Integrating OSINT and Cyber Threat Intelligence to Enhance the
Security of Enterprise IoT
Sarah Julia Kriesch
Friedrich-Alexander-Universität
Erlangen-Nürnberg (FAU)
sarah.j.kriesch@fau.de
ABSTRACT
Open Source Intelligence (OSINT) tools enable the collection of OSINT information from publicly available sources. In parallel, Cyber Threat Intelligence (CTI) harnesses this intelligence, employing Artificial Intelligence (AI) for automated data analysis and threat detection to identify potential vulnerabilities and security threats. The research focuses on the Industrial Internet of Things (IIoT) within edge computing environments to create Edge Intelligence with the support of CTI platforms. The motivation is the vulnerability of production environments to cyberattacks. Potential security threats and attacks should be detected in Enterprise IoT environments based on OSINT information. AI with Federated Learning can be integrated into CTI environments; this is illustrated by the example of an Energy Cloud environment that distributes data between multiple networks to detect attacks and prevent future vulnerabilities by distributing the OSINT information. It will be shown that CTI platforms are valuable tools that can complement the protection of IoT devices to enhance security. Future data breaches in Enterprise IoT environments can be prevented with the innovative methods and open source tools for formatting data as Indicators of Compromise (IoC) presented in the paper. The referenced best practices can be reused for other Enterprise environments and expanded on a global level.
KEYWORDS
Open Source Intelligence, IoT, IT Security, Cyber Threat Intelligence, Artificial Intelligence, i1seminar
1 INTRODUCTION
Open Source Intelligence (OSINT) tools are mainly used for gathering information from different publicly available sources. Cyber Threat Intelligence (CTI) is a specific area of cybersecurity for detecting cyber threats. IoT devices are often developed in a way that makes them vulnerable to attackers [2]. This paper aims to show that Enterprise IoT environments can gain security enhancements by applying CTI. Possible attacks on Enterprise Internet of Things (IoT) environments can be forecast based on OSINT information. In this way, detecting vulnerabilities with CTI is possible.
This paper was written as part of the conference seminar “IT Security” which was
organized by the chair of IT Security Infrastructures at the FAU during the Winter
term 2024. Special thanks to Lena Voigt and Jonas Röckl for the provided support
during the course of this paper.
ETIP will be presented as an Enriched Threat Intelligence Platform that uses open source information [26] to calculate a threat score for incident prioritization as an indicator of cyber threats. One important step to explain is the data analysis with threat attributes for specifying the collected information [19]. The process is defined by how the cyber-threat attribution is carried out and which information is required for calculating the Indicators of Compromise (IoC) used to prioritize the analysis of incidents [19], where the threat score will be included. Such a process design is described by the OSINT Cycle [41]. The Structured Threat Information Expression (STIX) has been developed as a standard, human- and machine-readable data format [18], which can be integrated into CTI platforms for automated data analysis together with TAXII, the Trusted Automated Exchange of Intelligence Information. The focus of the research is on the Industrial Internet of Things (IIoT) within edge computing environments to create Edge Intelligence with the help of Artificial Intelligence [42]. Potential security threats and attacks can be detected based on distributed OSINT information. That can be automated with integrated machine learning and artificial intelligence [37]. The goal is automated vulnerability detection and the distribution of this information. That will be substantiated by a successful use-case example within an Energy Cloud environment based on IIoT in an edge computing environment [13].
This example of the Energy Cloud distributes its CTI data through different networks. It is based on Federated Learning for AI [32], which can support an exchange between systems about the latest security incidents [17]. All of this should give an overview of CTI and the benefits of using it for enhancing the security and protection of Enterprise IoT environments. CTI platforms can detect attacks on IoT devices in edge computing environments and prevent some data breaches in this manner. Based on the presented open-source tools and examples, it should be possible to reuse these best practices globally.
2 BACKGROUND AND RELATED WORK
Section 2.1 "Open Source Intelligence" explains OSINT and the difference between OSINT and non-OSINT data. This is corroborated afterwards with design best practices for OSINT tools based on Section 2.2 "The OSINT Cycle" [41]. Building on that, Section 2.3 "Cyber Threat Intelligence" (CTI) is explained as a part of cybersecurity [31]. Likewise, some background information about the role of Section 2.4 "Industrial Internet of Things (IIoT) and Enterprise", followed by Section 2.5 "Edge Computing" together with Section 2.6 "IIoT Architecture", is essential [16] for a good understanding, especially of the architecture example in Section 4.3 "CTI framework for an Energy Cloud".
Finally, all these topics will be pulled together in Section 2.7 "Attacks on IIoT" with some possible attacks upon IIoT devices [2] and in Section 2.8 "The Role of Security for Enterprise IoT in Edge Computing Environments".
2.1 Open Source Intelligence
Johnson describes OSINT on p. 130 as a strong foundation for other intelligence areas [20]. Samtani et al. state on p. 139 that OSINT provides organizations with the view from the outside to identify relevant threats [31]. Johnson indicates that this open source information (OSINF) contains multiple categories, including media sources, different online sources (also covering the World Wide Web), geospatial information, and commercial imagery [20]. Koops et al. [22] include in OSINT "the collection, analysis and use of data from open sources for intelligence purposes". Malicious actors can get access to sensitive data from open sources. Stodelov and Miloslavskaya [34] call email addresses, IP addresses, accessible ports, and all other private data within organizations sensitive data. Tabatabaei and Wells [38] define OSINT data as information accessible without special authorization, memberships or relationships. These data can be structured or unstructured, as well as available offline or online. Generally, non-OSINT data are formally not publicly accessible [38]. Confidential data are also non-OSINT data. These can be personal data or sensitive in another manner. Such data are principally under data protection law. Tabatabaei and Wells [38] highlight that the industry must keep non-OSINT data within the company. That is also valid for data related to activities, finances, or employees [38].
In the best case, OSINT tools are designed based on legal and ethical rules to match the standards of society. Stodelov and Miloslavskaya [34] reference a basic set of OSINT tools as part of the OSINT framework supporting organizations with a view "through the eyes of an attacker". The established design contains different phases explained in detail in Section 2.2 "The OSINT Cycle". Data analysis also includes validation. Ghioni et al. [11] indicate that different OSINT tools are available for diverse forensic aims. Textual data can be analyzed with linguistic tools. Natural Language Processing (NLP) is a discipline combining linguistics with AI (analysis of textual data in different areas). Geospatial tools, which include commercial satellite imagery and other remote sensing tools, can be used for geolocation, geo-inference (identifying consumer locations), and georeferencing (getting geographical object data). For example, network-based tools can establish relationships between entities based on data from social networks. Gibson et al. [12] mention on p. 102 Gephi¹ as an example tool for network analysis. Further information from image and video files can be extracted with the support of visual forensics tools.
Ghioni et al. [11] note that, in contrast to other intelligence-gathering fields, OSINT is receiving support in the digital world for its development, and its field is expanding into other areas (e.g., AI and Machine Learning). Gibson et al. [12] point to the introduction of Validated Open-Source Intelligence (OSINT-V) with profound reliability for gaining confidence in the validation during the data analysis. All in all, OSINT provides many benefits when it comes to distributing data and accessing information [26], as described in the next Section.
¹ gephi.org (accessed 15th January 2024)
2.2 The OSINT Cycle
Figure 1: The Open Source Intelligence Cycle (by Kriesch,
based on Ungureanu [41] and Gibson et al. [12])
OSINT tools are, in the best case, designed based on the OSINT cycle. Ungureanu [41] has explained OSINT based on a split into 4 phases (data collection, data processing, data analysis, data dissemination) for the OSINT cycle. Figure 1, "The Open Source Intelligence Cycle", shows these 4 phases containing the different operational steps:
1) Data Collection (category Open Source Data) includes exploring sources, monitoring sources, collecting data, and storing open source data. In general, this phase scans, collects and tracks data in order to store it afterwards [41].
2) Data Processing (category Open Source Information for OSINT) contains normalizing, aggregating, indexation of processed data (assigning attributes), correlation, clearing of access rights and open source information storage. The normalization brings all data into the same structure. All data must be aggregated to collate metadata and attributes during the indexation, and correlated afterwards. If many metadata and attributes can be allocated, the information for the next phase is confirmed. Permissions are also included for protection in this phase because they are essential for performing tasks and storing open source information [41].
3) Data Analysis (category OSINT / OSINT-V) is responsible for source validation, intelligence validation, integration and analysis. This phase commonly validates automatically the information that has been collected and built before. AI can be applied here to work efficiently, which will be explained in Section 5, "Artificial Intelligence for Cyber Threat Intelligence". It can also be used to prevent data manipulation by actors in this phase. The information source and the publication timestamp are determined during the data analysis [41].
4) Intelligence Dissemination (category OSINT-V) brings all data to production and executes intelligent indexation, distribution, OSINT storage and feedback. An automatically generated report is the resulting product. All documents have to be indexed and stored accessibly for the future. Some technologies provide distribution matrices to disseminate the information additionally to other recipients with special permissions (set in Section 2.2, phase 2 "Data Processing"). Finally, the audience of the created data security reports offers feedback with suggestions and questions for clarification [41].
2.3 Cyber Threat Intelligence
Sun et al. [35] believe CTI can deliver deeper insights into possible cyber threats and attacks. Lee [24], recognized in the industrial cybersecurity community as a Cyber Threat Intelligence Professional and book author, describes CTI in his blog as "the process and product resulting from the interpretation of raw data into information that meets a requirement as it relates to the adversaries that have the intent, opportunity and capability to do harm". In general, CTI is the process of using available information to recognize threats against an institution, as described by Martins and Medeiros [26]. The goal is earlier detection of incidents, reinforcement of the systems, and preparation for known as well as unknown threats [26]. Samtani et al. [31] characterize the process behind CTI as data-driven, similar to the data analysis procedures in the process behind the "OSINT Cycle", see Section 2.2. Organizations must determine their intelligence needs based on their assets and possible attacks. These data requirements are then applied for data collection and aggregation in cyber threat analytics [31]. Samtani et al. [31] describe CTI platforms as developed to enable analysts to determine patterns of malicious behaviours learned from previous situations and better eliminate future attacks.
2.4 IIoT and Enterprise
Dhirani et al. [7] describe IIoT as a concept for implementing separate technologies, including IoT, cloud computing, and artificial intelligence, together with other inventive solutions covering monitoring and automation. Dorsemaine et al. [8] define IIoT as a "group of infrastructures, interconnecting connected objects and allowing their management, data mining, and the access to data they generate where connected objects are sensor(s) and/or actuator(s) carrying out a specific function that are able to communicate with other equipment". Boyes et al. [5] point out that IoT devices are connected via networks, use different sensors or computing capabilities, and collaborate with other IoT objects that are using or sending data. Bibi et al. [4] highlight the requirement of different IIoT communication protocols for the possible transformation of single IoT devices into intelligent communication. Such systems are also used for manufacturing in the Enterprise [5].
2.5 Edge Computing
Lynn et al. [25] explain Edge Computing as the network layer, including the end devices and their users, that serves services. Applied examples are local computing capability on a sensor, a meter, or other network-connected devices. Qiu et al. [28] expand this definition with a computing model for data analysis and processing using computing resources, storage, and networks between the sources of data and the data centres for cloud computing. IIoT, as described in Section 2.4, "IIoT and Enterprise", can be a part of that with many distributed heterogeneous industrial IoT devices for collecting data and transferring it to the cloud server for computing and operation. IoT devices in edge computing have adequate computing power for integrating the preprocessing of source data, the calculation, and the uploading of the results to the public cloud or servers/devices in data centres [28]. The benefits of edge computing combined with IoT are system improvement, data security because of distributed data, and reduced operational costs based on smaller systems. Edge computing and IoT together can also be called "Edge IoT environments".
2.6 The IIoT Architecture
Figure 2: IIoT Architecture (adopted from Tsiknas et al. [40] and Rosati and Lynn [29])
The "IIoT Architecture" in Figure 2 represents the IIoT architecture with different layers based on various device types, designed to better understand IoT security combined with edge computing. Haddadpajouh et al. [16] define it with an Application Layer, a Network Layer and a Device/Edge Layer. Tsiknas et al. [40], and Rosati and Lynn [29], have added an optional Service Support and Application Support Layer to the architecture for (generic/specific) support capabilities in case data centre communication, mail and web services or other external services are added. The Device/Edge Layer covers systems that perform the physical processes of the IIoT, such as embedded devices and sensors [16]. Additionally, it contains the gateway capabilities which communicate with and control the device capabilities of the 1st level. Attacks at this level intend to prevent legitimate communication between the two levels and to control the flow of communication. Therefore, they are combined into one layer. Haddadpajouh et al. [16] deem that gateways are mainly affected by attacks on the Edge Layer. The Network Layer is responsible for networking and transportation capabilities. It includes TCP/IP and Operational Technology (OT) specific communication protocols like Modbus [16]. Găitan and Zagan [15] hint that the Modbus protocol is used for interconnecting automation devices. Lynn et al. [25] state that the Service Support and Application Support Layer with generic/specific support capabilities is responsible for data processing, while the Application Layer has the user interface for IoT applications. The Application Layer is responsible for IoT applications. Every layer can be affected by different sets of attacks, which are covered with examples in the next Section 2.7, "Attacks on IIoT".
2.7 Attacks on IIoT
Ansari et al. [2] indicate that DDoS attacks, malware injection attacks, side-channel attacks, and authentication and authorization attacks are the most common attacks on IoT devices. In DDoS attacks, the attacker sends many packets to the target device to exhaust all the resources and bandwidth available at the target. Users cannot use the system anymore. Side-channel attacks work by gathering publicly available, non-privacy-sensitive data, influencing the target (via side-channel information), and then deriving the private data from this information by exploiting the correlations [2]. These are inherently available between the public and the private information. Malware injection attacks include installations of malicious programs with SQL injections, XML signature wrapping, or cross-site scripting (XSS). The SQL injection can damage and maliciously alter the backend database with sent SQL queries. The XML signature wrapping attack catches and modifies an XML message to relay it to a target system with the goal of executing the projected code. The XSS attack delivers malicious JavaScript or HTML code to the data content [2]. Ansari et al. [2] refer to "dictionary attacks, attacks targeting vulnerabilities in authentication mechanisms without legitimate access permissions, attacks exploiting susceptibilities in authorization protocols, and over-privileged attacks" as possible authentication and authorization attacks on IoT devices. Dictionary attacks utilize a credential or password dictionary to access authentication systems. Attacks targeting authentication weaknesses are applied, as an example, by using security flaws in the WPA/WPA2 security protocols. Authorization-based attacks profit from a lack of logic or missing design principles in the authorization protocols applied on edge computing systems [2]. In over-privileged attacks, the actor applies higher permissions than required to a device or an app. That gives the actor the privilege to perform malicious activities inside the network [2].
2.8 The Role of Security for Enterprise IoT in Edge Computing Environments
Qiu et al. [28] highlight network security and data security as two essential security areas for applying Edge Computing to IIoT. The reasons are the large communication networks and the data transmitted between IoT devices. It is possible to decrease the data volume for the different nodes, but there are security concerns regarding data storage. Qiu et al. [28] argue that secure data-sharing solutions exist for edge computing in IIoT (incl. privacy protection and integrated cryptography). However, with an increasing number of data interfaces, topics like distributed storage and access control introduce new security-related considerations for collaboration between multiple devices. Montasari et al. [27] anticipate here data volatility and information volatility. Data volatility focuses on the availability of particular data. Information volatility covers all data that can be utilized. Koops et al. [22] recommend "privacy-by-design strategies with data protection regulations" for the usage of these data. Otherwise, according to Dhirani et al. [7], cyber threats are possible through malicious acts such as stealing, altering, or disrupting data (degrading data confidentiality, integrity, and availability). Dutta and Kant [9] suggest cyber threat intelligence platforms for the detection of predictable attacks, depending on the indication, with information as a reference point for the security appliances. The goal is the prevention of future cyber attacks.
3 INTEGRATING OSINT AND CYBER THREAT INTELLIGENCE
González-Granadillo et al. [14] describe OSINT data as data collected from publicly available sources for applying them in intelligence contexts throughout Cyber Threat Intelligence Platforms (TIP), which are the primary consumers. This will be explained based on the example "ETIP", in Section 3.1, for data collection, storage, sharing, and integration with external parties. In the first step, OSINT data (structured and unstructured data) must be collected as OSINT information. Based on that, helpful information and Indicators of Compromise (IoC) can be gained from OSINT. Martins and Medeiros [26], Irshad and Basit Siddiqui [19], and González-Granadillo et al. [14] explain how to use threat attributes and calculate threat scores based on them, which will be explained in 3.2 "The Threat Score" and 3.3 "Data Analysis with Threat Attributes". Iacovazzi et al. [18] define 3.4 "STIX" as a standardized data format for threat attributes, which can be exchanged automatically via TAXII [19].
3.1 ETIP
González-Granadillo et al. [14] hold that sharing OSINF alone is not enough. CTI must use specific standards that allow involved parties to speed up the processing and analysis of received information in all phases of the 2.2 "OSINT Cycle" to achieve interoperability among them. Solutions such as CTI platforms must be operated and reviewed afterwards. The required information can be collected from many sources with CTI platforms. To do that, OSINF has to be gathered, screened, adopted, analyzed, and validated. Martins and Medeiros [26] advise of developed frameworks for the communication of CTI to share threat information in a scalable manner and include standardized reports. Finally, such frameworks are an advantage in information sharing for cybersecurity purposes. Martins and Medeiros [26] reference ETIP as one of these platforms, extending the importing functionality, quality assurance processes, and information-sharing proficiency of prevalent CTI platforms. ETIP receives and circulates structured information from external origins equal to OSINT [26].
González-Granadillo et al. [14] illustrate the three modules of the platform: The input module collects, normalizes, processes, and aggregates the IoCs from OSINT feeds as well as infrastructure-related data.
The operational module executes the heuristic analysis process for the calculation of the threat score, which is explained in the next Section 3.2 "The Threat Score". That is one benefit belonging to each IoC. The threat score provides the possibility to prioritize the analysis of incidents. It is based on two weights, as described in the next Section. The Threat Score Agent shares the enriched IoC (eIoC), incl. threat score, for the security information, together with OSINF [14]. This module receives the assorted IoCs and correlates them with the information collected from the infrastructure (e.g., open ports, IP addresses, communication protocols). An incident would result in an eIoC.
The third module is the output module with an integrated visualization dashboard for the enriched generated information, together with connections to the security data analytics platform. For this reason, it is possible to use OSINT data for CTI with ETIP.
3.2 The Threat Score
As described in Section 3.1, "ETIP", and by González-Granadillo et al. [14], the threat score is calculated based on a heuristic analysis process to prioritize the incidents. It is included as a custom attribute in the sent IoC within CTI. The threat score calculation within ETIP has to evaluate the threat data first. That consists of the Source Identification of threat data (incl. log files, databases, reports, and internet sources as examples), the Heuristics Identification based on important information about the infrastructure (e.g. IP addresses, ports, and timestamps) valid for the 3.3 "analysis process" in the next section, and the Threshold Definition. The threshold definition checks for each heuristic to indicate whether the input data contains a CVE for the detected threat. This value, ranging from 0 to 5, is assigned to cover all possible results associated with the instance of identified heuristics. These instances have additionally been assigned the Score Computation. The resulting value represents the priority and importance of the security information from OSINT data sources and other infrastructure data. The evaluation process also needs the Training Period for evaluating (individually and globally) the performance of the engine throughout the training process, an Engine Calibration for minimizing variances (e.g., fewer false positives and false negatives) based on analyzing the obtained results, and Final Tests after the engine calibration to rerun the previous tests and evaluate the tool's improved performance.
González-Granadillo et al. [14] call the Weighted Mean the function used to calculate the threat score in Figure 3, "Threat Score Calculation". The threat score is the sum of all individual heuristic values ($X_i$), based on the information obtained from the IoC during the evaluation, each multiplied by its corresponding weight factor ($P_i$). The latter considers criteria like relevance, accuracy, timeliness and variety. Afterwards, this sum is multiplied by the completeness criterion ($C_p$). $C_p$ is counted as the number of non-empty features divided by the number of all features.
$TS = C_p \cdot \left( \sum_{i=1}^{t} X_i \cdot P_i \right)$ (1)
Figure 3: Threat Score Calculation (by González-Granadillo et al. [14])
The resulting threat score ranges between zero and five ($0 \leq TS \leq 5$). The higher the threat score, the more reliable the IoC. As a result, a value between 0 and 1 indicates a very low priority. Values between 2 and 3 are medium-level priorities. High-level priorities are located between 3 and 4, and critical priorities can be found between 4 and 5.
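The following is an added worked example of Equation (1), not ETIP's own implementation: the three heuristics, their weights and the sample IoC features are constructed for illustration, the weights are required to sum to 1 so that the weighted mean stays within 0 to 5, and the band between 1 and 2, which the paper does not name, is called "low" here by assumption.

```python
"""Worked threat-score calculation in the weighted-mean form of Equation (1).

Added example, not ETIP's code. Heuristics, weights and sample IoCs are
constructed; weights must sum to 1 so that 0 <= TS <= 5 whenever 0 <= X_i <= 5.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Heuristic:
    """One heuristic of the operational module: weight P_i plus a scorer yielding X_i."""
    name: str
    weight: float                              # P_i: relevance, accuracy, timeliness, variety
    score: Callable[[Dict[str, Any]], float]   # returns X_i in [0, 5]


# Threshold definition (Section 3.2): does the input data reference a CVE?
def cve_heuristic(ioc: Dict[str, Any]) -> float:
    return 5.0 if ioc.get("cve") else 0.0


# Infrastructure heuristic: an exposed OT port weighs more than any other port (assumed mapping).
OT_PORTS = {502}  # Modbus/TCP, the OT protocol named in Section 2.6

def exposed_port_heuristic(ioc: Dict[str, Any]) -> float:
    port = ioc.get("port")
    if port is None:
        return 0.0
    return 5.0 if port in OT_PORTS else 2.0


# Source identification: the source types listed in Section 3.2, ranked here by assumption.
SOURCE_RELIABILITY = {"log file": 5.0, "database": 4.0, "report": 3.0, "internet source": 2.0}

def source_heuristic(ioc: Dict[str, Any]) -> float:
    return SOURCE_RELIABILITY.get(str(ioc.get("source")), 0.0)


HEURISTICS: List[Heuristic] = [
    Heuristic("cve", 0.4, cve_heuristic),
    Heuristic("exposed_port", 0.3, exposed_port_heuristic),
    Heuristic("source", 0.3, source_heuristic),
]


def completeness(ioc: Dict[str, Any]) -> float:
    """C_p: number of non-empty features divided by the number of all features."""
    if not ioc:
        return 0.0
    filled = sum(1 for value in ioc.values() if value not in (None, "", [], {}))
    return filled / len(ioc)


def threat_score(ioc: Dict[str, Any], heuristics: List[Heuristic] = HEURISTICS) -> float:
    """TS = C_p * sum_i(X_i * P_i), rounded to three decimals."""
    if abs(sum(h.weight for h in heuristics) - 1.0) > 1e-9:
        raise ValueError("weights P_i must sum to 1 for the weighted mean")
    weighted_sum = 0.0
    for h in heuristics:
        x_i = h.score(ioc)
        if not 0.0 <= x_i <= 5.0:
            raise ValueError(f"heuristic {h.name} returned {x_i}, outside [0, 5]")
        weighted_sum += x_i * h.weight
    return round(completeness(ioc) * weighted_sum, 3)


def priority(ts: float) -> str:
    """Map a score to the priority bands of Section 3.2.

    The paper does not name the band between 1 and 2; calling it 'low' and
    assigning exact boundary values to the lower band are assumptions."""
    if not 0.0 <= ts <= 5.0:
        raise ValueError("threat score must lie in [0, 5]")
    if ts <= 1.0:
        return "very low"
    if ts < 2.0:
        return "low"
    if ts <= 3.0:
        return "medium"
    if ts <= 4.0:
        return "high"
    return "critical"


# Constructed sample IoCs (documentation-range IPs, placeholder CVE id), not real indicators.
SAMPLE_IOCS = {
    "full": {"ip": "203.0.113.7", "port": 502, "protocol": "modbus",
             "timestamp": "2024-01-15T10:00:00Z", "source": "log file", "cve": "CVE-XXXX-XXXX"},
    "partial": {"ip": "203.0.113.7", "port": None, "protocol": "modbus",
                "timestamp": "2024-01-15T10:00:00Z", "source": "report", "cve": "CVE-XXXX-XXXX"},
    "sparse": {"ip": "203.0.113.9", "port": None, "protocol": None,
               "timestamp": "2024-01-15T10:00:00Z", "source": "internet source", "cve": None},
}

if __name__ == "__main__":
    for name, ioc in SAMPLE_IOCS.items():
        ts = threat_score(ioc)
        print(f"{name:8s} C_p={completeness(ioc):.3f} TS={ts:.3f} -> {priority(ts)}")
```

Note how the "partial" IoC loses one sixth of its score purely through $C_p$ even though its heuristics fire: missing features lower the priority before any weight is applied.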
3.3 Data Analysis with Threat Attributes
Martins and Medeiros [26] term data analysis the most crucial part of cyber threat intelligence and OSINT. It is essential to consider and process OSINT data in diverse formats to attain comprehensive data about a specific attack. Irshad and Basit Siddiqui [19] regard the identification of the order of actions used by the actor in the attacks as an important task in cyber-threat attribution. Most attacks contain information about "who, what, where, why, and how" it has happened (e.g. from log files on servers). Afterwards, it may be possible to identify what an attacker wanted to achieve in this attack. Such parameters give information about the timestamp, the attacker's direction, and objectives/goals. Additionally, information can be gained about the tools and techniques used. That can all help to prevent future attacks. Cyber threat attribution can have a high complexity because of the different measures taken to keep the identity secret. Irshad and Basit Siddiqui [19] point out that for a reasonable judgement about attackers, the focus should be on the detailed group of features, i.e., tools and techniques, malware, target country, target organization and target application. The data sources are also fundamental. Tools, techniques and procedures and malware count as high-level IoCs, in comparison to IP addresses, URLs, hashes, domain names, source/destination ports, timestamps, and infection types as low-level IoCs [19].
Martins and Medeiros [26] have identified that too many attributes in a single event can also increase the complexity. Irshad and Basit Siddiqui [19] highlight converting unstructured data into intelligence as the most complicated task. The required framework has to collect the data, extract features with text pre-processing (e.g. removing points), identify datasets from cybersecurity fields (incl. assigning weights) and apply semantic mapping for the validation of extracted features against benchmark frameworks. The formed datasets can be utilized as threat attributes [19]. As soon as the threat attributes are available, attributes with similar types (i.e., properties) must be determined and aggregated [26]. Martins and Medeiros [26] explain this with the examples "MD5 and SHA1": attributes holding hash values are applied as a checksum for data integrity verification, and therefore they are aggregated together in the group named file hash. In this manner, characteristics of the attributes are created. Martins and Medeiros [26] note that the four attribute groups network address, file hash, other info and file name are continuously available.
3.4 STIX
All data should have the same format for being processed for CTI. Iacovazzi et al. [18] reference STIX as an open source language and serialization format applicable for exchanging CTI data. It supports four cyber threat use cases [18]: analyzing cyber threats, specifying indicator patterns, managing response activities, and sharing CTI [18]. STIX can be saved in the machine-readable JSON format and may be visualized with open source software (by the OASIS consortium² [33]) in a graphical representation for CTI tools and platforms like ETIP, as described in Section 3.1. This standardized format is extendable for use cases in different domains, applicable for machine-processing automation and readable for humans. Based on this format, OSINF can be categorized with particular attributes as STIX Domain Objects (SDOs). The structure of the STIX architecture with chained objects makes it possible to define relationships between constructs. Iacovazzi et al. [18] specify the following most important SDOs:
ThreatActor: An actor of threats that is known
Campaign: A group of activities by Threat Actors
CourseOfAction: Recommendations for next actions
ExploitTarget: Weaknesses in networks, software, systems, and other points of aim
Incident: A STIX incident
Indicator: Detection indicators based on patterns for cyber attacks
Observable: STIX Cyber-observable Objects (SCOs) to share information
TTP: Tactics, Techniques, and Procedures
Further available SDOs are vulnerability, identity, report, location, attack pattern, infrastructure, grouping, malware analysis, malware, intrusion set, note, opinion, and tool [18].
Irshad and Basit Siddiqui [19] reference the Trusted Automated Exchange of Intelligence Information (TAXII) with the possibility to extract threat feeds based on STIX.
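As an added example that is not code from the paper or from any cited project, the following Python script (standard library only, no stix2 package) aggregates constructed OSINT attributes into the four groups named in Section 3.3, turns each group into a STIX 2.1 Indicator with a STIX pattern, chains the Indicators to a Campaign SDO through "indicates" relationships, and runs structural checks of the kind a TAXII submission should pass. All sample values, the campaign name and the helper names are assumptions.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input (not from the paper): attributes an OSINT extraction
# step might hand over, typed like the "MD5 and SHA1" examples in the text.
SAMPLE_ATTRIBUTES = [
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "sha1", "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"type": "ip-dst", "value": "192.0.2.10"},        # TEST-NET-1, constructed
    {"type": "domain", "value": "c2.example.net"},     # reserved example domain
    {"type": "filename", "value": "update.exe"},
    {"type": "comment", "value": "seen in a phishing wave"},
]

# The four attribute groups named in the text; anything unmapped is "other info".
GROUP_OF_TYPE = {
    "md5": "file hash", "sha1": "file hash", "sha256": "file hash",
    "ip-src": "network address", "ip-dst": "network address",
    "domain": "network address", "filename": "file name",
}
HASH_KEY = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256"}  # STIX hash names

def aggregate_attributes(attrs):
    """Group attributes of similar type, as Martins and Medeiros describe."""
    groups = {}
    for a in attrs:
        groups.setdefault(GROUP_OF_TYPE.get(a["type"], "other info"), []).append(a)
    return groups

def comparison(attr):
    """One STIX comparison expression for a single attribute, or None."""
    t, v = attr["type"], attr["value"].replace("'", "\\'")
    if t in HASH_KEY:
        return f"file:hashes.'{HASH_KEY[t]}' = '{v}'"
    if t in ("ip-src", "ip-dst"):
        return f"ipv4-addr:value = '{v}'"
    if t == "domain":
        return f"domain-name:value = '{v}'"
    if t == "filename":
        return f"file:name = '{v}'"
    return None  # "other info" has no cyber-observable representation

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def _sdo(kind, **props):
    """Minimal STIX 2.1 common properties for a domain or relationship object."""
    ts = _now()
    return {"type": kind, "spec_version": "2.1", "id": f"{kind}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def build_bundle(attrs, campaign_name):
    """One Indicator per attribute group, chained to a Campaign SDO."""
    campaign = _sdo("campaign", name=campaign_name)
    objects = [campaign]
    for group, members in aggregate_attributes(attrs).items():
        terms = [c for c in (comparison(a) for a in members) if c]
        if not terms:
            continue  # nothing observable to match on in this group
        indicator = _sdo("indicator", name=f"{group} indicators",
                         pattern_type="stix",
                         pattern="[" + " OR ".join(terms) + "]",
                         indicator_types=["malicious-activity"],
                         valid_from=_now())
        link = _sdo("relationship", relationship_type="indicates",
                    source_ref=indicator["id"], target_ref=campaign["id"])
        objects += [indicator, link]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f-]{36}$")

def validate_bundle(bundle):
    """Structural checks worth running before a bundle goes to a TAXII server."""
    ids = {o["id"] for o in bundle["objects"]}
    errors = []
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            errors.append(f"bad id {o['id']}")
        if o["type"] == "relationship":
            for ref in (o["source_ref"], o["target_ref"]):
                if ref not in ids:
                    errors.append(f"dangling reference {ref}")
        if o["type"] == "indicator" and not o["pattern"].startswith("["):
            errors.append(f"pattern not bracketed in {o['id']}")
    return errors

if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_ATTRIBUTES, "constructed campaign")
    print(json.dumps(bundle, indent=2))
    print("validation errors:", validate_bundle(bundle))
```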
4 SECURITY ENHANCEMENTS FOR IIOT
Tsiknas et al. [40] hold the opinion that managing IIoT systems needs the highest reliability, security, and accuracy. The enhanced security for IIoT should be in parallel with the common protection of critical infrastructure, like telecommunications, water and energy networks, or government infrastructure. Dhirani et al. [7] highlight that realized data breaches in the IIoT area should be censored due to special exposures related to machine-to-machine (M2M) communication and environments.
Dutta and Kant [9] describe CTI, as explained in the section before, as "evidence-based knowledge" about a malignant activity for detecting attacks in the cybersphere. Different attack types like spoofing, Man in the Middle (MITM), DDoS, and manipulation of data can induce the imitation of a unique user, jeopardize the authentication and directly affect the security based on CIA (Confidentiality, Integrity, Availability) [9]. The associated threat detection mechanism of IoT applications with CTI platforms can help detect attacks well in advance [9]. Kumar et al. [23] call CTI a sturdy security strategy that applies artificial intelligence models to identify cyber-attacks and protect data of IoT environments today.
This practice is presented in Section 4.1, "Usage of Cyber Threat Intelligence for IIoT", and expanded by adding the intelligence for edge computing in Section 4.2, "Edge Intelligence". Both are completed afterwards with a real project example in Section 4.3, "A Cyber Threat Intelligence Framework for Energy Cloud Environments".
² oasis-open.github.io (accessed 5th January 2024)
4.1 Usage of Cyber Threat Intelligence for IIoT
Alam et al. [1] state that the intelligence of CTI is distributed within the IoT architecture layers of Section 2.6. Several IoT devices can collect the essential input data for CTI [1]. Sensors and devices for locating and identification can create real-time data "thousands of times per second" as a standard [1]. As mentioned in Section 2.7, "Attacks on IIoT", IoT devices can be affected by different attack types. That brings challenges related to security and privacy [1]. The STIX format can be extended for CTI platforms to use critical patterns to mark specific object features [9]. As highlighted as an exceptional feature in Section 3.4, "STIX", it can also be saved in the JSON format for representing data objects. Alfonso references JSON as the generally preferred format for IoT applications since it is self-describing. There are different CTI platforms for IIoT available. One example which is compatible with STIX and TAXII is the Malware Information Sharing Platform (MISP)³. Iacovazzi et al. [18] recommend the MISP engine based on open source software because it can be easily extended and customized for use cases in the IoT area. It is constantly updated and contains many well-documented APIs.
Bibi et al. [4] want to expand CTI with Deep Learning based on Deep Neural Networks (DNN), Convolutional Neural Networks (CNN), Artificial Neural Networks (ANN), and Recurrent Neural Networks (RNN). Deep Learning based CTI systems with RNN and DNN algorithms have already classified anomalies in IoT networks with a detection accuracy of 80.7% and 90% [4].
4.2 Edge Intelligence
Xu et al. [43] describe the combination of edge computing with AI as the solution for critical tasks with AI-based applications. Ansari et al. [2] call this integrated intelligence with AI on the Edge Layer of the IIoT Architecture (Section 2) Edge Intelligence.
Villar-Rodriguez et al. [42] highlight that Edge Intelligence covers many areas for applying edge computing environments, such as medical engineering, Industry 4.0, and autonomous driving. Regarding cybersecurity, the main objective of Edge Intelligence is to guarantee the CIA triad. Confidentiality includes the privacy of the input data applied to AI algorithms or the algorithms themselves. All sensitive information must be kept private at all times [42]. Qiu et al. [28] name edge servers, edge nodes, or edge networks, the leakage of private data holding the access rights of the edge computing system, or the unreasonable design of the encrypted transmission protocol as points for data privacy issues. Villar-Rodriguez et al. [42] point out the importance of integrity for data security and reliability. This includes that malfunctions in software and hardware or drastic instructions may cause unexpected and unauthorized data changes. Cryptographic algorithms can be applied to guarantee the confidentiality of the information and the related integrity. Additionally, edge computing provides the possibility to keep redundant information separately, ensuring integrity by reapplying the data from the actual data and comparing it with the stored redundant information on different devices [42]. As the last part of CIA, availability refers to information availability, which implies that authorized users or systems can access the data just as they execute AI algorithms [42].
³ www.misp-project.org (accessed 22nd January 2024)
Qiu et al. [28] argue that traditional security protection methods cannot meet the protection requirements of edge computing because they do not fully consider security risks. Ansari et al. [2] advise that edge systems are mostly configured as passive data aggregation and processing nodes with little intelligence integrated into them. Intelligence can be incorporated with AI for automated detection, which brings new security threats and challenges that require special defences and countermeasures [2]. AI for edge computing is centred on taking advantage of AI to provide processes with intelligent tools that assist in deploying or applying the edge computing paradigm [42].
In the next section about a successfully implemented CTI framework for an Energy Cloud environment, Edge Intelligence is integrated by distributing data between multiple networks. The training requires distributed learning [43], explained in Section 5.2, "Federated Learning". The training data are generated by edge computing devices [43], like IoT devices, which share them in a collaborative training approach in a common layer [43], as represented in Figure 4, "Energy Cloud Platform Architecture". The different IoT devices in the Local Layer send their data to the local CTI server in the Station Layer.
Edge computing environments contain multiple IoT devices. Therefore, Alfonso demands the ability to collect IoCs from distributed sources and in different formats as a requirement for the CTI platform. Iacovazzi et al. [18] recommend Cloud-based CTI engines based on these requirements because they can collect IoCs from multiple sources, including log files, security appliances, and threat intelligence feeds, and convert them into a standardized format that is easily understandable and actionable for cybersecurity professionals [18].
4.3 A Cyber Threat Intelligence Framework for Energy Cloud Environments
Gong and Lee [13] present a successful project implementing a CTI framework for an Energy Cloud environment in production. Figure 4, "Energy Cloud Platform Architecture for CTI", shows the architecture consisting of three layers: the local AMI layer, the station layer, and the cloud layer.
The local AMI (Advanced Metering Infrastructure) layer contains client devices for the cloud environment. To identify cyber threats, these devices collect data for IoCs related to systems and networks. The collected IoCs are forwarded to the station layer together with the behaviour information of the devices.
The station layer has management servers in charge of the lower energy network. The management server generates the CTI based on the collected IoCs from the AMI layer. The station layer builds a hierarchical structure with different network environments. This structure covers the whole energy cloud environment, including various devices and power generation systems. Each management server acts as a security system for each system and network by creating a security model optimized for a sub-network. This layer also includes the Meter Data Management System (MDMS) for managing smart meters of the local layer, the base station in charge of actual energy transmission, and the local CTI server. The MDMS is responsible for calculating the Home Area Network (HAN) power demand based on energy data. This calculated power demand is transferred to the base station. Finally, the base station delivers the required energy. The role of the CTI server in each region is to create CTIs for consumer devices. The types of cyber attacks on the energy cloud environment depend on the target environment and device. Therefore, a security model trained on an AMI-specific intrusion accident index on the local CTI server has been chosen. The CTI server can also receive data from lower layers and data related to cyber threats from external OSINT sources. This way, high-level CTIs can be generated and shared with the servers in the station layer. The analysis of network packet data has been executed with Deep Learning in the Host Intrusion Detection System (HIDS) and the Network Intrusion Detection System (NIDS) in the AMI layer. Abnormal user behaviour patterns can be detected based on a Convolutional Neural Network (CNN) by analyzing long-term energy data patterns [13].
Figure 4: Energy Cloud Platform Architecture for CTI (by Gong and Lee [13])
Gong and Lee [13] reference STIX and TAXII as foundation technologies for creating energy object data in a readable format. These data are converted into the Open Indicators of Compromise (OpenIOC)⁴ format.
The cloud layer contains a high-voltage transmission centre, an energy management system (EMS) and a central CTI server. The EMS has to analyze the energy demand flow of the whole energy cloud with the help of the energy object data provided by the MDMS in the station layer. This demand flow provides the policy to react. The central CTI server in the cloud layer creates a cyber threat response plan (with STIX-based security policies) for the energy cloud environment. That includes specific domain and IP address blocking policies, firewalls, and antivirus software update policies. These security policies are returned to the local CTI servers to counter further cyber attacks. The total is also based on all collected IoCs from general IT systems and AMIs in the local layer and the cyber threat-related data collected by OSINT [13]. Additionally, this central CTI server has been using the National Vulnerability Database (NVD) by the National Institute of Standards and Technology (NIST) as an external source for comparison [13]. The CTI server can also classify the cyber threat types.
⁴ github.com/fireeye/OpenIOC_1.1 (accessed 06th January 2024)
5 ARTIFICIAL INTELLIGENCE FOR CYBER THREAT INTELLIGENCE
As mentioned in Section 4.2, "Edge Intelligence", and successfully applied in the use case of Section 4.3 with the "Energy Cloud", it is possible to automate CTI processes with Artificial Intelligence. Villar-Rodriguez et al. [42] highlight the benefits of AI and the intelligence in other aspects of edge computing, such as in the guarantee of requirements, including safety, to ensure compliance standards with privacy requirements. The methods based on AI that are utilized are real-time stream analytics, online learning, and incremental learning, as well as Federated Learning [42]. Real-time stream analytics can apply the data by the data processing utilities. Online learning and incremental learning are based on machine learning to learn from changed and adopted data. Villar-Rodriguez et al. [42] recommend Federated Learning for distributed and diverse data, which is especially interesting regarding CTI for security analysis.
As mentioned in Section 4.1, "Usage of Cyber Threat Intelligence for IIoT", Deep Learning algorithms can achieve a high detection rate of attacks. Therefore, the benefits of Deep Learning as part of machine learning are explained in Section 5.1, "Deep Learning for AI", based on an example by Bibi et al. [4]. Sarhan et al. [32] and Hao et al. [17] recommend Federated Learning in Section 5.2, "Federated Learning for Distributed Learning", to increase the knowledge of the learning models and keep user information private.
5.1 Deep Learning for CTI
Villar-Rodriguez et al. [42] state that AI-based techniques include Machine Learning for importing Deep Learning models. Sarhan et al. [32] describe machine learning as an area of AI with great success in the scope of CTI. It can enhance the performance and efficiency of systems based on learning patterns. Bibi et al. [4] want to see Deep Learning as an optimized real-time learning technique for threat intelligence and detection of multivector cyber threats. Bibi et al. [4] have identified that such Deep Learning practices applied for IoT security detection can achieve an average accuracy of about 97.8% and 98.8%, respectively.
Bibi et al. [4] propose CuConvLSTM2D as a framework because it contains a Deep Learning layer for sophisticated cyber threats and attacks in distributed IIoT environments. Because many data are transferred in IIoT environments, data sequences are handled as time series [4]. In IIoT environments, the training data are mostly shared across devices, as mentioned by Ansari et al. [2]. In this case, "Federated Learning" from the next section can be used.
5.2 Federated Learning for Distributed Learning
Figure 5: The Federated-Learning Approach [6]
Sarhan et al. [32] state that Federated Learning has been established before as a learning model based on expansive attacks to achieve trustworthy detection precision across unrecognized traffic in organizations. It is possible to share CTI and its insights, as shown in Figure 5, "The Federated-Learning Approach", with different IoT devices (smartphones, IIoT and cars as examples) together with a central node as the central CTI server.
Bagdasaryan et al. [3] explain that Federated Learning models are built by linking model updates submitted by participants. Federated Learning distributes the training of a neural network across multiple participants by aggregating local models into a global model [3]. The central training server randomly takes a subset of participants and sends them the global model afterwards. Every participant can adapt this model to a new local model based on its private data and push the difference back. This can also be executed on IoT devices. Hao et al. [17] highlight that this distributed Deep Learning method enables implementing artificial intelligence in large industry applications for IoT in a collaborative manner. The data sharing includes additional tasks regarding privacy concerns based on possible attacks with shared parameters. Therefore, Hao et al. [17] recommend homomorphic encryption to expand the security. With this solution, all participating devices are assigned the same secret key. Trocoso-Pastoriza et al. [39] describe homomorphic encryption as unique in allowing calculations on encrypted data without decrypting it first. Hao et al. [17] have introduced "Privacy-Enhanced Federated Learning for Industrial Artificial Intelligence" based on this concept. It should prevent privacy leakages and protect the privacy of the training data [17].
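The round-based procedure described above (the server samples a random subset of participants and sends them the global model; each participant adapts it on private data and pushes only the difference back; the server aggregates the differences) as an added example in plain Python. It is not code from the paper or from any cited work; the participants' datasets, the hidden linear rule they are generated from, and the sample-count weighting of the aggregation are constructed assumptions.

```python
import random

# Constructed assumption: every participant's private data follow the same
# hidden linear rule y = 2*x1 - x2 + 0.5 plus a little noise. In a CTI
# deployment the features would be per-device telemetry and the label an
# anomaly score; the mechanics of the rounds are the same.
TRUE_W = [2.0, -1.0]
TRUE_B = 0.5

def make_private_dataset(seed, n):
    """One participant's private data; it never leaves local_update()."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        x = [rng.uniform(-1, 1), rng.uniform(-1, 1)]
        y = TRUE_W[0] * x[0] + TRUE_W[1] * x[1] + TRUE_B + rng.gauss(0, 0.05)
        data.append((x, y))
    return data

def local_update(global_model, data, lr=0.1, epochs=5):
    """Participant side: start from the received global model, run plain SGD
    on the private data, and return only the difference to the global model
    plus the number of samples used (the weight for aggregation)."""
    w = list(global_model["w"])
    b = global_model["b"]
    for _ in range(epochs):
        for x, y in data:
            err = w[0] * x[0] + w[1] * x[1] + b - y
            w[0] -= lr * err * x[0]
            w[1] -= lr * err * x[1]
            b -= lr * err
    delta = {"w": [w[0] - global_model["w"][0], w[1] - global_model["w"][1]],
             "b": b - global_model["b"]}
    return delta, len(data)

def aggregate(global_model, updates):
    """Server side: apply the sample-count weighted mean of the deltas."""
    total = sum(n for _, n in updates)
    new_w = [global_model["w"][i] + sum(d["w"][i] * n for d, n in updates) / total
             for i in range(2)]
    new_b = global_model["b"] + sum(d["b"] * n for d, n in updates) / total
    return {"w": new_w, "b": new_b}

def train_federated(participants, rounds=10, fraction=0.5, seed=0):
    """Central CTI server loop: sample a subset, send the global model,
    collect the deltas, aggregate. Returns the final global model."""
    rng = random.Random(seed)
    model = {"w": [0.0, 0.0], "b": 0.0}
    k = max(1, int(len(participants) * fraction))
    for _ in range(rounds):
        chosen = rng.sample(participants, k)
        updates = [local_update(model, data) for data in chosen]
        model = aggregate(model, updates)
    return model

def model_error(model):
    """Max absolute deviation from the hidden rule, for checking convergence."""
    return max(abs(model["w"][0] - TRUE_W[0]), abs(model["w"][1] - TRUE_W[1]),
               abs(model["b"] - TRUE_B))

if __name__ == "__main__":
    devices = [make_private_dataset(seed, 40) for seed in range(6)]
    final = train_federated(devices, rounds=10)
    print("global model:", final, "max error:", round(model_error(final), 4))
```

The deltas are what an observer on the network sees, which is why the text recommends encrypting them; nothing in the exchange carries a raw sample.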
6 DISCUSSION
In Section 2.1, "Open Source Intelligence", different modern OSINT tools are described, which also use AI and ML. As explained in Section 2.3, "Cyber Threat Intelligence", the process behind CTI is close to the "OSINT Cycle" of Section 2.2, based on the applied available information, which can include OSINT data. STIX (Section 3.4) has been established as a readable standard format for automation in CTI, which can be processed with TAXII afterwards. In this way, it is possible to create CTI platforms that assimilate OSINT data and establish relationships based on STIX objects to identify security flaws [33].
Montasari et al. [27] highlight that many organizations do not efficiently utilize CTI to safeguard networks against cyber-attacks. In contrast, CTI is already in use in the USA with the National Incident-Based Reporting System (NIBRS) as a solution to avoid possible cyber security incidents in advance [31]. Besides that, companies institute automated CTI platforms, as illustrated in the example of Section 4.3 with the Energy Cloud. CTI can be considered to be a driven security measure linking the collection, alignment and analysis of information regarding attacks in real-time. So, the prevention of data breaches and subsequent adverse consequences is possible [27]. CTI with AI is also applicable in edge computing environments. That has been called Edge Intelligence in Section 4.2.
Suryotrisongko et al. [37] define computable CTI in their research as the “next level of actionable CTI” by extending the definition by the European Union Agency for Cybersecurity (ENISA) for actionable CTI with AI/ML computability criteria. These automation techniques can help prevent attacks with publicly available OSINT repositories. That should be applied by fetching IoCs from OSINT for a second opinion and submitting newly confirmed IoC identifications to the OSINT repositories [37]. Additionally, a training process is required for the submission process because of possible wrong or poor-quality results, which must be handled cautiously. Kinyua and Awuah [21] determine that AI and ML-based cyber defence systems will be significant in responding to the growing number and intricacy of threats, the evolution of threats, and the requirement for fast and enhanced automated responses to threats. Such systems are qualified for quick analysis of large data sets, anomaly detection, and the discovery of suspicious patterns. In addition, automated updates to available OSINT servers may prevent cybersecurity attacks based on mature real-time analysis [21]. Montasari et al. [27] hold the opinion that such techniques are an advantage with structured data based on categories of entities with their properties, names, relationships to each other, and events by segmenting concepts and joining them.
Campos et al. [6] highlight the privacy concerns of Federated Learning as part of ML based on possible missing information from clients’ training data. However, Ghimire and Rawat [10] argue that this Deep Learning method has been explored for its applicability in different IIoT areas with a focus on the exchange of only updated parameters between IoT devices and the server.
Sun et al. [36] suggest open-source threat intelligence publishing platforms (OSTIPs) as a solution. OSTIPs are websites for cybersecurity information established to publish the latest findings of security-related research outcomes. The new findings can be applied as machine-readable CTI records. These can be analysed automatically in fast, reusable deployments for diverse defence mechanisms. Montasari et al. [27] point to the option of applying AI and ML methods to automatically collect and process data together with other available security solutions and include unstructured data from separate sources. Afterwards, this information is linked by adding the context on compromise and acts of vandalism.
Villar-Rodriguez et al. [42] also highlight architectures based on Federated Learning with a global CTI server calculating all weights with the support of Edge Intelligence for edge computing. Said [30] states that billions of weights must be determined with deep learning schemes, which requires growing computing capacities for fast real-time decisions.
7 CONCLUSION
Today, CTI has achieved a level of automation with the support of CTI platforms so that they can be integrated into Enterprise environments in production. The original goal to use public OSINT data has been transferred with CTI to identify cyber security risks.
Some organizations and companies have been using CTI with modern AI techniques to protect their environments, as represented by the "Energy Cloud environment" of Section 4.3. It is an ongoing development idea to provide all these collected data for a general purpose with the discussed OSTIPs (besides other public sources) to react faster to possible attacks. This way, all organizations can benefit from securing their production environments.
AI and Machine Learning can help to analyze data and find anomalies that are otherwise undetected, even before important data is breached. Homomorphic encryption is a good solution for protecting sent data inside an IIoT network for edge computing. Global centrally accessible CTI systems can be used as Infrastructure as a Service (IaaS) for receiving the latest security incident information. In that case, the required OSINT data are collected and distributed to CTI servers within companies and other organizations. In the future, it would be a benefit for all to use the collected cyber threat information from a global server to be up to date about the latest incidents. There are many IoT devices (i.e., for smart homes) available where OSINT can be applied to read trusted data easily. That should be prevented.
REFERENCES
[1] Tanweer Alam, Baha Rababah, Arshad Ali, and Shamimul Qamar. 2020. Distributed Intelligence at the Edge on IoT Networks. Annals of Emerging Technologies in Computing 4 (12 2020), 1–18. DOI:http://dx.doi.org/10.33166/AETiC.2020.05.001
[2] Mohammad S. Ansari, Saeed H. Alsamhi, Yuansong Qiao, Yuhang Ye, and Brian Lee. 2020. Security of Distributed Intelligence in Edge Computing: Threats and Countermeasures. Springer International Publishing, Cham, 95–122. DOI:http://dx.doi.org/10.1007/978-3-030-41110-7_6
[3] Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deborah Estrin, and Vitaly Shmatikov. 2020. How to backdoor federated learning. In International conference on artificial intelligence and statistics. PMLR, 2938–2948.
[4] Iram Bibi, Adnan Akhunzada, and Neeraj Kumar. 2023. Deep AI-Powered Cyber Threat Analysis in IIoT. IEEE Internet of Things Journal 10, 9 (2023), 7749–7760. DOI:http://dx.doi.org/10.1109/JIOT.2022.3229722
[5] Hugh Boyes, Bil Hallaq, Joe Cunningham, and Tim Watson. 2018. The industrial internet of things (IIoT): An analysis framework. Computers in Industry 101 (2018), 1–12. DOI:http://dx.doi.org/10.1016/j.compind.2018.04.015
[6] Enrique Mármol Campos, Pablo Fernández Saura, Aurora González-Vidal, José L. Hernández-Ramos, Jorge Bernal Bernabé, Gianmarco Baldini, and Antonio Skarmeta. 2022. Evaluating Federated Learning for intrusion detection in Internet of Things: Review and challenges. Computer Networks 203 (2022), 108661. DOI:http://dx.doi.org/10.1016/j.comnet.2021.108661
[7] Lubna Luxmi Dhirani, Eddie Armstrong, and Thomas Newe. 2021. Industrial IoT, Cyber Threats, and Standards Landscape: Evaluation and Roadmap. Sensors 21, 11 (2021). DOI:http://dx.doi.org/10.3390/s21113901
[8] Bruno Dorsemaine, Jean-Philippe Gaulier, Jean-Philippe Wary, Nizar Kheir, and Pascal Urien. 2015. Internet of Things: A Definition & Taxonomy. In 2015 9th International Conference on Next Generation Mobile Applications, Services and Technologies. 72–77. DOI:http://dx.doi.org/10.1109/NGMAST.2015.71
[9] Abir Dutta and Shri Kant. 2021. Implementation of Cyber Threat Intelligence Platform on Internet of Things (IoT) using TinyML Approach for Deceiving Cyber Invasion. In 2021 International Conference on Electrical, Computer, Communications and Mechatronics Engineering (ICECCME). 1–6. DOI:http://dx.doi.org/10.1109/ICECCME52200.2021.9590959
[10] Bimal Ghimire and Danda B. Rawat. 2022. Recent Advances on Federated Learning for Cybersecurity and Cybersecurity for Federated Learning for Internet of Things. IEEE Internet of Things Journal 9, 11 (2022), 8229–8249. DOI:http://dx.doi.org/10.1109/JIOT.2022.3150363
[11] Riccardo Ghioni, Mariarosaria Taddeo, and Luciano Floridi. 2023. Open Source Intelligence and AI: A Systematic Review of the GELSI Literature. AI and Society (2023), 1–16. DOI:http://dx.doi.org/10.1007/s00146-023-01628-x
[12] Helen Gibson, Steve Ramwell, and Tony Day. 2016. Analysis, Interpretation and Validation of Open Source Data. Springer International Publishing, Cham, 95–110. DOI:http://dx.doi.org/10.1007/978-3-319-47671-1_7
[13] Seonghyeon Gong and Changhoon Lee. 2021. Cyber Threat Intelligence Framework for Incident Response in an Energy Cloud Platform. Electronics 10, 3 (2021). DOI:http://dx.doi.org/10.3390/electronics10030239
[14] Gustavo González-Granadillo, Mario Faiella, Ibéria Medeiros, Rui Azevedo, and Susana González-Zarzosa. 2021. ETIP: An Enriched Threat Intelligence Platform for improving OSINT correlation, analysis, visualization and sharing capabilities. Journal of Information Security and Applications 58 (2021), 102715. DOI:http://dx.doi.org/10.1016/j.jisa.2020.102715
[15] Vasile Gheorghiță Găitan and Ionel Zagan. 2021. Experimental Implementation and Performance Evaluation of an IoT Access Gateway for the Modbus Extension. Sensors 21, 1 (2021). DOI:http://dx.doi.org/10.3390/s21010246
[16] Hamed Haddadpajouh, Raouf Khayami, Ali Dehghantanha, Kim-Kwang Raymond Choo, and Reza Meimandi Parizi. 2020. AI4SAFE-IoT: an AI-powered secure architecture for edge layer of Internet of things. Neural Computing and Applications (2020), 16119–16133. DOI:http://dx.doi.org/10.1007/s00521-020-04772-3
[17] Meng Hao, Hongwei Li, Xizhao Luo, Guowen Xu, Haomiao Yang, and Sen Liu. 2020. Efficient and Privacy-Enhanced Federated Learning for Industrial Artificial Intelligence. IEEE Transactions on Industrial Informatics 16, 10 (2020), 6532–6542. DOI:http://dx.doi.org/10.1109/TII.2019.2945367
[18] Alfonso Iacovazzi, Han Wang, Ismail Butun, and Shahid Raza. 2023. Towards Cyber Threat Intelligence for the IoT. In 2023 19th International Conference on Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT). 483–490. DOI:http://dx.doi.org/10.1109/DCOSS-IoT58021.2023.00081
[19] Ehtsham Irshad and Abdul Basit Siddiqui. 2023. Cyber threat attribution using unstructured reports in cyber threat intelligence. Egyptian Informatics Journal 24, 1 (2023), 43–59. DOI:http://dx.doi.org/10.1016/j.eij.2022.11.001
[20] Loch Johnson. 2007. Émigré intelligence reporting. Routledge, Oxford. DOI:http://dx.doi.org/10.4324/9780203089323
[21] Johnson Kinyua and Lawrence Awuah. 2021. AI/ML in Security Orchestration, Automation and Response: Future Research Directions. Intelligent Automation & Soft Computing 28, 2 (2021), 527–545. DOI:http://dx.doi.org/10.32604/iasc.2021.016240
[22] Bert-Jaap Koops, Jaap-Henk Hoepman, and Ronald Leenes. 2013. Open-source intelligence and privacy by design. Computer Law & Security Review 29, 6 (2013), 676–688. DOI:http://dx.doi.org/10.1016/j.clsr.2013.09.005
[23] Prabhat Kumar, Govind P. Gupta, Rakesh Tripathi, Sahil Garg, and Mohammad Mehedi Hassan. 2023. DLTIF: Deep Learning-Driven Cyber Threat Intelligence Modeling and Identification Framework in IoT-Enabled Maritime Transportation Systems. IEEE Transactions on Intelligent Transportation Systems 24, 2 (2023), 2472–2481. DOI:http://dx.doi.org/10.1109/TITS.2021.3122368
[24] Robert M. Lee. 2016. Intelligence Defined and its Impact on Cyber Threat Intelligence. (2016). Retrieved January 13, 2024 from https://www.robertmlee.org/intelligence-defined-and-its-impact-on-cyber-threat-intelligence/.
[25] Theo Lynn, Patricia Takako Endo, Andrea Maria N. C. Ribeiro, Gibson B. N. Barbosa, and Pierangelo Rosati. 2020. The Internet of Things: Definitions, Key Concepts, and Reference Architectures. Springer International Publishing, Cham, 1–22. DOI:http://dx.doi.org/10.1007/978-3-030-41110-7_1
[26] Cláudio Martins and Ibéria Medeiros. 2022. Generating Quality Threat Intelligence Leveraging OSINT and a Cyber Threat Unified Taxonomy. ACM Trans. Priv. Secur. 25, 3, 19 (May 2022), 36. DOI:http://dx.doi.org/10.1145/3530977
[27] Reza Montasari, Fiona Carroll, Stuart Macdonald, Hamid Jahankhani, Amin Hosseinian-Far, and Alireza Daneshkhah. 2021. Application of Artificial Intelligence and Machine Learning in Producing Actionable Cyber Threat Intelligence. Springer International Publishing, Cham, 47–64. DOI:http://dx.doi.org/10.1007/978-3-030-60425-7_3
[28] Tie Qiu, Jiancheng Chi, Xiaobo Zhou, Zhaolong Ning, Mohammed Atiquzzaman, and Dapeng Oliver Wu. 2020. Edge Computing in Industrial Internet of Things: Architecture, Advances and Challenges. IEEE Communications Surveys & Tutorials 22, 4 (2020), 2462–2488. DOI:http://dx.doi.org/10.1109/COMST.2020.3009103
[29] Pierangelo Rosati and Theo Lynn. 2020. Mapping the Business Value of the Internet of Things. Springer International Publishing, Cham, 141–157. DOI:http://dx.doi.org/10.1007/978-3-030-41110-7_8
[30] Dhaou Said. 2023. Quantum Computing and Machine Learning for Cybersecurity: Distributed Denial of Service (DDoS) Attack Detection on Smart Micro-Grid. Energies 16, 8 (2023). DOI:http://dx.doi.org/10.3390/en16083572
[31] Sagar Samtani, Maggie Abate, Victor Benjamin, and Weifeng Li. 2020. Cybersecurity as an Industry: A Cyber Threat Intelligence Perspective. Springer International Publishing, Cham, 135–154. DOI:http://dx.doi.org/10.1007/978-3-319-78440-3_8
[32] Mohanad Sarhan, Siamak Layeghy, Nour Moustafa, and Marius Portmann. 2022. Cyber Threat Intelligence Sharing Scheme Based on Federated Learning for Network Intrusion Detection. Journal of Network and Systems Management 31, 1 (Oct. 2022). DOI:http://dx.doi.org/10.1007/s10922-022-09691-3
[33] Daniel Schlette, Fabian Böhm, Marco Caselli, and Günther Pernul. 2021. Cyber threat attribution using unstructured reports in cyber threat intelligence. International Journal of Information Security 20, 1 (2021), 21–38. DOI:http://dx.doi.org/10.1007/s10207-020-00490-y
[34] Denis Stodelov and Natalia Miloslavskaya. 2022. Open Source INTelligence Tools. Procedia Computer Science 213 (11 2022), 83–88. DOI:http://dx.doi.org/10.1016/j.procs.2022.11.041
[35] Nan Sun, Ming Ding, Jiaojiao Jiang, Weikang Xu, Xiaoxing Mo, Yonghang Tai, and Jun Zhang. 2023. Cyber Threat Intelligence Mining for Proactive Cybersecurity Defense: A Survey and New Perspectives. IEEE Communications Surveys & Tutorials 25, 3 (2023), 1748–1774. DOI:http://dx.doi.org/10.1109/COMST.2023.3273282
[36] Tianfang Sun, Pin Yang, Mengming Li, and Shan Liao. 2021. An Automatic Generation Approach of the Cyber Threat Intelligence Records Based on Multi-Source Information Fusion. Future Internet 13, 2 (2021). DOI:http://dx.doi.org/10.3390/fi13020040
[37] Hatma Suryotrisongko, Yasuo Musashi, Akio Tsuneda, and Kenichi Sugitani. 2022. Robust Botnet DGA Detection: Blending XAI and OSINT for Cyber Threat Intelligence Sharing. IEEE Access 10 (2022), 34613–34624. DOI:http://dx.doi.org/10.1109/ACCESS.2022.3162588
[38] Fahimeh Tabatabaei and Douglas Wells. 2016. OSINT in the Context of Cyber-Security. Springer International Publishing, Cham, 213–231. DOI:http://dx.doi.org/10.1007/978-3-319-47671-1_14
[39] Juan R Trocoso-Pastoriza, Alain Mermoud, Romain Bouyé, Francesco Marino, Jean-Philippe Bossuat, Vincent Lenders, and Jean-Pierre Hubaux. 2022. Orchestrating collaborative cybersecurity: a secure framework for distributed privacy-preserving threat intelligence sharing. arXiv preprint arXiv:2209.02676 (2022). DOI:http://dx.doi.org/10.48550/arXiv.2209.02676
[40] Konstantinos Tsiknas, Dimitrios Taketzis, Konstantinos Demertzis, and Charalabos Skianis. 2021. Cyber Threats to Industrial IoT: A Survey on Attacks and Countermeasures. IoT 2, 1 (2021), 163–186. DOI:http://dx.doi.org/10.3390/iot2010009
[41] Gabriel Ungureanu. 2020. OPEN SOURCE INTELLIGENCE (OSINT). THE WAY AHEAD. Journal of Defense Resources Management 12, 1 (09 2020), 177–200.
[42] Esther Villar-Rodriguez, María Arostegi Pérez, Ana I. Torre-Bastida, Cristina Regueiro Senderos, and Juan López-de-Armentia. 2023. Edge intelligence secure frameworks: Current state and future challenges. Computers & Security 130 (2023), 103278. DOI:http://dx.doi.org/10.1016/j.cose.2023.103278
[43] Dianlei Xu, Tong Li, Yong Li, Xiang Su, Sasu Tarkoma, Tao Jiang, Jon Crowcroft, and Pan Hui. 2020. Edge Intelligence: Architectures, Challenges, and Applications. (2020). DOI:http://dx.doi.org/10.48550/arXiv.2003.12172 arXiv:cs.NI/2003.12172