Cyber threat intelligence is the provision of evidence-based knowledge about existing or emerging threats. Its benefits include increased situational awareness, more efficient security operations, and improved prevention, detection, and response capabilities. Processing, analyzing, and correlating vast amounts of threat information, and deriving highly contextual intelligence that can be shared and consumed in a timely manner, requires machine-understandable knowledge representation formats that are unambiguous and carry the expressivity the industry requires. To a large extent, this is achieved through technologies such as ontologies, interoperability schemas, and taxonomies. This research evaluates existing cyber-threat-intelligence-relevant ontologies, sharing standards, and taxonomies in order to measure their high-level conceptual expressivity with regard to the who, what, why, where, when, and how of an adversarial attack, as well as courses of action and technical indicators. The results confirm that little emphasis has been placed on developing a comprehensive cyber threat intelligence ontology: existing efforts are not thoroughly designed, are non-interoperable and ambiguous, and lack semantic reasoning capability.