Discerning Reliable Cyber Threat Indicators for Timely Cyber Threat Intelligence
Dincy R Arikkat, Vinod P., Rafidha Rehiman K. A., Andrea Di Sorbo, Corrado A. Visaggio, Mauro Conti

TL;DR
This paper shows that social media posts can be mined for reliable cyber threat indicators: a CNN filters the posts to identify IoCs with a 98.80% F1-score, machine-learning models are then used to study which accounts spread them, and the analysis shows that URLs dominate the shared indicators and that automated accounts play a significant role in their dissemination.
Contribution
It introduces a novel approach combining CNN and machine learning models to filter and identify actionable IoCs from social media data, enhancing timely cyber threat detection.
Findings
The CNN achieved a 98.80% F1-score in IoC detection (detection rate 99.65%)
URLs were the most frequently shared IoC; 48.67% of them represented valid threats
XGBoost outperformed the other models with a macro F1-score of 0.814
Abstract
In today's dynamic cybersecurity landscape, timely and accurate threat intelligence is essential for proactive defense. This study explores the potential of social media platforms as a valuable resource for extracting actionable Indicators of Compromise (IoCs). Utilizing a Convolutional Neural Network (CNN), we achieved an F1-score of 98.80% and a detection rate of 99.65%, filtering vast social media data to identify key IoCs, including IP addresses, URLs, file hashes, domain addresses, and CVE IDs. These indicators are critical for detecting potential threats and vulnerabilities, and their relevance was evaluated using metrics such as correctness, timeliness, and overlap. Our analysis shows that URLs emerged as the most frequently shared IoC, with 48.67% representing valid threats. To further investigate the role of automated accounts in disseminating IoCs, we applied several machine…
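The abstract lists the indicator types the paper filters out of social media text: IP addresses, URLs, file hashes, domain addresses and CVE IDs. As an added example, not code from the paper or its authors, the following regex-based extractor pulls those five types from short posts, undoes the "defanging" (hxxp://, [.], (dot)) that threat-sharing posts commonly use, masks each match so a hostname inside a URL is not double-counted as a domain, and counts in how many posts each indicator appears, a simple form of the overlap signal the abstract mentions. The sample posts are constructed, the CVE ID in them is a placeholder, and the helper names (`refang`, `extract_iocs`, `aggregate`) are hypothetical.

```python
import re
from collections import Counter

# Constructed sample posts (not real data and not the paper's dataset). They use
# the "defanged" notation common in threat-sharing posts, plus one decoy that
# must NOT yield an IP or a domain.
SAMPLE_POSTS = [
    "New phishing kit at hxxp://login-update[.]example[.]com/verify?id=1 ; C2 at 203[.]0[.]113[.]42",
    "Dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 beacons to 203.0.113.42",
    "Patch now: CVE-2099-12345 exploited in the wild, payload served from evil-cdn(dot)example(dot)net",
    "Not an IoC: build 1.2.3.4.5 is out, release notes at https://docs.example.org/release",
]

# Refang rules: undo the substitutions posters apply so a link is not clickable.
DEFANG_RULES = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", re.IGNORECASE), "."),
    (re.compile(r"\[:\]"), ":"),
]

IPV4_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

# Ordered: URLs are matched and masked first so the host inside a URL is not
# counted again as a separate domain or IP; hashes go longest-first.
PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>;]+", re.IGNORECASE)),
    ("cve", re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)),
    # The look-arounds reject dotted strings with more than four parts
    # (version numbers such as 1.2.3.4.5) while still allowing a trailing period.
    ("ipv4", re.compile(rf"(?<!\d)(?<!\d\.)(?:{IPV4_OCTET}\.){{3}}{IPV4_OCTET}(?!\.?\d)")),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.IGNORECASE)),
]


def refang(text):
    """Rewrite defanged notation back into its real form."""
    for pattern, replacement in DEFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def normalise(kind, value):
    """Canonical form so the same indicator written twice dedups to one key."""
    value = value.rstrip(".,)")  # sentence punctuation swept up by the greedy URL match
    if kind == "cve":
        return value.upper()
    if kind == "url":
        return value
    return value.lower()


def extract_iocs(post):
    """Return {ioc_type: set(values)} for one post."""
    text = refang(post)
    found = {}
    for kind, pattern in PATTERNS:
        hits = {normalise(kind, m.group(0)) for m in pattern.finditer(text)}
        if hits:
            found[kind] = hits
        # Blank out what this pattern matched so looser patterns later in the
        # list (domain, in particular) cannot re-match inside it.
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


def aggregate(posts):
    """Count, per (type, value), how many posts carry the indicator.

    An indicator reported independently by several posts is a simple overlap
    signal; one seen only once deserves more scrutiny before it is acted on.
    """
    counts = Counter()
    for post in posts:
        for kind, values in extract_iocs(post).items():
            for value in values:
                counts[(kind, value)] += 1
    return counts


if __name__ == "__main__":
    for (kind, value), n in sorted(aggregate(SAMPLE_POSTS).items()):
        print(f"{kind:7s} seen in {n} post(s): {value}")
```

Regex extraction is only the candidate-generation stage: it will happily pull a vendor's own IP out of a support tweet, which is why the paper still needs a classifier and the correctness/timeliness checks on top of it. The masking step matters in practice, since without it the `docs.example.org` inside the decoy URL would be reported a second time as a standalone domain indicator.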
Taxonomy
Topics: Spam and Phishing Detection · Cybercrime and Law Enforcement Studies · Network Security and Intrusion Detection
