{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,23]],"date-time":"2025-11-23T06:18:15Z","timestamp":1763878695399,"version":"3.40.3"},"reference-count":50,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2025,3,18]],"date-time":"2025-03-18T00:00:00Z","timestamp":1742256000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,3,18]],"date-time":"2025-03-18T00:00:00Z","timestamp":1742256000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Universit\u00e0 degli Studi di Bari Aldo Moro"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2025,4]]},"abstract":"Abstract<\/jats:title>\n As the use of information systems exponentially increases, every organization is exposed to cyber-attacks. To detect and mitigate the damage caused by such attacks, organizations need to share information extracted from the analysis of known ones. Intrusion detection (IDS) and intrusion prevention (IPS) systems use information on known threats to detect and prevent attack re-execution. Given the large amount of information usually available for known attacks, restricting such amount only to really valuable information is necessary to allow protection systems to work more efficiently. One of the main challenges in cyber threat intelligence (CTI) is to filter relevant information and eliminate obsolete data. The recently published RFC 9424 emphasizes the need to produce such systems. In this work, a methodology named comprehensive assessment and rating of IoCs via CADE algorithm (CARIOCA) is proposed, which aims to analyze data contained in the CTI platform to select a subset of indicators of compromise (IoCs) considered most relevant for protection systems. Through CARIOCA, IoCs evaluation based on three level scorings is proposed, considering sources\u2019 reliability, IoCs freshness, and CTI reports quality using a new algorithm, named category attribute density evaluation (CADE). The state-of-the-art considers the qualities of an IoC or the estimated reliability of the CTI source to select relevant IoCs. By combining three scores, CARIOCA can comprehensively assess IoCs relevance. The results obtained in the experiments support CARIOCA\u2019s effectiveness in selecting the most relevant subset of IoCs for IDS\/IPS.<\/jats:p>","DOI":"10.1007\/s10207-025-01006-2","type":"journal-article","created":{"date-parts":[[2025,3,18]],"date-time":"2025-03-18T06:40:27Z","timestamp":1742280027000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["CARIOCA: prioritizing the use of IoC by threats assessment shared on the MISP platform"],"prefix":"10.1007","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-1230-2181","authenticated-orcid":false,"given":"Piero","family":"Delvecchio","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3955-0478","authenticated-orcid":false,"given":"Stefano","family":"Galantucci","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7344-636X","authenticated-orcid":false,"given":"Andrea","family":"Iannacone","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7305-2210","authenticated-orcid":false,"given":"Giuseppe","family":"Pirlo","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,3,18]]},"reference":[{"key":"1006_CR1","unstructured":"Corporation, M.: MITRE common vulnerabilities and exposures. https:\/\/cve.mitre.org\/"},{"key":"1006_CR2","unstructured":"Corporation, M.: MITRE ATT &CK \u00ae. https:\/\/attack.mitre.org\/"},{"key":"1006_CR3","doi-asserted-by":"crossref","unstructured":"Wagner, C., Dulaunoy, A., Wagener, G., Iklody, A.: Misp: the design and implementation of a collaborative threat intelligence sharing platform. In: Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, pp. 49\u201356 (2016)","DOI":"10.1145\/2994539.2994542"},{"key":"1006_CR4","unstructured":"Agency, F.N.C.: OpenCTI - GitHub. https:\/\/github.com\/OpenCTI-Platform\/opencti"},{"key":"1006_CR5","doi-asserted-by":"crossref","first-page":"153102","DOI":"10.1109\/ACCESS.2021.3128070","volume":"9","author":"W Zeng","year":"2021","unstructured":"Zeng, W., Liu, Z., Yang, Y., Yang, G., Luo, Q.: Qbc inconsistency-based threat intelligence ioc recognition. IEEE Access 9, 153102\u2013153107 (2021)","journal-title":"IEEE Access"},{"issue":"2","key":"1006_CR6","first-page":"2472","volume":"24","author":"P Kumar","year":"2021","unstructured":"Kumar, P., Gupta, G.P., Tripathi, R., Garg, S., Hassan, M.M.: Dltif: deep learning-driven cyber threat intelligence modeling and identification framework in iot-enabled maritime transportation systems. IEEE Trans. Intell. Transp. Syst. 24(2), 2472\u20132481 (2021)","journal-title":"IEEE Trans. Intell. Transp. Syst."},{"key":"1006_CR7","unstructured":"Alahmadi, B.A., Axon, L., Martinovic, I.: 99% false positives: a qualitative study of $$\\{$$SOC$$\\}$$ analysts\u2019 perspectives on security alarms. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 2783\u20132800 (2022)"},{"key":"1006_CR8","doi-asserted-by":"crossref","first-page":"961","DOI":"10.1016\/j.procs.2022.08.117","volume":"204","author":"M Saraiva","year":"2022","unstructured":"Saraiva, M., Mateus-Coelho, N.: Cybersoc framework a systematic review of the state-of-art. Proc. Comput. Sci. 204, 961\u2013972 (2022)","journal-title":"Proc. Comput. Sci."},{"key":"1006_CR9","doi-asserted-by":"publisher","unstructured":"Paine, K., Whitehouse, O., Sellwood, J. S. A.: Indicators of compromise (IoCs) and their role in attack defence. RFC Editor (2023). https:\/\/doi.org\/10.17487\/RFC9424. https:\/\/www.rfc-editor.org\/info\/rfc9424","DOI":"10.17487\/RFC9424"},{"key":"1006_CR10","doi-asserted-by":"crossref","first-page":"102074","DOI":"10.1016\/j.inffus.2023.102074","volume":"102","author":"MM Salim","year":"2024","unstructured":"Salim, M.M., El Azzaoui, A., Deng, X., Park, J.H.: Fl-ctif: a federated learning based cti framework based on information fusion for secure iiot. Inf. Fusion 102, 102074 (2024)","journal-title":"Inf. Fusion"},{"key":"1006_CR11","doi-asserted-by":"crossref","first-page":"101589","DOI":"10.1016\/j.cose.2019.101589","volume":"87","author":"TD Wagner","year":"2019","unstructured":"Wagner, T.D., Mahbub, K., Palomar, E., Abdallah, A.E.: Cyber threat intelligence sharing: survey and research directions. Comput. Secur. 87, 101589 (2019)","journal-title":"Comput. Secur."},{"key":"1006_CR12","doi-asserted-by":"crossref","first-page":"103352","DOI":"10.1016\/j.cose.2023.103352","volume":"132","author":"S Ainslie","year":"2023","unstructured":"Ainslie, S., Thompson, D., Maynard, S., Ahmad, A.: Cyber-threat intelligence for security decision-making: a review and research agenda for practice. Comput. Secur. 132, 103352 (2023)","journal-title":"Comput. Secur."},{"key":"1006_CR13","doi-asserted-by":"crossref","first-page":"109920","DOI":"10.1016\/j.comnet.2023.109920","volume":"234","author":"M Allegretta","year":"2023","unstructured":"Allegretta, M., Siracusano, G., Gonzalez, R., Gramaglia, M.: Are crowd-sourced cti datasets ready for supporting anti-cybercrime intelligence? Comput. Netw. 234, 109920 (2023)","journal-title":"Comput. Netw."},{"key":"1006_CR14","first-page":"103786","volume":"83","author":"P Alaeifar","year":"2024","unstructured":"Alaeifar, P., Pal, S., Jadidi, Z., Hussain, M., Foo, E.: Current approaches and future directions for cyber threat intelligence sharing: A survey. J. Inf. Secur. Appl. 83, 103786 (2024)","journal-title":"J. Inf. Secur. Appl."},{"issue":"5","key":"1006_CR15","doi-asserted-by":"crossref","first-page":"824","DOI":"10.3390\/electronics9050824","volume":"9","author":"A Ramsdale","year":"2020","unstructured":"Ramsdale, A., Shiaeles, S., Kolokotronis, N.: A comparative analysis of cyber-threat intelligence sources, formats and languages. Electronics 9(5), 824 (2020)","journal-title":"Electronics"},{"key":"1006_CR16","doi-asserted-by":"crossref","unstructured":"Meier, R., Scherrer, C., Gugelmann, D., Lenders, V., Vanbever, L.: Feedrank: a tamper-resistant method for the ranking of cyber threat intelligence feeds. In: 2018 10th International Conference on Cyber Conflict (CyCon), pp. 321\u2013344. IEEE (2018)","DOI":"10.23919\/CYCON.2018.8405024"},{"key":"1006_CR17","doi-asserted-by":"crossref","unstructured":"Qiang, L., Zhengwei, J., Zeming, Y., Baoxu, L., Xin, W., Yunan, Z.: A quality evaluation method of cyber threat intelligence in user perspective. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications\/12th IEEE International Conference On Big Data Science and Engineering (TrustCom\/BigDataSE), pp. 269\u2013276. IEEE (2018)","DOI":"10.1109\/TrustCom\/BigDataSE.2018.00049"},{"key":"1006_CR18","unstructured":"Korte, K.: Measuring the quality of open source cyber threat intelligence feeds (2021)"},{"key":"1006_CR19","doi-asserted-by":"crossref","unstructured":"Schaberreiter, T., Kupfersberger, V., Rantos, K., Spyros, A., Papanikolaou, A., Ilioudis, C., Quirchmayr, G.: A quantitative evaluation of trust in the quality of cyber threat intelligence sources. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1\u201310 (2019)","DOI":"10.1145\/3339252.3342112"},{"key":"1006_CR20","unstructured":"Jordan, B., Piazza, R., Darley, T.: STIX Version 2.1. OASIS Open (2021). https:\/\/docs.oasis-open.org\/cti\/stix\/v2.1\/os\/stix-v2.1-os.html"},{"key":"1006_CR21","doi-asserted-by":"crossref","first-page":"102576","DOI":"10.1016\/j.cose.2021.102576","volume":"113","author":"A Tundis","year":"2022","unstructured":"Tundis, A., Ruppert, S., M\u00fchlh\u00e4user, M.: A feature-driven method for automating the assessment of osint cyber threat sources. Comput. Secur. 113, 102576 (2022)","journal-title":"Comput. Secur."},{"key":"1006_CR22","doi-asserted-by":"crossref","unstructured":"Wang, M., Yang, L., Lou, W.: A comprehensive dynamic quality assessment method for cyber threat intelligence. In: 2022 52nd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), pp. 178\u2013181. IEEE (2022)","DOI":"10.1109\/DSN-W54100.2022.00037"},{"key":"1006_CR23","unstructured":"Angelelli, M., Arima, S., Catalano, C., Ciavolino, E.: Cyber-risk perception and prioritization for decision-making and threat intelligence. arXiv preprint arXiv:2302.08348 (2023)"},{"key":"1006_CR24","unstructured":"Ermerins, J., Noort, N., Novais\u00a0Marques, J., Velasco, L.: Scoring model for iocs by combining open intelligence feeds to reduce false positives. In: Security and Network Engineering. University of Amsterdam (2020)"},{"key":"1006_CR25","doi-asserted-by":"crossref","first-page":"103960","DOI":"10.1016\/j.cose.2024.103960","volume":"8","author":"N Xiao","year":"2024","unstructured":"Xiao, N., Lang, B., Wang, T., Chen, Y.: Apt-mmf: an advanced persistent threat actor attribution method based on multimodal and multilevel feature fusion. Comput. Secur. 8, 103960 (2024)","journal-title":"Comput. Secur."},{"key":"1006_CR26","doi-asserted-by":"crossref","unstructured":"Azevedo, R., Medeiros, I., Bessani, A.: Pure: generating quality threat intelligence by clustering and correlating osint. In: 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications\/13th IEEE International Conference On Big Data Science And Engineering (TrustCom\/BigDataSE), pp. 483\u2013490. IEEE (2019)","DOI":"10.1109\/TrustCom\/BigDataSE.2019.00071"},{"key":"1006_CR27","doi-asserted-by":"crossref","unstructured":"Faiella, M., Granadillo, G.G., Medeiros, I., Azevedo, R., Zarzosa, S.G.: Enriching threat intelligence platforms capabilities. In: ICETE (2), pp. 37\u201348 (2019)","DOI":"10.5220\/0007830400370048"},{"key":"1006_CR28","first-page":"102715","volume":"58","author":"G Gonz\u00e1lez-Granadillo","year":"2021","unstructured":"Gonz\u00e1lez-Granadillo, G., Faiella, M., Medeiros, I., Azevedo, R., Gonz\u00e1lez-Zarzosa, S.: Etip: an enriched threat intelligence platform for improving osint correlation, analysis, visualization and sharing capabilities. J. Inf. Secur. Appl. 58, 102715 (2021)","journal-title":"J. Inf. Secur. Appl."},{"key":"1006_CR29","first-page":"83","volume":"2022","author":"S Zhang","year":"2022","unstructured":"Zhang, S., Chen, P., Bai, G., Wang, S., Zhang, M., Li, S., Zhao, C.: An automatic assessment method of cyber threat intelligence combined with att &ck matrix. Wirel. Commun. Mob. Comput. 2022, 83 (2022)","journal-title":"Wirel. Commun. Mob. Comput."},{"key":"1006_CR30","doi-asserted-by":"crossref","unstructured":"Haass, J.C.: Cyber threat intelligence and machine learning. In: 2022 Fourth International Conference on Transdisciplinary AI (TransAI), pp. 156\u2013159. IEEE (2022)","DOI":"10.1109\/TransAI54797.2022.00033"},{"issue":"9","key":"1006_CR31","doi-asserted-by":"crossref","first-page":"1401","DOI":"10.3390\/electronics11091401","volume":"11","author":"G Sakellariou","year":"2022","unstructured":"Sakellariou, G., Fouliras, P., Mavridis, I., Sarigiannidis, P.: A reference model for cyber threat intelligence (cti) systems. Electronics 11(9), 1401 (2022)","journal-title":"Electronics"},{"key":"1006_CR32","doi-asserted-by":"crossref","first-page":"2","DOI":"10.25300\/MISQ\/2022\/15392","volume":"46","author":"S Samtani","year":"2022","unstructured":"Samtani, S., Chai, Y., Chen, H.: Linking exploits from the dark web to known vulnerabilities for proactive cyber threat intelligence: an attention-based deep structured semantic model 1. MIS Quart. 46, 2 (2022)","journal-title":"MIS Quart."},{"key":"1006_CR33","doi-asserted-by":"crossref","unstructured":"Mavzer, K.B., Konieczna, E., Alves, H., Yucel, C., Chalkias, I., Mallis, D., Cetinkaya, D., Sanchez, L.A.G.: Trust and quality computation for cyber threat intelligence sharing platforms. In: 2021 IEEE International Conference on Cyber Security and Resilience (CSR), pp. 360\u2013365. IEEE (2021)","DOI":"10.1109\/CSR51186.2021.9527975"},{"key":"1006_CR34","doi-asserted-by":"crossref","unstructured":"Al-Ibrahim, O., Mohaisen, A., Kamhoua, C., Kwiat, K., Njilla, L.: Beyond free riding: quality of indicators for assessing participation in information sharing for threat intelligence. arXiv preprint arXiv:1702.00552 (2017)","DOI":"10.1145\/3132465.3132468"},{"key":"1006_CR35","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1007\/s10207-020-00490-y","volume":"20","author":"D Schlette","year":"2021","unstructured":"Schlette, D., B\u00f6hm, F., Caselli, M., Pernul, G.: Measuring and visualizing cyber threat intelligence quality. Int. J. Inf. Secur. 20, 21\u201338 (2021)","journal-title":"Int. J. Inf. Secur."},{"key":"1006_CR36","unstructured":"Rich, P.: $$\\text{STIX}^{{\\rm TM}}$$ version 2.0 (2017)"},{"issue":"14","key":"1006_CR37","doi-asserted-by":"crossref","first-page":"4890","DOI":"10.3390\/s21144890","volume":"21","author":"A Dimitriadis","year":"2021","unstructured":"Dimitriadis, A., Prassas, C., Flores, J.L., Kulvatunyou, B., Ivezic, N., Gritzalis, D.A., Mavridis, I.K.: Contextualized filtering for shared cyber threat information. Sensors 21(14), 4890 (2021)","journal-title":"Sensors"},{"key":"1006_CR38","unstructured":"Ivezic, N., Ljubicic, M., Jankovic, M., Kulvatunyou, B., Nieman, S., Minakawa, G.: Business process context for message standards. In: BPM (Industry Track), pp. 100\u2013111 (2017)"},{"key":"1006_CR39","unstructured":"Dulaunoy, A., Wagener, G., Iklody, A., Mokaddem, S., Wagner, C.: An indicator scoring method for misp platforms. In: The Networking Conference TNC, vol. 18 (2018)"},{"key":"1006_CR40","doi-asserted-by":"crossref","unstructured":"Muttaqin, F.Z., Salamun, M.A., Rosyid, N.R.: Incident taxonomy analysis on misp using a quantitative threat assessment approach. In: AIP Conference Proceedings, vol. 2654. AIP Publishing (2023)","DOI":"10.1063\/5.0115372"},{"issue":"1","key":"1006_CR41","first-page":"31","volume":"1","author":"M Aruldoss","year":"2013","unstructured":"Aruldoss, M., Lakshmi, T.M., Venkatesan, V.P.: A survey on multi criteria decision making methods and its applications. Am. J. Inf. Syst. 1(1), 31\u201343 (2013)","journal-title":"Am. J. Inf. Syst."},{"key":"1006_CR42","doi-asserted-by":"crossref","unstructured":"Dezert, J., Tchamova, A., Han, D., Tacnet, J.-M.: The spotis rank reversal free method for multi-criteria decision-making support. In: 2020 IEEE 23rd International Conference on Information Fusion (FUSION), pp. 1\u20138. IEEE (2020)","DOI":"10.23919\/FUSION45008.2020.9190347"},{"key":"1006_CR43","unstructured":"MISP: MISP Modules-GitHub. https:\/\/github.com\/MISP\/misp-modules"},{"key":"1006_CR44","unstructured":"Kornblum, J., Grohne, H.: ssdeep-GitHub. https:\/\/github.com\/ssdeep-project\/ssdeep"},{"key":"1006_CR45","unstructured":"Page, L.: The pagerank citation ranking: bringing order to the web. Technical report. Stanford Digital Library Technologies Project (1998)"},{"key":"1006_CR46","unstructured":"CAPEC: Common attack pattern enumeration and classification (CAPEC). https:\/\/capec.mitre.org\/"},{"key":"1006_CR47","unstructured":"Christey, S., Martin, R.A.: Vulnerability type distributions in cve. Mitre report (2007)"},{"key":"1006_CR48","unstructured":"Bianco, D.: The pyramid of pain. Enterprise Detection & Response (2013)"},{"key":"1006_CR49","first-page":"1","volume":"67","author":"M Alshehri","year":"2021","unstructured":"Alshehri, M.: Generic attribute scoring for information decay in threat information sharing platform. Comput. Mater. Contin. 67, 1 (2021)","journal-title":"Comput. Mater. Contin."},{"key":"1006_CR50","unstructured":"Horsely, C.: Just how big does MISP Data Get, Anyway? We Ran the Numbers-Cosive. https:\/\/www.cosive.com\/blog\/just-how-big-does-misp-data-get-anyway"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01006-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01006-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01006-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,30]],"date-time":"2025-03-30T08:02:36Z","timestamp":1743321756000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01006-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,18]]},"references-count":50,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,4]]}},"alternative-id":["1006"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01006-2","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2025,3,18]]},"assertion":[{"value":"18 March 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no conflict of interest to declare that are relevant to the content of this article.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"98"}}