Abstract:
There is a semantic gap in extracting cyber attack knowledge from natural language description text, which leads to low automated utilization of TTPs threat intelligence. To improve the efficiency of automated threat intelligence analysis, APT attack semantic rules based on ATT&CK are designed and implemented. First, a labeled directed graph semantic rule model is constructed to give a knowledge-level description of attack techniques described in natural language text; second, semantic rules are defined, explaining the formal description method for network entity attributes and the logical operation relations between them; finally, natural language processing techniques such as keyword-phrase recognition and knowledge extraction are used to extract 123 APT attack semantic rules from attack technique texts, covering 115 techniques and 12 tactics of ATT&CK. The semantic rules are validated against APT attack log data collected in a simulated scenario. Experimental results show that the detection rate of the semantic rules reaches 93.1%, and that they have a certain ability to reconstruct attack context information, so they can effectively support threat detection and analysis.
Keywords: semantic rules; APT attack; ATT&CK; threat intelligence; natural language processing
DOI: 10.19363/J.cnki.cn10-1380/tn.2021.05.05
Received: July 04, 2020; Revised: September 10, 2020
Funding: This work was supported by the National Natural Science Foundation of China (No. 61502528).

Construction of APT Attack Semantic Rules Based on ATT&CK
PAN Yafeng, ZHOU Tianyang, ZHU Junhu, ZENG Ziyi
State Key Laboratory of Mathematical Engineering and Advanced Computing, Information & Engineering University, Zhengzhou 450001, China; National Engineering Technology Research Center of the National Digital Switching System, Zhengzhou 450001, China
Abstract:
Aiming at the problem of the semantic gap in extracting cyber attack knowledge from natural language descriptions, which leads to low automated utilization of tactics, techniques, and procedures (TTPs) threat intelligence, this paper designs and implements APT attack semantic rules based on Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). First, we construct a labeled directed graph semantic rule model to describe attack techniques that are given in natural language, and then define semantic rules that explain the formal description method for network entity attributes and the logical operation relations between them. Finally, using natural language processing techniques such as phrase recognition and knowledge extraction, 123 APT attack semantic rules were extracted from attack technique text, covering 115 techniques and 12 tactics of ATT&CK. The semantic rules were verified on APT attack audit data collected in a simulated scenario. Experimental results show that the detection rate of the semantic rules reaches 93.1%, and that the rules have a certain ability to reconstruct the context of the attack behavior, so they can effectively contribute to threat detection and analysis.
Key words: semantic rules; APT attack; ATT&CK; threat intelligence; natural language processing
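As an added illustration (not code from the paper), a toy Python version of the labeled directed graph rule model described in the abstract: rule nodes carry attribute predicates combined with AND/OR, edges carry relation labels, and a rule is matched against audit-log entities and relations by finding a consistent binding. The rule, the entity attributes, the relation labels and the log are all assumed placeholders, not the paper's 123 rules or its dataset.

```python
from itertools import product

# Attribute predicates plus AND/OR combinators: the rule's logical operation relations.
def attr_eq(key, value):
    return lambda ent: ent.get(key) == value
def attr_endswith(key, suffix):
    return lambda ent: str(ent.get(key, "")).lower().endswith(suffix)
def all_of(*preds):
    return lambda ent: all(p(ent) for p in preds)
def any_of(*preds):
    return lambda ent: any(p(ent) for p in preds)

# Assumed rule (not one of the paper's 123): a labeled directed graph whose
# nodes carry predicates and whose edges carry relation labels.
RULE = {
    "nodes": {
        "office": all_of(attr_eq("type", "process"),
                         any_of(attr_endswith("image", "winword.exe"),
                                attr_endswith("image", "excel.exe"))),
        "child": attr_eq("type", "process"),
        "dropped": all_of(attr_eq("type", "file"), attr_endswith("path", ".exe")),
    },
    "edges": [("office", "spawns", "child"), ("child", "writes", "dropped")],
}

def match_rule(rule, entities, edges):
    """Bind rule nodes to distinct log entity ids so that every node predicate
    and every labeled edge holds (brute-force subgraph matching)."""
    names = list(rule["nodes"])
    candidates = [[eid for eid, ent in entities.items() if rule["nodes"][n](ent)]
                  for n in names]
    edge_set, matches = set(edges), []
    for combo in product(*candidates):
        binding = dict(zip(names, combo))
        if len(set(combo)) == len(combo) and all(
                (binding[s], lbl, binding[d]) in edge_set
                for s, lbl, d in rule["edges"]):
            matches.append(binding)  # each binding is recovered attack context
    return matches

# Constructed audit log (not real data): entity attributes and labeled relations.
ENTITIES = {
    "p1": {"type": "process", "image": "C:\\Office\\WINWORD.EXE"},
    "p2": {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe"},
    "p3": {"type": "process", "image": "C:\\Windows\\explorer.exe"},
    "f1": {"type": "file", "path": "C:\\Users\\u\\AppData\\drop.exe"},
    "f2": {"type": "file", "path": "C:\\Users\\u\\notes.txt"},
}
EDGES = [("p1", "spawns", "p2"), ("p2", "writes", "f1"),
         ("p3", "spawns", "p2"), ("p2", "writes", "f2")]
```

Calling `match_rule(RULE, ENTITIES, EDGES)` returns the single binding office=p1, child=p2, dropped=f1, which is the context a detection can report; removing the p2-writes-f1 relation yields no match.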