CN116614245A - Attack path modeling method and system based on multi-source alarm log compression - Google Patents


Info

Publication number
CN116614245A
Authority
CN
China
Prior art keywords
attack
network
event
threat
time
Prior art date
Legal status
Pending
Application number
CN202310177705.XA
Other languages
Chinese (zh)
Inventor
桑亚飞
李想
吕坤
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0631Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/069Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an attack path modeling method and system based on multi-source alarm log compression. The method comprises the following steps: step S1: collecting alarm logs generated by a plurality of network security engine sources and preprocessing them to obtain preprocessed alarm logs; step S2: merging preprocessed alarm logs from the same source into the same cluster according to their similarity, so as to form network attack events; step S3: performing association compression on the multi-source network attack events based on time continuity and attack continuity to obtain compressed network attack events, and performing confidence scoring on the compressed events; step S4: constructing an attack graph for the compressed and scored network attack events using a time Petri network to obtain all possible attack paths; step S5: performing confidence scoring on the attack IP and each single-step attack path using third-party threat intelligence, and then performing recommendation evaluation on the attack path. The method constructs attack paths with high credibility by analyzing the massive alarm logs generated by multi-source network security engines.

Description

Attack path modeling method and system based on multi-source alarm log compression
Technical Field
The invention relates to the field of network security, in particular to an attack path modeling method and system based on multi-source alarm log compression.
Background
To monitor possible network attack events, current practice deploys various network security engines in the communication network and collects their alarm logs. By analyzing the various kinds of alarm logs, network maintainers can find the network attack events and attack paths recorded in them and so carry out maintenance and management of the communication network. However, as the variety and number of network security engines in the communication network keep increasing, and as a large number of open-source exploit codes and automated attack tools are widely used, the network security engines generate a large number of alarm logs every day. In addition, because the detection principles of the different network security engine sources differ, the attribute structure of the alarm logs they generate also differs. Massive multi-source alarm logs consume enormous software and hardware resources in the analysis of network attack events and attack paths, and the heterogeneous and redundant attributes in the logs further increase the difficulty of analysis.
Compressing and screening the alarm logs generated by multiple network security engine sources is therefore essential to the overall attack path analysis process. However, because attack path analysis depends heavily on context, discarding one or several attack phases breaks the continuity of the overall attack along the attack path, and it can then no longer be determined whether the attack path holds. How to effectively compress the number of massive multi-source alarm logs while keeping the attack paths uninterrupted therefore becomes a problem to be solved.
Disclosure of Invention
In order to solve the technical problems, the invention provides an attack path modeling method and system based on multi-source alarm log compression.
The technical scheme of the invention is as follows: an attack path modeling method based on multi-source alarm log compression comprises the following steps:
step S1: collecting alarm logs generated by a plurality of network security engine sources, and preprocessing the alarm logs to obtain preprocessed alarm logs, wherein the network security engine sources comprise: a controlled traffic detection engine, a CVE vulnerability traffic detection engine, and a malicious DNS traffic detection engine;
step S2: respectively calculating the similarity between the preprocessed alarm logs generated by the homologous security engine, and clustering the preprocessed alarm logs higher than a threshold value into the same cluster to form a network attack event;
step S3: carrying out association compression on the network attack event generated by the multi-source security engine aggregation based on time continuity and attack continuity to obtain a compressed network attack event; confidence scoring is carried out on the compressed network attack event according to the occurrence state of the network attack event and the attack threat level, and the compressed and scored network attack event is obtained;
step S4: constructing an attack graph of the compressed and scored network attack event by using a time Petri network, carrying out attack modeling by using a node state table, and restoring and outputting all possible attack paths from an attack node to a target node;
step S5: and confidence scoring is carried out on the attack IP and the single-step attack path by using third-party threat information, and recommendation evaluation is carried out on all links of the attack path according to the scoring condition.
Compared with the prior art, the invention has the following advantages:
1. The invention discloses an attack path modeling method based on multi-source alarm log compression, which performs association compression on alarm logs along three dimensions: time state, attack continuity and attack threat confidence score. It completes the compression and screening of massive logs without cutting off attack paths and without losing key information, thereby constructing attack paths efficiently.
2. The invention performs association analysis on the alarm logs generated by multiple network security engine sources together with third-party threat intelligence. It thereby makes it possible to model the attack path entirely at the traffic layer when end-side logs cannot be obtained at the network gateway, so that the security protection level of the whole communication network is reflected faithfully.
Drawings
FIG. 1 is a flowchart of an attack path modeling method based on multi-source alarm log compression in an embodiment of the invention;
FIG. 2 is a schematic diagram of a compression process based on time continuity in an embodiment of the present invention;
FIG. 3 is a schematic diagram of a compression process based on attack continuity in an embodiment of the present invention;
fig. 4 is a block diagram of an attack path modeling system based on multi-source alarm log compression in an embodiment of the present invention.
Detailed Description
The invention provides an attack path modeling method based on multi-source alarm log compression, which constructs an attack path with high reliability by analyzing massive alarm logs generated by a multi-source network security engine source.
The present invention will be further described in detail below with reference to the accompanying drawings by way of specific embodiments in order to make the objects, technical solutions and advantages of the present invention more apparent.
Example 1
As shown in fig. 1, the attack path modeling method based on multi-source alarm log compression provided by the embodiment of the invention includes the following steps:
step S1: collecting alarm logs generated by a plurality of network security engine sources, and preprocessing the alarm logs to obtain preprocessed alarm logs, wherein the network security engine sources comprise: a controlled traffic detection engine, a CVE vulnerability traffic detection engine, and a malicious DNS traffic detection engine;
step S2: respectively calculating the similarity between the preprocessed alarm logs generated by the homologous security engine, and clustering the preprocessed alarm logs higher than a threshold value into the same cluster to form a network attack event;
step S3: carrying out association compression on network attack events generated by multi-source security engine aggregation based on time continuity and attack continuity to obtain compressed network attack events; confidence scoring is carried out on the compressed network attack event according to the occurrence state of the network attack event and the attack threat degree, and the network attack event after compression scoring is obtained;
step S4: constructing an attack graph of the compressed and scored network attack event by using a time Petri network, carrying out attack modeling by using a node state table, and restoring and outputting all possible attack paths from an attack node to a target node;
step S5: and confidence scoring is carried out on the attack IP and the single-step attack path by using third-party threat information, and recommendation evaluation is carried out on all links of the attack path according to the scoring condition.
In one embodiment, step S1 above (collecting alarm logs generated by a plurality of network security engine sources, namely a controlled traffic detection engine, a CVE vulnerability traffic detection engine and a malicious DNS traffic detection engine, and preprocessing them to obtain preprocessed alarm logs) specifically comprises:
collecting alarm logs from the plurality of network security engine sources: the controlled traffic detection engine, the CVE vulnerability traffic detection engine and the malicious DNS traffic detection engine;
then, taking the controlled traffic detection engine as an example, preprocessing the collected alarm logs in the following steps:
1. Data cleaning: fill the missing values in the collected engine alarm logs so that each record is complete, and remove repeated data from the logs so that only distinct log records remain. The specific steps are:
(1) Null value handling: check the completeness of the attributes of each alarm log of the controlled traffic detection device, namely the source/destination IP address, source/destination port, attack name and attack time. If two or more of these attributes are missing, the record is filtered out; otherwise each missing value is filled with the Null character.
(2) Repeated data handling: sort the logs by the keyword "occurrence time", then fix a window of size T = 60 s and slide it continuously over the sorted data set, examining the records inside the window; when identical records are found, the duplicates are deleted so that only distinct log records remain.
2. Data normalization: the security device logs are defined in a standardized way. After the relevant log attributes have been selected, the security device log is defined in a formatted way using an extended IDMEF (Intrusion Detection Message Exchange Format) alarm format, and the following three normalized log formats are prepared as shown in Table 1:
Table 1 Normalized log format listing
The meanings of the attribute values used in the normalized log format definitions are given in Table 2.
Table 2 Correspondence between log attributes and their meanings
Attribute               Meaning
logID                   Log record number
Time                    Time attributes of the event record
Device                  Device type
Result                  Event outcome
Priority                Event priority
Message                 Event related information
User                    Login user name
Protocol                Protocol type
sourceIP/sourcePort     Source IP / source port
Inpackage/outpackage    Received / transmitted data packets
destIP/destPort         Destination IP / destination port
Sent/receive            Number of bytes received / transmitted
operation               Command of an operation
PCname/PCip             Computer name / IP address
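The two data cleaning rules of step S1 (discard a record missing two or more required attributes, fill a single gap with Null, then remove duplicates inside a sliding 60 s window over time-sorted records), as an added Python example that is not part of the patent. The record field names, the choice of "identical apart from the time attribute" as the duplicate test, and the sample records are assumptions.

```python
# Added example: step S1 data cleaning for a controlled traffic detection engine log.
# Field names, the duplicate test (identical except for time) and the sample data are assumptions.

# Required attributes named by the null-value rule.
REQUIRED = ("src_ip", "dst_ip", "src_port", "dst_port", "attack_name", "time")
WINDOW_SECONDS = 60  # fixed-size window T = 60 s used for duplicate removal


def clean_nulls(records):
    """Drop a record that lacks two or more required attributes; fill a single gap with 'Null'."""
    kept = []
    for rec in records:
        missing = [k for k in REQUIRED if rec.get(k) in (None, "")]
        if len(missing) >= 2:
            continue
        filled = dict(rec)
        for k in missing:
            filled[k] = "Null"
        kept.append(filled)
    return kept


def dedupe_in_window(records, window=WINDOW_SECONDS):
    """Sort by occurrence time, then slide a window of `window` seconds over the
    sorted records and drop any record identical (apart from its time) to a record
    already kept inside the window."""
    ordered = sorted(records, key=lambda r: r["time"])
    recent = []   # (signature, time) of kept records that may still be in the window
    result = []
    for rec in ordered:
        sig = tuple(sorted((k, v) for k, v in rec.items() if k != "time"))
        recent = [(s, t) for s, t in recent if rec["time"] - t <= window]
        if any(s == sig for s, _ in recent):
            continue
        recent.append((sig, rec["time"]))
        result.append(rec)
    return result


def preprocess(records):
    """Data cleaning stage of step S1: null handling followed by windowed de-duplication."""
    return dedupe_in_window(clean_nulls(records))


# Constructed sample alarm records (times are epoch seconds).
SAMPLE = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "src_port": 4444, "dst_port": 80,
     "attack_name": "webshell", "time": 1000},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "src_port": 4444, "dst_port": 80,
     "attack_name": "webshell", "time": 1030},   # same record 30 s later: duplicate
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "src_port": 4444, "dst_port": 80,
     "attack_name": "webshell", "time": 1100},   # 100 s later: outside the window, kept
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.9", "src_port": None, "dst_port": 443,
     "attack_name": "c2_beacon", "time": 900},   # one missing attribute: filled with Null
    {"src_ip": None, "dst_ip": "10.0.0.9", "src_port": None, "dst_port": 22,
     "attack_name": "bruteforce", "time": 950},  # two missing attributes: discarded
]

if __name__ == "__main__":
    for rec in preprocess(SAMPLE):
        print(rec)
```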
In one embodiment, step S2 above (calculating the similarity between the preprocessed alarm logs generated by the same security engine source and clustering those above a threshold into the same cluster to form a network attack event) comprises the following steps:
Step S21: calculate the similarity of each attribute between the preprocessed alarm logs generated by the same security engine source using the following formula, where the attributes include the IP address, port, log number, device type, event related information and time;
where w_i is the weight of the i-th attribute, n is the number of attributes, X_i is the i-th attribute of log X and Y_i is the i-th attribute of log Y;
table 3 illustrates the weight assignment of each attribute, taking the alarm log of the controlled flow detection engine as an example.
Table 3 weight assignment of attributes
Attributes of IP address Port (port) Journal numbering Device type Event related information
Weighting of 4 4 1 2 2
Step S22: determine a similarity threshold and merge preprocessed alarm logs whose similarity exceeds the threshold into the same cluster;
First, initialize the time, the similarity threshold and the number of clusters, and set the initial cluster to the first log record input by the controlled traffic detection device. For each subsequently generated log, calculate its similarity to the center point of every cluster and take the maximum. Compare this maximum similarity with the threshold set during initialization: if it is larger than the threshold, add the log to that cluster; otherwise create a new cluster and update the current cluster count;
Step S23: merge the preprocessed alarm logs in each cluster to generate a network attack event, with the following specific steps:
(1) Select the attack type and description information of all logs in the cluster that share the same attack type and description information;
(2) From the attack type and description information, keep only the first record that best reflects the type information of the logs;
(3) Merge the log time attributes that fall within a certain time interval.
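Steps S21 to S23 for logs from one engine source, as an added Python example that is not the patent's own code. The page does not reproduce the S21 formula, so the weighted attribute-match ratio used below is an assumption (the weights follow Table 3); the attribute names, the threshold of 0.6 and the sample logs are also assumptions.

```python
# Added example: steps S21-S23 for logs from one engine source. The similarity formula is not
# reproduced on this page; the weighted attribute-match ratio below, the attribute names and the
# sample logs are assumptions. Weights follow Table 3.
WEIGHTS = {"ip": 4, "port": 4, "log_id": 1, "device": 2, "message": 2}


def similarity(x, y, weights=WEIGHTS):
    """Weighted share of attributes on which logs x and y agree (assumed form of the S21 formula)."""
    total = sum(weights.values())
    return sum(w for k, w in weights.items() if x.get(k) == y.get(k)) / total


def cluster_logs(logs, threshold, weights=WEIGHTS):
    """Step S22: the first log seeds the first cluster; each later log joins the cluster whose
    center it is most similar to if that similarity exceeds the threshold, else starts a new cluster."""
    clusters = []  # each entry: {"center": seed log, "members": [logs]}
    for log in logs:
        if clusters:
            best, best_sim = max(
                ((c, similarity(log, c["center"], weights)) for c in clusters),
                key=lambda pair: pair[1])
            if best_sim > threshold:
                best["members"].append(log)
                continue
        clusters.append({"center": log, "members": [log]})
    return clusters


def build_events(clusters):
    """Step S23: collapse each cluster into one network attack event, keeping the attack type and
    description of the first member and merging the member times into a span."""
    events = []
    for c in clusters:
        first = c["members"][0]
        times = [m["time"] for m in c["members"]]
        events.append({"attack_type": first["attack_type"], "message": first["message"],
                       "ip": first["ip"], "start": min(times), "end": max(times),
                       "count": len(c["members"])})
    return events


# Constructed sample logs from one controlled traffic detection engine.
SAMPLE_LOGS = [
    {"ip": "10.0.0.5", "port": 80, "log_id": 1, "device": "ctrl",
     "message": "webshell upload", "attack_type": "webshell", "time": 100},
    {"ip": "10.0.0.5", "port": 80, "log_id": 2, "device": "ctrl",
     "message": "webshell upload", "attack_type": "webshell", "time": 130},
    {"ip": "10.0.0.8", "port": 22, "log_id": 3, "device": "ctrl",
     "message": "ssh brute force", "attack_type": "bruteforce", "time": 200},
    {"ip": "10.0.0.8", "port": 22, "log_id": 4, "device": "ctrl",
     "message": "ssh brute force", "attack_type": "bruteforce", "time": 260},
    # differs only in port from the first cluster's center: 8/13 ~ 0.62, still above 0.6
    {"ip": "10.0.0.5", "port": 443, "log_id": 5, "device": "ctrl",
     "message": "webshell upload", "attack_type": "webshell", "time": 300},
]

if __name__ == "__main__":
    for event in build_events(cluster_logs(SAMPLE_LOGS, 0.6)):
        print(event)
```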
In one embodiment, step S3 above (performing association compression on the network attack events produced by multi-source security engine aggregation based on time continuity and attack continuity to obtain compressed network attack events, and confidence-scoring the compressed events according to their occurrence state and attack threat degree to obtain compressed and scored network attack events) comprises the following steps:
Step S31: compress network attack events of the same type according to their time state. Association analysis is based on the time continuity of the attack: events are merged and compressed when the attack IP, the attacked IP and the attack type are the same and the attack time interval is smaller than the interval Δt specified by the system;
Fig. 2 illustrates the compression process based on time continuity;
Step S32: compress network attack events of different attack types according to their continuity state. Association analysis is based on the continuity of the attack: events are merged and compressed when the attack IP and the attacked IP are the same, the attack time interval is smaller than the interval Δt specified by the system, and the earlier attack type subsumes the later one;
Fig. 3 illustrates the compression process based on attack continuity;
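Steps S31 and S32 carried out over a small set of aggregated events, as an added Python example that is not the patent's own code. The Event fields, the value of Δt (300 s) and the inclusion relation between attack types used for S32 are assumptions.

```python
# Added example: steps S31 and S32 over network attack events from several engine sources.
# The Event fields, the value of Δt and the inclusion relation between attack types are assumptions.
from dataclasses import dataclass, field, replace


@dataclass
class Event:
    attacker: str            # attack IP
    victim: str              # attacked IP
    attack_type: str
    start: int               # first observation, epoch seconds
    end: int                 # last observation, epoch seconds
    count: int = 1           # number of raw events folded into this one
    merged_types: list = field(default_factory=list)  # later stages folded in by S32


DELTA_T = 300  # system-specified maximum gap Δt in seconds (assumed value)

# Assumed inclusion relation for S32: the earlier stage on the left subsumes the later stages on the right.
INCLUDES = {"cve_exploit": {"webshell", "c2_beacon"}, "webshell": {"c2_beacon"}}


def compress_time_continuity(events, delta_t=DELTA_T):
    """S31: merge events with the same attack IP, attacked IP and attack type whose gap is below Δt."""
    out, last_by_key = [], {}
    for ev in sorted(events, key=lambda e: e.start):
        ev = replace(ev, merged_types=list(ev.merged_types))  # do not mutate the caller's events
        key = (ev.attacker, ev.victim, ev.attack_type)
        last = last_by_key.get(key)
        if last is not None and ev.start - last.end < delta_t:
            last.end = max(last.end, ev.end)
            last.count += ev.count
        else:
            out.append(ev)
            last_by_key[key] = ev
    return out


def compress_attack_continuity(events, delta_t=DELTA_T, includes=INCLUDES):
    """S32: for the same attack IP / attacked IP pair, fold a later event of a different type into the
    preceding event when the gap is below Δt and the earlier type subsumes the later one."""
    out, last_by_pair = [], {}
    for ev in sorted(events, key=lambda e: e.start):
        ev = replace(ev, merged_types=list(ev.merged_types))
        pair = (ev.attacker, ev.victim)
        last = last_by_pair.get(pair)
        if (last is not None and last.attack_type != ev.attack_type
                and ev.start - last.end < delta_t
                and ev.attack_type in includes.get(last.attack_type, ())):
            last.end = max(last.end, ev.end)
            last.count += ev.count
            last.merged_types.append(ev.attack_type)
        else:
            out.append(ev)
            last_by_pair[pair] = ev
    return out


def compress(events):
    """Step S3 association compression: time continuity first, then attack continuity."""
    return compress_attack_continuity(compress_time_continuity(events))


# Constructed sample events (times in seconds).
SAMPLE_EVENTS = [
    Event("10.0.0.5", "10.0.0.9", "cve_exploit", 0, 10),
    Event("10.0.0.5", "10.0.0.9", "cve_exploit", 100, 110),  # same triple, gap 90 s: S31 merge
    Event("10.0.0.5", "10.0.0.9", "webshell", 200, 205),     # subsumed by cve_exploit, gap 90 s: S32 fold
    Event("10.0.0.5", "10.0.0.9", "c2_beacon", 900, 910),    # gap 695 s: stays separate
    Event("10.0.0.7", "10.0.0.9", "bruteforce", 50, 60),
    Event("10.0.0.7", "10.0.0.9", "bruteforce", 500, 510),   # same triple but gap 440 s: not merged
    Event("10.0.0.5", "10.0.0.12", "c2_beacon", 300, 310),   # different attacked IP: not merged
]

if __name__ == "__main__":
    for ev in compress(SAMPLE_EVENTS):
        print(ev)
```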
Step S33: confidence-score the compressed network attack events based on an improved D-S (Dempster-Shafer) evidence theory to obtain the compressed and scored network attack events, with the following specific steps:
(1) Establish a frame of discernment for attack event fusion;
(2) Judge whether the corresponding network attack occurred using the network attack events obtained by aggregating the logs generated by the multiple network security engine sources, and divide attack events into three classes: the attack has occurred, the attack has not occurred, and whether the attack has occurred cannot be judged from the currently known information;
(3) Taking the confidence level of the attack event into account, analyze the evidence that threatens the network system according to the characteristics of D-S evidence theory;
(4) Determine the basic confidence assignment function and its weights, taking the degree to which each type of network security engine identifies the attack as the basic confidence of the corresponding attack event. The basic confidence assignment function is given by the following formula:
where m_k is the credibility of the attack event at its k-th occurrence; m_{k-1} is the credibility at its (k-1)-th occurrence; n is the number of attack events, incremented by 1 at each occurrence of the attack; U_{k-1} is determined from the previous fusion result and records whether the attack event information actually generated by the network security engine is correct or not (taking the value 1 or 0), with initial value 1; and N_0 is a constant used to limit the false alarm rate and adjust the convergence speed.
In one embodiment, step S4 above (constructing an attack graph of the compressed and scored network attack events using a time Petri network, performing attack modeling through a node state table, and restoring and outputting all possible attack paths from the attack node to the target node) specifically comprises the following steps:
step S41: ordering the network attack events after compression scoring according to time;
step S42: initializing a main time Petri network;
step S43: inputting an attack IP and an attacked IP as nodes according to time for iteration;
step S44: when a node generates state transition, constructing a sub-time Petri network of the transition node, and constructing an attack state relation table of the node;
step S45: merge the transitions of the sub time Petri network into the main time Petri network and check the global relations; repeat steps S43 to S45 until construction of the main time Petri network is complete;
step S46: and given the retrieval conditions, restoring all attack paths from the attack node to the target node is completed.
The attack path construction algorithm based on the main time Petri network in this embodiment is as follows (the sub network built for a state-changing record is merged into the main network inside the branch that creates it, so that no merge is attempted for records without a state change):
procedure RETRIEVAL_BY_TPN(dataset, Attack_IP, Attacked_IP)
    dataset ← sort_by_time(dataset)          // step S41: order events by time
    main_tpn ← TP(Null)                       // step S42: initialize the main time Petri network
    for data in dataset do                    // step S43: feed attack IP / attacked IP nodes in time order
        update(main_tpn, data)
        if State_change(data) then            // step S44: a node changed state
            tmp_tpn ← TP(data)                // build the sub time Petri network for the transition
            merge(main_tpn, tmp_tpn)          // step S45: merge it into the main network
        end if
    end for
    return Search(Attack_IP, Attacked_IP)     // step S46: restore all paths from attack node to target
end procedure
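The path restoration of step S46, as an added Python example that is not the patent's own code: the time Petri network bookkeeping is replaced here by a plain time-ordered depth-first search over the compressed events, in which a hop may only follow a hop that started no later than it and no host is revisited. The event fields and the sample data are assumptions.

```python
# Added example: step S46 path restoration, with the time Petri net replaced by a plain
# time-ordered depth-first search over the compressed events. Event fields and data are assumptions.
from collections import defaultdict


def build_attack_graph(events):
    """Adjacency list keyed by attack IP; out-edges are the events sorted by start time (S41/S43)."""
    graph = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["start"]):
        graph[ev["attacker"]].append(ev)
    return graph


def restore_paths(events, attack_ip, target_ip):
    """Return every chain of events leading from attack_ip to target_ip in which each hop starts
    no earlier than the previous hop and no host is visited twice."""
    graph = build_attack_graph(events)
    paths = []

    def walk(node, earliest, visited, chain):
        if node == target_ip:
            paths.append(list(chain))
            return
        for ev in graph.get(node, []):
            if ev["start"] < earliest or ev["victim"] in visited:
                continue  # violates time order or would revisit a host
            chain.append(ev)
            visited.add(ev["victim"])
            walk(ev["victim"], ev["start"], visited, chain)
            visited.discard(ev["victim"])
            chain.pop()

    walk(attack_ip, float("-inf"), {attack_ip}, [])
    return paths


def describe(path):
    """Human-readable one-line rendering of a restored path."""
    hops = [f'{e["attacker"]} -[{e["attack_type"]}@{e["start"]}]-> {e["victim"]}' for e in path]
    return " ; ".join(hops)


# Constructed compressed events (attack IP, attacked IP, type, start time in seconds).
SAMPLE_EVENTS = [
    {"attacker": "10.0.0.5", "victim": "10.0.0.9", "attack_type": "cve_exploit", "start": 100},
    {"attacker": "10.0.0.9", "victim": "10.0.0.20", "attack_type": "webshell", "start": 200},
    {"attacker": "10.0.0.5", "victim": "10.0.0.20", "attack_type": "bruteforce", "start": 150},
    {"attacker": "10.0.0.20", "victim": "10.0.0.5", "attack_type": "c2_beacon", "start": 50},
    {"attacker": "10.0.0.9", "victim": "10.0.0.30", "attack_type": "scan", "start": 250},
    # starts before the hop into 10.0.0.30 (250): rejected by the time-order rule
    {"attacker": "10.0.0.30", "victim": "10.0.0.20", "attack_type": "lateral", "start": 240},
]

if __name__ == "__main__":
    for p in restore_paths(SAMPLE_EVENTS, "10.0.0.5", "10.0.0.20"):
        print(describe(p))
```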
In one embodiment, step S5 above (confidence-scoring the attack IP and the single-step attack paths using third-party threat intelligence and performing recommendation evaluation on all links of the attack path according to the scores) specifically comprises the following steps:
Step S51: obtain the threat intelligence API provided by a third-party security vendor and the historical threat intelligence of each IP;
Table 4 shows a sample of the threat intelligence.
Table 4 Threat intelligence sample form
Step S52: score the attack IP and the attacked IP in the attack path with the following formula, combining the threat time, threat type and attack confidence recorded for the IP in the threat intelligence;
where S is the threat confidence of the IP; T_c is the total duration of a single attack in the threat intelligence; T_i is the total duration of the i-th attack in the threat intelligence; Q_score is the threat score of the attack in the threat intelligence; F_L is the threat level, determined by the threat level in the threat intelligence; α_i is determined by the threat type in the threat intelligence and the type of the attack; attack_type_data is the attack type determined for the attack IP; attack_type_info is the attack type in the threat intelligence; and n is the number of historical attacks of the IP;
Step S53: score the attack confidence of a single attack from the threat confidence scores of the attack IP and the attacked IP:
M = S_attack (1 - S_attacked)
where M is the attack confidence score of the single attack, S_attack is the threat confidence score of the attack IP and S_attacked is the threat confidence score of the attacked IP;
Step S54: compute the full-link attack confidence score of the attack path from the attack confidence scores of the single attacks:
where W is the full-link attack confidence score of the complete attack path and M_i is the attack confidence score of the i-th attack along the complete attack path.
The invention discloses an attack path modeling method based on multi-source alarm log compression, which performs association compression on alarm logs along three dimensions: time state, attack continuity and attack threat confidence score. It completes the compression and screening of massive logs without cutting off attack paths and without losing key information, thereby constructing attack paths efficiently.
The invention performs association analysis on the alarm logs generated by multiple network security engine sources together with third-party threat intelligence. It thereby makes it possible to model the attack path entirely at the traffic layer when end-side logs cannot be obtained at the network gateway, so that the security protection level of the whole communication network is reflected faithfully.
Example two
As shown in fig. 4, an embodiment of the present invention provides an attack path modeling system based on multi-source alarm log compression, including the following modules:
the data collection and preprocessing module 61 is configured to collect alarm logs generated by a plurality of network security engine sources, and perform a preprocessing operation on the alarm logs to obtain preprocessed alarm logs, where the network security engine sources include: a controlled traffic detection engine, a CVE vulnerability traffic detection engine, and a malicious DNS traffic detection engine;
the homologous log aggregation module 62 is configured to calculate similarities between the preprocessed alarm logs generated by the homologous security engine, and cluster the preprocessed alarm logs higher than a threshold into the same cluster, so as to form a network attack event;
the multi-source log aggregation module 63 is configured to aggregate network attack events generated by the multi-source security engine, perform association compression based on time continuity and attack continuity, and obtain compressed network attack events; confidence scoring is carried out on the compressed network attack event according to the occurrence state of the network attack event and the attack threat degree, and the network attack event after compression scoring is obtained;
the attack path restoration module 64 is configured to perform attack graph construction on the network attack event after compression scoring by using the time Petri network, perform attack modeling through the node state table, and restore and output all possible attack paths from the attack node to the target node;
and the attack path recommendation evaluation module 65 is configured to score confidence of the attack IP and the single-step attack path by using third-party threat information, and perform recommendation evaluation on all links of the attack path according to the scoring condition.
The above examples are provided for the purpose of describing the present invention only and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalents and modifications that do not depart from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (6)

1. An attack path modeling method based on multi-source alarm log compression is characterized by comprising the following steps:
step S1: collecting alarm logs generated by a plurality of network security engine sources, and preprocessing the alarm logs to obtain preprocessed alarm logs, wherein the network security engine sources comprise: a controlled traffic detection engine, a CVE vulnerability traffic detection engine, and a malicious DNS traffic detection engine;
step S2: respectively calculating the similarity between the preprocessed alarm logs generated by the homologous security engine, and clustering the preprocessed alarm logs higher than a threshold value into the same cluster to form a network attack event;
step S3: carrying out association compression on the network attack event generated by the multi-source security engine aggregation based on time continuity and attack continuity to obtain a compressed network attack event; confidence scoring is carried out on the compressed network attack event according to the occurrence state of the network attack event and the attack threat level, and the compressed and scored network attack event is obtained;
step S4: constructing an attack graph of the compressed and scored network attack event by using a time Petri network, carrying out attack modeling by using a node state table, and restoring and outputting all possible attack paths from an attack node to a target node;
step S5: and confidence scoring is carried out on the attack IP and the single-step attack path by using third-party threat information, and recommendation evaluation is carried out on all links of the attack path according to the scoring condition.
2. The attack path modeling method based on multi-source alarm log compression according to claim 1, wherein the step S2 of calculating, separately for each engine, the similarity between the preprocessed alarm logs generated by the same-source security engine, and clustering the preprocessed alarm logs whose similarity exceeds a threshold into the same cluster to form a network attack event, comprises the following steps:
step S21: calculating the similarity of each attribute between the preprocessed alarm logs generated by the same-source security engine by using the following formula, wherein the attributes comprise: IP address, port, log number, device type, event-related information, and time;
wherein w_i is the weight of the ith attribute, n is the number of attributes, X_i is the ith attribute of log X, and Y_i is the ith attribute of log Y;
step S22: determining a similarity threshold, and merging the preprocessed alarm logs whose similarity exceeds the threshold into the same cluster;
step S23: merging the preprocessed alarm logs within each cluster to generate a network attack event.
3. The attack path modeling method based on multi-source alarm log compression according to claim 2, wherein the step S3 of carrying out association compression, based on time continuity and attack continuity, on the network attack events aggregated from the multi-source security engines to obtain compressed network attack events, and carrying out confidence scoring on the compressed network attack events according to the occurrence state of the network attack event and the attack threat level to obtain compressed and scored network attack events, comprises the following steps:
step S31: compressing network attack events of the same type according to their time state, i.e. association analysis based on the time continuity of the attack: when the attack IP, the attacked IP and the attack type are the same and the attack time interval is smaller than the time interval Δt specified by the system, the events are merged and compressed;
step S32: compressing network attack events of different attack types according to their continuity state, i.e. association analysis based on the continuity of the attack: when the attack IP and the attacked IP are the same, the attack time interval is smaller than the time interval Δt specified by the system, and the earlier attack type includes (subsumes) the later one, the events are merged and compressed;
step S33: carrying out confidence scoring on the compressed network attack events based on an improved D-S evidence theory to obtain the compressed and scored network attack events.
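Steps S31 and S32 as an added worked example, not code from the patent: the time-continuity merge and the attack-continuity merge run over constructed events, assuming a hypothetical inclusion relation INCLUDES between attack types (the patent does not define one) and Δt = 10 time units.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Assumed inclusion relation between attack types (earlier stage -> later stage); constructed stand-in.
INCLUDES = {("port_scan", "cve_exploit"), ("cve_exploit", "malicious_dns")}

@dataclass
class Event:
    src: str        # attack IP
    dst: str        # attacked IP
    stages: tuple   # attack types in order; a single type before step S32
    t_start: float
    t_end: float
    count: int = 1  # raw events merged into this one

def _merge_chains(events, key, can_merge, combine, delta_t):
    # Group by key, walk each group in time order, merge neighbours whose gap is below delta_t.
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.t_start):
        groups[key(e)].append(e)
    out = []
    for chain in groups.values():
        cur = replace(chain[0])
        for e in chain[1:]:
            if e.t_start - cur.t_end < delta_t and can_merge(cur, e):
                cur = combine(cur, e)
            else:
                out.append(cur)
                cur = replace(e)
        out.append(cur)
    return sorted(out, key=lambda e: e.t_start)

def _span(a, b, **extra):  # merged event covers both time spans and sums the counts
    return replace(a, t_end=max(a.t_end, b.t_end), count=a.count + b.count, **extra)

def compress_same_type(events, delta_t):
    """S31: same attack IP, attacked IP and attack type, gap below delta_t."""
    return _merge_chains(events, lambda e: (e.src, e.dst, e.stages),
                         lambda a, b: True, _span, delta_t)

def compress_continuity(events, delta_t):
    """S32: same IP pair, gap below delta_t, earlier type includes the later one."""
    return _merge_chains(events, lambda e: (e.src, e.dst),
                         lambda a, b: (a.stages[-1], b.stages[0]) in INCLUDES,
                         lambda a, b: _span(a, b, stages=a.stages + b.stages), delta_t)

ALERTS = [  # constructed sample events: attack IP, attacked IP, type, start, end
    Event("10.0.0.5", "10.0.1.20", ("port_scan",), 0, 5),
    Event("10.0.0.5", "10.0.1.20", ("port_scan",), 8, 12),       # gap 3: merged (S31)
    Event("10.0.0.5", "10.0.1.20", ("cve_exploit",), 15, 16),    # scan then exploit (S32)
    Event("10.0.0.5", "10.0.1.20", ("malicious_dns",), 40, 41),  # gap 24: kept separate
    Event("10.0.0.9", "10.0.1.20", ("port_scan",), 1, 2),
]

def compress(events, delta_t=10):
    return compress_continuity(compress_same_type(events, delta_t), delta_t)
```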
4. The attack path modeling method based on multi-source alarm log compression according to claim 3, wherein the step S4 of constructing an attack graph of the compressed and scored network attack events by using a time Petri network, carrying out attack modeling by using a node state table, and restoring and outputting all possible attack paths from the attack node to the target node, specifically comprises the following steps:
step S41: ordering the compressed and scored network attack events by time;
step S42: initializing a main time Petri network;
step S43: iterating over the events in time order, inputting the attack IP and the attacked IP of each event as nodes;
step S44: when a node undergoes a state transition, constructing a sub time Petri network for the transitioning node and building the attack state relation table of the node;
step S45: merging the transitions of the sub time Petri network into the main time Petri network and checking the global relation; repeating steps S43 to S45 until construction of the main time Petri network is complete;
step S46: given the retrieval conditions, restoring all attack paths from the attack node to the target node.
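Steps S41 to S46 as an added example, not the patent's own implementation: a plain time-ordered directed graph with a node state table stands in for the time Petri network, and path restoration returns every time-consistent path from a given attack node to a target node over constructed events.

```python
from collections import defaultdict

# Constructed compressed events (attack IP, attacked IP, attack type, time); not data from the patent.
EVENTS = [
    ("203.0.113.7", "10.0.1.20", "cve_exploit", 10),
    ("10.0.1.20", "10.0.2.30", "port_scan", 3),      # precedes the compromise of 10.0.1.20
    ("10.0.1.20", "10.0.2.30", "cve_exploit", 25),
    ("10.0.1.20", "10.0.2.31", "port_scan", 27),
    ("10.0.2.31", "10.0.2.30", "cve_exploit", 35),
]

def build_graph(events):
    """Stand-in for S41-S45: order events by time, add each attack IP -> attacked IP
    transition to the main graph, and keep a node state table recording the time at
    which each node first changed state (first time it was attacked)."""
    graph = defaultdict(list)
    state = {}
    for src, dst, atype, t in sorted(events, key=lambda e: e[3]):
        graph[src].append((dst, atype, t))
        state.setdefault(dst, t)
    return graph, state

def restore_paths(graph, start, target):
    """S46: enumerate every simple path start -> target whose event times never
    decrease, so a host can only be used as a pivot after it was attacked."""
    paths = []

    def walk(node, t_prev, path, seen):
        if node == target:
            paths.append(list(path))
            return
        for dst, atype, t in graph.get(node, []):
            if t >= t_prev and dst not in seen:
                path.append((node, dst, atype, t))
                seen.add(dst)
                walk(dst, t, path, seen)
                path.pop()
                seen.discard(dst)

    walk(start, float("-inf"), [], {start})
    return paths

if __name__ == "__main__":
    g, state = build_graph(EVENTS)
    for p in restore_paths(g, "203.0.113.7", "10.0.2.30"):
        print(" -> ".join(f"{s}->{d}[{a}@{t}]" for s, d, a, t in p))
```

The edge at time 3 is dropped from every path because 10.0.1.20 is only attacked at time 10, which is the check the node state table supports.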
5. The attack path modeling method based on multi-source alarm log compression according to claim 4, wherein the step S5 of carrying out confidence scoring on the attack IP and the single-step attack path by using third-party threat intelligence, and carrying out recommendation evaluation on all links of the attack path according to the scoring condition, specifically comprises the following steps:
step S51: acquiring the threat intelligence API interface provided by a third-party security vendor and obtaining the threat intelligence containing the history of the IP;
step S52: scoring the attack IP and the attacked IP in the attack path according to the following formula, combining the threat time, the threat type and the attack confidence of the IP in the threat intelligence;
wherein S is the threat confidence of the IP; T_c is the total duration of a single attack in the threat intelligence; T_i is the total duration of the ith attack in the threat intelligence; Q_score is the threat score of the attack in the threat intelligence; F_L is the threat level, determined by the threat level in the threat intelligence; α_i is the attack type term, determined by the threat type in the threat intelligence and the type of the attack; attack_type_data is the attack type determined for the attack IP; attack_type_info is the attack type in the threat intelligence; and n is the number of historical attacks of the IP;
step S53: scoring the attack confidence of a single attack from the threat confidence scores of the attack IP and the attacked IP:
M = S_attack (1 S_attacked)
wherein M is the attack confidence score of the single attack; S_attack is the threat confidence score of the attack IP; and S_attacked is the threat confidence score of the attacked IP;
step S54: calculating the full-link attack confidence score of the attack path from the attack confidence scores of the single attacks:
wherein W is the full-link attack confidence score of the complete attack path, and M_i is the attack confidence score of the ith attack on the complete attack path.
6. An attack path modeling system based on multi-source alarm log compression is characterized by comprising the following modules:
the data acquisition and preprocessing module is used for collecting alarm logs generated by a plurality of network security engine sources and preprocessing the alarm logs to obtain preprocessed alarm logs, wherein the network security engine sources comprise: a controlled traffic detection engine, a CVE vulnerability traffic detection engine, and a malicious DNS traffic detection engine;
the same-source log aggregation module is used for calculating, separately for each engine, the similarity between the preprocessed alarm logs generated by the same-source security engine, and clustering the preprocessed alarm logs whose similarity exceeds a threshold into the same cluster to form a network attack event;
the multi-source log aggregation module is used for carrying out association compression, based on time continuity and attack continuity, on the network attack events aggregated from the multi-source security engines to obtain compressed network attack events, and for carrying out confidence scoring on the compressed network attack events according to the occurrence state of the network attack event and the attack threat level, to obtain compressed and scored network attack events;
the attack path restoration module is used for constructing an attack graph for the compressed and scored network attack event by using the time Petri network, carrying out attack modeling by a node state table, and restoring and outputting all possible attack paths from the attack node to the target node;
and the attack path recommendation evaluation module is used for performing confidence scoring on the attack IP and the single-step attack path by using third-party threat information and performing recommendation evaluation on all links of the attack path according to the scoring condition.
CN202310177705.XA 2023-02-17 2023-02-17 Attack path modeling method and system based on multi-source alarm log compression Pending CN116614245A (en)

Publications (1)

Publication Number Publication Date
CN116614245A true CN116614245A (en) 2023-08-18

Family

ID=87677065

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117061250A (en) * 2023-10-12 2023-11-14 中孚安全技术有限公司 Network security early warning method, system, equipment and medium based on data center
CN117061250B (en) * 2023-10-12 2023-12-15 中孚安全技术有限公司 Network security early warning method, system, equipment and medium based on data center

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination