The National Natural Science Foundation of China (61672206,61572170), S&T Program of Hebei (18210109D, 20310701D，20310802D), High-level Talents Subsidy Project in Hebei Province (A2016002015), S&T research and development Program of Shijiazhuang (19SCX01006, 191130591A)
General secretary Xi Jinping gave instructions in 2016 at the cybersecurity and informatization work symposium: to strengthen big data mining and analysis, to make better situation awareness and to prevent risks in cybersecurity. In response to the call of national policies, many large industries and enterprises actively advocate, build and apply situational awareness systems to deal with the severe challenges faced by network security. Cyber security situation awareness refers to the collection of comprehensive security elements in the network environment, and performs data fusion on them. Not only a macroscopy understanding of the security situation but also a prediction of security trend can be made in this process, which can be used to effectively protect network security. The research on network security situation awareness is generally divided into three parts, namely, situation awareness, situation understanding and situation projection. The process of cyber security situation awareness is to collect the security elements of the target system, and analyze the impact of security incidents. Finally, by using cyber security situation awareness, it can be realized the behavior recognition of various activities, attacks detection, evaluation and prediction of the cyber situation in the network, so as used to provide correct decisions for the cyber security response. Using situation awareness to discover potential threats and respond to them has become the focus on the research. The cyber security situation awareness technologies and methods currently proposed are mostly based on small-scale networks. With the continuous expansion of network scales and appearance of new advanced attack technologies such as APT, the accuracy of current cyber situation awareness technologies is greatly reduced. Maneuverability has also been gradually decreased. In recent years, threat intelligence has brought new ideas about the research of situation awareness. Threat intelligence is evidence-based knowledge, including context, mechanism, label, meaning, and recommendations that can be implemented to deal with threats. The knowledge is related to existing or growing threats or hazards faced by assets, and can be used to give support or response to deal with them. Threat intelligence is usually obtained by using big data, distributed systems or other methods. With the help of threat intelligence, the efficiency and accuracy of situation awareness analysis can be improved greatly. At the same time, threat intelligence has a strong ability to update autonomously. As increase or updates of security incidents, threat intelligence will be updated accordingly to provide the latest security event data. The self-renewal ability of threat intelligence greatly improves the ability to detect new and advanced dangers in cyber security situation awareness. And by using the sharing mechanism in the threat intelligence, organizations of the same field can obtain targeted threat intelligence, so that security stuff can understand the threat environment of their organization, such as attackers, tactical techniques used by them and defense strategies, which can help organizations understand the security threats they are facing or will be faced in the future. The threat intelligence can improve the accuracy of situation comprehension and situation projection in the process of situation awareness, and improve the ability of security situation prediction and response to security incidents.