CN111581397A - Network attack tracing method, device and equipment based on knowledge graph - Google Patents
- Publication number: CN111581397A (application CN202010377539.4A)
- Authority: CN (China)
- Prior art keywords: knowledge, network, graph, network attack, attack
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/36—Creation of semantic tools, e.g. ontology or thesauri
- G06F16/367—Ontology
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a network attack tracing method based on a knowledge graph, comprising the following steps: during network operation, performing signal detection on the network; when a network attack signal is detected, acquiring each pre-established network knowledge graph, each network knowledge graph being a graph with a mesh structure constructed from operation data in the network; and tracing the network attack signal with each network knowledge graph to obtain a network attack tracing result. Applying the technical scheme of the embodiments of the invention greatly reduces the amount of calculation and the time consumed, greatly improves search speed, and achieves comprehensive and efficient identification of network attacks. The invention also discloses a corresponding network attack tracing device, equipment and storage medium, which have the same technical effects.
Description
Technical Field
The invention relates to the technical field of network security, and in particular to a network attack tracing method, a network attack tracing device, network attack tracing equipment and a computer readable storage medium, all based on a knowledge graph.
Background
In recent years network attack events have become frequent; Trojans, worms and ransomware on the Internet emerge one after another and pose a serious threat to network security. When a network attack event occurs, the attack needs to be traced to its source so that a solution can be found as soon as possible and network security restored.
Existing network attack tracing methods mainly rely on a network attack knowledge base built on a relational database, and searches with complex conditions are slow. For example, to find all computers that have established insecure connections with computer A, and then all computers that have established insecure connections with those computers, the relational database must perform Cartesian-product correlation queries through outer joins across several tables, which involves a huge amount of calculation, takes a long time and yields a slow search.
In summary, how to effectively solve the problems of large calculation amount, long time consumption and low search speed in existing network attack tracing methods is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The object of the invention is to provide a network attack tracing method based on a knowledge graph, which greatly reduces the amount of calculation and the time consumed, greatly improves search speed, and achieves comprehensive and efficient identification of network attacks; a further object of the invention is to provide a network attack tracing apparatus, network attack tracing equipment and a computer readable storage medium.
To solve the above technical problems, the invention provides the following technical scheme:
A network attack tracing method based on a knowledge graph comprises the following steps:
during network operation, performing signal detection on the network;
when a network attack signal is detected, acquiring each pre-established network knowledge graph, each network knowledge graph being a graph with a mesh structure constructed from operation data in the network; and
tracing the network attack signal with each network knowledge graph to obtain a network attack tracing result.
In a specific embodiment of the invention, establishing each network knowledge graph comprises:
extracting knowledge from the operation data to obtain knowledge tuples, where each knowledge tuple comprises an operating object, an operation means and an operated object; the operating object and the operated object are operation entities, and the operation means is an operation relationship;
storing each knowledge tuple in its corresponding graph database;
sending the knowledge tuples in each graph database to the other graph databases by message broadcast; and
associating the knowledge tuples that share the same operation entity across the graph databases to obtain each network knowledge graph.
In one embodiment of the invention, sending the knowledge tuples in each graph database to the other graph databases by message broadcast comprises:
transmitting the knowledge tuples in each graph database to the other graph databases by message broadcast using the data sharing mechanism of a blockchain network.
In one embodiment of the invention, the method further comprises:
when the number of knowledge tuples in a graph database is detected to exceed a preset value, determining the knowledge tuples to be deleted; and
deleting the knowledge tuples to be deleted.
In a specific embodiment of the invention, determining the knowledge tuples to be deleted comprises:
ordering the knowledge tuples in each graph database from cold to hot; and
determining the knowledge tuples to be deleted in that order, coldest first.
A network attack tracing device based on a knowledge graph comprises:
a signal detection module for performing signal detection on the network during network operation;
a knowledge graph acquisition module for acquiring each pre-established network knowledge graph when a network attack signal is detected, each network knowledge graph being a graph with a mesh structure constructed from operation data in the network; and
an attack tracing module for tracing the network attack signal with each network knowledge graph to obtain a network attack tracing result.
In a specific embodiment of the invention, the device further includes a knowledge graph establishing module, which comprises:
a knowledge extraction submodule for extracting knowledge from the network's operation data to obtain knowledge tuples, where each knowledge tuple comprises an operating object, an operation means and an operated object; the operating object and the operated object are operation entities, and the operation means is an operation relationship;
a knowledge tuple storage submodule for storing each knowledge tuple in its corresponding graph database;
a knowledge tuple sending submodule for sending the knowledge tuples in each graph database to the other graph databases by message broadcast; and
a knowledge graph obtaining submodule for associating the knowledge tuples that share the same operation entity across the graph databases to obtain each network knowledge graph.
In a specific embodiment of the invention, the knowledge tuple sending submodule is specifically a module that sends the knowledge tuples in each graph database to the other graph databases by message broadcast using the data sharing mechanism of a blockchain network.
Network attack tracing equipment based on a knowledge graph comprises:
a memory for storing a computer program; and
a processor for implementing the steps of the above knowledge-graph-based network attack tracing method when executing the computer program.
A computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the knowledge-graph-based network attack tracing method described above.
By applying the method provided by the embodiment of the invention, signal detection is performed on the network during network operation; when a network attack signal is detected, each pre-established network knowledge graph is acquired, each network knowledge graph being a graph with a mesh structure constructed from operation data in the network; and the network attack signal is traced with each network knowledge graph to obtain a network attack tracing result. Because the mesh-structured network knowledge graphs are established in advance, the attack signal is traced with them as soon as it is detected. The network knowledge graph expresses the knowledge contained in the operation data, turns abstract relationships into a visual representation, and presents them more clearly than the table form of the prior art.
Correspondingly, the embodiment of the invention also provides a network attack tracing device, equipment and a computer readable storage medium corresponding to the knowledge-graph-based network attack tracing method; they have the same technical effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an implementation of a network attack tracing method based on a knowledge graph according to an embodiment of the present invention;
FIG. 2 is a flowchart of another implementation of a network attack tracing method based on a knowledge graph according to an embodiment of the present invention;
FIG. 3 is a block diagram of a knowledge chain according to an embodiment of the present invention;
FIG. 4 is a network knowledge graph corresponding to a network attack event in an embodiment of the present invention;
FIG. 5 is an overall architecture diagram of a knowledge chain in an embodiment of the invention;
FIG. 6 is a block diagram illustrating a network attack tracing apparatus based on a knowledge graph according to an embodiment of the present invention;
FIG. 7 is a block diagram of network attack tracing equipment based on a knowledge graph in an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
Referring to FIG. 1, FIG. 1 is a flowchart of an implementation of a network attack tracing method based on a knowledge graph according to an embodiment of the present invention; the method may include the following steps:
S101: during network operation, perform signal detection on the network.
Signal detection is performed on the network while it is operating. For example, the traffic range of the network in its normal operating state can be stored in advance, and during operation it can be detected whether the network's traffic stays within the pre-stored range.
S102: when a network attack signal is detected, acquire each pre-established network knowledge graph; each network knowledge graph is a graph with a mesh structure constructed from operation data in the network.
As the various operations are carried out on the network, network knowledge graphs with a mesh structure are constructed from the operation data, so that related operation data are correlated with each other. When signal detection finds that a network attack signal is present, each pre-established network knowledge graph is obtained.
S103: trace the network attack signal with each network knowledge graph to obtain a network attack tracing result.
Each network knowledge graph holds the upstream and downstream information of every link involved in an attack and clearly shows the relationships among all parties concerned in the attack, so it can be applied to the intrusion prevention system of each isolated network segment in the network and serve as rule support for the identification performed by the intrusion prevention equipment. Once the network knowledge graphs have been obtained, the network attack signal is traced with them to obtain the network attack tracing result. The network knowledge graph expresses the knowledge contained in the operation data, turns abstract relationships into a visual representation, and presents them more clearly than the table form of the prior art.
By applying the method provided by the embodiment of the invention, signal detection is performed on the network during network operation; when a network attack signal is detected, each pre-established network knowledge graph is acquired, each network knowledge graph being a graph with a mesh structure constructed from operation data in the network; and the network attack signal is traced with each network knowledge graph to obtain a network attack tracing result. Because the mesh-structured network knowledge graphs are established in advance, the attack signal is traced with them as soon as it is detected. The network knowledge graph expresses the knowledge contained in the operation data, turns abstract relationships into a visual representation, and presents them more clearly than the table form of the prior art.
It should be noted that, based on the first embodiment, the embodiment of the present invention further provides a corresponding improvement scheme. In the following embodiments, steps that are the same as or correspond to those in the first embodiment may be referred to each other, and corresponding advantageous effects may also be referred to each other, which are not described in detail in the following modified embodiments.
The second embodiment is as follows:
Referring to FIG. 2, FIG. 2 is a flowchart of another implementation of a network attack tracing method based on a knowledge graph in an embodiment of the present invention; the method may include the following steps:
S201: extract knowledge from the operation data in the network to obtain knowledge tuples; each knowledge tuple comprises an operating object, an operation means and an operated object, where the operating object and the operated object are operation entities and the operation means is an operation relationship.
When operation data is generated in the network, knowledge is extracted from it to obtain the knowledge tuples. Each knowledge tuple comprises an operating object, an operation means and an operated object; the operating object and the operated object are marked as operation entities, and the operation means is marked as the operation relationship.
For example, the sources from which network attack knowledge is extracted include the attack identification information of a network intrusion detection system, switch logs, router logs, firewall logs, terminal device logs, application logs, the enterprise network asset table and so on. The structure of network attack knowledge can be viewed simply as a multi-relational graph composed of nodes and edges: "operation entities" are the nodes and "operation relationships" are the edges, and an edge indicates that some operation relationship exists between the two entities it joins. Mapped to an actual network attack, an "operation entity" corresponds to an object involved in the attack, which may be an IP address, a device, an application or a specific data object, and an "operation relationship" corresponds to an operation means, i.e. an action, which may be an attack behaviour, a dependency, an operating behaviour or the like. For example, the "attacking IP address" and the "attacked host" can be represented as operation entities and the "attack means" as the operation relationship, so that the node-edge relationship is expressed by the triple <"IP address", "attack means", "attacked host">. Knowledge extraction based on this triple structure is performed on the information about all operating and operated objects, and the attack information is processed into knowledge expressed in triple format. The extracted knowledge is presented as knowledge tuples of the form <"operation entity", "operation relationship", "operation entity">.
S202: store each knowledge tuple in its corresponding graph database.
After the knowledge tuples have been obtained by extracting knowledge from the operation data in the network, each knowledge tuple is stored in its corresponding graph database.
As shown in FIG. 3, a corresponding knowledge module is established for each operation on the network; each knowledge module consists of a graph database and a message processing plug-in, and the knowledge modules communicate with each other to form a knowledge chain. The message processing plug-in is mainly responsible for receiving and handling the data messages (knowledge) and control instructions in the knowledge chain network, encrypting and decrypting the data messages, and adding, deleting, querying and modifying entries in the graph database. A graph database is a type of non-relational database. Its focus is the graph formed by "association relationships", and its purpose is to store and analyse the associations between operation entities in the network: operation entities are abstracted into vertices, and the operation relationships between them are abstracted into edges. The graph structure formed by vertices and edges expresses the associations between things intuitively and naturally, and at the same time solves the performance problem of deep retrieval over complex association relationships. Because the knowledge structure itself is a relational-graph data structure, a graph database is used to store the knowledge. The knowledge module can support the mainstream graph databases currently on the market, including ArangoDB, Neo4j, OrientDB and AllegroGraph.
S203: transmit the knowledge tuples in each graph database to the other graph databases by message broadcast, using the data sharing mechanism of the blockchain network.
After the knowledge tuples have been stored in their corresponding graph databases, the tuples in each graph database are sent to the other graph databases by message broadcast using the data sharing mechanism of a blockchain network, so that every graph database keeps a version-consistent copy of the knowledge. Storing the knowledge tuples in this shared way over the blockchain network creates a network attack knowledge chain, so that the intrusion detection system can make full use of the attack knowledge of the whole network and identify network attacks comprehensively and efficiently.
S204: associate the knowledge tuples that share the same operation entity across the graph databases to obtain each network knowledge graph.
After the knowledge tuples in each graph database have been sent to the other graph databases by message broadcast using the data sharing mechanism of the blockchain network, the knowledge tuples that share the same operation entity are associated to obtain each network knowledge graph.
For example, from knowledge tuple 1 <"10.21.34.56", "DDoS attack", "10.67.89.46"> and knowledge tuple 2 <"10.67.89.46", "belongs to", "Li San, human resources department">, the association is: the host with IP address 10.21.34.56 attacked the host of Li San in the human resources department.
Each network knowledge graph involved in the attack holds the upstream and downstream information of the various links in the attack. Through the network knowledge graph a user can clearly see all parties concerned in the attack, trace the attack to its source and analyse its impact in depth. FIG. 4 depicts a network knowledge graph formed from a network attack event: network attack 001 occurred on 1 May 2019, the IP address of the host is 10.10.1.1, the OA system is deployed on that host, and network attack 001 ended in failure.
As shown in FIG. 5, each network knowledge graph in the knowledge chain is applied to the intrusion prevention system of the respective isolated network segment of the network and supports the identification rules of the intrusion prevention equipment.
S205: during network operation, perform signal detection on the network.
S206: when a network attack signal is detected, acquire each pre-established network knowledge graph.
S207: trace the network attack signal with each network knowledge graph to obtain a network attack tracing result.
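The knowledge chain pipeline of S201 to S207, as an added example that is not part of the patent: constructed IDS, firewall and asset-table lines are extracted into <entity, relation, entity> tuples, the blockchain broadcast of S203 is reduced to a plain set merge (no ledger or consensus is modelled), tuples sharing an entity are associated into one graph, and tracing walks the graph upstream from the entity that raised the signal; the same walk also answers the two-hop connection query from the Background section. All addresses, names and log formats are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample operation data (not from the patent): an IDS alert feed,
# a firewall log and two rows of an enterprise asset table. Addresses and
# names are illustrative placeholders.
SAMPLE_DATA = {
    "ids": [
        "2019-05-01T10:00:00 alert src=10.21.34.56 dst=10.67.89.46 sig=DDoS",
        "2019-05-01T10:05:00 alert src=10.21.34.56 dst=10.10.1.1 sig=PortScan",
    ],
    "firewall": ["2019-05-01T10:02:00 ALLOW 10.67.89.46 -> 10.10.1.1 tcp/3306"],
    "assets": ["10.67.89.46,human-resources,Li San", "10.10.1.1,oa-system,OA admin"],
}
IDS_RE = re.compile(r"src=(\S+) dst=(\S+) sig=(\S+)")
FW_RE = re.compile(r"ALLOW (\S+) -> (\S+) (\S+)")


def extract_tuples(source, lines):
    """S201: turn one source's raw lines into <entity, relation, entity> tuples."""
    tuples = []
    for line in lines:
        if source == "ids":
            m = IDS_RE.search(line)
            if m:
                tuples.append((m.group(1), m.group(3) + " attack", m.group(2)))
        elif source == "firewall":
            m = FW_RE.search(line)
            if m:
                tuples.append((m.group(1), "connects " + m.group(3), m.group(2)))
        elif source == "assets":
            ip, system, owner = line.strip().split(",")
            tuples.append((ip, "hosts", system))
            tuples.append((system, "belongs to", owner))
    return tuples


class GraphDatabase:
    """S202: one knowledge module's store. The blockchain broadcast of S203 is
    stood in for by receive(); no ledger or consensus is modelled here."""

    def __init__(self, name):
        self.name = name
        self.tuples = set()

    def receive(self, tuples):
        self.tuples.update(tuples)


def broadcast(modules):
    """S203 (simplified): afterwards every module holds the same tuple set."""
    everything = set().union(*(m.tuples for m in modules))
    for m in modules:
        m.receive(everything)


def build_knowledge_graph(tuples):
    """S204: associate tuples sharing an operation entity. Each entity maps to
    (relation, neighbour, direction) edges: 'out' = it acted, 'in' = acted upon."""
    graph = defaultdict(list)
    for subj, rel, obj in tuples:
        graph[subj].append((rel, obj, "out"))
        graph[obj].append((rel, subj, "in"))
    return graph


def trace(graph, start, direction, max_hops=3):
    """S207: breadth-first walk from the entity that raised the attack signal.
    'in' follows edges upstream toward the attacker, 'out' downstream toward
    affected assets. Returns {entity: [(relation, entity), ...] path from start}."""
    paths = {start: []}
    queue = deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for rel, other, d in graph.get(node, []):
            if d == direction and other not in paths:
                paths[other] = paths[node] + [(rel, other)]
                queue.append((other, hops + 1))
    return paths


def format_path(start, path, direction):
    """Render a traced path as an edge chain, e.g. A <-[DDoS attack]- B."""
    arrow = " -[{}]-> " if direction == "out" else " <-[{}]- "
    return start + "".join(arrow.format(rel) + ent for rel, ent in path)


def build_demo_graph():
    """Run S201 to S204 over SAMPLE_DATA and return the associated graph."""
    modules = []
    for source, lines in SAMPLE_DATA.items():
        db = GraphDatabase(source)
        db.receive(extract_tuples(source, lines))
        modules.append(db)
    broadcast(modules)
    return build_knowledge_graph(modules[0].tuples)


if __name__ == "__main__":
    g = build_demo_graph()
    # Attack signal raised on Li San's workstation: walk upstream to the source.
    for entity, path in trace(g, "Li San", "in").items():
        print(format_path("Li San", path, "in"))
    # The two-hop query from the Background section, downstream from the attacker.
    print(sorted(trace(g, "10.21.34.56", "out", max_hops=2)))
```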
In one embodiment of the invention, the method may further comprise the following steps:
step one: when the number of knowledge tuples in a graph database is detected to exceed a preset value, determine the knowledge tuples to be deleted;
step two: delete the knowledge tuples to be deleted.
The knowledge-graph-based network attack tracing method provided by the embodiment of the invention may further comprise, when the number of knowledge tuples in a graph database is detected to exceed a preset value, determining the knowledge tuples to be deleted and deleting them. Cleaning up the knowledge tuples in the graph database saves storage space and improves the performance of the network system.
In a specific embodiment of the invention, determining the knowledge tuples to be deleted may comprise the following steps:
step one: order the knowledge tuples in each graph database from cold to hot;
step two: determine the knowledge tuples to be deleted in that order, coldest first.
The knowledge tuples in each graph database can be ordered from cold to hot, and the tuples to be deleted are selected coldest first. In this way knowledge tuples with a high access frequency are not deleted, and the reliability of the data is ensured.
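The cold-to-hot ordering and deletion described in the two steps above, as an added example that is not code from the patent: an in-memory stand-in for one graph database counts accesses per tuple, orders tuples by access count (ties broken by least recent use) once the preset value is exceeded, and deletes the coldest first, so tuples that queries keep touching survive. The store, the tick counter and the sample tuples are assumptions.

```python
import itertools
from dataclasses import dataclass, field

_clock = itertools.count(1)  # monotonic tick standing in for the wall clock


@dataclass
class Entry:
    """One stored knowledge tuple plus the access statistics used for ordering."""
    tuple_: tuple
    hits: int = 0
    last_access: int = field(default_factory=lambda: next(_clock))


class KnowledgeStore:
    """In-memory stand-in for one graph database with a preset tuple limit."""

    def __init__(self, preset_value):
        self.preset_value = preset_value  # maximum number of tuples kept
        self.entries = {}

    def add(self, knowledge_tuple):
        """Store a tuple; returns whatever had to be deleted to stay under the limit."""
        if knowledge_tuple not in self.entries:
            self.entries[knowledge_tuple] = Entry(knowledge_tuple)
        return self._delete_cold_tuples()

    def lookup(self, entity):
        """Return tuples mentioning entity; each hit makes the tuple 'hotter'."""
        found = []
        for t, e in self.entries.items():
            if entity in (t[0], t[2]):
                e.hits += 1
                e.last_access = next(_clock)
                found.append(t)
        return found

    def cold_to_hot(self):
        """Cold-hot ordering: fewest accesses first, ties broken by least recent use."""
        ordered = sorted(self.entries.values(), key=lambda e: (e.hits, e.last_access))
        return [e.tuple_ for e in ordered]

    def _delete_cold_tuples(self):
        """Once the preset value is exceeded, delete tuples coldest first."""
        deleted = []
        while len(self.entries) > self.preset_value:
            coldest = self.cold_to_hot()[0]
            del self.entries[coldest]
            deleted.append(coldest)
        return deleted


def demo():
    """Constructed scenario: a three-tuple limit, two tuples warmed by one query."""
    t1 = ("10.21.34.56", "DDoS attack", "10.67.89.46")
    t2 = ("10.67.89.46", "belongs to", "Li San")
    t3 = ("10.10.1.1", "hosts", "oa-system")
    t4 = ("10.10.1.1", "connects tcp/3306", "10.1.2.3")
    store = KnowledgeStore(preset_value=3)
    for t in (t1, t2, t3):
        store.add(t)
    store.lookup("10.67.89.46")  # warms t1 and t2
    store.add(t4)                # fourth tuple: the coldest one (t3) is deleted
    return store.cold_to_hot()
```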
Corresponding to the above method embodiments, an embodiment of the invention further provides a network attack tracing apparatus; the knowledge-graph-based network attack tracing apparatus described below and the knowledge-graph-based network attack tracing method described above may be referred to each other.
Referring to FIG. 6, FIG. 6 is a block diagram of the structure of a knowledge-graph-based network attack tracing apparatus according to an embodiment of the present invention; the apparatus may include:
a signal detection module 61 for performing signal detection on the network during network operation;
a knowledge graph acquisition module 62 configured to acquire each pre-established network knowledge graph when a network attack signal is detected, each network knowledge graph being a graph with a mesh structure constructed from operation data in the network; and
an attack tracing module 63 configured to trace the network attack signal with each network knowledge graph to obtain a network attack tracing result.
By applying the apparatus provided by the embodiment of the invention, signal detection is performed on the network during network operation; when a network attack signal is detected, each pre-established network knowledge graph is acquired, each network knowledge graph being a graph with a mesh structure constructed from operation data in the network; and the network attack signal is traced with each network knowledge graph to obtain a network attack tracing result. Because the mesh-structured network knowledge graphs are established in advance, the attack signal is traced with them as soon as it is detected. The network knowledge graph expresses the knowledge contained in the operation data, turns abstract relationships into a visual representation, and presents them more clearly than the table form of the prior art.
In a specific embodiment of the invention, the apparatus may further include a knowledge graph establishing module, which comprises:
a knowledge extraction submodule for extracting knowledge from the network's operation data to obtain knowledge tuples, where each knowledge tuple comprises an operating object, an operation means and an operated object; the operating object and the operated object are operation entities, and the operation means is an operation relationship;
a knowledge tuple storage submodule for storing each knowledge tuple in its corresponding graph database;
a knowledge tuple sending submodule for sending the knowledge tuples in each graph database to the other graph databases by message broadcast; and
a knowledge graph obtaining submodule for associating the knowledge tuples that share the same operation entity across the graph databases to obtain each network knowledge graph.
In a specific embodiment of the invention, the knowledge tuple sending submodule is specifically a module that sends the knowledge tuples in each graph database to the other graph databases by message broadcast using the data sharing mechanism of a blockchain network.
In a specific embodiment of the invention, the knowledge graph establishing module may further include:
a to-be-deleted knowledge tuple determining submodule for determining the knowledge tuples to be deleted when the number of knowledge tuples in a graph database is detected to exceed a preset value; and
a knowledge tuple deleting submodule for deleting the knowledge tuples to be deleted.
In a specific embodiment of the invention, the to-be-deleted knowledge tuple determining submodule includes:
a knowledge tuple cold-hot ordering unit for ordering the knowledge tuples in each graph database from cold to hot; and
a to-be-deleted knowledge tuple determining unit for determining the knowledge tuples to be deleted in that order, coldest first.
Corresponding to the above method embodiment, referring to fig. 7, fig. 7 is a schematic diagram of a network attack tracing apparatus based on a knowledge graph according to the present invention, where the apparatus may include:
a memory 71 for storing a computer program;
the processor 72, when executing the computer program stored in the memory 71, may implement the following steps:
performing signal detection on the network during network operation; when a network attack signal is detected, acquiring each pre-established network knowledge graph, each of which is a graph with a mesh graph structure constructed from the operation data of the network; and tracing the network attack signal using each network knowledge graph to obtain a network attack tracing result. Because the network knowledge graphs with the mesh graph structure are established in advance, the network attack signal can be traced through them as soon as it is detected.
For the introduction of the device provided by the present invention, please refer to the above method embodiment, which is not described herein again.
Corresponding to the above method embodiment, the present invention further provides a computer-readable storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing the steps of:
performing signal detection on the network during network operation; when a network attack signal is detected, acquiring each pre-established network knowledge graph, each of which is a graph with a mesh graph structure constructed from the operation data of the network; and tracing the network attack signal using each network knowledge graph to obtain a network attack tracing result. Because the network knowledge graphs with the mesh graph structure are established in advance, the network attack signal can be traced through them as soon as it is detected.
The computer-readable storage medium may be any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
For the introduction of the computer-readable storage medium provided by the present invention, please refer to the above method embodiments, which are not described herein again.
The embodiments are described progressively: each embodiment focuses on its differences from the others, and the parts they share can be read across embodiments. The device, the apparatus and the computer-readable storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, so their description is brief and the relevant points can be found in the description of the method.
The principle and the implementation of the present invention are explained in this application using specific examples, and the above description of the embodiments serves only to help understand the technical solution and the core idea of the present invention. It should be noted that those skilled in the art can make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.
Claims (10)
1. A network attack tracing method based on a knowledge graph is characterized by comprising the following steps:
performing signal detection on the network during network operation;
when a network attack signal is detected, acquiring each pre-established network knowledge graph; each network knowledge graph is a graph with a mesh graph structure constructed from the operation data of the network;
and tracing the network attack signal using each network knowledge graph to obtain a network attack tracing result.
2. The method of claim 1, wherein the process of establishing each network knowledge graph comprises:
extracting knowledge from the operation data to obtain knowledge tuples; wherein each knowledge tuple comprises an operation object, an operation means and an operated object; the operation object and the operated object are operation entities, and the operation means is an operation relationship;
storing each knowledge tuple in its corresponding graph database;
sending the knowledge tuples in each graph database to the other graph databases by message broadcast;
and associating the knowledge tuples that share an operation entity across the graph databases to obtain each network knowledge graph.
3. The method of claim 2, wherein sending the knowledge tuples in each graph database to the other graph databases by message broadcast comprises:
sending the knowledge tuples in each graph database to the other graph databases by message broadcast, using the data sharing mechanism of a blockchain network.
4. The method for tracing network attacks based on the knowledge graph according to claim 2 or 3, further comprising:
when the number of knowledge tuples in a graph database is detected to exceed a preset value, determining the knowledge tuples to be deleted;
and deleting the knowledge tuples to be deleted.
5. The network attack tracing method based on the knowledge graph of claim 4, wherein determining the knowledge tuples to be deleted comprises:
ordering the knowledge tuples in each graph database from cold to hot;
and determining the knowledge tuples to be deleted in cold-before-hot order.
6. A network attack tracing device based on knowledge graph is characterized by comprising:
the signal detection module, for performing signal detection on the network during network operation;
the knowledge graph acquisition module, for acquiring each pre-established network knowledge graph when a network attack signal is detected; each network knowledge graph is a graph with a mesh graph structure constructed from the operation data of the network;
and the attack tracing module, for tracing the network attack signal using each network knowledge graph to obtain a network attack tracing result.
7. The apparatus of claim 6, further comprising a knowledge graph establishing module, wherein the knowledge graph establishing module comprises:
the knowledge extraction submodule, for extracting knowledge from the operation data of the network to obtain the knowledge tuples; wherein each knowledge tuple comprises an operation object, an operation means and an operated object; the operation object and the operated object are operation entities, and the operation means is an operation relationship;
the knowledge tuple storage submodule, for storing each knowledge tuple in its corresponding graph database;
the knowledge tuple sending submodule, for sending the knowledge tuples in each graph database to the other graph databases by message broadcast;
and the knowledge graph obtaining submodule, for associating the knowledge tuples that share an operation entity across the graph databases to obtain each network knowledge graph.
8. The apparatus according to claim 7, wherein the knowledge tuple sending submodule is specifically a module that sends the knowledge tuples in each graph database to the other graph databases by message broadcast, using the data sharing mechanism of a blockchain network.
9. A network attack tracing device based on knowledge graph is characterized by comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method for tracing network attacks based on knowledge-graph according to any one of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the steps of the method for tracing a network attack based on a knowledge graph according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010377539.4A CN111581397A (en) | 2020-05-07 | 2020-05-07 | Network attack tracing method, device and equipment based on knowledge graph |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111581397A true CN111581397A (en) | 2020-08-25 |
Family
ID=72124703
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010377539.4A Pending CN111581397A (en) | 2020-05-07 | 2020-05-07 | Network attack tracing method, device and equipment based on knowledge graph |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111581397A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111988331A (en) * | 2020-08-28 | 2020-11-24 | 清华大学 | DDoS attack tracking method and system based on block chain |
CN112187716A (en) * | 2020-08-26 | 2021-01-05 | 中国科学院信息工程研究所 | Knowledge graph display method for malicious codes in network attack |
CN112364173A (en) * | 2020-10-21 | 2021-02-12 | 中国电子科技网络信息安全有限公司 | IP address mechanism tracing method based on knowledge graph |
CN112788064A (en) * | 2021-02-10 | 2021-05-11 | 中国电子科技集团公司第十五研究所 | Encryption network abnormal flow detection method based on knowledge graph |
CN112910851A (en) * | 2021-01-16 | 2021-06-04 | 中国电子科技集团公司第十五研究所 | Data packet marking and tracing device based on knowledge graph |
CN113364766A (en) * | 2021-06-03 | 2021-09-07 | 中国工商银行股份有限公司 | APT attack detection method and device |
CN113612763A (en) * | 2021-07-30 | 2021-11-05 | 北京交通大学 | Network attack detection device and method based on network security malicious behavior knowledge base |
CN114363036A (en) * | 2021-12-30 | 2022-04-15 | 绿盟科技集团股份有限公司 | Network attack path acquisition method and device and electronic equipment |
CN114756837A (en) * | 2022-06-16 | 2022-07-15 | 湖北长江传媒数字出版有限公司 | Block chain-based digital content tracing method and system |
CN115412372A (en) * | 2022-11-01 | 2022-11-29 | 中孚安全技术有限公司 | Network attack tracing method, system and equipment based on knowledge graph |
CN114422224B (en) * | 2021-08-16 | 2023-08-29 | 中国人民解放军战略支援部队信息工程大学 | Threat information intelligent analysis method and system for attack tracing |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106897273A (en) * | 2017-04-12 | 2017-06-27 | 福州大学 | A kind of network security dynamic early-warning method of knowledge based collection of illustrative plates |
CN108196880A (en) * | 2017-12-11 | 2018-06-22 | 北京大学 | Software project knowledge mapping method for automatically constructing and system |
CN108933793A (en) * | 2018-07-24 | 2018-12-04 | 中国人民解放军战略支援部队信息工程大学 | The attack drawing generating method and its device of knowledge based map |
CN108959433A (en) * | 2018-06-11 | 2018-12-07 | 北京大学 | A kind of method and system extracting knowledge mapping and question and answer from software project data |
CN109005069A (en) * | 2018-08-29 | 2018-12-14 | 中国人民解放军国防科技大学 | Network security knowledge graph association analysis method based on heaven-earth integrated network |
CN109857917A (en) * | 2018-12-21 | 2019-06-07 | 中国科学院信息工程研究所 | Towards the security knowledge map construction method and system for threatening information |
CN109885691A (en) * | 2019-01-08 | 2019-06-14 | 平安科技(深圳)有限公司 | Knowledge mapping complementing method, device, computer equipment and storage medium |
CN109922075A (en) * | 2019-03-22 | 2019-06-21 | 中国南方电网有限责任公司 | Network security knowledge map construction method and apparatus, computer equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200825 |