#Twiti: Social Listening for Threat Intelligence


Research article

Authors: Hyejin Shin (Samsung Research, Republic of Korea), WooChul Shim (Samsung Research, Republic of Korea), Saebom Kim (Samsung Research, Republic of Korea), Sol Lee (Samsung Research, Republic of Korea), Yong Goo Kang (Korea University, Republic of Korea), Yong Ho Hwang (Samsung Research, Republic of Korea)

WWW '21: Proceedings of the Web Conference 2021, April 2021, pages 92–104. https://doi.org/10.1145/3442381.3449797. Published online: 3 June 2021.

ABSTRACT
Twitter is a popular public source for threat hunting. Many security vendors and security professionals use Twitter in practice for collecting Indicators of Compromise (IOCs). However, little is known about IOCs on Twitter. Their important characteristics such as earliness, uniqueness, and accuracy have never been investigated. Moreover, how to extract IOCs from Twitter with high accuracy is not obvious. In this paper, we present Twiti, a system that automatically extracts various forms of malware IOCs from Twitter. Based on the collected IOCs, we conduct the first empirical assessment and thorough analysis of malware IOCs on Twitter. Twiti extracts IOCs from tweets identified as having malware IOC information by leveraging natural language processing and machine learning techniques. With extensive evaluation, we demonstrate that not only can Twiti extract malware IOCs accurately, but also the extracted IOCs are unique and early. By analyzing IOCs in Twiti from various aspects, we find that Twitter captures ongoing malware threats such as Emotet variants and malware distribution sites better than other public threat intelligence (TI) feeds. We also find that only a tiny fraction of IOCs on Twitter come from commercial vendor accounts, and that individual Twitter users are the main contributors of the early detected or exclusive IOCs, which indicates that Twitter can provide many valuable IOCs not covered in the commercial domain.
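The abstract describes two distinct steps: deciding (with NLP/ML) which tweets carry malware IOC information, and then pulling the indicators out of those tweets. The second step is complicated by the way researchers defang indicators on Twitter (`hxxp://`, `[.]`, `[:]`) so that they are not clickable. The block below is an added example, not Twiti's code and not the paper's rule set: it refangs a tweet and extracts URLs, bare domains, IPv4 addresses and MD5/SHA-1/SHA-256 hashes with regular expressions, and filters the common false positive of a file name (`ab.exe`) being read as a domain. The defanging rules, the file-extension list and the sample tweet are constructed for this example; the hosts and address in the sample are reserved documentation names (RFC 2606 / RFC 5737).

```python
import re
from typing import Dict, List

# Defanging conventions commonly seen in security tweets. This list is an
# assumption of this example, not the rule set used by the paper.
_REFANG_RULES = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),   # hxxp:// -> http://
    (re.compile(r"\[(?:\.|dot)\]", re.I), "."),          # example[.]com, example[dot]com
    (re.compile(r"\((?:\.|dot)\)", re.I), "."),          # example(.)com
    (re.compile(r"\[:\]"), ":"),                         # host[:]8080
]

_URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.I)
_IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Longest alternative first so a SHA-256 is not reported as a 32-char prefix.
_HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Tokens that match the domain pattern but are file names in malware tweets
# (assumed list for this example).
_FILE_EXTENSIONS = {
    "exe", "dll", "doc", "docm", "xls", "xlsm", "zip", "rar",
    "js", "vbs", "ps1", "jar", "pdf", "txt", "bin", "dat",
}


def refang(text: str) -> str:
    """Undo the defanging conventions in _REFANG_RULES."""
    for pattern, replacement in _REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def _dedupe(items: List[str]) -> List[str]:
    """Case-insensitive de-duplication that keeps first-seen order."""
    seen, out = set(), []
    for item in items:
        key = item.lower()
        if key not in seen:
            seen.add(key)
            out.append(item)
    return out


def extract_iocs(tweet: str) -> Dict[str, List[str]]:
    """Return refanged IOCs grouped by type, in order of first appearance."""
    text = refang(tweet)
    # Strip trailing sentence punctuation that the URL pattern swallows.
    urls = [u.rstrip(".,;:!?") for u in _URL_RE.findall(text)]
    # Remove URLs before matching bare hosts so a URL's hostname is not
    # reported a second time as a domain. IPs and hashes use the full text,
    # so an IP that appears inside a URL is still reported as an IP IOC.
    remainder = _URL_RE.sub(" ", text)
    ips = _IPV4_RE.findall(text)
    hashes = [h.lower() for h in _HASH_RE.findall(text)]
    domains = [
        d for d in _DOMAIN_RE.findall(remainder)
        if d.rsplit(".", 1)[-1].lower() not in _FILE_EXTENSIONS
    ]
    return {
        "urls": _dedupe(urls),
        "domains": _dedupe(domains),
        "ips": _dedupe(ips),
        "hashes": _dedupe(hashes),
    }


# Constructed sample tweet (not from the paper's dataset). The hashes are the
# well-known SHA-256 and MD5 digests of the empty string.
SAMPLE_TWEET = (
    "#Emotet epoch2 maldoc hxxp://example[.]com/wp-content/inv.doc "
    "drops 198[.]51[.]100[.]23/ab.exe, C2 at c2.example[.]org[:]8080. "
    "sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "md5 D41D8CD98F00B204E9800998ECF8427E"
)

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TWEET).items():
        print(f"{kind}: {values}")
```

This is only the easy half of the pipeline: regexes will happily pull a version string that looks like an IPv4 address or a harmless `t.co` link out of any tweet, which is why the paper first classifies tweets as carrying malware IOC information and then measures accuracy, earliness and uniqueness against other feeds. Indicators pulled this way should be corroborated (for example against URLhaus, MalwareBazaar or a sandbox report) before they are pushed to a blocklist.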
Index terms (auto-classified): Security and privacy; Social and professional topics; Computing/technology policy; Computer crime

Published in: WWW '21: Proceedings of the Web Conference 2021, April 2021, 4054 pages. ISBN 9781450383127. DOI: 10.1145/3442381. Editors: Jure Leskovec (Stanford), Marko Grobelnik (Jožef Stefan Institute), Marc Najork (Google), Jie Tang (Tsinghua University), Leila Zia (Wikimedia Foundation). Copyright © 2021 ACM. Publisher: Association for Computing Machinery, New York, NY, United States. Online: 3 June 2021.

Author tags: open source threat intelligence, threat hunting, Twitter, IOC

Qualifiers: research-article, Research, Refereed limited

Conference acceptance rate: 1,087 of 7,181 submissions, 15%


