Abstract
Power grid enterprises currently perform security incident response mainly by reading a single commercial threat intelligence feed. To address the insufficient standardization of other intelligence sources, the difficulty of extracting intelligence from massive volumes of security logs, and the inadequate accuracy of existing intelligence feature-selection algorithms in identifying advanced persistent threats, a set of intelligence analysis algorithms was designed. It integrates the intelligence-source data that power grid enterprises have not yet used and unifies the intelligence interface standard; it applies weight statistics, frequency analysis, time decay and website fingerprint identification algorithms to analyze security logs and hacker fingerprint information. The algorithms can process data at the million-record scale, and the generation rate of hacker-profile intelligence is greatly increased. The result is effective use of multiple intelligence sources in power grid enterprises and improved accuracy in identifying advanced persistent threats.
Power grid enterprises mainly complete security incident response based on a single-source indicator of compromise (IoC). In order to cope with the insufficient standardization of other IoC sources, the difficulty of extracting IoCs from the massive logs produced by security equipment, and the lack of accuracy of current feature selection algorithms related to advanced persistent threats (APT), we propose a set of threat analysis algorithms which aggregates other multi-source IoCs to generate a unified interface. These algorithms also use weight statistics, frequency analysis, time decay and a website fingerprint extraction algorithm to analyze security logs and hacker fingerprint data. The data processing capacity of these algorithms has reached millions of records, and the generation rate of hacker profile IoCs has greatly improved. These techniques can improve the efficiency of using multi-source IoCs as well as the accuracy of analyzing advanced persistent threats in power grid enterprises.
Authors
张亚昊
胡威
节骜
ZHANG Yahao; HU Wei; JIE Ao (Network Security Monitoring Center, Information and Telecommunication Branch, State Grid Corporation of China, Beijing 100761, China; affiliation of the remaining author not given)
Source
《武汉理工大学学报(信息与管理工程版)》
2022, Issue 2, pp. 220-226 (7 pages)
Journal of Wuhan University of Technology:Information & Management Engineering
Funding
National Natural Science Foundation of China (61971014)
Beijing Postdoctoral Research Funding Project (2017-22-030)
State Grid Corporation of China Headquarters Management Science and Technology Project (5108-202117055A-0-0-00)
Keywords
cybersecurity
threat intelligence
statistical analysis
advanced persistent threat
clustering algorithms