Cross-Utility Threat Intelligence Sharing

• Cross-Utility Threat Intelligence Sharing is the systematic exchange of actionable cybersecurity data among diverse critical infrastructures to enhance threat detection and resilience.
• Modern systems employ federated learning, differential privacy, and blockchain protocols to reconcile heterogeneous data and maintain confidentiality.
• Empirical evaluations show high detection accuracy and scalability, with significant reductions in false positives compared to isolated approaches.

Cross-utility threat intelligence sharing is the systematic exchange of actionable cybersecurity data, indicators, and knowledge among independent critical infrastructure operators (e.g., power, water, gas, telecommunications) to enhance detection, mitigation, and resilience against cyber threats. Unlike intra-domain sharing, cross-utility platforms must reconcile heterogeneous data schemas, distinct operational threats, confidentiality requirements, and regulatory boundaries. Modern research explores collaborative, privacy-preserving mechanisms using federated learning, cryptographic protocols, and blockchain-based governance to facilitate scalable, secure, and effective information flow.

1. Architectural Paradigms for Cross-Utility Threat Intelligence Sharing

Cross-utility threat intelligence sharing systems feature distributed designs to accommodate diverse participants, strict confidentiality boundaries, and sector-specific technology stacks. Core architectural motifs include:

• Federated Learning (FL) Frameworks: Utilities train ML models locally on network traffic or logs, sharing only model parameters (weights) with a global coordinator for aggregation via FedAvg, thus preventing transfer of raw sensitive data. All participants adopt a standard feature schema (e.g., NetFlow v9), local preprocessing (e.g., identifier redaction, class balancing, min-max scaling), and controlled communication rounds. FL implementations may utilize a central trusted party, a neutral sector-wide security operation center, or even blockchain-based coordinators for decentralized orchestration (Sarhan et al., 2021).
• Policy-Driven, Selective Data Disclosure: Data producers use group-wise partitioning of threat intelligence objects (e.g., in STIX), combined with per-group access policies reflecting sector trust relationships, compliance requirements, and credential-driven authorizations. Differential (per-consumer, per-record) sharing is enforced by smart contracts and policy managers, with on-chain verifiability and auditability (Dunnett et al., 2022, Allouche et al., 2021).
• Blockchain and Distributed Ledger Infrastructures: Permissioned blockchains (Hyperledger Fabric, Ethereum, or custom chains) underpin accountability, access control, revocation, and audit logging. Sensitive data is symmetrically encrypted, stored off-chain (IPFS), and referenced on-chain via content hashes and minimal metadata. Fine-grained channels (e.g., by TLP color) scope access according to consortium membership and threat sensitivity (Ali et al., 2021, Nguyen et al., 2021).
• Hybrid Knowledge Graphs: Systems such as TINKER convert heterogeneous, unstructured CTI into structured knowledge graphs, harmonized via open ontologies (MALOnt, STIX, SWIMMER), enabling semantically rich, queryable cross-domain sharing via REST, SPARQL, and RDF exports (Rastogi et al., 2021).

2. Methodologies and Protocols for Privacy and Utility

To resolve the dual imperatives of actionable intelligence and data confidentiality, cross-utility systems leverage layered privacy-preserving techniques:

• Secure Aggregation and Differential Privacy: FL schemes integrate secure multiparty protocols (e.g., Bonawitz-style PRF masking, homomorphic encryption, or additive sharing) to hide individual model updates from global coordinators and peers. Optional differential privacy noise is injected at each utility client, further mitigating membership or reconstruction risks. Metrics such as accuracy, detection rate, precision, recall, F₁ score, and AUC are calculated to measure ML detector performance without exposing underlying sample labels (Sarhan et al., 2021).
• Attribute-Based and Homomorphic Encryption: Cryptosystems such as CP-ABE encode access policies into ciphertexts, allowing only attribute-qualified recipients to decrypt specific records. Partially or fully homomorphic schemes (e.g., Paillier) facilitate privacy-preserving analytics (common in data aggregation across utilities), while ZKP frameworks enforce location or time-bound access or right-to-be-forgotten controls (Pasumarthy et al., 8 Mar 2024).
• Local Differential Privacy for Fingerprinting: For detection in high-volume, compliance-sensitive domains (LLM prompt injection), threat events are transformed into privacy-preserving fingerprints via PII redaction, semantic embedding, binary quantization, and randomized response, achieving F₁ ≈ 0.94 and outperforming SimHash baselines (F₁ ≈ 0.77). Only these non-invertible encodings cross compliance boundaries (Gill et al., 6 Sep 2025).
• Knowledge Graph Semantic Abstraction: Automated NER and relation extraction, supported by semi-supervised learning, ingest unstructured CTI reports into entity-relation triples. Tensor-factorization (e.g., TuckER) supports link prediction for malware attribution, vulnerability discovery, and campaign association, while export via JSON-LD, RDF, and STIX supports interoperability (Rastogi et al., 2021).

3. Data Representation, Quality Assurance, and Interoperability

Critical factors for effective cross-utility sharing include standardized data schemas, robust provenance trails, and quality/reputation scoring:

• Schema Harmonization: All participants agree upon a sector-spanning feature set with field-level annotations for sensitivity (risk weights), e.g., NetFlow v9 for traffic, common entity classes in CTI knowledge graphs, or established STIX observables (Sarhan et al., 2021, Rastogi et al., 2021).
• Quality Metrics and Contributor Reputation: Alert, indicator, or model update quality is scored by freshness (age decay), verified/ground-truth accuracy, and contextual richness (metadata presence, ATT&CK mapping). Community-maintained exponentially weighted moving averages compute contributor reputation weights, which in turn throttle access or privilege levels (e.g., revoke high-precision feeds for low-reputation actors) (Mohaisen et al., 2017).
• Free-Riding and Incentive Mechanisms: Consumption is balanced by credit-based or token incentives (karma/reputation). Consumption without commensurate contribution is penalized (CCR ratio), enforced by smart contracts and enforced through access throttling or denial. Some systems deliver economic rewards or subscription discounts based on verified contribution quality (Nguyen et al., 2021, Allouche et al., 2021).
• Machine-Readable Playbooks and Automation: Uniform, machine-actionable metadata templates around standardized playbooks (e.g., CACAO) are adopted to enable automated intake, provenance, deprecation checks, and execution by downstream orchestrators. Integration with MISP or mapping to TAC ontologies ensures both operational automation and research-grade archiving (Mavroeidis et al., 2021).

4. Evaluation Metrics, Experimental Validation, and Performance

Empirical analyses for cross-utility sharing platforms report clear separation between local, federated, and centralized paradigms, and benchmark cryptographic and protocol overheads:

• Detection Effectiveness: FL-based sharing yields federated accuracy and detection rates (e.g., ≈90.8% on UNSW-NB15, ≈93.0% on BoT-IoT) close to centralized upper bounds (≈99.4%) and dramatically superior to local-only models (≈51.3%) (Sarhan et al., 2021). For distributed KDE-based anomaly detectors, advanced weight adaptation pipelines achieve recall@k ≈1.0 and 80% reductions in false positives under coordinated malware conditions (Ongun et al., 2021).
• Scalability and Overhead: Blockchain and fabric-based systems (e.g., TIPS, TRADE, CTIStore) deliver typical throughputs of ~90–1,000 tps with per-transaction commit latencies of 0.2–3 s. Modular designs (channels, off-chain storage, private data collections) provide horizontal scalability and GDPR-compliant right-to-be-forgotten enforcement (Pasumarthy et al., 8 Mar 2024, Nguyen et al., 2021, Dunnett et al., 2022).
• Storage and Search Efficiency: For fingerprint-based schemes, binary encoding with local DP yields ≈64x storage savings and up to 38x search speedup compared to floating-point embedding methods (Gill et al., 6 Sep 2025).
• Cryptography Overheads: ABE and HE cryptosystem routines yield per-operation times in the 20–150 ms range for typical threat report payloads; ZKP verification adds sub-200 ms, enabling on-chain integration without throughput degradation (Pasumarthy et al., 8 Mar 2024).
• Validation and Security Proofs: Formal proofs under ring-LWE, DP, and composable ledger models guarantee semantic security, resistance to gradient reconstruction, k-anonymity, and aggregate-only leakage, with limitations clearly tied to cryptanalytic or protocol assumptions (Trocoso-Pastoriza et al., 2022, Allouche et al., 2021).

5. Governance, Community Structures, and Practical Deployment

Long-term success of cross-utility sharing depends on carefully designed governance, community stratification, and operational guidance:

• Community Stratification and Data Differentiality: Tiered access regimes—high-trust sector peers (Tier 1), moderately trusted alliances (Tier 2), broad-consortium or regional partners (Tier 3)—are mapped to data sensitivity and routed through appropriate anonymization or DP pipelines (Mohaisen et al., 2017).
• Consortium and Chartering: Sector-wide or multi-sectoral governance boards define onboarding, cryptographic parameterization, policy arbitration, and periodic key rotation. Orchestration boards disseminate standardized schemas and minimum quality/inclusion criteria, while rotating authorities (required for threshold signatures, ring signatures) enforce identity unlinkability and accountability (Ali et al., 2021, Allouche et al., 2021).
• Federated and Interoperable Orchestration: Platforms integrate with SIEMs (via REST, SPARQL, or STIX) and enable chaining of differential privacy, MPC, or federated learning modules. TAXII/OpenDXL adapters, standardized object templates, and ontology mappings are employed to ensure broad accessibility (Rastogi et al., 2021, Mavroeidis et al., 2021).
• Incident-Driven or Real-Time Use Models: Operational models span continuous real-time feeds (via TAXII for zero-day events), batch-digest exchanges, and ad hoc incident-driven queries. Policy-driven control of who receives what and when is implemented at both infrastructure and cryptographic levels, often with time- and geo-fencing via ZKP (Mohaisen et al., 2017, Pasumarthy et al., 8 Mar 2024).

6. Open Challenges and Limitations

• Non-IID Data and Model Robustness: Heterogeneity of utility domains leads to non-i.i.d. data, which can slow convergence in FL schemes. Personalized FL, clustering, and adaptive weighting are recommended (Sarhan et al., 2021).
• Trust and Malicious Participants: Platforms must guard against sybil and poisoning attacks, as adversarial participants could attempt to distort or corrupt global models or supply malicious weights. Solutions include robust model aggregation, code-signed updates, and multi-party endorsement policies (Ongun et al., 2021, Ali et al., 2021).
• Privacy–Utility Trade-offs: Parameterization of DP budgets, embedding dimension, fingerprinting noise, and access thresholds must be continuously calibrated to balance detection effectiveness against regulatory requirements and business sensitivity (Gill et al., 6 Sep 2025).
• Incentive Modeling and Free-Riding: Sustaining long-term participation requires economic, reputational, or credit-based incentive mechanisms, with ongoing research into slashing, staking, and automated trust evaluation (Nguyen et al., 2021, Allouche et al., 2021).
• Standardization and Ecosystem Adoption: Deployment across sectors requires adoption of common schemas, extension of threat intelligence platforms to support new object types, and integration with legacy and next-generation automation engines (Mavroeidis et al., 2021).

---

References:

• Federated learning for cross-utility NIDS: (Sarhan et al., 2021)
• Privacy-preserving fingerprinting for LLM services: (Gill et al., 6 Sep 2025)
• Knowledge graph CTI: (Rastogi et al., 2021)
• Policy-driven, blockchain selective sharing: (Dunnett et al., 2022, Allouche et al., 2021)
• Permissioned DLT for trusted sharing: (Ali et al., 2021, Nguyen et al., 2021)
• Privacy-enhancing tech and federated analytics: (Trocoso-Pastoriza et al., 2022, Pasumarthy et al., 8 Mar 2024)
• ML-based cross-network indicator sharing: (Ongun et al., 2021)
• Tiered, incentive-compatible community models: (Mohaisen et al., 2017)
• Playbook metadata integration: (Mavroeidis et al., 2021)