TINKER: A framework for Open source Cyberthreat Intelligence
This addresses the problem for security analysts by providing a structured approach to handle CTI, though it appears incremental as it builds on existing knowledge graph methods.
The paper tackles the challenge of integrating unstructured cyber threat intelligence (CTI) into security systems by proposing TINKER, a semi-supervised framework that extracts and structures CTI into a knowledge graph, enabling scalable analysis and sharing.
Threat intelligence on malware attacks and campaigns is increasingly being shared with other security experts for a cost or for free. Other security analysts use this intelligence to inform them of indicators of compromise, attack techniques, and preventative actions. Security analysts prepare threat analysis reports after investigating an attack, an emerging cyber threat, or a recently discovered vulnerability. Collectively known as cyber threat intelligence (CTI), the reports are typically in an unstructured format and, therefore, challenging to integrate seamlessly into existing intrusion detection systems. This paper proposes a framework that uses the aggregated CTI for analysis and defense at scale. The information is extracted and stored in a structured format using knowledge graphs such that the semantics of the threat intelligence can be preserved and shared at scale with other security analysts. Specifically, we propose the first semi-supervised open-source knowledge graph-based framework, TINKER, to capture cyber threat information and its context. Following TINKER, we generate a Cyberthreat Intelligence Knowledge Graph (CTI-KG) and demonstrate the usage using different use cases.