Abstract
Identifying attacks on computer networks is a complex task, given the huge number of machines, the diversity of data, and the large volume of data. Cyber Threat Intelligence consists of collecting, classifying, and enriching data, and producing knowledge about threats for network defense systems. In this scenario, we find network Intrusion Detection Systems, which specifically analyze network traffic, detect anomalies through signatures, and generate records for system operators. The purpose of this work is to present a methodology for generating Threat Intelligence knowledge from the records of network sensors, collecting Indicators of Compromise and enriching them to feed Threat Intelligence Sharing Platforms. Our methodology speeds up the decision-making process because it incorporates an up-to-date, public repository of signatures directly in the collector, eliminating the need for a separate threat identification step. For the demonstration and evaluation of the methodology, a proof of concept was carried out that covered the entire threat identification cycle.
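As an added illustration of the pipeline the abstract describes (example code, not from the paper), the following Python reads constructed Suricata-style EVE JSON alert records, extracts source-IP indicators together with the signature metadata the sensor already attached, and shapes them as MISP-style attributes for a sharing platform. The record format, field names, and the attribute layout are assumptions, not the authors' implementation.

```python
import json

# Constructed Suricata-style EVE JSON lines (assumed format, not the paper's data).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-01-10T12:00:01+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":445,"alert":{"signature_id":2024001,"signature":"ET SCAN Example SMB probe","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2023-01-10T12:00:02+0000","event_type":"flow","src_ip":"198.51.100.4","dest_ip":"192.0.2.10"}',
    '{"timestamp":"2023-01-10T12:00:03+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.11","dest_port":445,"alert":{"signature_id":2024001,"signature":"ET SCAN Example SMB probe","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2023-01-10T12:00:04+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.12","dest_port":80,"alert":{"signature_id":2024002,"signature":"ET WEB_SERVER Example traversal","category":"Web Application Attack","severity":1}}',
]


def extract_indicators(lines):
    """Aggregate one indicator per source IP from alert records only.
    The signature fields ride along with the alert, so the collector needs
    no separate classification pass to label the indicator."""
    iocs = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/dns/http records carry no detection verdict
        sig = rec["alert"]
        entry = iocs.setdefault(rec["src_ip"], {
            "sid": sig["signature_id"], "signature": sig["signature"],
            "category": sig["category"], "severity": sig["severity"],
            "first_seen": rec["timestamp"], "last_seen": rec["timestamp"],
            "targets": set(), "hits": 0,
        })
        entry["hits"] += 1
        entry["last_seen"] = max(entry["last_seen"], rec["timestamp"])
        entry["targets"].add(rec["dest_ip"])
    return iocs


def to_sharing_attributes(iocs):
    """Shape each indicator as a MISP-style attribute dict (assumed layout)."""
    attrs = []
    for ip, info in iocs.items():
        attrs.append({
            "type": "ip-src", "category": "Network activity", "value": ip,
            "to_ids": True,  # indicator is fit for automated detection feeds
            "first_seen": info["first_seen"], "last_seen": info["last_seen"],
            "comment": f"sid {info['sid']}: {info['signature']} "
                       f"({info['hits']} hits, {len(info['targets'])} targets)",
            "Tag": [{"name": f"ids:category=\"{info['category']}\""},
                    {"name": f"ids:severity=\"{info['severity']}\""}],
        })
    return attrs


if __name__ == "__main__":
    print(json.dumps(to_sharing_attributes(extract_indicators(SAMPLE_EVE_LINES)), indent=2))
```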
The authors are grateful for the support of ABIN TED 08/2019.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Pincovscy, JA., Costa-Gondim, JJ. (2023). Methodology for Cyber Threat Intelligence with Sensor Integration. In: Garcia, M.V., Gordón-Gallegos, C. (eds) CSEI: International Conference on Computer Science, Electronics and Industrial Engineering (CSEI). CSEI 2022. Lecture Notes in Networks and Systems, vol 678. Springer, Cham. https://doi.org/10.1007/978-3-031-30592-4_2
DOI: https://doi.org/10.1007/978-3-031-30592-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30591-7
Online ISBN: 978-3-031-30592-4