ThreatCluster: Threat Clustering for Information Overload Reduction in Computer Emergency Response Teams

Public information contains valuable Cyber Threat Intelligence (CTI) that is used to prevent attacks in the future. Ideally, the learnings from previous attacks help to mitigate all those that follow. While there are standards for sharing this information, much of it is shared in non-standardized news articles or blog posts. It is a time-consuming task to monitor online sources for threats and even then, one can never be sure, to use the right sources. Current research propose extractors of Indicators of Compromise from known sources, while the identification of new sources is rarely considered. This paper proposes a focused crawler focused on the CTI domain based on multi-armed bandit (MAB) and different crawling strategies. It uses SBERT to identify relevant documents, while dynamically adapt its crawling path. We propose a system called ThreatCrawl, which achieve a harvest rate of over 25% and is able to expand its used seed by over 300%, while retaining focus on the topic at hand. In addition, this crawler identified previously unknown but highly relevant overview pages, datasets, and domains.