Cybersecurity Event Detection with New and Re-emerging Words

Shin, Hyejin; Shim, WooChul; Moon, Jiin; Seo, Jae Woo; Lee, Sol; Hwang, Yong Ho

doi:10.1145/3320269.3384721

Cited by 11 publications

(5 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We selected the 20 security keywords in Table 1 for the following experiments. Based on previous researches [54,55] and our preliminary study, we selected keywords most likely to be shared on Twitter for information about phishing sites. We also selected the same number of Security Keywords in Japanese as those translated from English.…”

Section: Collecting Tweetsmentioning

confidence: 99%

“…Threat Intelligence Extraction from Twitter. Research on threat intelligence generation using Twitter information has been conducted from various perspectives [16,30,51,54,55]. Shin et al proposed a system to extract four types of information from a text on Twitter and external blogs: URLs, domain names, IP addresses, and hash values related to cyberattacks [55].…”

Section: Related Workmentioning

confidence: 99%

“…In this study, we propose an approach that uses Twitter as a new observation point to immediately collect actual phishing situations encountered by users that have bypassed existing countermeasures and to understand the characteristics of such phishing. Some previous studies have also used Twitter as a source to extract nonphishing cyberattack information (e.g., vulnerability information and malware behavior information) [16,51,54,55] and limited phishing cyberattack information (e.g., search by fixed keywords or monitor only specific users) [52,55,58]. Specifically, these previous studies used Twitter posts of the cyberattack information by security experts, which allowed them to identify vulnerability information and indicator of compromises (IOCs) before they were published on the National Vulnerability Database [42] and Virus-Total [10].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Nakano¹,

Chiba²,

Koide³

et al. 2023

Preprint

View full text Add to dashboard Cite

The rise in phishing attacks via e-mail and short message service (SMS) has not slowed down at all. The first thing we need to do to combat the ever-increasing number of phishing attacks is to collect and characterize more phishing cases that reach end users. Without understanding these characteristics, anti-phishing countermeasures cannot evolve. In this study, we propose an approach using Twitter as a new observation point to immediately collect and characterize phishing cases via e-mail and SMS that evade countermeasures and reach users. Specifically, we propose CrowdCanary, a system capable of structurally and accurately extracting phishing information (e.g., URLs and domains) from tweets about phishing by users who have actually discovered or encountered it. In our three months of live operation, CrowdCanary identified 35,432 phishing URLs out of 38,935 phishing reports. We confirmed that 31,960 (90.2%) of these phishing URLs were later detected by the anti-virus engine, demonstrating that CrowdCanary is superior to existing systems in both accuracy and volume of threat extraction. We also analyzed users who shared phishing threats by utilizing the extracted phishing URLs and categorized them into two distinct groups -namely, experts and non-experts. As a result, we found that CrowdCanary could collect information that is specifically included in non-expert reports, such as information shared only by the company brand name in the tweet, information about phishing attacks that we find only in the image of the tweet, and information about the landing page before the redirect.

show abstract

Section: Collecting Tweetsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Nakano¹,

Chiba²,

Koide³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Finally, two Dense layers and the Softmax function are designed for detection and classification. [16], [31], [32], [14] apply CNN and BiLSTM neural networks as the basic framework to extract features of the domain information for NER in CTI. The differences among them are just attention mechanisms such as selfattention or multi-head attention allocating the corresponding weight of the extracted token feature, and tag decoders such as softmax or CRF obtaining association information among tags.…”

Section: Related Workmentioning

confidence: 99%

Multi-features based Semantic Augmentation Networks for Named Entity Recognition in Threat Intelligence

Li¹,

Li²,

Wang³

et al. 2022

Preprint

View full text Add to dashboard Cite

Extracting cybersecurity entities such as attackers and vulnerabilities from unstructured network texts is an important part of security analysis. However, the sparsity of intelligence data resulted from the higher frequency variations and the randomness of cybersecurity entity names makes it difficult for current methods to perform well in extracting security-related concepts and entities. To this end, we propose a semantic augmentation method which incorporates different linguistic features to enrich the representation of input tokens to detect and classify the cybersecurity names over unstructured text. In particular, we encode and aggregate the constituent feature, morphological feature and part of speech feature for each input token to improve the robustness of the method. More than that, a token gets augmented semantic information from its most similar K words in cybersecurity domain corpus where an attentive module is leveraged to weigh differences of the words, and from contextual clues based on a large-scale general field corpus. We have conducted experiments on the cybersecurity datasets DNRTI and MalwareTextDB, and the results demonstrate the effectiveness of the proposed method.

show abstract

“…They also address Twitter's role in significant cyber events, such as the publication of multiple zero-day Denial-of-service (DDoS) vulnerabilities in Microsoft Windows, user reports on various DDoS attacks, the publication of sensitive data, and the origins of ransomware operations [7,8]. Shin et al [9] discussed that open data sources are a great place to find information about threats. Their work highlight the crucial aspect of the security of installed software and systems is the early detection of developing security threats from such information.…”

Section: Introductionmentioning

confidence: 99%

Deep Learning Based Cyber Event Detection from Open-Source Re-Emerging Social Data

Mohammad,

Al-Ahmadi,

Al-Muhtadi

2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

Social media forums have emerged as the most popular form of communication in the modern technology era, allowing people to discuss and express their opinions. This increases the amount of material being shared on social media sites. There is a wealth of information about the threat that may be found in such open data sources. The security of already-deployed software and systems relies heavily on the timely detection of newly-emerging threats to their safety that can be gleaned from such information. Despite the fact that several models for detecting cybersecurity events have been presented, it remains challenging to extract security events from the vast amounts of unstructured text present in public data sources. The majority of the currently available methods concentrate on detecting events that have a high number of dimensions. This is because the unstructured text in open data sources typically contains a large number of dimensions. However, to react to attacks quicker than they can be launched, security analysts and information technology operators need to be aware of critical security events as soon as possible, regardless of how often they are reported. This research provides a unique event detection method that can swiftly identify significant security events from open forums such as Twitter. The proposed work identified new threats and the revival of an attack or related event, independent of the volume of mentions relating to those events on Twitter. In this research work, deep learning has been used to extract predictive features from open-source text. The proposed model is composed of data collection, data transformation, feature extraction using deep learning, Latent Dirichlet Allocation (LDA) based medium-level cyber-event detection and final Google Trends-based high-level cyber-event detection. The proposed technique has been evaluated on numerous datasets. Experiment results show that the proposed method outperforms existing methods in detecting cyber events by giving 95.96% accuracy.

show abstract

Cybersecurity Event Detection with New and Re-emerging Words

Cited by 11 publications

References 20 publications

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Multi-features based Semantic Augmentation Networks for Named Entity Recognition in Threat Intelligence

Deep Learning Based Cyber Event Detection from Open-Source Re-Emerging Social Data

Contact Info

Product

Resources

About