Authors: Zhang Yuchen [1], Sun Cheng, Jiang Yingchang, Ma Junqiang [1], Hu Hao [1] (Information Engineering University of Strategic Support Force, Zhengzhou 450001)
Source: Journal of Intelligence (情报杂志), 2024, No. 8, pp. 72-83, 91 (13 pages)
Funding: Supported by the National Natural Science Foundation of China project "Research on Dynamic Modeling of Network Security and Situation Deduction Analysis Methods for Multi-step Attacks" (Grant No. 61902427).
Abstract: [Research purpose] Attack attribution (tracing an attack back to its source) is an important part of cyberspace security assurance. Because cyberspace data is massive, heterogeneous and diverse, and loosely structured, big data analysis urgently needs to be combined with artificial intelligence in order to effectively identify adversary attack threats, trace the attack chain and the attack organization behind it, and implement targeted defenses. [Research method] To address the difficulty of identifying attack threat characteristics, this paper proposes a knowledge-graph-driven network attack attribution method. First, an attack event framework is constructed with vulnerability exploitation actions as its core, and alert correlation is performed on a per-event basis to reconstruct attack scenarios. On this basis, a threat fingerprint knowledge graph is used to integrate published threat intelligence; the threat features found in the reconstructed attack scenario are extracted as fingerprints, the similarity between the two is analyzed, and the attacker is traced. [Research conclusion] Experimental results show that the method can enrich the context of attack behavior through the attack event framework and effectively trace attackers based on the knowledge graph, thereby using the attacker's existing threat intelligence to improve the comprehensiveness of threat feature identification for advanced persistent threats (APTs).