基于知识图谱的网络安全事件数据推荐算法  被引量：2

作　　者：祝现威 刘伟 刘自豪 顾泽宇 ZHU Xianwei;LIU Wei;LIU Zihao;GU Zeyu(The 61660 Unit of PLA,Beijing 100080,China)

机构地区：[1]中国人民解放军61660部队,北京100080

出　　处：《网络与信息安全学报》2023年第6期116-126,共11页Chinese Journal of Network and Information Security

摘　　要：针对网络安全运维人员分析网络安全事件时难以及时准确找出所需的数据问题,提出基于知识图谱的网络安全事件数据推荐算法,利用网络威胁框架ATT&CK构造本体模型,根据本体模型建立网络威胁知识图谱,将攻击技术、漏洞、防御措施等离散的安全数据提炼为互相关联的安全知识。基于知识图谱提取实体数据,通过Trans H算法进行实体向量化,并利用实体向量计算网络威胁数据实体间数据相似性。获取网络安全事件处置文献中网络安全数据实体作为运维人员处置行为,构造处置行为矩阵,通过行为矩阵实现网络威胁数据向量化表示,计算基于处置行为的网络威胁数据实体相似性。将网络威胁数据实体的相似度与基于处置行为的网络威胁数据实体的相似度进行融合,形成面向网络安全事件的数据推荐列表,实现基于用户行为的网络威胁领域间的关联。实验分析表明,在融合权重α=7和推荐数据量K=5时,所提算法最优,召回率和精确率分别为62.37%和68.23%。所提算法在数据相似度的基础上加入了处置行为相似度,更接近事实处置行为,与其他算法相比,所提算法的召回率具有较大优势,精确率在推荐数据量小于10的范围内具有较大优势。To address the difficulty faced by network security operation and maintenance personnel in timely and accurate identification of required data during network security event analysis,a recommendation algorithm based on a knowledge graph for network security events was proposed.The algorithm utilized the network threat framework ATT&CK to construct an ontology model and establish a network threat knowledge graph based on this model.It extracted relevant security data such as attack techniques,vulnerabilities,and defense measures into interconnected security knowledge within the knowledge graph.Entity data was extracted based on the knowledge graph,and entity vectors were obtained using the TransH algorithm.These entity vectors were then used to calculate data similarity between entities in network threat data.Disposal behaviors were extracted from literature on network security event handling and treated as network security data entities.A disposal behavior matrix was constructed,and the behavior matrix enabled the vector representation of network threat data.The similarity of network threat data entities was calculated based on disposal behaviors.Finally,the similarity between network threat data and threat data under network security event handling behavior was fused to generate a data recommendation list for network security events,which established correlations between network threat domains based on user behavior.Experimental results demonstrate that the algorithm performs optimally when the fusion weightα=7 and the recommended data volume K=5,achieving a recall rate of 62.37%and an accuracy rate of 68.23%.By incorporating disposition behavior similarity in addition to data similarity,the algorithm better represents factual disposition behavior.Compared to other algorithms,this algorithm exhibits significant advantages in recall rate and accuracy,particularly when the recommended data volume is less than 10.

关 键 词：网络威胁数据 网络安全事件 知识图谱 相似度 事件处置行为 数据推荐 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]