Machine learning-based method for identifying malicious behaviors of information system
Technical Field
The invention relates to a method for identifying malicious behaviors of an information system based on machine learning, which can realize real-time prediction of malicious behaviors in the system at a host layer and a network layer by carrying out topological graph modeling on host process behaviors and network session behaviors and using a graph convolution network technology in machine learning so as to avoid the possibility of further damaging important data.
Abbreviations and noun explanations:
GCN: called Graph conditional Network, Graph convolution Network.
GoogLeNet: a22-layer deep Network adopts the structure of Network-in-Network (Network InNet) of the Incepotion.
APT: the Advanced Persistent thread is an Advanced Persistent Threat, and refers to an attack form for carrying out long-term Persistent network attack on a specific target by using an Advanced attack means.
0day vulnerability: in the information security sense, the 0day vulnerability refers to vulnerability information which is known and mastered before the security patch is released, and can be used by hackers or criminals to attack enterprise or personal systems, steal or change data, and since thorough security measures are not in place, attackers can hardly prevent the vulnerability information.
Background
With the continuous development of informatization, more and more important information is stored in various informatization systems in the form of data, and sensitive information is not lacked. If the sensitive information is leaked maliciously or deleted and encrypted maliciously, huge loss can be brought to data owners and even society. Typical destructive means are Lesovirus and APT attacks.
The encryption type Lego software adopts a high-strength encryption algorithm to encrypt the user file. At present, no reliable precaution and detection measures are provided for encrypted Lego software, and once user data is encrypted by Lego software, the traditional antivirus software cannot do the same.
The APT is a "malicious commercial spy threat" which is a long-lasting consummated object for hackers to steal core data and aim at network attacks and attacks launched by clients. Such activities are often conducted and planned for a long period of time and are highly concealed. The APT attack method is to hide itself, steal data for a specific object in a long-term, planned and organized manner, and the actions of stealing data and collecting information in a digital space are the actions of 'network spy'.
The existing protective means is generally screened against known virus characteristics, and the following serious defects exist:
1. it is not effective against variant viruses. The Lexovirus variant is fast and can enter a host system for stealing or destroying through the detection of antivirus software before the antivirus software updates a virus feature library. Antivirus software typically cannot update the full virus library in real time, which provides a possibility for virus intrusion.
2. The 0day bug cannot be defended. In the information security sense, 0Day refers to the known and mastered vulnerability information before the security patch is released, which can be used by hackers or criminals to attack enterprise or personal systems, steal or change data, and since thorough security measures are not in place, attackers can hardly prevent it.
3. It is difficult to protect against APT attacks. APT attacks often place the focus of the attack on "slow-low" -slowly, silently moving from one intruded host to the next, where no network traffic can be monitored, and thus finding the data and target systems that they need, rendering the traditional traffic-based anomaly detection method ineffective.
Disclosure of Invention
The invention provides a method for identifying malicious behaviors of an information system based on machine learning, which can realize identification of the malicious behaviors in progress through a graph convolution network technology based on a host process behavior and a network layer session behavior so as to take measures to avoid further expansion of loss.
The method for identifying the malicious behaviors of the information system can identify the malicious behaviors from two layers.
1. Based on the host level, the behavior of the host process for accessing the file is modeled and judged, and the operations of illegal access, illegal modification, illegal deletion and the like of the data by a malicious process are prevented.
2. Based on the network layer, the network session behavior is modeled and judged, and network attack and virus diffusion of network malicious connection are prevented.
The malicious behavior identification method is divided into three modules, namely a graph conversion module, a training module and a graph convolution network module. The three modules are combined into two implementation processes, namely a training process and an identification process.
Fig. 1 is a diagram conversion module of the malicious behavior identification method according to the present invention, which includes an acquisition unit, a serialization unit, a diagram construction unit, and a diagram normalization unit.
The acquisition unit acquires the operation behavior and the network session behavior of the host process in real time, performs data cleaning on the acquired data, and sends the data to the serialization unit for serialization operation. The host process operation behavior acquired by the acquisition unit in real time comprises the following steps: registry operations (e.g., key and value creation, enumeration, lookup, deletion, etc.), file system operations (operations performed for local storage and remote file systems), network operations (UDP and TCP network activities, including source and destination addresses, port numbers, corresponding connections, disconnections, numbers and bytes of send and receive operations, etc.), process operations (e.g., parent process creation child process, process startup, thread creation, thread exit, process exit, and loading an executable image into the address space of a process, etc.), summaries (e.g., total kernel and user time since last summary event, memory usage, number of context switches, etc.). The network session operation behaviors collected by the collecting unit in real time comprise: source/destination IP addresses, source/destination port numbers, number of transmitted/received bytes, number of transmitted/received messages, transmission/reception rates, session duration, protocols, etc.
After receiving the behavior information sent by the acquisition unit, the serialization unit respectively carries out serialization operation according to the host process/network session, forms an event set on a timeline by a single process/network session, and sends an event set matrix to the graph construction unit.
After receiving the event set matrix, the graph construction unit constructs a topological graph according to the events of the host processes/network sessions, abstracts the topological graph into a topological graph formed by points and edges according to the state transition condition of each host process/network session, is used for describing the degree and state of connection among the events of the host process/network session, and transmits the degree and state to the graph convolution network unit.
And after receiving the topological graph, the graph normalization unit converts the topological graph into standard vector information which is used as the input of the graph convolution network module to carry out convolution of the spatial domain.
Fig. 2 is a training module of the malicious behavior recognition method according to the present invention, which includes a sample division unit, a model training unit, a model testing unit, a model adjustment unit, and an output model parameter unit.
And the sample dividing unit divides the vector set into a training set and a testing set by using a leave method, a K-fold cross-validation method and a self-service method according to a sample dividing strategy, and respectively sends the training set and the testing set to the model training unit and the model testing unit.
The model training unit is used for training each parameter of the graph convolution model by utilizing a square error, a cross entropy, a Hinge loss function and a random gradient descent optimization method according to an input training set and a mark thereof, and the parameters are sent to the model testing unit after being converged. The process model and the network session model respectively train parameters.
And the model test unit receives the test set and the model parameters, predicts on the model by using the vector of the training set, compares the prediction result with the test set mark, and observes the generalization capability performance of the model on the test set, such as calculation accuracy, recall rate, F-Score and the like.
If the generalization capability performance of the model on the test set meets the expectation, determining and outputting the model parameters; if the generalization capability performance of the model on the test set cannot meet the expectation, the hyper-parameters of the model are adjusted in the model adjusting unit, and the model parameters are trained again in the model training unit.
The graph convolution network module is implemented by using a 22-layer GoogLeNet, and FIG. 3 shows an inclusion structure and a two-layer full-connection structure in the GoogLeNet.
The Incep structure adopts convolution kernels with different sizes to match with receptive fields with different sizes, and fusion of features with different scales is carried out.
And the two layers of full connection structures are used for classification calculation.
Fig. 4 shows two implementation processes of the malicious behavior recognition method according to the present invention.
Firstly, in the training process, a large number of labeled event training sets are utilized, an input graph conversion module is converted into a standard vector set, an input training module calculates model parameters, the model parameters are input into a graph convolution network module, and a model is fixed. The model is generally not retrained again unless a large change in the application environment is assumed or it is deemed necessary to retrain the model. And respectively training corresponding model parameters by the host process and the network session.
And then entering an identification process, inputting the data to be identified of the host process/network session collected by the production environment into a graph conversion module, converting the data into a standard vector set input graph convolution network module, and calculating and outputting an identification result, wherein the identification result is dualized 0 or 1 and is used for marking normal/malicious behaviors.
The specific implementation mode is as follows:
the application of the present invention is illustrated by an ethernet environment.
FIG. 5 is a diagram illustrating a deployment manner of a convolution model gateway in the malicious behavior identification method according to the present invention
1. Firstly, a host process model and a network session model are trained by utilizing a training process of a convolution model in a malicious behavior recognition method, and the models are deployed in gateway equipment.
2. Client software is deployed in a host needing protection in an Ethernet environment, and host process behaviors are collected and reported to model equipment.
3. The gateway equipment where the model is located is deployed in an Ethernet environment, host process information reported by a client is received, meanwhile, a routing mirror mode or a policy routing mode is adopted to monitor flow in the Ethernet, and network session information is collected.
4. The collected host process/network session information is sent to the model gateway equipment for prediction, the host process is predicted to be malicious, and the model gateway equipment informs the host client to block the process; the network session is predicted to be malicious, and the session is blocked by the model gateway equipment, so that the purpose of protection is achieved.
Drawings
Fig. 1 is a schematic diagram of a graph transformation module of the malicious behavior identification method according to the present invention.
Fig. 2 is a schematic diagram of a graph training module of the malicious behavior recognition method according to the present invention.
Fig. 3 is a schematic diagram of an inclusion structure and two fully connected layers in a graph convolution network module of the malicious behavior identification method according to the present invention.
Fig. 4 is schematic diagrams of two implementation processes of the malicious behavior identification method according to the present invention.
Fig. 5 is a schematic diagram of a deployment manner of a convolution model gateway of the malicious behavior identification method according to the present invention.