DISINFOX: an open-source threat exchange platform serving intelligence on disinformation and influence operations

Felipe Sánchez González, Javier Pastor-Galindo, José A. Ruipérez-Valiente

TL;DR

DISINFOX introduces an open-source threat exchange for disinformation incidents, modeling events with DISARM TTPs and a STIX2-based data model within a Dockerized, modular stack. It provides a web frontend, a backend REST API, a public API, and an OpenCTI connector to enable interoperable CTI workflows that bridge disinformation analytics with traditional cybersecurity threat intelligence. A proof-of-concept demonstrates ingestion of over 100 disinformation incidents and seamless synchronization with OpenCTI, validating cross-platform interoperability and visualization of disinformation alongside cyber threats. The work delivers a reproducible, extensible platform for researchers, analysts, and policymakers to detect, investigate, and mitigate disinformation campaigns within a CTI-oriented ecosystem.

Abstract

This paper introduces DISINFOX, an open-source threat intelligence exchange platform for the structured collection, management, and dissemination of disinformation incidents and influence operations. Analysts can upload and correlate information manipulation and interference incidents, while clients can access and analyze the data through an interactive web interface or programmatically via a public API. This facilitates integration with other vendors, providing a unified view of cybersecurity and disinformation events. The solution is fully containerized using Docker, comprising a web-based frontend for user interaction, a backend REST API for managing core functionalities, and a public API for structured data retrieval, enabling seamless integration with existing Cyber Threat Intelligence (CTI) workflows. In particular, DISINFOX models the incidents through DISARM Tactics, Techniques, and Procedures (TTPs), a MITRE ATT&CK-like framework for disinformation, with a custom data model based on the Structured Threat Information eXpression (STIX2) standard. As an open-source solution, DISINFOX provides a reproducible and extensible hub for researchers, analysts, and policymakers seeking to enhance the detection, investigation, and mitigation of disinformation threats. The intelligence generated from a custom dataset has been tested and utilized by a local instance of OpenCTI, a mature CTI platform, via a custom-built connector, validating the platform with the exchange of more than 100 disinformation incidents.
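As an added example (not DISINFOX's own code), the block below builds one disinformation incident in the STIX2-based shape the abstract describes, with a DISARM technique carried as a STIX `attack-pattern`, and then runs the structural checks a consuming connector such as OpenCTI's would want before ingestion. The `external_references` mapping for the DISARM ID and the technique ID `T0000` are assumptions and placeholders, not DISINFOX's published model.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier shape: "<object-type>--<UUIDv4>"
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

def _timestamp() -> str:
    # STIX 2.1 timestamps are RFC 3339 UTC with millisecond precision
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def stix_object(obj_type: str, **props) -> dict:
    # common required properties shared by STIX domain and relationship objects
    ts = _timestamp()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def build_incident_bundle(technique_id: str, technique_name: str,
                          incident_name: str, description: str) -> dict:
    # DISARM technique as an attack-pattern; the DISARM ID travels in external_references
    # (this mapping is an assumption of the example, not DISINFOX's published model)
    technique = stix_object("attack-pattern", name=technique_name,
                            external_references=[{"source_name": "DISARM",
                                                  "external_id": technique_id}])
    incident = stix_object("incident", name=incident_name, description=description)
    uses = stix_object("relationship", relationship_type="uses",
                       source_ref=incident["id"], target_ref=technique["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [technique, incident, uses]}

def validate_bundle(bundle: dict) -> list:
    # checks a consumer such as a CTI connector should run before ingesting:
    # well-formed ids, id prefix matching the object type, no dangling relationship refs
    problems, seen = [], set()
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not STIX_ID.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"bad id: {oid!r}")
        seen.add(oid)
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for key in ("source_ref", "target_ref"):
                if obj.get(key) not in seen:
                    problems.append(f"dangling {key}: {obj.get(key)}")
    return problems

if __name__ == "__main__":
    # constructed sample; "T0000" is a placeholder, not a real DISARM technique ID
    print(validate_bundle(build_incident_bundle("T0000", "Placeholder technique",
                                                "Constructed incident", "Sample narrative")))
```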

Paper Structure

This paper contains 15 sections, 8 figures, 1 table.

Figures (8)

  • Figure 1: DISINFOX architecture
  • Figure 2: DISINFOX lifecycle
  • Figure 3: Manual individual upload form.
  • Figure 4: DISINFOX dashboard
  • Figure 5: DISINFOX incident listing
  • ...and 3 more figures