Abstract (translated from the Chinese):
Emerging threats in cyberspace are growing ever more complex and volatile, and traditional security defense measures can no longer keep up. Cyber threat intelligence, as an external information resource on direct or potential security threats, helps security personnel quickly identify malicious attacks and respond with timely defenses. Open source threat intelligence mining can obtain high-quality intelligence from many open sources, greatly compensating for shortcomings of traditional threat intelligence mining such as its thin information volume. The United States and Europe were the first to carry out research on open source intelligence mining at the government level, adopting it as a routine means of government intelligence collection. In recent years, China has also been extensively collecting and organizing open source cyber threat information and expanding the application of open source threat intelligence. This paper analyzes in depth more than one hundred papers on open source threat intelligence mining from the past six years, systematically reviews the technical theory of threat intelligence mining and its application scenarios in cyber security detection, and summarizes a general process framework model for open source threat intelligence mining. It analyzes and discusses three key scenarios: open source threat intelligence collection, recognition and extraction; open source threat intelligence fusion and evaluation; and open source threat intelligence correlation and application. It systematically reviews the fine-grained hot research directions within these three areas and compares the strengths and weaknesses of each solution in terms of application scenario, techniques used, performance evaluation, and advantages and disadvantages. Finally, it summarizes the common unresolved problems in open source threat intelligence mining in China and points out future research trends and next steps. By reviewing and analyzing the existing state of open source threat intelligence research, this paper aims to advance open source threat intelligence mining and analysis in China and improve the overall defensive capability of national cyber security.
Keywords: open source threat intelligence; recognition and extraction; fusion and evaluation; correlation analysis
DOI: 10.19363/J.cnki.cn10-1380/tn.2022.01.01
Received: 2021-05-21; Revised: 2021-08-20
Funding: This work was supported by the National Natural Science Foundation of China (No.61772429), the National 242 Information Security Program (No.2021A017), and the Key Research and Development Program of Shaanxi Province (No.2020ZDLGY08-01).

Survey of Cyber Threat Intelligence Mining Based on Open Source Information Platform
CUI Lin, YANG Libin, HE Qinglin, WANG Menghan, MA Jianfeng
School of Cyberspace Security, Northwestern Polytechnical University, Xi'an 710129, China; National Internet Emergency Center, Beijing 100029, China; School of Cyber Engineering, Xidian University, Xi'an 710071, China
Abstract:
Traditional security defense measures are struggling to keep pace with the increasing sophistication of attack tools and methodologies. The emergence of network security threat intelligence is a promising approach for alleviating malicious attacks, by providing additional information to depict a full picture of the fast-evolving cyber threat situation. Open source cyber threat intelligence (OSCTI) mining technology can obtain high-quality intelligence from multiple open sources, which makes up for the deficiencies of traditional threat intelligence mining. The United States and Europe have made efforts to implement relevant strategies in order to establish and develop OSCTI mining systems. Recently, China has also tended to expand the mining and application of OSCTI, regarding it as a key supplement to its cyber security defense system, including situation awareness platforms, next-generation firewalls and intrusion detection systems. Under such circumstances, we conduct the first comprehensive and systematic survey of OSCTI mining solutions in this paper. We investigate hundreds of publications on open source threat intelligence mining over the period 2015–2020 in depth, and systematically classify the OSCTI mining process from three key perspectives: identification and extraction, fusion and evaluation, and correlation analysis. We sketch the main idea and highlight the strengths and weaknesses of each solution type, and summarize the similarities and differences among solution types by analyzing technology application scenarios, technologies used, performance evaluation, advantages and disadvantages, etc. We further analyze the shortcomings of current open source threat intelligence mining and application research in China, summarize four opportunities and challenges, and suggest several potential trends and future directions in open source cyber threat intelligence mining to allow deeper and better investigation.
We hope that it can provide academic researchers and industrial practitioners with useful and valuable references for combating serious cyber-attacks, responding to the increasingly severe network security situation, and thereby securing the internet ecosystem.
Key words: open source cyber threat intelligence; recognition and extraction; fusion and evaluation; correlation analysis