一种基于暗网的威胁情报主动获取框架

信息安全研究 ›› 2020, Vol. 6 ›› Issue (2): 131-138.

一种基于暗网的威胁情报主动获取框架

黄莉峥¹,刘嘉勇²,郑荣锋²,李孟铭¹

1. 四川大学网络空间安全学院
2. 四川大学电子信息学院

收稿日期:2020-02-08 出版日期:2020-02-10 发布日期:2020-02-08
通讯作者: 黄莉峥
作者简介:黄莉峥硕士研究生,主要研究方向为网络威胁情报与信息安全. 763799659@qq.com 刘嘉勇教授,博士生导师,主要研究方向为网络信息安全、网络信息处理、大数据分析 ljy@scu.edu.cn 郑荣锋博士研究生,主要研究方向为网络流量分析、工控系统安全、嵌入式设备安全、网络威胁情报. qswhs@foxmial.com 李孟铭硕士研究生,主要研究方向为网络威胁情报与信息安全. 1252709530@qq.com.

A Framework for Proactive Acquisition of Threat Intelligence Based on Darknet

Received:2020-02-08 Online:2020-02-10 Published:2020-02-08

摘要/Abstract

摘要： 暗网信息相比于表网往往具有更强时新性，可用于威胁情报获取和研究.针对安全研究人员难以从海量暗网数据中迅速获取强时新性威胁情报的问题，提出一种基于暗网的威胁情报主动获取框架.框架包括暗网数据获取、数据筛选和威胁情报获取3个模块，针对暗网中的“恶意软件”、“黑客工具”和“数据泄露”3类信息，提出并使用信息量计算方法I@n(information at n)，利用暗网和表网信息出现的时间差，计算暗网信息在表网中的信息量.通过表网中的信息量与信息的时新性之间的规律，主动获取暗网中的强时新性威胁情报.实验表明，通过该框架可以从暗网中获取威胁情报，帮助安全分析人员及时应对未知网络威胁.

关键词: 暗网, 威胁情报, 机器学习, 多分类, 信息检索, 数据挖掘

Abstract: The information in the darknet tends to appear earlier than the surface web and can be used for threat intelligence acquisition and research. Aiming at the problem that security researchers cant quickly obtain the emerging threat information from the massive darknet data, a framework for a proactive acquisition of threat intelligence based on darknet is proposed. The framework includes three modules: dark network data acquisition, data filtering and threat intelligence acquisition. For the three types of information such as “malware”, “hacking tools” and “data leakage” in the darknet, the framework proposes and uses the information amount calculation method I@n (information at n), calculating the amount of dark network information in the surface network by using the difference in the time of information appearing in the darknet and the surface network. The updated threat information in the dark network is proactively acquired through the law between the amount of information in the surface network and the timeliness of the information. Experiments show that it is feasible to use this framework to acquire threat intelligence proactively from the darknet, helping security analysts respond to unknown cyber threats in a timely manner.

Key words: darknet, threat intelligence, machine learning, multi-classification, information retrieval, data mining

黄莉峥刘嘉勇郑荣锋李孟铭. 一种基于暗网的威胁情报主动获取框架[J]. 信息安全研究, 2020, 6(2): 131-138.

参考文献

[1] Rob McMillan. Definition: Threat intelligence [EB/OL]. (2013-03-16) [2019-09-26]. https://www.gartner.com/doc/2487216 [2] IntSights. Financial services threat landscape report: The dark web perspective[EB/OL](2018-08-01)[2019-09-26].https://intsights.com/resources/financial-services-threat-landscape-report-july-2018 [3] 王知津, 范淑杰, 王丽娜. 竞争情报搜集与利用中的信息资产[J]. 图书馆学研究,2011,4:2-6 [4] Konrad R, Philipp T, Carsten W, et al. Automatic analysis of malware behavior using machine learning[J]. Computer Science. 2011, 19(4): 639–668 [5] Elike H, Xavier B, Andrew H, et al. Threat analysis of IoT networks using artificial neural network intrusion detection system [C] //Proc of the 2016 Int Symp on Networks, Computers and Communications (ISNCC). Piscataway,NJ: IEEE, 2016 [6] Alan S, Richard E O, Tomasz R. Detection of known and unknown DDos attacks using artificial neural networks[J]. Neurocomputing, 2016, 172: 385–393 [7] 张清海. 唯有“精准”才能有效——对竞争情报支撑企业决策的再认识[J]. 竞争情报, 2014(3): 8-10 [8] Sabottke C, Suciu O, Dumitras T. Vulnerability disclosure in the age of social media: Exploiting twitter for predicting real-world exploits[C]//Proc of the 24th USENIX Security Symp. Berkeley, CA: USENIX Association, 2015 [9] Nunes E, Diab A, Gunn A, et al. Darknet and deepnet mining for proactive cybersecurity threat intelligence [C] //Proc of IEEE Conf on Intelligence and Security Informatics (ISI). Piscataway,NJ: IEEE, 2016: 7-12 [10] Dong Fangzhou, Yuan Shaoxian, Ou Haoran, et al. New cyber threat discovery from darknet marketplaces [C] //Proc of IEEE Conf on Big Data and Analytics (ICBDA). Piscataway,NJ: IEEE, 2018: 62-67 [11] Sapienza A, Bessi A, Damodaran S, et al. Early warnings of cyber threats in online discussions [C] //Proc of IEEE Int Conf on Data Mining Workshops (ICDMW).Piscataway NJ: IEEE, 2017: 667-674 [12] 张永超, 王宇平. 暗网资源挖掘的关键技术研究[D]. 西安: 西安电子科技大学, 2013 [13] 王黎, 帅建梅. 搜索引擎的相关性排序算法研究[D]. 合肥: 中国科学技术大学, 2010 [14] 陆伟, 刘屹, 孟睿, 等. 基于域加权聚类算法的网络輿情热点话题探测[J]. 数字图书馆论坛, 2011,8: 50-56 [15] 秦喜艳, 陆伟, 姜捷璞. 信息检索中的相关性判断和系统评价述评. 图书情报知识, 2009, 4: 89-94 [16] 朱红灿, 陈能华, 周永红. 计算Web页面信息熵的方法[J]. 计算机工程与设计. 2010, 31(1): 114-117 [17] 李涛，张景肖. 基于BT-SVM模型组合的动态加权多分类算法研究[J]. 统计与信息论坛. 2019, 34(1): 20-24 [18] 张谦, 高章敏, 刘嘉勇. 基于Word2vec的微博短文本分类研究[J]. 信息网络安全, 2017 (1): 57-62 [19] 周志华. 机器学习[M]. 北京: 清华大学出版社, 2016: 121-139 [20] Pedregosa F, Varoquaux G, Gramfort A, et al. Scikit-learn: Machine learning in Python[J]. Journal of Machine Learning Research, 2011, 12(10): 2825-2830 [21] Manning C D, Surdeanu M, Bauer J, et al. The stanford coreNLP natural language processing toolkit [C] //Proc of the 52nd Annual Meeting of the Association for Computational Linguistics. Stroudsburg,PA: ACL, 2014: 55-60