Accurate, real‑time threat intelligence from social media dramatically improves organizations' ability to pre‑empt attacks, making Twitter‑derived cyber‑threat intelligence (CTI) more actionable and reliable.
Twitter has evolved into a frontline source of cyber‑threat intelligence, offering near‑instantaneous insights into emerging exploits, ransomware campaigns, and vulnerability disclosures. Yet the platform’s sheer volume and informal language create a noisy data environment that thwarts traditional keyword‑driven monitoring tools. Modern security teams therefore require sophisticated natural‑language techniques that can discern subtle contextual cues and attribute relevance to specific threat actors or incidents.
Tweezers answers this need with an event attribution‑centric embedding model that captures both the semantic meaning of tweets and their relational ties to known security events. By training on curated CTI datasets, the model learns to map tweets onto an event‑focused vector space, enabling precise similarity searches that outperform generic text embeddings and graph‑based approaches. In controlled experiments, Tweezers identified twice the number of true security events compared with leading baselines, while maintaining low false‑positive rates—a critical balance for analysts overwhelmed by alert fatigue.
Beyond detection, the framework powers practical applications such as longitudinal trend analysis, allowing organizations to visualize the rise and fall of specific threat vectors over time, and the pinpointing of influential security users who consistently share high‑value intelligence. These capabilities streamline the integration of social‑media CTI into existing security operations, enriching threat‑hunting workflows and informing proactive defense strategies. As adversaries continue to exploit public platforms for coordination, tools like Tweezers will become essential for maintaining situational awareness in an increasingly fast‑paced threat landscape.