Correlation of cyber threat intelligence with sightings for intelligence assessment and augmentation

Cyber threat intelligence (CTI) provides the means to rapidly identify and investigate attacks such that the security risks can be addressed. However, few studies have assessed the consistency between the CTI and the observations in the real-world environment (i.e., sightings). Accordingly, this study proposes an approach for assessing such consistency. The assessment process involves finding both false positives (i.e., attacks reported in the CTI, but not observed in the sightings) and false negatives (i.e., attacks observed in the sightings, but not reported in the CTI). The latter are then used to augment the CTI. Several strategies are proposed for assessment and augmentation with a large number of flows in the sightings. For assessment, we first list the characteristic rules for various attacks, and see whether the characteristics of the malicious flows labeled with the attack tags by the CTI match the corresponding rules. We also divide the reported malicious flows into clusters for easier observation. For augmentation, a machine learning framework is employed to identify flows in the sighting with a behavior similar to that of known malicious flows. The attack type and severity of these flows are predicted and used to update the CTI accordingly. The experimental results reveal that among the sightings, over 50% of the flows do not exhibit the behaviors expected from the characteristic rules, but nevertheless appear to be probing or scanning. The proportion of such flows is greater than 90% in the largest cluster for each attack type. When the learning framework is employed, the number of high-severity malicious sources identified in the sighting increases by 156% compared to that reported in the original blacklist. In addition, around 53% of these sources are also considered as potentially malicious by other intelligence sources, and are thus regarded as valid candidates for CTI augmentation.