Reading the tea leaves: A comparative analysis of threat intelligence

Vector Guo Li, Matthew Dunn, Paul Pearce, Damon McCoy, Geoffrey M. Voelker, Stefan Savage, Kirill Levchenko

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    The term “threat intelligence” has swiftly become a staple buzzword in the computer security industry. The entirely reasonable premise is that, by compiling up-to-date information about known threats (i.e., IP addresses, domain names, file hashes, etc.), recipients of such information may be able to better defend their systems from future attacks. Thus, today a wide array of public and commercial sources distribute threat intelligence data feeds to support this purpose. However, our understanding of this data, its characterization and the extent to which it can meaningfully support its intended uses, is still quite limited. In this paper, we address these gaps by formally defining a set of metrics for characterizing threat intelligence data feeds and using these measures to systematically characterize a broad range of public and commercial sources. Further, we ground our quantitative assessments using external measurements to qualitatively investigate issues of coverage and accuracy. Unfortunately, our measurement results suggest that there are significant limitations and challenges in using existing threat intelligence data for its purported goals.

    Original language: English (US)
    Title of host publication: Proceedings of the 28th USENIX Security Symposium
    Publisher: USENIX Association
    Pages: 851-867
    Number of pages: 17
    ISBN (Electronic): 9781939133069
    State: Published - Jan 1 2019
    Event: 28th USENIX Security Symposium - Santa Clara, United States
    Duration: Aug 14 2019 to Aug 16 2019

    Publication series

    Name: Proceedings of the 28th USENIX Security Symposium

    Conference

    Conference: 28th USENIX Security Symposium
    Country: United States
    City: Santa Clara
    Period: 8/14/19 to 8/16/19

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Information Systems
    • Safety, Risk, Reliability and Quality

    Cite this

    Li, V. G., Dunn, M., Pearce, P., McCoy, D., Voelker, G. M., Savage, S., & Levchenko, K. (2019). Reading the tea leaves: A comparative analysis of threat intelligence. In Proceedings of the 28th USENIX Security Symposium (pp. 851-867). (Proceedings of the 28th USENIX Security Symposium). USENIX Association.

    Reading the tea leaves : A comparative analysis of threat intelligence. / Li, Vector Guo; Dunn, Matthew; Pearce, Paul; McCoy, Damon; Voelker, Geoffrey M.; Savage, Stefan; Levchenko, Kirill.

    Proceedings of the 28th USENIX Security Symposium. USENIX Association, 2019. p. 851-867 (Proceedings of the 28th USENIX Security Symposium).

    Li, VG, Dunn, M, Pearce, P, McCoy, D, Voelker, GM, Savage, S & Levchenko, K 2019, Reading the tea leaves: A comparative analysis of threat intelligence. in Proceedings of the 28th USENIX Security Symposium. Proceedings of the 28th USENIX Security Symposium, USENIX Association, pp. 851-867, 28th USENIX Security Symposium, Santa Clara, United States, 8/14/19.

    Li VG, Dunn M, Pearce P, McCoy D, Voelker GM, Savage S et al. Reading the tea leaves: A comparative analysis of threat intelligence. In Proceedings of the 28th USENIX Security Symposium. USENIX Association. 2019. p. 851-867. (Proceedings of the 28th USENIX Security Symposium).

    Li, Vector Guo ; Dunn, Matthew ; Pearce, Paul ; McCoy, Damon ; Voelker, Geoffrey M. ; Savage, Stefan ; Levchenko, Kirill. / Reading the tea leaves : A comparative analysis of threat intelligence. Proceedings of the 28th USENIX Security Symposium. USENIX Association, 2019. pp. 851-867 (Proceedings of the 28th USENIX Security Symposium).

    @inproceedings{f6a9c28ce66c4e9d98d0c7dd56be38c7,
    title = "Reading the tea leaves: A comparative analysis of threat intelligence",
    abstract = "The term “threat intelligence” has swiftly become a staple buzzword in the computer security industry. The entirely reasonable premise is that, by compiling up-to-date information about known threats (i.e., IP addresses, domain names, file hashes, etc.), recipients of such information may be able to better defend their systems from future attacks. Thus, today a wide array of public and commercial sources distribute threat intelligence data feeds to support this purpose. However, our understanding of this data, its characterization and the extent to which it can meaningfully support its intended uses, is still quite limited. In this paper, we address these gaps by formally defining a set of metrics for characterizing threat intelligence data feeds and using these measures to systematically characterize a broad range of public and commercial sources. Further, we ground our quantitative assessments using external measurements to qualitatively investigate issues of coverage and accuracy. Unfortunately, our measurement results suggest that there are significant limitations and challenges in using existing threat intelligence data for its purported goals.",
    author = "Li, {Vector Guo} and Matthew Dunn and Paul Pearce and Damon McCoy and Voelker, {Geoffrey M.} and Stefan Savage and Kirill Levchenko",
    year = "2019",
    month = "1",
    day = "1",
    language = "English (US)",
    series = "Proceedings of the 28th USENIX Security Symposium",
    publisher = "USENIX Association",
    pages = "851--867",
    booktitle = "Proceedings of the 28th USENIX Security Symposium",
    }

    TY - GEN

    T1 - Reading the tea leaves

    T2 - A comparative analysis of threat intelligence

    AU - Li, Vector Guo

    AU - Dunn, Matthew

    AU - Pearce, Paul

    AU - McCoy, Damon

    AU - Voelker, Geoffrey M.

    AU - Savage, Stefan

    AU - Levchenko, Kirill

    PY - 2019/1/1

    Y1 - 2019/1/1

    N2 - The term “threat intelligence” has swiftly become a staple buzzword in the computer security industry. The entirely reasonable premise is that, by compiling up-to-date information about known threats (i.e., IP addresses, domain names, file hashes, etc.), recipients of such information may be able to better defend their systems from future attacks. Thus, today a wide array of public and commercial sources distribute threat intelligence data feeds to support this purpose. However, our understanding of this data, its characterization and the extent to which it can meaningfully support its intended uses, is still quite limited. In this paper, we address these gaps by formally defining a set of metrics for characterizing threat intelligence data feeds and using these measures to systematically characterize a broad range of public and commercial sources. Further, we ground our quantitative assessments using external measurements to qualitatively investigate issues of coverage and accuracy. Unfortunately, our measurement results suggest that there are significant limitations and challenges in using existing threat intelligence data for its purported goals.

    AB - The term “threat intelligence” has swiftly become a staple buzzword in the computer security industry. The entirely reasonable premise is that, by compiling up-to-date information about known threats (i.e., IP addresses, domain names, file hashes, etc.), recipients of such information may be able to better defend their systems from future attacks. Thus, today a wide array of public and commercial sources distribute threat intelligence data feeds to support this purpose. However, our understanding of this data, its characterization and the extent to which it can meaningfully support its intended uses, is still quite limited. In this paper, we address these gaps by formally defining a set of metrics for characterizing threat intelligence data feeds and using these measures to systematically characterize a broad range of public and commercial sources. Further, we ground our quantitative assessments using external measurements to qualitatively investigate issues of coverage and accuracy. Unfortunately, our measurement results suggest that there are significant limitations and challenges in using existing threat intelligence data for its purported goals.

    UR - http://www.scopus.com/inward/record.url?scp=85074853226&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85074853226&partnerID=8YFLogxK

    M3 - Conference contribution

    AN - SCOPUS:85074853226

    T3 - Proceedings of the 28th USENIX Security Symposium

    SP - 851

    EP - 867

    BT - Proceedings of the 28th USENIX Security Symposium

    PB - USENIX Association

    ER -