基于词向量和图卷积的攻击模式与技术实体关联方法

Predicting correlation relationships of entities between attack patterns and techniques based on word embedding and graph convolutional network

安全威胁分析以包含大量安全实体的网络安全知识库为基础,对威胁源、攻击能力、攻击动机、威胁路径等建模,并结合资产的脆弱性及已部署的安全措施,评估威胁的影响范围、程度以及带来的安全风险。但是基础知识库部分实体之间的关联关系缺失,不利于实现安全事件追踪、攻击路径关联。针对CAPEC攻击模式和ATT&CK技术的实体关系缺失问题,提出一种基于词向量和图卷积的攻击模式与技术实体关联方法,即通过分析实体描述文本之间的关联度判断实体关系,达到不同知识库间实体关系的补充、丰富威胁路径的目的。提出的方法使用预训练的安全领域Word2Vec模型提取特定领域的语义信息,通过图卷积神经网络模型提取实体描述间的共现关系,进一步将两种特征输入孪生网络预测实体间的关联关系。为解决现有知识库中实体关系较少的小样本学习问题,通过词向量补充外部语义信息、模型训练时使用动态负采样和添加正则项避免过拟合。针对MITRE组织提供的CAPEC和ATT&CK知识库进行实验测试,结果表明,所提算法可以通过分析实体描述的语义信息,将有关系的实体对在样本空间内与无关系实体对分离,从而有效预测新的实体对的关联关系。在小样本条件下,所提方法的预测准确率高于基于Bert的文本相似度预测方法,同时训练时间更短、所需计算资源更少。实验结果证明,基于词向量和图卷积的攻击模式与技术实体关联方法可以挖掘出新的攻击模式与技术实体关联关系,安全威胁分析时有助于提高从安全漏洞和脆弱点等底层概念抽象出攻击技术和战术的能力。

Threat analysis relies on knowledge bases that contain a large number of security entities.The scope and impact of security threats and risks are evaluated by modeling threat sources,attack capabilities,attack motivations,and threat paths,taking into consideration the vulnerability of assets in the system and the security measures implemented.However,the lack of entity relations between these knowledge bases hinders the security event tracking and attack path generation.To complement entity relations between CAPEC and ATT&CK techniques and enrich threat paths,an entity correlation prediction method called WGS was proposed,in which entity descriptions were analyzed based on word embedding and a graph convolution network.A Word2Vec model was trained in the proposed method for security domain to extract domain-specific semantic features and a GCN model to capture the co-occurrence between words and sentences in entity descriptions.The relationship between entities was predicted by a Siamese network that combines these two features.The inclusion of external semantic information helped address the few-shot learning problem caused by limited entity relations in the existing knowledge base.Additionally,dynamic negative sampling and regularization was applied in model training.Experiments conducted on CAPEC and ATT&CK database provided by MITRE demonstrate that WGS effectively separates related entity pairs from irrelevant ones in the sample space and accurately predicts new entity relations.The proposed method achieves higher prediction accuracy in few-shot learning and requires shorter training time and less computing resources compared to the Bert-based text similarity prediction models.It proves that word embedding and graph convolutional network based entity relation prediction method can extract new entity correlation relationships between attack patterns and techniques.This helps to abstract attack techniques and tactics from low-level vulnerabilities and weaknesses in security threat analysis.