CN113660225A - Network attack event prediction method, system, device and medium based on time sequence point - Google Patents


Info

Publication number
CN113660225A
Authority
CN
China
Prior art keywords
event
attack
time
occurrence time
sequence
Prior art date
Legal status
Pending
Application number
CN202110861448.2A
Other languages
Chinese (zh)
Inventor
任怡彤
田志宏
鲁辉
孙彦斌
Current Assignee
Guangzhou University
Original Assignee
Guangzhou University
Priority date
Filing date
Publication date
Application filed by Guangzhou University
Priority to CN202110861448.2A
Publication of CN113660225A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Biophysics (AREA)
  • Mathematical Physics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Computational Linguistics (AREA)
  • Biomedical Technology (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a network attack event prediction method, system, device and medium based on time sequence points. The method comprises the following steps: acquiring historical attack event data, generating a first event sequence from it, and from that sequence determining the first event features and the event occurrence times; constructing a first event graph from the first event features and processing it with a graph embedding algorithm to obtain a first feature vector; inputting the first feature vector and the event occurrence times into a pre-constructed recurrent neural network for model training of a deep point process, to obtain a trained time sequence point process model; and predicting the occurrence time and event type of the next network attack event with the time sequence point process model. The invention converts the event graph into a feature vector through graph embedding and trains the feature vector together with the event occurrence times using the deep point process, which improves the accuracy of network attack event prediction; the method can be widely applied in the technical field of network security.

Description

Network attack event prediction method, system, device and medium based on time sequence point
Technical Field
The invention relates to the technical field of networks, in particular to a network attack event prediction method, a system, a device and a medium based on time sequence points.
Background
In the field of network security, it is crucial to predict an attacker's next activity accurately. To judge whether an attack will persist and to anticipate an impending attack event, the attacker's behavior usually has to be collected and modeled for later use. When the time dimension is ignored, however, the predicted events often do not reflect reality. The series of historical events of a network attack is therefore modeled such that each event corresponds to an occurrence time and an event type; on the basis of this series, the occurrence time and type of the next network attack event can be predicted effectively.
In the prior art, the most widely used approach is to find network attack events by rule matching, in the manner of system anomaly detection. Machine learning methods for predicting network attack events can be roughly divided into two categories: supervised learning, which trains on labeled normal or abnormal samples and predicts the event type of a new event to decide whether it is a network attack event; and unsupervised learning, which, lacking prior knowledge, clusters unlabeled samples and detects network attack events as outliers. The computer incident response team of Lockheed Martin Corporation proposed the Kill Chain model, which divides the attacker's process into seven attack stages, each with its own available attack techniques. The model combines the techniques of each stage into an ordered attack process in order to analyze and predict the attacker's behavior. The variable-order Markov model, applied to the time sequence problem, expresses it as a discrete time sequence prediction task and predicts the most probable next state from the observed states of the attack sequence.
Obviously, if network attack events are to be predicted more accurately, the model must fit the real situation more closely, and the time factor must then be taken into account, giving network attack event prediction based on time sequence points. It is common practice to find network attack events through system logging, traffic analysis, sample analysis and the like and to model them according to the Kill Chain model. Predicting the type of a network attack event with machine learning, deep learning and similar methods on large-scale data can indeed achieve good results, but the point in time at which a network attack event may occur cannot be predicted accurately.
The time sequence point problem faced by current network attack event prediction therefore has the following aspects. First, when modeling historical network attack events to form prior knowledge, the time factor is used only to order the data in the data set: the collated data forms a time-ordered sequence of events, but the time dimension is not taken into account when the model is used for detection or analysis. Second, some deep learning methods such as LSTM do include time in the model and order the events when performing detection and analysis, but these times are all unit time steps. There are also conventional time sequence point methods such as the Poisson process and the Hawkes process; their prediction procedures impose fixed assumptions on the intensity function, in which the effect of time enters linearly. In the real world, the influence of historical events on the intensity function is not necessarily a linear accumulation, nor constant in duration. On the other hand, because attack types are complex and diverse and attacker evasion techniques are increasingly advanced, the collected data is not necessarily comprehensive. Conventional time point processes handle missing data poorly, and sometimes only a part of the events can be observed.
Disclosure of Invention
The present invention aims to solve at least to some extent one of the technical problems existing in the prior art.
Therefore, an object of an embodiment of the present invention is to provide a network attack event prediction method based on time sequence points, in which an event graph representing the event features is converted into feature vectors through graph embedding, the feature vectors and event occurrence times are then trained with a deep point process technique, and a recurrent neural network simulates the intensity function of the point process so that the influence of time factors on that intensity function is fully considered, thereby improving the accuracy of network attack event prediction.
Another objective of the embodiments of the present invention is to provide a network attack event prediction system based on a time sequence point.
In order to achieve the technical purpose, the technical scheme adopted by the embodiment of the invention comprises the following steps:
in a first aspect, an embodiment of the present invention provides a method for predicting a network attack event based on a time sequence point, including the following steps:
acquiring historical attack event data, generating a first event sequence according to the historical attack event data, and determining first event characteristics and event occurrence time according to the first event sequence;
constructing a first event map according to the first event characteristics, and further processing the first event map through a graph embedding algorithm to obtain a first characteristic vector;
inputting the first characteristic vector and the event occurrence time into a pre-constructed recurrent neural network for model training of a depth point process to obtain a trained time sequence point process model;
and predicting the occurrence time and the event type of the next network attack event according to the time sequence point process model.
Further, in an embodiment of the present invention, the step of acquiring historical attack event data, generating a first event sequence according to the historical attack event data, and determining a first event characteristic and an event occurrence time according to the first event sequence specifically includes:
obtaining historical attack event data, and screening and converting the historical attack event data to obtain a first event sequence;
extracting event characteristics of a plurality of target events from the first event sequence as first event characteristics, and determining the event occurrence time according to the occurrence time of each target event.
Further, in an embodiment of the present invention, the step of constructing the first event map according to the first event feature specifically includes:
determining a plurality of event nodes according to the first event characteristics, and determining the parent event node and child event node of each event node according to the subordinate relationship among the target events;
and constructing a first event map according to the event nodes.
Further, in an embodiment of the present invention, the step of processing the first event map by using a graph embedding algorithm to obtain a first feature vector specifically includes:
determining a node set, an edge set and a subgraph set according to the first event graph, wherein the node set is composed of the event nodes, the edge set is composed of a plurality of directed edges, the directed edges are used for representing the dependency relationship between two event nodes, the subgraph set is composed of a plurality of subgraphs, and each subgraph comprises a central event node and event nodes adjacent to the central event node;
and according to the node set, the edge set and the sub-graph set, graph embedding is carried out through a graph2vec algorithm to obtain a vector representation matrix, and then a first feature vector is determined according to the vector representation matrix.
Further, in an embodiment of the present invention, the step of inputting the first feature vector and the event occurrence time into a pre-constructed recurrent neural network for model training of a deep point process specifically includes:
inputting the first feature vector and the event occurrence time into the recurrent neural network to obtain a network attack event identification result;
determining a loss value of training according to the network attack event recognition result and the event type of the first event sequence;
and updating the parameters of the recurrent neural network according to the loss value.
Further, in an embodiment of the present invention, the network attack event prediction method further includes the following steps:
and adding the predicted occurrence time and event type of the next network attack event into an attack behavior library.
Further, in an embodiment of the present invention, the network attack event prediction method further includes the following steps:
and determining the behavior portrait of the attacker according to the attack behavior library.
In a second aspect, an embodiment of the present invention provides a system for predicting a network attack event based on a time sequence point, including:
a first event characteristic and event occurrence time determining module, used for acquiring historical attack event data, generating a first event sequence according to the historical attack event data, and further determining the first event characteristic and the event occurrence time according to the first event sequence;
the first feature vector determining module is used for constructing a first event map according to the first event features, and further processing the first event map through a graph embedding algorithm to obtain a first feature vector;
the model training module is used for inputting the first characteristic vector and the event occurrence time into a pre-constructed recurrent neural network to carry out model training of a depth point process so as to obtain a trained time sequence point process model;
and the prediction module is used for predicting the occurrence time and the event type of the next network attack event according to the time sequence point process model.
In a third aspect, an embodiment of the present invention provides a network attack event prediction apparatus based on a time sequence point, including:
at least one processor;
at least one memory for storing at least one program;
when executed by the at least one processor, the at least one program causes the at least one processor to implement a method for predicting a time-series point-based network attack event as described above.
In a fourth aspect, the present invention further provides a computer-readable storage medium, in which a processor-executable program is stored, and when the processor-executable program is executed by a processor, the processor-executable program is configured to perform the above-mentioned network attack event prediction method based on a time-series point.
Advantages and benefits of the present invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention:
the method comprises the steps of obtaining historical attack event data, generating a first event sequence according to the historical attack event data, further determining first event characteristics and event occurrence times, then constructing a first event graph according to the first event characteristics, obtaining a first feature vector with a graph embedding algorithm, inputting the first feature vector and the event occurrence times into a recurrent neural network to conduct model training of a deep point process, obtaining a time sequence point process model, and predicting the occurrence time and event type of the next network attack event according to that model. According to the embodiment of the invention, the event graph representing the event characteristics is converted into a feature vector through graph embedding, the feature vector and the event occurrence times are then trained with a deep point process technique, the intensity function of the point process is simulated by a recurrent neural network, the influence of time factors on that intensity function is fully considered, and the accuracy of network attack event prediction is improved.
Drawings
In order to more clearly illustrate the technical solution in the embodiment of the present invention, the following description is made on the drawings required to be used in the embodiment of the present invention, and it should be understood that the drawings in the following description are only for convenience and clarity of describing some embodiments in the technical solution of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart illustrating steps of a method for predicting a network attack event based on a time sequence point according to an embodiment of the present invention;
fig. 2 is a block diagram of a network attack event prediction system based on a time sequence point according to an embodiment of the present invention;
fig. 3 is a block diagram of a network attack event prediction apparatus based on a time sequence point according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention. The step numbers in the following embodiments are provided only for convenience of illustration, the order between the steps is not limited at all, and the execution order of each step in the embodiments can be adapted according to the understanding of those skilled in the art.
In the description of the present invention, the meaning of a plurality is two or more, if there is a description to the first and the second for the purpose of distinguishing technical features, it is not understood as indicating or implying relative importance or implicitly indicating the number of indicated technical features or implicitly indicating the precedence of the indicated technical features. Furthermore, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art.
Referring to fig. 1, an embodiment of the present invention provides a method for predicting a network attack event based on a time sequence point, which specifically includes the following steps:
s101, historical attack event data are obtained, a first event sequence is generated according to the historical attack event data, and then first event characteristics and event occurrence time are determined according to the first event sequence.
Specifically, information such as system logs and traffic is collected and historical attack event data is extracted from it. The data is raw when acquired and must be converted; according to the form it takes, it is converted into a first event sequence. Step S101 specifically includes the following steps:
s1011, acquiring historical attack event data, and screening and data converting the historical attack event data to obtain a first event sequence;
s1012, extracting event features of a plurality of target events from the first event sequence as first event features, and determining event occurrence times according to the occurrence times of the target events.
In the embodiment of the present invention, the influence of the time factor on the intensity function of the time sequence point process needs to be considered, so that the first event sequence needs to be converted into the form of the event occurrence time and the event characteristics.
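The conversion described in step S101, as an added example that is not part of the patent's description: constructed log lines (hosts, addresses, event names and the allow-list of attack event types are all invented for illustration) are parsed, screened, de-duplicated and time-ordered into a first event sequence, and the per-event features and occurrence times (absolute, and the gap since the previous event, which is what a point process conditions on) are extracted from it.

```python
"""Added example (not code from the patent): raw log lines -> first event
sequence (S1011) -> event features and occurrence times (S1012)."""
import re
from datetime import datetime, timezone

# Constructed sample log lines; hosts, addresses and event names are invented.
RAW_LOGS = [
    "2021-07-01T08:00:00Z ids host=web01 src=198.51.100.7 event=port_scan",
    "2021-07-01T08:00:00Z ids host=web01 src=198.51.100.7 event=port_scan",   # exact duplicate
    "2021-07-01T08:05:30Z auth host=web01 src=198.51.100.7 event=login_failed",
    "2021-07-01T08:05:31Z cron host=web01 event=logrotate",                     # benign, screened out
    "2021-07-01T08:07:00Z auth host=web01 src=198.51.100.7 event=login_failed",
    "2021-07-01T08:30:00Z ids host=db01 src=198.51.100.7 event=exploit_attempt",
    "garbage line that does not parse",
]

# Constructed allow-list: only these event names count as attack events.
ATTACK_TYPES = {"port_scan", "login_failed", "exploit_attempt", "priv_escalation"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Convert one raw line into a dict of fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields["ts"] = ts
    fields["source"] = m.group("source")
    return fields

def build_event_sequence(lines):
    """S1011: screening and conversion. Keep attack events only, drop exact
    duplicates, and order by time so the result is a time-ordered event sequence."""
    seen = set()
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("event") not in ATTACK_TYPES:
            continue
        key = (rec["ts"], rec.get("host"), rec.get("src"), rec["event"])
        if key in seen:
            continue
        seen.add(key)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events

def extract_features_and_times(events):
    """S1012: per-event features and the occurrence-time sequence. Times are
    seconds since the first event; 'delta' is the gap since the previous event."""
    if not events:
        return [], []
    t0 = events[0]["ts"]
    features, times = [], []
    prev = 0.0
    for rec in events:
        t = (rec["ts"] - t0).total_seconds()
        features.append({"type": rec["event"], "host": rec.get("host"),
                         "src": rec.get("src"), "source": rec["source"]})
        times.append({"t": t, "delta": t - prev})
        prev = t
    return features, times

if __name__ == "__main__":
    seq = build_event_sequence(RAW_LOGS)
    feats, times = extract_features_and_times(seq)
    for f, tm in zip(feats, times):
        print(f"{tm['t']:8.0f}s  +{tm['delta']:6.0f}s  {f['type']:16s} {f['host']} {f['src']}")
```

The screening step is where the "first event sequence" gets its quality: a benign cron entry and an unparsable line are dropped, and an exact duplicate (which would otherwise appear as a second event with a zero inter-event gap and distort the intensity function later) is removed before times are derived.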
S102, constructing a first event map according to the first event characteristics, and further processing the first event map through a map embedding algorithm to obtain a first characteristic vector.
Specifically, the first event graph is a relationship graph constructed from the first event features. It comprises a plurality of event nodes and directed edges between adjacent event nodes; the event nodes represent the event features of each target event, and the directed edges represent the dependency relationships between the target events that adjacent nodes represent. Because the dimensionality of the event features is complex, the event graph is constructed from the first event features and the graph embedding method then embeds the event features into a word-vector-like form, namely the first feature vector, which facilitates the subsequent model training.
As a further optional implementation manner, the step of constructing the first event map according to the first event characteristics specifically includes:
A1, determining a plurality of event nodes according to the first event characteristics, and determining the parent event node and child event node of each event node according to the subordinate relationship among the target events;
and A2, constructing a first event map according to the event nodes.
As a further optional implementation manner, the step of processing the first event map by using a map embedding algorithm to obtain the first feature vector specifically includes:
b1, determining a node set, an edge set and a subgraph set according to the first event graph, wherein the node set is composed of event nodes, the edge set is composed of a plurality of directed edges, the directed edges are used for representing the dependency relationship between two event nodes, the subgraph set is composed of a plurality of subgraphs, and each subgraph comprises a central event node and an event node adjacent to the central event node;
b2, according to the node set, the edge set and the sub-graph set, graph embedding is carried out through a graph2vec algorithm to obtain a vector representation matrix, and then a first feature vector is determined according to the vector representation matrix.
Specifically, Graph Embedding (also called Network Embedding) is a process that maps graph data (usually a high-dimensional dense matrix) into a low-dimensional dense vector, and it largely solves the problem that graph data is difficult to feed efficiently into a machine learning algorithm. In the embodiment of the invention, the graph2vec algorithm represents the whole event graph with a single vector, so that prediction can be made at the graph level.
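The event graph of step S102 and its conversion to a single vector, as an added example that is not the patent's code. The event nodes, their dependencies, the derived parent/child relations, edge set and subgraph set are constructed here for illustration, and the embedding is a stand-in rather than graph2vec itself: it uses the building block graph2vec relies on (Weisfeiler-Lehman relabelling, which gives each node a label summarising the rooted subgraph around it) but replaces the learned doc2vec step with a hashed bag-of-labels, so the whole graph becomes one fixed-length vector without any training.

```python
"""Added example (not the patent's code): first event graph (A1/A2, B1) and a
hashed Weisfeiler-Lehman stand-in for the graph2vec embedding of step B2."""
import hashlib
from collections import defaultdict

# Constructed event nodes (node_id, event_type) and subordination relations
# (parent -> child): each later event follows from an earlier one.
EVENT_NODES = [
    (0, "port_scan"),
    (1, "login_failed"),
    (2, "login_failed"),
    (3, "exploit_attempt"),
    (4, "priv_escalation"),
]
DEPENDENCIES = [(0, 1), (1, 2), (0, 3), (3, 4)]

class EventGraph:
    def __init__(self, nodes, dependencies):
        self.labels = dict(nodes)            # node set, each node carrying its event type
        self.edges = set()                   # directed edge set (dependency between two nodes)
        self.children = defaultdict(list)
        self.parents = defaultdict(list)
        for p, c in dependencies:            # A1: parent/child nodes from subordination
            if p not in self.labels or c not in self.labels:
                raise ValueError(f"edge {(p, c)} references an unknown event node")
            self.edges.add((p, c))
            self.children[p].append(c)
            self.parents[c].append(p)

    def subgraphs(self):
        """B1: one subgraph per centre node = the centre plus its adjacent
        (parent and child) event nodes, keyed by the centre node."""
        return {n: sorted(set(self.parents[n]) | set(self.children[n])) for n in self.labels}

    def wl_labels(self, depth):
        """Weisfeiler-Lehman relabelling. The label at depth d describes the
        rooted subgraph of radius d around the node; graph2vec treats these
        labels as the 'words' of the graph's document."""
        cur = dict(self.labels)
        layers = [cur]
        nbrs = self.subgraphs()
        for _ in range(depth):
            nxt = {}
            for n in self.labels:
                neigh = sorted(cur[m] for m in nbrs[n])
                nxt[n] = cur[n] + "(" + ",".join(neigh) + ")"
            layers.append(nxt)
            cur = nxt
        return layers

def embed_graph(graph, depth=2, dim=16):
    """Stand-in for graph2vec: hash every WL label from every depth into one of
    `dim` buckets, count, and L1-normalise. The result is a single vector for the
    whole graph (the 'first feature vector' of the later steps)."""
    vec = [0.0] * dim
    for layer in graph.wl_labels(depth):
        for label in layer.values():
            bucket = int(hashlib.sha256(label.encode()).hexdigest(), 16) % dim
            vec[bucket] += 1.0
    total = sum(vec)
    return [v / total for v in vec] if total else vec

if __name__ == "__main__":
    g = EventGraph(EVENT_NODES, DEPENDENCIES)
    print("edges:", sorted(g.edges))
    print("subgraphs:", g.subgraphs())
    print("first feature vector:", [round(v, 3) for v in embed_graph(g)])
```

The two `login_failed` nodes get identical labels at depth 0 but different labels at depth 1, because one of them has a child and the other does not; that is the point of the subgraph set: the vector encodes where an event sits in the attack chain, not just which events occurred.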
S103, inputting the first feature vector and the event occurrence time into a pre-constructed recurrent neural network to perform model training of a depth point process, and obtaining a trained time sequence point process model.
In particular, embodiments of the present invention employ a Recurrent Neural Network (RNN) to model the intensity function of the deep point process. The deep point process obtains the optimal parameters through iterative optimization as the RNN model keeps learning. From the hidden units of the RNN model a unified representation of the historical attack events can be learned, and the conditional intensity function can capture information from the historical events and their event marks. Furthermore, since the prediction of the event type also depends non-linearly on the time information of the historical attack events, correlating the two kinds of information with each other can also improve the prediction performance of the model.
As a further optional implementation, the first feature vector and the event occurrence time are input into a pre-constructed recurrent neural network for model training of the deep point process, which specifically includes:
c1, inputting the first feature vector and the event occurrence time into a recurrent neural network to obtain a network attack event identification result;
c2, determining a loss value of training according to the network attack event recognition result and the event type of the first event sequence;
and C3, updating the parameters of the recurrent neural network according to the loss value.
Specifically, for the recurrent neural network, the accuracy of the network attack event recognition result can be measured by a loss function (Loss Function). A loss function is defined on a single training sample and measures the prediction error on that sample; the loss value is determined from the label of the single training sample and the model's prediction on it. In actual training a data set contains many training samples, so a cost function (Cost Function) is generally used to measure the overall error of the training set: it is defined over the whole training set and computes the average prediction error of all training samples, which measures the model's prediction quality better. For a general machine learning model, the cost function plus a regularization term that measures model complexity can serve as the training objective function, and from this objective the loss value of the whole training set is obtained. Many loss functions are in common use, such as the 0-1 loss, square loss, absolute loss, logarithmic loss and cross-entropy loss; any of them can serve as the loss function of a machine learning model and they are not described one by one here. In the embodiment of the invention one of these loss functions is selected to determine the training loss value. The model parameters are then updated by the back-propagation algorithm based on the training loss value, and after several rounds of iteration the trained time sequence point process model is obtained. The number of iteration rounds may be preset, or training may be considered complete when the test set meets the accuracy requirement.
And S104, predicting the occurrence time and the event type of the next network attack event according to the time sequence point process model.
Specifically, the next network attack event can be predicted with the trained time sequence point process model. Because of the randomness involved, future events can be generated by simulation in order to improve the prediction accuracy of the model. Common simulation methods include the Shedler-Lewis thinning algorithm and Ogata's modified thinning algorithm.
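The point process side of steps S103 and S104, including the training loss discussed above, as an added example that is not the patent's code. The patent's intensity function is produced by an RNN; here a multivariate Hawkes process with exponential decay (the conventional baseline the background section mentions) stands in for it so that the mechanics are visible: the negative log-likelihood of an observed history is the loss such a model is trained to minimise, and Ogata's modified thinning algorithm draws the next event's time and type from the intensity. The parameters and the observed history are constructed; the event types are illustrative labels.

```python
"""Added example, not the patent's code: conditional intensity, training loss
and next-event simulation of a multivariate temporal point process. A Hawkes
process with exponential kernel stands in for the RNN-simulated intensity."""
import math
import random

# Constructed parameters for K = 2 event types (say 0 = scan, 1 = exploit attempt).
PARAMS = {
    "mu": [0.10, 0.05],             # background rate of each type
    "alpha": [[0.30, 0.20],         # alpha[i][k]: excitation of type k by an event of type i
              [0.00, 0.40]],
    "beta": 1.0,                    # decay rate of the excitation kernel
}
# Constructed observed history: (time in hours since start, event type).
HISTORY = [(0.0, 0), (1.0, 1), (1.5, 1)]

def intensity(history, t, p):
    """Conditional intensity lambda_k(t+) for every type k: background rate plus
    the decayed excitation of every event at or before t. Counting an event that
    happens exactly at t means the value right after an event includes its jump,
    which is what the thinning sampler needs as an upper bound."""
    mu, alpha, beta = p["mu"], p["alpha"], p["beta"]
    lam = list(mu)
    for ti, ki in history:
        if ti <= t:
            decay = math.exp(-beta * (t - ti))
            for k in range(len(mu)):
                lam[k] += alpha[ki][k] * decay
    return lam

def nll(history, horizon, p):
    """Negative log-likelihood of the observed history on [0, horizon], i.e. the
    loss a point process model is trained to minimise:
        -sum_i log lambda_{k_i}(t_i)  +  sum_k integral_0^horizon lambda_k(t) dt
    Each log term uses only the events strictly before t_i; the integral has a
    closed form for the exponential kernel."""
    mu, alpha, beta = p["mu"], p["alpha"], p["beta"]
    if any(ti > horizon for ti, _ in history):
        raise ValueError("horizon must cover every observed event")
    log_term = 0.0
    for i, (ti, ki) in enumerate(history):
        log_term += math.log(intensity(history[:i], ti, p)[ki])
    integral = sum(mu) * horizon
    for ti, ki in history:
        tail = (1.0 - math.exp(-beta * (horizon - ti))) / beta
        integral += sum(alpha[ki]) * tail
    return -log_term + integral

def next_event(history, t_now, p, rng):
    """Ogata's modified thinning: propose candidate times from a homogeneous
    Poisson process of rate lambda_bar and accept each with probability
    lambda(s) / lambda_bar. Between events the total intensity only decays, so
    the intensity at the current point bounds it until the next candidate."""
    s = t_now
    while True:
        lam_bar = sum(intensity(history, s, p))
        s += rng.expovariate(lam_bar)
        lam_s = intensity(history, s, p)
        total = sum(lam_s)
        if rng.random() * lam_bar <= total:
            # Accepted: the event type is drawn in proportion to its intensity share.
            u = rng.random() * total
            acc = 0.0
            for k, lam_k in enumerate(lam_s):
                acc += lam_k
                if u <= acc:
                    return s, k
            return s, len(lam_s) - 1    # guard against floating-point round-off

def predict_next(history, t_now, p, seed=0, runs=200):
    """Average over simulated continuations: expected time of the next event and
    the most frequently drawn type, i.e. the (time, type) prediction of S104."""
    rng = random.Random(seed)
    times, counts = [], [0] * len(p["mu"])
    for _ in range(runs):
        t, k = next_event(history, t_now, p, rng)
        times.append(t)
        counts[k] += 1
    return sum(times) / runs, counts.index(max(counts))

if __name__ == "__main__":
    print("intensity at t=2.0:", intensity(HISTORY, 2.0, PARAMS))
    print("training loss (NLL) on [0, 2]:", round(nll(HISTORY, 2.0, PARAMS), 4))
    t_hat, k_hat = predict_next(HISTORY, 1.5, PARAMS)
    print(f"predicted next event: type {k_hat} at about t={t_hat:.2f}")
```

In the patent the `intensity` function would be the RNN's output given the hidden state and the embedded event features, and `nll` (or a loss chosen as described above) would drive back-propagation; the thinning sampler is unchanged in that setting because it only needs to evaluate the intensity, not know its form. Note that the NLL of the observed history is lower under the constructed parameters than under a model with almost no background rate and no excitation, which is the sense in which the loss rewards an intensity that explains the events that actually occurred.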
As a further optional implementation manner, the network attack event prediction method further includes the following steps:
and S105, adding the predicted occurrence time and the predicted event type of the next network attack event into an attack behavior library.
As a further optional implementation manner, the network attack event prediction method further includes the following steps:
and S106, determining the behavior portrait of the attacker according to the attack behavior library.
Specifically, as attacker evasion techniques become more advanced, the collected attack event data is not necessarily comprehensive. For the case of missing data, the embodiment of the invention can complete the attack chain of the historical attack events by efficiently predicting the occurrence time and event type of the next network attack event and adding them to the attack behavior library, so that a richer attack behavior library is constructed and the attacker's behavior portrait is depicted more completely and clearly.
The method steps of the embodiments of the present invention are described above. It can be understood that the embodiment of the invention converts the event graph representing the event features into a feature vector through graph embedding, then trains the feature vector and the event occurrence times with a deep point process technique, and fully considers the influence of time factors on the intensity function of the point process by having the recurrent neural network simulate that intensity function, thereby improving the accuracy of network attack event prediction. In addition, to improve the handling of missing information, the attack chain can be completed through this efficient time-sequence-point-based prediction method so as to reconstruct the attacker's TTPs (Tactics, Techniques and Procedures). The embodiment of the invention combines the traditional time sequence point process with deep learning, improves accuracy, is efficient and readily extensible, and, once the model is implemented, lowers the day-to-day operations burden on operation and maintenance personnel.
Referring to fig. 2, an embodiment of the present invention provides a network attack event prediction system based on a time sequence point, including:
the first event characteristic and event occurrence time determining module is used for acquiring historical attack event data, generating a first event sequence according to the historical attack event data and further determining the first event characteristic and event occurrence time according to the first event sequence;
the first feature vector determining module is used for constructing a first event map according to the first event features, and further processing the first event map through a graph embedding algorithm to obtain a first feature vector;
the model training module is used for inputting the first characteristic vector and the event occurrence time into a pre-constructed recurrent neural network to carry out model training of a deep point process so as to obtain a trained time sequence point process model;
and the prediction module is used for predicting the occurrence time and the event type of the next network attack event according to the time sequence point process model.
The contents in the above method embodiments are all applicable to the present system embodiment, the functions specifically implemented by the present system embodiment are the same as those in the above method embodiment, and the beneficial effects achieved by the present system embodiment are also the same as those achieved by the above method embodiment.
Referring to fig. 3, an embodiment of the present invention provides a network attack event prediction apparatus based on a time sequence point, including:
at least one processor;
at least one memory for storing at least one program;
when the at least one program is executed by the at least one processor, the at least one program causes the at least one processor to implement the method for predicting a network attack event based on a time-series point.
The contents in the above method embodiments are all applicable to the present apparatus embodiment, the functions specifically implemented by the present apparatus embodiment are the same as those in the above method embodiments, and the advantageous effects achieved by the present apparatus embodiment are also the same as those achieved by the above method embodiments.
An embodiment of the present invention further provides a computer-readable storage medium, in which a processor-executable program is stored, and when the processor-executable program is executed by a processor, the processor-executable program is configured to perform the above-mentioned network attack event prediction method based on a time sequence point.
The computer-readable storage medium of the embodiment of the invention can execute the network attack event prediction method based on the time sequence point provided by the method embodiment of the invention, can execute any combination of the implementation steps of the method embodiments, and has the corresponding functions and beneficial effects of the method.
The embodiment of the invention also discloses a computer program product or a computer program, which comprises computer instructions, and the computer instructions are stored in a computer readable storage medium. The computer instructions may be read by a processor of a computer device from a computer-readable storage medium, and executed by the processor to cause the computer device to perform the method illustrated in fig. 1.
In alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flow charts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed and in which sub-operations described as part of larger operations are performed independently.
Furthermore, although the present invention is described in the context of functional modules, it should be understood that, unless otherwise stated to the contrary, one or more of the above-described functions and/or features may be integrated in a single physical device and/or software module, or one or more of the functions and/or features may be implemented in a separate physical device or software module. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary for an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be understood within the ordinary skill of an engineer, given the nature, function, and internal relationship of the modules. Accordingly, those skilled in the art can, using ordinary skill, practice the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative of and not intended to limit the scope of the invention, which is defined by the appended claims and their full scope of equivalents.
The above functions, if implemented in the form of software functional units and sold or used as a separate product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the above method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Further, the computer readable medium could even be paper or another suitable medium upon which the above described program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the foregoing description of the specification, reference to the description of "one embodiment/example," "another embodiment/example," or "certain embodiments/examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A network attack event prediction method based on a time sequence point is characterized by comprising the following steps:
acquiring historical attack event data, generating a first event sequence according to the historical attack event data, and determining first event characteristics and event occurrence time according to the first event sequence;
constructing a first event map according to the first event characteristics, and further processing the first event map through a graph embedding algorithm to obtain a first characteristic vector;
inputting the first characteristic vector and the event occurrence time into a pre-constructed recurrent neural network for model training of a deep point process to obtain a trained time sequence point process model;
and predicting the occurrence time and the event type of the next network attack event according to the time sequence point process model.
2. The method according to claim 1, wherein the step of obtaining historical attack event data, generating a first event sequence according to the historical attack event data, and determining a first event characteristic and an event occurrence time according to the first event sequence specifically includes:
acquiring historical attack event data, and screening and converting the historical attack event data to obtain a first event sequence;
extracting event characteristics of a plurality of target events from the first event sequence as first event characteristics, and determining the event occurrence time according to the occurrence time of each target event.
3. The method for predicting network attack events based on time series points according to claim 2, wherein the step of constructing a first event map according to the first event characteristics specifically comprises:
determining a plurality of event nodes according to the first event characteristics, and determining a parent event node and a child event node of each event node according to the subordinate relationship among the target events;
and constructing a first event map according to the event nodes.
4. The method according to claim 3, wherein the step of processing the first event map by using a graph embedding algorithm to obtain a first feature vector specifically comprises:
determining a node set, an edge set and a subgraph set according to the first event map, wherein the node set is composed of the event nodes, the edge set is composed of a plurality of directed edges, the directed edges are used for representing the dependency relationship between two event nodes, the subgraph set is composed of a plurality of subgraphs, and each subgraph comprises a central event node and the event nodes adjacent to the central event node;
and according to the node set, the edge set and the sub-graph set, graph embedding is carried out through a graph2vec algorithm to obtain a vector representation matrix, and then a first feature vector is determined according to the vector representation matrix.
5. The method for predicting network attack events based on time sequence points according to claim 1, wherein the step of inputting the first feature vector and the event occurrence time into a pre-constructed recurrent neural network for model training of a deep point process specifically comprises:
inputting the first feature vector and the event occurrence time into the recurrent neural network to obtain a network attack event identification result;
determining a loss value of training according to the network attack event recognition result and the event type of the first event sequence; and updating the parameters of the recurrent neural network according to the loss value.
6. The method for predicting network attack events based on time sequence points according to any one of claims 1 to 5, wherein the method for predicting network attack events further comprises the following steps:
and adding the predicted occurrence time and event type of the next network attack event into an attack behavior library.
7. The method for predicting network attack events based on time sequence points according to claim 6, wherein the method for predicting network attack events further comprises the following steps:
and determining the behavior portrait of the attacker according to the attack behavior library.
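As an added worked example for claims 3 and 4 (illustration code, not code from the patent): the event nodes, parent/child edges and rooted subgraphs of a small attack chain are built, then Weisfeiler-Lehman relabelling turns each rooted subgraph (a central node with its neighbourhood) into a label. Those labels are what graph2vec feeds, as "words", into its doc2vec stage; this example stops at the resulting bag-of-subgraphs count vector and compares two chains by cosine similarity instead of training doc2vec, so the vector is the graph2vec input representation rather than its learned embedding. The two chains, the event names and the parent/child relations are constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Added illustration, not code from the patent. The constructed chains below
# stand in for "first event features": each event node carries its type as a
# label and each directed edge runs from parent (prerequisite) event to child
# event, as in claim 3. Event names and relations are assumptions.
CHAIN_A = {
    "nodes": {"e1": "scan", "e2": "brute_force", "e3": "exploit", "e4": "lateral_move"},
    "edges": [("e1", "e2"), ("e2", "e3"), ("e3", "e4")],
}
CHAIN_B = {
    "nodes": {"x1": "scan", "x2": "exploit", "x3": "lateral_move", "x4": "exfil"},
    "edges": [("x1", "x2"), ("x2", "x3"), ("x3", "x4")],
}

def event_map(graph):
    """Build the node set, directed edge set and subgraph set of claim 4.
    Each subgraph is a central event node plus the nodes adjacent to it."""
    nodes, edges = dict(graph["nodes"]), list(graph["edges"])
    parents, children = defaultdict(set), defaultdict(set)
    for parent, child in edges:
        if parent not in nodes or child not in nodes:
            raise ValueError("edge %r -> %r references an unknown event node" % (parent, child))
        if parent == child:
            raise ValueError("an event cannot be its own parent")
        children[parent].add(child)
        parents[child].add(parent)
    subgraphs = {n: frozenset({n} | parents[n] | children[n]) for n in nodes}
    return nodes, set(edges), subgraphs, parents, children

def rooted_subgraph_words(graph, depth=2):
    """Weisfeiler-Lehman relabelling. After d rounds a node's label identifies
    its rooted subgraph of radius d (parents and children are kept apart, so
    the dependency direction survives). graph2vec treats these labels as the
    'words' of the graph 'document'; here they are simply counted."""
    nodes, _, _, parents, children = event_map(graph)
    labels = dict(nodes)                     # round 0: the event type itself
    words = Counter(labels.values())
    for _ in range(depth):
        new = {}
        for n in nodes:
            raw = "%s<%s>{%s}" % (labels[n],
                                   ",".join(sorted(labels[m] for m in parents[n])),
                                   ",".join(sorted(labels[m] for m in children[n])))
            new[n] = hashlib.sha256(raw.encode()).hexdigest()[:12]
        labels = new
        words.update(labels.values())
    return words

def cosine(a, b):
    """Similarity of two bag-of-subgraph vectors; 1.0 means the same multiset of rooted subgraphs."""
    num = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = lambda v: math.sqrt(sum(x * x for x in v.values()))
    return num / (norm(a) * norm(b))

if __name__ == "__main__":
    va, vb = rooted_subgraph_words(CHAIN_A), rooted_subgraph_words(CHAIN_B)
    print("chain A words:", len(va), "chain B words:", len(vb))
    print("shared rooted subgraphs:", sorted(va.keys() & vb.keys()))
    print("cosine(A, B) = %.3f" % cosine(va, vb))
```

Renaming the event nodes leaves the vector unchanged, because only event types and dependency structure reach the labels; the two chains above share three event types but no depth-1 or depth-2 context (e.g. "exploit" preceded by "brute_force" versus by "scan"), so they score well below 1, which is the distinction an attack-chain embedding has to preserve.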
8. A network attack event prediction system based on time sequence points is characterized by comprising:
a first event characteristic and event occurrence time determining module, used for acquiring historical attack event data, generating a first event sequence according to the historical attack event data, and further determining the first event characteristic and the event occurrence time according to the first event sequence;
the first feature vector determining module is used for constructing a first event map according to the first event features, and further processing the first event map through a graph embedding algorithm to obtain a first feature vector;
the model training module is used for inputting the first characteristic vector and the event occurrence time into a pre-constructed recurrent neural network to carry out model training of a deep point process so as to obtain a trained time sequence point process model;
and the prediction module is used for predicting the occurrence time and the event type of the next network attack event according to the time sequence point process model.
9. A network attack event prediction device based on a time sequence point is characterized by comprising:
at least one processor;
at least one memory for storing at least one program;
when the at least one program is executed by the at least one processor, the at least one processor implements the network attack event prediction method based on a time sequence point according to any one of claims 1 to 7.
10. A computer-readable storage medium in which a processor-executable program is stored, wherein the processor-executable program, when executed by a processor, is configured to perform the network attack event prediction method based on a time sequence point according to any one of claims 1 to 7.
CN202110861448.2A 2021-07-29 2021-07-29 Network attack event prediction method, system, device and medium based on time sequence point Pending CN113660225A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110861448.2A CN113660225A (en) 2021-07-29 2021-07-29 Network attack event prediction method, system, device and medium based on time sequence point

Publications (1)

Publication Number Publication Date
CN113660225A true CN113660225A (en) 2021-11-16

Family

ID=78478920

Country Status (1)

Country Link
CN (1) CN113660225A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108809959A (en) * 2018-05-23 2018-11-13 郑州信大天瑞信息技术有限公司 A kind of attack portrait method
US20190182274A1 (en) * 2017-12-11 2019-06-13 Radware, Ltd. Techniques for predicting subsequent attacks in attack campaigns
CN111400456A (en) * 2020-03-20 2020-07-10 北京百度网讯科技有限公司 Information recommendation method and device
CN112328801A (en) * 2020-09-28 2021-02-05 西南电子技术研究所(中国电子科技集团公司第十研究所) Method for predicting group events by event knowledge graph
CN112351031A (en) * 2020-11-05 2021-02-09 中国电子信息产业集团有限公司 Generation method and device of attack behavior portrait, electronic equipment and storage medium
US20210064751A1 (en) * 2019-08-27 2021-03-04 Nec Laboratories America, Inc. Provenance-based threat detection tools and stealthy malware detection
CN112822206A (en) * 2021-01-29 2021-05-18 清华大学 Network cooperative attack behavior prediction method and device and electronic equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Ding Junyi et al. (丁君怡等): "Research on a construction method for a weapons and equipment knowledge graph based on open-source data", Command Control & Simulation (《指挥控制与仿真》) *
Ren Yitong (任怡彤): "Research on anomaly detection and analysis of system logs", Wanfang Data (《万方数据库》) *
Gu Zhaojun et al. (顾兆军等): "An intranet log detection model based on the conformal prediction algorithm", Netinfo Security (《信息网络安全》) *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210021631A1 (en) * 2019-07-19 2021-01-21 Rochester Institute Of Technology Cyberattack Forecasting Using Predictive Information
US11632386B2 (en) * 2019-07-19 2023-04-18 Rochester Institute Of Technology Cyberattack forecasting using predictive information
CN114095270B (en) * 2021-11-29 2024-01-23 北京天融信网络安全技术有限公司 Network attack prediction method and device
CN114095270A (en) * 2021-11-29 2022-02-25 北京天融信网络安全技术有限公司 Network attack prediction method and device
CN114124565A (en) * 2021-12-04 2022-03-01 东南大学 Network intrusion detection method based on graph embedding
CN114124565B (en) * 2021-12-04 2024-04-05 东南大学 Network intrusion detection method based on graph embedding
CN114944956A (en) * 2022-05-27 2022-08-26 深信服科技股份有限公司 Attack link detection method and device, electronic equipment and storage medium
CN115766258B (en) * 2022-11-23 2024-02-09 西安电子科技大学 Multi-stage attack trend prediction method, equipment and storage medium based on causal relationship graph
CN115766258A (en) * 2022-11-23 2023-03-07 西安电子科技大学 Multi-stage attack trend prediction method and device based on causal graph and storage medium
CN116304885B (en) * 2023-05-11 2023-08-22 之江实验室 Event identification method, device and equipment based on graph node embedding
CN116304885A (en) * 2023-05-11 2023-06-23 之江实验室 Event identification method, device and equipment based on graph node embedding
CN116738413A (en) * 2023-06-05 2023-09-12 广州大学 Method, system and device for back propagation attack investigation based on traceability graph
CN116738413B (en) * 2023-06-05 2024-02-13 广州大学 Method, system and device for back propagation attack investigation based on traceability graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211116