TOM: A Threat Operating Model for Early Warning of Cyber Security Threats
Author(s)
Bo, T
Chen, Y
Wang, C
Zhao, Y
Lam, KY
Chi, CH
Tian, H
Year published
2019
Metadata
Abstract
Threat profiling helps reveal the current trends of attacks and underscores the significance of specific vulnerabilities, hence serving as a means of providing an early warning of potential attacks. However, existing approaches to threat profiling models are mainly rule-based and depend on domain experts' knowledge, which limits their applicability in the automated processing of cyber threat information from heterogeneous sources, e.g. cyber threat intelligence information from open sources. Threat profiling models based on analytic approaches, on the other hand, are potentially capable of automatically discovering hidden patterns in a massive volume of information. This paper proposes to apply data analytic approaches to develop threat profiling models in order to identify potential threats by analyzing a large number of cyber threat intelligence reports from open sources, extract information from the cyber threat intelligence reports, and represent it in a structure that facilitates automated risk assessment, and hence achieve early warning of likely cyber attacks. We introduce the Threat Operating Model (TOM), which captures important information about the identified cyber threats and can be implemented as an extension of the Structured Threat Information eXpression (STIX). Both a matrix-decomposition based semi-supervised method and a term frequency based unsupervised method are proposed. The experimental results demonstrate fair effectiveness (accuracy around 0.8) and robust performance with respect to different temporal periods.
Conference Title
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume
11888
Subject
Software engineering
Information and computing sciences