
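Threat intelligence technology in network security situation awareness
Cite this article: YIN Yan, ZHANG Hongbin, LIU Bin, ZHAO Dongmei. Threat intelligence technology in network security situation awareness[J]. Journal of Hebei University of Science and Technology, 2021, 42(2): 195-204
Authors: YIN Yan  ZHANG Hongbin  LIU Bin  ZHAO Dongmei
Affiliations: School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018; School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018; Hebei Key Laboratory of Network and Information Security, Hebei Normal University, Shijiazhuang, Hebei 050024; School of Economics and Management, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018; Research Center of Big Data and Social Computing, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018; Hebei Key Laboratory of Network and Information Security, Hebei Normal University, Shijiazhuang, Hebei 050024
Funding: National Natural Science Foundation of China (61672206, 61572170); Hebei Provincial Science and Technology Program (18210109D, 20310701D, 20310802D); Hebei Province High-level Talent Funding Project (A2016002015); Shijiazhuang Science and Technology Research and Development Program (19SCX01006, 191130591A)
Abstract: In 2016, General Secretary Xi Jinping gave an important instruction at the national symposium on cybersecurity and informatization: strengthen big data mining and analysis, better perceive the network security situation, and do a good job of risk prevention. To meet the severe challenges facing network security, many large industries and enterprises have responded to the call of national policy by actively advocating, building and applying situation awareness systems. Network security situation awareness is an effective means of ensuring network security, and using situation awareness to discover potential threats and respond to them has become a research focus in network security...

Keywords: network security  situation awareness  threat intelligence  STIX  network attack and defense
Received: 2021-01-05
Revised: 2021-02-25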

Threat intelligence technology in network security situation awareness
YIN Yan,ZHANG Hongbin,LIU Bin,ZHAO Dongmei. Threat intelligence technology in network security situation awareness[J]. Journal of Hebei University of Science and Technology, 2021, 42(2): 195-204
Authors:YIN Yan  ZHANG Hongbin  LIU Bin  ZHAO Dongmei
Abstract: General Secretary XI Jinping gave instructions at the symposium on cybersecurity and informatization in 2016: strengthen the mining and analysis of big data, improve situation awareness and prevent risks in cybersecurity. In response to the call of national policies, many large industries and enterprises have actively advocated, built and applied situation awareness systems to deal with the severe challenges faced by network security. Network security situation awareness is an effective means of ensuring network security, and using situation awareness to discover potential threats and respond to them has become a focus of network security research. At present, most of the proposed network security situation awareness technologies and methods are based on small-scale networks. With the continuous expansion of network scale and the appearance of new advanced attack technologies such as APT, the accuracy and maneuverability of current situation awareness technology have been greatly reduced. In recent years, the emergence of threat intelligence has brought new ideas to situation awareness research and has become a new direction in the field. This paper mainly summarizes traditional situation awareness research and the application of threat intelligence in network security situation awareness. Traditional situation awareness research is generally divided into three parts, namely situation perception, situation comprehension and situation projection. The process of network security situation awareness is to collect the security elements of the target system and analyze the impact of security incidents. Finally, network security situation awareness makes it possible to recognize the behavior of various activities, detect attacks, and evaluate and predict the network situation, so as to provide correct decisions for the network security response. The application of threat intelligence in network security situation awareness is discussed in three scenarios: 1) Situation perception: threat intelligence is used to identify attack behaviors, extract the relevant attack characteristics and determine attack intentions, methods and impact; 2) Situation comprehension: after the attack behavior and its characteristics have been determined, the attack behavior is understood and the attacker's attack strategy is determined by sharing the disposition of the attack behavior in the threat intelligence; 3) Situation projection: by analyzing threat intelligence information such as attack events, attack techniques and vulnerabilities, the risk faced by the current system is evaluated and possible attacks are predicted. Threat intelligence is usually obtained through big data, distributed systems or other methods, and it has a strong ability to update autonomously. Threat intelligence can provide the most complete and latest security event data, which greatly improves the ability of network security situation awareness to detect new and advanced dangers. By using the sharing mechanism in threat intelligence, security staff can understand the threat environment of their organization, such as the attackers, the tactics and techniques they use, and defense strategies, which can help enterprises understand the security threats they are facing or will face in the future. Threat intelligence can improve the accuracy and efficiency of situation awareness analysis, as well as the ability to respond to security incidents.
Keywords:network security   situation awareness   threat intelligence   STIX   network attack and defense
This article has been indexed by Wanfang Data and other databases.