基于词向量和图卷积的攻击模式与技术实体关联方法

doi:10.11959/j.issn.2096-109x.2023052

Abstract

Abstract:

Threat analysis relies on knowledge bases that contain a large number of security entities.The scope and impact of security threats and risks are evaluated by modeling threat sources, attack capabilities, attack motivations, and threat paths, taking into consideration the vulnerability of assets in the system and the security measures implemented.However, the lack of entity relations between these knowledge bases hinders the security event tracking and attack path generation.To complement entity relations between CAPEC and ATT＆amp;CK techniques and enrich threat paths, an entity correlation prediction method called WGS was proposed, in which entity descriptions were analyzed based on word embedding and a graph convolution network.A Word2Vec model was trained in the proposed method for security domain to extract domain-specific semantic features and a GCN model to capture the co-occurrence between words and sentences in entity descriptions.The relationship between entities was predicted by a Siamese network that combines these two features.The inclusion of external semantic information helped address the few-shot learning problem caused by limited entity relations in the existing knowledge base.Additionally, dynamic negative sampling and regularization was applied in model training.Experiments conducted on CAPEC and ATT＆amp;CK database provided by MITRE demonstrate that WGS effectively separates related entity pairs from irrelevant ones in the sample space and accurately predicts new entity relations.The proposed method achieves higher prediction accuracy in few-shot learning and requires shorter training time and less computing resources compared to the Bert-based text similarity prediction models.It proves that word embedding and graph convolutional network based entity relation prediction method can extract new entity correlation relationships between attack patterns and techniques.This helps to abstract attack techniques and tactics from low-level vulnerabilities and weaknesses in security threat analysis.

Key words: security entity correlation, natural language processing, graph convolution neural network, few-shot learning

CLC Number:

TP393

Weicheng QIU, Xiuzhen CHEN, Yinghua MA, Jin MA, Zhihong ZHOU. Predicting correlation relationships of entities between attack patterns and techniques based on word embedding and graph convolutional network[J]. Chinese Journal of Network and Information Security, 2023, 9(4): 40-52.

Figures/Tables 14

表项	CAPEC	ATT＆CK技术	描述
1	修改注册表运行键值	启动或登录自启动执行：活动设置	CAPEC：…在注册表中添加一个新的运行键值…在用户登录时启动…
			ATT＆CK：…通过添加注册表键值实现持久化…在用户登录计算机时执行…
2	HTTP泛洪	端点拒绝服务：应用程序耗尽泛洪	CAPEC：…使用HTTP执行泛洪攻击，目的是通过消耗应用层（如Web 服务）的资源来拒绝合法用户访问服务…
			ATT＆CK：…针对 Web 应用程序的资源密集型功能，造成拒绝服务（DoS）…
3	现有进程中包含代码	进程注入：动态链接库注入	CAPEC：…运行进程以在单独的实时进程的地址空间中执行任意代码…示例方法包括但不限于：动态链接库（DLL）注入…
			ATT＆CK：…DLL 注入是一种在单独的实时进程的地址空间中执行任意代码的方法…
4	JSON 劫持（又名JavaScript 劫持）	信息网络钓鱼：鱼叉式网络钓鱼链接	CAPEC：…攻击者让受害者访问其恶意页面，该页面包含脚本标记，其源指向易受攻击的系统…
			ATT＆CK：…发送带有恶意链接的鱼叉式网络钓鱼邮件，以引出可在定位过程中使用的敏感信息…
5	XML泛洪	端点拒绝服务：应用程序或系统利用	CAPEC：…使用XML消息执行泛洪攻击…XDoS的主要弱点是服务提供商通常必须检查、解析和验证XML消息…
			ATT＆CK：…利用可能导致应用程序或系统崩溃并拒绝用户可用的软件漏洞…
6	加密暴力破解	操作系统凭据转储	CAPEC：…对密钥空间执行暴力搜索，以确定解密密文并获取明文的密钥…
			ATT＆CK：…尝试转储凭据以获取帐户登录名和凭据材料，通常采用哈希或明文密码的形式…
7	窃听	网络嗅探	窃听与嗅探攻击不同，因为它不会发生在基于网络的通信通道（如IP流量）上

References 21

[1]	STROM B E , APPLEBAUM A , MILLER D P ,et al. Mitre att＆ck:design and philosophy[R]. Technical Report, 2018.
[2]	KIESLING E , EKELHART A , KURNIAWAN K ,et al. The SEPSES knowledge graph:an integrated resource for cybersecurity[C]// International Semantic Web Conference. 2019: 198-214.
[3]	GUO Y , LIU Z , HUANG C ,et al. CyberRel:joint entity and relation extraction for cybersecurity concepts[C]// International Conference on Information and Communications Security. 2021: 447-463.
[4]	XIAO H , XING Z , LI X ,et al. Embedding and predicting software security entity relationships:a knowledge graph based approach[C]// International Conference on Neural Information Processing. 2019: 50-63.
[5]	YUAN L , BAI Y , XING Z ,et al. Predicting entity relations across different security databases by using graph attention network[C]// 2021 IEEE 45th Annual Computers,Software,and Applications Conference (COMPSAC). 2021: 834-843.
[6]	DAS S S , SERRA E , HALAPPANAVAR M ,et al. V2W-BERT:a framework for effective hierarchical multiclass classification of software vulnerabilities[C]// 2021 IEEE 8th International Conference on Data Science and Advanced Analytics (DSAA). 2021: 1-12.
[7]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. Holmes:real-time apt detection through correlation of suspicious information flows[C]// 2019 IEEE Symposium on Security and Privacy (SP). 2019: 1137-1152.
[8]	WU L , CHEN Y , SHEN K ,et al. Graph neural networks for natural language processing:a survey[J]. arXiv Preprint arXiv:2106.06090, 2021.
[9]	YAO L , MAO C , LUO Y . Graph convolutional networks for text classification[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2019: 7370-7377.
[10]	LIU B , NIU D , WEI H ,et al. Matching article pairs with graphical decomposition and convolutions[J]. arXiv Preprint arXiv:1802.07459, 2018.
[11]	REIMERS N , GUREVYCH I . Sentence-bert:sentence embeddings using siamese bert-networks[J]. arXiv Preprint arXiv:1908.10084, 2019.
[12]	DEVLIN J , CHANG M W , LEE K ,et al. Bert:pre-training of deep bidirectional transformers for language understanding[J]. arXiv Preprint arXiv:1810.04805, 2018.
[13]	VASWANI A , SHAZEER N , PARMAR N ,et al. Attention is all you need[C]// Advances in Neural Information Processing Systems, 2017,30.
[14]	LIU Y , OTT M , GOYAL N ,et al. Roberta:a robustly optimized bert pretraining approach[J]. arXiv Preprint arXiv:1907.11692, 2019.
[15]	LAN Z , CHEN M , GOODMAN S ,et al. Albert:a lite bert for self-supervised learning of language representations[J]. arXiv Preprint arXiv:1909.11942, 2019.
[16]	YANG Z , DAI Z , YANG Y ,et al. Xlnet:generalized autoregressive pretraining for language understanding[C]// Advances in Neural Information Processing Systems, 2019,32.
[17]	LIU B , NIU D , WEI H ,et al. Matching article pairs with graphical decomposition and convolutions[J]. arXiv Preprint arXiv:1802.07459, 2018.
[18]	MIKOLOV T , CHEN K , CORRADO G ,et al. Efficient estimation of word representations in vector space[J]. arXiv Preprint arXiv:1301.3781, 2013.
[19]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv Preprint arXiv:1609.02907, 2016.
[20]	LE Q , MIKOLOV T . Distributed representations of sentences and documents[C]// International Conference on Machine Learning. PMLR, 2014: 1188-1196.
[21]	CER D , DIAB M , AGIRRE E ,et al. Semeval-2017 task 1:semantic textual similarity-multilingual and cross-lingual focused evaluation[J]. arXiv Preprint arXiv:1708.00055, 2017.

Metrics

Recommended 0

No Suggested Reading articles found!

知识库	实体个数/个	描述平均单词数/个	词汇量/个
CAPEC	525	57.71	1 346
ATT＆CK	552	121.27	1 805
CVE	148 264	31.70	12 552
CWE	922	48.92	1 604

操作系统	CPU	GPU
Ubuntu18.04-64 bit	Intel Core i5-8265U，	Nvidia Geforce RTX
Windows 10-64 bit	8 GB内存	2080 Ti，10 GB内存

方法分类	具体模型	训练细节	相似度评估
	TF-IDF	C-A数据集上计算	余弦相似度
基线方法	Doc2Vec	使用已训练模型	余弦相似度
	Word2Vec	使用已训练模型	余弦相似度
	Bert	预训练模型+C-A上微调	二分类
Bert及其变种微调	RoBerta	预训练模型+C-A上微调	二分类
	AlBert	预训练模型+C-A上微调	二分类
SOTA模型微调	Sentence Bert	预训练模型+C-A上微调	二分类
	XLNet	预训练模型+C-A上微调	二分类

方法	准确率	召回率	精度	F1值	训练时间
TF-IDF	70.41%	72.58%	69.57%	0.7104	＜1 min
Word2Vec	68.04%	76.08%	65.54%	0.7042	—
Doc2Vec	62.58%	70.52%	60.85%	0.6533	—
Bert (Base)	76.84%	81.33%	74.72%	0.7782	20 min
Roberta (Large)	83.16%	84.69%	82.18%	0.8342	＞2 h
ALBert (Base)	81.82%	85.71%	79.75%	0.8273	＞2 h
XLNet (Base)	78.57%	87.07%	74.46%	0.8025	＞2 h
Sentence Bert	82.40%	84.18%	81.32%	0.8272	＞1 h
WGS	87.10%	88.10%	86.41%	0.8724	＜5 min

方法	准确率	召回率	精度	F1值
GCN	79.59%	81.63%	78.43%	0.8000
Word2Vec	68.04%	76.08%	65.54%	0.7042
GCN+SIA	86.22%	87.75%	85.15%	0.8643
W2V+SIA	86.48%	87.76%	85.57%	0.8665
GCN+W2V+SIA	87.10%	88.10%	86.41%	0.8724
GCN+D2V+SIA	87.70%	88.10%	87.48%	0.8776

Predicting correlation relationships of entities between attack patterns and techniques based on word embedding and graph convolutional network

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 21

Related Articles 1

Metrics

Recommended 0

方法	预测正确个数	预测正确率	交叉熵
WSG	41	20.5%	0.834 5
Bert	31	15.5%	6.299 3