Abstract

Security organizations increasingly rely on Cyber Threat Intelligence (CTI) sharing to enhance resilience against cyber threats. However, its effectiveness remains dubious due to two major limitations: first, the existing approaches fail to identify unseen types of Indicators of Compromise (IOCs); second, they are incapable of automatically generating categorized CTIs with domain tags (e.g., finance, government), which makes CTI sharing ineffective. To address these challenges, this paper proposes TIMiner, a novel automated framework for CTI extraction and sharing based on social media data. In particular, an efficient domain recognizer based on a convolutional neural network is first implemented to identify the domain targeted by a CTI. Then, an IOC extraction approach based on word embedding and syntactic dependence is proposed, which provides the ability to identify unseen types of IOCs. Finally, the extracted IOC and its domain tag are integrated to generate a domain-specific, categorized CTI. TIMiner is thus capable of generating CTIs with domain tags automatically. On top of the categorized CTIs, Threat-Index is presented to quantify the severity of the threats toward different domains. Experimental results confirm that the proposed CTI domain recognizer and IOC extraction achieve superior performance, with accuracies exceeding 84% and 94%, respectively. Moreover, TIMiner yields new insights into the evolution of cyber attacks across multiple domains.
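The pipeline the abstract describes (domain tagging, extraction of known and unseen IOC types, integration into categorized CTI, and a per-domain severity index) can be sketched end to end. The following is an added illustration written for this page; it is not TIMiner's code and does not reproduce the paper's methods. The keyword-based domain tagger is a hypothetical stand-in for the CNN domain recognizer, the cue-word heuristic is a hypothetical stand-in for the embedding and dependency based extractor, and the "threat index" here is simply a count of distinct indicators per domain, not the paper's Threat-Index. All sample posts and indicator values are constructed placeholders.

```python
"""Toy CTI extraction pipeline over social-media posts.

Added example for illustration only. The heuristics below (keyword domain
tagging, cue-word indicator detection, indicator counting) are hypothetical
substitutes for the components described in the TIMiner abstract.
"""
import re
from collections import defaultdict

# Constructed sample posts (not real data); every indicator value is a placeholder.
SAMPLE_POSTS = [
    "New banking trojan campaign: C2 at 203.0.113.45, dropper sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "Phishing kit hitting several ministries; landing domain login-gov-portal.example",
    "Ransomware note observed at a hospital network; ransom wallet "
    "bc1qexamplewalletaddress0000000000",
    "Talking about 'IOC' at the conference tomorrow, see you there!",
]

# IOC types the extractor already "knows" (the seen types of the abstract).
KNOWN_IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Cue words whose following token is treated as a candidate indicator even when it
# matches no known pattern: a crude, hypothetical substitute for using syntactic
# context to surface unseen IOC types.
CUE_WORDS = {"c2", "wallet", "domain", "hash", "sha256", "md5", "url"}
SKIP_WORDS = {"at", "is", "the", "a", "of", "to"}

# Hypothetical keyword lists standing in for the paper's CNN domain recognizer.
DOMAIN_KEYWORDS = {
    "finance": ("bank", "banking", "payment", "atm"),
    "government": ("ministry", "ministries", "government", "federal"),
    "healthcare": ("hospital", "clinic", "patient", "medical"),
}


def _tokens(text):
    """Whitespace tokens with surrounding punctuation stripped."""
    return [t.strip(",;:.'\"!()") for t in text.split()]


def _looks_like_indicator(tok):
    """Cheap shape test: long enough and carries digits or dots like most IOCs."""
    return len(tok) >= 8 and any(c.isdigit() or c == "." for c in tok)


def extract_iocs(text):
    """Return a list of (ioc_type, value); known patterns first, then cue-based hits."""
    found, seen = [], set()
    for ioc_type, pat in KNOWN_IOC_PATTERNS.items():
        for m in pat.finditer(text):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                found.append((ioc_type, m.group(0)))
    toks = _tokens(text)
    for i, tok in enumerate(toks):
        if tok.lower() not in CUE_WORDS:
            continue
        # Look a few tokens past the cue, skipping function words.
        for cand in toks[i + 1:i + 4]:
            if cand.lower() in SKIP_WORDS:
                continue
            if _looks_like_indicator(cand) and cand not in seen:
                seen.add(cand)
                found.append(("cue_context", cand))  # unseen type, tagged by context
            break
    return found


def tag_domain(text):
    """Pick the domain whose keywords occur most often; 'unknown' if none occur."""
    toks = {t.lower() for t in _tokens(text)}
    scores = {d: sum(1 for k in kws if k in toks) for d, kws in DOMAIN_KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


def build_cti(posts):
    """Integrate each extracted IOC with its post's domain tag into categorized CTI."""
    cti = []
    for post in posts:
        domain = tag_domain(post)
        for ioc_type, value in extract_iocs(post):
            cti.append({"domain": domain, "ioc_type": ioc_type, "value": value})
    return cti


def threat_index(cti):
    """Placeholder severity measure: distinct indicators observed per domain."""
    per_domain = defaultdict(set)
    for rec in cti:
        per_domain[rec["domain"]].add((rec["ioc_type"], rec["value"]))
    return {d: len(v) for d, v in per_domain.items()}


if __name__ == "__main__":
    records = build_cti(SAMPLE_POSTS)
    for rec in records:
        print(rec)
    print(threat_index(records))
```

The fourth post mentions "IOC" but contains no indicator and no domain keyword, so it produces no CTI record; the wallet address in the third post matches none of the known patterns and is only surfaced because it follows the cue word "wallet", which is the unseen-type situation the abstract highlights.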
