Gathering Cyber Threat Intelligence from Twitter Using Novelty Classification

Preventing organizations from Cyber exploits needs timely intelligence about Cyber vulnerabilities and attacks, referred to as threats. Cyber threat intelligence can be extracted from various sources including social media platforms where users publish the threat information in real-time. Gathering Cyber threat intelligence from social media sites is a time-consuming task for security analysts that can delay timely response to emerging Cyber threats. We propose a framework for automatically gathering Cyber threat intelligence from Twitter by using a novelty detection model. Our model learns the features of Cyber threat intelligence from the threat descriptions published in public repositories such as Common Vulnerabilities and Exposures (CVE) and classifies a new unseen tweet as either normal or anomalous to Cyber threat intelligence. We evaluate our framework using a purpose-built data set of tweets from 50 influential Cyber security-related accounts over twelve months (in 2018). Our classifier achieves the F1-score of 0.643 for classifying Cyber threat tweets and outperforms several baselines including binary classification models. Analysis of the classification results suggests that Cyber threat-relevant tweets on Twitter do not often include the CVE identifier of the related threats. Hence, it would be valuable to collect these tweets and associate them with the related CVE identifier for Cyber security applications.