Affiliations: [1] School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang 050018, Hebei, China; [2] Hebei Provincial Key Laboratory of Network and Information Security, Hebei Normal University, Shijiazhuang 050024, Hebei, China; [3] School of Economics and Management, Hebei University of Science and Technology, Shijiazhuang 050018, Hebei, China; [4] Research Center for Big Data and Social Computing, Hebei University of Science and Technology, Shijiazhuang 050018, Hebei, China
Source: Journal of Hebei University of Science and Technology (《河北科技大学学报》), 2021, No. 2, pp. 195-204 (10 pages)
Funding: National Natural Science Foundation of China (61672206, 61572170); Hebei Provincial Science and Technology Plan Projects (18210109D, 20310701D, 20310802D); Hebei Province High-Level Talent Funding Project (A2016002015); Shijiazhuang Science and Technology Research and Development Plan Projects (19SCX01006, 191130591A).
Abstract: In 2016, General Secretary Xi Jinping gave important instructions at the national symposium on cybersecurity and informatization: strengthen big data mining and analysis, better perceive the network security situation, and guard against risks. To cope with the severe challenges facing network security, many large industries and enterprises have responded to the call of national policy by actively advocating, building and applying situation awareness systems. Network security situation awareness is an effective means of ensuring network security, and using situation awareness to discover and respond to potential threats has become a focus of network security research. Most of the network security situation awareness techniques and methods proposed so far take small-scale networks as their research setting. As networks have grown in scale, new advanced attack techniques such as APT have emerged, greatly reducing the accuracy of situation awareness techniques and making them harder to operate. In recent years, the emergence of threat intelligence has brought new ideas to situation awareness research and has become a new direction in the field. This paper summarizes traditional situation awareness research and the application of threat intelligence to network security situation awareness. Traditional network security situation awareness research is generally divided into three parts: situation perception, situation comprehension and situation projection. The main process extracts the security elements of the target system and analyzes the impact of security events, ultimately recognizing the behavior of various activities in the network, detecting attacks, and evaluating and predicting the network situation, so as to provide correct decisions for network security response. The application of threat intelligence to network security situation awareness is discussed in three scenarios: 1) Situation perception: threat intelligence is used to identify attack behavior, extract the relevant attack features, and determine the attack's intent, method and impact; 2) Situation comprehension: once the attack behavior and its features are determined, the attack behavior is understood, and the attacker's strategy is determined from the handling methods for that behavior shared in threat intelligence; 3) Situation projection: by analyzing attack events, attack techniques, vulnerabilities and other information in threat intelligence, the risk currently faced by the system is assessed and the attacks it may suffer are predicted. Threat intelligence is mainly obtained through collection methods such as big data and distributed systems; it has a strong capacity for autonomous updating and can provide the most complete and up-to-date security event data, greatly improving, in network security situation awareness work, the handling of new and high
English abstract (as given in the record): General Secretary XI Jinping gave instructions at the symposium on cybersecurity and informatization in 2016: strengthen the mining and analysis of big data, make better situation awareness and prevent risks in cybersecurity. In response to the call of national policies, many large industries and enterprises actively advocated, built and applied situation awareness systems to deal with the severe challenges faced by network security. Network security situation awareness is an effective means to ensure network security. It has become the focus of network security research to use situation awareness to discover potential threats and respond. At present, most of the proposed network security situation awareness technologies and methods are based on small-scale networks. With the continuous expansion of network scale and the appearance of new advanced attack technologies such as APT, the accuracy and operability of current situation awareness technology are greatly reduced. In recent years, the emergence of threat intelligence has brought new ideas to the research of situation awareness and has become a new direction in the field of situation awareness. This paper mainly summarizes the traditional situation awareness research and the application of threat intelligence in network security situation awareness. The traditional situation awareness research is generally divided into three parts, namely situation perception, situation comprehension and situation projection. The process of network security situation awareness is to collect the security elements of the target system and analyze the impact of security incidents. Finally, by using network security situation awareness, behavior recognition of various activities, attack detection, and evaluation and prediction of the network situation can be realized, so as to provide correct decisions for the network security response. The application of threat intelligence in network security situation awareness is discussed from three scenarios: 1) Situation perception: threat intelligence was used t
Keywords: network security; situation awareness; threat intelligence; STIX; network attack and defense
Classification code: TN958.98 (Electronics and Telecommunications: Signal and Information Processing)