Graph-based visual analytics for cyber threat intelligence

Böhm, Fabian; Menges, Florian; Pernul, Günther

doi:10.1186/s42400-018-0017-4

Cited by 34 publications

(23 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In order to facilitate the definition of rules, it can be helpful to visualize the generated data. Therefore, existing approaches as presented by Böhm et al (2018) could be extended to the proposed data format. Machine learning techniques also show a lot of potential regarding the correlation of data acquired by humans and machine-generated data.…”

Section: Discussionmentioning

confidence: 99%

Human-as-a-security-sensor for harvesting threat intelligence

2019

Self Cite

View full text Add to dashboard Cite

Humans are commonly seen as the weakest link in corporate information security. This led to a lot of effort being put into security training and awareness campaigns, which resulted in employees being less likely the target of successful attacks. Existing approaches, however, do not tap the full potential that can be gained through these campaigns. On the one hand, human perception offers an additional source of contextual information for detected incidents, on the other hand it serves as information source for incidents that may not be detectable by automated procedures. These approaches only allow a text-based reporting of basic incident information. A structured recording of human delivered information that also provides compatibility with existing SIEM systems is still missing. In this work, we propose an approach, which allows humans to systematically report perceived anomalies or incidents in a structured way. Our approach furthermore supports the integration of such reports into analytics systems. Thereby, we identify connecting points to SIEM systems, develop a taxonomy for structuring elements reportable by humans acting as a security sensor and develop a structured data format to record data delivered by humans. A prototypical human-as-a-security-sensor wizard applied to a real-world use-case shows our proof of concept.

show abstract

Section: Discussionmentioning

confidence: 99%

Human-as-a-security-sensor for harvesting threat intelligence

2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…Providing a possible path to solve these requirements, we draw upon the idea to make complex threat intelligence exchange formats, like STIX, accessible for human experts through an interactive visual interface. The feasibility and applicability of this approach have been shown in earlier work [29]. In this work, we implemented and evaluated an open-source visual analytics prototype for STIX.…”

Section: Aggregating Quality Indicatorsmentioning

confidence: 91%

“…Volatility in this setting is expressed by the number of modifications to the assessed STIX object. The number of modifications can be drawn if concepts like the historization from earlier work are implemented [29]. This concept allows to track changes and the number of changes applied to a STIX object.…”

Section: S A(a)mentioning

confidence: 99%

“…6 This is quite reasonable as STIX is based in graph-like structure itself. Additionally, the integrity-preserving storage concept proposed by Böhm et al [29] is most efficiently implemented using this technology. We extend this approach by adding a new database to the architecture.…”

Section: Persisting Quality Indicators In the Cti Vaultmentioning

confidence: 99%

“…Throughout this section, we describe the changes we made to the original visual interface to include visual indications about the quality of STIX artifacts. In Böhm et al [29], the process of visually analyzing STIX-based CTI with KAVAS starts with a simple drop-down menu to select the report of interest. The drop-down menu contains only the name of the report given by its publisher.…”

Section: Displaying Quality Indicators In Kavasmentioning

confidence: 99%

See 2 more Smart Citations

Measuring and visualizing cyber threat intelligence quality

Schlette

Böhm

Caselli

et al. 2020

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

The very raison d'être of cyber threat intelligence (CTI) is to provide meaningful knowledge about cyber security threats. The exchange and collaborative generation of CTI by the means of sharing platforms has proven to be an important aspect of practical application. It is evident to infer that inaccurate, incomplete, or outdated threat intelligence is a major problem as only high-quality CTI can be helpful to detect and defend against cyber attacks. Additionally, while the amount of available CTI is increasing it is not warranted that quality remains unaffected. In conjunction with the increasing number of available CTI, it is thus in the best interest of every stakeholder to be aware of the quality of a CTI artifact. This allows for informed decisions and permits detailed analyses. Our work makes a twofold contribution to the challenge of assessing threat intelligence quality. We first propose a series of relevant quality dimensions and configure metrics to assess the respective dimensions in the context of CTI. In a second step, we showcase the extension of an existing CTI analysis tool to make the quality assessment transparent to security analysts. Furthermore, analysts' subjective perceptions are, where necessary, included in the quality assessment concept.

show abstract

Unifying Cyber Threat Intelligence

Menges

Sperl

Pernul

2019

Trust, Privacy and Security in Digital Business

View full text Add to dashboard Cite

The threat landscape and the associated number of IT security incidents are constantly increasing. In order to address this problem, a trend towards cooperative approaches and the exchange of information on security incidents has been developing over recent years. Today, several different data formats with varying properties are available that allow to structure and describe incidents as well as cyber threat intelligence (CTI) information. Observed differences in data formats implicate problems in regard to consistent understanding and compatibility. This ultimately builds a barrier for efficient information exchange. Moreover, a common definition for the components of CTI formats is missing. In order to improve this situation, this work presents an approach for the description and unification of these formats. Therefore, we propose a model that describes the elementary properties as well as a common notation for entities within CTI formats. In addition, we develop a unified model to show the results of our work, to improve the understanding of CTI data formats and to discuss possible future research directions.

show abstract

Graph-based visual analytics for cyber threat intelligence

Cited by 34 publications

References 21 publications

Human-as-a-security-sensor for harvesting threat intelligence

Human-as-a-security-sensor for harvesting threat intelligence

Measuring and visualizing cyber threat intelligence quality

Unifying Cyber Threat Intelligence

Contact Info

Product

Resources

About