基于知识图谱的网络安全事件数据推荐算法

doi:10.11959/j.issn.2096-109x.2023087

摘要/Abstract

摘要：

针对网络安全运维人员分析网络安全事件时难以及时准确找出所需的数据问题，提出基于知识图谱的网络安全事件数据推荐算法，利用网络威胁框架 ATT＆amp;CK 构造本体模型，根据本体模型建立网络威胁知识图谱，将攻击技术、漏洞、防御措施等离散的安全数据提炼为互相关联的安全知识。基于知识图谱提取实体数据，通过 TransH 算法进行实体向量化，并利用实体向量计算网络威胁数据实体间数据相似性。获取网络安全事件处置文献中网络安全数据实体作为运维人员处置行为，构造处置行为矩阵，通过行为矩阵实现网络威胁数据向量化表示，计算基于处置行为的网络威胁数据实体相似性。将网络威胁数据实体的相似度与基于处置行为的网络威胁数据实体的相似度进行融合，形成面向网络安全事件的数据推荐列表，实现基于用户行为的网络威胁领域间的关联。实验分析表明，在融合权重α=7和推荐数据量K=5时，所提算法最优，召回率和精确率分别为62.37%和 68.23%。所提算法在数据相似度的基础上加入了处置行为相似度，更接近事实处置行为，与其他算法相比，所提算法的召回率具有较大优势，精确率在推荐数据量小于10的范围内具有较大优势。

关键词: 网络威胁数据, 网络安全事件, 知识图谱, 相似度, 事件处置行为, 数据推荐

Abstract:

To address the difficulty faced by network security operation and maintenance personnel in timely and accurate identification of required data during network security event analysis, a recommendation algorithm based on a knowledge graph for network security events was proposed.The algorithm utilized the network threat framework ATT＆amp;CK to construct an ontology model and establish a network threat knowledge graph based on this model.It extracted relevant security data such as attack techniques, vulnerabilities, and defense measures into interconnected security knowledge within the knowledge graph.Entity data was extracted based on the knowledge graph, and entity vectors were obtained using the TransH algorithm.These entity vectors were then used to calculate data similarity between entities in network threat data.Disposal behaviors were extracted from literature on network security event handling and treated as network security data entities.A disposal behavior matrix was constructed, and the behavior matrix enabled the vector representation of network threat data.The similarity of network threat data entities was calculated based on disposal behaviors.Finally, the similarity between network threat data and threat data under network security event handling behavior was fused to generate a data recommendation list for network security events, which established correlations between network threat domains based on user behavior.Experimental results demonstrate that the algorithm performs optimally when the fusion weight α=7 and the recommended data volume K=5, achieving a recall rate of 62.37% and an accuracy rate of 68.23%.By incorporating disposition behavior similarity in addition to data similarity, the algorithm better represents factual disposition behavior.Compared to other algorithms, this algorithm exhibits significant advantages in recall rate and accuracy, particularly when the recommended data volume is less than 10.

Key words: network threat data, network security events, knowledge graph, similarity, event handling behavior, data recommendation

中图分类号:

TP393

祝现威, 刘伟, 刘自豪, 顾泽宇. 基于知识图谱的网络安全事件数据推荐算法[J]. 网络与信息安全学报, 2023, 9(6): 116-126.

Xianwei ZHU, Wei LIU, Zihao LIU, Zeyu GU. Data recommendation algorithm of network security event based on knowledge graph[J]. Chinese Journal of Network and Information Security, 2023, 9(6): 116-126.

图/表 15

图1

图2

表1

图3

图4

图5

表2

图7

图6

图8

图9

图10

图11

图12

图13

参考文献 16

[1]	张淑英 . 网络安全事件关联分析与态势评测技术研究[D]. 长春:吉林大学, 2012.
	ZHANG S Y . Research on correlation analysis and situation evaluation technology of network security events[D]. Changchun:Jilin University, 2012.
[2]	CUPPENS F , MIEGE A . Alert correlation in a cooperative intrusion detection framework[C]// Proceedings of 2002 IEEE symposium on Security and privacy, 2002: 202-215.
[3]	ZANG Y C , ZHOU T Y , GE X Y ,et al. An improved attack path discovery algorithm through compact graph planning[J]. IEEE Access, 2019,99:1.
[4]	LI K , ZHOU H , TU Z ,et al. Cskb:a cyber security knowledge base based on knowledge graph[C]// Proceedings of First International Conference on Security and Privacy in Digital Economy(SPDE 2020). 2020: 100-113.
[5]	SYED Z , PADIA A , FININ T ,et al. UCO:a unified cybersecurity ontology[C]// Proceedings of AAAI Workshop on Artificial Intelligence for Cyber Security. 2016: 14-22.
[6]	孙澄, 胡浩, 杨英杰 ,等. 基于网络防御知识图谱的 0day 攻击路径预测方法[J]. 网络与信息安全学报, 2022,8(1): 151-166.
	SUN C , HU H , YANG Y J ,et al. Prediction method of 0day attack path based on cyber defense knowledge graph[J]. Chinese Journal of Network and Information Security, 2022,8(1): 151-166.
[7]	WANG H , ZHANG F , WANG J ,et al. Ripplenet:propagating user preferences on the knowledge graph for recommender systems[C]// Proceedings of the 27th ACM International Conference on Information and Knowledge. 2018: 417-426.
[8]	WANG X , WANG D , XU C ,et al. Explainable reasoning over knowledge graphs for recommendation[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2019: 5329-5336.
[9]	RENDLE S , FREUDENTHALER C , GANTNER Z ,et al. BPR:Bayesian personalized ranking from implicit feedback[C]// Proceedings of UAI 2009. 2009: 452-461.
[10]	ZHANG F , YUAN N J , LIAN D ,et al. Collaborative knowledge base embedding for recommender systems[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2016: 353-362.
[11]	ZHAO H , YAO Q , LI J ,et al. Meta-graph based recommendation fusion over heterogeneous information networks[C]// Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2017: 635-644.
[12]	徐增林, 盛泳潘, 贺丽荣 ,等. 知识图谱技术综述[J]. 电子科技大学学报, 2016,45(4).
	XU Z L , SHENG Y P , HE L R ,et al. Overview of knowledge graph technology[J]. Journal of University of Electronic Science and Technology, 2016,45(4).
[13]	ZHOU X , ZHU Q , LIU P ,et al. Learning knowledge embeddings by combining limit-based scoring loss[C]// Proceedings of the 2017 ACM on Conference on Information and Knowledge Management. 2017: 1009-1018.
[14]	李忠伟, 高东, 刘昕 ,等. 基于知识图谱的海洋数值预报数据推荐算法[J]. 计算机工程与设计, 2023,44(5).
	LI Z W , GAO D , LIU X ,et al. Recommendation algorithm of marine numerical forecast data based on knowledge graph[J]. Computer Engineering and Design, 2023,44(5).
[15]	RANI U , BIDHAN K . Comparative assessment of extractive summarization:TextRank,TF-IDF and LDA[J]. Journal of Scientific Research, 2021(1).
[16]	GB/T 20986-2023. 信息安全技术网络安全事件分类分级指南[S].
	GB/T 20986-2023. Information security technology-classification of cyber security incidents[S].

名称	含义	说明
Software	软件	作为工具的可运行代码程序
Malware	恶意代码	主要包括僵尸主机、木马及蠕虫病毒等
Indicator	监测设备	主要指用于监测网络威胁设备，如流量分析、IPS/IDS、防火墙等
Port	端口	恶意代码或漏洞攻击利用的媒介
Vulnerability	漏洞	设备系统自身原因的脆弱性问题，主要分为不可远程利用漏洞和可远程利用漏洞
Course-of-action	防御措施	可以阻止攻击或防止危害进一步扩散的操作和手段
Attack-tactic	攻击战术	ATT＆CK中攻击者为达到目的的一类手段
Attack-technology	攻击技术	ATT＆CK中实现战术目的的一类技术

主题			数据
主题	u₁	u₂	u₃	…	u_m
V₁	1	0	0	…	1
V₂	0	1	1	…	1
V₃	0	0	0	…	0
…	…	…	…	…	…
V₁₃	1	0	0	…	0