The rich source of online reports and discussions on social media can be leveraged to investigate the widespread cyber-attacks. In this paper, we study the problem of cybersecurity event mining based on continuous tweet streams. In contrast to traditional static methods that do not consider event evolution, we explore relevance among historical and online events for cyber-attack event discovery and evolution detection. We propose CyberEM, a novel event evolution model with a special focus on cybersecurity events. A pattern clustering algorithm and an NMF-based (non-negative matrix factorization) event aggregation algorithm are devised for cyber-attack indicator extraction and event evolution detection. We leverage both the patterns that belong to the cybersecurity domain and the patterns of the semantic contexts of cybersecurity to refine evolutionary relevance of events across multiple time intervals. Furthermore, we design a dynamic event inference algorithm to discover cybersecurity events and update event aggregation in an online manner. Through extensive evaluations with a large-scale real-world tweet dataset, we demonstrate the superiority of the proposed CyberEM model over existing methods in identifying cybersecurity events and their evolutionary relevance.

可以利用在线报告和社交媒体上的讨论的丰富资源来调查广泛的网络攻击。在本文中，我们研究了基于连续推文流的网络安全事件挖掘问题。与不考虑事件演化的传统静态方法相比，我们探索了历史事件和在线事件之间的相关性，以进行网络攻击事件发现和进化检测。我们提出了Cyber​​EM，这是一种新颖的事件演化模型，特别关注网络安全事件。设计了一种模式聚类算法和一种基于NMF的（非负矩阵分解）事件聚合算法，用于网络攻击指标的提取和事件演化的检测。我们利用属于网络安全领域的模式和网络安全语义上下文的模式来完善多个时间间隔内事件的进化相关性。此外，我们设计了一种动态事件推理算法，以发现网络安全事件并以在线方式更新事件汇总。通过使用大规模真实世界推文数据集进行的广泛评估，我们证明了拟议的Cyber​​EM模型在识别网络安全事件及其演变相关性方面优于现有方法。