Cybersecurity Event Detection with New and Re-emerging Words


ACM ASIA Conference on Computer and Communications Security (ACM ASIA CCS)




There is plenty of threat-related information in open data sources, and early identification of emerging security threats from that information is an important part of securing deployed software and systems. Several cybersecurity event detection methods have been proposed to extract security events from unstructured text in open data sources, but most of them focus on detecting events that attract a large volume of mentions. To respond faster than attackers, however, security analysts and IT operators need to be aware of critical security events as early as possible, regardless of how many times an event is mentioned. In this paper, we propose a novel event detection system that can quickly identify critical security events, such as new threats and the resurgence of an attack or related event, from Twitter regardless of their volume of mentions. Unlike existing methods, the proposed method triggers events by monitoring new words and re-emerging words, which makes it possible to narrow the candidates down from several hundred events. It then forms events by clustering the tweets linked with the trigger words. This approach enables us to detect new and resurgent threats as early as possible. We empirically demonstrate that our system performs promisingly over a wide range of threat types.
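As an added illustration of the trigger-then-cluster idea described above (example code written for this page, not the paper's implementation), the sketch below keeps a per-window vocabulary history, flags words that are new or that re-emerge after an absence, and groups the current window's posts that share a trigger word into candidate events. The window size, the `gap` and `min_new` thresholds, the tokenizer, the stopword list and the sample posts are all assumptions constructed here.

```python
import re
from collections import Counter
# Constructed sample stream: four daily windows of short posts (not real tweets).
WINDOWS = [
    ["ransomware cripples hospital network", "hospital ransomware outage reported", "phishing wave targets banks"],
    ["phishing kit sold on forum", "banks warn of phishing surge"],
    ["phishing emails spoof tax agency"],
    ["router zeroday exploited in the wild", "router zeroday patch pending", "ransomware outbreak at hospital again", "weather is nice today"],
]
STOPWORDS = {"the", "a", "an", "in", "of", "at", "to", "is", "on", "and", "again"}  # assumed list

def tokenize(text):
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS and len(w) > 2]

def trigger_words(history, current, gap=2, min_new=2):
    """history: per-window Counters (oldest first); current: Counter for this window.
    New word: never seen before and present in >= min_new posts (filters one-off noise).
    Re-emerging word: seen in an earlier window but absent from the last `gap` windows."""
    seen_ever = set().union(*[set(c) for c in history])
    recent = set().union(*[set(c) for c in history[-gap:]])
    new = {w for w, n in current.items() if w not in seen_ever and n >= min_new}
    reemerging = {w for w in current if w in seen_ever and w not in recent}
    return new, reemerging

def form_events(tweets, triggers):
    """Union-find over posts: posts that share a trigger word are merged into one event."""
    toks = [set(tokenize(t)) for t in tweets]
    parent = list(range(len(tweets)))
    def find(i):
        return i if parent[i] == i else find(parent[i])
    for w in triggers:
        members = [i for i, ts in enumerate(toks) if w in ts]
        for i in members[1:]:
            parent[find(i)] = find(members[0])
    groups = {}
    for i, ts in enumerate(toks):
        if ts & triggers:  # posts carrying no trigger word are left out of any event
            groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())

def detect(windows, gap=2, min_new=2):
    """Run over successive windows; the first window only seeds the vocabulary history."""
    history, out = [], []
    for tweets in windows:
        current = Counter(w for t in tweets for w in set(tokenize(t)))  # posts containing each word
        if history:
            new, reem = trigger_words(history, current, gap, min_new)
            out.append((new, reem, form_events(tweets, new | reem)))
        else:
            out.append((set(), set(), []))
        history.append(current)
    return out
```

On the sample stream, the last window yields `router` and `zeroday` as new words, `ransomware` and `hospital` as re-emerging words, and two candidate events (posts 0 and 1, and post 2), while the unrelated post 3 is ignored.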