Abstract

     Sharing threat events and Indicators of Compromise (IoCs) enables quick and crucial decision making relative to effective countermeasures against cyberattacks. However, the current threat information sharing solutions do not allow easy communication and knowledge sharing among threat detection systems (in particular Intrusion Detection Systems (IDS)) exploiting Machine Learning (ML) techniques. Moreover, the interaction with the expert, which represents an important component to gather verified and reliable input data for the ML algorithms, is weakly supported. To address all these issues, ORISHA, a platform for ORchestrated Information SHaring and Awareness enabling the cooperation among threat detection systems and other information awareness components, is proposed here. ORISHA is backed by a distributed Threat Intelligence Platform based on a network of interconnected Malware Information Sharing Platform instances, which enables the communication with several Threat Detection layers belonging to different organizations. Within this ecosystem, Threat Detection Systems mutually benefit by sharing knowledge that allows them to refine the underlying predictive accuracy. Uncertain cases, i.e. examples with low anomaly scores, are proposed to the expert, who acts with the role of oracle in an Active Learning scheme. By interfacing with a honeynet, ORISHA allows for enriching the knowledge base with further positive attack instances and then yielding robust detection models. An experimentation conducted on a well-known Intrusion Detection benchmark demonstrates the validity of the proposed architecture.

Introduction

     Nowadays, organizations and users face an enormous amount of sophisticated, targeted and widespread cyberattacks. Malicious actors were proven able to compromise government computer systems as well user devices causing various types of damages. Phishing, identity theft, information leakage, DDOS and botnet represent some examples of popular threat occurred in 2020 [1]. The outbreak of COVID-19 has further exacerbated this situation. As the virus spread during the early part of the 2020, the number of cyberattacks against organizations grew exponentially, reaching a peak in April [2], [3]. The pandemic unveiled different vulnerabilities of well-known platforms, applications and systems, and simultaneously stimulated the interest for promoting the usage of information sharing technologies to increase the degree of security for enterprises and organizations.

Conclusions

     Security intelligence and data analytics techniques can be used to strengthen the capabilities of cybersecurity applications in various vertical domains and use cases. These techniques can largely benefit from mechanisms to share digital evidence and ensure interoperability. The current Threat Intelligence platforms do not provide native mechanisms to incorporate such mechanisms, especially when data-driven and AI powered threat detection systems are involved. ORISHA is a first attempt to enable a sharing and interoperability protocol among such components, based solely on a data-oriented approach. This simple, flexible strategy and data formats for collaborative threat intelligence can trigger specific advantages: Improving the alert effectiveness by reducing the amount of false positive alerts; better contextualizing threat data with the contribution of multiple actors; boosting trust among producers and consumers of threat intelligence information; and strengthening the robustness of machine learning and deep learning models adopted by security applications. An experimental evaluation, conducted on a well-known IDS benchmark, demonstrates how merging data sharing and active learning strategies can improve the detection capabilities of the MISP network allowing to discover undetected attacks.