Date of Award

12-11-2024

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

Information Science

First Advisor

Philip Huff

Abstract

Cybersecurity operations require the ability to collect and analyze large amounts of cyber threat intelligence (CTI) to assess risks and formulate defensive strategies against emerging threats. This task has become increasingly complex due to the rapid evolution of cyber threats and the growing volume of unstructured, natural-language CTI sources. The scale of data and analysis needed to utilize CTI effectively far exceeds humans' manual capacity, especially for organizations with limited resources. This research focuses on leveraging Large Language Models (LLMs) and machine learning techniques to enhance CTI extraction, risk assessment, and data sharing. We utilized LLMs to automate the extraction and structuring of adversarial Skills, Knowledge, Resources, Authorities, and Motivation (SKRAM) attributes from unstructured CTI sources, transforming natural-language texts into the structured STIX 2.1 format, thus reducing the workload on security analysts. Threat association and risk prioritization allow organizations to focus on the most relevant CTI by identifying threats most pertinent to them. By leveraging extracted SKRAM attributes, we systematically assess both historical and current cyber threats, generating detailed profiles and assigning risk scores to determine how closely an organization aligns with victims targeted by specific ransomware groups. Additionally, we link adversarial SKRAM attributes to entities based on attack likelihood and potential outcomes, such as financial, operational, or reputational risks, enabling more effective defense prioritization. Finally, sharing CTI among organizations is often hindered by concerns about exposing vulnerabilities or sensitive information. To address this, we introduce a browser-based privacy filter that detects sensitive and identifiable information within an organization before data leaves the network. This model can be trained within the browser, allowing entities to flag sensitive information while ensuring compliance with privacy regulations and contributing to the broader CTI community.

Share

COinS