Journal of Information Security Research ›› 2015, Vol. 1 ›› Issue (1): 31-36.


Research of Threat Intelligence Sharing and Using for Cyber Attack Attribution


  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
  • Online: 2015-10-05  Published: 2016-01-18

Research on Threat Intelligence Sharing and Utilization for Attack Attribution


  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093

Abstract: With the increasing complexity of cyberspace security, attack attribution has become an important challenge for security protection systems. The emergence of threat intelligence provides plentiful data sources to support attack attribution, making large-scale attack attribution possible. To realize effective attack attribution, a lightweight framework for threat intelligence sharing and utilization is proposed, based on the structured expression of threat information. It comprises threat intelligence expression, exchange and utilization, and can yield attack attribution results. Taking C2-related information as a case, we describe how threat intelligence is expressed for sharing and utilization, and verify the framework. Results show that the framework is practical and can provide new technical means for attack attribution. In addition, based on our understanding of threat intelligence, several thoughts on the construction of sharing and utilization mechanisms are put forward at the end.

Key words: attack attribution, threat intelligence, STIX, malicious code, cyber security
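The three parts of the framework named in the abstract (expression, exchange and utilization), shown as an added, self-contained Python example that is not the paper's own code: it expresses a constructed C2 domain indicator and the threat actor it indicates as STIX 2.1 JSON objects (an assumption; the paper predates STIX 2 and its own expression format is not reproduced here), round-trips the bundle through JSON as a sharing partner would receive it, and then matches constructed DNS query log lines against the shared indicator to produce attribution hits. The domain, actor name, object ids and log lines are all constructed placeholders, and the pattern parser handles only the single-term equality form of a STIX pattern.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample values; nothing here comes from the paper.
C2_DOMAIN = "c2.example.invalid"
ACTOR_NAME = "EXAMPLE-ACTOR-1"


def _stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_bundle():
    """Expression: one C2 domain indicator and the actor it indicates, as STIX 2.1 objects."""
    now = _stix_timestamp()
    actor_id = "threat-actor--" + str(uuid.uuid4())
    indicator_id = "indicator--" + str(uuid.uuid4())
    objects = [
        {"type": "threat-actor", "spec_version": "2.1", "id": actor_id,
         "created": now, "modified": now, "name": ACTOR_NAME},
        {"type": "indicator", "spec_version": "2.1", "id": indicator_id,
         "created": now, "modified": now,
         "indicator_types": ["malicious-activity"],
         "pattern": f"[domain-name:value = '{C2_DOMAIN}']",
         "pattern_type": "stix", "valid_from": now},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--" + str(uuid.uuid4()),
         "created": now, "modified": now,
         "relationship_type": "indicates",
         "source_ref": indicator_id, "target_ref": actor_id},
    ]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def exchange(bundle):
    """Exchange: round-trip through JSON, the form a sharing partner actually receives."""
    return json.loads(json.dumps(bundle))


# Only the simplest STIX comparison expression is handled: a single
# [object:property = 'value'] term. Real STIX patterns also allow boolean
# operators and qualifiers, which this subset does not parse.
_SIMPLE_PATTERN = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]$")


def extract_c2_domains(bundle):
    """Map each C2 domain in the bundle to the name of the actor it indicates."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    domains = {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "indicates":
            continue
        ind = by_id.get(rel["source_ref"])
        actor = by_id.get(rel["target_ref"])
        if not ind or ind["type"] != "indicator" or not actor:
            continue
        m = _SIMPLE_PATTERN.match(ind["pattern"])
        if m and m["obj"] == "domain-name" and m["prop"] == "value":
            domains[m["val"].lower()] = actor.get("name", actor["id"])
    return domains


# Constructed log format: "<timestamp> host=<name> query=<domain>".
_LOG_LINE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")


def attribute(bundle, log_lines):
    """Utilization: match DNS query logs against the shared C2 domains.

    Each hit links an internal host to the domain it resolved and to the
    actor the shared intelligence associates with that domain.
    """
    domains = extract_c2_domains(bundle)
    hits = []
    for line in log_lines:
        m = _LOG_LINE.search(line)
        if not m:
            continue  # malformed line: skip rather than fail the whole run
        query = m["query"].lower().rstrip(".")  # normalise case and trailing dot
        if query in domains:
            hits.append({"host": m["host"], "domain": query, "actor": domains[query]})
    return hits


# Constructed DNS query log lines (not real traffic).
SAMPLE_LOGS = [
    "2015-09-01T10:00:01Z host=ws-17 query=www.example.com",
    "2015-09-01T10:00:05Z host=ws-17 query=C2.EXAMPLE.INVALID.",
    "2015-09-01T10:01:12Z host=srv-03 query=c2.example.invalid",
    "malformed line",
]

if __name__ == "__main__":
    shared = exchange(make_bundle())
    for hit in attribute(shared, SAMPLE_LOGS):
        print(f"{hit['host']} contacted {hit['domain']} -> attributed to {hit['actor']}")
```

The `indicates` relationship is what turns a bare indicator match into an attribution statement: without the relationship object, a hit would only say that a host resolved a flagged domain, not which actor the sharing partner associates with it.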

Abstract: The cyberspace security situation is becoming increasingly complex, and attack attribution has become an important technical challenge for security protection systems. The emergence of threat intelligence provides multi-source data support for attack attribution, making large-scale attack attribution possible. To achieve effective attack attribution, a lightweight threat intelligence sharing and utilization framework based on the Structured Threat Information Expression (STIX) method is proposed; it covers three aspects, threat intelligence representation, exchange and utilization, in order to trace attack behaviour back to its source. Taking C2-related information as an example, the way threat intelligence is expressed for sharing and utilization is described and the sharing and utilization framework is verified, showing that the results are practical and can provide new technical means for attack attribution. In addition, based on an understanding of threat intelligence, several thoughts on building sharing and utilization mechanisms are put forward.

Key words: attack attribution, threat intelligence, Structured Threat Information Expression (STIX), malicious code, cyberspace security