OSTIS：新颖的特定组织威胁情报系统

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2024-07-19 DOI:10.1016/j.cose.2024.103990

{"title":"OSTIS：新颖的特定组织威胁情报系统","authors":"","doi":"10.1016/j.cose.2024.103990","DOIUrl":null,"url":null,"abstract":"<div><p>With the increasing complexity and frequency of cyber attacks, organizations recognize the need for a proactive and targeted approach to safeguard their digital assets and operations. Every industry faces a distinct array of threats shaped by factors such as its industrial objective, geographic footprint, workforce size, revenue, partnerships, and the extent of its digital assets. This results in a wide heterogeneity in threat landscapes, which necessitates tailored threat intelligence sources. While some security practitioners may gravitate towards extensive sources, relying solely on volume-based solutions often leads to “alert fatigue”. For this reason, organization-specific threat intelligence has acquired a growing importance in cybersecurity defense.</p><p>This work presents a complete and novel framework called OSTIS (Organization-Specific Threat Intelligence System) for generating and managing organization-specific Cyber Threat Intelligence (CTI) data. Our approach identifies reliable security blogs from which we gather CTI data through a custom and focused Web Crawler. Relevant content from such sources is, then, identified and extracted using automated deep-learning models. Moreover, our AI-driven solution maps CTI data to specific domain scenarios, such as education, finance, government, healthcare, industrial control systems, and IoT. To validate and gain insights from the trained models, we also include an explainable AI (XAI, for short) task carried out by leveraging the SHapley Additive exPlanations (SHAP) tool. This allows us to interpret the prediction process and discern influential content from data. The last step of our framework consists of the generation of an Organization Specific Threat Intelligence Knowledge Graph (OSTIKG), empowering organizations to identify and visualize attack patterns and incidents, promptly. To create this graph, we develop and adapt several techniques to extract diverse entities, including malware groups, campaigns, attack types, malware types, software tools, and so forth, and to identify relationships among them. Finally, through an extensive experimental campaign, we certify the validity and performance of all the components of our framework, which shows a 0.84 F1-score in the identification of relevant content, a 0.93 F1-score for the domain classification, and a 0.95 and 0.89 F1-score in the identification of entities and relations to build our OSTIKG graph.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8000,"publicationDate":"2024-07-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"OSTIS: A novel Organization-Specific Threat Intelligence System\",\"authors\":\"\",\"doi\":\"10.1016/j.cose.2024.103990\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>With the increasing complexity and frequency of cyber attacks, organizations recognize the need for a proactive and targeted approach to safeguard their digital assets and operations. Every industry faces a distinct array of threats shaped by factors such as its industrial objective, geographic footprint, workforce size, revenue, partnerships, and the extent of its digital assets. This results in a wide heterogeneity in threat landscapes, which necessitates tailored threat intelligence sources. While some security practitioners may gravitate towards extensive sources, relying solely on volume-based solutions often leads to “alert fatigue”. For this reason, organization-specific threat intelligence has acquired a growing importance in cybersecurity defense.</p><p>This work presents a complete and novel framework called OSTIS (Organization-Specific Threat Intelligence System) for generating and managing organization-specific Cyber Threat Intelligence (CTI) data. Our approach identifies reliable security blogs from which we gather CTI data through a custom and focused Web Crawler. Relevant content from such sources is, then, identified and extracted using automated deep-learning models. Moreover, our AI-driven solution maps CTI data to specific domain scenarios, such as education, finance, government, healthcare, industrial control systems, and IoT. To validate and gain insights from the trained models, we also include an explainable AI (XAI, for short) task carried out by leveraging the SHapley Additive exPlanations (SHAP) tool. This allows us to interpret the prediction process and discern influential content from data. The last step of our framework consists of the generation of an Organization Specific Threat Intelligence Knowledge Graph (OSTIKG), empowering organizations to identify and visualize attack patterns and incidents, promptly. To create this graph, we develop and adapt several techniques to extract diverse entities, including malware groups, campaigns, attack types, malware types, software tools, and so forth, and to identify relationships among them. Finally, through an extensive experimental campaign, we certify the validity and performance of all the components of our framework, which shows a 0.84 F1-score in the identification of relevant content, a 0.93 F1-score for the domain classification, and a 0.95 and 0.89 F1-score in the identification of entities and relations to build our OSTIKG graph.</p></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":4.8000,\"publicationDate\":\"2024-07-19\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404824002955\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824002955","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

随着网络攻击的日益复杂和频繁，企业认识到需要采取积极主动和有针对性的方法来保护其数字资产和运营。每个行业都面临着一系列不同的威胁，这些威胁受其行业目标、地理覆盖范围、员工规模、收入、合作关系以及数字资产规模等因素的影响。这就造成了威胁环境的广泛异质性，因此需要量身定制的威胁情报源。虽然一些安全从业人员可能会倾向于广泛的情报来源，但仅仅依靠基于数量的解决方案往往会导致 "警报疲劳"。因此，针对特定组织的威胁情报在网络安全防御中的重要性与日俱增。这项工作提出了一个名为 OSTIS（特定组织威胁情报系统）的完整而新颖的框架，用于生成和管理针对特定组织的网络威胁情报（CTI）数据。我们的方法识别可靠的安全博客，并通过定制的重点网络爬虫从中收集 CTI 数据。然后，使用自动深度学习模型识别和提取这些来源的相关内容。此外，我们的人工智能驱动解决方案将 CTI 数据映射到特定的领域场景，如教育、金融、政府、医疗保健、工业控制系统和物联网。为了验证训练有素的模型并从中获得洞察力，我们还利用 SHapley Additive exPlanations（SHAP）工具执行了一项可解释的人工智能（简称 XAI）任务。这使我们能够解释预测过程，并从数据中找出有影响力的内容。我们框架的最后一步是生成组织特定威胁情报知识图谱（OSTIKG），使组织能够及时识别和可视化攻击模式和事件。为创建该图，我们开发并调整了多种技术，以提取各种实体，包括恶意软件群组、活动、攻击类型、恶意软件类型、软件工具等，并识别它们之间的关系。最后，通过广泛的实验活动，我们证明了框架所有组件的有效性和性能，在识别相关内容方面的 F1 分数为 0.84，在领域分类方面的 F1 分数为 0.93，在识别实体和关系以构建 OSTIKG 图表方面的 F1 分数分别为 0.95 和 0.89。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

OSTIS: A novel Organization-Specific Threat Intelligence System

With the increasing complexity and frequency of cyber attacks, organizations recognize the need for a proactive and targeted approach to safeguard their digital assets and operations. Every industry faces a distinct array of threats shaped by factors such as its industrial objective, geographic footprint, workforce size, revenue, partnerships, and the extent of its digital assets. This results in a wide heterogeneity in threat landscapes, which necessitates tailored threat intelligence sources. While some security practitioners may gravitate towards extensive sources, relying solely on volume-based solutions often leads to “alert fatigue”. For this reason, organization-specific threat intelligence has acquired a growing importance in cybersecurity defense.

This work presents a complete and novel framework called OSTIS (Organization-Specific Threat Intelligence System) for generating and managing organization-specific Cyber Threat Intelligence (CTI) data. Our approach identifies reliable security blogs from which we gather CTI data through a custom and focused Web Crawler. Relevant content from such sources is, then, identified and extracted using automated deep-learning models. Moreover, our AI-driven solution maps CTI data to specific domain scenarios, such as education, finance, government, healthcare, industrial control systems, and IoT. To validate and gain insights from the trained models, we also include an explainable AI (XAI, for short) task carried out by leveraging the SHapley Additive exPlanations (SHAP) tool. This allows us to interpret the prediction process and discern influential content from data. The last step of our framework consists of the generation of an Organization Specific Threat Intelligence Knowledge Graph (OSTIKG), empowering organizations to identify and visualize attack patterns and incidents, promptly. To create this graph, we develop and adapt several techniques to extract diverse entities, including malware groups, campaigns, attack types, malware types, software tools, and so forth, and to identify relationships among them. Finally, through an extensive experimental campaign, we certify the validity and performance of all the components of our framework, which shows a 0.84 F1-score in the identification of relevant content, a 0.93 F1-score for the domain classification, and a 0.95 and 0.89 F1-score in the identification of entities and relations to build our OSTIKG graph.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.