{"id":"https://openalex.org/W4416549583","doi":"https://doi.org/10.1145/3719027.3765026","title":"Can IOCs Impose Cost? The Effects of Publishing Threat Intelligence on Adversary Behavior","display_name":"Can IOCs Impose Cost? The Effects of Publishing Threat Intelligence on Adversary Behavior","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416549583","doi":"https://doi.org/10.1145/3719027.3765026"},"language":null,"primary_location":{"id":"doi:10.1145/3719027.3765026","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765026","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3719027.3765026","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5029707704","display_name":"Xander Bouwman","orcid":"https://orcid.org/0009-0005-7430-8942"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":true,"raw_author_name":"Xander Bouwman","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0009-0005-7430-8942","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5120421370","display_name":"Aksel Ethembabaoglu","orcid":"https://orcid.org/0009-0005-5738-7458"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Aksel Ethembabaoglu","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0009-0005-5738-7458","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035815974","display_name":"Bart Hermans","orcid":"https://orcid.org/0009-0000-0079-3408"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Bart Hermans","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0009-0000-0079-3408","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048211807","display_name":"Carlos Ga\u00f1\u00e1n","orcid":"https://orcid.org/0000-0002-4699-3007"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Carlos Ga\u00f1\u00e1n","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0000-0002-4699-3007","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5012946294","display_name":"Michel van Eeten","orcid":"https://orcid.org/0000-0002-0338-2812"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Michel van Eeten","raw_affiliation_strings":["Delft University of Technology, Delft, Netherlands"],"raw_orcid":"https://orcid.org/0000-0002-0338-2812","affiliations":[{"raw_affiliation_string":"Delft University of Technology, Delft, Netherlands","institution_ids":["https://openalex.org/I98358874"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5029707704"],"corresponding_institution_ids":["https://openalex.org/I98358874"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.47648635,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"663","last_page":"677"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.46480000019073486,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.46480000019073486,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.22390000522136688,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.05649999901652336,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.5375000238418579},{"id":"https://openalex.org/keywords/government","display_name":"Government (linguistics)","score":0.5073999762535095},{"id":"https://openalex.org/keywords/publishing","display_name":"Publishing","score":0.4790000021457672},{"id":"https://openalex.org/keywords/false-accusation","display_name":"False accusation","score":0.4154999852180481},{"id":"https://openalex.org/keywords/confidentiality","display_name":"Confidentiality","score":0.3917999863624573},{"id":"https://openalex.org/keywords/compromise","display_name":"Compromise","score":0.35929998755455017},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.35850000381469727},{"id":"https://openalex.org/keywords/cyber-attack","display_name":"Cyber-attack","score":0.34950000047683716},{"id":"https://openalex.org/keywords/publication","display_name":"Publication","score":0.3456999957561493},{"id":"https://openalex.org/keywords/bridging","display_name":"Bridging (networking)","score":0.34369999170303345}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6776000261306763},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.5375000238418579},{"id":"https://openalex.org/C2778137410","wikidata":"https://www.wikidata.org/wiki/Q2732820","display_name":"Government (linguistics)","level":2,"score":0.5073999762535095},{"id":"https://openalex.org/C151719136","wikidata":"https://www.wikidata.org/wiki/Q3972943","display_name":"Publishing","level":2,"score":0.4790000021457672},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.4271000027656555},{"id":"https://openalex.org/C59577422","wikidata":"https://www.wikidata.org/wiki/Q10265143","display_name":"False accusation","level":2,"score":0.4154999852180481},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.40950000286102295},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.3917999863624573},{"id":"https://openalex.org/C46355384","wikidata":"https://www.wikidata.org/wiki/Q726686","display_name":"Compromise","level":2,"score":0.35929998755455017},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.35850000381469727},{"id":"https://openalex.org/C190253527","wikidata":"https://www.wikidata.org/wiki/Q295354","display_name":"Law and economics","level":1,"score":0.35109999775886536},{"id":"https://openalex.org/C201307755","wikidata":"https://www.wikidata.org/wiki/Q4071928","display_name":"Cyber-attack","level":2,"score":0.34950000047683716},{"id":"https://openalex.org/C41458344","wikidata":"https://www.wikidata.org/wiki/Q732577","display_name":"Publication","level":2,"score":0.3456999957561493},{"id":"https://openalex.org/C174348530","wikidata":"https://www.wikidata.org/wiki/Q188635","display_name":"Bridging (networking)","level":2,"score":0.34369999170303345},{"id":"https://openalex.org/C86844869","wikidata":"https://www.wikidata.org/wiki/Q2798820","display_name":"Hacker","level":2,"score":0.34040001034736633},{"id":"https://openalex.org/C517642484","wikidata":"https://www.wikidata.org/wiki/Q2388514","display_name":"Intelligence analysis","level":2,"score":0.3386000096797943},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.3328000009059906},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.3287999927997589},{"id":"https://openalex.org/C197115733","wikidata":"https://www.wikidata.org/wiki/Q1003136","display_name":"Forcing (mathematics)","level":2,"score":0.3278999924659729},{"id":"https://openalex.org/C2776050585","wikidata":"https://www.wikidata.org/wiki/Q7439360","display_name":"Scrutiny","level":2,"score":0.3253999948501587},{"id":"https://openalex.org/C2776552730","wikidata":"https://www.wikidata.org/wiki/Q189656","display_name":"Disinformation","level":3,"score":0.3197999894618988},{"id":"https://openalex.org/C171769113","wikidata":"https://www.wikidata.org/wiki/Q849340","display_name":"Cyberwarfare","level":2,"score":0.31709998846054077},{"id":"https://openalex.org/C53811970","wikidata":"https://www.wikidata.org/wiki/Q5062194","display_name":"Centrality","level":2,"score":0.31610000133514404},{"id":"https://openalex.org/C121858775","wikidata":"https://www.wikidata.org/wiki/Q18600568","display_name":"Information Operations","level":2,"score":0.31540000438690186},{"id":"https://openalex.org/C141141315","wikidata":"https://www.wikidata.org/wiki/Q2379942","display_name":"Guard (computer science)","level":2,"score":0.3075999915599823},{"id":"https://openalex.org/C2779797433","wikidata":"https://www.wikidata.org/wiki/Q632959","display_name":"Blacklisting","level":2,"score":0.3068999946117401},{"id":"https://openalex.org/C2781198186","wikidata":"https://www.wikidata.org/wiki/Q701521","display_name":"Collusion","level":2,"score":0.2946000099182129},{"id":"https://openalex.org/C188198153","wikidata":"https://www.wikidata.org/wiki/Q1613840","display_name":"Limiting","level":2,"score":0.2944999933242798},{"id":"https://openalex.org/C166052673","wikidata":"https://www.wikidata.org/wiki/Q83021","display_name":"Empirical evidence","level":2,"score":0.2809999883174896},{"id":"https://openalex.org/C95981142","wikidata":"https://www.wikidata.org/wiki/Q772532","display_name":"Peering","level":3,"score":0.2784999907016754},{"id":"https://openalex.org/C2778321746","wikidata":"https://www.wikidata.org/wiki/Q621922","display_name":"Distrust","level":2,"score":0.27390000224113464},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.2727000117301941},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.2694000005722046},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.2648000121116638},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.26330000162124634},{"id":"https://openalex.org/C2777402642","wikidata":"https://www.wikidata.org/wiki/Q2557224","display_name":"Explanatory power","level":2,"score":0.2533000111579895},{"id":"https://openalex.org/C67463919","wikidata":"https://www.wikidata.org/wiki/Q392512","display_name":"Psychological nativism","level":3,"score":0.25220000743865967},{"id":"https://openalex.org/C2767350","wikidata":"https://www.wikidata.org/wiki/Q6662173","display_name":"Business intelligence","level":2,"score":0.25209999084472656},{"id":"https://openalex.org/C2781201115","wikidata":"https://www.wikidata.org/wiki/Q2912143","display_name":"Scapegoating","level":3,"score":0.2502000033855438}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3719027.3765026","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765026","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3719027.3765026","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765026","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":23,"referenced_works":["https://openalex.org/W1976413307","https://openalex.org/W2065890363","https://openalex.org/W2161020477","https://openalex.org/W2339166448","https://openalex.org/W2514644783","https://openalex.org/W2617416222","https://openalex.org/W2761388029","https://openalex.org/W2904027722","https://openalex.org/W2922853138","https://openalex.org/W2970963972","https://openalex.org/W3095431463","https://openalex.org/W3109678617","https://openalex.org/W3112066496","https://openalex.org/W3121948532","https://openalex.org/W4213167314","https://openalex.org/W4221018331","https://openalex.org/W4280511617","https://openalex.org/W4280624485","https://openalex.org/W4310557495","https://openalex.org/W4386214327","https://openalex.org/W4388241633","https://openalex.org/W4388867285","https://openalex.org/W4391095086"],"related_works":[],"abstract_inverted_index":{"Exposing":[0],"intrusion":[1],"campaigns":[2],"has":[3,165],"become":[4],"a":[5,32,38,85,122,179],"geopolitical":[6],"tool,":[7],"with":[8],"governments":[9],"and":[10,20,53,65,108,151,189,212],"commercial":[11,79],"firms":[12],"publishing":[13],"threat":[14,186,203],"intelligence":[15,204],"reports":[16],"about":[17],"hacking":[18],"attempts":[19],"modus":[21],"operandi.":[22],"U.S.":[23],"government":[24],"officials":[25],"have":[26],"explained":[27],"this":[28,58],"as":[29,37],"not":[30],"just":[31],"defensive":[33],"practice":[34],"but":[35],"also":[36,177],"way":[39],"to":[40,48,96,104,135,206],"'impose":[41],"cost'":[42],"on":[43,115],"attackers":[44,138],"by":[45,60,142],"forcing":[46],"them":[47],"develop":[49],"new":[50],"infrastructure,":[51],"tools,":[52],"techniques.":[54],"We":[55,176],"empirically":[56],"examine":[57],"claim":[59],"analyzing":[61],"attacker":[62,207],"behavior":[63],"before":[64,107],"after":[66,109],"publication":[67,163,191,205],"of":[68,70,88,155,185],"indicators":[69],"compromise":[71],"(IOCs).":[72],"Using":[73],"IOC":[74,190],"feeds":[75],"from":[76],"two":[77],"leading":[78],"providers,":[80],"we":[81],"matched":[82],"IOCs":[83,133],"against":[84],"large":[86],"dataset":[87],"real-world":[89],"network":[90],"traffic":[91],"metadata.":[92],"This":[93,195],"enabled":[94],"us":[95],"generate":[97],"sightings":[98],"retroactively,":[99],"capturing":[100],"malicious":[101,117],"activity":[102,188],"up":[103],"150":[105],"days":[106],"publication.":[110],"Unlike":[111],"prior":[112],"work":[113],"focused":[114],"post-publication":[116],"activity,":[118],"our":[119],"method":[120],"provides":[121],"more":[123],"complete":[124],"view":[125],"over":[126],"time.":[127],"Our":[128],"results":[129],"show":[130],"that":[131,137,162,172],"most":[132],"point":[134],"resources":[136],"had":[139],"already":[140],"abandoned":[141],"publication,":[143],"limiting":[144],"their":[145],"utility":[146],"for":[147,169,192],"detecting":[148],"ongoing":[149],"attacks":[150],"undermining":[152],"the":[153,183,198],"idea":[154],"'imposing":[156],"costs'.":[157],"Statistical":[158],"modeling":[159],"further":[160],"reveals":[161],"status":[164],"low":[166],"explanatory":[167],"power":[168],"sightings,":[170],"suggesting":[171],"confounding":[173],"variables":[174],"exist.":[175],"observed":[178],"30-day":[180],"delay":[181],"between":[182],"peak":[184],"actor":[187],"one":[193],"provider.":[194],"study":[196],"is":[197],"first":[199],"empirical":[200],"assessment":[201],"linking":[202],"behavior,":[208],"bridging":[209],"computer":[210],"science":[211],"international":[213],"relations.":[214]},"counts_by_year":[],"updated_date":"2025-11-28T17:06:41.841823","created_date":"2025-11-23T00:00:00"}