321
FeedRank: A Tamper-
resistant Method for the
Ranking of Cyber Threat
Intelligence Feeds
Abstract: Organizations increasingly rely on cyber threat intelligence feeds to protect
their infrastructure from attacks. These feeds typically list IP addresses or domains
associated with malicious activities such as spreading malware or participating
in a botnet. Today, there is a rich ecosystem of commercial and free cyber threat
intelligence feeds, making it difcult, yet essential, for network defenders to quantify
the quality and to select the optimal set of feeds to follow. Selecting too many or low-
quality feeds results in many false alerts, while considering too few feeds increases
the risk of missing relevant threats. Naïve individual metrics like size and update rate
Roland Meier
Department of Information Technology
and Electrical Engineering
ETH Zürich
Zürich, Switzerland
meierrol@ethz.ch
David Gugelmann
Exeon Analytics
Zürich, Switzerland
david.gugelmann@exeon.ch
Laurent Vanbever
Department of Information Technology
and Electrical Engineering
ETH Zürich
Zürich, Switzerland
lvanbever@ethz.ch
Cornelia Scherrer
Department of Information Technology
and Electrical Engineering
ETH Zürich
Zürich, Switzerland
cornelia.scherrer@alumni.ethz.ch
Vincent Lenders
Science and Technology
armasuisse
Thun, Switzerland
vincent.lenders@armasuisse.ch
2018 10th International Conference on Cyber Conict
CyCon X: Maximising Eects
T. Minárik, R. Jakschis, L. Lindström (Eds.)
2018 © NATO CCD COE Publications, Tallinn
Permission to make digital or hard copies of this publication for internal
use within NATO and for personal or educational use when for non-prot or
non-commercial purposes is granted providing that copies bear this notice
and a full citation on the rst page. Any other reproduction or transmission
requires prior written permission by NATO CCD COE.
