
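Research on the classification of cyber threat intelligence techniques and tactics based on attention mechanism and feature fusion
Cite this article: YU Zhong-Kun, WANG Jun-Feng, TANG Bin-Hui, GE Wen-Han. Research on the classification of cyber threat intelligence techniques and tactics based on attention mechanism and feature fusion [J]. Journal of Sichuan University (Natural Science Edition), 2022, 59(5): 053003.
Authors: YU Zhong-Kun, WANG Jun-Feng, TANG Bin-Hui, GE Wen-Han
Affiliations: College of Computer Science, Sichuan University; College of Computer Science, Sichuan University; School of Cyber Science and Engineering, Sichuan University; College of Computer Science, Sichuan University
Funding: National Key Research and Development Program of China (2018YFB0804503, 2019QY1400); National Natural Science Foundation of China (U20A20161, U1836103); Basic Strengthening Program (2019-JCJQ-ZD-113)
Abstract: Among the information contained in threat intelligence, the tactics, techniques, and procedures (TTPs) associated with cyber attacks are the key information that best characterizes an organization's behavior. However, TTP information is highly abstract and usually appears in cyber threat intelligence texts with irregular grammatical structure. As a result, traditional manual analysis and machine learning methods based on feature engineering struggle to classify TTPs from such texts quickly and effectively. A single deep learning feature extractor, in turn, cannot extract both the complete neighborhood features and the sequence features of the text semantics, which leads to low accuracy in tactic and technique classification. To address these problems, this paper proposes ACRCNN, a deep learning model based on an attention mechanism and feature fusion, for classifying the tactics and techniques in cyber threat intelligence. The model uses convolutional and recurrent neural networks to extract neighborhood and sequence information from cyber threat intelligence text simultaneously, then applies convolutional and pooling layers for deeper feature extraction and dimensionality reduction, completing the feature fusion. An attention layer then weights the features, and a fully connected layer finally performs the tactic and technique classification. Experimental results show that ACRCNN performs well on the tactic and technique classification tasks, reaching F1 scores of 91.91% and 83.86%, improvements of 2.46% and 4.94%, respectively, over existing models.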

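Keywords: cyber threat intelligence; tactics and techniques classification; deep learning; multi-label classification; attention mechanism; feature fusion
Received: 2022/1/15 0:00:00
Revised: 2022/2/11 0:00:00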

Research on the classification of cyber threat intelligence techniques and tactics based on attention mechanism and feature fusion
YU Zhong-Kun, WANG Jun-Feng, TANG Bin-Hui and GE Wen-Han. Research on the classification of cyber threat intelligence techniques and tactics based on attention mechanism and feature fusion [J]. Journal of Sichuan University (Natural Science Edition), 2022, 59(5): 053003.
Authors: YU Zhong-Kun, WANG Jun-Feng, TANG Bin-Hui and GE Wen-Han
Institution: College of Computer Science, Sichuan University; College of Computer Science, Sichuan University; School of Cyber Science and Engineering, Sichuan University; College of Computer Science, Sichuan University
Abstract: Among the information contained in cyber threat intelligence, the tactics, techniques, and procedures (TTPs) associated with cyber attacks are the key information that best portrays organisational behaviour. However, TTP information has a high level of abstraction and is often found in cyber threat intelligence texts with irregular grammatical structures. This makes it difficult for traditional manual analysis methods and feature engineering-based machine learning methods to classify TTPs from such texts quickly and effectively. A single deep learning feature extractor, for its part, gives low accuracy in tactic and technique classification because it cannot extract both the complete neighbourhood features and the sequence features in the text semantics. To address these problems, this paper proposes a deep learning model based on attention mechanism and feature fusion, ACRCNN, for the classification of tactics and techniques in cyber threat intelligence. The model extracts the neighbourhood and sequence information in the cyber threat intelligence text with convolutional and recurrent neural networks simultaneously, and then performs deep feature extraction and dimensionality reduction with convolutional and pooling layers to complete feature fusion. Feature weighting is then performed by the attention layer, and finally the classification of tactics and techniques is performed by the fully connected layer. The experimental results show that ACRCNN performs well in the tactic and technique classification tasks, achieving 91.91% and 83.86% on the F1 metric, an improvement of 2.46% and 4.94%, respectively, compared with existing models.