
Research On Key Technologies Of Threat Intelligence Construction For The Internet Of Things

Posted on: 2022-01-31
Degree: Master
Type: Thesis
Country: China
Candidate: C J Wang
Full Text: PDF
GTID: 2518306527983099
Subject: Computer Science and Technology

Abstract/Summary:
With the continuing growth in the scale and range of applications of the Internet of Things, it has brought unprecedented network security threats and risks. In response, the academic community has proposed using threat intelligence to warn of and predict increasingly complex security problems. Threat intelligence, as a form of network-security big data, can effectively help defenders improve their protective capabilities, and how to construct it efficiently has therefore become a core issue. However, threat intelligence in the information-security field today generally suffers from high redundancy, narrow content and non-uniform standards, and it is difficult to share. This thesis therefore constructs threat intelligence by analysing and extracting from malicious code and from unstructured network threat intelligence. The main contributions are as follows:

(1) To address the high redundancy of intelligence generated from malware and the inability to generate it quickly, the thesis proposes a Real-Time Automatic Generation of Malware Threat Intelligence (RAGTI) method for malware families. RAGTI is built on an open-source malware analysis platform and the STIX 2.0 standard. First, the analysis platform is used to obtain the running traces of the malicious code, and features are analysed and extracted from those traces; these are then combined with the static features of the malware to compute a fuzzy hash of the combined feature set, which is used to cluster the malware with an improved CFSFDP (clustering by fast search and find of density peaks) algorithm; finally, threat intelligence conforming to STIX 2.0 is generated from the features shared by each malware family. Experiments show that the method groups malware belonging to the same family with a high degree of similarity, so that highly generalised, machine-readable and shareable threat intelligence can be generated in real time for a given malware family, which significantly increases the efficiency of threat intelligence generation.

(2) To address the problem that open-source intelligence cannot be used effectively, the thesis proposes a threat intelligence entity extraction algorithm for open-source intelligence (TIEE-OSI). TIEE-OSI first defines a set of named-entity types for the threat-intelligence domain, based on the characteristics of APT reports and on the STIX 2.0 standard, including software, malware, vulnerability, attack tool and attacker. The collected APT reports are manually labelled in BIO format, a dictionary is built from the labelled entities, and the dictionary is matched against the remaining unlabelled reports to expand the dataset. Because an end-to-end neural entity-extraction system, when applied to cyber threat intelligence, cannot accurately label the category and boundaries of threat-intelligence entities, the thesis proposes fusing word features, character features, entity-boundary features and the context features of entity words, and models the problem as a sequence-labelling task. Finally, a model framework combining a deep-learning model with an attention mechanism is designed to identify cyber threat intelligence entities more accurately while speeding up model training. Experimental results show that the method can effectively extract threat-intelligence entities from massive heterogeneous data and can be used for automated threat intelligence generation.
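The RAGTI pipeline in contribution (1), as an added example that is not the thesis's own code: density-peaks (CFSFDP) clustering over per-sample behaviour tokens, followed by one STIX 2.0 malware object per family with an indicator for the C2 domain every member contacted. The sample traces are constructed; Jaccard distance over behaviour tokens stands in for the thesis's fuzzy-hash similarity, and the rule that labels a point noise when no denser point lies within d_c is our own addition, not the "improved CFSFDP" of the thesis.

```python
"""Added example (not the thesis's code): CFSFDP-style density-peaks
clustering of sandbox behaviour traces, then a STIX 2.0 bundle per family.
Assumptions: samples are sets of behaviour tokens, Jaccard distance stands in
for fuzzy-hash similarity, and the noise rule (no denser point within d_c) is
ours rather than the thesis's improvement."""
import json
import math
import uuid
from datetime import datetime, timezone

# Constructed traces: API calls, a mutex name and a contacted domain per sample.
SAMPLES = {
    "A1": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
           "mutex:Global\\x1", "dns:c2-a.test"},
    "A2": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
           "mutex:Global\\x1", "dns:c2-a.test", "Sleep"},
    "A3": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
           "dns:c2-a.test", "GetTickCount"},
    "B1": {"RegSetValueExW", "CryptEncrypt", "DeleteFileW", "dns:c2-b.test"},
    "B2": {"RegSetValueExW", "CryptEncrypt", "DeleteFileW", "dns:c2-b.test",
           "FindFirstFileW"},
    "B3": {"RegSetValueExW", "CryptEncrypt", "FindFirstFileW", "dns:c2-b.test",
           "CreateMutexW"},
    "O1": {"Sleep", "GetTickCount", "MessageBoxW"},  # benign-looking outlier
}


def jaccard_distance(a, b):
    return 1.0 - len(a & b) / len(a | b)


def density_peaks(samples, d_c=0.5, rho_min=1.0):
    """CFSFDP: rho_i is a Gaussian-kernel local density, delta_i the distance
    to the nearest denser point. Centres have large rho and delta; every other
    point takes the label of its nearest denser point, walked in decreasing
    rho order. Points with no denser point within d_c are noise (None)."""
    names = list(samples)
    dist = {(i, j): jaccard_distance(samples[i], samples[j])
            for i in names for j in names}
    rho = {i: sum(math.exp(-(dist[i, j] / d_c) ** 2) for j in names if j != i)
           for i in names}
    order = sorted(names, key=lambda n: rho[n], reverse=True)
    delta = {order[0]: max(dist[order[0], j] for j in names)}
    parent = {order[0]: None}
    for k, i in enumerate(order[1:], 1):
        parent[i] = min(order[:k], key=lambda h: dist[i, h])
        delta[i] = dist[i, parent[i]]
    label = {}
    for i in order:
        if rho[i] >= rho_min and delta[i] >= d_c:
            label[i] = i                      # a new family centre
        elif delta[i] > d_c:
            label[i] = None                   # noise: isolated point
        else:
            label[i] = label[parent[i]]       # inherit from denser neighbour
    return label


def stix_bundle(samples, label):
    """One STIX 2.0 malware SDO per family; an indicator for each domain every
    member contacted, linked to the malware by an 'indicates' relationship."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    families = {}
    for name, fam in label.items():
        if fam is not None:
            families.setdefault(fam, []).append(name)
    objects = []
    for fam, members in sorted(families.items()):
        common = set.intersection(*(samples[m] for m in members))
        mal_id = f"malware--{uuid.uuid4()}"
        objects.append({
            "type": "malware", "id": mal_id, "created": now, "modified": now,
            "name": f"family-{fam}", "labels": ["trojan"],  # labels: required in 2.0
            "description": "members: " + ", ".join(sorted(members))
            + "; shared behaviour: " + ", ".join(sorted(common)),
        })
        for tok in sorted(t for t in common if t.startswith("dns:")):
            ind_id = f"indicator--{uuid.uuid4()}"
            objects.append({
                "type": "indicator", "id": ind_id, "created": now,
                "modified": now, "labels": ["malicious-activity"],
                "pattern": f"[domain-name:value = '{tok[4:]}']",
                "valid_from": now,
            })
            objects.append({
                "type": "relationship", "id": f"relationship--{uuid.uuid4()}",
                "created": now, "modified": now, "relationship_type": "indicates",
                "source_ref": ind_id, "target_ref": mal_id,
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objects}


if __name__ == "__main__":
    labels = density_peaks(SAMPLES)
    print(json.dumps(stix_bundle(SAMPLES, labels), indent=2))
```

With these traces the two injection-style samples and the two registry/crypto samples form two families, and the sample that shares only Sleep and GetTickCount with anything is left unassigned instead of being dragged into the nearest family; only tokens shared by every member reach the STIX objects, which is what keeps the generated intelligence generalised rather than a dump of one sample's trace.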
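The dataset-expansion step of contribution (2), as an added example that is not the thesis's own code: an entity dictionary is built from a few hand-labelled BIO sentences and matched (longest span first) against unlabelled report text. The sentences and entity types are constructed, and the regex rule for CVE identifiers goes beyond what the text describes: it labels identifiers the dictionary has never seen, which a pure dictionary match cannot.

```python
"""Added example (not the thesis's code): build an entity dictionary from
hand-labelled BIO sentences and use it to auto-label unlabelled APT-report
sentences. Sentences, entity types and the CVE regex are constructed
assumptions."""
import re

# Constructed hand-labelled sentences, one (token, BIO tag) pair per token.
LABELED = [
    [("The", "O"), ("group", "O"), ("APT28", "B-ATTACKER"), ("deployed", "O"),
     ("Zebrocy", "B-MALWARE"), ("via", "O"), ("CVE-2017-0199", "B-VULNERABILITY"),
     (".", "O")],
    [("Operators", "O"), ("used", "O"), ("Cobalt", "B-TOOL"), ("Strike", "I-TOOL"),
     ("for", "O"), ("lateral", "O"), ("movement", "O"), (".", "O")],
]

# Constructed unlabelled sentences, already tokenised on whitespace.
UNLABELED = [
    "Later samples of Zebrocy were dropped by Cobalt Strike beacons linked to APT28 .",
    "Cobalt Strike stagers exploiting CVE-2021-44228 were also seen .",
]

# Rules for entity types with a fixed identifier syntax; these generalise
# beyond the dictionary to identifiers absent from the labelled set.
PATTERNS = {"VULNERABILITY": re.compile(r"^CVE-\d{4}-\d{4,}$")}


def build_dictionary(labeled):
    """Map each labelled span (as a token tuple) to its entity type."""
    dictionary = {}
    for sent in labeled:
        span, etype = [], None
        for tok, tag in sent + [(None, "O")]:      # sentinel flushes last span
            if tag.startswith("I-") and span:
                span.append(tok)
                continue
            if span:
                dictionary[tuple(span)] = etype
            span, etype = ([tok], tag[2:]) if tag.startswith("B-") else ([], None)
    return dictionary


def bio_tag(tokens, dictionary):
    """Greedy longest match left to right; an unmatched token falls back to
    the regex rules, and everything else is O."""
    max_len = max(len(k) for k in dictionary)
    tags, i = [], 0
    while i < len(tokens):
        for n in range(min(max_len, len(tokens) - i), 0, -1):
            etype = dictionary.get(tuple(tokens[i:i + n]))
            if etype:
                tags += [f"B-{etype}"] + [f"I-{etype}"] * (n - 1)
                i += n
                break
        else:
            etype = next((t for t, rx in PATTERNS.items() if rx.match(tokens[i])), None)
            tags.append(f"B-{etype}" if etype else "O")
            i += 1
    return tags


def expand_dataset(labeled, unlabeled):
    """Return the hand-labelled sentences plus the auto-labelled ones."""
    dictionary = build_dictionary(labeled)
    auto = [list(zip(s.split(), bio_tag(s.split(), dictionary))) for s in unlabeled]
    return labeled + auto


if __name__ == "__main__":
    for sent in expand_dataset(LABELED, UNLABELED):
        print(" ".join(f"{tok}/{tag}" for tok, tag in sent))
```

Matching the longest span first is what keeps multi-token names such as "Cobalt Strike" as one B-/I- entity rather than two separate hits, which is exactly the boundary problem the thesis says a plain end-to-end tagger gets wrong. Labels produced this way are silver data: a name in the dictionary is tagged wherever it appears, including in ordinary-word uses, so the expanded set should be spot-checked before it is used to train the sequence-labelling model.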
Keywords: Threat Intelligence, Malware, Threat Intelligence Generation, Natural Language Processing, Internet of Things