Can Twitter be used to Acquire Reliable Alerts against Novel Cyber Attacks?

📅 2023-06-28
🏛️ arXiv.org
📈 Citations: 2
Influential: 0
🤖 AI Summary
To address the challenge of acquiring high-quality, real-time Indicators of Compromise (IoCs) in a constantly changing threat landscape, this paper systematically evaluates Twitter's reliability as a threat intelligence source. It proposes a two-stage framework: (1) CNN-based classification of tweets as IoC-bearing or not, and (2) quantitative assessment of the extracted IoCs, combining regex-based extraction, evaluation along three dimensions (correctness, timeliness, and overlap with existing feeds), and a bot-detection model for the posting accounts. The reported result is that Twitter delivers malware IoCs earlier than existing threat intelligence services, with an average correctness of 92.3%, a median disclosure latency of 17 minutes, and about 14% of the IoCs appearing exclusively on Twitter. The work further highlights the role of automated accounts in early-stage threat propagation and establishes a reproducible methodology and empirical benchmark for proactive, social-media-driven cyber defense.
📝 Abstract
Time-relevant and accurate threat information from public domains is essential for cyber security. In a constantly evolving threat landscape, such information assists security researchers in thwarting attack strategies. In this work, we collect and analyze threat-related information from Twitter to extract intelligence for proactive security. We first use a convolutional neural network to classify the tweets as containing valuable threat indicators or not. In particular, to gather threat intelligence from social media, the proposed approach collects pertinent Indicators of Compromise (IoCs) from tweets, such as IP addresses, URLs, file hashes, domain addresses, and CVE IDs. Then, we analyze the IoCs to confirm whether they are reliable and valuable for threat intelligence using performance indicators, such as correctness, timeliness, and overlap. We also evaluate how fast Twitter shares IoCs compared to existing threat intelligence services. Furthermore, through machine learning models, we classify Twitter accounts as either automated or human-operated and delve into the role of bot accounts in disseminating cyber threat information on social media. Our results demonstrate that Twitter is growing into a powerful platform for gathering precise and pertinent malware IoCs and a reliable source for mining threat intelligence.
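The second stage described in the summary and abstract (regex extraction of IP addresses, URLs, file hashes, domains and CVE IDs from tweets, then scoring them for correctness, timeliness and overlap against an existing feed) as an added worked example. This is not the paper's code: the regex patterns, the refanging rules, the operational definitions of the three metrics (correctness = share of feed-known tweeted IoCs the feed labels malicious; timeliness = minutes between Twitter first-seen and feed first-seen, negative when Twitter was first; overlap = share of the feed's malicious IoCs that also appeared on Twitter), and the sample tweets and reference feed are all assumptions made here. Two practitioner details the abstract does not mention are included: tweets routinely defang IoCs (`hxxp://`, `1[.]2[.]3[.]4`), so extraction must refang first, and a naive domain regex also matches file names such as `loader.exe`.

```python
from __future__ import annotations

import re
import statistics
from datetime import datetime

# Regexes for the IoC types named in the abstract (assumed patterns, not the paper's).
# Hashes use \b so a 32-hex substring inside a SHA-256 is not also reported as an MD5.
PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I),
    "url": re.compile(r"""\bhttps?://[^\s"'<>)]+""", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
}
# File names such as loader.exe look like domains to the regex; drop those.
NOT_TLDS = {"exe", "dll", "php", "js", "zip", "doc", "docx", "pdf", "txt", "bin", "rar", "ps1", "vbs", "jar", "bat"}


def refang(text: str) -> str:
    """Undo common defanging (hxxp://, 1[.]2[.]3[.]4, evil(.)com) so one set of patterns applies."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    return text.replace("[:]", ":").replace("[://]", "://")


def extract_iocs(text: str) -> dict[str, set[str]]:
    """Return {ioc_type: {values}} for one tweet; empty dict when nothing is found."""
    text = refang(text)
    found: dict[str, set[str]] = {k: set() for k in PATTERNS}
    for kind in ("sha256", "sha1", "md5", "cve", "url"):
        for m in PATTERNS[kind].finditer(text):
            value = m.group(0).rstrip(".,;:!?)")
            if kind == "cve":
                value = value.upper()
            elif kind != "url":
                value = value.lower()
            found[kind].add(value)
    # Blank out URLs before the bare-host patterns run so a URL's host is not
    # reported a second time as a domain or IP.
    stripped = PATTERNS["url"].sub(" ", text)
    for m in PATTERNS["ipv4"].finditer(stripped):
        if all(int(octet) <= 255 for octet in m.group(0).split(".")):
            found["ipv4"].add(m.group(0))
    for m in PATTERNS["domain"].finditer(stripped):
        domain = m.group(0).lower()
        if domain.rsplit(".", 1)[-1] not in NOT_TLDS:
            found["domain"].add(domain)
    return {k: v for k, v in found.items() if v}


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def first_seen_on_twitter(tweets: list[dict]) -> dict[str, datetime]:
    """Earliest tweet timestamp per IoC value across the collected tweets."""
    seen: dict[str, datetime] = {}
    for tweet in tweets:
        when = _ts(tweet["time"])
        for values in extract_iocs(tweet["text"]).values():
            for value in values:
                if value not in seen or when < seen[value]:
                    seen[value] = when
    return seen


def evaluate(tweets: list[dict], reference: dict[str, dict]) -> dict:
    """Score Twitter IoCs against a feed {value: {"first_seen": iso, "malicious": bool}}
    using the metric definitions assumed in the lead-in (not the paper's exact ones)."""
    twitter = first_seen_on_twitter(tweets)
    known = {v for v in twitter if v in reference}
    confirmed = {v for v in known if reference[v]["malicious"]}
    feed_malicious = {v for v, r in reference.items() if r["malicious"]}
    # Negative latency: Twitter reported the IoC before the feed did.
    latencies = [(twitter[v] - _ts(reference[v]["first_seen"])).total_seconds() / 60 for v in confirmed]
    exclusive = sorted(set(twitter) - known)
    return {
        "extracted": len(twitter),
        "correctness": len(confirmed) / len(known) if known else 0.0,
        "median_latency_min": statistics.median(latencies) if latencies else None,
        "overlap": len(confirmed) / len(feed_malicious) if feed_malicious else 0.0,
        "exclusive": exclusive,
        "exclusive_share": len(exclusive) / len(twitter) if twitter else 0.0,
    }


# Constructed sample tweets: RFC 5737 addresses, reserved example domains, placeholder
# hash and CVE values. None of them describe a real incident.
SHA256 = "4d4c3b2a" * 8
MD5 = "0123456789abcdef" * 2
TWEETS = [
    {"time": "2023-03-01T10:00:00Z",
     "text": "Fresh loader C2 at hxxp://bad-example[.]net/gate.php and 203[.]0[.]113[.]10, sha256 " + SHA256},
    {"time": "2023-03-01T10:30:00Z",
     "text": "Phish kit drops loader.exe from drop-site[.]example and exploits CVE-2023-12345. MD5 " + MD5},
    {"time": "2023-03-01T12:00:00Z",
     "text": "Seen 203.0.113.10 again; 198.51.100.77 is scanning too. Unrelated: Windows build 10.0.19045.2846"},
]
# Constructed reference feed standing in for a public threat-intelligence service.
REFERENCE = {
    "203.0.113.10": {"first_seen": "2023-03-01T09:45:00Z", "malicious": True},  # feed 15 min ahead
    "http://bad-example.net/gate.php": {"first_seen": "2023-03-01T11:00:00Z", "malicious": True},  # Twitter 60 min ahead
    SHA256: {"first_seen": "2023-03-01T10:20:00Z", "malicious": True},  # Twitter 20 min ahead
    "drop-site.example": {"first_seen": "2023-03-02T08:00:00Z", "malicious": True},  # Twitter 1290 min ahead
    "198.51.100.77": {"first_seen": "2023-02-28T10:00:00Z", "malicious": False},  # benign scanner, not "correct"
    "192.0.2.5": {"first_seen": "2023-03-01T08:00:00Z", "malicious": True},  # never tweeted: lowers overlap
    "192.0.2.6": {"first_seen": "2023-03-01T08:00:00Z", "malicious": True},
}

if __name__ == "__main__":
    for key, val in evaluate(TWEETS, REFERENCE).items():
        print(f"{key:>20}: {val}")
```

On the constructed data the run extracts seven IoCs, of which five are known to the feed and four of those are malicious (correctness 0.8), the median latency is negative (Twitter ahead of the feed), and the CVE and MD5 never appear in the feed at all (the "exclusive" discoveries the summary refers to). Deduplication by earliest tweet time matters: the plain `203.0.113.10` in the third tweet must not overwrite the defanged first sighting two hours earlier.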
Problem

Research questions and friction points this paper is trying to address.

Identifying reliable cyber threat indicators from social media
Evaluating IoC relevance using correctness and timeliness metrics
Assessing automated accounts' role in IoC dissemination
Innovation

Methods, ideas, or system contributions that make the work stand out.

CNN for high-accuracy IoC detection
XGBoost model for automated account analysis
Social media as reliable threat intelligence source
A. P. Reprint
Department of Computer Applications, Cochin University of Science and Technology, Kochi, India
Dincy R. Arikkat
Department of Computer Applications, Cochin University of Science and Technology, Kochi, India
Rafidha Rehiman
Department of Computer Applications, Cochin University of Science and Technology, Kochi, India
Andrea Di Sorbo
Assistant Professor, University of Sannio
empirical software engineering; mining software repositories; text analysis; software security
C. A. Visaggio
Department of Engineering, University of Sannio, Benevento, Italy
M. Conti
Department of Mathematics, University of Padua, Italy