Clustering of Threat Information to Mitigate Information Overload for Computer Emergency Response Teams

The constantly increasing number of threats and the existing diversity of information sources pose challenges for Computer Emergency Response Teams (CERTs). In order to respond to new threats, CERTs need to gather information in a timely and comprehensive manner. However, the volume of information and sources can lead to information overload. This paper answers the question of how to reduce information overload for CERTs with the help of clustering methods. Conditions for such a framework were established and subsequently tested. In order to perform an evaluation, different types of evaluation metrics were introduced and selected in relation to the framework conditions. Furthermore, different vectorizations and distance measures in combination with the clustering methods were evaluated and interpreted. Two different ground-truth datasets were used for the evaluation, one containing threat messages and a dataset with messages from different news categories. The work shows that the K-means clustering method along with TF-IDF vectorization and cosine distance provide the best results in the domain of threat messages.