引用本文: |
-
马春燕,杜翔宇,江钧,王旭仁,姜政伟,刘宝旭,封化民,张哲宇,王诗蕊.网络空间威胁情报处理技术综述[J].信息安全学报,已采用 [点击复制]
- MA Chunyan,DU Xiangyu,JIANG Jun,WANG Xuren,JIANG Zhengwei,LIU Baoxu,FENG Huamin,ZHANG Zheyu,WANG Shirui.Processing Technology for Cyber Threat Intelligence: A Survey[J].Journal of Cyber Security,Accept [点击复制]
|
|
|
|
本文已被:浏览 4383次 下载 220次 |
|
网络空间威胁情报处理技术综述 |
马春燕1,2, 杜翔宇1,2, 江钧1, 王旭仁3, 姜政伟1,2, 刘宝旭1,2, 封化民4, 张哲宇5, 王诗蕊5
|
|
(1.中国科学院信息工程研究所;2.中国科学院大学网络空间安全学院;3.首都师范大学信息工程学院;4.北京电子科技学院;5.国家工业信息安全发展研究中心) |
|
摘要: |
近年来,随着网络空间攻防对抗技术的不断发展,网络空间的国家级对抗锋芒毕露,高级可持续性威胁(Advanced Persistent Threat, APT)已经成为网络空间国家间对抗的重要手段。对于攻击者而言,其攻击方式更具多样性和复杂化。多样化的攻击切入点、高水平的入侵方式、系统化的工具使网络攻击成本降低,对于防御者而言,其检测和防御网络攻击的难度也逐渐增大。传统的安全防御大多依靠入侵检测系统、入侵防御系统等安全设备进行防御,这种静态防御方式难以有效应对新型的攻击。在这一严峻的形式下,传统的安全解决方案受到严峻的挑战,而网络空间威胁情报处理技术的出现为提升整个网络空间的防御水平带来了新的可能。目前,网络空间威胁情报已经成为产业界和学术界研究的热点问题,并持续引起关注,且广泛应用在威胁检测发现、攻击溯源归因和威胁预测预警等场景中。网络空间威胁情报对整个网络安全防御体系的作用日益明显,高效的威胁情报处理技术对发挥威胁情报的价值具有重要的意义。因此,本文首先阐述了常用的威胁情报定义和三类代表性的威胁情报及其内容,同时归纳了威胁情报的国内外发展与研究现状,然后围绕网络空间威胁情报生命周期对其关键处理技术进行了总结和讨论,包括威胁情报采集与融合、威胁情报分析与挖掘、威胁情报共享与交换、威胁情报应用与服务,通过分析了现有方法的优缺点和不足,并提出了可能的解决方案,最后,针对威胁情报本地化生产、隐蔽威胁情报挖掘、建立高效的情报共享机制、扩展威胁情报应用场景这四个具有挑战性的研究方向进行了展望。 |
关键词: 网络空间安全 网络空间威胁情报 情报挖掘 情报评估 情报应用 |
DOI:10.19363/J.cnki.cn10-1380/tn.2024.02.08 |
投稿时间:2022-01-08修订日期:2022-02-25 |
基金项目:国家科技攻关计划 |
|
Processing Technology for Cyber Threat Intelligence: A Survey |
MA Chunyan1,2, DU Xiangyu1,2, JIANG Jun1, WANG Xuren3, JIANG Zhengwei1,2, LIU Baoxu1,2, FENG Huamin4, ZHANG Zheyu5, WANG Shirui5
|
(1.Institute of Information Engineering, Chinese Academy of Sciences;2.School of Cyber Security, University of Chinese Academy of Sciences;3.Information Engineering College, Capital Normal University;4.Beijing Electronic Science & Technology Institute;5.China Industrial Control Systems Cyber Emergency Response Team) |
Abstract: |
With the continuous development of attack and defense countermeasure technology in cyberspace, the national confrontation in cyberspace has been exposed. Advanced Persistent Threat (APT) has become a crucial way of con-frontation among countries in cyberspace. Attack methods are more diverse and complicated for attackers. Diversi-fied attack entry points, high-level intrusion methods, systematic tools reduce the cost of cyber attacks. It is in-creasingly difficult for defenders to detect and defend against cyber attacks. Traditional security defense mostly relies on security devices such as intrusion detection system and intrusion prevention system. This static defense way cannot effectively deal with new attacks. Under this circumstance, the traditional security solutions are facing severe challenges. However, the emergence of cyber threat intelligence processing technology has brought new possibilities for improving the defense level for the entire cyberspace. At present, cyberspace threat intelligence has become a hot issue in the industry and academia, and continues to attract attention, and is widely used in many scenarios such as threat detection and discovery, attack attribution, threat prediction. Cyber threat intelligence plays an increasingly important role in the entire cyber security defense system. The efficient threat intelligence processing technology is of great significance to the value of threat intelligence. Therefore, this paper firstly briefly describes the definitions of threat intelligence commonly used, three kinds of representative threat intelligence and their contents, and reviews the development and research status of threat intelligence at home and abroad. Then we discusses and summarizes the key technologies of threat intelligence processing around the life cycle of cyber threat intelligence, including threat intelligence collection and fusion, threat intelligence analysis and mining, threat intelligence sharing and exchange, and threat intelligence application and service. By analyzing the advantages and shortcomings of existing solutions, we propose some possible solutions. Finally, the four challenging research di-rections, producing localized threat intelligence, mining hidden threat intelligence, establishing efficient intelli-gence sharing mechanism, extending threat intelligence application scenarios, are prospected. |
Key words: Cyber security Cyber threat intelligence intelligence mining intelligence evaluation intelligence application |
|
|
|
|
|