Libin Yang,Menghan Wang,Wei Lou

DOI: https://doi.org/10.1016/j.cose.2024.104079

2025-01-01

Abstract:The emergence of cyber threat intelligence (CTI) is a promising approach for alleviating malicious activities. However, the effectiveness of CTIs is heavily dependent on their quality. Current literature develops the CTI quality assessment ontology mainly from the perspective of CTI source or content separately, regardless of their availability in practice. In this paper, we propose an automated CTI quality assessment method that synthesizes the trustworthiness of CTI sources and the availability of CTI contents. Specifically, we model the interactions of CTI feeds as a correlation graph and propose an iterative algorithm to well discriminate the feeds’ trustworthiness. We elaborate a CTI content assessment together with a machine learning algorithm to automatically classify CTIs’ availability from a set of content metrics. A comprehensive CTI quality assessment is proposed by jointly considering the feed trustworthiness and content availability. Extensive experimental results on real datasets demonstrate that our proposed method can quantitatively as well as effectively assess CTI quality.

Zong-Xun Li,Yu-Jun Li,Yi-Wei Liu,Cheng Liu,Nan-Xin Zhou

DOI: https://doi.org/10.3390/sym15020337

2023-01-26

Symmetry

Abstract:Cyber threat intelligence (CTI) sharing has gradually become an important means of dealing with security threats. Considering the growth of cyber threat intelligence, the quick analysis of threats has become a hot topic at present. Researchers have proposed some machine learning and deep learning models to automatically analyze these immense amounts of cyber threat intelligence. However, due to a large amount of network security terminology in CTI, these models based on open-domain corpus perform poorly in the CTI automatic analysis task. To address this problem, we propose an automatic CTI analysis method named K-CTIAA, which can extract threat actions from unstructured CTI by pre-trained models and knowledge graphs. First, the related knowledge in knowledge graphs will be supplemented to the corresponding position in CTI through knowledge query and knowledge insertion, which help the pre-trained model understand the semantics of network security terms and extract threat actions. Second, K-CTIAA reduces the adverse effects of knowledge insertion, usually called the knowledge noise problem, by introducing a visibility matrix and modifying the calculation formula of the self-attention. Third, K-CTIAA maps corresponding countermeasures by using digital artifacts, which can provide some feasible suggestions to prevent attacks. In the test data set, the F1 score of K-CTIAA reaches 0.941. The experimental results show that K-CTIAA can improve the performance of automatic threat intelligence analysis and it has certain significance for dealing with security threats.

multidisciplinary sciences

Ming Liu,Zhi Xue,Xiangjian He,Jinjun Chen

DOI: https://doi.org/10.1109/mce.2019.2892220

2019-01-01

IEEE Consumer Electronics Magazine

Abstract:The term cyberthreat intelligence (CTI) is widespread and gaining much attention in the area of the Internet of Things (IoT), as CTI has shown capabilities regarding the defense of advanced persistent threats (APTs). The key component of CTI is the sharing of threat information, which conventionally was a time-consuming manual process.

Yansong Wang,Bo Lang,Nan Xiao,Yikai Chen

DOI: https://doi.org/10.1145/3579654.3579690

2022-01-01

Abstract:Nowadays, Cyber Threat Intelligence (CTI) has become increasingly important for detecting and defending against cyber threats. Researchers often construct CTI heterogeneous graphs to describe threat indicators and their associations. However, most existing link prediction methods of normal heterogeneous graphs show poor performance on CTI graphs, as they mainly focus on the topological features and ignore the attributes of the threat indicators. To address this limitation, this paper proposes Ctiap, a Cyber Threat Indicators Association Prediction model based on weighted fusion of the semantic and topological information. The model firstly aims at the semantic characteristics of threat indicators and the topology of CTI graph. We collected more than 20,000 samples through open web platforms to construct a real-word heterogeneous graph dataset of threat indicators. The experimental results show that the accuracy of our model reaches 93.08%, which is better than the state-of-the-art baseline methods.

Jun Zhao,Qiben Yan,Jianxin Li,Minglai Shao,Zuti He,Bo Li

DOI: https://doi.org/10.1016/j.cose.2020.101867

2020-08-01

Abstract:<p>Security organizations increasingly rely on Cyber Threat Intelligence (CTI) sharing to enhance resilience against cyber threats. However, its effectiveness remains dubious due to two major limitations: first, the existing approaches fail to identify the unseen types of <em>Indicator of compromise</em> (IOC); second, they are incapable of automatically generating categorized CTIs with domain tags (e.g., finance, government), which makes CTI sharing ineffective. To combat the challenges, this paper proposes TIMiner, a novel automated framework for CTI extraction and sharing based on social media data. Particularly, an efficient domain recognizer based on convolutional neural network is first implemented to identify CTIs' targeted domain. Then, an indicator of compromise (IOC) extraction approach based on word embedding and syntactic dependence is proposed, which provides the ability to identify unseen types of IOCs. Finally, the extracted IOC and its domain tag are integrated to generate a categorized CTI with specific-domain. TIMiner is capable of generating CTIs with domain tags automatically. With the categorized CTIs, <em>Threat-Index</em> is presented to quantify the severity of the threats toward different domains. Experimental results confirm that the proposed CTI domain recognizer and IOC extraction achieve superior performance with the accuracy exceeding 84% and 94%, respectively. Moreover, TIMiner stimulates new insights on the evolution of cyber attacks across multiple domains.</p>

computer science, information systems

Shuang Xun,Xiaoyong Li,Yali Gao

DOI: https://doi.org/10.1145/3390557.3394305

2020-01-01

Abstract:Cyberspace security issues are becoming more and more important, but traditional methods cannot cope with changing cyber-attack methods, which often leads to severe network paralysis and economic losses. Therefore, we propose an automatic identification model of threat intelligence (TI) based on convolutional neural network (CNN) called AITI. At first, the cyber crawler technology is used to obtain unstructured semantic text data from platforms such as security forums and blogs. Next, the semantic text is preprocessed and input into the word embedding model to extract feature vectors. Then, we build a classification model based on CNN and train it on the collected dataset. Finally, the trained CNN model is used to automatically identify TI from unstructured semantic text such as security articles. According to the experiment results, AITI have obtained the accuracy of 90.38% and the F1 Score of 91.16%. The experiments verified that AITI outperforms other models on multiple core metrics. AITI provides a practical solution for TI identification to a certain extent, which can improve the efficiency and accuracy of TI identification.

Ruyue Liu,Ziping Zhao,Chengjun Sun,Xiaoyu Yang,Xiaoli Gong,Jin Zhang

DOI: https://doi.org/10.1007/978-981-10-6385-5_30

2017-01-01

Abstract:As the form of cyber threats becomes more complex, which leads to a widespread concern about how to promote network security active defense system by using the exploding cyber threat intelligence. Basing on the content analysis method, introduces the precision, recall rate and timely rate on the basis of the change of time dimension, and analyzes the threat intelligence provider from three aspects. The validity of this method is verified by the test of massive source of threat data, which improves the efficiency of CIF analysis and makes it easy to analyze and extract the threat intelligence information quickly.

Jeonghun Cha,Sushil Kumar Singh,Yi Pan,Jong Hyuk Park

DOI: https://doi.org/10.3390/su12166401

IF: 3.9

2020-01-01

Sustainability

Abstract:Nowadays, the designing of cyber-physical systems has a significant role and plays a substantial part in developing a sustainable computing ecosystem for secure and scalable network architecture. The introduction of Cyber Threat Intelligence (CTI) has emerged as a new security system to mitigate existing cyber terrorism for advanced applications. CTI demands a lot of requirements at every step. In particular, data collection is a critical source of information for analysis and sharing; it is highly dependent on the reliability of the data. Although many feeds provide information on threats recently, it is essential to collect reliable data, as the data may be of unknown origin and provide information on unverified threats. Additionally, effective resource management needs to be put in place due to the large volume and diversity of the data. In this paper, we propose a blockchain-based cyber threat intelligence system architecture for sustainable computing in order to address issues such as reliability, privacy, scalability, and sustainability. The proposed system model can cooperate with multiple feeds that collect CTI data, create a reliable dataset, reduce network load, and measure organizations' contributions to motivate participation. To assess the proposed model's effectiveness, we perform the experimental analysis, taking into account various measures, including reliability, privacy, scalability, and sustainability. Experimental results of evaluation using the IP of 10 open source intelligence (OSINT) CTI feeds show that the proposed model saves about 15% of storage space compared to total network resources in a limited test environment.

Yali Gao,Xiaoyong Li,Hao Peng,Binxing Fang,Philip S. Yu

DOI: https://doi.org/10.1109/tkde.2020.2987019

IF: 9.235

2022-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Cyber attacks have become increasingly complicated, persistent, organized, and weaponized. Faces with this situation, drives a rising number of organizations across the world are showing a growing willingness to leverage the open exchange of cyber threat intelligence (CTI) for obtaining a full picture of the fast-evolving cyber threat situation and protecting themselves against cyber-attacks. However, modeling CTI is challenging due to the explicit and implicit relationships among CTI and the heterogeneity of cyber-threat infrastructure nodes involved in CTI. Owing to the limited labels of cyber threat infrastructure nodes involved in CTI, automatically identifying the threat type of infrastructure nodes for early warning is also challenging. To tackle these challenges, a practical system called HinCTI is developed for modeling cyber threat intelligence and identifying threat types. We first design a threat intelligence meta-schema to depict the semantic relatedness of infrastructure nodes. We then model cyber threat intelligence on heterogeneous information network (HIN), which can integrate various types of infrastructure nodes and rich relations among them. Following, we define a meta-path and meta-graph instances-based threat Infrastructure similarity (MIIS) measure between threat infrastructure nodes and present a MIIS measure-based heterogeneous graph convolutional network (GCN) approach to identify the threat types of infrastructure nodes involved in CTI. Moreover, through the hierarchical regularization strategy, our model can alleviate the problem of overfitting and achieve good results in the threat type identification of infrastructure nodes. To the best of our knowledge, this work is the first to model CTI on HIN for threat identification and propose a heterogeneous GCN-based approach for threat type identification of infrastructure nodes. With HinCTI, comprehensive experiments are conducted on real-world datasets, and experimental results demonstrate that our proposed approach can significantly improve the performance of threat type identification compared to the existing state-of-the-art baseline methods. Our work is beneficial to greatly relieve security analysts from heavy analysis work and efficiently protect organizations against cyber-attacks.

Yali Gao,Xiaoyong Li,Jirui Li,Yunquan Gao,Ning Guo

DOI: https://doi.org/10.1109/bigdata.2018.8622111

2018-01-01

Abstract:More and more organizations and individuals start to pay attention to real-time threat intelligence to protect themselves from the complicated, organized, persistent and weaponized cyber attacks. However, most users worry about the trustworthiness of threat intelligence provided by TISPs (Threat Intelligence Sharing Platforms). The trust evaluation mechanism has become a hot topic in applications of TISPs. However, most current TISPs do not present any practical solution for trust evaluation of threat intelligence itself. In this paper, we propose a graph mining-based trust evaluation mechanism with multidimensional features for large-scale heterogeneous threat intelligence. This mechanism provides a feasible scheme and achieves the task of trust evaluation for TISP, through the integration of a trust-aware intelligence architecture model, a graph mining-based intelligence feature extraction method, and an automatic and interpretable trust evaluation algorithm. We implement this trust evaluation mechanism in a practical TISP (called GTTI), and evaluate the performance of our system on a real-world dataset from three popular cyber threat intelligence sharing platforms. Experimental results show that our mechanism can achieve 92.83% precision and 93.84% recall in trust evaluation. To the best of our knowledge, this work is the first to evaluate the trust level of heterogeneous threat intelligence automatically from the perspective of graph mining with multidimensional features including source, content, time, and feedback. Our work is beneficial to provide assistance on intelligence quality for the decision-making of human analysts, build a trust-aware threat intelligence sharing platform, and enhance the availability of heterogeneous threat intelligence to protect organizations against cyberspace attacks effectively.

Lingzi Li,Cheng Huang,Junren Chen

DOI: https://doi.org/10.1016/j.cose.2024.103815

IF: 5.105

2024-03-27

Computers & Security

Abstract:As cyber attacks are growing, Cyber Threat Intelligence (CTI) enhances the ability of security systems to resist novel cyber threats. However, since most CTI is unstructured data written in natural language, it needs to be understood and summarized by security experts to be effectively utilized. To address the problem, we adopt the ATT&CK matrix as the taxonomy to propose a method for automated mapping of unstructured threat intelligence to tactics and techniques. The proposed method contains a pre-processor for text denoising, a label extractor for classifying which tactics and techniques category the text belongs to, and a post-processor for correcting the classification results. The label extractor consists of two multi-label classifiers based on DistilBERT for tactics and techniques classification respectively. The post-processor corrects the classification results based on the relations between tactics, techniques, and sub-techniques in the matrix, eliminating errors caused by the independence between categories. In the evaluation, we collect the text data from the ATT&CK knowledge base and real cyber threat reports to build an experiment dataset, which contains 26,602 sentence samples. We apply the proposed method to the dataset to verify its effectiveness. The results show that the proposed method can accurately retrieve tactics and techniques with F0.5 score of 85.50% and 75.17% respectively, which outperforms the baseline method by about 10%.

computer science, information systems

Angel Kodituwakku,Clark Xu,Daniel Rogers,David K. Ahn,Errin W. Fulp

DOI: https://doi.org/10.1109/BigData59044.2023.10386664

2024-12-26

Abstract:Indicators of Compromise (IoCs) play a crucial role in the rapid detection and mitigation of cyber threats. However, the existing body of literature lacks in-depth analytical studies on the temporal aspects of IoC publication, especially when considering up-to-date datasets related to Common Vulnerabilities and Exposures (CVEs). This paper addresses this gap by conducting an analysis of the timeliness and comprehensiveness of Cyber Threat Intelligence (CTI) pertaining to several recent CVEs. The insights derived from this study aim to enhance cybersecurity defense strategies, particularly when dealing with dynamic cyber threats that continually adapt their Tactics, Techniques, and Procedures (TTPs). Utilizing IoCs sourced from multiple providers, we scrutinize the IoC publication rate. Our analysis delves into how various factors, including the inherent nature of a threat, its evolutionary trajectory, and its observability over time, influence the publication rate of IoCs. Our preliminary findings emphasize the critical need for cyber defenders to maintain a constant state of vigilance in updating their IoCs for any given vulnerability. This vigilance is warranted because the publication rate of IoCs may exhibit fluctuations over time. We observe a recurring pattern akin to an epidemic model, with an initial phase following the public disclosure of a vulnerability characterized by sparse IoC publications, followed by a sudden surge, and subsequently, a protracted period with a slower rate of IoC publication.

Cryptography and Security

Yue Lin,He Wang,Bowen Yang,Mingrui Liu,Yin Li,Yuqing Zhang

DOI: https://doi.org/10.1007/978-3-030-30619-9_18

2019-01-01

Abstract:In the process of increasing cybersecurity attack and defense confrontation, there is a natural asymmetry between the offensive and defense. The Cyber Threat Intelligence (CTI) sharing mechanism is an effective means to improve the emergency-response ability of the protection party. However, currently, there are no effective sharing schemes in the community network to facilitate cross-sector threat intelligence sharing. This paper presents a collaborative threat intelligence sharing mechanism based on the blackboard model, which can be used to identify potential risks, prevent cyber attacks at an early stage, and facilitate community incident response. According to the China National Standard “Cyber security threat information format”, we divide threat intelligence sharing into routine and attack-specific threat intelligence sharing. Also, we design an attack-specific threat intelligence sharing module based on the blackboard model and describe the sharing process. Finally, we design the blackboard monitoring mechanism as a Multi-Agent System (MAS) to realize many tasks in the sharing process. Our scheme is illustrated by several CTI sharing scenarios in the community.

Zongzong Wu,Fengxiao Tang,Ming Zhao,Yufeng Li

2024-08-15

Abstract:Cyber threat intelligence is a critical tool that many organizations and individuals use to protect themselves from sophisticated, organized, persistent, and weaponized cyber attacks. However, few studies have focused on the quality assessment of threat intelligence provided by intelligence platforms, and this work still requires manual analysis by cybersecurity experts. In this paper, we propose a knowledge graph-based verifier, a novel Cyber Threat Intelligence (CTI) quality assessment framework that combines knowledge graphs and Large Language Models (LLMs). Our approach introduces LLMs to automatically extract OSCTI key claims to be verified and utilizes a knowledge graph consisting of paragraphs for fact-checking. This method differs from the traditional way of constructing complex knowledge graphs with entities as nodes. By constructing knowledge graphs with paragraphs as nodes and semantic similarity as edges, it effectively enhances the semantic understanding ability of the model and simplifies labeling requirements. Additionally, to fill the gap in the research field, we created and made public the first dataset for threat intelligence assessment from heterogeneous sources. To the best of our knowledge, this work is the first to create a dataset on threat intelligence reliability verification, providing a reference for future research. Experimental results show that KGV (Knowledge Graph Verifier) significantly improves the performance of LLMs in intelligence quality assessment. Compared with traditional methods, we reduce a large amount of data annotation while the model still exhibits strong reasoning capabilities. Finally, our method can achieve XXX accuracy in network threat assessment.

Cryptography and Security,Information Retrieval

Peng Gao,Xiaoyuan Liu,Edward Choi,Sibo Ma,Xinyu Yang,Dawn Song

2024-10-31

Abstract:Open-source cyber threat intelligence (OSCTI) has become essential for keeping up with the rapidly changing threat landscape. However, current OSCTI gathering and management solutions mainly focus on structured Indicators of Compromise (IOC) feeds, which are low-level and isolated, providing only a narrow view of potential threats. Meanwhile, the extensive and interconnected knowledge found in the unstructured text of numerous OSCTI reports (e.g., security articles, threat reports) available publicly is still largely underexplored. To bridge the gap, we propose ThreatKG, an automated system for OSCTI gathering and management. ThreatKG efficiently collects a large number of OSCTI reports from multiple sources, leverages specialized AI-based techniques to extract high-quality knowledge about various threat entities and their relationships, and constructs and continuously updates a threat knowledge graph by integrating new OSCTI data. ThreatKG features a modular and extensible design, allowing for the addition of components to accommodate diverse OSCTI report structures and knowledge types. Our extensive evaluations demonstrate ThreatKG's practical effectiveness in enhancing threat knowledge gathering and management.

Cryptography and Security,Databases

Abel Yeboah-Ofori,Shareeful Islam,Sin Wee Lee,Zia Ush Shamszaman,Khan Muhammad,Meteb Altaf,Mabrook S. Al-Rakhami

DOI: https://doi.org/10.1109/access.2021.3087109

IF: 3.9

2021-01-01

IEEE Access

Abstract:Cyber Supply Chain (CSC) system is complex which involves different sub-systems performing various tasks. Security in supply chain is challenging due to the inherent vulnerabilities and threats from any part of the system which can be exploited at any point within the supply chain. This can cause a severe disruption on the overall business continuity. Therefore, it is paramount important to understand and predicate the threats so that organization can undertake necessary control measures for the supply chain security. Cyber Threat Intelligence (CTI) provides an intelligence analysis to discover unknown to known threats using various properties including threat actor skill and motivation, Tactics, Techniques, and Procedure (TT and P), and Indicator of Compromise (IoC). This paper aims to analyse and predicate threats to improve cyber supply chain security. We have applied Cyber Threat Intelligence (CTI) with Machine Learning (ML) techniques to analyse and predict the threats based on the CTI properties. That allows to identify the inherent CSC vulnerabilities so that appropriate control actions can be undertaken for the overall cybersecurity improvement. To demonstrate the applicability of our approach, CTI data is gathered and a number of ML algorithms, i.e., Logistic Regression (LG), Support Vector Machine (SVM), Random Forest (RF), and Decision Tree (DT), are used to develop predictive analytics using the Microsoft Malware Prediction dataset. The experiment considers attack and TTP as input parameters and vulnerabilities and Indicators of compromise (IoC) as output parameters. The results relating to the prediction reveal that Spyware/Ransomware and spear phishing are the most predictable threats in CSC. We have also recommended relevant controls to tackle these threats. We advocate using CTI data for the ML predicate model for the overall CSC cyber security improvement.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yinghui Wang,Yilong Ren,Zhiyong Cui,Haiyang Yu

2024-10-21

Abstract:Cybersecurity has become a crucial concern in the field of connected autonomous vehicles. Cyber threat intelligence (CTI), as the collection of cyber threat information, offers an ideal way for responding to emerging cyber threats and realizing proactive security defense. However, instant analysis and modeling of vehicle cybersecurity data is a fundamental challenge since its complex and professional context. In this paper, we suggest an automotive CTI modeling framework, Actim, to extract and analyse the interrelated relationships among cyber threat elements. Specifically, we first design a vehicle security-safety conceptual ontology model to depict various threat entity classes and their relations. Then, we manually annotate the first automobile CTI corpus by using real cybersecurity data, which comprises 908 threat intelligence texts, including 8195 entities and 4852 relationships. To effectively extract cyber threat entities and their relations, we propose an automotive CTI mining model based on cross-sentence context. Experiment results show that the proposed BERT-DocHiatt-BiLSTM-LSTM model exceeds the performance of existing methods. Finally, we define entity-relation matching rules and create a CTI knowledge graph that structurally fuses various elements of cyber threats. The Actim framework enables mining the intrinsic connections among threat entities, providing valuable insight on the evolving cyber threat landscape.

Cryptography and Security

Chunyan Ma,Zhengwei Jiang,Kai Zhang,Zhiting Ling,Jun Jiang,Yizhe You,Peian Yang,Huamin Feng

DOI: https://doi.org/10.1016/j.cose.2024.104141

IF: 5.105

2024-10-06

Computers & Security

Abstract:Cyber attack campaigns with multiple technical variants are becoming increasingly sophisticated and diverse, posing great threats to institutions and every individual. Cyber Threat Intelligence (CTI) offers a novel technical solution to transition from passive to active defense against cyber attacks. To counter these attacks, security practitioners need to condense CTIs from extensive CTI sources, primarily in the form of unstructured CTI reports. Unstructured CTI reports provide detailed threat information and describe multi-step attack behaviors, which are essential for uncovering complete attack scenarios. Nevertheless, automatic analysis of unstructured CTI reports is challenging. Furthermore, manual analysis is often limited to a few CTI sources. In this paper, we propose a multi-granular fusion framework for CTIs from massive CTI sources, comprising a comprehensive pipeline with six subtasks. Many current CTI extraction systems are limited by mining intelligence from a single source, thereby leading to challenges such as producing a fragmented view of attack campaigns and lower value density. We fuse the attack behaviors and attack techniques of the attack campaigns using innovative and improved multi-granular fusion methods and offer a comprehensive view of the attack. TIMFuser fills a critical gap in the automated analysis and fusion of multi-source CTIs, especially in the multi-granularity aspect. In our evaluation of 739 real-world CTI reports from 542 sources, experimental results demonstrate that TIMFuser can enable security analysts to obtain a complete view of real-world attack campaigns, in terms of fused attack behaviors and attack techniques.

computer science, information systems

Lei Li,Xiaoyong Li,Yali Gao

DOI: https://doi.org/10.1007/978-3-319-72395-2_1

2017-01-01

Abstract:With the gradually sharing of threat intelligences, users concern more about their trustworthiness, which is difficult to be judged. Some threat intelligence sharing platforms choose to show the risk or credibility, and inform users the trustworthiness of the threat intelligence. Several researchers have proposed the requirements and techniques for threat intelligence trust assessment. However, they do not present any tool-based or model solutions. In this paper, we present a Trustworthiness Determination Approach for Threat Intelligence (MTIV) to make up these shortcomings. First, we propose a framework to excavate threat intelligence via multiple sharing platforms, and extract multidimensional trustful features of the threat intelligence. Based on these, contributions of dimensional trustful features to the trustworthiness determination can be derived. Then we introduce Deep Belief Network (DBN) to determine the trustworthiness of the threat intelligence. The experimental results verify that MTIV is more effective than traditional methods. Our work will be of benefit to build a more credible threat intelligence sharing platform, and enhance the capability of real-time detection and resisting the cyberspace attacks.

Yuan Peng,Kaixing Huang,Weixun Tu,Chunjie Zhou

DOI: https://doi.org/10.1109/ddcls.2018.8516022

2018-01-01

Abstract:Rapid development and application of ICT technologies in industrial control systems (ICS) has introduced serious security problem, as the cyber-attack can cause physical damage, ensuring the cyber security is extremely important. Risk assessment is a key component in security protection process, but existing methods of risk assessment generally lack the capacity of quantification and the adaptability to the dynamic evolution of ICS. In this paper, we discuss a model-data integrated risk assessment method. In the proposed method, Bayesian network model is applied to achieve quantitative risk assessment, and the model is optimized dynamically using an online data-driven parameter learning strategy, which can improve the accuracy of real-time dynamic assessment result. The effectiveness of proposed method is demonstrated with a case study on a simulated process control system.