Abstract
Threat intelligence correlation analysis has become an effective way to trace the source of cyber attacks. Threat intelligence analysis reports on different advanced persistent threat (APT) organizations were crawled from public threat intelligence sources, and a threat intelligence report classification method based on a graph attention mechanism is proposed. Its purpose is to determine whether a newly produced threat intelligence analysis report belongs to a known attack organization, so as to support further expert analysis. A threat intelligence knowledge graph is designed, tactical and technical intelligence is extracted, the attributes of malicious samples, IP addresses and domain names are mined, a complex network is constructed, and a graph attention neural network is used to classify the threat intelligence report nodes. Evaluation shows that, with the uneven distribution of categories taken into account, the method achieves an accuracy of 78%, which is sufficient to determine the organization to which a threat intelligence report belongs.
Authors
WANG Ting, YAN Hanbing, LANG Bo (School of Computer Science and Engineering, Beihang University, Beijing 100191, China; National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China)
Source
Journal of Beijing University of Aeronautics and Astronautics (北京航空航天大学学报), 2024, No. 7, pp. 2293-2303 (11 pages)
Indexed in: EI, CAS, CSCD, Peking University Core Journals (北大核心)
Funding
National Key R&D Program of China (2019QY1400).
Keywords
threat intelligence
advanced persistent threat organization
knowledge graph
graph attention mechanism
attack source tracing