摘要
2016年,习近平总书记在全国网信工作座谈会上作出重要指示:要加强大数据挖掘分析,更好感知网络安全态势,做好风险防范。为应对网络安全面临的严峻挑战,很多大型行业及企业响应国家政策号召,积极倡导、建设和应用态势感知系统。网络安全态势感知是保障网络安全的有效手段,利用态势感知发现潜在威胁、做出响应已经成为网络安全的研究重点。目前提出的各种网络安全态势感知技术及方法,大多以小规模网络为研究背景。随着网络规模的扩大,出现了例如APT这样的新型高级攻击手段,导致态势感知技术的准确性大为降低,可操作性也变得更加困难。近年来,威胁情报的出现为态势感知的研究带来了新思路,成为态势感知研究领域的一个新方向。对传统态势感知研究和威胁情报在网络安全态势感知上的应用进行了归纳总结。传统网络安全态势感知的研究一般分为3部分,即态势察觉、态势理解、态势投射,主要过程是通过对目标系统安全要素的提取,分析安全事件的影响,最终实现对网络中各种活动的行为识别、察觉攻击,并对网络态势进行评估和预测,为网络安全响应提供正确决策。对威胁情报在网络安全态势感知上的应用从3个场景进行了讨论:1)态势察觉:利用威胁情报进行攻击行为的识别,提取相关的攻击特征,确定攻击意图、方法及影响;2)态势理解:确定攻击行为及其特征后,对攻击行为进行理解,通过共享威胁情报中攻击行为的处置方法,确定攻击者的攻击策略;3)态势投射:通过分析威胁情报中攻击事件、攻击技术、漏洞等信息,评估当前系统面临的风险,预测其可能遭受的攻击。威胁情报主要是利用大数据、分布式系统等收集方法获取的,具有很强的自主更新能力,能够提供最全、最新的安全事件数据,极大提高网络安全态势感知工作中对新型和高级别危险的察觉能力。通过威胁情报共享机制,可使安全管理员对所处行业面临的威胁处境、攻击者类型、攻击技术及防御策略信息有更加深入的了解,对企业正在经历或潜在的威胁进行有效防御,提高态势感知分析的准确率与效率,以及对安全事件的响应能力。
General Secretary XI Jinping gave instructions at the symposium on cybersecurity and informatization in 2016:Strengthen the mining and analysis of big data,make better situation awareness and prevent risks in cybersecurity.In response to the call of national policies,many large industries and enterprises actively advocated,built and applied situation awareness systems to deal with the severe challenges faced by network security.Network security situation awareness is an effective means to ensure network security.It has become the focus of network security research to use situation awareness to discover potential threats and respond.At present,most of the proposed network security situation awareness technologies and methods are based on small-scale networks.With the continuous expansion of network scale and appearance of new advanced attack technologies such as APT,the accuracy of current situation awareness technology and the maneuverability reduced greatly.In recent years,the emergence of threat intelligence has brought new ideas to the research of situation awareness and become a new direction in the field of situation awareness.This paper mainly summarized the traditional situation awareness research and the application of threat intelligence in network security situation awareness.The traditional situation awareness research was generally divided into three parts,namely,situation perception,situation comprehension and situation projection.The process of network security situation awareness was to collect the security elements of the target system,and analyze the impact of security incidents.Finally,by using network security situation awareness,it can be realized the behavior recognition of various activities,attacks detection,evaluation and prediction of the network situation,so as to provide correct decisions for the network security response.The application of threat intelligence in network security situation awareness was discussed from three scenarios:1)Situation perception:threat intelligence was used to identify attack behaviors,extract relevant attack characteristics and determine attack intentions,methods,and impact;2)Situation comprehension:after determining the attack behavior and characteristics,the attack behavior was understood and the attacker’s attack strategy was determined by sharing the disposition of the attack behavior in the threat intelligence;3)Situation projection:by analyzing threat intelligence information such as attack events,attack techniques,and vulnerabilities,the risk faced by the current system was evaluated,and the possible attack was predicted.Threat intelligence is usually obtained by big data,distributed systems or other methods,and it has a strong ability to update autonomously.Threat intelligence can provide the most complete and latest security event data,which greatly improves the ability to detect new and advanced dangers in network security situation awareness.And by using the sharing mechanism in the threat intelligence,security stuff can understand the threat environment of their organization,such as attackers,tactical techniques used by them and defense strategies,which can helpenterprises understand the security threats they are facing or will be faced in the future.Threat intelligence can improve the accuracy and efficiency of situation awareness analysis,as well as the ability to respond to security incidents.
作者
尹彦
张红斌
刘滨
赵冬梅
YIN Yan;ZHANG Hongbin;LIU Bin;ZHAO Dongmei(School of Information Science and Engineering,Hebei University of Science and Technology»Shijiazhuang,Hebei 050018,China;Hebei Key Laboratory of Network and Information Security,Hebei Normal University,Shijiazhuang,Hebei 050024,China;School of Economics and Management,Hebei University of Science and Technology»Shijiazhuang»Hebei 050018,China;Research Center of Big Data and Social Computing,Hebei University of Science and Technology»Shijiazhuang,Hebei 050018,China)
出处
《河北科技大学学报》
CAS
北大核心
2021年第2期195-204,共10页
Journal of Hebei University of Science and Technology
基金
国家自然科学基金(61672206,61572170)
河北省省级科技计划资助项目(18210109D,20310701D,20310802D)
河北省高层次人才资助项目(A2016002015)
石家庄市科学技术研究与发展计划项目(19SCX01006,191130591A)。
关键词
网络安全
态势感知
威胁情报
STIX
网络攻防
network security
situation awareness
threat intelligence
STIX
network attack and defense