Research and Implementation of a Cyber Threat Intelligence Analysis Framework

Research and implementation of cyber threat intelligence analysis framework


Authors: 何发镁 (HE Famei) [1], 刘润时 (LIU Runshi), 贾赛男 (JIA Sainan), 岳桓州 (YUE Huanzhou), 王旭仁 (WANG Xuren) [2] (Library of Beijing Institute of Technology, Beijing 100081, China; College of Information Engineering, Capital Normal University, Beijing 100048, China)

Affiliations: [1] Library, Beijing Institute of Technology, Beijing 100081; [2] College of Information Engineering, Capital Normal University, Beijing 100048

Source: Journal of Yanshan University (燕山大学学报), 2024, No. 4, pp. 369-376 (8 pages)

Funding: National Natural Science Foundation of China (61872252); Strategic Priority Research Program of the Chinese Academy of Sciences (XDC02030200).

Abstract: Cyber threat intelligence is built on large volumes of cyber threat data and, through information sharing and collective collaboration, enables rapid early warning, detection and response to cyber threats. How to quickly and accurately extract cyber-security information automatically from massive volumes of threat intelligence reports has become a hot and difficult research topic. This paper proposes a cyber threat intelligence analysis framework and summarizes the current full-lifecycle processing pipeline for cyber threat intelligence. Application examples under this framework are given: building an open threat intelligence dataset, proposing a key-information extraction algorithm for cyber threat intelligence, and realizing association cognition of malicious IP-domain pairs based on a heterogeneous information graph. Several deep learning models for cyber threat intelligence entity recognition are implemented; among them, the model whose embeddings combine XLNet with a dictionary achieves the best accuracy, 95.27%. The proposed cyber threat intelligence analysis framework can serve as guidance for the analysis of unstructured cyber threat intelligence, and the experimental results can serve as a comparison baseline for information extraction from cyber threat intelligence.

Abstract (authors' English version): Cyber Threat Intelligence (CTI) is based on a large amount of network threat intelligence data. Through information sharing and mass collaboration, rapid early warning, detection and response to network threats can be achieved. How to quickly and accurately extract network security information from massive CTI reports has become a hot and difficult research topic. In this article, a framework for analyzing cyber threat intelligence is proposed, and the current full-cycle processing process for cyber threat intelligence is summarized. An application example under this framework is given: creating an open CTI dataset based on the BRAT tagging system, proposing an entity and relationship information extraction algorithm, realizing the association cognition of malicious IP-domain pairs based on heterogeneous information graphs, etc. Finally, an embedded representation based on the combination of XLNet and a cyber security dictionary is proposed, which raises the accuracy of named-entity recognition to 95.27% and serves as the reference and experimental baseline for the analysis and comparison of cyber threat intelligence entity recognition, which is the basis of CTI analysis.

Keywords: cyber threat intelligence; deep learning; multi-head attention mechanism; named entity recognition

Classification code: TP391.1 (Automation and Computer Technology: Computer Application Technology)
