Abstract
Threat modeling is a structured method for identifying and responding to threats, and the STRIDE method has become the de facto mainstream threat identification technique in practice. At present, the analysis of STRIDE threats and the construction of threat identification rules rely largely on human expertise, resulting in incomplete threat identification rules, insufficient threat modeling data, and inadequate analysis accuracy and efficiency. With the rapid emergence of new Internet software threats every year, there is an urgent need to automatically construct and update a relatively complete rule base so as to improve the effectiveness and automation of threat analysis. This paper proposes a complete threat identification rule model based on the STRIDE method that combines type rules and interaction rules, collects and organizes comprehensive rule base data in the Web security domain, and constructs a high-quality rule base. Then, this paper proposes an automated approach (TextCPR) for classifying STRIDE threats. The approach combines the TextCNN text classification model with production rules: first, the data is preprocessed; then, the basic vulnerability category of the threat content is determined with the TextCNN classification model; finally, the STRIDE threat category corresponding to that basic vulnerability category is obtained through production rules. This paper further proposes an automated approach (ACUTIRule) for constructing the rule base, and designs an automatic update mechanism for the rule base to ensure that it stays effective. The approach first obtains the core verb phrase group using the TF-IDF algorithm and assembles a relation triplet expression according to the STRIDE category produced by threat classification and the element comparison table; then a text similarity algorithm is used to extract components, and the threat description text, threat category and components are combined to match and generate type rules; then interaction rules are extracted and generated according to the component relation table; finally, the two are integrated into a complete threat identification rule base, and the rule base is automatically updated using threats periodically crawled from an open source threat data platform together with the automatic rule construction approach. This paper evaluates the proposed approach through comparative experiments. The results show that the TextCPR approach reaches a precision of 92.5%, a recall of 87.6% and an F1-score of 89.3% on the CNNVD dataset. Compared with the baseline method, TextCPR significantly improves precision, recall and F1-score, by 11.2%, 8.2% and 9.2% respectively. To validate the effectiveness of the ACUTIRule approach, this paper expands the adopted basic type rule base into a test rule set to validate accuracy, and then compares the ACUTIRule approach with the manual construction approach using quantitative indicators. The experimental results show that the accuracy of the automatically constructed rules reaches 89.5%. In constructing the same threat entries into usable rules, the ACUTIRule approach takes much less time than the manual approach and requires no additional labor cost. Compared with the manual construction approach, it improves the automation level and efficiency of rule construction.
Authors
FU Chang-Lan (付昌兰), ZHANG He (张贺), GUAN Xing-Zheng (管兴政), LI Feng-Long (李凤龙)
Software Institute, Nanjing University, Nanjing 210023; State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023; Huawei Cloud Computing Technologies Co., Ltd., Hangzhou 310053
Source
Chinese Journal of Computers (《计算机学报》), PKU Core Journal
2026, No. 1, pp. 132-162 (31 pages)
Funding
Supported by the Natural Science Foundation of Jiangsu Province (BK20241195), the Key R&D Program of Jiangsu Province (BE2021002-2), the National Natural Science Foundation of China Youth Fund (62202219, 62302210), the CCF-Huawei Populus Euphratica Fund, Software Engineering Special Project (CCF-Huawei SE2021003), the Innovation Projects of the State Key Laboratory for Novel Software Technology, Nanjing University (ZZKT2025A12, ZZKT2025B18, ZZKT2025B20, ZZKT2025B22), and the Overseas Open Research Projects (KFKT2025A17, KFKT2025A19, KFKT2025A20, KFKT2024A02, KFKT2024A13, KFKT2024A14, KFKT2023A09, KFKT2023A10).
Keywords
threat modeling
STRIDE method
threat identification rules
automatic threat classification
automatic construction and updating of rule models