
Research On The Evaluation Method Of Cyber Security Threat Intelligence Quality

Posted on: 2023-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: Z P Cheng
Full Text: PDF
GTID: 2558306761987879
Subject: Computer Science and Technology
Abstract/Summary:

In the past few years, the cyberspace security landscape has undergone fundamental changes. With the continuous application of new technologies such as machine learning, new cyberattack methods and attack tools are developing and iterating rapidly. The threat information facing cyberspace continues to grow, and traditional security defense methods find it increasingly difficult to cope. As a new security defense method, cyber threat intelligence is accepted by more and more organizations and individuals, and is regarded as an effective way to defend against new types of attacks in cyberspace. As the threat intelligence ecosystem has developed, threat intelligence has come to be characterized by a wide range of sources, various types, unknown value, large scale, and strong timeliness. As a result, many threat intelligence platforms and communities contain a great deal of invalid, incomplete, and low-quality threat intelligence, which greatly hinders the development and application of threat intelligence. Therefore, in view of the current quality problems in the field of threat intelligence, this thesis focuses on how to evaluate the quality of heterogeneous threat intelligence sources and how to evaluate the quality of large-scale heterogeneous threat intelligence. The main research contents of this thesis are as follows.

First, to address the problems of diverse threat intelligence sources, inconsistent formats, and unclear quality, a multi-dimensional quality evaluation method for heterogeneous threat intelligence sources, ISU-Measure, is proposed. The method first designs timeliness, activity, relevance, and completeness indicators in the dimension of threat intelligence content to quantify the quality of micro threat intelligence. Second, in the dimension of intelligence sources, the indicators of scale, periodicity, and originality are proposed to measure the quality characteristics of threat intelligence sources. Then, a user index preference is designed so that users can adjust their preference for each quantitative index, and a composite weight method is designed based on the CRITIC objective weight method and the user preference, forming a quantitative quality evaluation model for heterogeneous threat intelligence sources. Real-time intelligence data from 12 mainstream threat intelligence sources are crawled for quality assessment experiments. The results show that the current mainstream threat intelligence sources still need to improve the relevance and completeness of their threat intelligence. The composite weight method designed in this thesis is superior to the mean method and the single CRITIC weight method, which improves the adaptability and generality of the model. Compared with other research methods, ISU-Measure has obvious advantages in index coverage, acquisition difficulty, and distinction.

Second, to address the quality problem of large-scale heterogeneous threat intelligence content, a quality evaluation model for large-scale heterogeneous threat intelligence based on graph mining technology and the random forest algorithm is proposed. The model includes three modules: multi-source heterogeneous threat intelligence collection and fusion, graph-based intelligence reasoning and enrichment, and a random forest quality assessment algorithm based on multi-dimensional quality feature extraction. It provides a feasible solution for the quality evaluation of large-scale heterogeneous threat intelligence. The performance of the proposed model is evaluated on real intelligence datasets verified by VirusTotal, IBM X-Force Exchange, and 360 Threat Intelligence Center. The experimental results show that the classifier based on graph mining inference and feature enrichment has a better classification effect, and that the threat intelligence quality assessment model based on graph mining and random forest achieves higher precision and recall. The threat intelligence quality evaluation model helps security practitioners automatically screen out high-quality threat intelligence from large-scale heterogeneous threat intelligence drawn from a wide range of sources, so as to improve the efficiency with which threat intelligence is analyzed and used.
Keywords/Search Tags: Threat Intelligence, Quality Evaluation, Multi-source Heterogeneity, Multi-dimensional Features, Graph Mining, Intelligence Reasoning