How to Assess Threat Reports? - Conception, Implementation, and Evaluation

Thesis typeMaster Thesis
SupervisorThomas Geras
Starting dateAs soon as possible
SkillsLaTeX, Git, Any programming language
LanguageGerman, English (preferred)
Industry cooperationNot possible
Publish date2022-09-02

Problem and context

The term intelligence has its origin in the military jargon. Intelligence is actionable and context-related information created by gathering, proceeding, and analyzing data [1]. Cyber Threat Intelligence in this context is understood as evidence-based knowledge about existing and emerging threats [2]. Cyber Threat Intelligence can analyze how threat actors behave in the digital world to achieve their malicious goals [1]. Examples for CTI are the so-called Indicator of Compromise (IOC) or Tactics, Techniques, and Procedures (TTPs). IOCs are simple information like IP addresses, hash values, or web domains. More complex information about the behavior of threat actors like the used techniques and tactics are called TTPs [1]. There are several norms for the representation of CTI, whereby STIX has established itself as the unspoken standard. There are various options for procuring CTI, such as Open Source Intelligence (OSINT). Likewise, an exchange between two or more parties within a sharing community can be used to procure CTI. In this case, sharing platforms like MISP are used for procurement or exchange.

CTI can help to mitigate cyber attacks or even prevent potential attacks. However, research agrees that CTI has specific weaknesses. For example, inaccurate, incomplete, or outdated CTI poses a significant challenge [3, 4]. Therefore, the quality of CTI is a crucial factor in the success of the exchange and its actions [5, 6, 7].


Security analysts’ time is tight, and they are overloaded with CTI in the form of reports and feeds. So how can an analyst distinguish between a good, well-written, relevant report and a poor one? Choosing the correct reports would save analysts time, let them focus on the relevant cases, and get early warnings.

This work aims to develop a concept for assessing (threat) reports. One approach could be to convert the report with NLP and ML techniques into knowledge graphs and evaluate the graphs instead of the written report. Other concepts can be discussed and compared within this work.