Research On Construction Of Knowledge Graph For Cyber Threat Intelligence

Posted on: 2024-06-28
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Cheng
Full Text: PDF
GTID: 2558307052495874
Subject: Electronic information

Abstract/Summary:
With the rapid development of the Internet, various forms of cyber attacks have emerged. To secure cyberspace, firewalls, intrusion detection systems and other protection platforms are currently the common means of defense. However, these traditional defenses cannot cope with advanced persistent threat attacks and zero-day attacks, which are creative forms of cyber attack that are more harmful than ordinary cyber attacks, as well as more insidious and continuous. Cyber threat intelligence is a valuable source of information on cyber attack behavior, containing indicators of compromise and tactics, techniques and procedures. Making full use of cyber threat intelligence and mining higher-level information from it is of great significance for cyber security defense, as well as for building an active cyber security defense system.

To extract intelligence information from unstructured cyber threat intelligence, existing studies extract cyber threat indicators by regular expression matching and by constructing a thesaurus, but the types of entities that can be extracted by this method are extremely limited. Other studies use natural language processing methods for entity extraction, but they lack systematic research, do not integrate entity information through inter-entity relationships, and cannot extract higher-level cyber threat intelligence information. A knowledge graph is a technique for modeling the objective world using a graph structure in the context of big data, and it can effectively describe entities, inter-entity relationships and attributes. Knowledge graph construction technologies can effectively mine the high-level intelligence information in cyber threat intelligence, which precisely fits the needs of cyber threat intelligence information extraction. Therefore, this thesis focuses on knowledge graph construction for cyber threat intelligence, and uses knowledge graph construction technology to extract the advanced intelligence information contained in cyber threat intelligence.

The research in this thesis focuses on the key technologies of graph construction in the field of cyber threat intelligence, in particular the entity extraction and relationship classification technologies for graph construction, which are described as follows:

1. For cyber threat intelligence entity extraction, a data augmentation-based entity extraction approach is proposed. Entity extraction is modeled as a named entity recognition task, an entity extraction dataset in the cyber threat intelligence domain is constructed, the effects of different named entity recognition models on the domain dataset are compared, and the BERT-BiLSTM-ATTN-CRF model is applied to entity extraction in the cyber threat intelligence domain. To address the need of deep learning models for a large number of training samples, this thesis proposes a data augmentation method applicable to the field of cyber threat intelligence. The F1 value of the entity extraction model using the data augmentation method is 91.86% at the highest, which is 1.09% higher than the F1 value without data augmentation.

2. For the relationship classification of cyber threat intelligence, an entity relationship classification method for cyber threat intelligence is proposed. A relationship classification dataset for the cyber threat intelligence domain is constructed, and the relationship classification capability of different relationship classification models on the domain dataset is systematically explored. The RIFRE model is applied to relationship classification in the cyber threat intelligence domain, and the proposed data augmentation method is used to improve the model. The highest F1 value of the entity relationship classification model in this thesis is 86.93%, which is 0.91% higher than the F1 value without data augmentation.

3. A knowledge graph construction and dynamic attack organization portraits system for cyber threat intelligence is designed and implemented. Using the proposed entity extraction method and entity relationship classification method, the relationship triples are extracted. The data collection and processing module, the knowledge graph construction module and the dynamic attack organization portraits module are designed and implemented, and the cyber threat intelligence knowledge graph is then creatively applied to the analysis of attack organizations.
Keywords/Search Tags: Cyber Threat Intelligence, Knowledge graph, Data Augmentation, Entity extraction, Relationship classification