OSTIS: A novel Organization-Specific Threat Intelligence System

Dincy R. Arikkat, Vinod P., Rafidha Rehiman Rafidha*, Serena Nicolazzo, Antonino Nocera, Georgiana Timpau, Mauro Conti

*Corresponding author for this work

Research output: Contribution to journal › Article › Scientific › peer-review

Abstract

With the increasing complexity and frequency of cyber attacks, organizations recognize the need for a proactive and targeted approach to safeguard their digital assets and operations. Every industry faces a distinct array of threats shaped by factors such as its industrial objective, geographic footprint, workforce size, revenue, partnerships, and the extent of its digital assets. This results in a wide heterogeneity of threat landscapes, which calls for tailored threat intelligence sources. While some security practitioners may gravitate towards extensive sources, relying solely on volume-based solutions often leads to "alert fatigue". For this reason, organization-specific threat intelligence has acquired a growing importance in cybersecurity defense. This work presents a complete and novel framework called OSTIS (Organization-Specific Threat Intelligence System) for generating and managing organization-specific Cyber Threat Intelligence (CTI) data. Our approach identifies reliable security blogs from which we gather CTI data through a custom, focused Web crawler. Relevant content from such sources is then identified and extracted using automated deep-learning models. Moreover, our AI-driven solution maps CTI data to specific domain scenarios, such as education, finance, government, healthcare, industrial control systems, and IoT. To validate and gain insights from the trained models, we also include an explainable AI (XAI, for short) task carried out by leveraging the SHapley Additive exPlanations (SHAP) tool. This allows us to interpret the prediction process and discern influential content in the data. The last step of our framework is the generation of an Organization-Specific Threat Intelligence Knowledge Graph (OSTIKG), which enables organizations to identify and visualize attack patterns and incidents promptly.
To create this graph, we develop and adapt several techniques to extract diverse entities, including malware groups, campaigns, attack types, malware types, software tools, and so forth, and to identify relationships among them. Finally, through an extensive experimental campaign, we validate the performance of all the components of our framework, which achieves a 0.84 F1-score in the identification of relevant content, a 0.93 F1-score for domain classification, and F1-scores of 0.95 and 0.89 in the identification of entities and relations, respectively, used to build our OSTIKG graph.
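The abstract describes the last stage of the pipeline only at a high level: tag entities (malware groups, campaigns, malware, tools, attack types, domains) in crawled text, extract relations among them, and build a graph that can be walked to surface attack patterns for a given domain. The block below is an added illustration of that graph-building and querying step, not code from the paper or the OSTIS authors. Where the paper uses trained deep-learning NER and relation-extraction models, this stand-in uses a hand-written gazetteer and regular-expression relation patterns; the entity names (MalGroupX, OpFakeCampaign, LockerToy, PsTool), the sample sentences, and the function names are all constructed for the example.

```python
"""Toy organization-specific CTI knowledge graph (added illustration).

Constructed stand-in for the NER + relation-extraction + graph step described
in the OSTIS abstract: dictionary-based entity tagging, pattern-based relation
extraction, and a hop-bounded walk from a domain node that returns the attack
pattern touching that domain. The paper's own pipeline uses trained models;
nothing here is its code.
"""
import re
from collections import defaultdict

# Constructed gazetteer (hypothetical names; not from the paper or any real feed).
ENTITY_TYPES = {
    "MalGroupX": "malware_group",
    "OpFakeCampaign": "campaign",
    "LockerToy": "malware",
    "phishing": "attack_type",
    "ransomware": "malware_type",
    "PsTool": "software_tool",
    "healthcare": "domain",
    "finance": "domain",
}

# Relation patterns: (regex with named head/tail groups, relation label).
RELATION_PATTERNS = [
    (r"(?P<head>\w+) (?:uses|used|deploys|deployed) (?P<tail>\w+)", "uses"),
    (r"(?P<head>\w+) (?:targets|targeted) (?P<tail>\w+)", "targets"),
    (r"(?P<head>\w+) (?:is|was) delivered via (?P<tail>\w+)", "delivered_via"),
    (r"(?P<head>\w+) (?:is|was) attributed to (?P<tail>\w+)", "attributed_to"),
]

SAMPLE_TEXT = (  # constructed sentences, not real threat reporting
    "OpFakeCampaign was attributed to MalGroupX. "
    "MalGroupX deployed LockerToy against hospitals. "
    "LockerToy is delivered via phishing. "
    "MalGroupX targets healthcare. "
    "LockerToy uses PsTool. "
    "OtherGroup targets finance."
)


def extract_entities(text):
    """Tag every gazetteer term present in text; returns {name: entity_type}."""
    found = {}
    for name, etype in ENTITY_TYPES.items():
        if re.search(r"\b" + re.escape(name) + r"\b", text):
            found[name] = etype
    return found


def extract_relations(text, entities):
    """Pattern-based RE; keep only triples whose endpoints are tagged entities.

    Dropping triples with an untagged endpoint (OtherGroup above) is the
    filter that keeps noise out of the graph.
    """
    triples = []
    for pattern, label in RELATION_PATTERNS:
        for m in re.finditer(pattern, text):
            head, tail = m.group("head"), m.group("tail")
            if head in entities and tail in entities:
                triples.append((head, label, tail))
    return triples


def build_graph(triples):
    """Adjacency over directed triples: node -> set of incident triples.

    Both endpoints index the triple so queries can walk edges in either
    direction (e.g. from a domain back to the group that targets it).
    """
    graph = defaultdict(set)
    for t in triples:
        head, _, tail = t
        graph[head].add(t)
        graph[tail].add(t)
    return graph


def attack_pattern(graph, domain, max_hops=3):
    """Triples reachable from a domain node within max_hops edges, any direction.

    Returns a sorted list; a domain with no tagged actors yields [].
    """
    visited, frontier, collected = {domain}, [domain], set()
    for _ in range(max_hops):
        nxt = []
        for node in frontier:
            for t in graph.get(node, ()):
                collected.add(t)
                other = t[2] if t[0] == node else t[0]
                if other not in visited:
                    visited.add(other)
                    nxt.append(other)
        frontier = nxt
        if not frontier:
            break
    return sorted(collected)


def build_ostikg(text=SAMPLE_TEXT):
    """Run the three stages and return (entities, triples, graph)."""
    entities = extract_entities(text)
    triples = extract_relations(text, entities)
    return entities, triples, build_graph(triples)


if __name__ == "__main__":
    ents, trips, g = build_ostikg()
    for triple in attack_pattern(g, "healthcare"):
        print(triple)
```

Walking from the healthcare node recovers the whole chain (campaign, group, malware, delivery vector, tool) even though only one extracted triple mentions healthcare directly, which is the point of materializing a graph rather than keeping a flat list of indicators; the finance query returns nothing because the only sentence naming finance involves an entity the tagger did not recognize.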

Original language: English
Article number: 103990
Journal: Computers and Security
Volume: 145
DOIs
Publication status: Published - Oct 2024
Externally published: Yes

Keywords

  • Cyber Threat Intelligence
  • Cybersecurity knowledge graph
  • Explainable AI
  • Named entity recognition
  • Natural language processing
  • Organization-specific threat intelligence
  • Relation extraction

