Abstract

Threat intelligence contains valuable information for cyber security; however, it usually comes from multiple sources and is described with different data formats and schemas, which not only makes intelligence integration and analysis inefficient but also makes threat intelligence sharing difficult. Therefore, a unified representation of threat intelligence becomes a crucial challenge. This paper presents an ontology-based unified model for describing multi-source, heterogeneous threat intelligence. In our model, we first propose the cyber security ontology and the unified model. Threat intelligence from different sources can then be mapped to our unified model to achieve a unified representation, which makes threat intelligence sharing and analysis more efficient. Furthermore, we propose and implement an intelligence integration framework based on our unified intelligence model and the open source intelligence collection tool IntelMQ. The feasibility and effectiveness of our model are verified by the performance of this framework.
