CN111581397A - Knowledge-graph-based network attack source tracing method, apparatus and device - Google Patents
- Publication number: CN111581397A (application CN202010377539.4A)
- Authority: CN (China)
- Prior art keywords: network, knowledge, graph, network attack, knowledge graph
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/36—Creation of semantic tools, e.g. ontology or thesauri
- G06F16/367—Ontology
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a knowledge-graph-based network attack source tracing method comprising the following steps: while the network is running, signal detection is performed on the network; when a network attack signal is detected, the pre-established network knowledge graphs are obtained, each network knowledge graph being a mesh-structured graph constructed from operation data in the network; and the network knowledge graphs are used to trace the network attack signal to its source, yielding a network attack source tracing result. Applying the technical solution provided by the embodiments of the invention greatly reduces the amount of computation and the time consumed, greatly increases search speed, and achieves comprehensive and efficient identification of network attacks. The invention also discloses a network attack source tracing apparatus, device and storage medium having corresponding technical effects.
Description
Technical Field
The present invention relates to the technical field of network security, and in particular to a knowledge-graph-based network attack source tracing method, apparatus, device and computer-readable storage medium.
Background Art
In recent years network attacks have occurred frequently, and Trojans, worms and ransomware have appeared on the Internet in an endless stream, posing a serious threat to network security. When a network attack occurs, its source must be traced so that a remedy can be found as soon as possible and network security restored.
Existing network attack source tracing methods mainly rely on a network attack knowledge base built on a relational database. Searches with complex conditions are slow. For example, a search such as "find all computers that have established an insecure connection with computer A, and all computers that have established an insecure connection with those computers" requires the relational database to perform Cartesian-product join queries across the foreign-key links of multiple tables, which involves an enormous amount of computation, takes a long time and yields slow search speed.
In summary, how to effectively solve the problems of existing network attack source tracing methods, namely their large amount of computation, long time consumption and slow search speed, is a problem that those skilled in the art urgently need to solve.
Summary of the Invention
The object of the present invention is to provide a knowledge-graph-based network attack source tracing method that greatly reduces the amount of computation and the time consumed, greatly increases search speed, and achieves comprehensive and efficient identification of network attacks; another object of the present invention is to provide a network attack source tracing apparatus, device and computer-readable storage medium.
To solve the above technical problems, the present invention provides the following technical solutions:
A knowledge-graph-based network attack source tracing method, comprising:
while the network is running, performing signal detection on the network;
when a network attack signal is detected, obtaining the pre-established network knowledge graphs, wherein each network knowledge graph is a mesh-structured graph constructed from operation data in the network;
using the network knowledge graphs to trace the network attack signal to its source, obtaining a network attack source tracing result.
In a specific embodiment of the present invention, the process of establishing each network knowledge graph comprises:
performing knowledge extraction on the operation data to obtain knowledge tuples, wherein each knowledge tuple comprises an operating object, an operating means and an operated object; the operating object and the operated object are operating entities, and the operating means is an operating relation;
storing each knowledge tuple in its corresponding graph database;
sending the knowledge tuples in each graph database to the other graph databases by message broadcast;
associating the knowledge tuples in each graph database that share the same operating entity, to obtain the network knowledge graphs.
In a specific embodiment of the present invention, sending the knowledge tuples in each graph database to the other graph databases by message broadcast comprises:
using the data sharing mechanism of a blockchain network to send the knowledge tuples in each graph database to the other graph databases by message broadcast.
In a specific embodiment of the present invention, the method further comprises:
when the number of knowledge tuples in each graph database is detected to exceed a preset value, determining the knowledge tuples to be deleted;
performing a deletion operation on the knowledge tuples to be deleted.
In a specific embodiment of the present invention, determining the knowledge tuples to be deleted comprises:
sorting the knowledge tuples in each graph database by coldness and hotness;
determining the knowledge tuples to be deleted in cold-first, then hot order.
A knowledge-graph-based network attack source tracing apparatus, comprising:
a signal detection module for performing signal detection on the network while the network is running;
a knowledge graph acquisition module for obtaining the pre-established network knowledge graphs when a network attack signal is detected, wherein each network knowledge graph is a mesh-structured graph constructed from operation data in the network;
an attack tracing module for using the network knowledge graphs to trace the network attack signal to its source and obtain a network attack source tracing result.
In a specific embodiment of the present invention, the apparatus further comprises a knowledge graph establishment module, which comprises:
a knowledge extraction sub-module for performing knowledge extraction on the operation data of the network to obtain knowledge tuples, wherein each knowledge tuple comprises an operating object, an operating means and an operated object; the operating object and the operated object are operating entities, and the operating means is an operating relation;
a knowledge tuple storage sub-module for storing each knowledge tuple in its corresponding graph database;
a knowledge tuple sending sub-module for sending the knowledge tuples in each graph database to the other graph databases by message broadcast;
a knowledge graph obtaining sub-module for associating the knowledge tuples in each graph database that share the same operating entity, to obtain the network knowledge graphs.
In a specific embodiment of the present invention, the knowledge tuple sending sub-module is specifically a module that uses the data sharing mechanism of a blockchain network to send the knowledge tuples in each graph database to the other graph databases by message broadcast.
A knowledge-graph-based network attack source tracing device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the knowledge-graph-based network attack source tracing method described above when executing the computer program.
A computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the knowledge-graph-based network attack source tracing method described above when executed by a processor.
Applying the method provided by the embodiments of the present invention, signal detection is performed on the network while it is running; when a network attack signal is detected, the pre-established network knowledge graphs are obtained, each being a mesh-structured graph constructed from operation data in the network; and the network knowledge graphs are used to trace the network attack signal to its source, obtaining a network attack source tracing result. Because mesh-structured network knowledge graphs are established in advance, they can be used to trace a network attack signal to its source as soon as the signal is detected. A network knowledge graph expresses the knowledge contained in the operation data, turning abstract relations into a visual representation. Compared with the existing tabular presentation, the present invention needs no large volume of foreign-key join computation and captures the key information in the knowledge more intuitively, which greatly reduces the amount of computation and the time consumed, greatly increases search speed, and achieves comprehensive and efficient identification of network attacks.
Correspondingly, the embodiments of the present invention also provide a network attack source tracing apparatus, device and computer-readable storage medium corresponding to the above knowledge-graph-based network attack source tracing method, which have the above technical effects and are not described again here.
Description of the Drawings
To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of one implementation of the knowledge-graph-based network attack source tracing method in an embodiment of the present invention;
Fig. 2 is a flowchart of another implementation of the knowledge-graph-based network attack source tracing method in an embodiment of the present invention;
Fig. 3 is a structural block diagram of a knowledge chain in an embodiment of the present invention;
Fig. 4 is a network knowledge graph corresponding to a network attack event in an embodiment of the present invention;
Fig. 5 is an overall architecture diagram of a knowledge chain in an embodiment of the present invention;
Fig. 6 is a structural block diagram of a knowledge-graph-based network attack source tracing apparatus in an embodiment of the present invention;
Fig. 7 is a structural block diagram of a knowledge-graph-based network attack source tracing device in an embodiment of the present invention.
具体实施方式Detailed ways
为了使本技术领域的人员更好地理解本发明方案,下面结合附图和具体实施方式对本发明作进一步的详细说明。显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to make those skilled in the art better understand the solution of the present invention, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. Obviously, the described embodiments are only some, but not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
实施例一:Example 1:
参见图1,图1为本发明实施例中基于知识图谱的网络攻击溯源方法的一种实施流程图,该方法可以包括以下步骤:Referring to FIG. 1, FIG. 1 is an implementation flowchart of a method for tracing the source of a network attack based on a knowledge graph in an embodiment of the present invention, and the method may include the following steps:
S101:在网络运行过程中,对网络进行信号检测。S101: During the network operation process, perform signal detection on the network.
在网络运行过程中,对网络进行信号检测。如可以预先存储网络在正常运行状态下的流量范围,可以在网络运行过程中检测网络的流量是否处于预存的流量范围之间。During network operation, signal detection is performed on the network. For example, the traffic range of the network in a normal operation state can be pre-stored, and whether the network traffic is within the pre-stored traffic range can be detected during the network operation process.
S102:当检测到网络攻击信号时,获取预建立的各网络知识图谱;其中,各网络知识图谱为根据网络中操作数据构建得到的网状图结构的图谱。S102: When a network attack signal is detected, obtain each pre-established network knowledge graph; wherein each network knowledge graph is a graph of a network graph structure constructed according to the operation data in the network.
在对网络进行各种操作的过程中,根据网络中操作数据构建得到的网状图结构的网络知识图谱,使得存在联系的操作数据之间相互关联。当通过对网络进行信号检测,检测到存在网络攻击信号时,获取预建立的各网络知识图谱。In the process of performing various operations on the network, the network knowledge graph of the network graph structure is constructed according to the operation data in the network, so that the connected operation data are related to each other. When a network attack signal is detected by performing signal detection on the network, the pre-established knowledge graph of each network is acquired.
S103:利用各网络知识图谱对网络攻击信号进行网络攻击溯源,得到网络攻击溯源结果。S103: Use each network knowledge graph to trace the network attack signal to the network attack source, and obtain the network attack source tracing result.
每个网络知识图谱具有攻击涉及的各个环节的上下游信息,网络知识图谱能够清晰地显示网络攻击的利益相关各方之间的联系,因此,将网络知识图谱应用于网络中各个隔离网段的入侵防御系统,作为入侵防护设备的识别规则支撑。在获取到各网络知识图谱之后,利用各网络知识图谱对网络攻击信号进行网络攻击溯源,得到网络攻击溯源结果。网络知识图谱对操作数据包含的知识进行表达,将抽象的关系变成形象化的表达,对比现有的表格形式展示,本发明不需要进行大量外链关联计算,能够更加直观地捕捉到知识中的关键信息,较大地降低了计算量,减少了耗时,较大地提升了搜索速度,实现了对网络攻击的全面高效识别。Each network knowledge graph has the upstream and downstream information of each link involved in the attack, and the network knowledge graph can clearly show the connection between the stakeholders of the network attack. Therefore, the network knowledge graph is applied to each isolated network segment in the network. Intrusion prevention system, as the support of identification rules of intrusion prevention equipment. After obtaining each network knowledge graph, use each network knowledge graph to trace the network attack signal to the network attack source, and obtain the network attack source tracing result. The network knowledge graph expresses the knowledge contained in the operation data, and turns the abstract relationship into a visual expression. Compared with the existing tabular display, the present invention does not need to perform a large number of external link association calculations, and can capture the knowledge more intuitively. It greatly reduces the amount of calculation, reduces the time-consuming, greatly improves the search speed, and realizes comprehensive and efficient identification of network attacks.
应用本发明实施例所提供的方法,在网络运行过程中,对网络进行信号检测;当检测到网络攻击信号时,获取预建立的各网络知识图谱;其中,各网络知识图谱为根据网络中操作数据构建得到的网状图结构的图谱;利用各网络知识图谱对网络攻击信号进行网络攻击溯源,得到网络攻击溯源结果。通过预先建立网状图结构的网络知识图谱,当检测到网络攻击信号时,利用各网络知识图谱对网络攻击信号进行网络攻击溯源。网络知识图谱对操作数据包含的知识进行表达,将抽象的关系变成形象化的表达,对比现有的表格形式展示,本发明不需要进行大量外链关联计算,能够更加直观地捕捉到知识中的关键信息,较大地降低了计算量,减少了耗时,较大地提升了搜索速度,实现了对网络攻击的全面高效识别。By applying the method provided by the embodiment of the present invention, in the process of network operation, signal detection is performed on the network; when a network attack signal is detected, each pre-established network knowledge graph is obtained; wherein, each network knowledge graph is based on the operation in the network. The graph of the network graph structure obtained by constructing the data; using each network knowledge graph to trace the network attack signal to the source of the network attack, and obtain the result of the source of the network attack. By pre-establishing a network knowledge graph with a network graph structure, when a network attack signal is detected, each network knowledge graph is used to trace the network attack signal to the network attack source. The network knowledge graph expresses the knowledge contained in the operation data, and turns the abstract relationship into a visual expression. Compared with the existing tabular display, the present invention does not need to perform a large number of external link association calculations, and can capture the knowledge more intuitively. It greatly reduces the amount of calculation, reduces the time-consuming, greatly improves the search speed, and realizes comprehensive and efficient identification of network attacks.
需要说明的是,基于上述实施例一,本发明实施例还提供了相应的改进方案。在后续实施例中涉及与上述实施例一中相同步骤或相应步骤之间可相互参考,相应的有益效果也可相互参照,在下文的改进实施例中不再一一赘述。It should be noted that, based on the foregoing first embodiment, the embodiment of the present invention also provides a corresponding improvement solution. In subsequent embodiments, the same steps or corresponding steps in the above-mentioned first embodiment can be referred to each other, and corresponding beneficial effects can also be referred to each other, which will not be repeated in the following improved embodiments.
实施例二:Embodiment 2:
参见图2,图2为本发明实施例中基于知识图谱的网络攻击溯源方法的另一种实施流程图,该方法可以包括以下步骤:Referring to FIG. 2, FIG. 2 is another implementation flowchart of the method for tracing the source of a network attack based on a knowledge graph in an embodiment of the present invention, and the method may include the following steps:
S201:对网络中的操作数据进行知识抽取,得到各知识元组;其中,每个知识元组包括操作对象、操作手段以及被操作对象;操作对象和被操作对象为操作实体,操作手段为操作关系。S201: Perform knowledge extraction on the operation data in the network to obtain each knowledge tuple; wherein, each knowledge tuple includes an operation object, an operation means and an operated object; the operation object and the operated object are the operation entity, and the operation means is the operation relation.
当网络中产生操作数据时,对网络中的操作数据进行知识抽取,得到各知识元组。每个知识元组包括操作对象、操作手段以及被操作对象,并且将操作对象和被操作对象记为操作实体,将操作手段记为操作关系。When operation data is generated in the network, knowledge extraction is performed on the operation data in the network to obtain each knowledge tuple. Each knowledge tuple includes an operation object, an operation means, and an operated object, and the operation object and the operated object are recorded as an operation entity, and the operation means is recorded as an operation relationship.
如网络攻击知识的抽取对象包括网络入侵检测系统的攻击识别信息、交换机日志、路由器日志、防火墙日志、终端设备日志、应用日志、企业网络资产库表等。网络攻击知识的结构可以简单地看成一个多关系图,由节点和边来构成,通常用“操作实体”表示为图中的节点,用“操作关系”表示为图中的边,该关系图表示着两个操作实体之间存在着某种操作关系。映射到实际的网络攻击中,“操作实体”则对应于网络攻击的相关操作对象,可以是IP地址、设备、应用或具体的数据对象,“操作关系”则对应于操作手段,即动作关系,可以是攻击行为、从属行为、操作行为等。例如,我们可以将“攻击的IP地址”表示为操作实体,“被攻主机”表示为操作实体,“攻击手段”表现为操作关系,那么可以用<“ip地址”,“攻击手段”,“被攻主机”>的三元组来表示节点和边的关系。所有操作对象和被操作对象的相关信息进行基于三元组知识结构的知识抽取,将攻击信息处理为三元组格式的知识表达。抽取出来的知识将呈现为<“操作实体”,“操作关系”,“操作实体”>的知识元组形式。For example, the extraction objects of network attack knowledge include attack identification information of network intrusion detection system, switch logs, router logs, firewall logs, terminal equipment logs, application logs, enterprise network asset database tables, etc. The structure of network attack knowledge can be simply regarded as a multi-relational graph, which is composed of nodes and edges. Usually, “operational entities” are used to represent nodes in the graph, and “operational relationships” are used to represent edges in the graph. Indicates that there is an operational relationship between two operational entities. Mapped to the actual network attack, the "operation entity" corresponds to the relevant operation object of the network attack, which can be an IP address, a device, an application or a specific data object, and the "operation relationship" corresponds to the operation means, that is, the action relationship. It can be aggressive behavior, subordinate behavior, operational behavior, etc. For example, we can express the "attack IP address" as the operation entity, "attack host" as the operation entity, and "attack method" as the operation relationship, then we can use <"ip address", "attack method", " The triplet of the attacked host "> to represent the relationship between nodes and edges. 
Knowledge extraction based on triple knowledge structure is carried out on all operating objects and related information of manipulated objects, and the attack information is processed into knowledge representation in triple format. The extracted knowledge will be presented in the form of a knowledge tuple of <"operation entity", "operation relation", "operation entity">.
S202:将各知识元组存储在各自对应的图数据库中。S202: Store each knowledge tuple in the corresponding graph database.
在通过对网络中的操作数据进行知识抽取,得到各知识元组之后,将各知识元组存储在各自对应的图数据库中。After each knowledge tuple is obtained by performing knowledge extraction on the operation data in the network, each knowledge tuple is stored in its corresponding graph database.
如图3所示,对于对网络的每次操作都对应建立有相应的知识模块,每个知识模块由一个图数据库和消息处理插件组成,各知识模块之间相互连通,构成知识链。消息处理插件主要负责对知识链网络中的数据消息(知识)和控制指令进行接收和处理,负责对数据消息进行加解密以及对图数据库的增删查改等操作。图数据库是一种数据库类型,属于非关系型数据库。图数据库的关注点是“关联关系”形成的图,其目标是对网络中的操作实体与操作实体之间的关联关系进行存储与分析,即将操作实体抽象为顶点、将操作实体之间的操作关系抽象为边。通过顶点和边形成的图谱结构,直观自然的表达万物关联,同时解决了复杂关联关系深层检索的性能问题。由于知识结构本身是基于关系图的数据结构,因此采用图数据库对知识进行存储。知识模块能够支持当前市面上主流的图数据,包括arangob、neo4j、orientdb和allegrograph。As shown in Figure 3, a corresponding knowledge module is established for each operation on the network. Each knowledge module consists of a graph database and a message processing plug-in. The knowledge modules are connected to each other to form a knowledge chain. The message processing plug-in is mainly responsible for receiving and processing data messages (knowledge) and control instructions in the knowledge chain network, encrypting and decrypting data messages, and adding, deleting, checking, and modifying graph databases. A graph database is a type of database that is a non-relational database. The focus of the graph database is the graph formed by the "association relationship", and its goal is to store and analyze the association relationship between the operating entities and the operating entities in the network, that is, abstract the operating entities into vertices, and abstract the operations between the operating entities. Relationships are abstracted as edges. Through the graph structure formed by vertices and edges, the relationship between all things is intuitively and naturally expressed, and the performance problem of deep retrieval of complex relationship relationships is solved. Since the knowledge structure itself is a data structure based on a relational graph, a graph database is used to store knowledge. The knowledge module can support mainstream graph data on the market, including arangob, neo4j, orientdb and allegrograph.
S203:利用区块链网络的数据共享机制将每个图数据库中的知识元组通过消息广播形式发送至其他图数据库。S203: Use the data sharing mechanism of the blockchain network to send the knowledge tuple in each graph database to other graph databases through message broadcasting.
After each knowledge tuple has been stored in its corresponding graph database, the data sharing mechanism of the blockchain network is used to send the knowledge tuples in each graph database to the other graph databases by message broadcast, so that every graph database retains knowledge of one consistent version. Storing the knowledge tuples in shared form over a blockchain network builds a network attack knowledge chain, which lets the intrusion detection system draw on the attack knowledge of the whole network and identify network attacks comprehensively and efficiently.
S204: Associate the knowledge tuples in each graph database that share the same operation entity, to obtain each network knowledge graph.
After the knowledge tuples in each graph database have been broadcast to the other graph databases through the data sharing mechanism of the blockchain network, the knowledge tuples in each graph database that share the same operation entity are associated, yielding each network knowledge graph.
For example, knowledge tuple 1 <"10.21.34.56", "DDoS attack", "10.67.89.46"> and knowledge tuple 2 <"10.67.89.46", "belongs to", "Li San, Human Resources Department"> share the operation entity "10.67.89.46". Associating them gives: the host with IP address 10.21.34.56 attacked the host of Li San of the Human Resources Department.
Each network knowledge graph that involves a network attack carries the upstream and downstream information of every link involved in the attack. Through the network knowledge graph, the user can clearly see the parties involved in the attack, trace the attack to its source and analyse its impact in depth. Figure 4 shows the network knowledge graph formed by one network attack event: network attack 001 occurred on 1 May 2019, the IP address of the attacked host was 10.10.1.1, the host ran an OA (office automation) system, and network attack 001 ended in failure.
As shown in Figure 5, each network knowledge graph in the knowledge chain is applied to the intrusion prevention system of each isolated network segment in the network, as the basis for the identification rules of the intrusion prevention equipment.
S205: During network operation, perform signal detection on the network.
S206: When a network attack signal is detected, obtain each pre-established network knowledge graph.
S207: Use each network knowledge graph to trace the network attack signal to its source, and obtain the network attack source tracing result.
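The association step S204 and the tracing step S207 above, carried through in code as an added worked example (this is not code from the patent, and the patent names no particular graph database or query language). Assumptions of the example: operation data arrives as tab-separated <subject, relation, object> records; a fixed allowlist of relations ("DDoS attack", "port scan", "controls") is what makes an edge an attack edge, since the description does not say how attack relations are recognised; the host 192.0.2.10 and the "controls", "port scan" and "runs" relations are constructed additions to the patent's own tuples. Tracing walks incoming attack edges backwards from the attacked entity with a visited set and a depth bound, so a graph that contains a loop (A attacks B, B attacks A) cannot recurse forever; the patent text does not address that case.

```python
from __future__ import annotations
from collections import defaultdict
from typing import NamedTuple


class KnowledgeTuple(NamedTuple):
    """<operation object, operation means, operated object>: two operation entities and a relation."""
    subject: str
    relation: str
    obj: str


# Constructed sample operation data (not from the patent): tab-separated records.
# The record format, host 192.0.2.10 and the controls/port scan/runs relations are assumptions.
SAMPLE_OPERATION_DATA = """\
10.21.34.56\tDDoS attack\t10.67.89.46
10.67.89.46\tbelongs to\tLi San, Human Resources Department
10.21.34.56\tport scan\t10.10.1.1
10.10.1.1\truns\tOA system
192.0.2.10\tcontrols\t10.21.34.56
"""

# Assumed allowlist: a relation in this set means "subject acts against object".
ATTACK_RELATIONS = frozenset({"DDoS attack", "port scan", "controls"})


def extract_tuples(operation_data: str) -> list:
    """Knowledge extraction: one knowledge tuple per record; malformed records are rejected, not guessed."""
    tuples = []
    for line in operation_data.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed record: {line!r}")
        tuples.append(KnowledgeTuple(*parts))
    return tuples


class KnowledgeGraph:
    """Mesh-structured graph: each operation entity is a node, each tuple a labelled directed edge."""

    def __init__(self) -> None:
        self.out_edges = defaultdict(list)  # subject -> [(relation, obj)]
        self.in_edges = defaultdict(list)   # obj -> [(relation, subject)]

    def add(self, t: KnowledgeTuple) -> None:
        self.out_edges[t.subject].append((t.relation, t.obj))
        self.in_edges[t.obj].append((t.relation, t.subject))


def associate(tuples: list) -> KnowledgeGraph:
    """S204: tuples that name the same operation entity are joined at that entity's node."""
    g = KnowledgeGraph()
    for t in tuples:
        g.add(t)
    return g


def trace_source(g: KnowledgeGraph, victim: str, max_depth: int = 5) -> list:
    """S207: walk incoming attack edges backwards from the attacked entity.

    Returns one chain per root source, ordered root -> ... -> victim. Each element is
    (entity, relation by which it acts on the next element); the victim's relation is None.
    The visited set and depth bound keep a looping graph from recursing forever."""
    chains = []

    def walk(node, chain, depth):
        visited = {entity for entity, _ in chain}
        upstream = [(rel, src) for rel, src in g.in_edges.get(node, [])
                    if rel in ATTACK_RELATIONS and src not in visited]
        if not upstream or depth >= max_depth:
            chains.append(list(reversed(chain)))
            return
        for rel, src in upstream:
            walk(src, chain + [(src, rel)], depth + 1)

    walk(victim, [(victim, None)], 0)
    return chains


def context(g: KnowledgeGraph, entity: str) -> list:
    """Descriptive (non-attack) facts about an entity, e.g. which person or system it belongs to."""
    return [(rel, obj) for rel, obj in g.out_edges.get(entity, []) if rel not in ATTACK_RELATIONS]


def blast_radius(g: KnowledgeGraph, attacker: str) -> set:
    """Impact analysis: every entity reachable from the attacker along attack edges."""
    seen, frontier = set(), [attacker]
    while frontier:
        node = frontier.pop()
        for rel, obj in g.out_edges.get(node, []):
            if rel in ATTACK_RELATIONS and obj not in seen:
                seen.add(obj)
                frontier.append(obj)
    return seen


def describe(g: KnowledgeGraph, chain: list) -> str:
    """Render a chain the way the patent's example reads: 'A <rel> B; B <rel> C (belongs to ...)'."""
    steps = [f"{entity} {rel} {nxt}" for (entity, rel), (nxt, _) in zip(chain, chain[1:])]
    ctx = "; ".join(f"{rel} {obj}" for rel, obj in context(g, chain[-1][0]))
    return "; ".join(steps) + (f" ({ctx})" if ctx else "")


if __name__ == "__main__":
    graph = associate(extract_tuples(SAMPLE_OPERATION_DATA))
    for chain in trace_source(graph, "10.67.89.46"):
        print(describe(graph, chain))
```

Because the patent's "association" is simply a join on a shared entity, the graph needs no separate association pass: inserting a tuple whose subject or object already exists as a node is the association. Tracing is then a reverse walk over attack edges; in the sample it reaches past the directly attacking host to the host that controls it.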
In a specific embodiment of the present invention, the method may further include the following steps:
Step 1: when the number of knowledge tuples in each graph database is detected to exceed a preset value, determine the knowledge tuples to be deleted;
Step 2: delete the knowledge tuples to be deleted.
The knowledge-graph-based network attack source tracing method provided by the embodiment of the present invention may thus further include, when the number of knowledge tuples in each graph database is detected to exceed a preset value, determining the knowledge tuples to be deleted and deleting them. Cleaning up the knowledge tuples in the graph database saves storage space and improves the performance of the network system.
In a specific embodiment of the present invention, determining the knowledge tuples to be deleted may include the following steps:
Step 1: sort the knowledge tuples in each graph database from cold to hot;
Step 2: determine the knowledge tuples to be deleted in cold-first order.
The knowledge tuples in each graph database may be sorted from cold to hot by access frequency, and the tuples to be deleted are chosen in cold-first order. This ensures that frequently accessed knowledge tuples are not deleted, so the reliability of the data is maintained.
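The two-step clean-up above (rank cold to hot, delete cold-first until the count is back under the preset value), as an added worked example that is not code from the patent. Assumptions: "temperature" is the number of lookups that touched a tuple, with the least recently read tuple colder on ties, and time is a logical clock so the ordering is deterministic; the sample tuples and reads are constructed. The example also shows the check a practitioner would want: in the sample, the coldest tuple is the "controls" edge that roots the attack chain, because nobody queries the attacker's upstream until an incident, so cold-first deletion discards exactly the link that source tracing needs. The `keep` predicate is an addition of this example, not part of the patent, showing one way to exempt such tuples.

```python
from __future__ import annotations
import itertools
from dataclasses import dataclass
from typing import Callable


@dataclass
class StoredTuple:
    subject: str
    relation: str
    obj: str
    access_count: int = 0   # how many lookups touched this tuple ("heat")
    last_access: int = 0    # logical clock tick of the most recent read or insert

    @property
    def key(self) -> tuple:
        return (self.subject, self.relation, self.obj)


class TupleStore:
    """Stand-in for one graph database's tuple storage with the cold/hot clean-up of the text."""

    def __init__(self, preset_max: int) -> None:
        self.preset_max = preset_max      # the "preset value" that triggers clean-up
        self._items: dict = {}            # key -> StoredTuple, in insertion order
        self._clock = itertools.count(1)  # logical clock: no wall-time flakiness in the ordering

    def insert(self, subject: str, relation: str, obj: str) -> None:
        key = (subject, relation, obj)
        if key not in self._items:
            self._items[key] = StoredTuple(subject, relation, obj, last_access=next(self._clock))

    def lookup(self, entity: str) -> list:
        """Every read of an entity heats up the tuples that mention it."""
        tick = next(self._clock)
        hits = [t for t in self._items.values() if entity in (t.subject, t.obj)]
        for t in hits:
            t.access_count += 1
            t.last_access = tick
        return [t.key for t in hits]

    def cold_to_hot(self) -> list:
        """Step 1: coldest first, i.e. fewest reads, then least recently read (stable on full ties)."""
        return sorted(self._items.values(), key=lambda t: (t.access_count, t.last_access))

    def select_for_deletion(self, keep: Callable[[StoredTuple], bool] = lambda t: False) -> list:
        """Step 2: only when over the preset value, take tuples cold-first until the excess is covered.
        `keep` (an addition of this example) exempts tuples from deletion whatever their temperature."""
        excess = len(self._items) - self.preset_max
        if excess <= 0:
            return []
        candidates = [t for t in self.cold_to_hot() if not keep(t)]
        return candidates[:excess]

    def evict(self, keep: Callable[[StoredTuple], bool] = lambda t: False) -> list:
        victims = self.select_for_deletion(keep)
        for t in victims:
            del self._items[t.key]
        return [t.key for t in victims]

    def __len__(self) -> int:
        return len(self._items)

    def __contains__(self, key: tuple) -> bool:
        return key in self._items


def build_sample_store(preset_max: int = 3) -> TupleStore:
    """Constructed sample (not data from the patent): five tuples and a few reads."""
    s = TupleStore(preset_max)
    s.insert("10.21.34.56", "DDoS attack", "10.67.89.46")
    s.insert("10.67.89.46", "belongs to", "Li San, Human Resources Department")
    s.insert("10.21.34.56", "port scan", "10.10.1.1")
    s.insert("10.10.1.1", "runs", "OA system")
    s.insert("192.0.2.10", "controls", "10.21.34.56")  # root of the attack chain, never queried
    s.lookup("10.67.89.46")
    s.lookup("10.67.89.46")
    s.lookup("10.10.1.1")
    s.lookup("OA system")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print("evicted cold-first:", store.evict())
```

With the sample reads, the ranking is controls (0 reads), port scan (1), DDoS attack and belongs to (2 each), runs (2, read latest), so the first two deleted are the "controls" and "port scan" tuples. Protecting tuples whose relation is "controls" shifts the deletion onto the next coldest tuples instead; a deployment would choose that predicate from its own tracing needs.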
Corresponding to the method embodiments above, an embodiment of the present invention further provides a network attack source tracing device. The knowledge-graph-based network attack source tracing device described below and the knowledge-graph-based network attack source tracing method described above may be referred to in correspondence with each other.
Referring to Figure 6, a structural block diagram of a knowledge-graph-based network attack source tracing device in an embodiment of the present invention, the device may include:
a signal detection module 61, configured to perform signal detection on the network during network operation;
a knowledge graph acquisition module 62, configured to obtain each pre-established network knowledge graph when a network attack signal is detected, each network knowledge graph being a mesh-structured graph built from the operation data in the network;
an attack source tracing module 63, configured to use each network knowledge graph to trace the network attack signal to its source and obtain the network attack source tracing result.
With the device provided by the embodiment of the present invention, signal detection is performed on the network during network operation; when a network attack signal is detected, each pre-established network knowledge graph is obtained, each network knowledge graph being a mesh-structured graph built from the operation data in the network; and each network knowledge graph is used to trace the network attack signal to its source, giving the network attack source tracing result. Because the mesh-structured network knowledge graphs are built in advance, they can be used to trace a network attack signal to its source as soon as it is detected. The network knowledge graph expresses the knowledge contained in the operation data and turns abstract relationships into a visual representation. Compared with the existing tabular presentation, the present invention does not need a large number of external link association calculations and captures the key information in the knowledge more intuitively, which greatly reduces the amount of calculation and the time consumed, greatly increases search speed, and achieves comprehensive and efficient identification of network attacks.
In a specific embodiment of the present invention, the device may further include a knowledge graph establishment module, which includes:
a knowledge extraction submodule, configured to perform knowledge extraction on the operation data of the network to obtain each knowledge tuple, where each knowledge tuple includes an operation object, an operation means and an operated object; the operation object and the operated object are operation entities, and the operation means is the operation relation;
a knowledge tuple storage submodule, configured to store each knowledge tuple in its corresponding graph database;
a knowledge tuple sending submodule, configured to send the knowledge tuples in each graph database to the other graph databases by message broadcast;
a knowledge graph obtaining submodule, configured to associate the knowledge tuples in each graph database that share the same operation entity, to obtain each network knowledge graph.
In a specific embodiment of the present invention, the knowledge tuple sending submodule is specifically a module that uses the data sharing mechanism of the blockchain network to send the knowledge tuples in each graph database to the other graph databases by message broadcast.
In a specific embodiment of the present invention, the knowledge graph establishment module may further include:
a to-be-deleted knowledge tuple determination submodule, configured to determine the knowledge tuples to be deleted when the number of knowledge tuples in each of the graph databases is detected to exceed a preset value;
a knowledge tuple deletion submodule, configured to delete the knowledge tuples to be deleted.
In a specific embodiment of the present invention, the to-be-deleted knowledge tuple determination submodule includes:
a knowledge tuple cold/hot sorting unit, configured to sort the knowledge tuples in each of the graph databases from cold to hot;
a to-be-deleted knowledge tuple determination unit, configured to determine the knowledge tuples to be deleted in cold-first order.
Corresponding to the method embodiments above, see Figure 7, a schematic diagram of the knowledge-graph-based network attack source tracing equipment provided by the present invention; the equipment may include:
a memory 71, configured to store a computer program;
a processor 72, configured to implement the following steps when executing the computer program stored in the memory 71:
during network operation, perform signal detection on the network; when a network attack signal is detected, obtain each pre-established network knowledge graph, each network knowledge graph being a mesh-structured graph built from the operation data in the network; use each network knowledge graph to trace the network attack signal to its source and obtain the network attack source tracing result. Because the mesh-structured network knowledge graphs are built in advance, they can be used to trace a network attack signal to its source as soon as it is detected.
For a description of the equipment provided by the present invention, refer to the method embodiments above; it is not repeated here.
Corresponding to the method embodiments above, the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the following steps are implemented:
during network operation, perform signal detection on the network; when a network attack signal is detected, obtain each pre-established network knowledge graph, each network knowledge graph being a mesh-structured graph built from the operation data in the network; use each network knowledge graph to trace the network attack signal to its source and obtain the network attack source tracing result. Because the mesh-structured network knowledge graphs are built in advance, they can be used to trace a network attack signal to its source as soon as it is detected.
The computer-readable storage medium may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
For a description of the computer-readable storage medium provided by the present invention, refer to the method embodiments above; it is not repeated here.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments may be referred to one another. Since the device, equipment and computer-readable storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief; for the relevant parts, refer to the description of the method.
Specific examples have been used herein to explain the principles and implementations of the present invention; the description of the above embodiments is only intended to help understand the technical solution of the present invention and its core idea. It should be noted that those of ordinary skill in the art may make several improvements and modifications to the present invention without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010377539.4A CN111581397A (en) | 2020-05-07 | 2020-05-07 | A network attack source tracing method, device and device based on knowledge graph |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010377539.4A CN111581397A (en) | 2020-05-07 | 2020-05-07 | A network attack source tracing method, device and device based on knowledge graph |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111581397A true CN111581397A (en) | 2020-08-25 |
Family
ID=72124703
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010377539.4A Pending CN111581397A (en) | 2020-05-07 | 2020-05-07 | A network attack source tracing method, device and device based on knowledge graph |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111581397A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111988331A (en) * | 2020-08-28 | 2020-11-24 | 清华大学 | Blockchain-based DDoS attack tracking method and system |
CN112187716A (en) * | 2020-08-26 | 2021-01-05 | 中国科学院信息工程研究所 | A Knowledge Graph Display Method for Malicious Codes in Network Attacks |
CN112364173A (en) * | 2020-10-21 | 2021-02-12 | 中国电子科技网络信息安全有限公司 | IP address mechanism tracing method based on knowledge graph |
CN112788064A (en) * | 2021-02-10 | 2021-05-11 | 中国电子科技集团公司第十五研究所 | Encryption network abnormal flow detection method based on knowledge graph |
CN112910851A (en) * | 2021-01-16 | 2021-06-04 | 中国电子科技集团公司第十五研究所 | Data packet marking and tracing device based on knowledge graph |
CN113364766A (en) * | 2021-06-03 | 2021-09-07 | 中国工商银行股份有限公司 | APT attack detection method and device |
CN113612763A (en) * | 2021-07-30 | 2021-11-05 | 北京交通大学 | Network attack detection device and method based on network security malicious behavior knowledge base |
CN114363036A (en) * | 2021-12-30 | 2022-04-15 | 绿盟科技集团股份有限公司 | Network attack path acquisition method and device and electronic equipment |
CN114756837A (en) * | 2022-06-16 | 2022-07-15 | 湖北长江传媒数字出版有限公司 | Block chain-based digital content tracing method and system |
CN115412372A (en) * | 2022-11-01 | 2022-11-29 | 中孚安全技术有限公司 | Network attack tracing method, system and equipment based on knowledge graph |
CN114422224B (en) * | 2021-08-16 | 2023-08-29 | 中国人民解放军战略支援部队信息工程大学 | Threat intelligence intelligent analysis method and system for attack traceability |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106897273A (en) * | 2017-04-12 | 2017-06-27 | 福州大学 | A kind of network security dynamic early-warning method of knowledge based collection of illustrative plates |
CN108196880A (en) * | 2017-12-11 | 2018-06-22 | 北京大学 | Software project knowledge mapping method for automatically constructing and system |
CN108933793A (en) * | 2018-07-24 | 2018-12-04 | 中国人民解放军战略支援部队信息工程大学 | The attack drawing generating method and its device of knowledge based map |
CN108959433A (en) * | 2018-06-11 | 2018-12-07 | 北京大学 | A kind of method and system extracting knowledge mapping and question and answer from software project data |
CN109005069A (en) * | 2018-08-29 | 2018-12-14 | 中国人民解放军国防科技大学 | Association analysis method of network security knowledge graph based on space-ground integrated network |
CN109857917A (en) * | 2018-12-21 | 2019-06-07 | 中国科学院信息工程研究所 | Towards the security knowledge map construction method and system for threatening information |
CN109885691A (en) * | 2019-01-08 | 2019-06-14 | 平安科技(深圳)有限公司 | Knowledge mapping complementing method, device, computer equipment and storage medium |
CN109922075A (en) * | 2019-03-22 | 2019-06-21 | 中国南方电网有限责任公司 | Network security knowledge map construction method and apparatus, computer equipment |
Events
2020-05-07: CN application CN202010377539.4A filed (patent/CN111581397A/en), status Pending
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112187716A (en) * | 2020-08-26 | 2021-01-05 | 中国科学院信息工程研究所 | A Knowledge Graph Display Method for Malicious Codes in Network Attacks |
CN111988331A (en) * | 2020-08-28 | 2020-11-24 | 清华大学 | Blockchain-based DDoS attack tracking method and system |
CN112364173A (en) * | 2020-10-21 | 2021-02-12 | 中国电子科技网络信息安全有限公司 | IP address mechanism tracing method based on knowledge graph |
CN112364173B (en) * | 2020-10-21 | 2022-03-18 | 中国电子科技网络信息安全有限公司 | IP address mechanism tracing method based on knowledge graph |
CN112910851A (en) * | 2021-01-16 | 2021-06-04 | 中国电子科技集团公司第十五研究所 | Data packet marking and tracing device based on knowledge graph |
CN112910851B (en) * | 2021-01-16 | 2021-10-15 | 中国电子科技集团公司第十五研究所 | Data packet marking traceability device based on knowledge graph |
CN112788064A (en) * | 2021-02-10 | 2021-05-11 | 中国电子科技集团公司第十五研究所 | Encryption network abnormal flow detection method based on knowledge graph |
CN113364766A (en) * | 2021-06-03 | 2021-09-07 | 中国工商银行股份有限公司 | APT attack detection method and device |
CN113364766B (en) * | 2021-06-03 | 2022-09-27 | 中国工商银行股份有限公司 | APT attack detection method and device |
CN113612763A (en) * | 2021-07-30 | 2021-11-05 | 北京交通大学 | Network attack detection device and method based on network security malicious behavior knowledge base |
CN113612763B (en) * | 2021-07-30 | 2022-06-03 | 北京交通大学 | Network attack detection device and method based on network security malicious behavior knowledge base |
CN114422224B (en) * | 2021-08-16 | 2023-08-29 | 中国人民解放军战略支援部队信息工程大学 | Threat intelligence intelligent analysis method and system for attack traceability |
CN114363036B (en) * | 2021-12-30 | 2023-05-16 | 绿盟科技集团股份有限公司 | Network attack path acquisition method and device and electronic equipment |
CN114363036A (en) * | 2021-12-30 | 2022-04-15 | 绿盟科技集团股份有限公司 | Network attack path acquisition method and device and electronic equipment |
CN114756837A (en) * | 2022-06-16 | 2022-07-15 | 湖北长江传媒数字出版有限公司 | Block chain-based digital content tracing method and system |
CN114756837B (en) * | 2022-06-16 | 2022-08-30 | 湖北长江传媒数字出版有限公司 | Block chain-based digital content tracing method and system |
CN115412372B (en) * | 2022-11-01 | 2023-03-24 | 中孚安全技术有限公司 | Network attack tracing method, system and equipment based on knowledge graph |
CN115412372A (en) * | 2022-11-01 | 2022-11-29 | 中孚安全技术有限公司 | Network attack tracing method, system and equipment based on knowledge graph |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111581397A (en) | A network attack source tracing method, device and device based on knowledge graph | |
CN108763031B (en) | A log-based threat intelligence detection method and device | |
US11030311B1 (en) | Detecting and protecting against computing breaches based on lateral movement of a computer file within an enterprise | |
CN111935170B (en) | Network abnormal flow detection method, device and equipment | |
CN104601556B (en) | A kind of attack detection method and system towards WEB | |
CN112100545A (en) | Visualization method, apparatus, device and readable storage medium of network assets | |
CN110210213B (en) | Method and device for filtering malicious sample, storage medium and electronic device | |
CN109271793B (en) | Device category identification method and system for IoT cloud platform | |
US10129280B2 (en) | Modular event pipeline | |
CN110188538B (en) | Method and device for detecting data using sandbox cluster | |
CN111049786A (en) | A network attack detection method, device, equipment and storage medium | |
CN107302534A (en) | A kind of DDoS network attack detecting methods and device based on big data platform | |
CN110737891A (en) | A host intrusion detection method and device | |
JP2015222471A (en) | Malicious communication pattern detecting device, malicious communication pattern detecting method, and malicious communication pattern detecting program | |
CN110149318B (en) | Mail metadata processing method and device, storage medium and electronic device | |
CN109756467A (en) | Method and device for identifying a phishing website | |
CN112910895A (en) | Network attack behavior detection method and device, computer equipment and system | |
CN103455597A (en) | Distributed information hiding detection method facing mass web images | |
WO2016107306A1 (en) | Message subscription method, processing node device and message bus | |
CN115766258B (en) | Multi-stage attack trend prediction method, equipment and storage medium based on causal relationship graph | |
CN107832611B (en) | A bot detection and classification method combining dynamic and static features | |
CN110830500B (en) | Network attack tracking method and device, electronic equipment and readable storage medium | |
CN110008701B (en) | Static detection rule extraction method and detection method based on ELF file features | |
CN117560228B (en) | Real-time attack detection method and system for streaming source graph based on label and graph alignment | |
CN110188537B (en) | Data separation storage method and device, storage medium, and electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20200825 |