Boosting Cyber-Threat Intelligence via Collaborative Intrusion Detection

Sharing threat events and Indicators of Compromise (IoCs) enables quick and crucial decision making relative to effective countermeasures against cyberattacks. However, the current threat information sharing solutions do not allow easy communication and knowledge sharing among threat detection syste...

Full description

Saved in:
Bibliographic Details
Published in:Future generation computer systems 2022-10, Vol.135, p.30-43
Main Authors: Guarascio, Massimo, Cassavia, Nunziato, Pisani, Francesco Sergio, Manco, Giuseppe
Format: Article
Language:English
Subjects:
Active Learning
Cyber Threat Intelligence architecture
Intrusion Detection System
Security data enrichment
SIEM
Threat analytics
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Sharing threat events and Indicators of Compromise (IoCs) enables quick and crucial decision making relative to effective countermeasures against cyberattacks. However, the current threat information sharing solutions do not allow easy communication and knowledge sharing among threat detection systems (in particular Intrusion Detection Systems (IDS)) exploiting Machine Learning (ML) techniques. Moreover, the interaction with the expert, which represents an important component to gather verified and reliable input data for the ML algorithms, is weakly supported. To address all these issues, ORISHA, a platform for ORchestrated Information SHaring and Awareness enabling the cooperation among threat detection systems and other information awareness components, is proposed here. ORISHA is backed by a distributed Threat Intelligence Platform based on a network of interconnected Malware Information Sharing Platform instances, which enables the communication with several Threat Detection layers belonging to different organizations. Within this ecosystem, Threat Detection Systems mutually benefit by sharing knowledge that allows them to refine the underlying predictive accuracy. Uncertain cases, i.e. examples with low anomaly scores, are proposed to the expert, who acts with the role of oracle in an Active Learning scheme. By interfacing with a honeynet, ORISHA allows for enriching the knowledge base with further positive attack instances and then yielding robust detection models. An experimentation conducted on a well-known Intrusion Detection benchmark demonstrates the validity of the proposed architecture. •An architecture for threat information sharing and awareness is proposed.•A distributed TIP is used to enable the cooperation among different security tools.•The platform allows for gathering data from different sources (e.g., honeynet).•The platform includes an IDS based on an incremental deep ensemble method.•Experiments conducted on an IDS benchmark substantiate the validity of the proposal.
ISSN:0167-739X
1872-7115
DOI:10.1016/j.future.2022.04.028