基于Conformal Prediction的威胁情报繁殖方法

doi:10.3969/j.issn.1671-1122.2020.06.011

信息网络安全 ›› 2020, Vol. 20 ›› Issue (6): 90-95.doi: 10.3969/j.issn.1671-1122.2020.06.011

基于Conformal Prediction的威胁情报繁殖方法

张永生¹, 王志²(), 武艺杰², 杜振华³

1.中国民用航空华东地区空中交通管理局,上海 200335
2.南开大学网络空间安全学院,天津 300350
3.国家计算机病毒应急处理中心,天津 300457

收稿日期:2020-04-06 出版日期:2020-06-10 发布日期:2020-10-21
通讯作者: 王志 E-mail:zwang@nankai.edu.cn
作者简介:张永生（1966—）,男,内蒙古,高级工程师,硕士,主要研究方向为网络信息安全|王志（1981—）,男,山西,副教授,博士,主要研究方向为计算机病毒分析及防治技术|武艺杰（1993—）,女,山西,工程师,硕士,主要研究方向为网络信息安全|杜振华（1982—）,男,黑龙江,高级工程师,硕士,主要研究方向为网络信息安全
基金资助:
国家自然科学基金(61872202);民航安全能力建设项目(PESA2018079);民航安全能力建设项目(PESA2018082);民航安全能力建设项目(PESA2019073);民航安全能力建设项目[PESA2018079,PESA2018082,PESA2019073,](PESA2019074);计算机病毒防治技术国家工程实验室项目(发改办高技[2014]25号);中国民航大学信息安全测评中心开放课题(CAAC-ISECCA-201701);天津市新一代人工智能科技重大专项(19ZXZNGX00090)

Cyber Threat Intelligence Propagation Based on Conformal Prediction

ZHANG Yongsheng¹, WANG Zhi²(), WU Yijie², DU Zhenhua³

1. East China Regional Air Traffic Management Bureau, CAAC, Shanghai 200335, China
2. College of Cyber Science, Nankai University, Tianjin 300350, China
3. National Computer Virus Emergency Response Center, Tianjin 300457, China

Received:2020-04-06 Online:2020-06-10 Published:2020-10-21
Contact: WANG Zhi E-mail:zwang@nankai.edu.cn

摘要/Abstract

摘要：

未知网络威胁情报的获取和利用能力是当前网络空间安全领域的核心竞争力之一。网络威胁情报具有时效性短、变异速度快、数量大等特点。基于静态阈值的“0-1”检测方法无法充分利用和挖掘已知威胁情报的价值。文章提出一种基于 Conformal Prediction算法的网络威胁情报繁殖方法,在LSTM和XGBoost算法基础上,引入了统计学习的可信度模型,通过Confidence和Credibility两个指标来度量威胁情报的可靠性,充分挖掘已知威胁情报的内在价值;通过控制显著性水平,繁殖出错概率可控的未知情报,提升对网络攻击扩散的预判和遏制能力。实验结果表明,该方法对DGA恶意域名检测的F1数值可达到90%以上,繁殖出DGA恶意域名的错误率在2.5%以下。

关键词: 网络威胁情报, 恶意域名, 域名生成算法, 一致性预测

Abstract:

The ability to acquire and utilize unknown threat intelligence is the core competitiveness of the current cyberspace security. The threat intelligence has the characteristics of short-lived, fast mutation, large quantity and so on. Therefore, the detection method based on static threshold cannot fully utilize known threat intelligence. This paper proposes an approach of threat intelligence propagation method based on conformal prediction. By introducing the credibility and confidence from statistical learning, this approach could propagate unknown threat intelligence from known ones with selectable maximum error probability. The experimental results show that the average F1 score of DGA domain names detected by this approach is above 90%, meanwhile, the error rate of DGA domain name after propagation is under 2.5%.

Key words: threat intelligence, malicious domain, domain generation algorithm, conformal prediction

中图分类号:

TP309

张永生, 王志, 武艺杰, 杜振华. 基于Conformal Prediction的威胁情报繁殖方法[J]. 信息网络安全, 2020, 20(6): 90-95.

ZHANG Yongsheng, WANG Zhi, WU Yijie, DU Zhenhua. Cyber Threat Intelligence Propagation Based on Conformal Prediction[J]. Netinfo Security, 2020, 20(6): 90-95.

图/表 8

图1

图2

图3

图4

图5

图6

图7

图8

参考文献 10

[1]	WIEM T, HELMI R. A Survey on Technical Threat Tntelligence in the Age of Sophisticated Cyber Attacks[J]. Computer and Security, 2018,72(C):212-233.
[2]	SAMUEL S, DOMINIK T, PATRICK H. FANCI: Feature-based Automated NXDomain Classification and Intelligence [C]//USENIX. The 27th USENIX Security Symposium, August 15-17, 2018, Baltimore, MD, USA. Berkeley: USNIX Association, 2018: 1165-1181.
[3]	ZHANG Y, EGELMAN S, CRANOR L, et al. Phinding Phish: Evaluating Anti-phishing Tools[R]. Pittsburgh, Pennsylvania: CMU, CMU-CyLab-06-018, 2006.
[4]	SAHOO D, LIU C, HOI S C H. Malicious URL Detection Using Machine Learning: a Survey[EB/OL]. https://arxiv.org/pdf/1701.07179.pdf, 2020 -2-12.
[5]	WOODBRIDGE J, ANDERSON H S, AHUJA A, et al. Predicting Domain Generation Algorithms with Long Short-term Memory Networks[EB/OL]. https://arxiv.org/pdf/1611.00791.pdf, 2020 -2-11.
[6]	DAVUTH N, KIM S R. Classification of Malicious Domain Names using Support Vector Machine and Bi-gram Method[J]. International Journal of Security and Its Applications, 2013,7(1):51-58.
[7]	SAXE J, BERLIN K. eXpose: A Character-level Convolutional Neural Network with Embeddings for Detecting Malicious URLs, file paths and registry keys[EB/OL]. https://arxiv.org/pdf/1702.08568.pdf, 2020 -2-11.
[8]	SHI Yong, CHEN Gong, LI Juntao. Malicious Domain Name Detection Based on Extreme Machine Learning[J]. Neural Processing Letters, 2018,48(3):1347-1357.
[9]	HOCHREITER S, SCHMIDHUBER J. Long Short-term Memory[J]. Neural computation, 1997,9(8):1735-1780. URL pmid: 9377276
[10]	ROBERTO J, KUMAR S, SANTANU K D, et al. Transcend: Detecting Concept Drift in Malware Classification Models [C]//USENIX. The 26th USENIX Security Symposium, August 16-18, 2017, Vancouver, BC, Canada. Berkeley: USNIX Association, 2017: 625-642.

基于Conformal Prediction的威胁情报繁殖方法

Cyber Threat Intelligence Propagation Based on Conformal Prediction

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 10

相关文章 4

编辑推荐

Metrics

本文评价

[1]	吴警, 芦天亮, 杜彦辉. 基于Char-RNN改进模型的恶意域名训练数据生成技术[J]. 信息网络安全, 2020, 20(9): 6-11.
[2]	罗峥, 张学谦. 基于思维进化算法优化S-Kohonen神经网络的恶意域名检测模型[J]. 信息网络安全, 2020, 20(6): 82-89.
[3]	顾兆军, 任怡彤, 刘春波, 王志. 基于一致性预测算法的内网日志检测模型[J]. 信息网络安全, 2020, 20(3): 45-50.
[4]	徐丽萍, 郝文江. 美国政企网络威胁情报现状及对我国的启示[J]. 信息网络安全, 2016, 16(9): 278-284.