Reading the tea leaves: A comparative analysis of threat intelligence

Vector Guo Li, Matthew Dunn, Paul Pearce, Damon McCoy, Geoffrey M. Voelker, Stefan Savage, Kirill Levchenko

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    The term “threat intelligence” has swiftly become a staple buzzword in the computer security industry. The entirely reasonable premise is that, by compiling up-to-date information about known threats (i.e., IP addresses, domain names, file hashes, etc.), recipients of such information may be able to better defend their systems from future attacks. Thus, today a wide array of public and commercial sources distribute threat intelligence data feeds to support this purpose. However, our understanding of this data, its characterization and the extent to which it can meaningfully support its intended uses, is still quite limited. In this paper, we address these gaps by formally defining a set of metrics for characterizing threat intelligence data feeds and using these measures to systematically characterize a broad range of public and commercial sources. Further, we ground our quantitative assessments using external measurements to qualitatively investigate issues of coverage and accuracy. Unfortunately, our measurement results suggest that there are significant limitations and challenges in using existing threat intelligence data for its purported goals.

    Original languageEnglish (US)
    Title of host publicationProceedings of the 28th USENIX Security Symposium
    PublisherUSENIX Association
    Pages851-867
    Number of pages17
    ISBN (Electronic)9781939133069
    StatePublished - 2019
    Event28th USENIX Security Symposium - Santa Clara, United States
    Duration: Aug 14 2019Aug 16 2019

    Publication series

    NameProceedings of the 28th USENIX Security Symposium

    Conference

    Conference28th USENIX Security Symposium
    Country/TerritoryUnited States
    CitySanta Clara
    Period8/14/198/16/19

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Information Systems
    • Safety, Risk, Reliability and Quality

    Fingerprint

    Dive into the research topics of 'Reading the tea leaves: A comparative analysis of threat intelligence'. Together they form a unique fingerprint.

    Cite this