Revealing the Chain with pytm-Seq: Approach for Multi-step Threat Detection
摘要
As software complexity increases and cyberattacks grow more sophisticated, the need for tools that can automatically identify threats within systems has become increasingly evident. However, prior research has primarily focused on detecting attacks or vulnerabilities at individual points within a system, limiting its ability to identify multi-step threats that arise when adversaries exploit the order in which data is transferred among system components. To address this limitation, this paper extends the Data Flow Diagram (DFD) metamodel of the OWASP-ODTM project by incorporating additional information such as data-transfer sequence. Using this extended metamodel, we developed a methodology capable of automatically identifying multi-step threats within a system. We further implemented this methodology in pytm, an existing threat-modelling automation tool, and proposed an enhanced version named pytm-Seq. To demonstrate that pytm-Seq can identify multi-step threats exploited in real-world attacks, we analyzed 52 incidents and derived 7 multi-step threat patterns. We then verify whether these patterns can be detected within DFDs using pytm-Seq. Finally, we quantitatively evaluate the tool’s detection accuracy for the patterns and observe an accuracy of 86%. These findings confirm that the proposed methodology and tool can support multi-step threat analysis by accounting for interactions among multiple components and the sequence of data transfers. (All of the case study results and our tool is open to the public through the following url https://github.com/sinse100/pytm-Seq ).