Journal of Information Security Research ›› 2021, Vol. 7 ›› Issue (E1): 8-.


Online: 2022-04-20. Published: 2022-04-20.

Research on a Platform Architecture for Machine-Readable, Consumable TTPs Threat Intelligence (可机读消费的TTPs威胁情报平台体系研究)

Wang Xiaobo (王晓波); Xie Lantian (谢兰天); Zheng Rande (郑然德); Xu Fei (徐菲)

  1. Product R&D Department, 北京信安天途科技有限公司, Beijing 100192, China
  • Corresponding author: Wang Xiaobo, senior engineer. Main research interests: information security attack and defense techniques, APT defense, and strategic threat intelligence infrastructure. wangxiaobo@skyroadsecurity.com
  • Author biographies: Wang Xiaobo, senior engineer. Main research interests: information security attack and defense techniques, APT defense, and strategic threat intelligence infrastructure. wangxiaobo@skyroadsecurity.com. Xie Lantian, senior software engineer. Main research interests: intranet security and defense techniques. passengerxlt@163.com. Zheng Rande, senior engineer. Main research interest: active defense in information security. rande@skyroadsecurity.com. Xu Fei, PhD, senior engineer. Main research interests: cyberspace security and threat intelligence analysis. 155177241@qq.com

Abstract: With the rapid growth of APT attacks and the escalation of network security confrontation, large volumes of threat intelligence are already being applied directly to information and network security defense, and security information sources, threat intelligence feeds and security vendors keep multiplying. The defensive force that security vendors can muster far exceeds that of attacker groups in both personnel and hardware resources, yet in practice attacker groups still succeed most of the time. The evolution of attack technique drives the evolution of defense technique, and unconventional APT attacks need unconventional defense mechanisms. Threat intelligence is still at an early stage: the collection, organization and use of tactical threat intelligence has begun to take shape, but tactical intelligence cannot give defenders sufficient strategic depth, and structured, TTPs-level, machine-readable threat intelligence platforms that support automated analysis and can provide strategic value are still being explored; research abroad in this field is roughly five to ten years ahead of that in China. This paper proposes an architectural approach for a TTPs-level threat intelligence platform. It discusses the origin and development of APT, threat intelligence and related theory, the underlying technical logic, the current state of the field and its future evolution, and how to build, on top of existing security information resources, a TTPs-level threat intelligence platform whose output can genuinely be read and consumed by machines. Such a platform is infrastructure: it will support the maturation of threat intelligence and serve as an effective means of strategic response guidance against APT attacks, raising national network security defense capability as a whole.
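As an added illustration of what "machine-readable consumption" of TTPs-level intelligence means in practice (this is example code, not the paper's or its authors' platform), the following Python consumes a small STIX 2.1 bundle and derives, for each intrusion set, the ATT&CK techniques it uses by following `uses` relationships from `intrusion-set` to `attack-pattern` objects and reading their `mitre-attack` external references. The bundle, its object identifiers, the actor name and the chosen technique references are constructed for this example; it uses only the standard library, so no STIX tooling is required.

```python
"""Consume a STIX 2.1 bundle and derive TTPs per intrusion set.

Added example, not code from the paper. The bundle below is constructed:
its object ids, the actor name and the technique references are
illustrative, not real intelligence.
"""
import json
from collections import defaultdict

TS = "2021-09-01T00:00:00.000Z"  # constructed timestamp reused on every object
ACTOR = "intrusion-set--11111111-1111-4111-8111-111111111111"
PHISH = "attack-pattern--22222222-2222-4222-8222-222222222222"
PWSH = "attack-pattern--33333333-3333-4333-8333-333333333333"
WEBC2 = "attack-pattern--44444444-4444-4444-8444-444444444444"
MISSING = "attack-pattern--99999999-9999-4999-8999-999999999999"  # deliberately absent


def attack_pattern(sid, name, technique_id, tactic):
    """Build a STIX attack-pattern carrying an ATT&CK external reference."""
    return {
        "type": "attack-pattern", "spec_version": "2.1", "id": sid,
        "created": TS, "modified": TS, "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
        "external_references": [{"source_name": "mitre-attack", "external_id": technique_id}],
    }


def uses(sid, src, dst):
    """Build a STIX 'uses' relationship from src to dst."""
    return {"type": "relationship", "spec_version": "2.1", "id": sid, "created": TS,
            "modified": TS, "relationship_type": "uses", "source_ref": src, "target_ref": dst}


# Constructed bundle, serialized as a producer would publish it.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
    "objects": [
        {"type": "intrusion-set", "spec_version": "2.1", "id": ACTOR,
         "created": TS, "modified": TS, "name": "Example Group"},
        attack_pattern(PHISH, "Phishing", "T1566", "initial-access"),
        attack_pattern(PWSH, "PowerShell", "T1059.001", "execution"),
        attack_pattern(WEBC2, "Web Protocols", "T1071.001", "command-and-control"),
        uses("relationship--55555555-5555-4555-8555-555555555555", ACTOR, PHISH),
        uses("relationship--66666666-6666-4666-8666-666666666666", ACTOR, PWSH),
        # Dangling reference: a real feed may ship relationships whose target sits
        # in another bundle or was withdrawn; a consumer must not crash on it.
        uses("relationship--77777777-7777-4777-8777-777777777777", ACTOR, MISSING),
    ],
})


def index_objects(bundle_text):
    """Parse a STIX 2.1 bundle (JSON text) into a dict keyed by STIX id."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = {}
    for obj in bundle.get("objects", []):
        # Every SDO/SRO carries type, id and spec_version; skip anything that does not.
        if all(k in obj for k in ("type", "id", "spec_version")):
            objects[obj["id"]] = obj
    return objects


def attack_technique_id(pattern):
    """Return the ATT&CK id (e.g. T1566) referenced by an attack-pattern, or None."""
    for ref in pattern.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def tactics(pattern):
    """ATT&CK tactic names from the attack-pattern's kill chain phases."""
    return sorted(p["phase_name"] for p in pattern.get("kill_chain_phases", [])
                  if p.get("kill_chain_name") == "mitre-attack")


def ttps_by_actor(objects):
    """Follow 'uses' relationships from intrusion-set to attack-pattern.

    Returns ({actor name: [ttp dicts sorted by technique id]}, dangling_count).
    """
    result = defaultdict(list)
    dangling = 0
    for obj in objects.values():
        if obj["type"] != "relationship" or obj.get("relationship_type") != "uses":
            continue
        src, dst = objects.get(obj["source_ref"]), objects.get(obj["target_ref"])
        if src is None or dst is None:
            dangling += 1  # tolerate references we cannot resolve
            continue
        if src["type"] != "intrusion-set" or dst["type"] != "attack-pattern":
            continue
        result[src["name"]].append({"technique": attack_technique_id(dst),
                                    "name": dst["name"], "tactics": tactics(dst)})
    for ttps in result.values():
        ttps.sort(key=lambda t: (t["technique"] or "", t["name"]))
    return dict(result), dangling


def actors_using(ttp_index, technique_id):
    """Pivot: which actors are recorded as using a given ATT&CK technique."""
    return sorted(actor for actor, ttps in ttp_index.items()
                  if any(t["technique"] == technique_id for t in ttps))


if __name__ == "__main__":
    index, unresolved = ttps_by_actor(index_objects(SAMPLE_BUNDLE_JSON))
    print(json.dumps(index, indent=2), "unresolved refs:", unresolved)
```

The consumer never reads free text: actor, technique, tactic and the link between them all come from typed STIX fields, which is what lets a platform feed the result straight into detection coverage checks or a knowledge graph. The dangling relationship is kept in the sample on purpose, since real feeds split related objects across bundles and a consumer that assumes every `*_ref` resolves will fail.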
Key words: APT attack; threat intelligence; natural language processing; artificial intelligence; knowledge graph; tactics, techniques, and procedures (TTPs); structured threat information expression (STIX)

Abstract (Chinese original, translated): At present, as APT attacks and security confrontation on the Internet keep escalating, large amounts of threat intelligence have long been applied directly to the offensive and defensive war over information and network security, and network security information sources, security vendors and threat intelligence feeds are multiplying. The defensive force provided by security vendors far exceeds that of hacker groups in both personnel and hardware resources, yet in practice hacker groups still succeed again and again. The evolution of attack techniques leads the evolution of defense techniques, and non-traditional APT attacks require non-traditional defenses. The evolution of threat intelligence is still at an early stage: the collection, organization and use of tactical threat intelligence has taken initial shape, but tactics-based threat intelligence cannot yet give defenders sufficient strategic value, while structured, TTPs-level threat intelligence platforms that support intelligent analysis and machine reading, and that can provide strategic value, are still being explored; research abroad in this area is 5 to 10 years ahead of that in China. This paper proposes an architectural approach for building a TTPs-level threat intelligence platform, covering the birth and development of APT, threat intelligence and related theory, the technical logic, the current state and future evolution, and how to build, on the basis of current security information resources, a TTPs-level threat intelligence platform that is genuinely machine-readable and consumable. A TTPs-level threat intelligence platform is infrastructure: it will support the development of threat intelligence into a mature form and serve as an effective means of strategic response guidance against APT attacks, thereby achieving a comprehensive improvement in national network security defense capability.

Key words (translated): APT attack; threat intelligence; natural language processing; artificial intelligence; knowledge graph; TTPs; structured threat information expression (STIX)