CN117544421A - Network threat detection method, device, medium and electronic equipment - Google Patents


Info

Publication number: CN117544421A
Authority: CN (China)
Prior art keywords: subgraph, activity, representation, target activity, graph
Legal status: Granted
Application number: CN202410022133.2A
Other languages: Chinese (zh)
Other versions: CN117544421B (en)
Inventors: 田志宏, 吴未, 仇晶, 戚吴祺, 鲁辉, 孙彦斌, 刘园, 苏申, 李默涵, 徐天福, 何群, 邱日轩, 郑志彬, 崔宇, 王昊, 欧露
Current assignee: Softpole Network Technology Beijing Co ltd; Guangzhou University; Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Original assignee: Softpole Network Technology Beijing Co ltd; Guangzhou University; Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Application filed by Softpole Network Technology Beijing Co ltd, Guangzhou University and Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd; priority to CN202410022133.2A; published as CN117544421A; granted as CN117544421B (active)


Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection


Abstract

The invention provides a network threat detection method comprising the following steps: constructing a system provenance graph (also called a tracing graph) that comprises m nodes; learning the feature representation of the system provenance graph with a graph convolutional neural network to obtain the representation of the nodes, which form a system activity subgraph; dividing n system activity subgraphs according to a preset time window to obtain a target activity subgraph; learning the sample representation in the target activity subgraph by local-global mutual information maximization, and optimizing the sample representation to obtain a reasonable representation of the target activity subgraph; learning a graph vector reconstruction model of the target activity subgraph to obtain a reconstructed graph vector representation; calculating a reconstruction error from the reasonable representation of the target activity subgraph and the reconstructed graph vector representation; and detecting abnormal activity subgraphs according to the reconstruction error to achieve threat detection. With this method, fine-grained attack activity can be detected efficiently while the capability to detect unknown threats is retained.

Description

Network threat detection method, device, medium and electronic equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a medium, and an electronic device for detecting a network threat.
Background
APT (Advanced Persistent Threat) is a complex form of network attack that tends to be aimed at specific targets and can easily bypass reputation systems built on traditional indicators of compromise. Moreover, APT attacks tend to have a low activity frequency, can remain hidden for a long time, and have relatively long intervals between two associated attack steps. The basic network defense infrastructure, such as intrusion detection systems and firewalls, mainly uses traffic data as its data source and responds to predefined attacks by means of existing rules. The result is either a large number of false positives because the rules are too strict, or a large number of false negatives because the rules are too loose, so that increasingly complex attack activity is difficult to handle.
It can be seen that it is difficult to meet the severe challenge of current APT attacks by relying solely on built-in firewall rules, intrusion detection rules or reputation systems based on low-level indicators of compromise. Research has therefore gradually turned in recent years to building provenance graphs from audit logs, using the fine-grained event records in the system to mine potential threats. Existing research based on provenance graphs is mainly divided into two categories, misuse detection and anomaly detection; a representative misuse-detection system is SLEUTH, and a representative anomaly-detection system is UNICORN.
Although these existing systems have some defensive capability against highly covert unknown threats, they have obvious shortcomings and are easily bypassed on purpose by attackers. Taking the misuse-detection system SLEUTH as an example, although it can detect attacks at relatively high speed, its detection rules are hard-coded at the code level, lack scalability, and cannot defend against newer attacks. As for anomaly-detection systems represented by UNICORN, although they have some capability to defend against unknown threats, they characterize the current graph with a sampled histogram and are therefore insensitive to fine-grained activity on the provenance graph.
Against the broader background that low-level indicators of compromise are gradually losing their value and the defense infrastructure can no longer play its role effectively, how to mine high-level features from attack activity in order to identify highly covert unknown threats is a current research hotspot in industry and academia. In practice, a technical means that can effectively detect complex attacks using features such as attack patterns is urgently needed, to solve the problem that unknown threats and fine-grained attack activity cannot be detected.
Disclosure of Invention
The invention aims to provide a network threat detection method, a device, a medium and electronic equipment, which are used for solving the problem that the detection capability of unknown threats and fine attack activities cannot be achieved.
In a first aspect, the present invention provides a method for detecting a cyber threat, including: constructing a system provenance graph, wherein the system provenance graph comprises m nodes and m is a positive integer; learning the feature representation of the system provenance graph through a graph convolutional neural network to obtain the representation of the nodes, which form a system activity subgraph; dividing n system activity subgraphs according to a preset time window to obtain a target activity subgraph, wherein n is a positive integer; learning the sample representation in the target activity subgraph by local-global mutual information maximization, and optimizing the sample representation to obtain a reasonable representation of the target activity subgraph; learning a graph vector reconstruction model of the target activity subgraph to obtain a reconstructed graph vector representation; calculating a reconstruction error from the reasonable representation of the target activity subgraph and the reconstructed graph vector representation; and detecting an abnormal activity subgraph according to the reconstruction error to achieve threat detection.
The network threat detection method provided by the invention has the following beneficial effects: mutual information maximization and the detection of abnormal attack scenes through reconstruction errors are innovatively applied, so that fine-grained attack activity can be detected efficiently, the capability to detect unknown threats is guaranteed, and the method is sensitive to fine-grained activity on the provenance graph, which is a clear advantage over existing methods.
In a possible embodiment, learning the sample representation in the target activity subgraph by local-global mutual information maximization and optimizing the sample representation to obtain a reasonable representation of the target activity subgraph includes: training an embedding function, and generating positive sample pairs in each target activity subgraph according to the embedding function; setting a destruction function, and generating negative sample pairs in each target activity subgraph according to the destruction function; training a discriminator function, and obtaining a probability score for the positive sample pairs and a probability score for the negative sample pairs according to the discriminator function; and setting a loss function, and optimizing the parameters of the embedding function and the discriminator function according to the loss function to obtain a reasonable representation of the target activity subgraph.
Illustratively, a positive sample pair is the pairing of the hidden feature of a single node after embedding with the global feature of its target activity subgraph; a negative sample pair is the pairing of a node's local feature, after it has been changed by the destruction function, with the global feature of its target activity subgraph.
In other possible embodiments, detecting an abnormal activity subgraph from the reconstruction error includes: when threat detection is carried out, judging whether the reconstruction error of each system activity subgraph is larger than a set reconstruction error threshold value; and when the reconstruction error of the system activity subgraph is larger than the reconstruction error threshold value, judging the system activity subgraph as an abnormal activity subgraph.
In a second aspect, the present invention also provides a cyber threat detection apparatus, the apparatus comprising: a construction unit for constructing a system provenance graph, wherein the system provenance graph comprises m nodes and m is a positive integer;
the first learning unit is used for learning the characteristic representation of the system traceability graph through a graph convolution neural network to obtain the representation of the node to form a system activity subgraph;
the dividing unit is used for dividing n system activity subgraphs according to a preset time window to obtain a target activity subgraph, wherein n is a positive integer;
the second learning unit is used for learning the sample representation in the target activity subgraph through local-global mutual information maximization, and optimizing the sample representation to obtain the reasonable representation of the target activity subgraph;
the third learning unit is used for learning a graph vector reconstruction model of the target activity subgraph to obtain a reconstructed graph vector representation;
a computing unit for computing a reconstruction error from the rational representation of the target activity subgraph and the reconstructed graph vector representation;
and the detection unit is used for detecting the abnormal activity subgraph according to the reconstruction error so as to realize threat detection.
The second learning unit learns the sample representation in the target activity subgraph through local-global mutual information maximization, optimizes the sample representation to obtain a reasonable representation of the target activity subgraph, and is specifically used for: training an embedding function, and generating positive sample pairs in each target activity subgraph according to the embedding function; setting a destruction function, and generating negative sample pairs in each target activity subgraph according to the destruction function; training a discriminator function, and obtaining a probability score for the positive sample pairs and a probability score for the negative sample pairs according to the discriminator function; and setting a loss function, and optimizing the parameters of the embedding function and the discriminator function according to the loss function to obtain a reasonable representation of the target activity subgraph.
The positive sample pair is the pairing of hidden features and global features after a single node is embedded in each target activity subgraph; and the negative sample pair is the pairing of the local characteristic and the global characteristic of the node after the change of the destruction function in each target activity subgraph.
The detection unit detects an abnormal activity subgraph according to the reconstruction error, and is specifically configured to: when threat detection is carried out, judging whether the reconstruction error of each system activity subgraph is larger than a set reconstruction error threshold value; and when the reconstruction error of the system activity subgraph is larger than the reconstruction error threshold value, judging the system activity subgraph as an abnormal activity subgraph.
In a third aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements the above-described network threat detection method.
In a fourth aspect, the present invention also provides an electronic device, including: a processor and a memory; the memory is used for storing a computer program; the processor is configured to execute the computer program stored in the memory, so that the electronic device executes the network threat detection method.
The advantageous effects concerning the above second to fourth aspects can be seen from the description of the above first aspect.
Drawings
FIG. 1 is a schematic flow chart of a network threat detection method according to an embodiment of the present invention;
FIG. 2 is a working framework diagram of a network threat detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a network threat detection apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention. Unless otherwise defined, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this invention belongs. As used herein, the word "comprising" and the like means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof without precluding other elements or items.
Aiming at the problems existing in the prior art, the embodiment of the invention provides a network threat detection method, a network threat detection device, a network threat detection medium and electronic equipment.
The embodiment provides a network threat detection method. Referring to fig. 1 and 2, the method includes:
s101: and constructing a system tracing graph, wherein the system tracing graph comprises m nodes, and m is a positive integer.
In S101, in one possible embodiment, the traceability graph represents a relationship graph of interactions between system objects. The log data is converted into graph data by analyzing the structured audit log, multiple types of points and edges exist in the graph, multiple edges can exist between the two points, and the edges have directions, so that the graph belongs to a directed multiple graph.
The system tracing graph mainly comprises two major types of nodes, namely a host (mainly comprising a process and a thread) and an object (mainly comprising a file, a socket and the like), wherein the operation applied by the host to the object is the edge in the system tracing graph. Whether or not two nodes are originally connected, or how long the time interval generated by the two nodes is, the nodes with causal relation can be connected in the traceability graph.
In particular, audit logs are records that are automatically generated by a system or application during operation, for recording important operations, events, and anomalies of the system. The audit log may assist network security personnel in auditing and investigation, such as to discover attacks or abnormal behavior, to determine the origin and propagation path of an intrusion, and so forth. Audit logs typically contain the following information: 1. timestamp: recording the time of occurrence of the event; 2. user information: recording the user of the operation or event occurrence; 3. operation information: recording the type and content of the operation or event occurring; 4. device information: a device that records the occurrence of an operation or event. For example, linux audiod is an audit mechanism built in a Linux operating system, and is used for recording important operation, events and abnormal situations of the system. Linux audiod audits using two components, an event source for generating events and a controller for receiving and storing events. In addition, common auditing systems also include Event Trace for Windows (ETW) and DTrace, deployed on Windows and Unix systems, respectively. A provenance graph refers to a graph data structure used to record relationships between objects and events in a system. By constructing the traceability graph, the relation between the events and the system objects occurring in the system can be better known, so that network security personnel can be helped to discover threats and conduct investigation more quickly. The traceability map can help network security personnel find intrusion and quickly review events.
S102: and obtaining the representation of the nodes to form a system activity subgraph through the characteristic representation of the tracing graph of the graph rolling neural network learning system.
In S102, in one possible embodiment, a training graph convolutional neural network (GCN) model learns a representation of a traceability graph. Graph convolutional neural networks (GCNs) are spectral domain based models that can be approximated in practice as applying strictly localized filters to traverse the graph, so that information between neighboring nodes can be classified by graph convolution. Therefore, the invention learns the characteristic representation of the system tracing graph through the graph convolution neural network, and can obtain the representation of the nodes in the system tracing graph, thereby obtaining the representation graph of the nodes in the system tracing graph, namely the system activity subgraph. Specifically, after learning through the graph convolution neural network, a corresponding system activity subgraph can be obtained for each system traceability graph.
S103: dividing n system activity subgraphs according to a preset time window to obtain a target activity subgraph, wherein n is a positive integer.
In S103, in one possible embodiment, the system activity subgraphs are divided according to a preset time window, giving n system activity subgraphs within the window; these n subgraphs are taken as the target activity subgraphs, which are then screened to determine whether any abnormal activity subgraph exists among them.
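The following is an added illustration of steps S101 and S103, not code from the patent: constructed, simplified audit records are parsed into a directed multigraph of subject-to-object operations, divided into activity subgraphs by a fixed time window, and traced backward to find the origin of an object. The record layout, the node-name prefixes and the mapping of operations to information-flow direction (`INFLOW_OPS`) are assumptions of this example.

```python
from collections import defaultdict

# Constructed, simplified audit records (not real auditd/ETW output):
# (timestamp, subject process, operation, object). Node names carry their
# type as a prefix so the graph can tell processes, files and sockets apart.
SAMPLE_RECORDS = [
    (100, "process:bash#1", "exec", "process:curl#2"),
    (102, "process:curl#2", "connect", "socket:203.0.113.9:443"),
    (103, "process:curl#2", "recv", "socket:203.0.113.9:443"),
    (105, "process:curl#2", "write", "file:/tmp/update.sh"),
    (410, "process:bash#1", "exec", "process:sh#3"),
    (411, "process:sh#3", "read", "file:/tmp/update.sh"),
    (415, "process:sh#3", "write", "file:/etc/cron.d/job"),
    (720, "process:cron#4", "read", "file:/etc/cron.d/job"),
]

# Assumed mapping: for these operations data flows from the object into the
# subject; for all others (exec, write, connect, ...) from subject into object.
INFLOW_OPS = {"read", "recv"}


class ProvenanceGraph:
    """Directed multigraph of subject->object operations. Parallel edges
    between the same pair are kept, each tagged with operation and time."""

    def __init__(self):
        self.nodes = set()
        self.edges = []                       # (subject, obj, op, ts)
        self.flows_into = defaultdict(list)   # node -> nodes whose data reaches it

    def add_event(self, ts, subject, op, obj):
        self.nodes.update((subject, obj))
        self.edges.append((subject, obj, op, ts))
        src, dst = (obj, subject) if op in INFLOW_OPS else (subject, obj)
        self.flows_into[dst].append(src)

    @classmethod
    def from_records(cls, records):
        g = cls()
        for ts, subject, op, obj in sorted(records):
            g.add_event(ts, subject, op, obj)
        return g

    @staticmethod
    def node_type(node):
        return node.split(":", 1)[0]

    def ancestors(self, node):
        """Backward trace: every node whose data or control causally reaches
        `node`, however far apart in time the events were."""
        seen, stack = set(), [node]
        while stack:
            for src in self.flows_into[stack.pop()]:
                if src not in seen and src != node:
                    seen.add(src)
                    stack.append(src)
        return seen

    def split_windows(self, window):
        """Divide the graph by a fixed time window into activity subgraphs,
        one ProvenanceGraph per window index (ts // window)."""
        buckets = defaultdict(list)
        for subject, obj, op, ts in self.edges:
            buckets[ts // window].append((ts, subject, op, obj))
        return {k: ProvenanceGraph.from_records(v) for k, v in sorted(buckets.items())}

    def type_counts(self):
        """Node-type histogram: a simple per-subgraph feature a model could consume."""
        counts = defaultdict(int)
        for n in self.nodes:
            counts[self.node_type(n)] += 1
        return dict(counts)


def build_windows(records=SAMPLE_RECORDS, window=300):
    """Full pipeline for the constructed records: graph, then per-window subgraphs."""
    return ProvenanceGraph.from_records(records).split_windows(window)


if __name__ == "__main__":
    g = ProvenanceGraph.from_records(SAMPLE_RECORDS)
    for k, sub in g.split_windows(300).items():
        print(f"window {k}: {len(sub.edges)} edges, node types {sub.type_counts()}")
    print("origin of file:/etc/cron.d/job:", sorted(g.ancestors("file:/etc/cron.d/job")))
```

Note that the events in windows 0 and 1 are more than 300 time units apart, yet the backward trace still links the cron file to the socket, which is the long-interval causal connection the description above relies on.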
S104: and optimizing the sample representation to obtain a reasonable representation of the target activity subgraph by maximum learning of the sample representation in the target activity subgraph through the local-global mutual information.
In S104, in one possible embodiment, optimizing the sample representation to obtain a rational representation of the target activity subgraph by locally-globally learning the sample representation in the target activity subgraph at maximum mutual information includes: training an embedded function, and generating positive sample pairs in each target activity subgraph according to the embedded function; setting a destruction function, and generating a negative sample pair in each target activity subgraph according to the destruction function; training a discriminant function, and obtaining a probability score of a positive sample pair and a probability score of a negative sample pair according to the discriminant function; and setting a loss function, optimizing parameters of the embedded function and the discriminator function according to the loss function, and obtaining reasonable representation of the target activity subgraph.
The positive sample pair is the pairing of hidden features and global features after a single node is embedded in each target activity subgraph; the negative sample pairs are pairs of local features and global features of nodes in each target activity subgraph after the local features and the global features are changed by the destruction function.
In a specific embodiment, a graph embedding model based on mutual information maximization is designed to process a target activity subgraph, wherein a training embedding function is used as an encoder. Specifically, for a target activity subgraphThere are a series of node features->Wherein->Representing target Activity subgraph->Node in->Representing target Activity subgraph->The set of edges in->Representing the number of nodes. In this embodiment, the goal is to learn an embedded representationWherein->Representing the encoded target activity subgraph +.>Set of embedded representations of middle nodes, +.>Representing an embedded function->Representing target Activity subgraph->Adjacent matrix of->Representing the hidden vector after embedding of a single node i. Since the graph neural network adopts the graph convolution network as a model, the embedded features are +.>The feature of the peripheral node is provided, so that the feature is called local feature, and the global feature can be obtained after the local feature is aggregated>. A specific method of aggregation is Average Pooling (Average Pooling), i.e. all +.>And (5) adding and averaging. In this embodiment, the negative sample is generated by setting the destruction function +.>. Specifically, the destruction function->The operation of (1) is to randomly scramble a certain local feature +.>Order of different dimensions of (e.g. original +)>Through destruction function->Change to->. The uncorrupted function->Disorder local feature->And global features->Pairing was taken as positive sample pair, noted +.>The method comprises the steps of carrying out a first treatment on the surface of the Will go through the destruction function->Change to->Is>The pairing was taken as a negative sample pair, noted +.>. Retraining a discriminant functionRepresenting the local-global pair probability score. 
Based on local-global mutual information maximization, loss function +.>The method comprises the following steps:wherein->Representing a destroyed function->The disturbed node feature set, +.>Representing the target activity subgraph after disruption of the disruption function>Adjacent matrix of->For the number of positive sample pairs +.>Is the number of negative pairs of samples. According to the loss function->Optimizing the embedding function->And discriminator function->Will result in a reasonable representation S of all activity subgraphs. After the process is learned well to obtain an embedded model, the model converges after training is completed, and each activity subgraph can be output by using the embedded model to obtain a reasonable representation S of the target activity subgraph. In this embodiment, contrast learning is used to maximize the similarity between positive pairs of samples while minimizing the similarity between negative pairs of samples, so that the learned features are more discriminative, i.e., the local-global mutual information is used to maximize the learned features.
In a possible embodiment, the target activity subgraph entered into the embedding model is preferably a normal benign activity subgraph.
S105: and learning a graph vector reconstruction model of the target activity subgraph to obtain a reconstructed graph vector representation.
In S105, in one possible embodiment, a graph vector reconstruction model of the benign scene activity subgraph is learned using a multi-layer perceptron (MLP) as the model' S infrastructure.
S106: the reconstruction error is calculated from the rational representation of the target activity subgraph and the reconstructed graph vector representation.
In S106, in one possible embodiment, the mean square error (MSE, mean Square Error) of the embedded map vector and the reconstructed vector is minimized, and the specific calculation formula is:wherein->Representing the number of active subgraphs>Reasonable representation of target activity subgraph representing input, +.>Representing a reconstructed graph vector representation. The calculated mean square error is the reconstruction error.
S107: and detecting an abnormal activity subgraph according to the reconstruction error to realize threat detection.
In S107, in one possible embodiment, detecting an abnormal activity subgraph according to the reconstruction error includes: when threat detection is carried out, judging whether the reconstruction error of each system activity subgraph is larger than a set reconstruction error threshold value; and when the reconstruction error of the system activity subgraph is larger than the reconstruction error threshold value, judging the system activity subgraph as an abnormal activity subgraph.
In a possible embodiment, in the prediction stage, when a normal benign activity subgraph is input into the abnormal detection model through the embedded model, the obtained reconstruction error is smaller than or equal to a reconstruction error threshold, and when the abnormal activity subgraph is input, the obtained reconstruction error is larger than the reconstruction error threshold due to a certain difference between the behavior pattern of the abnormal activity subgraph and the normal benign activity. By setting a reasonable reconstruction error threshold, abnormal activity subgraphs can be effectively screened from normal benign activity subgraphs.
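As an added, dependency-free illustration of steps S104 to S107 (not the patent's code): a one-layer GCN encoder produces local features, average pooling gives the global feature, the destruction function permutes the dimensions of each local feature, a bilinear discriminator scores local-global pairs, and the resulting cross-entropy loss is the mutual-information objective; the reconstruction error is then compared against a threshold. The weights are random and untrained, the 4-node subgraph and the reconstruction errors are constructed, and the bilinear discriminator form is an assumption of this example.

```python
import math
import random


def matmul(a, b):
    """Plain-list matrix product, so the example runs without numpy."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def gcn_layer(adj, x, w):
    """One GCN propagation: relu(D^-1/2 (A+I) D^-1/2 X W). Each output row is a
    node's local feature, which already mixes in its neighbours' features."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1 if i == j else 0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in a_hat]
    norm = [[a_hat[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]
    return [[max(0.0, v) for v in row] for row in matmul(matmul(norm, x), w)]


def readout(h):
    """Global feature s by average pooling: add all local features and average."""
    return [sum(row[k] for row in h) / len(h) for k in range(len(h[0]))]


def corrupt(h, rng=None):
    """Destruction function: scramble the order of the dimensions of each local
    feature (as the description states), keeping the values themselves."""
    rng = rng or random.Random(0)
    out = []
    for row in h:
        perm = list(range(len(row)))
        rng.shuffle(perm)
        out.append([row[k] for k in perm])
    return out


def discriminator(h_i, s, w):
    """Bilinear local-global scorer D(h_i, s) = sigmoid(h_i^T W s), in (0, 1)."""
    ws = [sum(w[k][j] * s[j] for j in range(len(s))) for k in range(len(w))]
    z = max(-60.0, min(60.0, sum(a * b for a, b in zip(h_i, ws))))  # avoid overflow
    return 1.0 / (1.0 + math.exp(-z))


def infomax_loss(pos_scores, neg_scores):
    """Binary cross-entropy over N positive and M negative local-global pairs;
    minimising it pushes D(h_i, s) up and D(corrupted h_i, s) down."""
    eps = 1e-9
    pos = sum(math.log(p + eps) for p in pos_scores) / len(pos_scores)
    neg = sum(math.log(1.0 - q + eps) for q in neg_scores) / len(neg_scores)
    return -(pos + neg)


def reconstruction_error(s, s_hat):
    """Mean squared error between a subgraph representation and its reconstruction."""
    return sum((a - b) ** 2 for a, b in zip(s, s_hat)) / len(s)


def detect_anomalies(errors, threshold):
    """Indices of the activity subgraphs whose reconstruction error exceeds the threshold."""
    return [i for i, e in enumerate(errors) if e > threshold]


def score_subgraph(adj, x, seed=0):
    """Run one subgraph through encoder, readout, corruption and discriminator,
    returning (loss, global feature). Weights are random, i.e. untrained; a real
    deployment fits them by minimising this loss on benign subgraphs."""
    rng = random.Random(seed)
    d_in, d_hid = len(x[0]), 4
    w_enc = [[rng.uniform(-1, 1) for _ in range(d_hid)] for _ in range(d_in)]
    w_disc = [[rng.uniform(-1, 1) for _ in range(d_hid)] for _ in range(d_hid)]
    h = gcn_layer(adj, x, w_enc)
    s = readout(h)
    pos = [discriminator(h_i, s, w_disc) for h_i in h]
    neg = [discriminator(h_i, s, w_disc) for h_i in corrupt(h, rng)]
    return infomax_loss(pos, neg), s


# Constructed 4-node activity subgraph: one process (node 0) touching a file,
# a socket and a second file; node features are one-hot node types.
DEMO_ADJ = [[0, 1, 1, 1], [1, 0, 0, 0], [1, 0, 0, 0], [1, 0, 0, 0]]
DEMO_X = [[1, 0, 0], [0, 1, 0], [0, 0, 1], [0, 1, 0]]

if __name__ == "__main__":
    loss, s = score_subgraph(DEMO_ADJ, DEMO_X)
    print("infomax loss:", round(loss, 4), "global feature:", [round(v, 3) for v in s])
    # Constructed reconstruction errors for five windows; only one exceeds 0.2.
    print("anomalous windows:", detect_anomalies([0.03, 0.05, 0.41, 0.02, 0.07], 0.2))
```

The threshold is the operational knob: it should be calibrated on the reconstruction-error distribution of benign windows, since the description only guarantees that benign inputs fall at or below it and abnormal ones above it.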
The network threat detection method provided by the invention innovatively adopts mutual information maximization as the graph embedding method, learns a reasonable hidden vector representation of the graph's nodes in a high-dimensional space, learns a reconstruction model using a multi-layer perceptron as the decoder, and finally detects the pattern of an abnormal attack scene through the reconstruction error. The method can efficiently detect fine-grained attack activity, guarantees the capability to detect unknown threats, guarantees scalability through incremental learning, and gives the embedded learning of the nodes sensitivity to fine-grained activity on the provenance graph. The system also remains sensitive to unknown attacks. The model makes full use of the structural characteristics of the provenance graph and can clearly associate attack activity that targets a particular process over a long time span, improving the capability for long-stage analysis.
In addition, the invention has certain resistance to the pollution of training data. Although all the activity subgraphs used in the training process in the scheme of the invention are preferably benign scene activity subgraphs, even if data pollution exists, namely, even if the activity subgraphs used in the training process comprise part of malicious scene activity subgraphs, good training results can still be obtained as long as the proportion of the benign scene activity subgraphs is far beyond that of the malicious scene activity subgraphs.
Referring to fig. 3 of the specification, this embodiment also provides a network threat detection apparatus for implementing the above method embodiment. The apparatus comprises:
a construction unit 301, configured to construct a system traceability graph, where the system traceability graph includes m nodes and m is a positive integer;
a first learning unit 302, configured to learn a feature representation of the system traceability graph through a graph convolutional neural network, obtaining node representations that form system activity subgraphs;
a dividing unit 303, configured to divide the n system activity subgraphs according to a preset time window to obtain target activity subgraphs, where n is a positive integer;
a second learning unit 304, configured to learn sample representations in the target activity subgraph through local-global mutual information maximization and to optimize them to obtain a reasonable representation of the target activity subgraph;
a third learning unit 305, configured to learn a graph-vector reconstruction model of the target activity subgraph to obtain a reconstructed graph-vector representation;
a calculation unit 306, configured to calculate a reconstruction error from the reasonable representation of the target activity subgraph and the reconstructed graph-vector representation;
a detection unit 307, configured to detect abnormal activity subgraphs according to the reconstruction error, thereby realizing threat detection.
The second learning unit learns the sample representations in the target activity subgraph through local-global mutual information maximization and optimizes them to obtain a reasonable representation of the target activity subgraph; specifically, it is configured to: train an embedding function and generate positive sample pairs in each target activity subgraph from it; set a corruption (destruction) function and generate negative sample pairs in each target activity subgraph from it; train a discriminator function and obtain from it a probability score for each positive sample pair and each negative sample pair; and set a loss function and optimize the parameters of the embedding function and the discriminator function according to that loss, obtaining the reasonable representation of the target activity subgraph.
A positive sample pair is the pairing of the hidden feature of a single node, after embedding, with the global feature of its target activity subgraph; a negative sample pair is the pairing of a node's local feature, after the corruption function has altered the local and global features, with the global feature of that target activity subgraph.
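The data flow of units 301 through 304 and the positive/negative pair construction just described, as an added illustrative example that is not part of the patent or the applicants' code: it parses a handful of constructed audit events into time-window activity subgraphs, runs one graph-convolution propagation step with a fixed, randomly initialised encoder weight (an assumption; the patent's encoder is trained), forms positive pairs (node embedding, subgraph summary) and negative pairs from the row-shuffle corruption function, scores them with a bilinear discriminator, and runs gradient descent on the discriminator's parameters under the binary cross-entropy loss. The event format, the 5-dimensional node features, the window length and the embedding width are all assumptions made for the example.

```python
import math
import random
from collections import defaultdict

# Constructed audit events (timestamp, subject, action, object); not real logs.
EVENTS = [
    (0, "bash", "exec", "curl"), (1, "curl", "write", "/tmp/x.sh"),
    (2, "bash", "read", "/etc/passwd"), (3, "bash", "exec", "sshd"),
    (61, "bash", "exec", "python"), (62, "python", "write", "/tmp/out"),
    (63, "python", "read", "/etc/passwd"), (65, "python", "connect", "10.0.0.5:443"),
]
ACTIONS = ["exec", "read", "write", "connect"]
WINDOW = 60   # preset time window in seconds (assumption)
HIDDEN = 4    # embedding width (assumption)

def node_features(node, edges):
    """Hypothetical 5-dim feature: per-action participation counts plus a
    process flag (names without '/' or ':' are treated as processes)."""
    counts = [0.0] * len(ACTIONS)
    for s, act, o in edges:
        if node in (s, o):
            counts[ACTIONS.index(act)] += 1.0
    return counts + [0.0 if ("/" in node or ":" in node) else 1.0]

def build_subgraphs(events, window):
    """Dividing unit: one activity subgraph per time window, returned as
    (node names, symmetric-normalised adjacency with self loops, feature rows)."""
    buckets = defaultdict(list)
    for ts, s, act, o in events:
        buckets[ts // window].append((s, act, o))
    out = []
    for key in sorted(buckets):
        edges = buckets[key]
        nodes = sorted({n for s, _, o in edges for n in (s, o)})
        idx = {n: i for i, n in enumerate(nodes)}
        m = len(nodes)
        adj = [[float(i == j) for j in range(m)] for i in range(m)]  # self loops
        for s, _, o in edges:
            adj[idx[s]][idx[o]] = adj[idx[o]][idx[s]] = 1.0
        deg = [sum(r) for r in adj]
        a_hat = [[adj[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(m)] for i in range(m)]
        out.append((nodes, a_hat, [node_features(n, edges) for n in nodes]))
    return out

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def encode(a_hat, feats, w_enc):
    """Embedding function: one GCN layer H = LeakyReLU(A_hat X W)."""
    return [[v if v > 0 else 0.1 * v for v in row] for row in matmul(matmul(a_hat, feats), w_enc)]

def readout(h):
    """Global feature s = sigmoid(mean of the node embeddings)."""
    return [sigmoid(sum(r[j] for r in h) / len(h)) for j in range(len(h[0]))]

def corrupt(feats, rng):
    """Corruption function: keep the structure, shuffle which node owns which
    feature row; embeddings of this fake graph form the negative pairs."""
    shuffled = feats[:]
    rng.shuffle(shuffled)
    return shuffled

def discriminate(h_i, s, w_d):
    """Bilinear discriminator D(h, s) = sigmoid(h^T W_d s)."""
    return sigmoid(sum(h_i[a] * w_d[a][b] * s[b] for a in range(len(h_i)) for b in range(len(s))))

def bce(pos, neg, eps=1e-9):
    """Loss: positive pairs should score 1, negative pairs 0."""
    return -(sum(math.log(p + eps) for p in pos) +
             sum(math.log(1 - q + eps) for q in neg)) / (len(pos) + len(neg))

def train_discriminator(h, h_neg, s, w_d, steps=200, lr=0.05):
    """Gradient descent on W_d only (the patent also updates the embedding
    function); the step is halved whenever it would increase the loss.
    Returns (loss before, loss after, trained W_d)."""
    n, d = len(h) + len(h_neg), len(h[0])
    pos = [discriminate(x, s, w_d) for x in h]
    neg = [discriminate(x, s, w_d) for x in h_neg]
    first = loss = bce(pos, neg)
    for _ in range(steps):
        grad = [[(sum((p - 1) * x[a] for p, x in zip(pos, h)) +
                  sum(q * x[a] for q, x in zip(neg, h_neg))) * s[b] / n
                 for b in range(len(s))] for a in range(d)]
        cand = [[w_d[a][b] - lr * grad[a][b] for b in range(len(s))] for a in range(d)]
        c_pos, c_neg = [discriminate(x, s, cand) for x in h], [discriminate(x, s, cand) for x in h_neg]
        c_loss = bce(c_pos, c_neg)
        if c_loss < loss:
            w_d, pos, neg, loss = cand, c_pos, c_neg, c_loss
        else:
            lr *= 0.5
    return first, loss, w_d

def run_demo(seed=7):
    """Whole flow over EVENTS; returns (loss before, loss after) per subgraph."""
    rng = random.Random(seed)
    w_enc = [[rng.uniform(-0.3, 0.3) for _ in range(HIDDEN)] for _ in range(len(ACTIONS) + 1)]
    results = []
    for _nodes, a_hat, feats in build_subgraphs(EVENTS, WINDOW):
        w_d = [[rng.uniform(-0.3, 0.3) for _ in range(HIDDEN)] for _ in range(HIDDEN)]
        h, h_neg = encode(a_hat, feats, w_enc), encode(a_hat, corrupt(feats, rng), w_enc)
        before, after, _ = train_discriminator(h, h_neg, readout(h), w_d)
        results.append((before, after))
    return results
```

Calling `run_demo()` returns one (before, after) loss pair per time window; the decrease shows the discriminator learning to separate real (node, summary) pairs from corrupted ones, which is the signal that, in the patented method, is back-propagated into the embedding function as well.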
The detection unit detects abnormal activity subgraphs according to the reconstruction error; specifically, when threat detection is performed it judges whether the reconstruction error of each system activity subgraph is larger than a set reconstruction-error threshold, and judges any system activity subgraph whose reconstruction error exceeds that threshold to be an abnormal activity subgraph.
For the details of each step of the above method embodiment, reference may be made to the functional description of the corresponding functional module; they are not repeated here.
In other embodiments of the present application, an electronic device is disclosed; as shown in fig. 4, the electronic device 400 may include one or more processors 401, a memory 402, a display 403, one or more applications (not shown), and one or more computer programs 404, which may be connected via one or more communication buses 405. The one or more computer programs 404 are stored in the memory and configured to be executed by the one or more processors 401, and comprise instructions for performing the steps shown in the figures and the corresponding embodiments.
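Threshold calibration for the detection unit, together with the training-data contamination point made earlier, as an added example that is not from the patent: the per-subgraph reconstruction errors are constructed (drawn from seeded distributions, 500 "benign" training subgraphs and optionally 15 "malicious" ones mixed in), so only the calibration side of contamination is modelled here, not the effect of contaminated data on the trained encoder. It compares a mean-plus-three-standard-deviations threshold with a median-plus-scaled-MAD threshold and applies the detection unit's strict "larger than the threshold" rule to three constructed test subgraphs.

```python
import random
import statistics

def mean_sigma_threshold(errors, k=3.0):
    """Classic threshold: mean + k * sigma of the training reconstruction errors."""
    return statistics.fmean(errors) + k * statistics.pstdev(errors)

def median_mad_threshold(errors, k=3.0):
    """Robust threshold: median + k * 1.4826 * MAD.  The 1.4826 factor makes
    the MAD comparable to sigma on Gaussian data; a few polluted training
    subgraphs barely move the median or the MAD."""
    med = statistics.median(errors)
    mad = statistics.median(abs(e - med) for e in errors)
    return med + k * 1.4826 * mad

def detect(errors, threshold):
    """Detection unit rule: a subgraph is abnormal when its error is strictly
    larger than the threshold.  Returns the indices of flagged subgraphs."""
    return [i for i, e in enumerate(errors) if e > threshold]

def make_training_errors(n_benign=500, n_malicious=0, seed=1):
    """Constructed reconstruction errors: benign subgraphs reconstruct well
    (around 1.0), malicious ones badly (around 4.0).  Not measured data."""
    rng = random.Random(seed)
    errs = [rng.gauss(1.0, 0.2) for _ in range(n_benign)]
    errs += [rng.gauss(4.0, 0.5) for _ in range(n_malicious)]
    rng.shuffle(errs)
    return errs

def calibrate_and_detect(train_errors, test_errors):
    """Calibrate both thresholds on the training errors and apply them to the
    test errors; returns {name: (threshold, flagged indices)}."""
    calibrators = (("mean+3sigma", mean_sigma_threshold),
                   ("median+3mad", median_mad_threshold))
    return {name: (fn(train_errors), detect(test_errors, fn(train_errors)))
            for name, fn in calibrators}

# Constructed test-time errors: two benign subgraphs and one attack subgraph
# whose error (2.2) is well above benign but below the training outliers.
TEST_ERRORS = [0.9, 1.3, 2.2]

def compare_contamination():
    """Clean versus 3% contaminated training set (15 of 515 subgraphs)."""
    clean = make_training_errors()
    dirty = make_training_errors(n_malicious=15)
    return calibrate_and_detect(clean, TEST_ERRORS), calibrate_and_detect(dirty, TEST_ERRORS)
```

On the clean training set both calibrators flag only the attack subgraph. With 15 malicious subgraphs polluting the training set, the mean-plus-sigma threshold is dragged upwards by the outliers and the attack subgraph is missed, while the median/MAD threshold still flags it; this is the practical reason to calibrate the reconstruction-error threshold with robust statistics when the benign-only assumption on the training data cannot be guaranteed.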
From the foregoing description of the embodiments it will be apparent to those skilled in the art that the division into functional modules above is illustrative only, made for convenience and brevity of description; in practical application the functions may be allocated to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. For the specific working processes of the systems, apparatus and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
The functional units in the embodiments of the present application may be integrated in one processing unit, each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or as software functional units.
If the integrated units are implemented as software functional units and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present application, in essence, the part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes flash memory, a removable hard disk, read-only memory, random access memory, a magnetic or optical disk, and the like.
The foregoing is merely a specific implementation of the embodiments of the present application, but the protection scope of the embodiments of the present application is not limited thereto, and any changes or substitutions within the technical scope disclosed in the embodiments of the present application should be covered by the protection scope of the embodiments of the present application. Therefore, the protection scope of the embodiments of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for detecting a cyber threat, comprising:
constructing a system tracing graph, wherein the system tracing graph comprises m nodes, and m is a positive integer;
learning the characteristic representation of the system tracing graph through a graph convolution neural network to obtain the representation of the nodes to form a system activity subgraph;
dividing n system activity subgraphs according to a preset time window to obtain a target activity subgraph, wherein n is a positive integer;
learning sample representations in the target activity subgraph through local-global mutual information maximization, and optimizing the sample representations to obtain a reasonable representation of the target activity subgraph;
learning a graph vector reconstruction model of the target activity subgraph to obtain a reconstructed graph vector representation;
calculating a reconstruction error from the rational representation of the target activity subgraph and the reconstructed graph vector representation;
and detecting an abnormal activity subgraph according to the reconstruction error to realize threat detection.
2. The method of claim 1, wherein learning the sample representation in the target activity subgraph by local-global mutual information maximization, optimizing the sample representation to obtain a rational representation of the target activity subgraph, comprises:
training an embedding function, and generating positive sample pairs in each target activity subgraph according to the embedding function;
setting a destruction function, and generating a negative sample pair in each target activity subgraph according to the destruction function;
training a discriminant function, and obtaining a probability score of the positive sample pair and a probability score of the negative sample pair according to the discriminant function;
and setting a loss function, and optimizing parameters of the embedding function and the discriminant function according to the loss function to obtain a reasonable representation of the target activity subgraph.
3. The method of claim 2, wherein the positive sample pair is a pairing of hidden features embedded for a single node in each of the target activity subgraphs with global features;
and the negative sample pair is the pairing of the local characteristic and the global characteristic of the node after the change of the destruction function in each target activity subgraph.
4. The method of claim 1, wherein detecting an abnormal activity subgraph from the reconstruction error comprises:
when threat detection is carried out, judging whether the reconstruction error of each system activity subgraph is larger than a set reconstruction error threshold value;
and when the reconstruction error of the system activity subgraph is larger than the reconstruction error threshold value, judging the system activity subgraph as an abnormal activity subgraph.
5. A cyber threat detection apparatus, the apparatus comprising:
a construction unit, configured to construct a system traceability graph, wherein the system traceability graph comprises m nodes and m is a positive integer;
the first learning unit is used for learning the characteristic representation of the system traceability graph through a graph convolution neural network to obtain the representation of the node to form a system activity subgraph;
the dividing unit is used for dividing n system activity subgraphs according to a preset time window to obtain a target activity subgraph, wherein n is a positive integer;
the second learning unit is used for learning the sample representation in the target activity subgraph through local-global mutual information maximization, and optimizing the sample representation to obtain the reasonable representation of the target activity subgraph;
the third learning unit is used for learning a graph vector reconstruction model of the target activity subgraph to obtain a reconstructed graph vector representation;
a computing unit for computing a reconstruction error from the rational representation of the target activity subgraph and the reconstructed graph vector representation;
and the detection unit is used for detecting the abnormal activity subgraph according to the reconstruction error so as to realize threat detection.
6. The apparatus according to claim 5, wherein the second learning unit learns the sample representation in the target activity subgraph by local-global mutual information maximization and optimizes the sample representation to obtain a reasonable representation of the target activity subgraph, and is specifically configured to:
training an embedding function, and generating positive sample pairs in each target activity subgraph according to the embedding function;
setting a destruction function, and generating a negative sample pair in each target activity subgraph according to the destruction function;
training a discriminant function, and obtaining a probability score of the positive sample pair and a probability score of the negative sample pair according to the discriminant function;
and setting a loss function, and optimizing parameters of the embedding function and the discriminant function according to the loss function to obtain a reasonable representation of the target activity subgraph.
7. The apparatus of claim 6, wherein the positive sample pair is a pairing of hidden features embedded with global features for a single node in each of the target activity subgraphs;
and the negative sample pair is the pairing of the local characteristic and the global characteristic of the node after the change of the destruction function in each target activity subgraph.
8. The apparatus according to claim 5, wherein the detection unit detects an abnormal activity subgraph from the reconstruction error, and is specifically configured to:
when threat detection is carried out, judging whether the reconstruction error of each system activity subgraph is larger than a set reconstruction error threshold value;
and when the reconstruction error of the system activity subgraph is larger than the reconstruction error threshold value, judging the system activity subgraph as an abnormal activity subgraph.
9. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor implements the network threat detection method of any of claims 1 to 4.
10. An electronic device, comprising: a processor and a memory;
the memory is used for storing a computer program;
the processor is configured to execute the computer program stored in the memory, so as to cause the electronic device to execute the network threat detection method according to any one of claims 1 to 4.
CN202410022133.2A 2024-01-08 2024-01-08 Network threat detection method, device, medium and electronic equipment Active CN117544421B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410022133.2A CN117544421B (en) 2024-01-08 2024-01-08 Network threat detection method, device, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410022133.2A CN117544421B (en) 2024-01-08 2024-01-08 Network threat detection method, device, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN117544421A true CN117544421A (en) 2024-02-09
CN117544421B CN117544421B (en) 2024-03-26

Family

ID=89796206

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410022133.2A Active CN117544421B (en) 2024-01-08 2024-01-08 Network threat detection method, device, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN117544421B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10685293B1 (en) * 2017-01-20 2020-06-16 Cybraics, Inc. Methods and systems for analyzing cybersecurity threats
CN111294332A (en) * 2020-01-13 2020-06-16 交通银行股份有限公司 Traffic anomaly detection and DNS channel anomaly detection system and method
US20210064751A1 (en) * 2019-08-27 2021-03-04 Nec Laboratories America, Inc. Provenance-based threat detection tools and stealthy malware detection
CN115134160A (en) * 2022-07-11 2022-09-30 中国科学院信息工程研究所 Attack migration-based attack detection method and system
US20220329608A1 (en) * 2021-04-02 2022-10-13 Sift Science, Inc. Systems and methods for intelligently constructing a backbone network graph and identifying and mitigating digital threats based thereon in a machine learning task-oriented digital threat mitigation platform
CN117041972A (en) * 2023-09-11 2023-11-10 浙江大学 Channel-space-time attention self-coding based anomaly detection method for vehicle networking sensor
CN117081798A (en) * 2023-08-11 2023-11-17 广州大学 Real threat alert system, method and computer readable storage medium based on ATT_CK and directed alert graph


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YIXIN LUO et al.: "Anomaly detection for image data based on data distribution and reconstruction", Springer, 29 June 2023 (2023-06-29), pages 22500-22510 *

Also Published As

Publication number Publication date
CN117544421B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
AU2019210493B2 (en) Anomaly detection to identify coordinated group attacks in computer networks
US11522882B2 (en) Detection of adversary lateral movement in multi-domain IIOT environments
CN110958220B (en) Network space security threat detection method and system based on heterogeneous graph embedding
US9256735B2 (en) Detecting emergent behavior in communications networks
Alserhani et al. MARS: multi-stage attack recognition system
CN108616529B (en) Anomaly detection method and system based on service flow
Moothedath et al. A game-theoretic approach for dynamic information flow tracking to detect multistage advanced persistent threats
US20200134175A1 (en) Chain of events representing an issue based on an enriched representation
US11244043B2 (en) Aggregating anomaly scores from anomaly detectors
JP7069399B2 (en) Systems and methods for reporting computer security incidents
CN117454376A (en) Industrial Internet data security detection response and tracing method and device
CN116451215A (en) Correlation analysis method and related equipment
Tao et al. A hybrid alarm association method based on AP clustering and causality
CN117544421B (en) Network threat detection method, device, medium and electronic equipment
CN117319051A (en) Method and device for determining security threat information based on user entity behavior analysis
Rastogi et al. Network anomalies detection using statistical technique: A chi-square approach
CN114900375A (en) Malicious threat detection method based on AI graph analysis
Wang et al. An end-to-end method for advanced persistent threats reconstruction in large-scale networks based on alert and log correlation
Kalutarage Effective monitoring of slow suspicious activites on computer networks.
CN111832030A (en) Data security audit device and method based on domestic password data identification
Xu et al. Development of computer network security management technology based on artificial intelligence under big data
Tao et al. Research Article A Hybrid Alarm Association Method Based on AP Clustering and Causality
Pan et al. AttackMiner: A Graph Neural Network Based Approach for Attack Detection from Audit Logs
Xiao-ling et al. A Hybrid Alarm Association Method Based on AP Clustering and Causality
Zhou et al. Representation-enhanced APT Detection Using Contrastive Learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant