Computer Science, 2018, Vol. 45, Issue (6): 9-18. doi: 10.11896/j.issn.1002-137X.2018.06.002

• Survey •

Overview of Threat Intelligence Sharing Technologies in Cyberspace

YANG Pei-an 1,2, WU Yang 1,3, SU Li-ya 1,3, LIU Bao-xu 1,3

  1. University of Chinese Academy of Sciences, Beijing 100049, China;
  2. Institute of High Energy Physics, Chinese Academy of Sciences, Beijing 100049, China;
  3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  • Received: 2017-05-05  Online: 2018-06-15  Published: 2018-07-24
  • About the authors: YANG Pei-an (born 1988), male, Ph.D. candidate; research interests: network and information security, intelligence analysis and sharing; e-mail: yangpa@ihep.ac.cn. WU Yang (born 1985), male, Ph.D., assistant research fellow; research interests: network security, threat intelligence; e-mail: youngywu@tencent.com (corresponding author). SU Li-ya (born 1993), female, M.Sc. candidate; research interest: network security situational awareness. LIU Bao-xu (born 1972), male, research fellow and doctoral supervisor; research interests: network attack and defense, situational awareness.

Abstract (translated from the Chinese abstract): Today, novel attacks typified by advanced persistent threats (APT) are increasingly common; traditional security defenses are stretched thin, and the cyberspace security situation grows more severe. Threat intelligence is rich in content, highly accurate and amenable to automated processing, so applying it to network security analysis can markedly improve defensive capability. Threat intelligence has therefore attracted growing attention, and both academia and industry have carried out research on threat intelligence analysis and sharing. This paper first analyzes the value and significance of threat intelligence and classifies threat intelligence and threat intelligence vendors. It then focuses on the main problems facing threat intelligence sharing technology, analyzing and summarizing the research and attempts that academia and industry have made to address them. Finally, it looks ahead to future research in the field of threat intelligence sharing.

Abstract: Nowadays, new kinds of cyber-attacks such as APT and DDoS combine strong concealment, low attack cost and large attack impact. These advantages let them easily escape detection by traditional defensive measures; the cyberspace security situation is becoming more and more severe, and detecting and preventing these attacks has become much harder. CTI (Cyber Threat Intelligence) based network defence has proved to be a promising strategy for addressing this problem, and both academia and industry have put considerable effort into CTI analysis and sharing. This paper introduces the meaning and value of CTI. Then, focusing on the sharing of threat intelligence, it studies and reviews the work and developments in CTI sharing in depth. Finally, it looks ahead to future study of CTI sharing.

Key words: Cyberspace security, Threat intelligence, Intelligence sharing, Data mining

CLC number (Chinese Library Classification): TP309.2