
Research On Knowledge Graph Construction Technology For Cyber Threat Intelligence

Posted on: 2024-06-21
Degree: Master
Type: Thesis
Country: China
Candidate: W Sun
GTID: 2568306944955879
Subject: Computer technology

Abstract/Summary:
With the development of Internet technology and the spread of information technology across industries, the volume and variety of data on networks keep increasing, and network security faces great challenges as a result. Cyber threat intelligence, as the main reference for network security protection, is of great help to network security technicians and has high reference value. At the same time, current cyber threat intelligence has many problems. At present it is mainly collected independently by network security technicians (or organizations) and presented as text. As a result, the cyber threat intelligence texts produced by different technicians differ greatly, and because such texts are sparse, they contain many errors and much redundant information, so the availability of cyber threat intelligence is poor at the present stage. In addition, multi-source cyber threat intelligence is harder to integrate and use, and data cleaning consumes a large amount of human and computing resources. Research on threat intelligence analysis technology has therefore become the top priority in building standardized cyber threat intelligence. On the other hand, a knowledge graph, as a large-scale semantic network structure with strong relationships, correlates events well and contains rich semantic information, so it can directly describe the characteristics of events and the correlations between different events. The knowledge graph is therefore very well suited to standardizing multi-source heterogeneous cyber threat intelligence.

Based on this background, this paper studies knowledge graph construction technology for cyber threat intelligence. Targeting the multi-source, heterogeneous and sparse characteristics of cyber threat intelligence, a knowledge graph construction model suitable for cyber threat intelligence is proposed and built by combining knowledge graph ontology construction with named entity recognition technology. The model implements entity extraction and cyber threat intelligence ontology construction, the two functions needed to build the cyber threat intelligence knowledge graph, so that the knowledge graph can be constructed independently. In view of the above challenges and tasks, the main work of this paper is as follows.

Firstly, according to the top-down construction characteristics of the cyber threat intelligence knowledge graph and the real needs of network security personnel, this paper constructs an ontology suitable for cyber threat intelligence. The task of constructing the cyber threat intelligence ontology is decomposed into two parts: cyber security ontology construction and cyber threat ontology construction. The two ontologies are connected to each other through an intermediate entity concept, which breaks the isolation between the cyber threat ontology and the cyber security ontology and realizes asynchronous instantiation of the cyber threat intelligence ontology. This method not only meets the actual requirements of cyber threat intelligence ontology construction, but also greatly reduces the cost of instantiating the ontology and provides a strong foundation for the subsequent named entity recognition work.

Secondly, to address the poor recognition of specialized entities and the low knowledge content of the text in the cyber threat intelligence named entity recognition task, this paper proposes a named entity recognition model suitable for cyber threat intelligence text. The method mainly uses mixed features to capture cyber threat intelligence entities. Based on the special heterogeneous characteristics of entities in cyber threat intelligence, a structure embedding method is proposed to capture entities with special structure. To address the problem that entity semantics are lost during named entity recognition training, this paper proposes a semantic enhancement module suited to the field of cyber threat intelligence. By adding external network security vocabulary and general vocabulary, the module improves the semantic expressiveness of entities in the encoded sequence and thereby improves the accuracy of cyber threat intelligence entity annotation. Combined with the cyber threat intelligence ontology, the cyber threat intelligence knowledge graph is then constructed to provide a reference for network security personnel.

Finally, to verify the effectiveness of the constructed knowledge graph model in extracting cyber threat intelligence text, this paper carries out experimental verification from multiple angles, covering the extraction ability of the cyber threat intelligence entity recognition model and the accuracy of the cyber threat intelligence ontology construction. Experimental results show that, compared with other generic named entity recognition models, the proposed model not only effectively captures the mixed features of generic entities in the input sequence, but also greatly improves entity extraction performance in the special domain. In addition, the constructed cyber threat intelligence ontology model, by refining the entity categories, provides strong support to the cyber threat intelligence named entity recognition model. The model constructed in this paper therefore achieves good performance on the named entity recognition task in both the general domain and the cyber threat intelligence domain.
Keywords/Search Tags:Cyber threat intelligence, Knowledge graph, Entity extraction, Ontology construction, Named entity recognition