DOI: 10.1145/3339252.3342112
research-article

A Quantitative Evaluation of Trust in the Quality of Cyber Threat Intelligence Sources

Published: 26 August 2019

Abstract

Threat intelligence sharing has become a cornerstone of cooperative and collaborative cybersecurity. Sources providing such data have become more widespread in recent years, ranging from public entities (driven by legislative changes) to commercial companies and open communities that provide threat intelligence to help organisations and individuals better understand and assess the cyber threat landscape putting their systems at risk. Tool support to automatically process this information is emerging concurrently. It has been observed that the quality of information received from the sources varies significantly. To assess the quality of a threat intelligence source, it is not sufficient to consider only qualitative indications of the source itself; the data provided by the source must be monitored continuously in order to draw conclusions about the quality of the information it provides. In this paper, we propose a methodology for evaluating cyber threat information sources based on quantitative parameters. The methodology aims to facilitate establishing trust in threat intelligence sources, based on a weighted evaluation method that allows each entity to adapt it to its own needs and priorities. The approach facilitates automated tools utilising threat intelligence, since information to be considered can be prioritised based on which source is trusted the most at the time the intelligence arrives.

Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019
979 pages
ISBN:9781450371643
DOI:10.1145/3339252
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Cooperative and collaborative cybersecurity
  2. cyber threat information sharing
  3. cyber threat intelligence source evaluation
  4. quality parameters
  5. trust indicators

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '19

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2024) You Might Have Known It Earlier: Analyzing the Role of Underground Forums in Threat Intelligence. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 368-383. DOI: 10.1145/3678890.3678930. Online publication date: 30-Sep-2024
  • (2024) Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat Intelligence. IEEE Transactions on Engineering Management, pp. 1-20. DOI: 10.1109/TEM.2023.3279274. Online publication date: 2024
  • (2024) A Methodology for Developing & Assessing CTI Quality Metrics. IEEE Access 12, pp. 6225-6238. DOI: 10.1109/ACCESS.2024.3351108. Online publication date: 2024
  • (2024) Improving quality of indicators of compromise using STIX graphs. Computers & Security 144 (103972). DOI: 10.1016/j.cose.2024.103972. Online publication date: Sep-2024
  • (2024) Comprehensive Threat Analysis in Additive Manufacturing Supply Chain: A Hybrid Qualitative and Quantitative Risk Assessment Framework. Production Engineering. DOI: 10.1007/s11740-024-01283-1. Online publication date: 9-May-2024
  • (2023) Dynamic Risk Assessment in Cybersecurity: A Systematic Literature Review. Future Internet 15:10 (324). DOI: 10.3390/fi15100324. Online publication date: 28-Sep-2023
  • (2023) Blockchain-Based Cyber Threat Intelligence Sharing Using Proof-of-Quality Consensus. Security and Communication Networks 2023. DOI: 10.1155/2023/3303122. Online publication date: 1-Jan-2023
  • (2023) An Exploratory Study on the Use of Threat Intelligence Sharing Platforms in Germany, Austria and Switzerland. Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1-7. DOI: 10.1145/3600160.3600185. Online publication date: 29-Aug-2023
  • (2023) Understanding Indicators of Compromise against Cyber-attacks in Industrial Control Systems: A Security Perspective. ACM Transactions on Cyber-Physical Systems 7:2, pp. 1-33. DOI: 10.1145/3587255. Online publication date: 19-Apr-2023
  • (2023) HDA-TIP: A Framework for Heterogeneous Data Aggregation for Threat Intelligence Platform. 2023 17th International Conference on Ubiquitous Information Management and Communication (IMCOM), pp. 1-7. DOI: 10.1109/IMCOM56909.2023.10035604. Online publication date: 3-Jan-2023
