Abstract
As cyber threats continue to evolve, security enterprises both domestically and internationally have established their own threat intelligence platforms and provide services on them. Despite the various standards and specifications the industry has proposed to facilitate information sharing, issues such as trust, privacy protection, and the distribution of benefits have hindered effective collaboration, and the actual sharing results remain unsatisfactory. To address the existing challenges in threat intelligence sharing, a threat intelligence aggregation method based on security events was proposed. This method reorganizes threat intelligence by leveraging the semantic properties of events, simplifying the expression structure and increasing its degree of structuring. Additionally, an improved skeleton method was used to achieve semi-automated model construction, thereby increasing construction efficiency and the level of formalization. Applying the developed threat intelligence model to large-scale model training and simulation can effectively support the mining of unknown intelligence and the alerting of security events. This research not only offers a novel approach to the aggregation and sharing of threat intelligence but also contributes new ideas for enhancing cybersecurity defense capabilities.
Authors
赵洋
王鹏
于旸
翟立东
ZHAO Yang; WANG Peng; YU Yang; ZHAI Lidong (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100193, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Tencent Technology (Shenzhen) Company Limited, Shenzhen 510660, China)
Funding
National Natural Science Foundation of China (62376265).
Keywords
threat intelligence
intelligence aggregation
security incident
ontology construction
ontology evaluation