Tactics and techniques classification for cyber threat intelligence based on relevance enhancement (cited by: 6)

RENet:tactics and techniques classifications for cyber threat intelligence with relevance enhancement


Authors: 葛文翰, 王俊峰[1], 唐宾徽, 于忠坤, 陈柏翰, 余坚 (GE Wen-Han; WANG Jun-Feng; TANG Bin-Hui; YU Zhong-Kun; CHEN Bo-Han; YU Jian; College of Computer Science, Sichuan University, Chengdu 610065, China; School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China)

Affiliations: [1] College of Computer Science, Sichuan University, Chengdu 610065; [2] School of Cyber Science and Engineering, Sichuan University, Chengdu 610065

Source: 《四川大学学报(自然科学版)》 (Journal of Sichuan University (Natural Science Edition)), 2022, Issue 2, pp. 94-102 (9 pages)

Funding: National Key R&D Program of China (2019QY1400); National Natural Science Foundation of China (U2133208); Sichuan Provincial Youth Science and Technology Innovation Research Team Fund (2022JDTD0014).

Abstract: Tactics, Techniques and Procedures (TTPs) analysis of Cyber Threat Intelligence (CTI) provides a global view of cyberattack events and reveals system weaknesses, and is a key technique for cyberattack attribution. Existing TTP classification schemes perform poorly and unevenly in abstract language environments. This paper proposes RENet, a multi-label deep learning model based on relevance enhancement: it classifies tactics and techniques with a multi-label classifier that combines contextual information and multi-word semantics, and enhances technique classification by transferring the tactic classification results to techniques through a tactic-to-technique conditional transfer matrix. Experiments show that RENet classifies tactics and techniques more accurately, and converges faster, than other classification models. On the English dataset, the F1 scores of RENet for technique and tactic classification are 4.62% and 0.78% higher, respectively, than those of the best existing model; on the Chinese dataset they are 3.95% and 3.77% higher.

Keywords: cyber threat intelligence; tactics and techniques analysis; multi-label classification; relevance enhancement; ATT&CK; IoC identification

Classification code: TP183 [Automation and Computer Technology: Control Theory and Control Engineering]
