原创 | 基于开源信息平台的开源威胁情报挖掘简述

作者 | 崔琳 杨黎斌 西北工业大学

         罗冰 何清林 国家互联网应急中心

摘要：网络空间新生威胁日趋复杂多变，威胁情报作为直接或潜在网络安全威胁的外部信息资源，可帮助安全人员快速甄别恶意威胁攻击并及时作出响应防御吗。开源威胁情报（OSTI）挖掘技术可从多方开源情报中获取高质量情报，极大弥补了传统威胁情报挖掘信息量单薄等不足。本文系统调研了近5年来国内外开源威胁情报挖掘及应用的相关文献，归纳总结了开源威胁情报挖掘应用的全景图，着重从开源威胁情报获取与识别提取，开源威胁情报融合评价以及开源威胁情报关联应用等三个场景进行了分析和论述，指出了这三部分研究工作中的细分热点方向，并对各解决方案做了系统优劣势分析；最后总结了开源威胁情报挖掘中尚待解决的共性问题。

关键词：开源威胁情报,识别提取,融合评价,关联分析；

一、引言

随着万物互联的时代到来，互联网由于其多源异构，泛在开放等特性，其面临的网络威胁与攻击日趋复杂多变。网络空间威胁情报(CTI)挖掘技术，通过收集、识别实时网络威胁信息并将其转化为威胁情报，可及时针对现今具有多态、复杂的高智能威胁与攻击做出及时响应防御。如图1所示，根据来源不同，威胁情报可分为内部威胁情报和外部威胁情报。其中内部威胁情报一般来源于目标系统中的内部安全事件信息，可通过入侵检测系统(IDS)等安全设备中的相关信息提纯获得；外部威胁情报包括：1、商业威胁情报，即安全厂商以产品形式出售或分享的商业威胁情报；2、开源威胁情报，在网络公开平台中分享的开源威胁情报。

图1  威胁情报分类

开源威胁情报，由于其快速、灵活、易于移植等特点，突破了其他威胁情报形式来源少，情报特征受限等不足，更加适应网络威胁攻击形式迭代更新频繁的环境，吸引了工业界与学术界的广泛关注。在工业界，开源威胁情报作为网络防御的一项重要手段，已经在部分厂商的实际情景中开始落地应用；在学术届，关于开源威胁情报挖掘的研究最早从2015年开始出现，以后逐年递增。我们系统调研分析了近5年来主流安全类期刊和会议上关于开源威胁情报挖掘的文献，共有一百余篇，如图2所示。

图2 基于开源信息平台开源威胁情报挖掘文献分布情况

本文对相关文献进行整理和归纳，总结出当今开源威胁情报挖掘的一般流程和框架模型，涵盖了开源情报的识别提取、融合评价、关联分析等三个细分方向的研究，并对各个细分方向的研究重点及相关技术方法做了针对性总结和归纳。学术研究热度连年上升反映出该领域已持续受到关注，研究和分析已有的开源威胁情报研究概况，对于进一步推进我国威胁情报挖掘分析工作的发展，提高国家网络安全的整体防御能力，具有重要的意义。

二、开源威胁情报挖掘整体框架

根据Friedman 和Bouchard《网络威胁情报权威指南》中给出的定义，威胁情报是指对企业可能产生潜在或直接危害的信息集合。这些威胁信息经过搜集、分析、整理，能帮助企业研判面临威胁并做出正确应对，以保护企业的关键资产。从开源情报的直观定义来看，开源情报在挖掘并应用到关键资产保护时，囊括了收集分析，质量评价及关联应用等基础需求。从这些基础需求出发，我们深入分析了威胁情报挖掘的一百多篇相关文献，系统梳理了各个文献方法的技术理论及应用场景，抽象归纳出开源威胁情报挖掘的一般流程框架模型。已有绝大部分开源威胁情报挖掘的研究工作都可以纳入到该框架中。如图3所示，

图3 开源威胁情报挖掘整体框架

开源威胁情报挖掘的整体框架自顶向下可分为开源威胁情报获取与识别提取，开源威胁情报融合评价和开源威胁情报关联分析三大关键模块。其中：开源威胁情报获取与识别提取主要集中于针对不同开源信息平台如技术文章、暗网论坛、社交媒体、web开源信息等，利用动态爬虫与检测更新等方法，获取获取威胁情报的基础信息，通过信息预处理、IOC提取等技术手段，将其转换成OpenIOC，STIX等标准化开源威胁情报格式；开源威胁情报融合评价主要是针对多源异构开源威胁情报基础数据进行整合、萃取和提炼，并研究建立相关质量评价指标对威胁情报的质量及可信性进行评价，为后续威胁情报和威胁攻击的关联挖掘提供输入线索；开源威胁情报的关联分析研究一般是综合运用Kill-Chain模型、钻石模型或异构信息网络能模型，在不同应用场景中结合已有开源威胁情报与实时流量数据，对威胁情报进行深度关联、碰撞、分析操作，以发现一些潜在的攻击行为。

三、开源威胁情报挖掘概况分析

3.1开源威胁情报获取与识别提取

这部分的研究工作主要集中于针对不同开源信息平台如技术文章、暗网论坛、社交媒体、web开源信息等，利用动态爬虫与检测更新等方法，获取获取威胁情报的基础信息。近期文献主要集中于研究设计自动化爬虫及解析技术，从安全论坛和博客等平台获得非结构化语义文本数据。这其中话题检测是威胁情报获取步骤涉及的关键技术，在当前研究工作中，主要用过命名实体识别结合SVM、逻辑回归、随机森林、朴素贝叶斯等机器学习分类方法进行话题分类，并过滤掉非安全与IOC无关的非结构化信息。

开源威胁情报另外一个重要流程是威胁情报的识别和提取。这部分工作包括信息预处理、IOC提取与威胁情报生成等子模块。其中信息预处理主要运用文本处理方法删除掉下载信息中的非用户生成信息；IOC提取一般是通过应用NLP中NER技术或其他人工智能技术，如正则表达式匹配，BiLSTM+CRF等，针对预处理过的非结构文本信息进行遍历定位出IOC，并应用机器挖掘技术获取目标实体关系，最终根据实际需要进行标准化威胁情报格式输出。开源威胁情报获取与识别提取具体文献工作概要可参考图4。另外我们也从情报获取场景，主要成果，所使用的技术及性能评价等方面对相关文献进行了详细解析，如表1所示。

图4  开源威胁情报获取与识别提取研究工作概览 

表1  开源威胁情报识别提取依提取场景文献对比分析

3.2开源威胁情报的融合评价

高质量的威胁情报一般具有时效性、准确性、完整性、丰富性、可操作性、场景相关性等特征。而由于开源威胁情报来源的开放性，导致其挖掘得到的情报信息也具有多源异构性，这将阻碍威胁情报的存储和共享，应用于实际场景检测时也可能引发漏报、误报等不可控问题。在实际应用时，一般需要对多源异构的开源威胁情报信息进行融合处理，结合一致性分析和去伪去重等操作，来改善开源威胁情报集成分析应用效率低下的问题。

具体开源威胁情报的融合评价研究工作详见图5，

图5  开源威胁情报的融合评价研究工作概览

可以看出，开源威胁情报的一致性分析一般利用本体构建技术，而通过关联和组合包含相同威胁信息的IOC是解决威胁情报去伪去重的重要手段。

开源威胁情报大多用于辅助支持安全决策或分析，未知来源和真实性的开源情报将影响决策的正确性和分析结果的准确性。同一类别的开源威胁情报可能有多个来源，数据质量良莠不齐，因此需要对情报质量进行筛选、评估，以得到高质量、高可信度的情报。开源威胁情报质量及可信性评价方法主要包含定性评价方法、基于定量指标的方法、基于图挖掘的方法等。除此之外，我们还注意到了一些有关开源威胁情报“数据中毒”的研究。

3.3开源威胁情报的关联分析

这部分是开源威胁情报深度挖掘研究的重点工作，当前大部分工作主要是针对输入开源威胁情报，综合运用Kill-Chain模型、钻石模型或异构信息网络能模型，结合已有开源威胁情报与实时流量数据，对威胁情报进行深度关联、碰撞、分析操作，以发现一些潜在的攻击行为，推理挖掘揭示出隐含的攻击链条等威胁信息等。以开源威胁情报为应用核心的关联分析研究工作较为热门，大致可分为网络狩猎，态势感知，恶意检测等三个应用场景。具体该子方向的研究工作总结如图6所示，详细技术细节对比详见表2。

其中威胁狩猎是采用威胁情报辅助的方法，针对网络和数据进行主动的和反复的搜索，从而检测出逃避现有安全防御措施的威胁目标，涉及图计算、模式匹配、领域特定语言等技术理论；态势感知是以威胁情报大数据为基础，掌握网络全局实况，从全局视角提升对安全威胁的发现识别，理解分析、响应处置能力。由于涉及和恶意攻击的策略博弈，因此在利用威胁情报进行态势感知分析时，近期有较多文献引入了博弈理论。开源威胁情报的恶意代码检测是指挖掘检测任何恶意侵害目标系统相关资产的代码或程序。利用开源威胁情报辅助恶意检测有助于更快发现威胁代码。常见方法是从开源威胁情报中提取相关检测知识，并与恶意软件的静态、动态特征数据进行关联，构建网络安全知识图谱来挖掘恶意软件行为。

图6  开源威胁情报关联分析研究工作概览

表2  开源威胁情报关联分析技术对比解析

四、总结

综合来看，开源威胁情报挖掘研究工作已经取得了许多突破，并成为了网络安全防护体系架构中的重要一环，尤其对实现网络安全态势感知以及应对新生网络威胁的狩猎起着至关重要的作用。但另一方面开源威胁情报挖掘研究中还存在一些问题，包括：开源威胁情报获取识别时效率较低，自动化分析提取技术的性能急需提升；不同源的威胁情报质量参差不齐，整合代价过高；缺少通用的威胁情报开发二次接口及有公信力的认证机构等。现有局限问题为未来开源威胁情报等威胁情报的发展提供了机遇和挑战，通过认识强化已有研究工作，有利于把握现有开源情报挖掘工作的研究方向，提升开源威胁情报挖掘技术的价值，进而提高我国综合网络安全威胁检测与应急响应能力。

参考文献

[1]FireEyeInc., Taking a Lean-Forward Approach to Combat Today’s Cyber Attacks, Tech. rep., FireEye; 2014.

[2]Shackleford,D.: Who’s using cyberthreatintelligence and how? – a SANS survey (2015). URLhttps://www.sans.org/reading- room/whitepapers/analyst/ cyberthreat-intelligence- how- 35767

[3]L.Obrst, P. Chase, and R. Markeloff. Developing an ontology of the cyber securitydomain. In STIDS, pages 49–56, 2012.

[4]ChismonD, Ruks M. Threat intelligence: Collecting, analysing,evaluating, MWRInfosecurity, UK Cert, United Kingdom;2015.

[5]杨沛安, 武杨, 苏莉娅,等. 网络空间威胁情报共享技术综述[J]. 计算机科学, 2018, v.45(06):15-24+32.

[6]CleanMX.http://lists.clean- mx.com/cgi- bin/mailman/listinfo/viruswatch/.

[7]PhishTank.https://www.phishtank.com/.

[8]威胁情报之“商业情报实现数据融合”是否为一个伪需求. https://zhuanlan.zhihu.com/p/196699007

[9]JoH, Kim J, Porras P, et al. GapFinder: Finding Inconsistency of SecurityInformation From Unstructured Text[J]. IEEE Transactions on InformationForensics and Security, 2020, 16: 86-99.

[10]HusariG, Al-Shaer E, Ahmed M, et al. Ttpdrill: Automatic and accurate extraction ofthreat actions from unstructured text of cti sources[C]//Proceedings of the33rd Annual Computer Security Applications Conference. 2017: 103-115.

[11]HusariG, Niu X, Chu B, et al. Using entropy and mutual information to extract threatactions from cyber threat intelligence[C]//2018 IEEE International Conferenceon Intelligence and Security Informatics (ISI). IEEE, 2018: 1-6.

[12]GaoP, Shao F, Liu X, et al. Enabling Efficient Cyber Threat Hunting With CyberThreat Intelligence[J]. arXiv preprint arXiv:2010.13637, 2020.

[13]ShuX, Araujo F, Schales D L, et al. Threat intelligence computing[C]//Proceedingsof the 2018 ACM SIGSAC Conference on Computer and Communications Security.2018: 1883-1898.

[14]MilajerdiS M, Eshete B, Gjomemo R, et al. Poirot: Aligning attack behavior with kernelaudit records for cyber threat hunting[C]//Proceedings of the 2019 ACM SIGSACConference on Computer and Communications Security. 2019: 1795-1812.

[15]Ranade,Priyanka, et al. "Using deep neural networks to translate multi-lingualthreat intelligence." 2018 IEEE International Conference on Intelligenceand Security Informatics (ISI). IEEE, 2018.

[16]ZhangH, Yi Y, Wang J, et al. Network security situation awareness framework based onthreat intelligence[J]. Computers, Materials and Continua, 2018, 56(3):381-399.

[17]HusariG, Al-Shaer E, Chu B, et al. Learning APT chains from cyber threatintelligence[C]//Proceedings of the 6th Annual Symposium on Hot Topics in theScience of Security. 2019: 1-2.

[18]GaoY, Xiaoyong L I, Hao P, et al. HinCTI: A Cyber Threat Intelligence Modeling andIdentification System Based on Heterogeneous Information Network[J]. IEEETransactions on Knowledge and Data Engineering, 2020.

[19]ZhuZiyun , Dumitras Tudor.FeatureSmith: Automatically Engineering Features forMalware Detection by Mining the Security Literature.The 2016 ACM SIGSACConference, 10.1145/2976749.2978304:767-778.

[20]LandauerM, Skopik F, Wurzenberger M, et al. A Framework for Cyber Threat IntelligenceExtraction from Raw Log Data[C]//2019 IEEE International Conference on Big Data(Big Data). IEEE, 2019: 3200-3209.

[21]KurogomeY, Otsuki Y, Kawakoya Y, et al. EIGER: automated IOC generation for accurateand interpretable endpoint malware detection[C]//Proceedings of the 35th AnnualComputer Security Applications Conference. 2019: 687-701.

[22]CatakogluO, Balduzzi M, Balzarotti D. Automatic extraction of indicators of compromisefor web applications[C]//Proceedings of the 25th International Conference onWorld Wide Web. 2016: 333-343.

[23]EricM Hutchins, Michael J Cloppert, and Rohan M Amin. 2011. Intelligence-drivencomputer network defense informed by analysis of adversary campaigns andintrusion kill chains. Leading Issues in Information Warfare & SecurityResearch 1 (2011), 80.

[24]SabottkeC, Suciu O, DumitrașT. Vulnerability disclosure in the age of social media: Exploiting twitter forpredicting real-world exploits[C]//24th {USENIX} Security Symposium ({USENIX}Security 15). 2015: 1041-1056.

[25]M.Bozorgi, L. K. Saul, S. Savage, and G. M. Voelker, “Beyond heuristics: learning to classify vulnerabilities and predictexploits,” in Proceedings of the 16th ACM SIGKDDinternational conference on Knowledge discovery and data mining. ACM, 2010, pp.105–114.

[26]KhandpurR P , Ji T , Jan S , et al. Crowdsourcing Cybersecurity: Cyber Attack Detectionusing Social Media[J]. 2017.

[27]MittalS, Das P K, Mulwad V, et al. Cybertwitter: Using twitter to generate alerts forcybersecurity threats and vulnerabilities[C]//2016 IEEE/ACM InternationalConference on Advances in Social Networks Analysis and Mining (ASONAM). IEEE, 2016:860-867.

[28]Benjamin,V., Li, W., Holt, T. and Chen, H. Exploring threats and vulnerabilities inhacker web: Forums, IRC and carding shops. IEEE, City, 2015.

[29]LeSceller Q, Karbab E M B, Debbabi M, et al. Sonar: Automatic detection of cybersecurity events over the twitter stream[C]//Proceedings of the 12thInternational Conference on Availability, Reliability and Security. 2017: 1-11.

[30]LiM, Zheng R, Liu L, et al. Extraction of Threat Actions from Threat-relatedArticles using Multi-Label Machine Learning Classification Method[C]//2019 2ndInternational Conference on Safety Produce Informatization (IICSPI). IEEE,2019: 428-431.

[31]XunS, Li X, Gao Y. AITI: An Automatic Identification Model of Threat IntelligenceBased on Convolutional Neural Network[C]//Proceedings of the 2020 the 4thInternational Conference on Innovation in Artificial Intelligence. 2020: 20-24.

[32]ZhaoY, Lang B, Liu M. Ontology-based unified model for heterogeneous threatintelligence integration and sharing[C]//2017 11th IEEE InternationalConference on Anti-Counterfeiting, Security, and Identification (ASID). IEEE,2017: 11-15.

[33]徐留杰，翟江涛，杨康，丁晨鹏. 一种多源网络安全威胁情报采集与封装技术[J]. 操作系统、网络体系与服务器技术, 2018.

[34]ZhuZ, Dumitras T. Chainsmith: Automatically learning the semantics of maliciouscampaigns by mining threat intelligence reports[C]//2018 IEEE EuropeanSymposium on Security and Privacy (EuroS&P). IEEE, 2018: 458-472.

[35]ZhaoJ, Yan Q, Li J, et al. TIMiner: Automatically Extracting and AnalyzingCategorized Cyber Threat Intelligence from Social Data[J]. Computers &Security, 2020: 101867.

[36]ZhangP, Ya J, Liu T, et al. iMCircle: Automatic Mining of Indicators of Compromisefrom the Web[C]//2019 IEEE Symposium on Computers and Communications (ISCC).IEEE, 2019: 1-6.

[37]Bou-HarbE. A probabilistic model to preprocess darknet data for cyber  threat intelligence generation[C]//2016 IEEEInternational Conference on Communications (ICC). IEEE, 2016: 1-6.

[38]LongZ, Tan L, Zhou S, et al. Collecting Indicators of Compromise from UnstructuredText of Cybersecurity Articles using Neural-Based Sequence Labelling[C]//2019International Joint Conference on Neural Networks (IJCNN). IEEE, 2019: 1-8.

[39]SchaberreiterT, Kupfersberger V, Rantos K, et al. A quantitative evaluation of trust in thequality of cyber threat intelligence sources[C]//Proceedings of the 14thInternational Conference on Availability, Reliability and Security. 2019:1-10..

[40]RamnaniR R, Shivaram K, Sengupta S. Semi-automated information  extraction from unstructured threatadvisories[C]//Proceedings of the  10thInnovations in Software Engineering Conference. 2017: 181-187.

[41]GhaziY, Anwar Z, Mumtaz R, et al. A supervised machine learning based approach forautomatically extracting high-level threat intelligence from unstructuredsources[C]//2018 International Conference on Frontiers of InformationTechnology (FIT). IEEE, 2018: 129-134.

[42]LiK, Wen H, Li H, et al. Security OSIF: Toward automatic discovery and analysisof event based cyber threat intelligence[C]//2018 IEEE SmartWorld, UbiquitousIntelligence & Computing, Advanced & Trusted Computing, ScalableComputing & Communications, Cloud & Big Data Computing, Internet ofPeople and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI).IEEE, 2018: 741-747.

[43]NiakanlahijiA, Safarnejad L, Harper R, et al. IoCMiner: Automatic Extraction of Indicatorsof Compromise from Twitter[C]//2019 IEEE International Conference on Big Data(Big Data). IEEE, 2019: 4747-4754.

[44]LiaoX , Yuan K , Wang X F , et al. Acing the IOC Game: Toward Automatic Discoveryand Analysis of Open-Source Cyber Threat Intelligence[C]// Acm SigsacConference on Computer & Communications Security. ACM, 2016.

[45]GhaziY , Anwar Z , Mumtaz R , et al. A Supervised Machine Learning Based Approachfor Automatically Extracting High-Level Threat Intelligence from UnstructuredSources[C]// 2018 International Conference

[46]NunesE, Diab A, Gunn A, et al.  Darknet anddeepnet mining for proactive cybersecurity threat  intelligence[C]//2016 IEEE Conference onIntelligence and Security  Informatics(ISI). IEEE, 2016: 7-12.

[47]DeliuI, Leichter C, Franke K. Extracting cyber threat intelligence from hackerforums: Support vector machines versus convolutional neural networks[C]//2017IEEE International Conference on Big Data (Big Data). IEEE, 2017: 3648-3656.

[48]DeliuI, Leichter C, Franke K. Collecting cyber threat intelligence from hackerforums via a two-stage, hybrid process using support vector machines and latentdirichlet allocation[C]//2018 IEEE International Conference on Big Data (BigData). IEEE, 2018: 5008-5013.

[49]StevenJ. Vaughan-Nichols. It’s an open-source world:78 percent of companies run open-source software, Dec 2015.

[50]NeilL, Mittal S, Joshi A. Mining threat intelligence about open-source projects andlibraries from code repository issues and bug reports[C]//2018 IEEEInternational Conference on Intelligence and Security Informatics (ISI). IEEE,2018: 7-12.

[51]Github.https://github.com

[52]Gitlab.https://about.gitlab.com/.

[53]Bitbucket.https://bitbucket.org.

[54]StuderR, Benjamins V R, Fensel D. Knowledge engineering: principles and methods[J].Data & knowledge engineering, 1998, 25(1-2): 161-197.

[55]DrumondL, Girardi R. A Survey of Ontology Learning Procedures[J]. WONTO, 2008, 427:1-13.

[56]董聪, 姜波, 卢志刚, 等. 面向网络空间安全情报的知识图谱综述[J]. 信息安全学报, 2020, 5(5): 56-76.

[57]威胁情报的上下文、标示及能够执行的建议. 

https://www.freebuf.com/articles/neopoints/188175.html

[58]ModiA, Sun Z, Panwar A, et al. Towards automated threat intelligencefusion[C]//2016 IEEE 2nd International Conference on Collaboration and InternetComputing (CIC). IEEE, 2016: 408-416.

[59]AzevedoR, Medeiros I, Bessani A. PURE: Generating quality threat intelligence byclustering and correlating OSINT[C]//2019 18th IEEE International Conference OnTrust, Security And Privacy In Computing And Communications/13th IEEEInternational Conference On Big Data Science And Engineering(TrustCom/BigDataSE). IEEE, 2019: 483-490.

[60]Y.Gao, X. Li, J. Li, Y. Gao and N. Guo, "Graph Mining-based Trust EvaluationMechanism with Multidimensional Features for Large-scale Heterogeneous ThreatIntelligence," 2018 IEEE International Conference on Big Data (Big Data),Seattle, WA, USA, 2018, pp. 1272-1277, doi:

[61]R.Meier, C. Scherrer, D. Gugelmann, V. Lenders and L. Vanbever, "FeedRank: Atamper- resistant method for the ranking of cyber threat intelligencefeeds," 2018 10th International Conference on Cyber Conflict (CyCon),Tallinn, 2018, pp. 321-344, doi: 10.23919/CYCON.2018.8405024.

[62]程翔龙. 基于机器学习的威胁情报可信分析系统的研究[D].北京邮电大学,2019.

[63]Al-IbrahimO, Mohaisen A, Kamhoua C, et al. Beyond free riding: quality of indicators forassessing participation in information sharing for threat intelligence[J].arXiv preprint arXiv:1702.00552, 2017.

[64]李蕾. 网络空间中威胁情报可信度多维度分析模型研究[D].北京邮电大学,2018.

[65]L.Qiang, J. Zhengwei, Y. Zeming, L. Baoxu, W. Xin and Z. Yunan, "A QualityEvaluation Method of Cyber Threat Intelligence in User Perspective," 201817th IEEE International Conference On Trust, Security And Privacy In ComputingAnd Communications/ 12th IEEE International Conference On Big Data Science AndEngineering (TrustCom/BigDataSE), New York, NY, 2018, pp. 269-276, doi:10.1109/TrustCom/BigDataSE.2018.00049.

[66]LiV G, Dunn M, Pearce P, et al. Reading the tea leaves: A comparative analysis ofthreat intelligence[C]//28th {USENIX} Security Symposium ({USENIX} Security19). 2019: 851-867.

[67]SchaberreiterT, Kupfersberger V, Rantos K, et al. A quantitative evaluation of trust in thequality of cyber threat intelligence sources[C]//Proceedings of the 14thInternational Conference on Availability, Reliability and Security. 2019: 1-10.

[68]SchletteD, Böhm F, Caselli M, et al. Measuring and visualizing cyber threat intelligencequality[J]. International Journal of Information Security, 2020: 1-18.

[69]刘汉生,唐洪玉,薄明霞,牛剑锋,李天博,李玲晓.基于机器学习的多源威胁情报质量评价方法[J].电信科学,2020,36(01):119-126.

[70]GriffioenH, Booij T, Doerr C. Quality Evaluation of Cyber Threat IntelligenceFeeds[C]//International Conference on Applied Cryptography and NetworkSecurity. Springer, Cham, 2020: 277-296.

[71]BouwmanX, Griffioen H, Egbers J, et al. A different cup of {TI}? The added value ofcommercial threat intelligence[C]//29th {USENIX} Security Symposium ({USENIX}Security 20). 2020: 433-450.

[72]deMelo e Silva A, Costa Gondim J J, de Oliveira Albuquerque R, et al. AMethodology to Evaluate Standards and Platforms within Cyber ThreatIntelligence[J]. Future Internet, 2020, 12(6): 108.

[73]MahlanguT, January S, Mashiane T, et al. Data Poisoning: Achilles Heel of Cyber ThreatIntelligence Systems[C]//Proceedings of the ICCWS 2019 14th InternationalConference on Cyber Warfare and Security: ICCWS. 2019.

[74]KhuranaN, Mittal S, Piplai A, et al. Preventing poisoning attacks on AI based threatintelligence systems[C]//2019 IEEE 29th International Workshop on MachineLearning for Signal Processing (MLSP). IEEE, 2019: 1-6.

[75]ThreatHunting Report 2017

[76]ZhangH, Yi Y, Wang J, et al. Network attack prediction method based on  threat intelligence for IoT[J]. MultimediaTools and Applications, 2019, 78(21): 30257-30270.

[77]Arnold,Nolan, et al. "Dark-Net Ecosystem Cyber-Threat Intelligence (CTI)Tool." 2019 IEEE International Conference on Intelligence and SecurityInformatics (ISI). IEEE, 2019.

[78]KimE, Kim K, Shin D, et al. CyTIME: Cyber Threat Intelligence ManagEment frameworkfor automatically generating security rules[C]//Proceedings of the 13thInternational Conference on Future Internet Technologies. 2018: 1-5.

[79]安全能力落地最重要，态势感知不是“地图炮”. 凤凰资讯.

[80]WangJ, Yi Y, Zhang H, et al. Network attack prediction method based on threatintelligence[C]//International Conference on Cloud Computing and Security.Springer, Cham, 2018: 151-160.

[81]ZhangH, Yi Y, Wang J, et al. Network attack prediction method based on threat intelligencefor IoT[J]. Multimedia Tools and Applications, 2019, 78(21): 30257-30270.

[82]GrishamJ, Samtani S, Patton M, et al. Identifying mobile malware and key threat actorsin online hacker forums for proactive cyber threat intelligence[C]//2017 IEEEInternational Conference on Intelligence and Security Informatics (ISI). IEEE,2017: 13-18.

[83]Bou-HarbE, Lucia W, Forti N, et al. Cyber meets control: A novel  federated approach for resilient cpsleveraging real cyber threat intelligence[J]. IEEE Communications Magazine, 2017, 55(5): 198-204.

[84]SerketzisN, Katos V, Ilioudis C, et al. Improving Forensic Triage Efficiency throughCyber Threat Intelligence[J]. Future Internet, 2019, 11(7): 162.

[85]ZhuZiyun , Dumitras Tudor.FeatureSmith: Automatically Engineering Features forMalware Detection by Mining the Security Literature.The 2016 ACM SIGSACConference, 10.1145/2976749.2978304:767-778

[86]Moustafa,Nour, et al. "A new threat intelligence scheme for safeguarding industry4.0 systems." IEEE Access 6 (2018): 32910-32924.

[87]ZhouY, Wang P. An ensemble learning approach for XSS attack detection  with domain knowledge and threatintelligence[J]. Computers & Security, 2019, 82: 261-269.

[88]汪鑫, 武杨, 卢志刚. 基于威胁情报平台的恶意URL检测研究[J]. 计算机科学,2018, 045(003):124-130,170.

[89]黄莉峥, 刘嘉勇, 郑荣锋,等. 一种基于暗网的威胁情报主动获取框架[J]. 信息安全研究, 2020.

[90]TheLinux Audit Framework. https://github.com/linux-audit/.

[91]ETWevents in the common language runtime. https://msdn.microsoft.com/en-us/library/ff357719(v=vs.110).aspx.

[92]Sysdig.http://www.sysdig.org/.

[93]VishwanathanS V N, Schraudolph N N, Kondor R, et al. Graph kernels[J]. Journal of MachineLearning Research, 2010, 11: 1201-1242.

[94]GschwandtnerM, Demetz L, Gander M, et al. Integrating threat intelligence to enhance anorganization's information security management[C]//Proceedings of the 13thInternational Conference on Availability, Reliability and Security. 2018: 1-8.

[95]SerketzisN , Katos V , Ilioudis C , et al. Actionable threat intelligence for digitalforensics readiness[J]. Information and Computer Security, 2019.

[96]GandotraE, Bansal D, Sofat S. A  framework forgenerating malware threat intelligence[J]. Scalable  Computing: Practice and Experience, 2017,18(3): 195-206.

[97]HuX, Jang J, Wang T, et al. Scalable malware classification with  multifaceted content features and threatintelligence[J]. IBM Journal of Research and Development, 2016, 60(4): 6: 1-6:11.

[98]PiplaiA, Mittal S, Abdelsalam M, et al. Knowledge enrichment by fusingrepresentations for malware threat intelligence and behavior[C]//2020 IEEEInternational Conference on Intelligence and Security Informatics (ISI). IEEE,2020: 1-6.

[99]IbrahimA, Thiruvady D, Schneider J, et al. The Challenges of Leveraging ThreatIntelligence to Stop Data Breaches[J]. Front. Comput. Sci. 2:  36. doi: 10.3389/fcomp, 2020.

[100]LeeK C, Hsieh C H, Wei L J, et al. Sec-Buzzer: cyber security emerging  topic mining with open threat intelligenceretrieval and timeline event annotation[J]. Soft Computing, 2017, 21(11): 2883-2896.

[101]ModiA, Sun Z, Panwar A, et al. Towards automated threat intelligencefusion[C]//2016 IEEE 2nd International Conference on Collaboration and InternetComputing (CIC). IEEE, 2016: 408-416. 

[102]AzevedoR, Medeiros I, Bessani A. PURE: Generating quality threat intelligence byclustering and correlating OSINT[C]//2019 18th IEEE International Conference OnTrust, Security And Privacy In Computing And Communications/13th IEEEInternational Conference On Big Data Science And Engineering(TrustCom/BigDataSE). IEEE, 2019: 483-490.

[103]UriasV E, Stout W M S, Lin H W. Gathering threat intelligence through computernetwork deception[C]//2016 IEEE Symposium on Technologies for Homeland Security(HST). IEEE, 2016: 1-6.

[104]KumarS, Janet B, Eswari R. Multi Platform Honeypot for Generation of Cyber ThreatIntelligence[C]//2019 IEEE 9th International Conference on Advanced Computing(IACC). IEEE, 2019: 25-29.

[105]WilliamsR, Samtani S, Patton M, et al. Incremental hacker forum exploit collection andclassification for proactive cyber threat intelligence: An exploratorystudy[C]//2018 IEEE International Conference on Intelligence and SecurityInformatics (ISI). IEEE, 2018: 94-99.

[106]AmpelB, Samtani S, Zhu H, et al. Labeling Hacker Exploits for Proactive Cyber ThreatIntelligence: A Deep Transfer Learning Approach[C]//2020 IEEE International Conferenceon Intelligence and Security Informatics (ISI). IEEE, 2020: 1-6.

[107]Xiao,Zhifeng. "Towards a two-phase unsupervised system for cybersecurityconcepts extraction." 2017 13th International Conference on NaturalComputation, Fuzzy Systems and Knowledge Discovery (ICNC-FSKD). IEEE, 2017.

[108]王沁心, and 杨望. "基于STIX 标准的威胁情报实体抽取研究." 网络空间安全 11.8 (2020): 16.

[109]YiF, Jiang B, Wang L, et al. Cybersecurity Named Entity Recognition UsingMulti-Modal Ensemble Learning[J]. IEEE Access, 2020, 8: 63214-63224.

[110]PenningtonJ, Socher R, Manning C D. Glove: Global vectors for wordrepresentation[C]//Proceedings of the 2014 conference on empirical methods innatural language processing (EMNLP). 2014: 1532-1543.

[111]ZhangX, Zhao J, LeCun Y. Character-level convolutional networks for textclassification[J]. arXiv preprint arXiv:1509.01626, 2015.

[112]SamtaniS, Chinn K, Larson C, et al. Azsecure hacker assets portal: Cyber threatintelligence and malware analysis[C]//2016 IEEE conference on intelligence andsecurity informatics (ISI). Ieee, 2016: 19-24

[113]BrenemanJ. Kernel Methods for Pattern Analysis[J]. 2005.

[114]EricPrud’hommeaux and AndySeaborne. SPARQL query language. http://www.w3.org/TR/rdf-sparql-query/.

[115]QamarS, Anwar Z, Rahman M A, et al. Data-driven analytics for cyber-threatintelligence and information sharing[J]. Computers & Security, 2017, 67:35-58.

[116]MamdaniE H, Assilian S. An experiment in linguistic synthesis with a fuzzy logiccontroller[J]. International journal of man-machine studies, 1975, 7(1): 1-13.

[117]WangX, Xiong Z, Du X, et al. NER in Threat Intelligence Domain with TSFL[C]//CCFInternational Conference on Natural Language Processing and Chinese Computing.Springer, Cham, 2020: 157-169.

[118]GaoP, Shao F, Liu X, et al. Enabling Efficient Cyber Threat Hunting With CyberThreat Intelligence[J]. arXiv preprint arXiv:2010.13637, 2020.

[119]SanjeevK, Janet B, Eswari R. Automated Cyber Threat Intelligence Generation fromHoneypot Data[M]//Inventive Communication and Computational Technologies.Springer, Singapore, 2020: 591-598.  

[120]TundisA, Ruppert S, Mühlhäuser M. On theAutomated Assessment of Open-Source Cyber Threat IntelligenceSources[C]//International Conference on Computational Science. Springer, Cham,2020: 453-467.

[121]NoorU , Anwar Z , Altmann J , et al. Customer-Oriented Ranking of Cyber ThreatIntelligence Service Providers[J]. Electronic Commerce Research andApplications, 2020, 41:100976.

[122]AfzalisereshtN, Miao Y, Michalska S, et al. From logs to stories: human-centred data miningfor cyber threat intelligence[J]. IEEE Access, 2020, 8: 19089-19099.

[123]MengesF, Putz B, Pernul G. DEALER: decentralized incentives for threat intelligencereporting and exchange[J]. International Journal of Information Security, 2020:1-21.

[124]BÜBERE, ŞAHİNGÖZ Ö K. Blockchain BasedInformation Sharing Mechanism for Cyber Threat Intelligence[J]. Balkan Journalof Electrical and Computer Engineering, 2020, 8(3): 242-253.

[125]YucelC, Chalkias I, Mallis D, et al. On the assessment of completeness andtimeliness of actionable cyber threat intelligence artefacts[C]//InternationalConference on Multimedia Communications, Services and Security. Springer, Cham,2020: 51-66.

[126]Opensource threat intelligence discovery based on topic detection, 2020

[127]WagnerT D, Mahbub K, Palomar E, et al. Cyber threat intelligence sharing: Survey andresearch directions[J]. Computers & Security, 2019, 87: 101589.

[128]SchaberreiterT, Kupfersberger V, Rantos K, et al. A quantitative evaluation of trust in thequality of cyber threat intelligence sources[C]//Proceedings of the 14thInternational Conference on Availability, Reliability and Security. 2019: 1-10.

转载请注明来源：关键基础设施安全应急响应中心

本文始发于微信公众号（关键基础设施安全应急响应中心）：原创 | 基于开源信息平台的开源威胁情报挖掘简述