A System for Automated Open-Source Threat Intelligence Gathering and Management

TL;DR

This paper introduces SecurityKG, an automated system that gathers, extracts, and manages open-source cyber threat intelligence using AI and NLP, creating an interactive security knowledge graph to enhance threat understanding.

Contribution

The paper presents a novel system, SecurityKG, that automates OSCTI collection, extracts high-level threat concepts, and constructs an interactive knowledge graph, addressing limitations of existing platforms.

Findings

Successfully integrates AI and NLP for high-fidelity threat knowledge extraction

Creates an interactive security knowledge graph for threat analysis

Enhances understanding of threat behaviors beyond low-level indicators

Abstract

To remain aware of the fast-evolving cyber threat landscape, open-source Cyber Threat Intelligence (OSCTI) has received growing attention from the community. Commonly, knowledge about threats is presented in a vast number of OSCTI reports. Despite the pressing need for high-quality OSCTI, existing OSCTI gathering and management platforms, however, have primarily focused on isolated, low-level Indicators of Compromise. On the other hand, higher-level concepts (e.g., adversary tactics, techniques, and procedures) and their relationships have been overlooked, which contain essential knowledge about threat behaviors that is critical to uncovering the complete threat scenario. To bridge the gap, we propose SecurityKG, a system for automated OSCTI gathering and management. SecurityKG collects OSCTI reports from various sources, uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors, and constructs a security knowledge graph. SecurityKG also provides a UI that supports various types of interactivity to facilitate knowledge graph exploration.