Quality Evaluation of Cyber Threat Intelligence Feeds

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

20 Citations (Scopus)


In order to mount an effective defense, information about likely adversaries, as well as their techniques, tactics and procedures, is needed. This so-called cyber threat intelligence helps an organization to better understand its threat profile. Next to this understanding, specialized feeds of indicators about these threats, downloaded into a firewall or intrusion detection system, allow for a timely reaction to emerging threats. These feeds, however, only provide an actual benefit if they are of high quality, in other words, if they provide relevant, complete information in a timely manner. Incorrect and incomplete information may even cause harm, for example if it leads an organization to block legitimate clients or if the information is too unspecific and results in an excessive amount of collateral damage. In this paper, we evaluate the quality of 17 open source cyber threat intelligence feeds over a period of 14 months, and 7 additional feeds over 7 months. Our analysis shows that the majority of indicators are active for at least 20 days before they are listed. Additionally, we have found that many lists have biases towards certain countries. Finally, we also show that blocking listed IP addresses can yield large amounts of collateral damage.

Original language: English
Title of host publication: Applied Cryptography and Network Security
Editors: Mauro Conti, Jianying Zhou, Emiliano Casalicchio, Angelo Spognardi
Place of Publication: Cham
Number of pages: 20
Edition: Part II
ISBN (Electronic): 978-3-030-57878-7
ISBN (Print): 978-3-030-57877-0
Publication status: Published - 2020
Event: 18th International Conference on Applied Cryptography and Network Security, ACNS 2020 - Rome, Italy
Duration: 19 Oct 2020 – 22 Oct 2020

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 18th International Conference on Applied Cryptography and Network Security, ACNS 2020


  • Blocklist
  • Cyber threat intelligence

