATT&CK dataset is thus an underlying cause of its poor performance.

To examine the MITRE ATT&CK classifier's results more deeply, we visualize them as a heatmap. In Figure 4, the diagonal cells are lighter, indicating correct decisions by the classifier. It is worth noting that almost the entire T1003 column is also lighter, showing that the classifier misclassifies many other techniques as T1003; the reason may be that the dataset contains more T1003 samples than samples of other techniques. Similarly, several techniques are misclassified into the Non-Attack class, so the cells in the Non-Attack column are also lighter. Both problems stem from data imbalance; collecting more diversified data for each class to balance the dataset could substantially relieve the problem.

Fig. 4: Correlation matrix for MITRE ATT&CK IDs
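The Figure 4 heatmap is essentially a visualization of the classifier's confusion matrix over ATT&CK IDs and the non-attack tag; a sketch of how such a figure can be produced with scikit-learn and matplotlib is shown below, where the true and predicted label arrays are assumed to come from the held-out test sentences.

    import matplotlib.pyplot as plt
    from sklearn.metrics import confusion_matrix, ConfusionMatrixDisplay


    def plot_attack_heatmap(y_true, y_pred):
        """Confusion-matrix heatmap over ATT&CK IDs plus the non-attack tag."""
        labels = sorted(set(y_true) | set(y_pred))
        cm = confusion_matrix(y_true, y_pred, labels=labels)
        disp = ConfusionMatrixDisplay(cm, display_labels=labels)
        disp.plot(xticks_rotation=90)   # the diagonal highlights correct decisions
        plt.tight_layout()
        plt.show()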
Fig. 5: Topics by CTRS

To understand the effectiveness of the Cyber Topic Recommendation System (CTRS), some topics extracted by the CTRS are listed in Figure 5, with the original Chinese and the English translation both given for reference. For example, the topic Vulnerabilities-1 can readily be recognized as relating to cryptography, authentication, and network application vulnerabilities.
Therefore, these topics can provide a higher level of meaning for security experts. We also observe from Figure 5 that there are still some overly common keywords (e.g., argument, information security, and step). These keywords carry little information, so removing them could further improve the effectiveness of the CTRS.

While there is no ground truth available for evaluating the CTRS, its results were manually reviewed by security experts. The evaluation shown in Table II indicates that the ratio of related topics found is 75% for vulnerability articles and 85% for Enterprise Security articles. This demonstrates that the CTRS can provide meaningful hints that help security experts quickly capture the topics of an article.

TABLE II: Evaluation results of the CTRS

  Topic                 Non-related   High   Medium   Low
  Vulnerabilities            5          4       4      7
  Enterprise Security        3          6       7      4

V. Conclusion

As mentioned in the introduction, the lack of Chinese threat intelligence visibility creates a blind spot for CTI, while highly active Chinese security forums provide fertile sources of intelligence. In this paper we propose CTI ANT, a novel prototype for Chinese CTI analysis, to extend threat intelligence visibility and analysis capability to Chinese data sources. In addition to the quantitative performance measurements given in the evaluation section, we highlight the following findings from our study:

1) Cyber Security Article Classifier (CSAC): We established an automatic classification system that helps security analysts quickly identify the theme of cyber threat data, a significant step toward Chinese CTI gathering and updating.

2) Cyber Topic Recommendation System (CTRS): It determines the inter-similarity of prevalent security-related keywords and clusters them into distinct cybersecurity topics. The CTRS results not only assist threat analysts in identifying key threat actors so that appropriate security controls can be deployed, but also reveal intrinsic connections across keywords.

3) MITRE ATT&CK Detector (MD): We analyzed various classification models for automatically recognizing MITRE ATT&CK techniques in Chinese APT reports, facilitating the design of better cyber defense mechanisms across multiple domains. By visualizing the MITRE ATT&CK detections as a heatmap, we further uncovered the imbalance of Chinese MITRE ATT&CK data and proposed adjustment strategies to enable more efficient future Chinese CTI inspection.

References

[1] D. Chismon and M. Ruks, "Threat intelligence: Collecting, analysing, evaluating," MWR InfoSecurity Ltd, 2015.
[2] V. G. Li, M. Dunn, P. Pearce, D. McCoy, G. M. Voelker, and S. Savage, "Reading the tea leaves: A comparative analysis of threat intelligence," in 28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 851–867.
[3] S. Samtani, M. Abate, V. Benjamin, and W. Li, "Cybersecurity as an industry: A cyber threat intelligence perspective," The Palgrave Handbook of International Cybercrime and Cyberdeviance, pp. 135–154, 2020.
[4] J. Zhao, Q. Yan, J. Li, M. Shao, Z. He, and B. Li, "TIMiner: Automatically extracting and analyzing categorized cyber threat intelligence from social data," Computers & Security, p. 101867, 2020.
[5] T. Wang and K. P. Chow, "Automatic tagging of cyber threat intelligence unstructured data using semantics extraction," in 2019 IEEE International Conference on Intelligence and Security Informatics (ISI). IEEE, 2019, pp. 197–199.
[6] H. Wu, X. Li, and Y. Gao, "An effective approach of named entity recognition for cyber threat intelligence," in 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), vol. 1. IEEE, 2020, pp. 1370–1374.
[7] S. Mittal, A. Joshi, and T. Finin, "Cyber-All-Intel: An AI for security related threat intelligence," arXiv preprint arXiv:1905.02895, 2019.
[8] L. Perry, B. Shapira, and R. Puzis, "NO-DOUBT: Attack attribution based on threat intelligence reports," in 2019 IEEE International Conference on Intelligence and Security Informatics (ISI). IEEE, 2019, pp. 80–85.
[9] MITRE, Threat Report ATT&CK® Mapping (TRAM), 2019 (accessed October 4, 2020). [Online]. Available: https://github.com/mitre-attack/tram
[10] V. Legoy, "rcATT: Retrieving ATT&CK tactics and techniques in cyber threat reports," FIRST Cyber Threat Intelligence Symposium, 2020.
[11] G. Husari, E. Al-Shaer, B. Chu, and R. F. Rahman, "Learning APT chains from cyber threat intelligence," in Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security, 2019, pp. 1–2.
[12] FreeBuf, 2012 (accessed October 15, 2020), https://www.freebuf.com/.
[13] VULHUB, 2012 (accessed October 15, 2020), http://vulhub.org.cn/attack.
[14] Simplified Chinese Stop Word List, 2019 (accessed October 15, 2020), https://github.com/goto456/stopwords/blob/master/cn_stopwords.txt.
[15] F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay, "Scikit-learn: Machine learning in Python," Journal of Machine Learning Research, vol. 12, pp. 2825–2830, 2011.
[16] C. Sumiyoshi, H. Fujino, T. Sumiyoshi, Y. Yasuda, H. Yamamori, M. Fujimoto, and R. Hashimoto, "Semantic memory organization in Japanese patients with schizophrenia examined with category fluency," Frontiers in Psychiatry, vol. 9, p. 87, 2018.
[17] X. Liao, K. Yuan, X. Wang, Z. Li, L. Xing, and R. Beyah, "Acing the IOC game: Toward automatic discovery and analysis of open-source cyber threat intelligence," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). New York, NY, USA: Association for Computing Machinery, 2016, pp. 755–766.