Graph Mining-based Trust Evaluation Mechanism with Multidimensional Features for Large-scale Heterogeneous Threat Intelligence

More and more organizations and individuals are paying attention to real-time threat intelligence to protect themselves from complicated, organized, persistent and weaponized cyber attacks. However, most users worry about the trustworthiness of the threat intelligence provided by TISPs (Threat Intelligence Sharing Platforms). Trust evaluation has therefore become a hot topic in applications of TISPs, yet most current TISPs do not present any practical solution for evaluating the trust of the threat intelligence itself. In this paper, we propose a graph mining-based trust evaluation mechanism with multidimensional features for large-scale heterogeneous threat intelligence. The mechanism provides a feasible scheme for trust evaluation in a TISP by integrating a trust-aware intelligence architecture model, a graph mining-based intelligence feature extraction method, and an automatic and interpretable trust evaluation algorithm. We implement this trust evaluation mechanism in a practical TISP (called GTTI) and evaluate the performance of our system on a real-world dataset from three popular cyber threat intelligence sharing platforms. Experimental results show that our mechanism can achieve 92.83% precision and 93.84% recall in trust evaluation. To the best of our knowledge, this work is the first to evaluate the trust level of heterogeneous threat intelligence automatically from the perspective of graph mining with multidimensional features including source, content, time, and feedback. Our work helps human analysts judge intelligence quality in their decision-making, supports building a trust-aware threat intelligence sharing platform, and enhances the availability of heterogeneous threat intelligence so that organizations can be protected against cyberspace attacks effectively.
