
Attack Organization Association And Judgment System Based On Multi-dimensional Analysis Of Threat Intelligence

Posted on: 2020-05-19; Degree: Master; Type: Thesis
Country: China; Candidate: L Y Jin; Full Text: PDF
GTID: 2428330575470841; Subject: Electronics and Communications Engineering
Abstract/Summary:
With the development of modern society, the age of information, networks and globalization has arrived, and cyberspace has expanded on a large scale into a new 'battlefield'. Cyberattacks and cybercrime are increasingly frequent. In particular, with its advanced exploitation methods, long lurking periods and high risk, APT is becoming the biggest threat to network security, and it often operates on an organizational scale. Under these circumstances, threat intelligence has emerged as an important force in dealing with APT and a cornerstone for building a new generation of security defense systems, which is of great significance for research on network defense. However, large-scale attacks keep emerging one after another, and the lack of efficient analysis methods means that little is known about attack organizations, so related research has not yet made an important breakthrough. At the same time, the dynamic, open and complex characteristics of cyberspace make threat intelligence multi-source, massive and heterogeneous, which makes threat information difficult to obtain, share and use. Therefore, in order to mine the deeper value of threat intelligence, strengthen research on attack organizations, understand the relationships between attack organizations, judge new attacks or organizations, and meet the business requirement of judging the homology and consistency of attack organizations, this paper mainly does the following work:

(1) In consideration of the difficulty of obtaining threat information, this paper analyzes multiple sources of threat intelligence in detail, selects multiple channels to acquire threat intelligence, and finally builds a threat intelligence database.

(2) Considering the low value density of threat intelligence, this paper analyzes several mature threat intelligence models and proposes a multi-dimensional threat intelligence model for attack organization association and judgment, based on an attack event analysis method. The multi-dimensional model extracts characteristic indicators in the dimensions of time, space and content. A complete multi-dimensional model of threat intelligence analysis is established.

(3) Considering the low utilization rate of threat intelligence, this paper proposes an attack organization association method based on similarity and an attack organization judgment method based on classification. According to the indicators of each dimension, an appropriate similarity algorithm is designed to realize attack organization association; attack events are used as training samples and attack organizations as classes, and LightGBM is used to implement the attack organization judgment model for judging attack organization consistency.

(4) In view of the demand from the market and users for research on and application of attack organizations, this paper designs and implements an attack organization association and judgment system based on the analysis of threat intelligence. The system includes five kinds of functions: information reading, query search, intelligence management, association analysis, and judgment. After system testing, the system can provide valuable hints and analysis for network security defense based on threat intelligence.
Keywords/Search Tags: Threat intelligence, Multi-dimensional model, Attack organization, Association, Judgment