CAVeCTIR: Matching Cyber Threat Intelligence Reports on Connected and Autonomous Vehicles Using Machine Learning

APPLIED SCIENCES-BASEL (2022)

Abstract
Connected and automated vehicles (CAVs) are getting a lot of attention these days as their technology becomes more mature and they benefit from the Internet-of-Vehicles (IoV) ecosystem. CAVs attract malicious activities that jeopardize security and safety dimensions. The cybersecurity systems of CAVs detect such activities, collect and analyze related information during and after the activity, and use cyber threat intelligence (CTI) to organize this information. Considering that CTI collected from various malicious activities may share common characteristics, it is critical to provide the cybersecurity stakeholders with quick and automatic ways of analysis and interrelation. This aims to help them perform more accurate and effective forensic investigations. To this end, we present CAVeCTIR, a novel approach that finds similarities between CTI reports that describe malicious activities detected on CAVs. CAVeCTIR uses advanced machine learning techniques and provides a quick, automated, and effective solution for clustering similar malicious activities. We applied CAVeCTIR in a series of experiments investigating almost 3000 malicious activities in simulation, real-world, and hybrid CAV environments, covering seven critical cyber-attack scenarios. The results showed that the DBSCAN algorithm identified seven non-overlapping core clusters characterized by high density. The results indicated that cybersecurity stakeholders could take advantage of CAVeCTIR by adopting the same or similar methods to analyze newly detected malicious activity, speed up the attack attribution process, and perform a more accurate forensics investigation.
Keywords
connected and autonomous vehicles, internet of vehicles, cyber threat intelligence reports, cybersecurity, machine learning, cluster analysis, malicious incidents and attacks, security response, threat profiling and information sharing, digital forensics