TU Darmstadt / ULB / TUbiblio

A Feature-driven Method for Automating the Assessment of OSINT Cyber Threat Sources

Tundis, Andrea ; Ruppert, Samuel ; Mühlhäuser, Max (2022):
A Feature-driven Method for Automating the Assessment of OSINT Cyber Threat Sources.
In: Computers & Security, 113, Elsevier, ISSN 0167-4048,
DOI: 10.1016/j.cose.2021.102576,
[Article]

Abstract

Global malware campaigns and large-scale data breaches show how everyday life can be impacted when the defensive measures fail to protect computer systems from cyber threats. Understanding the threat landscape and the adversaries' attack tactics to perform it represent key factors for enabling an efficient defense against threats over the time. Of particular importance is the acquisition of timely and accurate information from threats intelligence sources available on the web which can provide additional intelligence on emerging threats even before they can be observed as actual attacks. Currently, specific indicators of compromise (e.g. IP addresses, domains, hashsums of malicious files) are shared in a semi-automated and structured way via so-called threat feeds. Unfortunately, current systems have to deal with the trade-off between the timeliness of such an alert (i.e. warning at the first mention of a threat) and the need to wait for verification by other sources (i.e. warning after multiple sources have verified the threat). In addition, due to the increasing number of open sources, it is challenging to find the right balance between feasibility and costs in order to identify a relatively small subset of valuable sources. In this paper, a method to automate the assessment of cyber threat intelligence sources and predict a relevance score for each source is proposed. Specifically, a model based on meta-data and word embedding is defined and experimented by training regression models to predict the relevance score of sources on Twitter. The results evaluation show that the assigned score allows to reduce the waiting time for intelligence verification, on the basis of its relevance, thus improving the time advantage of early threat detection.

Item Type: Article
Erschienen: 2022
Creators: Tundis, Andrea ; Ruppert, Samuel ; Mühlhäuser, Max
Title: A Feature-driven Method for Automating the Assessment of OSINT Cyber Threat Sources
Language: English
Abstract:

Global malware campaigns and large-scale data breaches show how everyday life can be impacted when the defensive measures fail to protect computer systems from cyber threats. Understanding the threat landscape and the adversaries' attack tactics to perform it represent key factors for enabling an efficient defense against threats over the time. Of particular importance is the acquisition of timely and accurate information from threats intelligence sources available on the web which can provide additional intelligence on emerging threats even before they can be observed as actual attacks. Currently, specific indicators of compromise (e.g. IP addresses, domains, hashsums of malicious files) are shared in a semi-automated and structured way via so-called threat feeds. Unfortunately, current systems have to deal with the trade-off between the timeliness of such an alert (i.e. warning at the first mention of a threat) and the need to wait for verification by other sources (i.e. warning after multiple sources have verified the threat). In addition, due to the increasing number of open sources, it is challenging to find the right balance between feasibility and costs in order to identify a relatively small subset of valuable sources. In this paper, a method to automate the assessment of cyber threat intelligence sources and predict a relevance score for each source is proposed. Specifically, a model based on meta-data and word embedding is defined and experimented by training regression models to predict the relevance score of sources on Twitter. The results evaluation show that the assigned score allows to reduce the waiting time for intelligence verification, on the basis of its relevance, thus improving the time advantage of early threat detection.

Journal or Publication Title: Computers & Security
Journal volume: 113
Publisher: Elsevier
Uncontrolled Keywords: Open source cyber threat intelligence, Cybersecurity, Machine learning, Feature engineering, Twitter
Divisions: 20 Department of Computer Science
20 Department of Computer Science > Telecooperation
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > emergenCITY
Date Deposited: 21 Dec 2021 12:17
DOI: 10.1016/j.cose.2021.102576
Official URL: https://www.sciencedirect.com/science/article/pii/S016740482...
Additional Information:

Art.No.: 102576

Export:
Suche nach Titel in: TUfind oder in Google
Send an inquiry Send an inquiry

Options (only for editors)
Show editorial Details Show editorial Details