Abstract:

Threat intelligence is described in a variety of ways in the field of cyber security, there is an urgent need for a standard for the format description of threat intelligence, which can transform unformatted intelligence information into formatted data to provide support for the visual knowledge graph of intelligence. According to the description specification of STIX 2.0, many ontology elements adapted to network security threat information are extracted, a threat intelligence ontology model that can be shared, reused and extended is constructed, and the domain ontology, application ontology and atomic ontology are classified in detail. Finally, the model is applied in the Poisonivy attack event, and 61 entities and 102 relationships in the Poisonivy research report are extracted, and the extracted formatted data is imported into Gephi for visual expression. Through the construction of the threat intelligence ontology model, the transformation of intelligence information from unstructured to structured is completed, and the unified grammar is used for description. Finally, the important elements in the intelligence are expressed in the way of knowledge graph, and the network security event can be quickly located. The core elements and relationships between them provide an important basis for network security analysts and decision makers.

Key words: threat intelligence, ontology, cyber attacks, knowledge graph

摘要：

网络安全领域中威胁情报的描述方式多种多样，迫切需要一种对威胁情报格式化描述的标准，将非格式化情报信息，转化为格式化数据，为情报的可视化知识图谱提供支撑。针对STIX 2.0的描述规范，提取了适应于网络安全威胁情报中的本体元素，构建了一个可共享、重用、扩展的威胁情报本体模型，并对领域本体、应用本体和原子本体进行了详细分类。将该模型应用在Poisonivy攻击事件中，提取了Poisonivy研究报告中的61个实体，102个关系，并将抽取的格式化数据导入Gephi进行可视化表达。通过对威胁情报本体模型的构建，完成了情报信息从非结构化到结构化的转换，并使用统一的语法进行描述，最终以知识图谱的方式来表达情报中重要元素，可以快速定位网络安全事件中的核心元素及之间关系，为网络安全分析者和决策者，提供重要依据。

关键词: 威胁情报, 本体, 网络攻击, 知识图谱