
A comparative analysis of cyber-threat intelligence sources, formats and languages

Research output: Contribution to journal › Article › peer-review

Standard

A comparative analysis of cyber-threat intelligence sources, formats and languages. / Ramsdale, Andrew; Shiaeles, Stavros; Kolokotronis, Nicholas.

In: Electronics, Vol. 9, No. 5, 824, 16.05.2020.



Author

Ramsdale, Andrew ; Shiaeles, Stavros ; Kolokotronis, Nicholas. / A comparative analysis of cyber-threat intelligence sources, formats and languages. In: Electronics. 2020 ; Vol. 9, No. 5.

Bibtex

@article{5bf0ee79479d44968d513bde6b25fd75,
title = "A comparative analysis of cyber-threat intelligence sources, formats and languages",
abstract = "The sharing of cyber-threat intelligence is an essential part of multi-layered tools used to protect systems and organisations from various threats. Structured standards, such as STIX, TAXII and CybOX, were introduced to provide a common means of sharing cyber-threat intelligence and have been subsequently much-heralded as the de facto industry standards. In this paper, we investigate the landscape of the available formats and languages, along with the publicly available sources of threat feeds, how these are implemented and their suitability for providing rich cyber-threat intelligence. We also analyse a sample of cyber-threat intelligence feeds, the type of data they provide and the issues found in aggregating and sharing the data. Moreover, the type of data supported by various formats and languages is correlated with the data needs for several use cases related to typical security operations. The main conclusions drawn by our analysis suggest that many of the standards have a poor level of adoption and implementation, with providers opting for custom or traditional simple formats.",
keywords = "cyber-threat intelligence, threat exchange, vulnerability alerts, incident reporting, indicators of compromise, cyber-observables",
author = "Andrew Ramsdale and Stavros Shiaeles and Nicholas Kolokotronis",
year = "2020",
month = may,
day = "16",
doi = "10.3390/electronics9050824",
language = "English",
volume = "9",
journal = "Electronics",
issn = "2079-9292",
publisher = "MDPI AG",
number = "5",
}

RIS

TY - JOUR

T1 - A comparative analysis of cyber-threat intelligence sources, formats and languages

AU - Ramsdale, Andrew

AU - Shiaeles, Stavros

AU - Kolokotronis, Nicholas

PY - 2020/5/16

Y1 - 2020/5/16

N2 - The sharing of cyber-threat intelligence is an essential part of multi-layered tools used to protect systems and organisations from various threats. Structured standards, such as STIX, TAXII and CybOX, were introduced to provide a common means of sharing cyber-threat intelligence and have been subsequently much-heralded as the de facto industry standards. In this paper, we investigate the landscape of the available formats and languages, along with the publicly available sources of threat feeds, how these are implemented and their suitability for providing rich cyber-threat intelligence. We also analyse a sample of cyber-threat intelligence feeds, the type of data they provide and the issues found in aggregating and sharing the data. Moreover, the type of data supported by various formats and languages is correlated with the data needs for several use cases related to typical security operations. The main conclusions drawn by our analysis suggest that many of the standards have a poor level of adoption and implementation, with providers opting for custom or traditional simple formats.

AB - The sharing of cyber-threat intelligence is an essential part of multi-layered tools used to protect systems and organisations from various threats. Structured standards, such as STIX, TAXII and CybOX, were introduced to provide a common means of sharing cyber-threat intelligence and have been subsequently much-heralded as the de facto industry standards. In this paper, we investigate the landscape of the available formats and languages, along with the publicly available sources of threat feeds, how these are implemented and their suitability for providing rich cyber-threat intelligence. We also analyse a sample of cyber-threat intelligence feeds, the type of data they provide and the issues found in aggregating and sharing the data. Moreover, the type of data supported by various formats and languages is correlated with the data needs for several use cases related to typical security operations. The main conclusions drawn by our analysis suggest that many of the standards have a poor level of adoption and implementation, with providers opting for custom or traditional simple formats.

KW - cyber-threat intelligence

KW - threat exchange

KW - vulnerability alerts

KW - incident reporting

KW - indicators of compromise

KW - cyber-observables

U2 - 10.3390/electronics9050824

DO - 10.3390/electronics9050824

M3 - Article

VL - 9

JO - Electronics

JF - Electronics

SN - 2079-9292

IS - 5

M1 - 824

ER -

ID: 21095496