Ontology-based Cyber Risk Monitoring Using Cyber Threat Intelligence

Merah, Yazid; Kenaza, Tayeb

doi:10.1145/3465481.3470024

Cited by 13 publications

(4 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, Syam et al [5] propose a trusted response management ecosystem where STIX serves as a unified language for threat intelligence providers to seamlessly use CTIs for defensive actions. STIX also plays a crucial role in formalizing ontology for CTI, enabling connections between security events and CTIs, and allowing the inference of new knowledge about potential threats [40]. Prominent entities in the cybersecurity sector, such as SANS [31] and Intel [30], incorporate STIX indicators into their threat-hunting methodologies.…”

Section: Why Do We Focus On Stix?mentioning

confidence: 99%

Sharing cyber threat intelligence: Does it really help?

Jin,

Kim,

Lee

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The sharing of Cyber Threat Intelligence (CTI) across organizations is gaining traction, as it can automate threat analysis and improve security awareness. However, limited empirical studies exist on the prevalent types of cybersecurity threat data and their effectiveness in mitigating cyber attacks. We propose a framework named CTI-Lense to collect and analyze the volume, timeliness, coverage, and quality of Structured Threat Information eXpression (STIX) data, a de facto standard CTI format, from a list of publicly available CTI sources. We collected about 6 million STIX data objects from October 31, 2014 to April 10, 2023 from ten data sources and analyzed their characteristics. Our analysis reveals that STIX data sharing has steadily increased in recent years, but the volume of STIX data shared is still relatively low to cover all cyber threats. Additionally, only a few types of threat data objects have been shared, with malware signatures and URLs accounting for more than 90% of the collected data. While URLs are usually shared promptly, with about 72% of URLs shared earlier than or on the same day as VirusTotal, the sharing of malware signatures is significantly slower. Furthermore, we found that 19% of the Threat actor data contained incorrect information, and only 0.09% of the Indicator data provided security rules to detect cyber attacks. Based on our findings, we recommend practical considerations for effective and scalable STIX data sharing among organizations.

show abstract

Section: Why Do We Focus On Stix?mentioning

confidence: 99%

Sharing cyber threat intelligence: Does it really help?

Jin,

Kim,

Lee

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Gao et al [77] introduced the use of open-source cyber threat intelligence (OSCTI) to analyze APT attacks, which not only helped detect and deal with APT attacks but also improved the understanding and analysis capabilities of threat intelligence to protect network security. In [78,79], structured threat information expression (STIXTM) was used to achieve network threat intelligence and information sharing, addressing the hidden dangers of using a large amount of complex network security information today. The authors [80] used STRIDE to analyze and evaluate security threats faced by systems or applications, helping developers identify and mitigate potential security risks at the design stage and improving the security of systems or applications.…”

Section: Threat Intelligence Modelmentioning

confidence: 99%

Advanced Persistent Threats and Their Defense Methods in Industrial Internet of Things: A Survey

et al. 2023

View full text Add to dashboard Cite

The industrial internet of things (IIoT) is a key pillar of the intelligent society, integrating traditional industry with modern information technology to improve production efficiency and quality. However, the IIoT also faces serious challenges from advanced persistent threats (APTs), a stealthy and persistent method of attack that can cause enormous losses and damages. In this paper, we give the definition and development of APTs. Furthermore, we examine the types of APT attacks that each layer of the four-layer IIoT reference architecture may face and review existing defense techniques. Next, we use several models to model and analyze APT activities in IIoT to identify their inherent characteristics and patterns. Finally, based on a thorough discussion of IIoT security issues, we propose some open research topics and directions.

show abstract

“…By using this ontology to create a malware knowledge map and extract the hidden information from it, Rastogi et al (2020) created a malware ontology called MALONT. A security ontology for risk monitoring was proposed by Merah et al (2021) using Cyber Threat Intelligence (CTI), highlighting the interdependence of risk concepts that could expand the use of Structured Threat Information Expression (STIX). Zhang et al (2021) proposed a RIoTSCO Internet of Things security ontology integrating multi-source heterogeneous data.…”

Section: Related Workmentioning

confidence: 99%

“…The ontology for ICS asset threat in this section is inspired by multiple ontologies Li et al, 2021;Rastogi et al, 2020;Merah et al, 2021). After being combined with some concepts and adjusted by a number of details, the ontology here is more suitable for the description of assets and their environment in ICS.…”

Section: Ics Asset Threat Ontology and Reasoningmentioning

confidence: 99%

Threat Attribution and Reasoning for Industrial Control System Asset

Zhang,

Shi,

et al. 2023

International Journal of Ambient Computing and Intelligence

View full text Add to dashboard Cite

Due to the widespread use of the industrial internet of things, the industrial control system has steadily transformed into an intelligent and informational one. To increase the industrial control system's security, based on industrial control system assets, this paper provides a method of threat modeling, attributing, and reasoning. First, this method characterizes the asset threat of an industrial control system by constructing an asset security ontology based on the asset structure. Second, this approach makes use of machine learning to identify assets and attribute the attacker's attack path. Subsequently, inference rules are devised to replicate the attacker's attack path, thereby reducing the response time of security personnel to threats and strengthening the semantic relationship between asset security within industrial control systems. Finally, the process is used in the simulation environment and real case scenario based on the power grid, where the assets and attacks are mapped. The actual attack path is deduced, and it demonstrates the approach's effectiveness.

show abstract

Ontology-based Cyber Risk Monitoring Using Cyber Threat Intelligence

Cited by 13 publications

References 14 publications

Sharing cyber threat intelligence: Does it really help?

Sharing cyber threat intelligence: Does it really help?

Advanced Persistent Threats and Their Defense Methods in Industrial Internet of Things: A Survey

Threat Attribution and Reasoning for Industrial Control System Asset

Contact Info

Product

Resources

About