Authors: ZHOU Jingxian[1], LI Qiwei, CHENG Zhipeng (Information Security Evaluation Center, CAUC, Tianjin 300300, China; College of Computer Science and Technology, CAUC, Tianjin 300300, China; Communication Network Center of North China Air Traffic Management Bureau, CAAC, Beijing 100621, China)
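Affiliations: [1] Information Security Evaluation Center, Civil Aviation University of China, Tianjin 300300 [2] College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300 [3] Communication Network Center of North China Air Traffic Management Bureau, CAAC, Beijing 100621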
Source: Journal of Civil Aviation University of China, 2024, No. 4, pp. 29-36 (8 pages)
Funding: Civil Aviation Safety Capacity Building Fund Project (PESA2019074, PESA2021009).
Abstract: With the diversification of cyber attack forms and the growing complexity of attack methods, cyber threat intelligence (CTI) has become an important means of dealing with unknown cyber threats. To address the difficulty of evaluating CTI quality caused by its wide range of sources and high repetition, this paper proposes ISU-Measure (intelligence-source-user measure), a CTI quality evaluation method based on multi-source heterogeneous data. First, timeliness, activity, relevance and completeness are designed as quantitative indicators to characterize the quality of micro-level threat intelligence. Second, scale, periodicity and originality are proposed as quantitative indicators to evaluate the overall quality of threat intelligence sources. Then, to account for differences in user needs, user indicator preferences are designed and combined with the Critic weighting method to generate composite weights, and the seven quantitative indicators are weighted to construct a quantitative evaluation model. Quality evaluation results for 12 mainstream threat intelligence sources show that the composite weighting method designed in ISU-Measure is superior to the Critic weighting method and the mean method, and that, compared with other research methods, it has clear advantages in indicator coverage, acquisition difficulty and discrimination.
Keywords: network security; threat intelligence; multi-source intelligence; quantitative evaluation; Critic weighting method
Classification No.: TP393.08 [Automation and Computer Technology: Computer Application Technology]