SC4OSINT: A Story Clustering Approach to Optimize OSINT Analysis

Cyber Threat Intelligence (CTI) has become an indispensable element of cybersecurity operations. As a result, any mechanism or tool that alleviates the workload of security analysts is highly valuable to the cybersecurity community. Recent advancements in Natural Language Processing (NLP) enable efficient processing of news articles, leading us to propose a clustering approach based on the reported story. This allows Open Source Intelligence (OSINT) analysts to manage information overload and focus only on essential events. Therefore, the contributions of this paper are manyfold: (i) We identify the relevant requirements for designing an OSINT clustering tool, (ii) present a solution that can support such requirements, and (iii) evaluate the solution considering the needs of OSINT analysts. Our clustering approach, denoted as SC4OSINT, is inspired by an existing semi-supervised graph-based story clustering method and adapts it to the OSINT requirements. Unlike the original method, SC4OSINT is a fully unsupervised two-layer approach, which handles multilingual streaming data and uses sentence transformers to create fine-grained clusters. Additionally, it uses an unsupervised method to extract keywords, prioritize those relevant to the OSINT domain, and form keyword communities. These communities are further refined using document cosine similarity, a more efficient alternative to the pairwise document comparisons in the existing approach. We evaluate the SC4OSINT’s story clustering approach by having security experts rate the clustering quality across various model configurations. The results show that the best configuration achieves an average rating of 4.19/5, demonstrating the efficiency of our approach.