网络与信息安全学报 (Chinese Journal of Network and Information Security), Aug 2023
Predicting correlation relationships of entities between attack patterns and techniques based on word embedding and graph convolutional network
Abstract
Threat analysis relies on knowledge bases that contain a large number of security entities. The scope and impact of security threats and risks are evaluated by modeling threat sources, attack capabilities, attack motivations, and threat paths, taking into account the vulnerability of the system's assets and the security measures already in place. However, the lack of entity relations between these knowledge bases hinders security event tracking and attack path generation. To complement the entity relations between CAPEC attack patterns and ATT&CK techniques and thereby enrich threat paths, an entity correlation prediction method called WGS was proposed, in which entity descriptions are analyzed with word embeddings and a graph convolutional network. A Word2Vec model was trained on a security-domain corpus to extract domain-specific semantic features, and a GCN model captures the co-occurrence of words and sentences in entity descriptions. The relationship between two entities is predicted by a Siamese network that combines these two features. The inclusion of external semantic information helps address the few-shot learning problem caused by the limited number of entity relations in the existing knowledge bases. Dynamic negative sampling and regularization were also applied during model training. Experiments on the CAPEC and ATT&CK databases provided by MITRE show that WGS effectively separates related entity pairs from irrelevant ones in the sample space and accurately predicts new entity relations. Compared with BERT-based text similarity prediction models, the proposed method achieves higher prediction accuracy in the few-shot setting and requires shorter training time and less computing resources. This demonstrates that an entity relation prediction method based on word embeddings and a graph convolutional network can extract new correlation relationships between attack patterns and techniques, which helps to abstract attack techniques and tactics from low-level vulnerabilities and weaknesses in security threat analysis.
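As an added illustration of the pipeline the abstract describes (this is not the paper's WGS implementation), the Python below builds a TextGCN-style graph whose nodes are entity descriptions and words, with TF-IDF document-word edges and PMI word-word edges carrying the co-occurrence structure, runs one weight-free GCN propagation step, scores attack-pattern/technique pairs through a shared encoder with cosine similarity in place of the trained Siamese head, and picks the highest-scoring unrelated technique as the next negative, as a dynamic negative sampling step would. The five descriptions, the identifiers P1/P2/T1-T3, the stop-word list and the window size are constructed for the demo and are not CAPEC or ATT&CK entries; one-hot word features stand in for the Word2Vec vectors the paper trains.

```python
"""Added illustration, not the paper's WGS code: a TextGCN-style co-occurrence graph
over entity descriptions (document and word nodes), one symmetric-normalised GCN
propagation step, cosine scoring of attack-pattern/technique pairs with a shared
encoder (the Siamese idea), and a hard-negative pick for dynamic negative sampling.
All descriptions are constructed for the demo and are not CAPEC or ATT&CK text."""
import math
import re
from collections import Counter
from itertools import combinations

# Constructed attack-pattern and technique descriptions (not real CAPEC/ATT&CK entries).
PATTERNS = {
    "P1": "adversary injects crafted sql statements into an input field to read database contents",
    "P2": "adversary sends a flood of requests to exhaust server resources",
}
TECHNIQUES = {
    "T1": "adversary exploits sql injection in a public facing web application to read database records",
    "T2": "adversary performs a network denial of service by flooding a target with requests",
    "T3": "adversary dumps database records after stealing administrator credentials",
}
STOP = {"a", "an", "the", "to", "of", "in", "on", "by", "with", "into", "after"}  # assumed list


def tokenize(text):
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP]


def build_graph(docs, window=3):
    """Nodes: documents first, then vocabulary words.  Document-word edges carry
    TF-IDF (a word found in every document gets weight 0); word-word edges carry
    positive PMI over a sliding window, which is how word/sentence co-occurrence
    enters the graph.  Returns the weighted adjacency matrix and a name->index map."""
    names = list(docs)
    toks = {d: tokenize(docs[d]) for d in names}
    vocab = sorted({w for t in toks.values() for w in t})
    idx = {n: i for i, n in enumerate(names + vocab)}
    n = len(idx)
    A = [[0.0] * n for _ in range(n)]
    df = Counter(w for t in toks.values() for w in set(t))
    for d in names:
        for w, c in Counter(toks[d]).items():
            A[idx[d]][idx[w]] = A[idx[w]][idx[d]] = (c / len(toks[d])) * math.log(len(names) / df[w])
    win_cnt, pair_cnt, n_win = Counter(), Counter(), 0
    for t in toks.values():
        for i in range(max(1, len(t) - window + 1)):
            win = set(t[i:i + window])
            n_win += 1
            win_cnt.update(win)
            pair_cnt.update(frozenset(p) for p in combinations(sorted(win), 2))
    for pair, c in pair_cnt.items():
        u, v = tuple(pair)
        pmi = math.log(c * n_win / (win_cnt[u] * win_cnt[v]))
        if pmi > 0:
            A[idx[u]][idx[v]] = A[idx[v]][idx[u]] = pmi
    return A, idx


def word_onehot(idx, n_docs):
    """Node features X.  The paper feeds Word2Vec vectors here; this demo uses one-hot
    vectors for word nodes and all-zero rows for document nodes, so a document's
    embedding comes entirely from the words the graph connects it to."""
    n, k = len(idx), len(idx) - n_docs
    return [[1.0 if i >= n_docs and j == i - n_docs else 0.0 for j in range(k)] for i in range(n)]


def propagate(A, X):
    """One GCN layer with no learned weight matrix: H = D^-1/2 (A + I) D^-1/2 X."""
    n = len(A)
    Ahat = [[A[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    d = [sum(row) ** -0.5 for row in Ahat]
    return [[sum(d[i] * Ahat[i][j] * d[j] * X[j][f] for j in range(n)) for f in range(len(X[0]))]
            for i in range(n)]


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = math.sqrt(sum(a * a for a in u)), math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def score_pairs(patterns, techniques):
    """Siamese-style scoring: both sides go through the same encoder (the propagated
    graph) and a pair is scored by cosine similarity instead of a trained head."""
    docs = {**patterns, **techniques}
    A, idx = build_graph(docs)
    H = propagate(A, word_onehot(idx, len(docs)))
    return {(p, t): cosine(H[idx[p]], H[idx[t]]) for p in patterns for t in techniques}


def best_technique(scores, pattern):
    cands = {t: s for (p, t), s in scores.items() if p == pattern}
    return max(cands, key=cands.get)


def hardest_negative(scores, pattern, positive):
    """Dynamic negative sampling: for a known related pair, return the unrelated
    technique that currently scores highest, so the next update sees the hardest case."""
    cands = {t: s for (p, t), s in scores.items() if p == pattern and t != positive}
    return max(cands, key=cands.get)


if __name__ == "__main__":
    scores = score_pairs(PATTERNS, TECHNIQUES)
    for (p, t), s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{p} - {t}: {s:.3f}")
    print("hardest negative for (P1, T1):", hardest_negative(scores, "P1", "T1"))
```

With literal token overlap only, P2 and T2 are linked solely through "requests", because "flood" and "flooding" are different tokens; that is the gap a domain-trained Word2Vec feature is meant to close, and it is also why T3, which shares only "database" with P1, is the hardest negative for the pair (P1, T1) while T2 scores exactly zero against P1.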