CN116319021B - Lateral movement detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116319021B
Authority
CN
China
Prior art keywords
attack
chain
login
probability
occurrence
Prior art date
Legal status (assumption, not a legal conclusion)
Active
Application number
CN202310292546.8A
Other languages
Chinese (zh)
Other versions
CN116319021A (en)
Inventor
闫印强
穆洪涛
于淑达
姜海昆
范宇
Current Assignee
Changyang Technology Beijing Co ltd
Original Assignee
Changyang Technology Beijing Co ltd
Priority date
Filing date
Publication date
Application filed by Changyang Technology Beijing Co ltd
Priority to CN202310292546.8A
Publication of CN116319021A
Application granted
Publication of CN116319021B
Legal status: Active


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of network security, and in particular to a lateral movement detection method and apparatus, an electronic device and a storage medium. The method includes: obtaining a login log; constructing a login state chain; calculating the probability of occurrence of the login state chain with a first hidden Markov model; comparing that probability with a preset probability threshold and, if the probability does not exceed the threshold, determining that password brute-forcing (password blasting) has occurred, generating a password brute-forcing alarm and continuing; acquiring the preceding attack chain of the device; determining, with a second hidden Markov model, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together; and determining the alarm level for lateral movement from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together, then generating a lateral movement alarm report that reports the detection result. The invention improves the reliability and accuracy of lateral movement detection.

Description

Lateral movement detection method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a lateral movement detection method, a lateral movement detection device, electronic equipment and a storage medium.
Background
Industrial control network information security refers to protecting the hardware, software and data of a networked system from accidental or malicious damage, alteration and leakage, so that the system keeps running normally, continuously and reliably and network service is not interrupted.
Lateral movement is the process of moving from one compromised system to other systems on the network; it is a means by which an attacker obtains more information and enlarges the portion of the network under their control. As an attack tactic, lateral movement is characterised by the attacker using network access rights illegally obtained at one point to collect information about other parts of the system and carry out further attack activity. If no appropriate precautions are taken, an attacker who has gained access to one point can reach several other points in the network. Detection of lateral movement is therefore a critical link in network security defence.
At present there is no highly efficient and reliable way to detect the lateral movement tactic while an attack is under way.
Disclosure of Invention
To address at least some of these shortcomings, embodiments of the invention provide a lateral movement detection method and apparatus, an electronic device and a storage medium, which detect lateral movement by identifying password brute-forcing.
In a first aspect, an embodiment of the present invention provides a lateral movement detection method, including the following steps:
acquiring a login log of the device to be detected in an industrial control network;
constructing a login state chain based on the acquired login log, where a login state is either login success or login failure, and the login state chain consists of the two values 0 and 1 (0 for login failure, 1 for login success) arranged in the time order of the login behaviours;
taking the login state chain as an observation sequence and calculating its probability of occurrence with a trained first hidden Markov model;
comparing the calculated probability with a preset probability threshold and, if the calculated probability does not exceed the preset probability threshold, determining that password brute-forcing has occurred, generating a password brute-forcing alarm and continuing with the subsequent steps;
acquiring the preceding attack chain of the device, the preceding attack chain comprising one or more attack tactics that have already occurred, in order;
taking the preceding attack chain as an observation sequence and determining, with a trained second hidden Markov model, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together;
and determining the alarm level for lateral movement based on the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together, and generating a lateral movement alarm report that reports the detection result.
Optionally, constructing a login state chain based on the acquired login log includes:
extracting the login state and time of each login behavior based on the obtained login log;
determining the length range of a login state chain to be constructed and the time span of login behavior;
and constructing a login state chain meeting the length range and the time span based on the login state and time of each login behavior.
Optionally, the first hidden Markov model is trained as follows:
acquiring a plurality of groups of sample login state chains, each constructed from a historical login log and consisting of the two values 0 and 1 (0 for login failure, 1 for login success) arranged in the time order of the login behaviours;
based on the acquired groups of sample login state chains, determining by statistical analysis the initial probability distribution π1, the state transition distribution A1 and the observation probability distribution B1 of the login state chains, thereby obtaining the first hidden Markov model λ1 = (A1, B1, π1).
Optionally, acquiring the preceding attack chain of the device includes:
acquiring alarm information on the attack events that have occurred on the device, and determining the time and the technique of each attack event;
determining the attack tactic of each attack event from the threat framework and the determined technique;
and constructing the preceding attack chain of the device based on the times of the attack events and the determined attack tactics.
Optionally, the second hidden Markov model is trained as follows:
acquiring a plurality of groups of sample attack chains, each determined from historical attack events and comprising one or more attack tactics in order;
based on the acquired groups of sample attack chains, determining by statistical analysis the initial probability distribution π2, the state transition distribution A2 and the observation probability distribution B2 of the attack chains, thereby obtaining the second hidden Markov model λ2 = (A2, B2, π2).
Optionally, the length range of the login state chain to be constructed is [5,10], and the time span of the login behaviours does not exceed 3 days.
Optionally, determining the alarm level for lateral movement based on the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together includes:
calculating an evaluation score based on the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together; the expression of the evaluation score is:
where A denotes the preceding attack chain; length(A) denotes its length, with value range (0, 9); P(A) denotes the probability of occurrence of the preceding attack chain; P(AB) denotes the probability of the preceding attack chain and lateral movement occurring together; α, β and γ are evaluation parameters with α+β+γ=9; and the evaluation score takes values in (10, 100);
determining the alarm level for lateral movement from the evaluation score, with the following mapping between evaluation score and alarm level: a score below 30 is a low alarm level; a score of at least 30 and below 50 is a medium alarm level; a score of at least 50 is a high alarm level.
In a second aspect, an embodiment of the present invention further provides a lateral movement detection apparatus, including:
a log acquisition module for acquiring the login log of the device to be detected in the industrial control network;
a state chain construction module for constructing a login state chain based on the acquired login log, where a login state is either login success or login failure, and the login state chain consists of the two values 0 and 1 (0 for login failure, 1 for login success) arranged in the time order of the login behaviours;
a first probability calculation module for taking the login state chain as an observation sequence and calculating its probability of occurrence with a trained first hidden Markov model;
a first alarm module for comparing the calculated probability with a preset probability threshold, determining that password brute-forcing has occurred if the calculated probability does not exceed the preset probability threshold, generating a password brute-forcing alarm and invoking the preceding-tactic acquisition module, and otherwise invoking the log acquisition module;
a preceding-tactic acquisition module for acquiring the preceding attack chain of the device, the preceding attack chain comprising one or more attack tactics that have already occurred, in order;
a second probability calculation module for taking the preceding attack chain as an observation sequence and determining, with a trained second hidden Markov model, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together;
and a second alarm module for determining the alarm level for lateral movement based on the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together, and generating a lateral movement alarm report that reports the detection result.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory and a processor, where the memory stores a computer program, and when the processor executes the computer program, the method for detecting lateral movement according to any embodiment of the present specification is implemented.
In a fourth aspect, an embodiment of the present invention further provides a computer readable storage medium having a computer program stored thereon, which when executed in a computer, causes the computer to perform the lateral movement detection method according to any of the embodiments of the present specification.
Embodiments of the invention provide a lateral movement detection method and apparatus, an electronic device and a storage medium. A login state chain is constructed from the login log, the probability of occurrence of the login state chain is calculated with a hidden Markov model, and whether password brute-forcing has occurred is identified from that probability; this identifies slow password brute-forcing well and serves as a preliminary detection result for lateral movement. Once password brute-forcing is identified, the likelihood of lateral movement is evaluated in combination with the preceding attack chain of the device; integrating the preceding attack tactic information improves the reliability of lateral movement detection, enables automatic lateral movement detection, and gives higher accuracy.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a lateral movement detection method according to an embodiment of the present invention;
FIG. 2 is a hardware architecture diagram of an electronic device according to an embodiment of the present invention;
FIG. 3 is a block diagram of a lateral movement detection apparatus according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
As previously mentioned, lateral movement is the process of moving from one compromised system to other systems on the network; it is a means by which an attacker obtains more information and enlarges the portion of the network under their control. As an attack tactic, lateral movement is characterised by the attacker using network access rights illegally obtained at one point to collect information about other parts of the system and carry out further attack activity. If no appropriate precautions are taken, an attacker who has gained access to one point can reach several other points in the network. Detection of lateral movement is therefore a critical link in network security defence.
Password brute-forcing (password blasting) is widely used by attackers as a technique for lateral movement, so it can serve as a breakthrough point: lateral movement can be detected by identifying password brute-forcing. At present, conventional password brute-forcing identification is generally based on a time window and a count of login failures, with rules or extracted features built on these to identify and judge brute-forcing. Such a method is limited by the chosen time window; its detection of slow password brute-forcing is poor, so attacks may be missed. Moreover, identifying a single technique only gives a preliminary detection of the attack tactic that technique belongs to; the reliability of that detection still needs improvement, because no complete verification chain for the attack tactic has been formed.
Referring to FIG. 1, an embodiment of the present invention provides a lateral movement detection method, which includes:
step 100, obtaining the login log of the device to be detected in an industrial control network;
the login behaviours of the device and their times of occurrence are recorded in the device's login log;
step 102, constructing a login state chain based on the acquired login log;
a login state is either login success or login failure; the login state chain consists of the two values 0 and 1 (0 for login failure, 1 for login success) arranged in the time order of the login behaviours;
for example, 11000 represents five login behaviours: two successful logins followed by three failed logins;
step 104, taking the login state chain as an observation sequence and calculating its probability of occurrence with a trained first hidden Markov model;
the model parameters of the first hidden Markov model are determined by training;
step 106, comparing the calculated probability with a preset probability threshold and, if the calculated probability does not exceed the preset probability threshold, determining that password brute-forcing has occurred, generating a password brute-forcing alarm and continuing with the subsequent steps;
if the calculated probability exceeds the preset probability threshold, password brute-forcing is considered not to have occurred, and the method can return to step 100 to keep monitoring the devices in the industrial control network;
step 108, acquiring the preceding attack chain of the device, which comprises one or more attack tactics that have already occurred, in order;
the preceding attack chain records the preceding attack tactic information observed on the device;
step 110, taking the preceding attack chain as an observation sequence and determining, with a trained second hidden Markov model, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together;
the model parameters of the second hidden Markov model are determined by training;
and step 112, determining the alarm level for lateral movement based on the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together, and generating a lateral movement alarm report that reports the detection result.
Hidden Markov models are commonly used to solve three basic problems: the probability calculation problem, the learning problem and the prediction problem. In this embodiment, a login state chain is constructed, its probability is calculated with a first hidden Markov model trained in advance, and whether the device under detection is being attacked by the password brute-forcing technique is decided from that probability. Since password brute-forcing is a technique used to carry out the lateral movement tactic, identifying it amounts to a preliminary detection of lateral movement. After password brute-forcing is identified, the method combines the preceding attack chain of the device to judge how likely it is that the current attack belongs to lateral movement; if that likelihood is high, the current attack tactic is detected as lateral movement. The invention addresses the poor detection of slow password brute-forcing in the prior art by identifying brute-forcing with a login state chain and a hidden Markov model (the first hidden Markov model), which improves the accuracy of identifying brute-forcing. It further takes into account that an attacker has usually carried out other attack tactics in support before moving laterally; after brute-forcing is recognised, the information on those other attack tactics is combined to complete the picture of the attacker's logic and path, which further improves the reliability and accuracy of lateral movement detection.
Optionally, step 102, constructing a login state chain based on the acquired login log, includes:
extracting the login state and time of each login behavior based on the obtained login log;
determining the length range of a login state chain to be constructed and the time span of login behavior;
and constructing a login state chain meeting the length range and the time span based on the login state and time of each login behavior.
In this embodiment the construction logic keeps the length of the login state chain between a and b and the time span of the corresponding login behaviours at most T, so that the chain can cover slow password brute-forcing without an over-long chain hurting decision efficiency. Preferably the length range of the login state chain is [5,10] and the time span of the login behaviours is at most 3 days, i.e. a, b and T are 5, 10 and 3 days respectively; this noticeably improves recognition of slow password brute-forcing while keeping computation efficient.
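As an added illustration of the chain construction above (example code written for this page, not part of the patent), the following Python builds login state chains from a login log with the preferred length range [5,10] and 3-day time span; the log line format, the sliding-window rule and the sample log are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample login log for one device (not taken from the patent).
# One login per line: "<ISO-8601 time> <success|failure>".
SAMPLE_LOG = """\
2024-01-01T08:00:00 success
2024-01-01T09:30:00 success
2024-01-01T22:10:00 failure
2024-01-02T03:15:00 failure
2024-01-02T11:40:00 failure
2024-01-03T06:05:00 failure
2024-01-03T19:20:00 failure
2024-01-05T07:00:00 success
2024-01-05T08:00:00 success
"""

MIN_LEN, MAX_LEN = 5, 10        # preferred length range [a, b] = [5, 10]
MAX_SPAN = timedelta(days=3)    # preferred time span T = 3 days


def parse_login_log(text):
    """Return a time-ordered list of (time, state): 1 = login success, 0 = login failure."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, result = line.split()
        events.append((datetime.fromisoformat(stamp), 1 if result == "success" else 0))
    events.sort()
    return events


def build_login_state_chains(events, min_len=MIN_LEN, max_len=MAX_LEN, max_span=MAX_SPAN):
    """Build login state chains that satisfy the length range and the time span.

    Sliding-window rule (an assumption; the patent leaves the construction
    logic open): from every login, extend the window forward while it holds
    at most max_len logins and spans at most max_span, then emit the window
    as a '0'/'1' string in time order if it holds at least min_len logins.
    """
    chains = []
    n = len(events)
    for i in range(n):
        j = i
        while (j + 1 < n and j + 1 - i < max_len
               and events[j + 1][0] - events[i][0] <= max_span):
            j += 1
        if j - i + 1 >= min_len:
            chains.append("".join(str(state) for _, state in events[i:j + 1]))
    return chains


if __name__ == "__main__":
    for chain in build_login_state_chains(parse_login_log(SAMPLE_LOG)):
        print(chain)
```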
Optionally, in step 104, the first hidden Markov model is trained as follows:
acquiring a plurality of groups of sample login state chains, each constructed from a historical login log and consisting of the two values 0 and 1 (0 for login failure, 1 for login success) arranged in the time order of the login behaviours;
based on the acquired groups of sample login state chains, determining by statistical analysis the initial probability distribution π1, the state transition distribution A1 and the observation probability distribution B1 of the login state chains, thereby obtaining the first hidden Markov model λ1 = (A1, B1, π1).
Continuous historical login logs are collected and sample login state chains are constructed from them; observing these chains shows that, under normal conditions, different login state chains occur with clearly different probabilities. Taking a login state chain as the observation sequence, the trained hidden Markov model solves the probability calculation problem: given the first hidden Markov model λ1 = (A1, B1, π1) and an observation sequence O = {o1, o2, …, oT}, compute the probability P(O|λ1) that O appears under λ1.
Optionally, the password brute-forcing alarm generated in step 106 may include the login state chain and the probability computed for it as the observation sequence, for further analysis and judgement by the user.
Optionally, step 108, acquiring the preceding attack chain of the device, further includes:
acquiring alarm information on the attack events that have occurred on the device, and determining the time and the technique of each attack event;
determining the attack tactic of each attack event from the threat framework and the determined technique;
and constructing the preceding attack chain of the device based on the times of the attack events and the determined attack tactics.
With the above embodiment the preceding attack chain of a device can be determined; it does not include the current attack tactic, which is still being detected and has not yet been determined to be lateral movement. The threat framework may be the ATT&CK framework, whose core is its matrix of TTPs (Tactics, Techniques and Procedures): what an attacker aims to achieve, from the initial foothold through to obtaining data, and how each step in that process accomplishes its task. According to the ATT&CK framework, an attacker will have carried out other attack tactics in support before moving laterally, chiefly the following: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access and Discovery. The length of the preceding attack chain preferably does not exceed 9, so as not to affect computational efficiency.
Optionally, in step 110, the second hidden Markov model is trained as follows:
acquiring a plurality of groups of sample attack chains, each determined from historical attack events and comprising one or more attack tactics in order;
based on the acquired groups of sample attack chains, determining by statistical analysis the initial probability distribution π2, the state transition distribution A2 and the observation probability distribution B2 of the attack chains, thereby obtaining the second hidden Markov model λ2 = (A2, B2, π2).
The invention uses the second hidden Markov model to determine the relevant probabilities of the attack chain, so that the preliminary lateral movement detection result can be combined with the other preceding attack tactic information in the attack chain; this improves the accuracy of lateral movement detection based on password brute-forcing and reduces false alarms.
Optionally, step 112 further includes:
calculating an evaluation score based on the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the probability of the preceding attack chain and lateral movement occurring together; the expression of the evaluation score is:
where A denotes the preceding attack chain; length(A) denotes its length, with value range (0, 9); P(A) denotes the probability of occurrence of the preceding attack chain and P(AB) the probability of the preceding attack chain and lateral movement occurring together, both obtained from the second hidden Markov model; α, β and γ are evaluation parameters that weight, respectively, the completeness of the preceding attack chain, its probability of occurrence, and the conditional probability of the current attack tactic given that the preceding attack chain has occurred, and their values set the emphasis of the final score (for example, increasing α increases the influence of chain completeness on the final score); and the evaluation score takes values in (10, 100);
determining the alarm level for lateral movement from the evaluation score, with the following mapping between evaluation score and alarm level: a score below 30 is a low alarm level; a score of at least 30 and below 50 is a medium alarm level; a score of at least 50 is a high alarm level. The generated lateral movement alarm report preferably includes the alarm level and the evaluation score for further analysis by the user.
The above embodiment evaluates how likely the current attack tactic is to be lateral movement in combination with the attack path of the attack chain, so as to determine the alarm level of the lateral movement detection result, and gives a specific evaluation scheme, namely a specific calculation of the evaluation score. In other embodiments that likelihood may be evaluated in other ways to determine the alarm level for lateral movement.
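Added example (not the patent's own code) covering steps 104 to 112 above: the forward algorithm computes P(O|λ1) for a login state chain and applies the threshold test of step 106, a preceding attack chain is built from alarm records and evaluated with λ2 for P(A) and P(AB), and the score-to-alarm-level mapping is applied. All model parameters, the threshold, the technique-to-tactic table and the alarm records are constructed assumptions; P(AB) is taken as the forward probability of the chain followed by Lateral Movement, and because the evaluation score formula is not reproduced in the text above, alarm_level takes the score as an input.

```python
from datetime import datetime


def forward_probability(obs, start_p, trans_p, emit_p):
    """Forward algorithm: P(O | lambda) for lambda = (A, B, pi).

    start_p[i] = pi_i, trans_p[i][j] = a_ij, emit_p[i][k] = b_i(k);
    obs is the observation sequence as a list of symbol indices k.
    """
    n = len(start_p)
    alpha = [start_p[i] * emit_p[i][obs[0]] for i in range(n)]
    for k in obs[1:]:
        alpha = [sum(alpha[i] * trans_p[i][j] for i in range(n)) * emit_p[j][k]
                 for j in range(n)]
    return sum(alpha)


# First HMM lambda1 = (A1, B1, pi1). Constructed parameters standing in for the
# statistics a deployment would learn from historical login logs; they describe
# NORMAL login behaviour, so an unusual chain receives a low probability.
# Observation symbols: 0 = login failure, 1 = login success.
LOGIN_HMM = dict(
    start_p=[0.8, 0.2],                   # hidden states: 0 = routine login, 1 = fumbled password
    trans_p=[[0.9, 0.1], [0.5, 0.5]],
    emit_p=[[0.05, 0.95], [0.6, 0.4]],    # per state: [P(failure), P(success)]
)
PROBABILITY_THRESHOLD = 0.01              # constructed preset probability threshold


def login_chain_probability(chain):
    """Step 104: P(O | lambda1) for a login state chain such as '11000'."""
    return forward_probability([int(c) for c in chain], **LOGIN_HMM)


def is_password_brute_force(chain, threshold=PROBABILITY_THRESHOLD):
    """Step 106: alarm when the chain's probability does not exceed the threshold."""
    return login_chain_probability(chain) <= threshold


# Second HMM lambda2 = (A2, B2, pi2) over ATT&CK tactics: the nine precursor
# tactics named in the text plus Lateral Movement itself (the event B).
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion",
           "Credential Access", "Discovery", "Lateral Movement"]
ATTACK_HMM = dict(                        # constructed parameters, not trained values
    start_p=[0.7, 0.3],                   # hidden states: 0 = before foothold, 1 = after foothold
    trans_p=[[0.6, 0.4], [0.05, 0.95]],
    emit_p=[[0.30, 0.25, 0.25, 0.05, 0.03, 0.02, 0.02, 0.03, 0.03, 0.02],
            [0.02, 0.02, 0.04, 0.14, 0.12, 0.12, 0.12, 0.14, 0.14, 0.14]],
)
# Small technique -> tactic lookup (an excerpt in the style of ATT&CK, assumed here).
TECHNIQUE_TACTIC = {"T1595": "Reconnaissance", "T1190": "Initial Access",
                    "T1059": "Execution", "T1136": "Persistence",
                    "T1003": "Credential Access", "T1083": "Discovery"}
MAX_CHAIN_LEN = 9                         # preferred upper bound on chain length


def build_attack_chain(alarms, technique_tactic=TECHNIQUE_TACTIC, max_len=MAX_CHAIN_LEN):
    """Step 108: preceding attack chain from alarm records (iso_time, technique_id).

    Tactics are ordered by event time; consecutive repeats of one tactic are
    collapsed (an assumption) and only the most recent max_len tactics are kept.
    Lateral Movement is the tactic under detection, so it is not part of the chain.
    """
    ordered = sorted((datetime.fromisoformat(t), tech) for t, tech in alarms)
    chain = []
    for _, tech in ordered:
        tactic = technique_tactic.get(tech)
        if tactic is None or tactic == "Lateral Movement":
            continue
        if not chain or chain[-1] != tactic:
            chain.append(tactic)
    return chain[-max_len:]


def attack_chain_probabilities(chain):
    """Step 110: P(A) and P(AB), with AB read as chain A followed by Lateral Movement."""
    lm = TACTICS.index("Lateral Movement")
    idx = [TACTICS.index(t) for t in chain]
    p_a = forward_probability(idx, **ATTACK_HMM) if idx else 1.0
    p_ab = forward_probability(idx + [lm], **ATTACK_HMM)
    return p_a, p_ab


def alarm_level(score):
    """Step 112 mapping: score < 30 low, 30 <= score < 50 medium, score >= 50 high."""
    if score < 30:
        return "low"
    return "medium" if score < 50 else "high"


# Constructed alarm records for one device (not from the patent).
SAMPLE_ALARMS = [("2024-01-02T09:00:00", "T1059"), ("2024-01-01T10:00:00", "T1190"),
                 ("2024-01-02T09:05:00", "T1059"), ("2024-01-02T12:00:00", "T1003"),
                 ("2024-01-03T08:00:00", "T1083")]

if __name__ == "__main__":
    chain = "11000"
    print(chain, login_chain_probability(chain), is_password_brute_force(chain))
    if is_password_brute_force(chain):
        a = build_attack_chain(SAMPLE_ALARMS)
        p_a, p_ab = attack_chain_probabilities(a)
        print(a, "P(A)=%.3g P(AB)=%.3g P(B|A)=%.3g" % (p_a, p_ab, p_ab / p_a))
```

Because forward probabilities shrink with sequence length, a single preset threshold behaves differently for chains of length 5 and 10; the patent's bounded length range limits, but does not remove, that effect.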
As shown in Figs. 2 and 3, an embodiment of the present invention provides a lateral movement detection device. The device embodiment may be implemented in software, in hardware, or in a combination of the two. On the hardware side, Fig. 2 shows the hardware architecture of the electronic device that hosts the lateral movement detection device according to an embodiment of the present invention; besides the processor, memory, network interface and non-volatile storage shown in Fig. 2, that electronic device may generally include other hardware, such as a forwarding chip responsible for packet processing. Taking a software implementation as an example, as shown in Fig. 3, the device in the logical sense is formed by the CPU of the hosting electronic device reading the corresponding computer program from non-volatile storage into memory and running it. The lateral movement detection device provided in this embodiment includes:
the log acquisition module 301, configured to acquire the login log of a device to be detected in an industrial control network;
the state chain construction module 302, configured to construct a login state chain from the acquired login log; the login state is either login success or login failure; the login state chain consists of the two values 0 and 1, where 0 denotes a failed login and 1 a successful login, arranged in the chronological order of the login events;
the first probability calculation module 303, configured to take the login state chain as the observation sequence and calculate the probability of occurrence of the login state chain with a trained first hidden Markov model;
the first alarm module 304, configured to compare the calculated probability with a preset probability threshold: if the calculated probability does not exceed the threshold, it judges that password brute-forcing has occurred, generates a password brute-force alarm and invokes the preceding-tactic acquisition module; otherwise it invokes the log acquisition module again;
the preceding-tactic acquisition module 305, configured to acquire the preceding attack chain of the device; the preceding attack chain comprises one or more attack tactics that have already occurred, in their order of occurrence;
the second probability calculation module 306, configured to take the preceding attack chain as the observation sequence and determine, with a trained second hidden Markov model, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement occurring together;
and the second alarm module 307, configured to determine the alarm level of the lateral movement from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement, and to generate a lateral movement alarm report that reports the detection result.
In an embodiment of the present invention, the log acquisition module 301 may perform step 100 of the method embodiment above, the state chain construction module 302 step 102, the first probability calculation module 303 step 104, the first alarm module 304 step 106, the preceding-tactic acquisition module 305 step 108, the second probability calculation module 306 step 110, and the second alarm module 307 step 112.
Optionally, the state chain construction module 302 constructs the login state chain from the acquired login log by performing the following steps:
extracting the login state and time of each login event from the acquired login log;
determining the length range of the login state chain to be constructed and the time span of the login events;
and constructing, from the login state and time of each login event, a login state chain that satisfies the length range and the time span.
Optionally, the first hidden Markov model is trained as follows:
acquiring a plurality of groups of sample login state chains; each sample login state chain is constructed from historical login logs and consists of the two values 0 and 1, where 0 denotes a failed login and 1 a successful login, arranged in the chronological order of the login events;
determining, by statistical analysis of the acquired groups of sample login state chains, the initial probability distribution π1, the state transition distribution A1 and the observation probability distribution B1 of the login state chains, to obtain the first hidden Markov model λ1 = (A1, B1, π1).
Optionally, the preceding-tactic acquisition module 305 acquires the preceding attack chain of the device by performing the following steps:
acquiring alarm information for the attack events that have occurred on the device and determining the time and technique of each attack event;
determining the attack tactic of each attack event from the threat framework and the determined technique;
and constructing the preceding attack chain of the device from the times of the attack events and the determined attack tactics.
Optionally, the second hidden Markov model is trained as follows:
acquiring a plurality of groups of sample attack chains; each sample attack chain is determined from historical attack events and comprises one or more attack tactics in order;
determining, by statistical analysis of the acquired groups of sample attack chains, the initial probability distribution π2, the state transition distribution A2 and the observation probability distribution B2 of the attack chains, to obtain the second hidden Markov model λ2 = (A2, B2, π2).
Optionally, when the state chain construction module 302 constructs the login state chain, the length of the login state chain to be constructed lies in the range [5, 10] and the time span of the login events is no more than 3 days.
Further, the second alarm module determines the alarm level of the lateral movement from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement by performing the following steps:
calculating an evaluation score from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement; the expression of the evaluation score is:
where A denotes the preceding attack chain, length(A) its length, with value range (0, 9), P(A) the probability of occurrence of the preceding attack chain, P(AB) the joint probability of the preceding attack chain and lateral movement, and α, β and γ evaluation parameters with α + β + γ = 9; the evaluation score ranges over (10, 100);
determining the alarm level of the lateral movement from the evaluation score; the mapping between evaluation score and alarm level is: below 30, the alarm level is low; at least 30 and below 50, medium; at least 50, high.
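The two stages described above (login state chain, first HMM and threshold in steps 100 to 106; preceding attack chain, second HMM and alarm level in steps 108 to 112), carried through end to end as an added illustration that is not the patent's code. It makes several assumptions the page leaves open: each HMM has two latent states and is fitted with Baum-Welch (the text says only "statistical analysis"); P(AB) is taken as the forward probability of the preceding chain followed by the Lateral Movement tactic; ATT&CK Enterprise technique IDs stand in for the unnamed threat framework; and, because the evaluation-score expression did not survive extraction of this page, a stand-in weighted sum that merely respects the stated ranges is used in its place. All log lines, alerts, historical chains and the threshold are constructed.

```python
# Added illustration (not the patent's code); every assumption is flagged in a comment.
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN, MAX_SPAN = 5, 10, timedelta(days=3)   # text: length in [5,10], span <= 3 days
def parse_login_log(lines):
    """Constructed log format: '<ISO time> <device> result=<success|failure>'."""
    return [(datetime.fromisoformat(t), d, int(r == "result=success"))
            for t, d, r in (line.split() for line in lines)]

def build_login_chain(events, device):
    """Newest MAX_LEN logins of `device` within MAX_SPAN of its latest one; None if < MIN_LEN."""
    mine = sorted(e for e in events if e[1] == device)
    chain = [s for t, _, s in mine if mine[-1][0] - t <= MAX_SPAN][-MAX_LEN:]
    return chain if len(chain) >= MIN_LEN else None        # oldest first, 0 = fail, 1 = success

class HMM:
    """Discrete HMM lambda = (A, B, pi); two hidden states assumed (the text fixes none)."""
    def __init__(self, n_symbols):
        self.N, self.M = 2, n_symbols
        self.pi, self.A = [0.6, 0.4], [[0.7, 0.3], [0.4, 0.6]]      # asymmetric start point
        w = [k + 1 for k in range(n_symbols)]
        self.B = [[x / sum(w) for x in w], [x / sum(w) for x in reversed(w)]]
    def _forward(self, obs):          # alpha[t][j] = P(o_0..o_t, state_t = j)
        al = [[self.pi[i] * self.B[i][obs[0]] for i in range(self.N)]]
        for o in obs[1:]:
            al.append([sum(al[-1][i] * self.A[i][j] for i in range(self.N)) * self.B[j][o]
                       for j in range(self.N)])
        return al
    def _backward(self, obs):         # beta[t][i] = P(o_t+1..o_T | state_t = i)
        be = [[1.0] * self.N]
        for o in reversed(obs[1:]):
            be.insert(0, [sum(self.A[i][j] * self.B[j][o] * be[0][j] for j in range(self.N))
                          for i in range(self.N)])
        return be
    def prob(self, obs):              # P(O | lambda), the forward algorithm
        return sum(self._forward(obs)[-1])
    def fit(self, seqs, iters=30):
        """Baum-Welch re-estimation of pi, A, B from unlabelled sample chains (one choice)."""
        N, M = self.N, self.M
        for _ in range(iters):
            pi_n, A_d, B_d = [0.0] * N, [0.0] * N, [0.0] * N
            A_n, B_n = [[0.0] * N for _ in range(N)], [[0.0] * M for _ in range(N)]
            for obs in seqs:
                al, be, P = self._forward(obs), self._backward(obs), self.prob(obs)
                for t, o in enumerate(obs):
                    for i in range(N):
                        g = al[t][i] * be[t][i] / P                 # P(state_t = i | O)
                        pi_n[i] += g if t == 0 else 0.0
                        B_n[i][o] += g
                        B_d[i] += g
                        if t + 1 < len(obs):
                            A_d[i] += g
                            for j in range(N):
                                A_n[i][j] += al[t][i] * self.A[i][j] * self.B[j][obs[t + 1]] * be[t + 1][j] / P
            self.pi = [p / len(seqs) for p in pi_n]
            self.A = [[A_n[i][j] / A_d[i] for j in range(N)] for i in range(N)]
            self.B = [[B_n[i][k] / B_d[i] for k in range(M)] for i in range(N)]
        return self

# Technique -> tactic (ATT&CK Enterprise IDs assumed; the text only says "threat framework").
TACTICS = ["Initial Access", "Discovery", "Credential Access", "Lateral Movement"]
TECH_TO_TACTIC = {"T1190": 0, "T1018": 1, "T1110": 2, "T1021": 3}   # index = HMM symbol
LATERAL = TACTICS.index("Lateral Movement")

def build_attack_chain(alerts):   # constructed alerts: (ISO time, technique id)
    return [TECH_TO_TACTIC[tech] for _, tech in sorted(alerts)]

def evaluate(chain, hmm2, alpha=3, beta=3, gamma=3):
    """Returns (P(A), P(AB), score).  P(AB) is taken as P(A then Lateral Movement).  The
    score is a stand-in that only respects the text's ranges; it is NOT the patent's formula."""
    p_a, p_ab = hmm2.prob(chain), hmm2.prob(chain + [LATERAL])
    return p_a, p_ab, 10 + alpha * len(chain) + 10 * beta * p_a + 10 * gamma * p_ab

def alarm_level(score):           # mapping given in the text
    return "high" if score >= 50 else "medium" if score >= 30 else "low"

# Constructed inputs: plc-01 sees 9 failures then a success inside the 3-day window.
LOGIN_LOG = (["2024-02-20T09:00:00 plc-01 result=success",          # outside the 3-day window
              "2024-03-01T07:59:00 plc-01 result=success"]
             + ["2024-03-01T08:%02d:00 plc-01 result=failure" % m for m in range(9)]
             + ["2024-03-01T08:09:00 plc-01 result=success"])
BENIGN_HISTORY = [[int(c) for c in s] for s in ("1111111111", "1111011111", "1111111101",
                                                "1011111111", "1110111111", "1111111111")]
ATTACK_HISTORY = [[0, 1, 2, 3], [0, 2, 3], [1, 2, 3], [0, 1, 3], [0, 1, 2, 3], [2, 3], [0, 1, 2]]
ALERTS = [("2024-02-28T22:00:00", "T1190"), ("2024-03-01T07:30:00", "T1018"), ("2024-03-01T08:09:00", "T1110")]
P_THRESHOLD = 1e-4      # preset threshold; at or below it the chain is judged brute-forced

def run_demo(device="plc-01"):
    """Steps 100-112 for one device; returns what the two alarm modules would report."""
    hmm1 = HMM(2).fit(BENIGN_HISTORY)
    chain = build_login_chain(parse_login_log(LOGIN_LOG), device)
    p1 = hmm1.prob(chain)
    if p1 > P_THRESHOLD:                      # no brute force: back to log collection
        return {"brute_force": False, "p_chain": p1}
    hmm2 = HMM(len(TACTICS)).fit(ATTACK_HISTORY)
    p_a, p_ab, score = evaluate(build_attack_chain(ALERTS), hmm2)
    return {"brute_force": True, "p_chain": p1, "p_a": p_a, "p_ab": p_ab,
            "score": score, "level": alarm_level(score)}

if __name__ == "__main__":
    print(run_demo())
```

Two checks worth carrying into a real deployment of this scheme. First, P(AB) can never exceed P(A) (it is P(A) multiplied by the probability of one more observation), so the number that actually discriminates is the conditional P(AB)/P(A), and a score that adds the two raw probabilities rewards short chains rather than likely lateral movement. Second, the forward probability of any chain shrinks with its length, which is why the text pins the login chain to [5, 10] symbols: a threshold tuned on length-10 chains is wrong for length-5 chains, so either fix the length or compare the log-probability per symbol against the preset threshold.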
It should be understood that the structure illustrated in the embodiments of the present invention is not limited to a specific type of lateral movement detection device. In other embodiments of the invention, a lateral movement detection device may include more or fewer components than shown, or certain components may be combined, or certain components may be split, or different arrangements of components may be provided. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The content of information interaction and execution process between the modules in the device is based on the same conception as the embodiment of the method of the present invention, and specific content can be referred to the description in the embodiment of the method of the present invention, which is not repeated here.
An embodiment of the invention also provides an electronic device comprising a memory and a processor, the memory storing a computer program, and the processor implementing the lateral movement detection method of any embodiment of the invention when executing the computer program.
Embodiments of the present invention also provide a computer readable storage medium having a computer program stored thereon, which when executed by a processor causes the processor to perform a lateral movement detection method according to any of the embodiments of the present invention.
Specifically, a storage medium storing software program code that realizes the functions of any of the above embodiments may be provided to a system or apparatus, and the computer (or CPU or MPU) of that system or apparatus is caused to read out and execute the program code stored in the storage medium.
In this case, the program code read from the storage medium itself realizes the functions of any of the above embodiments, so the program code and the storage medium storing it form part of the present invention.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a non-volatile memory card and a ROM. Alternatively, the program code may be downloaded from a server computer over a communication network.
Further, the functions of any of the above embodiments may be implemented not only by the computer executing the program code it has read out, but also by having an operating system or the like running on the computer perform part or all of the actual operations according to the instructions of the program code.
Further, the program code read from the storage medium may be written into a memory on an expansion board inserted into the computer or in an expansion module connected to the computer, and a CPU or the like mounted on that expansion board or module then performs part or all of the actual operations according to the instructions of the program code, thereby realizing the functions of any of the above embodiments.
The embodiments of the present invention provide a lateral movement detection method and device, an electronic device and a storage medium. A login state chain is constructed from the login logs collected from each device, the probability of occurrence of that chain is calculated with a hidden Markov model, and password brute-forcing is thereby identified effectively; combining this with the detection results for the other tactics in the attack chain then improves the reliability with which lateral movement built on password brute-forcing is detected. The invention provides a basis for judging the importance of the related alarms and helps both the further construction of attack chains and the overall improvement of the network security defence level.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. A lateral movement detection method, characterized by comprising the steps of:
acquiring a login log of a device to be detected in an industrial control network;
constructing a login state chain from the acquired login log; the login state is either login success or login failure; the login state chain consists of the two values 0 and 1, where 0 denotes a failed login and 1 a successful login, arranged in the chronological order of the login events;
taking the login state chain as the observation sequence and calculating the probability of occurrence of the login state chain with a trained first hidden Markov model;
comparing the calculated probability with a preset probability threshold and, if the calculated probability does not exceed the preset probability threshold, judging that password brute-forcing has occurred, generating a password brute-force alarm and continuing with the subsequent steps;
acquiring the preceding attack chain of the device; the preceding attack chain comprises one or more attack tactics that have already occurred, in their order of occurrence;
taking the preceding attack chain as the observation sequence and determining, with a trained second hidden Markov model, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement occurring together;
determining the alarm level of the lateral movement from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement, and generating a lateral movement alarm report that reports the detection result;
wherein the first hidden Markov model is trained by:
acquiring a plurality of groups of sample login state chains; each sample login state chain is constructed from historical login logs and consists of the two values 0 and 1, where 0 denotes a failed login and 1 a successful login, arranged in the chronological order of the login events;
determining, by statistical analysis of the acquired groups of sample login state chains, the initial probability distribution π1, the state transition distribution A1 and the observation probability distribution B1 of the login state chains, to obtain the first hidden Markov model λ1 = (A1, B1, π1);
acquiring the preceding attack chain of the device comprises:
acquiring alarm information for the attack events that have occurred on the device and determining the time and technique of each attack event;
determining the attack tactic of each attack event from the threat framework and the determined technique;
constructing the preceding attack chain of the device from the times of the attack events and the determined attack tactics;
and the second hidden Markov model is trained by:
acquiring a plurality of groups of sample attack chains; each sample attack chain is determined from historical attack events and comprises one or more attack tactics in order;
determining, by statistical analysis of the acquired groups of sample attack chains, the initial probability distribution π2, the state transition distribution A2 and the observation probability distribution B2 of the attack chains, to obtain the second hidden Markov model λ2 = (A2, B2, π2).
2. The method of claim 1, characterized in that
constructing a login state chain from the acquired login log comprises:
extracting the login state and time of each login event from the acquired login log;
determining the length range of the login state chain to be constructed and the time span of the login events;
and constructing, from the login state and time of each login event, a login state chain that satisfies the length range and the time span.
3. The method of claim 2, characterized in that
the length of the login state chain to be constructed lies in the range [5, 10] and the time span of the login events is no more than 3 days.
4. The method of claim 3, characterized in that
determining the alarm level of the lateral movement from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement comprises:
calculating an evaluation score from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement; the expression of the evaluation score is:
where A denotes the preceding attack chain, length(A) its length, with value range (0, 9), P(A) the probability of occurrence of the preceding attack chain, P(AB) the joint probability of the preceding attack chain and lateral movement, and α, β and γ evaluation parameters with α + β + γ = 9; the evaluation score ranges over (10, 100);
determining the alarm level of the lateral movement from the evaluation score; the mapping between evaluation score and alarm level is: below 30, the alarm level is low; at least 30 and below 50, medium; at least 50, high.
5. A lateral movement detection device, characterized by comprising:
a log acquisition module, configured to acquire the login log of a device to be detected in an industrial control network;
a state chain construction module, configured to construct a login state chain from the acquired login log; the login state is either login success or login failure; the login state chain consists of the two values 0 and 1, where 0 denotes a failed login and 1 a successful login, arranged in the chronological order of the login events;
a first probability calculation module, configured to take the login state chain as the observation sequence and calculate the probability of occurrence of the login state chain with a trained first hidden Markov model;
a first alarm module, configured to compare the calculated probability with a preset probability threshold and, if the calculated probability does not exceed the preset probability threshold, judge that password brute-forcing has occurred, generate a password brute-force alarm and invoke the preceding-tactic acquisition module, and otherwise invoke the log acquisition module;
a preceding-tactic acquisition module, configured to acquire the preceding attack chain of the device; the preceding attack chain comprises one or more attack tactics that have already occurred, in their order of occurrence;
a second probability calculation module, configured to take the preceding attack chain as the observation sequence and determine, with a trained second hidden Markov model, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement occurring together;
and a second alarm module, configured to determine the alarm level of the lateral movement from the length of the preceding attack chain, the probability of occurrence of the preceding attack chain and the joint probability of the preceding attack chain and lateral movement, and to generate a lateral movement alarm report that reports the detection result;
wherein the first hidden Markov model is trained by:
acquiring a plurality of groups of sample login state chains; each sample login state chain is constructed from historical login logs and consists of the two values 0 and 1, where 0 denotes a failed login and 1 a successful login, arranged in the chronological order of the login events;
determining, by statistical analysis of the acquired groups of sample login state chains, the initial probability distribution π1, the state transition distribution A1 and the observation probability distribution B1 of the login state chains, to obtain the first hidden Markov model λ1 = (A1, B1, π1);
the preceding-tactic acquisition module acquires the preceding attack chain of the device by performing the following steps:
acquiring alarm information for the attack events that have occurred on the device and determining the time and technique of each attack event;
determining the attack tactic of each attack event from the threat framework and the determined technique;
constructing the preceding attack chain of the device from the times of the attack events and the determined attack tactics;
and the second hidden Markov model is trained by:
acquiring a plurality of groups of sample attack chains; each sample attack chain is determined from historical attack events and comprises one or more attack tactics in order;
determining, by statistical analysis of the acquired groups of sample attack chains, the initial probability distribution π2, the state transition distribution A2 and the observation probability distribution B2 of the attack chains, to obtain the second hidden Markov model λ2 = (A2, B2, π2).
6. An electronic device comprising a memory and a processor, the memory having stored therein a computer program, characterized in that the processor, when executing the computer program, implements the lateral movement detection method according to any of claims 1-4.
7. A storage medium having stored thereon a computer program, characterized in that the computer program, when executed in a computer, causes the computer to perform the lateral movement detection method according to any one of claims 1-4.
CN202310292546.8A 2023-03-23 2023-03-23 Lateral movement detection method and device, electronic equipment and storage medium Active CN116319021B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310292546.8A CN116319021B (en) 2023-03-23 2023-03-23 Lateral movement detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116319021A CN116319021A (en) 2023-06-23
CN116319021B true CN116319021B (en) 2023-09-29

Family

ID=86819946

Country Status (1)

Country Link
CN (1) CN116319021B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106716958A (en) * 2014-09-18 2017-05-24 Microsoft Technology Licensing, LLC Lateral movement detection
CN109936545A (en) * 2017-12-18 2019-06-25 Huawei Technologies Co., Ltd. Brute-force attack detection method and related apparatus
US10673880B1 (en) * 2016-09-26 2020-06-02 Splunk Inc. Anomaly detection to identify security threats
CN111581643A (en) * 2020-05-07 2020-08-25 Industrial and Commercial Bank of China Ltd. Penetration attack evaluation method and device, electronic equipment and readable storage medium
WO2021170249A1 (en) * 2020-02-28 2021-09-02 Telefonaktiebolaget Lm Ericsson (Publ) Cyberattack identification in a network environment
US11258825B1 (en) * 2019-07-18 2022-02-22 Trend Micro Incorporated Computer network monitoring with event prediction
CN114598545A (en) * 2022-03-23 2022-06-07 University of Science and Technology of China Internal security threat detection method, system, equipment and storage medium

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
FSM-Based Cyber Security Status Analysis Method; Yulu Qi et al.; IEEE; full text *
Hidden Markov Models and Alert Correlations for the Prediction of Advanced Persistent Threats; Ibrahim Ghafir et al.; IEEE; full text *
Research on anomaly detection of malicious logins based on host logs; Ming Ze; Master's thesis (electronic journal); full text *
Research on APT attack sample acquisition and analysis based on probes and neural networks; Gu Hongjie; Master's thesis (electronic journal); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant