Abstract
The rising risk of cybercrime has compelled organisations to shift their cyber defence strategy from reactive to proactive. In this paper we analyse the cyber threat intelligence models used by organisations with respect to their features, their countermeasure methods, the language specification of their threat indicators, whether they are open or closed source, the owning organisation, the acceptance parameters of their security requirements, and their capability to measure the efficacy of cyber threat intelligence feeds. The paper also proposes a cyber threat intelligence framework that overcomes the problems found in the existing models and frameworks. The proposed framework consists of three layers. Layer 1 is the input layer, receiving data from online and offline sources. Layer 2 pre-processes, classifies and filters the data received from layer 1. Layer 3 produces a detailed report using the Elasticsearch–Logstash–Kibana (ELK) stack. The implementation results show that the proposed model detects new-generation malware effectively and fulfils all the security requirements proposed in the SANS Tools and Standards for Cyber Threat Intelligence Projects.
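As an added illustration of the three layers the abstract describes (this is not the paper's implementation): layer 1 supplies two raw feeds, layer 2 normalises, classifies and filters the indicators while counting what each feed contributed, and layer 3 hands the result to Elasticsearch as bulk NDJSON. All feed contents, source names and the index name are constructed for the example.

```python
# Added sketch of the abstract's three layers; every feed value below is constructed.
import ipaddress
import json
import re
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Internal ranges would only produce false positives if loaded as indicators.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Layer 1 (constructed): an online JSON-style feed and an offline text list with noise and a duplicate.
ONLINE_FEED = [
    {"indicator": "198.51.100.23", "source": "online-feed-A"},
    {"indicator": " Evil.Example.COM ", "source": "online-feed-A"},
    {"indicator": "10.0.0.5", "source": "online-feed-A"},  # private range: filtered out
]
OFFLINE_LIST = ("198.51.100.23\n"  # duplicate of feed A's first entry
                "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"
                "not an indicator\n")
def classify(value):
    """Return (type, normalised value); type is None when the value is unusable."""
    v = value.strip().lower()
    try:
        ip = ipaddress.ip_address(v)
        ok = ip.version == 4 and not any(ip in net for net in INTERNAL_NETS)
        return ("ipv4" if ok else None, v)
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return ("sha256", v)
    if DOMAIN_RE.match(v):
        return ("domain", v)
    return (None, v)
def layer2(online, offline_text, offline_source="offline-list-B"):
    """Layer 2: merge both sources, drop unusable and duplicate indicators, count per feed."""
    raw = list(online) + [{"indicator": ln, "source": offline_source}
                          for ln in offline_text.splitlines() if ln.strip()]
    seen, docs, stats = set(), [], {}
    for rec in raw:
        s = stats.setdefault(rec["source"], {"received": 0, "unique": 0})
        s["received"] += 1
        itype, v = classify(rec["indicator"])
        if itype is None or v in seen:
            continue  # junk, internal range, or already supplied by another feed
        seen.add(v)
        s["unique"] += 1  # unique/received per feed is a crude efficacy measure
        docs.append({"indicator": v, "type": itype, "source": rec["source"]})
    return docs, stats
def layer3_ndjson(docs, index="cti-indicators"):
    """Layer 3 hand-off: Elasticsearch _bulk NDJSON (action line, then the document)."""
    return "".join(json.dumps({"index": {"_index": index}}) + "\n" + json.dumps(d) + "\n" for d in docs)
```

The NDJSON string is what Logstash or a direct `_bulk` request would ingest; the `stats` dictionary shows how much each feed added beyond what the other already supplied.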
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig1_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig2_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig3_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig4_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig5_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig6_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig7_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig8_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig9_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-019-00280-3/MediaObjects/41870_2019_280_Fig10_HTML.png)
References
State of Malware Report, Malwarebytes Labs, Santa Clara, CA, 2017. https://www.malwarebytes.com/pdf/white-papers/stateofmalware.pdf
Patrick H, Fields Z (2017) A need for cyber security creativity. In: Collective creativity for responsible and sustainable business practice. IGI Global, pp 42–61
6 Easy ways to advance your cybersecurity program when you have a small team, ThreatConnect, Arlington, VA (2017). https://www.threatconnect.com/wp-content/uploads/ThreatConnect-6-Easy-Ways-to-Advance-Your-Cybersecurity-Program-08-04-16.pdf
https://webcache.googleusercontent.com/search?q=cache:rpbp2y5vElMJ:https://www.cpni.gov.uk/Documents/Publications/2015/11-jUNE-2015-CONTEXT_CPNI_Threat_Intelligence_FINAL.pdf+&cd=6&hl=en&ct=clnk&gl=in. Accessed 27 Nov 2016 (23:26:09)
Osako T, Suzuki T, Iwata Y (2016) Proactive defense model based on cyber threat analysis. FUJITSU Sci Tech J 52(3):72–77
Tools and Standards for Cyber Threat Intelligence Projects, October 14th 2013, SANS Institute InfoSec Reading Room. https://www.sans.org/reading-room/whitepapers/warfare/tools-standards-cyber-threat-intelligence-projects-34375
http://veriscommunity.net/howto.html. Accessed 28 Nov 2016 (19:24:16)
Obrst L, Chase P, Markeloff R (2012) Developing an ontology of the cyber security domain. STIDS, Fairfax
Baker W, Hutton A, Porter C. VERIS—a framework for gathering risk management information from security incidents. Risk Intelligence, Verizon Cybertrust Security. http://www.securitymetrics.org/attachments/Metricon-4.5-Baker-Hutton-VERIS.pdf
http://www.verizonenterprise.com/verizon-insights-lab/dbir/. Accessed 28 Nov 2016 (20:31:18)
https://github.com/vz-risk/veris. Accessed 28 Nov 2016 (19:20:16)
Dog SE et al (2016) Strategic cyber threat intelligence sharing: a case study of IDS logs. In: 2016 25th International Conference on Computer Communication and Networks (ICCCN). IEEE, Waikoloa, HI, USA
http://openioc.org/. Accessed 28 Nov 2016 (19:34:27)
https://github.com/mandiant/OpenIOC_1.1. Accessed 28 Nov 2016 (21:56:28)
https://github.com/mandiant/ioc_writer. Accessed 28 Nov 2016 (20:04:14)
http://cyboxproject.github.io/about/. Accessed 02 Dec 2016 (14:20:20)
Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX™), February 20, 2014, Mitre Co., https://www.standardscoordination.org/sites/default/files/docs/STIX_Whitepaper_v1.1.pdf
https://securityintelligence.com/how-stix-taxii-and-cybox-can-help-with-standardizing-threat-information/. Accessed 02 Dec 2016 (20:53:45)
Trusted Automated eXchange of Indicator Information—TAXII™ enabling cyber threat information exchange, Mitre Corp. https://makingsecuritymeasurable.mitre.org/docs/taxii-intro-handout.pdf. Accessed 03 Dec 2016 (19:56:32)
https://taxiiproject.github.io/. Accessed 02 Dec 2016 (15:12:19)
https://github.com/csirtgadgets/massive-octo-spice. Accessed 03 Dec 2016 (14:37:12)
http://csirtgadgets.org/collective-intelligence-framework. Accessed 03 Dec 2016 (14:33:12)
AlienVault Open Threat Exchange (2016). http://billows.com.tw/download/dm/AlienVault-Open-Threat-Exchange.pdf
Caltagirone S, Pendergast A, Betz C (2013) The diamond model of intrusion analysis. Center for Cyber Intelligence Analysis and Threat Research, Hanover
https://securityintelligence.com/a-gentle-introduction-to-the-x-force-exchange-api/. Accessed 5 Dec 2016 (18:59:12)
Pirscoveanu R-S, Stevanovic M, Pedersen JM (2016) Clustering analysis of malware behavior using Self Organizing Map. In: 2016 International conference on cyber situational awareness, data analytics and assessment (CyberSA). IEEE, London, UK
Annachhatre C, Austin TH, Stamp M (2015) Hidden Markov models for malware classification. J Comput Virol Hacking Tech 11(2):59–73
Pai S et al (2017) Clustering for malware classification. J Comput Virol Hacking Tech 13(2):95–107
Nataraj L, Manjunath BS (2016) SPAM: signal processing to analyze malware. arXiv preprint arXiv:1605.05280
Makandar A, Patrot A (2015) Malware analysis and classification using artificial neural network. In: 2015 International conference on trends in automation, communications and computing technology (I-TACT-15), vol 1. IEEE. https://www.youtube.com/watch?v=VLQTRlLGz5Y. Accessed 07 July 2016 (23:12:18)
Masud MM, Khan L, Thuraisingham B (2008) A scalable multi-level feature extraction technique to detect malicious executables. Inf Syst Front 10(1):33–45
Ahmadi M et al (2016) Novel feature extraction, selection and fusion for effective malware family classification. In: Proceedings of the sixth ACM conference on data and application security and privacy. ACM, New York
Chen T, Guestrin C (2016) Xgboost: a scalable tree boosting system. In: Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining. ACM, New York
http://scikit-learn.org/stable/modules/generated/sklearn.ensemble.RandomForestClassifier.html. Accessed 07 July 2016 (12:04:15)
Keim, Y., Mohapatra, A.K. Cyber threat intelligence framework using advanced malware forensics. Int. j. inf. tecnol. 14, 521–530 (2022). https://doi.org/10.1007/s41870-019-00280-3