Authors: WANG Wenting [1,2], LIU Yuanlong, LIU Chao, WANG He, LIU Jing [2] (Zhejiang University, Hangzhou, Zhejiang 310058, China; State Grid Shandong Electric Power Research Institute, Jinan, Shandong 250003, China; State Grid Shandong Electric Power Company, Jinan, Shandong 250003, China; State Grid Siji Network Security Technology (Beijing) Co., Ltd., Beijing 102209, China; Northeast Electric Power University, Jilin, Jilin 132012, China)
Affiliations: [1] Zhejiang University, Hangzhou, Zhejiang 310058; [2] State Grid Shandong Electric Power Company Electric Power Research Institute, Jinan, Shandong 250003; [3] State Grid Shandong Electric Power Company, Jinan, Shandong 250003; [4] State Grid Siji Network Security Technology (Beijing) Co., Ltd., Beijing 102209; [5] Northeast Electric Power University, Jilin, Jilin 132012
Source: Information Security and Communications Privacy (《信息安全与通信保密》), 2024, No. 3, pp. 43-51 (9 pages)
Funding: State Grid Corporation of China Science and Technology Project "Research and Application of Fuzzing Technology for Power System Terminals" (5700-202316312A-1-1-ZN).
Abstract: Threat intelligence is a security technology that compensates for the information asymmetry between attackers and defenders; it helps security personnel detect threatening behavior and take corresponding preventive measures. In recent years, threat intelligence research has received wide attention from the industry, yet existing work makes poor use of the intelligence it collects. To address this, a smart substation alarm analysis method based on semantic rule extraction from threat intelligence is proposed. First, a semantic rule model is constructed to generate a semantic rule graph that describes attack techniques. Second, a semantic rule extraction framework is built for ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) attack technique texts; knowledge extraction is performed on these texts, and semantic rules are obtained from them. The method tackles the problem of redundant and cluttered alarm information in smart substations while raising the utilization rate of threat intelligence, achieving automated analysis and processing of high-level threat intelligence.
Keywords: threat intelligence; smart substation; ATT&CK framework; semantic rules; knowledge extraction
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]