基于词向量和图卷积的攻击模式与技术实体关联方法

doi:10.11959/j.issn.2096-109x.2023052

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (4): 40-52.doi: 10.11959/j.issn.2096-109x.2023052

• 学术论文 • 上一篇

基于词向量和图卷积的攻击模式与技术实体关联方法

裘炜程¹^,², 陈秀真¹^,², 马颖华¹^,², 马进¹^,², 周志洪¹^,²

¹ 上海交通大学网络安全技术研究院，上海 200240
² 上海市信息安全综合管理技术重点实验室，上海 200240

修回日期:2023-05-06 出版日期:2023-08-01 发布日期:2023-08-01
作者简介:裘炜程（1997- ），男，上海人，上海交通大学硕士生，主要研究方向为车联网信息安全、网络安全、人工智能
陈秀真（1977- ），女，山东聊城人，博士，上海交通大学副教授，主要研究方向为车联网信息安全、网络信息系统安全检测与评估、社交网络大数据分析
马颖华（1973- ），女，山东泰安人，博士，上海交通大学讲师，主要研究方向为网络内容安全、自然语言处理
马进（1977- ），女，山东滕州人，博士，上海交通大学高级工程师，主要研究方向为大数据与人工智能应用、车联网信息安全、网络空间安全综合管理新技术
周志洪（1979- )，男，江西九江人，上海交通大学讲师，主要研究方向为密码应用、安全测评、车联网安全
基金资助:
国家自然科学基金(U2003206);上海市科学技术委员会科技创新行动计划(22511101202)

Predicting correlation relationships of entities between attack patterns and techniques based on word embedding and graph convolutional network

Weicheng QIU¹^,², Xiuzhen CHEN¹^,², Yinghua MA¹^,², Jin MA¹^,², Zhihong ZHOU¹^,²

¹ Institute of Cyber Science and Technology, Shanghai Jiao Tong University, Shanghai 200240, China
² Shanghai Municipal Key Lab of Integrated Management Technology for Information Security, Shanghai 200240, China

Revised:2023-05-06 Online:2023-08-01 Published:2023-08-01
Supported by:
The National Natural Science Foundation of China(U2003206);Shanghai Science and Technology Com-mittee Science and Technology Innovation Action Plan(22511101202)

摘要/Abstract

摘要：

安全威胁分析以包含大量安全实体的网络安全知识库为基础，对威胁源、攻击能力、攻击动机、威胁路径等建模，并结合资产的脆弱性及已部署的安全措施，评估威胁的影响范围、程度以及带来的安全风险。但是基础知识库部分实体之间的关联关系缺失，不利于实现安全事件追踪、攻击路径关联。针对 CAPEC 攻击模式和ATT＆amp;CK技术的实体关系缺失问题，提出一种基于词向量和图卷积的攻击模式与技术实体关联方法，即通过分析实体描述文本之间的关联度判断实体关系，达到不同知识库间实体关系的补充、丰富威胁路径的目的。提出的方法使用预训练的安全领域Word2Vec模型提取特定领域的语义信息，通过图卷积神经网络模型提取实体描述间的共现关系，进一步将两种特征输入孪生网络预测实体间的关联关系。为解决现有知识库中实体关系较少的小样本学习问题，通过词向量补充外部语义信息、模型训练时使用动态负采样和添加正则项避免过拟合。针对MITRE组织提供的CAPEC和ATT＆amp;CK知识库进行实验测试，结果表明，所提算法可以通过分析实体描述的语义信息，将有关系的实体对在样本空间内与无关系实体对分离，从而有效预测新的实体对的关联关系。在小样本条件下，所提方法的预测准确率高于基于Bert 的文本相似度预测方法，同时训练时间更短、所需计算资源更少。实验结果证明，基于词向量和图卷积的攻击模式与技术实体关联方法可以挖掘出新的攻击模式与技术实体关联关系，安全威胁分析时有助于提高从安全漏洞和脆弱点等底层概念抽象出攻击技术和战术的能力。

关键词: 安全实体关联, 自然语言处理, 图卷积神经网络, 小样本学习

Abstract:

Threat analysis relies on knowledge bases that contain a large number of security entities.The scope and impact of security threats and risks are evaluated by modeling threat sources, attack capabilities, attack motivations, and threat paths, taking into consideration the vulnerability of assets in the system and the security measures implemented.However, the lack of entity relations between these knowledge bases hinders the security event tracking and attack path generation.To complement entity relations between CAPEC and ATT＆amp;CK techniques and enrich threat paths, an entity correlation prediction method called WGS was proposed, in which entity descriptions were analyzed based on word embedding and a graph convolution network.A Word2Vec model was trained in the proposed method for security domain to extract domain-specific semantic features and a GCN model to capture the co-occurrence between words and sentences in entity descriptions.The relationship between entities was predicted by a Siamese network that combines these two features.The inclusion of external semantic information helped address the few-shot learning problem caused by limited entity relations in the existing knowledge base.Additionally, dynamic negative sampling and regularization was applied in model training.Experiments conducted on CAPEC and ATT＆amp;CK database provided by MITRE demonstrate that WGS effectively separates related entity pairs from irrelevant ones in the sample space and accurately predicts new entity relations.The proposed method achieves higher prediction accuracy in few-shot learning and requires shorter training time and less computing resources compared to the Bert-based text similarity prediction models.It proves that word embedding and graph convolutional network based entity relation prediction method can extract new entity correlation relationships between attack patterns and techniques.This helps to abstract attack techniques and tactics from low-level vulnerabilities and weaknesses in security threat analysis.

Key words: security entity correlation, natural language processing, graph convolution neural network, few-shot learning

中图分类号:

TP393

裘炜程, 陈秀真, 马颖华, 马进, 周志洪. 基于词向量和图卷积的攻击模式与技术实体关联方法[J]. 网络与信息安全学报, 2023, 9(4): 40-52.

Weicheng QIU, Xiuzhen CHEN, Yinghua MA, Jin MA, Zhihong ZHOU. Predicting correlation relationships of entities between attack patterns and techniques based on word embedding and graph convolutional network[J]. Chinese Journal of Network and Information Security, 2023, 9(4): 40-52.

图/表 14

图1

图2

图3

表1

表2

图4

图5

图6

图7

表3

表4

表5

表6

表7

新实体关系预测结果分析Table 7 Analysis on predicting correlation results among new entities"

表项	CAPEC	ATT＆CK技术	描述
1	修改注册表运行键值	启动或登录自启动执行：活动设置	CAPEC：…在注册表中添加一个新的运行键值…在用户登录时启动…
			ATT＆CK：…通过添加注册表键值实现持久化…在用户登录计算机时执行…
2	HTTP泛洪	端点拒绝服务：应用程序耗尽泛洪	CAPEC：…使用HTTP执行泛洪攻击，目的是通过消耗应用层（如Web 服务）的资源来拒绝合法用户访问服务…
			ATT＆CK：…针对 Web 应用程序的资源密集型功能，造成拒绝服务（DoS）…
3	现有进程中包含代码	进程注入：动态链接库注入	CAPEC：…运行进程以在单独的实时进程的地址空间中执行任意代码…示例方法包括但不限于：动态链接库（DLL）注入…
			ATT＆CK：…DLL 注入是一种在单独的实时进程的地址空间中执行任意代码的方法…
4	JSON 劫持（又名JavaScript 劫持）	信息网络钓鱼：鱼叉式网络钓鱼链接	CAPEC：…攻击者让受害者访问其恶意页面，该页面包含脚本标记，其源指向易受攻击的系统…
			ATT＆CK：…发送带有恶意链接的鱼叉式网络钓鱼邮件，以引出可在定位过程中使用的敏感信息…
5	XML泛洪	端点拒绝服务：应用程序或系统利用	CAPEC：…使用XML消息执行泛洪攻击…XDoS的主要弱点是服务提供商通常必须检查、解析和验证XML消息…
			ATT＆CK：…利用可能导致应用程序或系统崩溃并拒绝用户可用的软件漏洞…
6	加密暴力破解	操作系统凭据转储	CAPEC：…对密钥空间执行暴力搜索，以确定解密密文并获取明文的密钥…
			ATT＆CK：…尝试转储凭据以获取帐户登录名和凭据材料，通常采用哈希或明文密码的形式…
7	窃听	网络嗅探	窃听与嗅探攻击不同，因为它不会发生在基于网络的通信通道（如IP流量）上

表7

参考文献 21

[1]	STROM B E , APPLEBAUM A , MILLER D P ,et al. Mitre att＆ck:design and philosophy[R]. Technical Report, 2018.
[2]	KIESLING E , EKELHART A , KURNIAWAN K ,et al. The SEPSES knowledge graph:an integrated resource for cybersecurity[C]// International Semantic Web Conference. 2019: 198-214.
[3]	GUO Y , LIU Z , HUANG C ,et al. CyberRel:joint entity and relation extraction for cybersecurity concepts[C]// International Conference on Information and Communications Security. 2021: 447-463.
[4]	XIAO H , XING Z , LI X ,et al. Embedding and predicting software security entity relationships:a knowledge graph based approach[C]// International Conference on Neural Information Processing. 2019: 50-63.
[5]	YUAN L , BAI Y , XING Z ,et al. Predicting entity relations across different security databases by using graph attention network[C]// 2021 IEEE 45th Annual Computers,Software,and Applications Conference (COMPSAC). 2021: 834-843.
[6]	DAS S S , SERRA E , HALAPPANAVAR M ,et al. V2W-BERT:a framework for effective hierarchical multiclass classification of software vulnerabilities[C]// 2021 IEEE 8th International Conference on Data Science and Advanced Analytics (DSAA). 2021: 1-12.
[7]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. Holmes:real-time apt detection through correlation of suspicious information flows[C]// 2019 IEEE Symposium on Security and Privacy (SP). 2019: 1137-1152.
[8]	WU L , CHEN Y , SHEN K ,et al. Graph neural networks for natural language processing:a survey[J]. arXiv Preprint arXiv:2106.06090, 2021.
[9]	YAO L , MAO C , LUO Y . Graph convolutional networks for text classification[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2019: 7370-7377.
[10]	LIU B , NIU D , WEI H ,et al. Matching article pairs with graphical decomposition and convolutions[J]. arXiv Preprint arXiv:1802.07459, 2018.
[11]	REIMERS N , GUREVYCH I . Sentence-bert:sentence embeddings using siamese bert-networks[J]. arXiv Preprint arXiv:1908.10084, 2019.
[12]	DEVLIN J , CHANG M W , LEE K ,et al. Bert:pre-training of deep bidirectional transformers for language understanding[J]. arXiv Preprint arXiv:1810.04805, 2018.
[13]	VASWANI A , SHAZEER N , PARMAR N ,et al. Attention is all you need[C]// Advances in Neural Information Processing Systems, 2017,30.
[14]	LIU Y , OTT M , GOYAL N ,et al. Roberta:a robustly optimized bert pretraining approach[J]. arXiv Preprint arXiv:1907.11692, 2019.
[15]	LAN Z , CHEN M , GOODMAN S ,et al. Albert:a lite bert for self-supervised learning of language representations[J]. arXiv Preprint arXiv:1909.11942, 2019.
[16]	YANG Z , DAI Z , YANG Y ,et al. Xlnet:generalized autoregressive pretraining for language understanding[C]// Advances in Neural Information Processing Systems, 2019,32.
[17]	LIU B , NIU D , WEI H ,et al. Matching article pairs with graphical decomposition and convolutions[J]. arXiv Preprint arXiv:1802.07459, 2018.
[18]	MIKOLOV T , CHEN K , CORRADO G ,et al. Efficient estimation of word representations in vector space[J]. arXiv Preprint arXiv:1301.3781, 2013.
[19]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv Preprint arXiv:1609.02907, 2016.
[20]	LE Q , MIKOLOV T . Distributed representations of sentences and documents[C]// International Conference on Machine Learning. PMLR, 2014: 1188-1196.
[21]	CER D , DIAB M , AGIRRE E ,et al. Semeval-2017 task 1:semantic textual similarity-multilingual and cross-lingual focused evaluation[J]. arXiv Preprint arXiv:1708.00055, 2017.

知识库	实体个数/个	描述平均单词数/个	词汇量/个
CAPEC	525	57.71	1 346
ATT＆CK	552	121.27	1 805
CVE	148 264	31.70	12 552
CWE	922	48.92	1 604

操作系统	CPU	GPU
Ubuntu18.04-64 bit	Intel Core i5-8265U，	Nvidia Geforce RTX
Windows 10-64 bit	8 GB内存	2080 Ti，10 GB内存

方法分类	具体模型	训练细节	相似度评估
	TF-IDF	C-A数据集上计算	余弦相似度
基线方法	Doc2Vec	使用已训练模型	余弦相似度
	Word2Vec	使用已训练模型	余弦相似度
	Bert	预训练模型+C-A上微调	二分类
Bert及其变种微调	RoBerta	预训练模型+C-A上微调	二分类
	AlBert	预训练模型+C-A上微调	二分类
SOTA模型微调	Sentence Bert	预训练模型+C-A上微调	二分类
	XLNet	预训练模型+C-A上微调	二分类

方法	准确率	召回率	精度	F1值	训练时间
TF-IDF	70.41%	72.58%	69.57%	0.7104	＜1 min
Word2Vec	68.04%	76.08%	65.54%	0.7042	—
Doc2Vec	62.58%	70.52%	60.85%	0.6533	—
Bert (Base)	76.84%	81.33%	74.72%	0.7782	20 min
Roberta (Large)	83.16%	84.69%	82.18%	0.8342	＞2 h
ALBert (Base)	81.82%	85.71%	79.75%	0.8273	＞2 h
XLNet (Base)	78.57%	87.07%	74.46%	0.8025	＞2 h
Sentence Bert	82.40%	84.18%	81.32%	0.8272	＞1 h
WGS	87.10%	88.10%	86.41%	0.8724	＜5 min

方法	准确率	召回率	精度	F1值
GCN	79.59%	81.63%	78.43%	0.8000
Word2Vec	68.04%	76.08%	65.54%	0.7042
GCN+SIA	86.22%	87.75%	85.15%	0.8643
W2V+SIA	86.48%	87.76%	85.57%	0.8665
GCN+W2V+SIA	87.10%	88.10%	86.41%	0.8724
GCN+D2V+SIA	87.70%	88.10%	87.48%	0.8776

基于词向量和图卷积的攻击模式与技术实体关联方法

Predicting correlation relationships of entities between attack patterns and techniques based on word embedding and graph convolutional network

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 21

相关文章 1

Metrics

推荐阅读 0

方法	预测正确个数	预测正确率	交叉熵
WSG	41	20.5%	0.834 5
Bert	31	15.5%	6.299 3