Processing Tweets for Cybersecurity Threat Awareness

  • 2019-04-03 16:04:16
  • Fernando Alves, Aurélien Bettini, Pedro M. Ferreira, Alysson Bessani

Abstract

Receiving timely and relevant security information is crucial for maintaining a high-security level on an IT infrastructure. This information can be extracted from Open Source Intelligence published daily by users, security organisations, and researchers. In particular, Twitter has become an information hub for obtaining cutting-edge information about many subjects, including cybersecurity. This work proposes SYNAPSE, a Twitter-based streaming threat monitor that generates a continuously updated summary of the threat landscape related to a monitored infrastructure. Its tweet-processing pipeline is composed of filtering, feature extraction, binary classification, an innovative clustering strategy, and generation of Indicators of Compromise (IoCs). A quantitative evaluation considering all tweets from 80 accounts over more than 8 months (over 195.000 tweets) shows that our approach timely and successfully finds the majority of security-related tweets concerning an example IT infrastructure (true positive rate above 90%), incorrectly selects a small number of tweets as relevant (false positive rate under 10%), and summarises the results to very few IoCs per day. A qualitative evaluation of the IoCs generated by SYNAPSE demonstrates their relevance (based on the CVSS score and the availability of patches or exploits), and timeliness (based on threat disclosure dates from NVD).
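The abstract names five pipeline stages (filtering, feature extraction, binary classification, clustering, IoC generation) without showing how they chain together. The following is an added, deliberately small example of such a pipeline; it is not SYNAPSE's code and does not reproduce the paper's feature set, classifier or clustering strategy. Everything in it is an assumption for illustration: the monitored-asset inventory, the keyword filter, the multinomial Naive Bayes classifier over bag-of-words features, the single-pass Jaccard clustering, the IoC record layout, and the training tweets, stream tweets and CVE identifiers (all constructed, with obviously fictitious `CVE-2099-…` ids).

```python
import re
from collections import Counter
from math import log

# Assumed monitored-infrastructure inventory (constructed, not from the paper).
ASSETS = ["apache", "openssl", "nginx", "windows"]

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9.-]*")


def tokens(text):
    """Lower-case word tokens; a CVE id survives as one token."""
    return TOKEN_RE.findall(text.lower())


def filter_by_assets(tweets, assets=ASSETS):
    """Stage 1: keep only tweets that mention a monitored asset."""
    kept = []
    for tw in tweets:
        toks = set(tokens(tw["text"]))
        hit = [a for a in assets if a in toks]
        if hit:
            kept.append({**tw, "assets": hit})
    return kept


class NaiveBayes:
    """Stages 2-3: bag-of-words features + multinomial Naive Bayes (labels 0/1)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha            # Laplace smoothing
        self.word_counts = {0: Counter(), 1: Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def fit(self, labelled):
        for text, label in labelled:
            self.doc_counts[label] += 1
            for t in tokens(text):
                self.word_counts[label][t] += 1
                self.vocab.add(t)
        return self

    def predict(self, text):
        total_docs = sum(self.doc_counts.values())
        scores = {}
        for label in (0, 1):
            logp = log(self.doc_counts[label] / total_docs)
            denom = sum(self.word_counts[label].values()) + self.alpha * len(self.vocab)
            for t in tokens(text):
                logp += log((self.word_counts[label][t] + self.alpha) / denom)
            scores[label] = logp
        return 1 if scores[1] > scores[0] else 0


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster(tweets, threshold=0.4):
    """Stage 4: greedy single-pass clustering; the first tweet of a cluster is its representative."""
    clusters = []
    for tw in tweets:
        toks = set(tokens(tw["text"]))
        for c in clusters:
            if jaccard(toks, c["tokens"]) >= threshold:
                c["members"].append(tw)
                break
        else:
            clusters.append({"tokens": toks, "members": [tw]})
    return clusters


def generate_iocs(clusters):
    """Stage 5: one IoC record per cluster (assets, CVE ids, volume, first-seen time)."""
    iocs = []
    for c in clusters:
        members = c["members"]
        cves = sorted({m.upper() for m in CVE_RE.findall(" ".join(x["text"] for x in members))})
        iocs.append({
            "assets": sorted({a for m in members for a in m["assets"]}),
            "cves": cves,
            "tweets": len(members),
            "first_seen": min(m["time"] for m in members),   # ISO-8601 strings sort correctly
            "example": members[0]["text"],
        })
    return iocs


def run_pipeline(tweets, classifier, threshold=0.4):
    relevant = [tw for tw in filter_by_assets(tweets) if classifier.predict(tw["text"]) == 1]
    return generate_iocs(cluster(relevant, threshold))


# Constructed training set: 1 = security-relevant, 0 = noise mentioning the same products.
TRAINING = [
    ("critical vulnerability in apache allows remote code execution patch now", 1),
    ("new openssl advisory fixes buffer overflow in tls handshake", 1),
    ("exploit released for nginx flaw update to latest version", 1),
    ("windows zero-day under active attack security update available", 1),
    ("cve published for apache module denial of service", 1),
    ("just deployed our apache web server for the new blog", 0),
    ("which is faster for static files nginx or apache", 0),
    ("openssl conference talk slides are online", 0),
    ("windows update took an hour this morning annoying", 0),
    ("great tutorial on configuring nginx reverse proxy", 0),
]

# Constructed tweet stream (fictitious CVE ids).
SAMPLE_TWEETS = [
    {"time": "2019-03-01T09:00:00", "text": "Critical vulnerability CVE-2099-0001 in Apache httpd allows remote code execution, patch now"},
    {"time": "2019-03-01T09:30:00", "text": "Apache httpd CVE-2099-0001 remote code execution vulnerability - patch available"},
    {"time": "2019-03-01T10:00:00", "text": "OpenSSL advisory: buffer overflow in TLS handshake, update to fix"},
    {"time": "2019-03-01T11:00:00", "text": "Which is faster for static files, nginx or Apache?"},
    {"time": "2019-03-01T12:00:00", "text": "Exploit released for Tomcat flaw"},          # not a monitored asset
    {"time": "2019-03-01T13:00:00", "text": "Windows zero-day CVE-2099-0002 under active attack, security update available"},
    {"time": "2019-03-01T14:00:00", "text": "Great tutorial on configuring nginx reverse proxy"},
]

if __name__ == "__main__":
    for ioc in run_pipeline(SAMPLE_TWEETS, NaiveBayes().fit(TRAINING)):
        print(ioc)
```

On the constructed stream the filter drops the Tomcat tweet, the classifier rejects the two non-security nginx/Apache tweets, the two near-duplicate Apache tweets collapse into one cluster, and three IoC records come out: one per distinct threat rather than one per tweet, which is the kind of summarisation the abstract describes. A production system would swap in a proper feature extractor and a model trained on labelled data; the stage boundaries stay the same.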
