CN113765847A - Information system APT attack resistance evaluation method based on threat information - Google Patents


Info

Publication number
CN113765847A
Authority
CN
China
Prior art keywords
threat
threat intelligence
evaluation
toe
apt attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010488042.XA
Other languages
Chinese (zh)
Inventor
胡陈勇
黄鹂
梅瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhongke Zhuoxin Software Evaluation Technology Center
Original Assignee
Beijing Zhongke Zhuoxin Software Evaluation Technology Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-06-02
Filing date
2020-06-02
Publication date
2021-12-07
Application filed by Beijing Zhongke Zhuoxin Software Evaluation Technology Center
Priority to CN202010488042.XA
Publication of CN113765847A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for evaluating the APT attack resistance of an information system based on threat intelligence. The method comprises the following steps: 1. constructing a threat intelligence knowledge graph based on a network security threat intelligence ontology; 2. modeling with the analytic hierarchy process according to the evaluation target of the TOE in the evaluation plan, and selecting an evaluation scheme; 3. selecting the corresponding threat entity nodes in the threat intelligence knowledge graph and the paths from those nodes to the APT attack organization nodes, to generate a threat intelligence subgraph for evaluating the TOE; 4. generating new, similar threat intelligence for the data of each node of the subgraph with a generation algorithm, to produce a test case set; 5. executing the test case set against the TOE, recording the test results, and finally quantitatively calculating and evaluating the anti-APT attack capability of the TOE. Through these steps, the invention addresses the problems that existing evaluation methods cannot effectively test unknown threats and cannot quantitatively analyze and evaluate the APT attack resistance of the TOE.

Description

Information system APT attack resistance evaluation method based on threat information
I. Technical field
The invention belongs to the technical field of network security, and in particular relates to a method for evaluating the APT attack resistance capability of an information system based on threat intelligence.
II. Background art
With the rapid change, accelerated penetration and deep application of network and information technology, social production and ways of life have been profoundly changed: 1) society now generally operates in a networked manner, and network technology has a profound influence on the development of international politics, economics, culture, military affairs and other fields; 2) the borderless nature of networks lets information flow across national boundaries, so that information resources increasingly become important factors of production and social wealth, and the amount of information an actor controls becomes an important marker of national soft power and competitiveness; 3) to secure competitive advantage and national interest, governments and large organizations are going to great lengths to collect intelligence over the Internet. In this context, entirely new cyberspace security threats have emerged, and Advanced Persistent Threat (APT) attacks are among the most dangerous types of cyber attack.
Because an APT attack is a network attack with a definite purpose and specific targets, usually employing complex and precise malicious software and techniques, exploiting vulnerabilities in the system, continuously monitoring the target and stealing sensitive data, evaluating the APT attack resistance of an information system has become an important aspect of network security evaluation and risk assessment. By evaluating the ability of the Target of Evaluation (TOE) to resist APT attacks, the owner of the TOE can understand the current risk level of the TOE and implement appropriate controls to meet its security requirements on a cost-effective basis.
Currently, the methods generally used to evaluate the APT attack resistance of an information system are as follows:
1. Extracting Indicators of Compromise (IOCs) from threat intelligence to construct test cases for a replay test
This method extracts IOC information about APT attack activity from structured or unstructured threat intelligence data, uses it as the key features representing APT attack behavior, replays the extracted IOCs against the TOE, and evaluates the APT attack resistance of the TOE by judging whether the security controls of the TOE are effective.
Although this method can turn the feature information of APT attack activity into test cases, the extracted attack features are limited to those of known attack activity, unknown APT attack activity cannot be considered, and the APT attack resistance of the TOE cannot be quantitatively evaluated.
2. Constructing test cases from expert knowledge to perform security tests
This method relies on the long-term monitoring of APT attack organizations by network security analysts or threat intelligence big-data engineers, who summarize the activity characteristics of the APT attack organization, generate a test case set manually or semi-automatically, send the test case set to the TOE, and evaluate the anti-attack capability of the TOE.
Because the method is based on expert knowledge, new attack patterns can be constructed and added to the test cases, but the method depends excessively on the quality of the expert knowledge, the test results cannot be measured, and the generation strategy of the test case set cannot be adjusted adaptively and automatically.
In summary, the main defects of the current methods for evaluating the APT attack resistance capability of an information system are as follows: with method 1, it is impossible to evaluate whether the security controls of the TOE are effective against unknown threats; with method 2, the ability of the TOE to resist APT attacks cannot be quantitatively analyzed and evaluated, and no acceptable confidence level can be provided for the evaluation result.
III. Summary of the invention
1. Objects of the invention
To address the problems of the existing methods, the invention aims to provide a method for evaluating the APT attack resistance capability of an information system which, based on threat intelligence big data, generates an evaluation model through the analytic hierarchy process, extracts and predicts the characteristics representing APT attack activity, constructs a test case set, quantitatively calculates the test result, and thereby achieves accurate and efficient evaluation of the APT attack resistance capability of the information system.
2. Technical scheme
A method for evaluating the APT attack resistance of an information system based on threat intelligence comprises the following steps:
step 101: collecting information associated with APT attack activity from multi-source threat intelligence, based on an open-source or commercial network security threat intelligence ontology, and constructing a threat intelligence knowledge graph;
step 102: modeling with the Analytic Hierarchy Process (AHP) according to the evaluation target of the TOE in the evaluation plan, and selecting an evaluation scheme;
step 103: using the evaluation scheme generated in step 102, selecting the corresponding entity nodes in the threat intelligence knowledge graph of step 101 and the paths from those entity nodes to the APT attack organization entity nodes, to generate a threat intelligence subgraph for evaluating the TOE;
step 104: generating new, similar threat intelligence for the data of each node of the threat intelligence subgraph of step 103 with a generation algorithm, and adding the new threat intelligence to the test case set;
step 105: testing the TOE with the test case set generated in step 104, recording the test results, and quantitatively calculating the anti-APT attack capability of the TOE in combination with the evaluation model of step 102.
The network security threat intelligence ontology in step 101 refers to a standard or best practice commonly used in the industry which specifies the organizational form, data types, entity objects, relationships between entities, and the exchange and sharing specifications of network security threat intelligence.
The "multi-source threat intelligence" in step 101 refers to reports on APT attack organization activity provided by network security vendors, open-source security communities, commercial paid security big-data suppliers and the like, which comprise structured data conforming to industry standards and unstructured text data.
The method of constructing the threat intelligence knowledge graph in step 101 comprises: (1) for structured threat intelligence data, establishing a conversion scheme and mapping the data to the corresponding entities and relationships in the knowledge ontology; (2) for unstructured data, using Natural Language Processing (NLP) to extract key semantic information and mapping it to the corresponding entities and relationships in the ontology.
The "analytic hierarchy process" in step 102 refers to a systematic method that takes the evaluation scheme for the APT attack resistance capability of the information system as the decision target, decomposes the target into several sub-targets or criteria and further into several levels of multiple indices (or criteria, constraints), where each level defines test items of different granularity that meet the TOE evaluation requirements, and finally calculates the single-level ranking (weights) and the total ranking by a fuzzy quantization method for qualitative indices, which serves as the multi-scheme optimization decision for selecting the test items with which to evaluate the TOE.
The "selecting an evaluation scheme" in step 102 is performed as follows: (1) construct a three-layer evaluation scheme model according to the AHP method, where the target layer is the TOE evaluation target based on the organization's security policy, the criterion layer is an information system evaluation criterion based on standards and best practice, such as the CC (Common Criteria) standard, and the scheme layer consists of the threat entities of the threat intelligence knowledge ontology in step 101; (2) construct a judgment matrix to determine the weight of each factor of the scheme layer, select the threat entities of the scheme layer whose weight exceeds a preset threshold, and add them to the evaluation scheme used for generating the test case set.
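As an added worked example (not code from the patent or its assignee), the following Python computes the scheme-layer weights of step 102(2) from a pairwise judgment matrix, checks the matrix for consistency, and applies the threshold selection. The entity names, the matrix entries, the 0.15 threshold and the use of the row geometric-mean approximation to the principal eigenvector are all assumptions of this example; the patent does not specify them.

```python
"""AHP weighting and threshold selection for the scheme layer (step 102).

Added example, not the patent's own code. Every value below is constructed
for illustration: entity names, judgment matrix, threshold.
"""
import math

# Constructed scheme-layer factors (threat entity types from the ontology).
ENTITIES = ["malware", "attack-infrastructure", "phishing-email", "attack-pattern"]

# Constructed pairwise judgment matrix on Saaty's 1-9 scale: entry [i][j]
# states how much more important entity i is than entity j for the target.
JUDGMENT = [
    [1,     3,     5,     3],
    [1 / 3, 1,     3,     1],
    [1 / 5, 1 / 3, 1,     1 / 3],
    [1 / 3, 1,     3,     1],
]

# Saaty's random consistency index for matrices of order 1..9.
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Assumed threshold: only entities with weight above it enter the scheme.
THRESHOLD = 0.15


def ahp_weights(matrix):
    """Priority vector by the row geometric-mean method, normalised to sum 1."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix, weights):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.1 is acceptable."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RI[n] if RI[n] else 0.0


def select_scheme(entities, matrix, threshold):
    """Return (weights_by_entity, selected_entities) as in step 102(2).

    An inconsistent judgment matrix is rejected instead of being used,
    because its weights would distort the final score of step 105.
    """
    w = ahp_weights(matrix)
    cr = consistency_ratio(matrix, w)
    if cr >= 0.1:
        raise ValueError(f"judgment matrix inconsistent (CR={cr:.3f}); revise comparisons")
    weights = dict(zip(entities, w))
    selected = [e for e, wt in weights.items() if wt > threshold]
    return weights, selected


if __name__ == "__main__":
    weights, selected = select_scheme(ENTITIES, JUDGMENT, THRESHOLD)
    for entity, wt in weights.items():
        print(f"{entity:22s} {wt:.4f}")
    print("selected for the evaluation scheme:", selected)
```

With the constructed matrix the weights come out at roughly 0.52, 0.20, 0.08 and 0.20, so "phishing-email" falls below the 0.15 threshold and is left out of the scheme; the consistency ratio is about 0.02, well under the usual 0.1 limit.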
The "selecting the corresponding entity nodes in the threat intelligence knowledge graph" in step 103 refers to mapping the threat entities of the evaluation scheme from step 102 to nodes of the threat intelligence knowledge graph of step 101; the node types include concrete information such as malicious software and attack infrastructure, and also abstract semantic information such as the motivation, intention and purpose of the APT attack activity.
The "paths from an entity node to an APT attack organization entity node" in step 103 refers to finding one or more paths in the threat intelligence knowledge graph whose starting points are the node set selected in step 103 and whose end points are the node set representing entities such as the identity, attack patterns and threat actors of the APT attack organization.
The "generation algorithm" in step 104 is performed as follows: (1) for structured threat intelligence data, an algorithm appropriate to the data type is applied to predict further characteristics of the APT attack activity, and the new characteristics are used as test cases; (2) for unstructured threat intelligence data, an NLP text generation algorithm is used to generate similar texts, and the new texts are used as test cases or as parts of test cases.
The "quantitative calculation of the ability of the TOE to resist APT attacks" in step 105 is performed as follows: the weight list produced in step 102, which gives the contribution of each threat entity in the evaluation scheme to the effectiveness of the evaluation target, is used to compute a weighted sum of the ratios of test cases passed by the TOE in the test case set of step 104, giving the APT attack resistance value of the TOE.
Through these steps, the invention realizes a method for evaluating the APT attack resistance capability of an information system based on threat intelligence, and addresses the problems that existing evaluation methods cannot effectively test unknown threats and cannot quantitatively analyze and evaluate the APT attack resistance capability of the TOE.
3. Advantages of the invention
By means of this technical scheme, a measurable evaluation scheme is generated by defining a threat intelligence knowledge graph of APT attack activity and applying the analytic hierarchy process, so that the evaluation of the APT attack resistance of an information system has an explicit confidence level and the APT attack resistance can be quantitatively calculated.
IV. Description of the drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
V. Detailed description of the invention
In order to describe the technical solution and the purpose of the method of the present invention more clearly, specific embodiments are described in detail below.
Step S101: data related to APT attack activity in multi-source threat intelligence is collected, using the industry structured threat intelligence standard STIX as the knowledge ontology; structured threat intelligence data is extracted with the ioc-finder tool, and unstructured threat intelligence data is processed with the StanfordNLP toolkit to obtain subject-verb-object (SVO) semantic information from the text, from which the threat intelligence knowledge graph is constructed.
Step S102: an evaluation index system is modeled with the Analytic Hierarchy Process (AHP) according to the characteristics of the TOE and the evaluation target, and an evaluation scheme is generated. Typical evaluation targets are: malicious code defense capability, abnormal packet detection and defense capability, abnormal network flow record detection and defense capability, and host abnormal behavior detection and defense capability.
Step S103: according to the evaluation scheme generated in step S102, the threat entities of the threat intelligence knowledge graph of step S101 are traversed, a depth-first search algorithm is used to find all paths between the threat entities and the APT attack organization entities, and subgraphs containing those paths are generated.
Step S104: a test case set is constructed for the threat intelligence subgraph of step S103 using generation algorithms chosen for the different threat types. Typical threat types and generation algorithms are: an adversarial sample generation algorithm for malicious code; a DGA algorithm for domain names; a text similarity generation algorithm for email addresses.
Step S105: the test is executed with the test case set of step S104, the test results are weighted and summed, and the APT attack resistance of the TOE is quantitatively evaluated.
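As an added example illustrating steps S103 and S105 (not code from the patent or its assignee), the following Python enumerates all paths from the selected threat entity nodes to the APT organization node by depth-first search, collects them into a subgraph, and then computes the weighted sum of per-entity pass ratios. The knowledge graph, node names, entity weights and test outcomes are constructed for illustration; the generation algorithms of step S104 are not part of this example.

```python
"""Subgraph extraction by DFS (step S103) and weighted pass-ratio scoring (step S105).

Added example, not the patent's own code. The graph, the selected nodes, the
weights and the test results are all constructed placeholders.
"""
from collections import defaultdict

# Constructed directed knowledge graph with STIX-style relationships
# (indicator -> malware -> intrusion-set, and so on). Names are placeholders.
GRAPH = {
    "hash:sample-A": ["malware:family-X"],
    "domain:c2-example": ["infrastructure:c2-server"],
    "email:lure-sender": ["attack-pattern:spearphishing"],
    "malware:family-X": ["intrusion-set:APT-ORG"],
    "infrastructure:c2-server": ["malware:family-X", "intrusion-set:APT-ORG"],
    "attack-pattern:spearphishing": ["malware:family-X"],
    "intrusion-set:APT-ORG": [],
}

# Nodes chosen by the evaluation scheme (constructed) and the organisation node.
SELECTED_NODES = ["hash:sample-A", "domain:c2-example", "email:lure-sender"]
APT_ORG = "intrusion-set:APT-ORG"

# Constructed AHP weights per entity type and constructed (passed, total) test
# outcomes; "phishing-email" has no results because it was below the threshold.
WEIGHTS = {"malware": 0.52, "attack-infrastructure": 0.20,
           "phishing-email": 0.08, "attack-pattern": 0.20}
RESULTS = {"malware": (18, 20), "attack-infrastructure": (7, 10),
           "attack-pattern": (4, 5)}


def all_paths(graph, start, goal):
    """Depth-first enumeration of all simple paths from start to goal."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # skip cycles so the search terminates
                stack.append((nxt, path + [nxt]))
    return paths


def build_subgraph(graph, starts, goal):
    """Adjacency map containing every edge on some path start -> goal."""
    sub = defaultdict(set)
    for s in starts:
        for path in all_paths(graph, s, goal):
            for a, b in zip(path, path[1:]):
                sub[a].add(b)
    return {k: sorted(v) for k, v in sub.items()}


def resistance_score(weights, results):
    """Weighted sum of per-entity pass ratios, the step S105 resistance value.

    Weights are renormalised over the entity types that were actually tested,
    so an untested type neither inflates nor deflates the score.
    """
    tested = {e: w for e, w in weights.items() if e in results and results[e][1] > 0}
    total_w = sum(tested.values())
    if total_w == 0:
        raise ValueError("no test results for any weighted entity type")
    return sum(w / total_w * results[e][0] / results[e][1] for e, w in tested.items())


def evaluate():
    """Run both steps on the constructed data; returns (subgraph, score)."""
    return build_subgraph(GRAPH, SELECTED_NODES, APT_ORG), resistance_score(WEIGHTS, RESULTS)


if __name__ == "__main__":
    subgraph, score = evaluate()
    for src, dsts in subgraph.items():
        print(f"{src} -> {', '.join(dsts)}")
    print(f"APT attack resistance value: {score:.4f}")
```

On the constructed graph the DFS finds four paths in total (two from the C2 domain, since the infrastructure node links both directly to the organisation and via the malware family), and the score works out to about 0.835, i.e. the pass ratios 0.9, 0.7 and 0.8 weighted by 0.52, 0.20 and 0.20 after renormalisation.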
Although specific embodiments of the invention have been disclosed for purposes of illustration and to aid in the understanding of the contents of the invention and the manner in which it may be practiced, those skilled in the art will appreciate that: various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include all embodiments falling within the scope of the appended claims.

Claims (6)

1. A method for evaluating the APT attack resistance of an information system based on threat intelligence, characterized by comprising the following steps:
step 101: collecting information associated with APT attack activity from multi-source threat intelligence, based on an open-source or commercial network security threat intelligence ontology, and constructing a threat intelligence knowledge graph;
step 102: modeling with the Analytic Hierarchy Process (AHP) according to the evaluation target of the TOE in the evaluation plan, and selecting an evaluation scheme;
step 103: using the evaluation scheme generated in step 102, selecting the corresponding entity nodes in the threat intelligence knowledge graph of step 101 and the paths from those entity nodes to the APT attack organization entity nodes, to generate a threat intelligence subgraph for evaluating the TOE;
step 104: generating new, similar threat intelligence for the data of each node of the threat intelligence subgraph of step 103 with a generation algorithm, and adding the new threat intelligence to the test case set;
step 105: testing the TOE with the test case set generated in step 104, recording the test results, and quantitatively calculating the anti-APT attack capability of the TOE in combination with the evaluation model of step 102.
Through these steps, the invention realizes a method for evaluating the APT attack resistance capability of an information system based on threat intelligence, and addresses the problems that existing evaluation methods cannot effectively test unknown threats and cannot quantitatively analyze and evaluate the APT attack resistance capability of the TOE.
2. The method for evaluating the APT attack resistance capability of an information system based on threat intelligence according to claim 1, characterized in that:
the "network security threat intelligence ontology" in step 101 refers to a standard or best practice commonly used in the industry which specifies the organizational form, data types, entity objects, relationships between entities, and the exchange and sharing specifications of network security threat intelligence;
the "multi-source threat intelligence" in step 101 refers to reports on APT attack organization activity, including associated IOC information, provided by network security vendors, open-source security communities, commercial paid security big-data suppliers and the like, which comprise structured data conforming to industry standards and unstructured text data;
the "constructing a threat intelligence knowledge graph" in step 101 is performed as follows: (1) for structured threat intelligence data, establishing a conversion scheme and mapping the data to the corresponding entities and relationships in the knowledge ontology; (2) for unstructured data, using Natural Language Processing (NLP) to extract key semantic information and mapping it to the corresponding entities and relationships in the ontology.
3. The method for evaluating the APT attack resistance capability of an information system based on threat intelligence according to claim 1, characterized in that:
the "analytic hierarchy process" in step 102 refers to a systematic method that takes the evaluation scheme for the resistance of the information system to APT attacks as the decision target, decomposes the target into several sub-targets or criteria and further into several levels of multiple indices (or criteria, constraints), where each level defines test items of different granularity that meet the TOE evaluation requirements, and finally calculates the single-level ranking (weights) and the total ranking by a fuzzy quantization method for qualitative indices, which serves as the multi-scheme optimization decision for selecting the test items with which to evaluate the TOE;
the "selecting an evaluation scheme" in step 102 is performed as follows: (1) construct a three-layer evaluation scheme model according to the AHP method, where the target layer is the TOE evaluation target based on the organization's security policy, the criterion layer is an information system evaluation criterion based on standards and best practice, such as the CC (Common Criteria) standard, and the scheme layer consists of the threat entities of the threat intelligence knowledge ontology in step 101; (2) construct a judgment matrix to determine the weight of each factor of the scheme layer, select the threat entities of the scheme layer whose weight exceeds a preset threshold, and add them to the evaluation scheme used for generating the test case set.
4. The method for evaluating the APT attack resistance capability of an information system based on threat intelligence according to claim 1, characterized in that:
the "selecting the corresponding entity nodes in the threat intelligence knowledge graph" in step 103 refers to mapping the threat entities of the evaluation scheme from step 102 to nodes of the threat intelligence knowledge graph of step 101; the node types include concrete information such as malicious software and attack infrastructure, and also abstract semantic information such as the motivation, intention and purpose of the APT attack activity;
the "paths from an entity node to an APT attack organization entity node" in step 103 refers to finding one or more paths in the threat intelligence knowledge graph whose starting points are the node set selected in step 103 and whose end points are the node set representing entities such as the identity, attack patterns and threat actors of the APT attack organization.
5. The method for evaluating the APT attack resistance capability of an information system based on threat intelligence according to claim 1, characterized in that: the "generation algorithm" in step 104 is performed as follows: (1) for structured threat intelligence data, an algorithm appropriate to the data type is applied to predict further characteristics of the APT attack activity, and the new characteristics are used as test cases; (2) for unstructured threat intelligence data, an NLP text generation algorithm is used to generate similar texts, and the new texts are used as test cases or as parts of test cases.
6. The method for evaluating the APT attack resistance capability of an information system based on threat intelligence according to claim 1, characterized in that: the "quantitative calculation of the ability of the TOE to resist APT attacks" in step 105 is performed as follows: the weight list produced in step 102, which gives the contribution of each threat entity in the evaluation scheme to the effectiveness of the evaluation target, is used to compute a weighted sum of the ratios of test cases passed by the TOE in the test case set of step 104, giving the APT attack resistance value of the TOE.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010488042.XA CN113765847A (en) 2020-06-02 2020-06-02 Information system APT attack resistance evaluation method based on threat information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010488042.XA CN113765847A (en) 2020-06-02 2020-06-02 Information system APT attack resistance evaluation method based on threat information

Publications (1)

Publication Number Publication Date
CN113765847A true CN113765847A (en) 2021-12-07

Family

ID=78782327

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010488042.XA Pending CN113765847A (en) 2020-06-02 2020-06-02 Information system APT attack resistance evaluation method based on threat information

Country Status (1)

Country Link
CN (1) CN113765847A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114969759A (en) * 2022-06-07 2022-08-30 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Asset safety assessment method, device, terminal and medium for industrial robot system
CN114969759B (en) * 2022-06-07 2024-04-05 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Asset security assessment method, device, terminal and medium of industrial robot system
CN115567325A (en) * 2022-12-02 2023-01-03 浙江工业大学 Threat hunting method based on graph matching

Similar Documents

Publication Publication Date Title
CN112131882B (en) Multi-source heterogeneous network security knowledge graph construction method and device
Linkov et al. Fundamental concepts of cyber resilience: Introduction and overview
CN109347801B (en) Vulnerability exploitation risk assessment method based on multi-source word embedding and knowledge graph
Kaynar A taxonomy for attack graph generation and usage in network security
Li et al. Analysis framework of network security situational awareness and comparison of implementation methods
Sommestad et al. The cyber security modeling language: A tool for assessing the vulnerability of enterprise system architectures
Huth et al. Guest editorial: A brief overview of data leakage and insider threats
Elitzur et al. Attack hypothesis generation
Younis et al. Comparing and evaluating CVSS base metrics and microsoft rating system
Lee et al. A semantic approach to improving machine readability of a large-scale attack graph
Ajdani et al. Introduced a new method for enhancement of intrusion detection with random forest and PSO algorithm
CN113765847A (en) Information system APT attack resistance evaluation method based on threat information
Li et al. Research on multi-target network security assessment with attack graph expert system model
Abushark et al. Cyber security analysis and evaluation for intrusion detection systems
Almazrouei et al. A review on attack graph analysis for iot vulnerability assessment: challenges, open issues, and future directions
Roy et al. Sok: The mitre att&ck framework in research and practice
Yang et al. Risk assessment method of IoT host based on attack graph
You et al. Review on cybersecurity risk assessment and evaluation and their approaches on maritime transportation
Wen et al. A quantitative security evaluation and analysis model for web applications based on OWASP application security verification standard
Chen et al. A risk assessment method based on software behavior
Zhu et al. Business process mining based insider threat detection system
Kiran et al. A Critical study of information security risk assessment using fuzzy and entropy methodologies
Aouad et al. Defender-centric Conceptual Cyber Exposure Ontology for Adaptive Cyber Risk Assessment.
Jose et al. Prediction of Network Attacks Using Supervised Machine Learning Algorithm
Ye et al. A Hybrid Model of RST and DST with its Application in Intrusion Detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20211207)