Cyber threat intelligence framework using advanced malware forensics

  • Yansi KeimEmail author
  • A. K. Mohapatra
Original Research


The emerging risk of cybercrimes has compelled the organisations to shift their cyber defence strategy from reactive to proactive. In this paper, we have analysed various cyber threat intelligence models used by organizations with respect to their potential features, their methods of countermeasures, language specification of the threat indicators, whether they are open source or closed source, owning organization, acceptance parameters of security requirements and capability to measure the efficacy of cyber threat intelligence feeds. In addition to this, the paper also proposes a cyber-threat intelligence framework which overcome the problems found in existing models and frameworks. The proposed framework consists of three layers. Layer 1 consists of input layer data incoming from online and offline sources. Layer 2 pre-processes, classifies and filters the received data from layer 1. Layer 3, provides a detailed report using Elastic search–Logstash–Kibana (ELK) stack. The implementation result shows that the proposed model detects new generation malware effectively and fulfils all the security requirements as proposed in SANS Tools and Standards for Cyber Threat Intelligence Projects.


Cyber threat intelligence (CTI) Threat intelligence model (TIM) Security Threat Cyber threat intelligence model (CTIM) Techniques-tools-procedures (TTP) Indicators of compromise (IoC) 


  1. 1.
    State of Malware Report, Malwarebytes Labs, Santa Clara, CA, 2017.
  2. 2.
    Patrick H, Fields Z (2017) A need for cyber security creativity. In: Collective creativity for responsible and sustainable business practice. IGI Global, pp 42–61Google Scholar
  3. 3.
    6 Easy ways to advance your cybersecurity program when you have a small team, ThreatConnect, Arlington, VA (2017).
  4. 4.
  5. 5.
    Osako T, Suzuki T, Iwata Y (2016) Proactive defense model based on cyber threat analysis. FUJITSU Sci Tech J 52(3):72–77Google Scholar
  6. 6.
    Tools and Standards for Cyber Threat Intelligence Projects, October 14th 2013, SANS Institute InfoSec Reading Room.
  7. 7. Accessed 28 Nov 2016 (19:24:16)
  8. 8.
    Obrst L, Chase P, Markeloff R (2012) Developing an ontology of the cyber security domain. STIDS, FairfaxGoogle Scholar
  9. 9.
    VerIS—a framework for gathering risk management Information from security incidents, Wade Baker Alex Hutton Chris Porter, Risk Intelligence Verizon Cybertrust Security,
  10. 10.
  11. 11. Accessed 28 Nov 2016 (19:20:16)
  12. 12.
    Dog, Spike E et al (2016) Strategic cyber threat intelligence sharing: a case study of IDS logs. In: 2016 25th International Conference on Computer Communication and Networks (ICCCN). IEEE, Waikoloa, HI, USAGoogle Scholar
  13. 13. Accessed 28 Nov 2016 (19:34:27)
  14. 14. Accessed 28 Nov 2016 (21:56:28)
  15. 15. Accessed 28 Nov 2016 (20:04:14)
  16. 16. Accessed 02 Dec 2016 (14:20:20)
  17. 17.
    Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX™), February 20, 2014, Mitre Co.,
  18. 18.
  19. 19.
    Trusted Automated eXchange of Indicator Information—TAXII™ enabling cyber threat information exchange, Mitre Corp. Accessed 03 Dec 2016 (19:56:32)
  20. 20. Accessed 02 Dec 2016 (15:12:19)
  21. 21. Accessed 03 Dec 2016 (14:37:12)
  22. 22.
  23. 23.
  24. 24.
    Caltagirone S, Pendergast A, Betz C (2013) The diamond model of intrusion analysis. Center for Cyber Intelligence Analysis and Threat Research, HanoverGoogle Scholar
  25. 25.
  26. 26.
    Pirscoveanu R-S, Stevanovic M, Pedersen JM (2016) Clustering analysis of malware behavior using Self Organizing Map. In: 2016 International conference on cyber situational awareness, data analytics and assessment (CyberSA). IEEE, London, UKGoogle Scholar
  27. 27.
    Annachhatre C, Austin TH, Stamp M (2015) Hidden Markov models for malware classification. J Comput Virol Hacking Tech 11(2):59–73CrossRefGoogle Scholar
  28. 28.
    Pai S et al (2017) Clustering for malware classification. J Comput Virol Hacking Tech 13(2):95–107MathSciNetCrossRefGoogle Scholar
  29. 29.
    Nataraj L, Manjunath BS (2016) SPAM: signal processing to analyze malware. arXiv preprint. arXiv:1605.05280
  30. 30.
    Makandar A, Patrot A (2015) Malware analysis and classification using artificial neural network. In: 2015 International conference on trends in automation, communications and computing technology (I-TACT-15), vol 1. IEEE. Accessed 07 July 2016 (23:12:18)
  31. 31.
    Masud MM, Khan L, Thuraisingham B (2008) A scalable multi-level feature extraction technique to detect malicious executables. Inf Syst Front 10(1):33–45CrossRefGoogle Scholar
  32. 32.
    Ahmadi M et al (2016) Novel feature extraction, selection and fusion for effective malware family classification. In: Proceedings of the sixth ACM conference on data and application security and privacy. ACM, New YorkGoogle Scholar
  33. 33.
    Chen T, Guestrin C (2016) Xgboost: a scalable tree boosting system. In: Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining. ACM, New YorkGoogle Scholar
  34. 34.

Copyright information

© Bharati Vidyapeeth's Institute of Computer Applications and Management 2019

Authors and Affiliations

  1. 1.Indira Gandhi Delhi Technical University for WomenNew DelhiIndia

Personalised recommendations