“…Conversely, an associated URL in threat data might have been used many times. Therefore, threat intelligence must be extracted from the threat data with possible IOCs and their contextual information [3,16,52,46]. Table 1 shows examples of some of these websites that provide threat feeds and are utilized for gathering OSINT.…”
Section: Source Description (mentioning; confidence: 99%)
“…Using threat intelligence platforms, companies can improve their countermeasures against cyber-attacks and prepare detection and prevention mechanisms. In recent years, the cybersecurity communities have emphasized building common threat intelligence platforms to share threat information in a unified and structured way, and make CTI actionable [18,22,31,33,46,52]. Various specifications and protocols such as STIX, TAXII, CybOX, CWE, CAPEC and CVE are widely used to describe and share threat information through common platforms [5,6,12,37].…”
Section: Source Description (mentioning; confidence: 99%)
“…Security teams write scripts and define rules to extract necessary information from CTI, and map alerts and incidents to CTI [3,16,38,46]. Whilst techniques such as defining rules and scripts can be automated, they do not help in identifying evolving threats and alerts [41,52,56], because rules can only be defined for the behavior of known threats. Thus, human understanding and resolution are required to identify, define and update CTI, rules and scripts for emerging threats to adapt to changing contexts.…”
A wide variety of Cyber Threat Information (CTI) is used by Security Operation Centres (SOCs) to perform validation of security incidents and alerts. Security experts manually define different types of rules and scripts based on CTI to perform validation tasks. These rules and scripts need to be updated continuously due to evolving threats, changing SOCs' requirements and the dynamic nature of CTI. The manual process of updating rules and scripts delays the response to attacks. To reduce the burden on human experts and accelerate response, we propose a novel Artificial Intelligence (AI) based framework, SmartValidator. SmartValidator leverages Machine Learning (ML) techniques to enable automated validation of alerts. It consists of three layers that perform the tasks of data collection, model building and alert validation. It frames the validation task as a classification problem. Instead of building and saving models for all possible requirements, we propose to automatically construct the validation models based on the SOC's requirements and CTI. We built a Proof of Concept (PoC) system with eight ML algorithms, two feature engineering techniques and 18 requirements to investigate the effectiveness and efficiency of SmartValidator. The evaluation results showed that when prediction models were built automatically for classifying cyber threat data, the F1-scores of 75% of the models were above 0.8, which indicates adequate performance of the PoC for use in a real-world organization. The results further showed that dynamic construction of prediction models required 99% fewer models to be built than pre-building models for all possible requirements. Thus, SmartValidator is much more efficient to use when SOCs' requirements and threat behaviour are constantly evolving. The framework can be followed by various industries to accelerate and automate the validation of alerts and incidents based on their CTI and SOC's preferences.
“…Threat intelligence (TI) is closely related to cybersecurity IS and SA. It embraces all evidence-based knowledge about existing or emerging threats, which can be used to support cyberdefense decisions. TI has recently attracted great attention, including vendors of security solutions who offer diverse TI solutions…”
Section: Collaborative Security Information Sharing Situation Aware (mentioning)
In recent years, critical infrastructures and power systems in particular have been subjected to sophisticated cyberthreats, including targeted attacks and advanced persistent threats. A promising response to this challenging situation is building up enhanced threat intelligence (TI) that interlinks information sharing and fine-grained situation awareness. In this paper, a framework that integrates all levels of TI, i.e., strategic, tactical, operational, and technical, is presented. The platform implements the centralized model of information exchange, with peer-to-peer interactions between partners as an option. Several supportive solutions were introduced, including anonymity mechanisms and data processing and correlation algorithms. A data model that enables communication of cyberincident information, both in natural language and machine-readable formats, was defined. Similarly, security requirements for critical components were devised. A pilot implementation of the platform was developed and deployed in the operational environment, which enabled practical evaluation of the design. Also, the security of the anonymity architecture was analyzed.