Journal of Xidian University ›› 2023, Vol. 50 ›› Issue (4): 65-75.doi: 10.19665/j.issn1001-2400.2023.04.007

• Special Issue on Cyberspace Security • Previous Articles     Next Articles

Research on threat intelligence extraction and knowledge graph construction technology

SHI Huiyang1,2(),WEI Jingxuan3(),CAI Xingye3(),WANG He4(),GAO Suixiang5,6(),ZHANG Yuqing1,2,4,6()   

  1. 1. School of Computer Science and Technology,University of Chinese Academy of Sciences,Beijing 101408,China
    2. National Computer Network Intrusion Prevention Center,University of Chinese Academy of Sciences,Beijing 101408,China
    3. Shenyang Institute of Computing Technology,University of Chinese Academy of Sciences,Shenyang 110168,China
    4. School of Cyber Engineering,Xidian University,Xi’an 710071,China
    5. School of Mathematical Sciences,University of Chinese Academy of Sciences,Beijing 101408,China
    6. Zhongguancun Laboratory,Beijing 100094,China
  • Received:2023-01-19 Online:2023-08-20 Published:2023-10-17
  • Contact: Yuqing ZHANG;;;;;


At present,the infrastructure used by attackers can adapt to more target environments.After successfully invading the target,the attackers use legitimate user credentials to gain trust,and continuously learn to exploit new vulnerabilities to achieve the purpose of attacks.In order to combat attacks and to improve the quality and utilization efficiency of the threat intelligence,this paper constructs a knowledge mapping framework of threat intelligence through the following four processes:intelligence collection,information extraction,ontology construction,and knowledge reasoning.The proposed framework can realize the search for and correlation of essential indicators in the intelligence.Then,an indicator of compromise (IOC) recognition extraction method based on the Bert+BISLTM+CRF is proposed and a regular matching mechanism is applied to limit the output for identifying and extracting IOC information from the text information,followed by performing the structured threat information expression (STIX) standard format conversion.The accuracy and recall rate of this extraction model for the text information extraction are higher through horizontal and vertical comparison.Finally,by taking the APT1 as an example,this paper constructs the entity-relationship diagram of threat intelligence.The attack behavior is transformed into a structured format combined with the adversarial tactics,techniques,and common knowledge (ATT & CK) framework.A knowledge map of ontology and atomic ontology is established which is used to analyze the potential associations between data through the knowledge map associations and to discover potential associated information and attack agents in threat intelligence with similarity and correlation.The correlation analysis of threat intelligence is carried out,which provides the basis for the formulation of defense strategy.

Key words: threat intelligence, neural network, ontology, IOC extration, ATT&CK, knowledge graph

CLC Number: 

  • TP399