-
Notifications
You must be signed in to change notification settings - Fork 100
Using TRAM
The main workflow of TRAM is:
- User uploads report.
- The system processes the report and generates the ATT&CK technique labels.
- Users validates and accepts the ATT&CK technique labels.
To upload a report, click "Upload Report" in the menu bar.
In this example, we uploaded a report called "From Zero to Domain Admin.pdf". After the file finishes uploading, we see the report appear at the top of the list with the status "Queued". In the background, the system will start processing the report.
Important The BERT machine learning model takes a few minutes to process a report. If you configure your system to use a different classifier, such as logistic regression, the analysis can run a lot faster -- as little as 5-10 seconds.
When the report analysis is finished, its status will change to "Reviewing". This means that the report is ready for human validation.
Click the "Analyze" button next to the report to view it's contents.
The interface shows the report on the left side. The report is broken up into small fragments (either sentences or phrases, depending on how you configured TRAM's machine learning system). If a fragment has an ATT&CK technique label, it will display a number. In the example below, the number 1 next to the highlighted phrase indicates that one ATT&CK technique has been mapped to it.
When you select a sentence, the right side of the screen will show the labels applied to that sentence. If you disagree with the machine learning system's label, you can click the red button to remove it from that phrase. You can also click the "Add" button to add any ATT&CK technique to that phrase. Finally, click the "Accepted" button to finalize the mapping status.
After accepting a label, the box next to the phrase will turn green to show that it has been accepted, and the system will automatically scroll you to the next phrase. Click "Close Report" to return to the main screen.
The ML Admin screen lets you peek under the hood of the machine learning system.
Note: the ML Admin screen does not apply to the default BERTClassifierModel, because that model is pretrained and included with TRAM. It cannot be retrained from within your TRAM environment.
On the left side of the screen, you see a summary of the training data, including which ATT&CK techniques have been trained on and how many training records are labeled for each technique. On the right side you can see the ML models included with TRAM as well as their F-1 scores, which are a measure of overall performance. You can