SENTINEL: A Multi-Modal Early Detection Framework for Emerging Cyber Threats using Telegram
Mohammad Hammas Saeed, Howie Huang

TL;DR
SENTINEL is a framework that uses multi-modal signals from Telegram social media discussions, combining language models and graph neural networks, to proactively detect emerging cyber threats with high accuracy.
Contribution
This work introduces SENTINEL, a novel multi-modal framework that aligns social media signals with real-world cyber threats for early detection.
Findings
Achieved an F1 score of 0.89 in threat detection.
Effectively leverages language and network signals.
Utilizes data from 16 Telegram channels with 365k messages.
Abstract
Cyberattacks pose a serious threat to modern sociotechnical systems, often resulting in severe technical and societal consequences. Attackers commonly target systems and infrastructure through methods such as malware, ransomware, or other forms of technical exploitation. Most traditional mechanisms to counter these threats rely on post-hoc detection and mitigation strategies, responding to cyber incidents only after they occur rather than preventing them proactively. Recent trends reveal that social media discussions can serve as reliable indicators for detecting such threats. Malicious actors often exploit online platforms to distribute attack tools, share attack knowledge and coordinate. Experts, too, often predict ongoing attacks and discuss potential breaches in online spaces. In this work, we present SENTINEL, a framework that leverages social media signals for early detection of cyber…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies · Hate Speech and Cyberbullying Detection · Spam and Phishing Detection
