
A Threat Correlation System Base On Semantic Web

Posted on: 2021-06-12
Degree: Master
Type: Thesis
Country: China
Candidate: M C Wang
Full Text: PDF
GTID: 2518306557992519
Subject: Computer technology

Abstract/Summary:
With the growth of Internet and computer network use, cyber security threats have become more frequent. Cyber security has become a global issue from the perspectives of the economy, information security and national security. The severe network security situation has prompted researchers and network security companies to develop a large number of software products and solutions. However, as network attack methods and technology develop, emerging network attacks easily bypass traditional defense measures. These defense systems work independently of each other and, while generating a large number of log alerts, do not effectively refine threat intelligence. To make full use of threat intelligence, it must be correlated so that its hidden characteristics can be discovered.

This thesis designs and implements a threat association system based on the semantic Web. The system introduces the graph database Neo4j as the storage engine and uses a threat association model designed on the basis of the semantic Web to constrain the uniqueness, structure and relevance of each data item. The system consists of three modules: data import, data query and association calculation.

In the data import module, this thesis implements the graph database storage framework designed according to the threat association model and completes the import of four categories of threat intelligence: access behavior information, domain name information, malicious code intelligence and threat intelligence reports. For access behavior information, the implicit feature information is extracted by means of scene reproduction and a detection system. The import itself is implemented by constructing Cypher statements according to the semantic-Web-based threat association model.

In the data query module, this thesis implements the encapsulation of two query functions, the associated query and the sequential query. The associated query spans multiple nodes; the sequential query takes four node types, threat actor, domain name, IP address and attack activity, as entry points and provides query and visual display of attack sequence information, source IP address distribution, attack method distribution and attacked industry distribution, helping network security analysts study the temporal and statistical characteristics of network attacks. Based on the query information entered by users, the thesis generates custom Cypher query statements to retrieve the data, and presents time-series results in chart form.

In the correlation computing module, this thesis realizes two functions: similarity calculation of attack activities and threat actor profiling. The similarity calculation compares two attacks: the Jaccard coefficient and the cosine coefficient are used to calculate the similarity of attack activities, and the intermediate results are weighted by the analytic hierarchy process (AHP). For the threat actor profile, the thesis generates Cypher statements to perform multi-level correlation queries over the data and then filters the query results to produce a profile of the threat actor's characteristics.
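As an added illustration, not code from the thesis, the attack-activity similarity described above: Jaccard for set-valued features, cosine for attack-method frequencies, and AHP-derived weights with a consistency check on the pairwise judgements. The feature names, the pairwise matrix and the two sample activities are assumptions constructed for this example.

```python
import math
from collections import Counter

# Assumed features of an attack activity, in the order of the AHP matrix rows.
CRITERIA = ("domains", "ips", "methods", "industries")
SAATY_RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

def jaccard(a, b):
    """|A ∩ B| / |A ∪ B| over set-valued features (0.0 if both are empty)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def cosine(a, b):
    """Cosine between the term-frequency vectors of two multisets."""
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[k] * cb[k] for k in ca.keys() & cb.keys())
    norm = math.sqrt(sum(v * v for v in ca.values())) * math.sqrt(sum(v * v for v in cb.values()))
    return dot / norm if norm else 0.0

def ahp_weights(pairwise):
    """Priority weights from an AHP pairwise-comparison matrix (geometric-mean
    estimate of the principal eigenvector) and the consistency ratio; judgements
    with CR >= 0.1 are normally rejected before the weights are used."""
    n = len(pairwise)
    gm = [math.prod(row) ** (1 / n) for row in pairwise]
    w = [g / sum(gm) for g in gm]
    lam = sum(sum(r[j] * w[j] for j in range(n)) / w[i] for i, r in enumerate(pairwise)) / n
    cr = (lam - n) / (n - 1) / SAATY_RI[n] if n > 2 else 0.0
    return w, cr

def activity_similarity(x, y, weights):
    """Jaccard for set features, cosine for the attack-method frequency vector,
    then the AHP-weighted sum as the final similarity score in [0, 1]."""
    parts = {c: (cosine if c == "methods" else jaccard)(x[c], y[c]) for c in CRITERIA}
    return sum(w * parts[c] for w, c in zip(weights, CRITERIA)), parts

# Constructed judgements: methods dominate, then IPs; domains and industries tie.
PAIRWISE = [[1, 1/2, 1/4, 1], [2, 1, 1/2, 2], [4, 2, 1, 4], [1, 1/2, 1/4, 1]]
# Constructed sample activities using documentation IP ranges and .example names.
ACT_A = {"domains": {"a1.example", "a2.example"}, "ips": {"192.0.2.10", "192.0.2.11"},
         "methods": ["phishing", "phishing", "webshell"], "industries": {"finance"}}
ACT_B = {"domains": {"a2.example", "b9.example"}, "ips": {"192.0.2.11", "198.51.100.7"},
         "methods": ["phishing", "webshell", "webshell", "sqli"], "industries": {"finance", "energy"}}

if __name__ == "__main__":
    w, cr = ahp_weights(PAIRWISE)
    score, parts = activity_similarity(ACT_A, ACT_B, w)
    print(f"weights={[round(v, 3) for v in w]} CR={cr:.3f} similarity={score:.4f} {parts}")
```

With the matrix above the judgements are perfectly consistent (CR is 0), so the weights come out as 0.125, 0.25, 0.5 and 0.125; a real analyst's matrix will usually carry some inconsistency, which is why the CR is returned alongside the weights.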
Keywords/Search Tags:Threat Correlation, Semantic Web, Threat Actor Profile