Threat intelligence technology in network security situation awareness


Bibliographic Details
Main Authors: Yan YIN, Hongbin ZHANG, Bin LIU, Dongmei ZHAO
Format: Article
Language: zho
Published: Hebei University of Science and Technology, 2021-04-01
Series: Journal of Hebei University of Science and Technology
Online Access: http://xuebao.hebust.edu.cn/hbkjdx/ch/reader/create_pdf.aspx?file_no=b202102012&flag=1&journal_
DOAJ record id: doaj-6e29c24955c94ba19a646787e1b8d56f
Keywords: network security; situation awareness; threat intelligence; STIX; network attack and defense
ISSN: 1008-1542
Description: General Secretary XI Jinping gave instructions at the symposium on cybersecurity and informatization in 2016: strengthen the mining and analysis of big data, improve situation awareness, and prevent risks in cybersecurity. In response to the call of national policies, many large industries and enterprises have actively advocated, built and applied situation awareness systems to deal with the severe challenges faced by network security. Network security situation awareness is an effective means of ensuring network security, and using it to discover potential threats and respond to them has become the focus of network security research. At present, most of the proposed network security situation awareness technologies and methods are based on small-scale networks. With the continuous expansion of network scale and the appearance of new advanced attack technologies such as APT, the accuracy and operability of current situation awareness technology have declined greatly. In recent years, the emergence of threat intelligence has brought new ideas to situation awareness research and has become a new direction in the field. This paper mainly summarizes traditional situation awareness research and the application of threat intelligence in network security situation awareness. Traditional situation awareness research is generally divided into three parts, namely situation perception, situation comprehension and situation projection. The process of network security situation awareness is to collect the security elements of the target system and analyze the impact of security incidents. Finally, network security situation awareness makes it possible to recognize the behavior of various activities, detect attacks, and evaluate and predict the network situation, so as to support correct decisions for the network security response. The application of threat intelligence in network security situation awareness is discussed from three scenarios: 1) Situation perception: threat intelligence is used to identify attack behaviors, extract relevant attack characteristics, and determine attack intentions, methods and impact; 2) Situation comprehension: after the attack behavior and characteristics have been determined, the attack behavior is understood and the attacker's strategy is determined by sharing the disposition of the attack behavior in the threat intelligence; 3) Situation projection: by analyzing threat intelligence information such as attack events, attack techniques and vulnerabilities, the risk faced by the current system is evaluated and possible attacks are predicted. Threat intelligence is usually obtained through big data, distributed systems or other methods, and it has a strong ability to update autonomously. Threat intelligence can provide the most complete and up-to-date security event data, which greatly improves the ability to detect new and advanced dangers in network security situation awareness. By using the sharing mechanism in threat intelligence, security staff can understand the threat environment of their organization, such as the attackers, the tactics and techniques they use, and defense strategies, which helps enterprises understand the security threats they are facing or will face in the future. Threat intelligence can improve the accuracy and efficiency of situation awareness analysis, as well as the ability to respond to security incidents.
DOI: 10.7535/hbkd.2021yx02012
Volume 42, Issue 2, pages 195-204, published 2021-04-01 (record added to DOAJ 2021-04-29T09:02:32Z)
Author affiliations:
Yan YIN, Hongbin ZHANG: School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018, China
Bin LIU: School of Economics and Management, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018, China
Dongmei ZHAO: Hebei Key Laboratory of Network and Information Security, Hebei Normal University, Shijiazhuang, Hebei 050024, China