Vulcan: Automatic extraction and analysis of cyber threat intelligence from unstructured text

Jo, Hyeonseong; Lee, Yong Jae; Shin, Seungwon

doi:10.1016/j.cose.2022.102763

Cited by 28 publications

(4 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…), personal or business blogs, file or code repositories, public logfiles. The challenging problem is that these sources are in natural language [74] and unstructured (one can imagine a mobile chat group), and require processing information to generate CTI that is concise, structured and better fit to an automated standard and later to be shared on a platform [79], [80], [81]. Another problem is correlation [82]: to build actionable CTI about a specific threat, one is likely to need to correlate multiple sources and at multiple events.…”

Section: ) Architectures and Trust Managementmentioning

confidence: 99%

Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat Intelligence

Jesus,

Bains,

Chang

2024

IEEE Trans. Eng. Manage.

View full text Add to dashboard Cite

Cyber threat intelligence (CTI) is widely recognized as an important area in cybersecurity but it remains an area showing silos and reserved for large organizations. For an area whose strength is in open and responsive sharing, we see that the generation of feeds has a small scale, is secretive, and is nearly always from specialized businesses that have a commercial interest in not publicly sharing insights at a speed where it could be effective in raising preparedness or stopping an attack. This article has three purposes. First, we extensively review the state and challenges of open, crowd-sourced CTI, with a focus on the perceived barriers. Second, having identified that confidentiality (in multiple forms) is a key barrier, we perform a confidentiality threat analysis of existing sharing architectures and standards, including reviewing circa one million of real-world feeds between 2014 and 2022 from the popular open platform MISP toward quantifying the inherent risks. Our goal is to build the case that, either by redesigning sharing architectures or simply performing simple sanitization of shared information, the confidentiality argument is not as strong as one may have presumed. Third, after identifying key requirements for open crowd-based sharing of CTI, we propose a reference (meta-) architecture.Managerial Relevance-CTI is widely recognized as a key advantage toward cyber resilience in its multiple dimensions, from business continuity to reputation/regulatory protection. Furthermore, as we review in this article, there are strong indications that the next generation of approaches to cybersecurity will be centered on CTI. Whereas CTI is an established business area, we see little adoption, closed communities, or high costs that small businesses cannot afford. For an area that, intuitively, should be open, as velocity and accuracy of information is crucial, we shed light on why we have no significant open, crowd-sourced CTI. In other words, why is usage so lacking? We identify reasons and deconstruct unclear and unhelpful rationales by looking at a wide range of literature (research and professional) and an analysis of nearly ten years of open CTI data. Our findings from current data indicate two types of reasons. One, and dominant, is unhelpful perceptions (e.g., confidentiality), and another stems from market factors (e.g., "free-riding") that need collective movement as no single player may be able to break the cycle. After looking at motivations and barriers, we review existing technologies, elicit requirements, and propose a high-level open CTI sharing architecture that could be used as a reference for practitioners.

show abstract

Section: ) Architectures and Trust Managementmentioning

confidence: 99%

Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat Intelligence

Jesus,

Bains,

Chang

2024

IEEE Trans. Eng. Manage.

View full text Add to dashboard Cite

show abstract

“…Esse conhecimento pode melhorar o tempo de resposta a um incidente de seguranc ¸a. Por outro lado, segundo [Jo et al 2022] os IoCs são apenas um dos tipos de dados CTI e não devem ser o único foco das estratégias de seguranc ¸a cibernética, já que as ameac ¸as estão em constante evoluc ¸ão e se tornando cada vez mais sofisticadas.…”

Section: Indicadores De Comprometimento (Iocs)unclassified

“…Durante essas fases, os agentes maliciosos podem deixar rastros associados a atividades específicas, como tentativas de acesso a URLs incomuns ou a manipulac ¸ão de listas de e-mails corporativos. Esses vestígios são conhecidos como Indicadores de Comprometimento (IoCs) [Jo et al 2022], funcionando como uma espécie de impressão digital que pode ser observada por especialistas em seguranc ¸a da informac ¸ão. Além disso, exemplos adicionais de IoCs compreendem enderec ¸os Internet Protocol (IP), nomes de domínio e hashes de arquivos.…”

Section: Introduc ¸ãOunclassified

Extração e Análise de Indicadores de Comprometimento (IoCs) em Fóruns da Dark Web

Jesus Filho,

Gabriel,

Miani

2023

Anais Do XXIII Simpósio Brasileiro De Segurança Da Informação E De Sistemas Computacionais (SBSeg 2023)

View full text Add to dashboard Cite

Com o aumento e sofisticação dos ataques aos sistemas de informação, torna-se essencial extrair inteligência de ameaças cibernéticas. Nesse sentido, os Indicadores de Comprometimento (IoCs), que consistem em sinais capazes de identificar atividades maliciosas em sistemas computacionais, merecem atenção. O presente trabalho dedica-se à extração e análise de IoCs em fóruns da Dark Web, com o objetivo de fornecer informações relevantes à segurança da informação. Os resultados encontrados indicam uma incidência de IoCs superior a 26%, sendo a maioria URLs. Além disso, constatou-se que os posts das categorias relacionadas à computação possuem quase o dobro de IoCs em comparação com outras categorias.

show abstract

“…Zhou et al [4] also proposed an extraction system for APT threat intelligence, but they could only extract related entities. Vulcan [5] extracted descriptive or static CTI data from unstructured text and determined their semantic relationships. However, their defnitions of entities and relationships in threat intelligence are not comprehensive.…”

Section: Introductionmentioning

confidence: 99%

A Novel Threat Intelligence Information Extraction System Combining Multiple Models

Guo

Chen

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

The increasing number of cyberattacks has made the cybersecurity situation more serious. Thus, it is urgent to use cyber threat intelligence to deal with the complex and changing cyber environment. However, cyber threat intelligence usually exists in an unstructured form, and a huge amount of data poses a great challenge to security analysts. To this end, this paper proposes a novel threat intelligence information extraction system combining multiple models, which contains four key steps: entity extraction, coreference resolution, relation extraction, and knowledge graph construction. In the entity extraction task, a multihead self-attention mechanism is adopted to extract the dependency relationships between words. In the coreference resolution task, contextual information and mention embedding are fused to improve the mention representation. Meanwhile, features of different dimensions are extracted using a convolutional neural network. In the relation extraction task, additional features such as part of speech, mention width, entity type, and distance of entity pairs are incorporated to improve the embedding representation. Finally, a knowledge graph is constructed to explicitly present entities and their relationships. Experimental results indicate that compared with the baseline model, the F1 score of our model is improved by at least 8.87, 9.82, and 10.56 on entity extraction, coreference resolution, and relation extraction, respectively. The knowledge graph in Neo4j demonstrates the effectiveness of our system.

show abstract

Vulcan: Automatic extraction and analysis of cyber threat intelligence from unstructured text

Cited by 28 publications

References 10 publications

Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat Intelligence

Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat Intelligence

Extração e Análise de Indicadores de Comprometimento (IoCs) em Fóruns da Dark Web

A Novel Threat Intelligence Information Extraction System Combining Multiple Models

Contact Info

Product

Resources

About