Research and Design of an Automated Security Event Analysis and Handling Framework Based on Threat Intelligence

Authors

  • Linjiang Xie Information Security Operation and Maintenance Center of Information Center of Yunnan Power Grid Co., LTD, Kunming, Yunnan, China
  • Zhouyuan Liao Information Security Operation and Maintenance Center of Information Center of Yunnan Power Grid Co., LTD, Kunming, Yunnan, China
  • Hanruo Li Information Security Operation and Maintenance Center of Information Center of Yunnan Power Grid Co., LTD, Kunming, Yunnan, China

DOI:

https://doi.org/10.12694/scpe.v25i3.2779

Keywords:

Threat intelligence; Security incidents; Judgment and disposal; Design; APT attack

Abstract

To explore and exploit the value of threat intelligence more deeply, strengthen research on attack organizations, and capture the correlations between them, the authors propose the research and design of an automated security event analysis and handling framework based on threat intelligence. The authors extract the behavioral characteristics of attack organizations from known APT attacks and use the machine learning framework LightGBM to build a multi-class classification model that attributes unknown APT attacks to an organization. Through the study of multi-dimensional analysis of multi-source threat intelligence and of attack organization correlation and judgment, an attack organization correlation and judgment system has been designed and implemented. The system consists of six modules: a threat intelligence collection module, a threat intelligence multi-dimensional analysis module, an attack organization fingerprint library module, an attack organization correlation module, an attack organization analysis module, and a user module, providing attack organization correlation and judgment services for network security. The test results show that the intelligence reading and search query function can retrieve the various kinds of information held on attack organizations and present threat intelligence visually. The intelligence management function supports adding, deleting, and updating intelligence. The user management function supports the management of administrator users and ordinary users. After testing, all functions of the system have been implemented and meet expectations.

Published

2024-04-12

Section

Special Issue - Graph Powered Big Aerospace Data Processing