CN112632535A - Attack detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN112632535A
Authority: CN (China)
Prior art keywords: graph, sample, target, attack, program
Legal status: Granted
Application number: CN202011507771.1A
Other languages: Chinese (zh)
Other versions: CN112632535B (en)
Inventor: 孟丹, 郑阳, 文雨, 张博洋, 张东雪, 杨纯, 杜莹莹
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Application filed by: Institute of Information Engineering of CAS
Events: priority to CN202011507771.1A; publication of CN112632535A; application granted; publication of CN112632535B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention provides an attack detection method, an attack detection device, electronic equipment and a storage medium. The method comprises: acquiring target instruction tracking information while a target program runs; determining a target entity relationship graph between target instruction execution entities based on the target instruction tracking information; and detecting whether the target program is an attack program based on a graph neural network model and the target entity relationship graph. By acquiring target instruction tracking information while the target program runs, the method overcomes the poor quality of attack detection training samples in the prior art. By determining the entity relationship graph between target instruction execution entities from that information and detecting the target program with the graph neural network model, it performs automatic feature representation learning and topological pattern learning, overcoming the excessive reliance of existing attack detection methods on manual feature extraction and their inability to capture graph topological relationship patterns in non-Euclidean space, so that attacks are detected accurately and reliably.

Description

Attack detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an attack detection method and apparatus, an electronic device, and a storage medium.
Background
Modern computer systems face great risk from a wide variety of attack programs, so it is important to detect attacks as accurately as possible.
Existing attack detection methods are designed to capture only relationship patterns in Euclidean space and cannot adapt to the complex semantic patterns of computer programs. Such a method first converts the behaviors of a series of events into sequences in Euclidean space, forming a temporal relationship among the events, then uses sequence analysis techniques to learn sequence patterns from historical events and predict the next events; if the events that actually occur deviate greatly from the predicted events, they are judged to be suspicious threat behavior. However, computer programming languages are typically carefully designed and can generate not only semantic information in Euclidean space but also complex semantic information in non-Euclidean space. Existing attack detection therefore cannot effectively capture the topological feature patterns of non-Euclidean space, and the detection results of existing methods are not always accurate and reliable.
Disclosure of Invention
The invention provides an attack detection method, an attack detection device, electronic equipment and a storage medium, which address the inaccurate and unreliable attack recognition results of the prior art and detect attacks accurately and reliably.
In a first aspect, the present invention provides an attack detection method, including:
acquiring target instruction tracking information when a target program runs;
determining a target entity relation graph between target instruction execution entities based on the target instruction tracking information;
and detecting the target program as an attack program based on a graph neural network model and the target entity relationship graph.
According to the attack detection method provided by the invention, the method further comprises the following steps:
acquiring sample instruction tracking information when a central processing unit runs;
determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction trace information;
and establishing the graph neural network model based on the sample entity relationship graph.
According to the attack detection method provided by the invention, based on the sample instruction tracking information, a sample entity relation graph between sample instruction execution entities is determined, and the method comprises the following steps:
determining sample entities and relationships between sample entities based on the sample instruction trace information;
and establishing a sample entity relationship graph among the sample instruction execution entities by taking the sample entities as nodes of the sample entity relationship graph and taking the relationship among the sample entities as edges of the sample entity relationship graph.
According to the attack detection method provided by the invention, the establishment of the graph neural network model based on the sample entity relationship graph comprises the following steps:
marking the sample entity relationship graph;
and training the marked sample entity relation graph to obtain a graph neural network model.
According to the attack detection method provided by the invention, the training of the marked sample entity relationship graph to obtain the graph neural network model comprises the following steps:
acquiring a topological relation of entity nodes in the sample entity relation graph based on external connection of a neural network;
based on the connection in the neural network, converting the entity nodes in the sample entity relationship graph into low-dimensional vectors containing topological relations;
and deep learning the topological relation of the entity relation graph based on the low-dimensional vector containing the topological relation to obtain a graph neural network model.
According to the attack detection method provided by the invention, the detection of the target program as the attack program comprises the following steps:
and if the target program is an attack program of a preset type, identifying the type of the attack program based on the graph neural network model.
According to the attack detection method provided by the invention, the method further comprises the following steps:
and if the target program is not the preset type of attack program, identifying the target program as an abnormal attack program based on the graph neural network model and the entity relationship graph.
In a second aspect, the present invention provides an attack detection apparatus, including:
the acquisition module is used for acquiring instruction tracking information when the target program runs;
the determining module is used for determining an entity relation graph between instruction execution entities based on the instruction tracking information;
and the detection module is used for detecting the target program as an attack program based on the graph neural network model and the entity relationship graph.
In a third aspect, the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the attack detection method according to any one of the above aspects.
In a fourth aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the attack detection method as described in any one of the above.
With the attack detection method, device, electronic equipment and storage medium provided by the invention, the target instruction tracking information produced while the target program under test runs is acquired for attack detection, which overcomes the poor quality of attack detection training samples in the prior art. The target entity relationship graph between target instruction execution entities is determined from the target instruction tracking information, and the target program is detected with the graph neural network model. Because the graph neural network learning method performs automatic feature representation learning and topological pattern learning, it overcomes the excessive reliance of existing attack detection methods on manual feature extraction and their inability to capture graph topological relationship patterns in non-Euclidean space, so attacks can be detected accurately and reliably.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of an attack detection method provided by the present invention;
FIG. 2 is a schematic diagram of entity relationship establishment provided by the present invention;
FIG. 3 is a second schematic diagram of entity relationship establishment provided by the present invention;
FIG. 4 is a schematic diagram of a neural network model architecture provided by the present invention;
FIG. 5 is a schematic diagram of a Heimdall neural network model detection system provided by the present invention;
FIG. 6 is a schematic structural diagram of an attack detection apparatus provided in the present invention;
FIG. 7 is a schematic physical structure diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Modern computer systems face great risk from a wide variety of attack programs.
Taking transient attacks as an example, an attacker typically exploits security vulnerabilities arising from hardware design flaws in the processor microarchitecture, such as Meltdown and Spectre, to steal confidential information from any location in shared memory while holding a legitimate identity and minimal access privileges, thereby breaking memory isolation, a basic security property of computer systems. Memory isolation is the foundation of multi-user computing environments (e.g., a multi-tenant cloud computing platform or a multi-user computing device); because transient attacks primarily break memory isolation, they are severely damaging to the confidentiality of a computer system.
A transient attack comprises two phases: transient instruction execution and covert channel transmission. The former creates a time window for stealing and accessing information and encodes the confidential information; the latter recovers the encoded confidential information from the microarchitecture. A common scenario for covert channel transmission is to receive the stolen information through a cache side-channel attack, which often causes the computer system to generate a large number of hardware events of different types, such as cache references and cache hits or misses. Most existing transient attack detection methods collect these hardware events and then apply machine learning analysis and modeling to identify the transient attack.
However, such detection methods mostly assume that a cache side-channel attack is the receiving end of the transient attack's covert channel transmission, so they can only detect transient attacks based on the cache side channel. In fact, the cache side-channel attack is only one way of implementing the covert channel transmission of a transient attack; these methods generally cannot detect transient attacks based on other covert channels and therefore cannot detect variants of transient attacks.
Second, such methods collect low-level hardware events by means of hardware performance counters, which cannot represent the complex semantic behavior of upper-layer applications well. A hardware performance counter is a register dedicated to evaluating the hardware performance of a program at run time; the data it produces are statistics of specific hardware events, which lose some valuable feature information compared with run-time instruction trace data. In addition, the number of hardware performance counter events that a modern processor can collect concurrently is limited and the events are susceptible to interference, which further limits the ability of hardware performance counter data to describe the complex semantics of a program.
Third, such methods are designed to capture only relationship patterns in Euclidean space and cannot adapt to the complex semantic patterns of computer programs. Such a method first converts the behaviors of a series of events into sequences in Euclidean space, forming a temporal relationship among the events, then uses sequence analysis techniques to learn sequence patterns from historical events and predict the next events; if the events that actually occur deviate greatly from the predicted events, they are judged to be suspicious threat behavior. However, computer programming languages are typically carefully designed and can generate not only semantic information in Euclidean space but also complex semantic information in non-Euclidean space.
In addition, such methods are mostly implemented with traditional machine learning techniques, in which most of the work is concentrated on designing preprocessing pipelines and data transformations; features must be selected and constructed manually, and some valuable feature information is often missed. More seriously, to support learning graph topological patterns with complex semantics, traditional machine learning methods usually rely on summary graph statistics (e.g., degree or clustering coefficient), kernel functions or carefully designed features to measure local neighborhood structure. These hand-designed features cannot be adaptively optimized and adjusted during learning, are inflexible, and are time-consuming and labor-intensive.
The most recent work adopts a scheme based on information flow analysis: it defines the security semantics of the speculative execution step in the Spectre attack, obtains the program's information flow through symbolic execution, and judges the program to be a Spectre attack if its information flow matches the defined security semantics. This analysis is essentially rule matching and is a solution specific to Spectre attacks, so it also fails to cope with the diverse variants of transient attacks.
In order to overcome the defects in the above schemes, the present invention provides an attack detection method and apparatus, which are now introduced.
Fig. 1 is a schematic flow diagram of an attack detection method provided by the present invention, and as shown in fig. 1, the method includes the following steps:
Step 100, acquiring target instruction tracking information when a target program runs;
Specifically, to overcome the poor detection quality of the hardware performance counter data used for attack detection in the prior art, the invention uses instruction tracking information for attack detection.
Optionally, the attack detected by the present invention may be a transient attack.
In particular, the trace information is a sequential record of the instructions executed while a program runs. A program's instruction trace data is raw information with richer feature information than hardware performance counter data. Hardware performance counter data records specific hardware events triggered when the processor schedules these instructions; however, not every instruction execution triggers a hardware event, so these hardware events do not capture the full program behavior. By obtaining instruction tracking information with richer feature information, the invention solves the problem of poor training sample quality in existing attack detection methods.
Therefore, in the invention, when the target program is detected, the target instruction tracking information of the target program in operation can be acquired.
Step 110, determining a target entity relation graph between target instruction execution entities based on the target instruction tracking information;
and establishing a target entity relation graph between target instruction execution entities by taking the target entities as nodes of the target entity relation graph and taking the relation between the target entities as the edges of the target entity relation graph.
Specifically, entities and relationships between entities in the target instruction trace information may be extracted for establishing a target entity relationship graph.
Specifically, when the target entity relationship graph is established based on the target instruction tracing information, since the entities in the target instruction tracing information include an instruction, an instruction opcode, and an instruction operand, the target entity relationship graph can be constructed by mainly considering three entity relationships:
(1) a sequence dependency between the target instructions;
(2) a causal dependency between a target instruction opcode and a target instruction operand;
(3) a data dependency between a target instruction operand and a target instruction operand.
To build the target entity relationship graph, instructions may first be divided by number of operands into: zero-operand instructions (instruction format [opcode]), single-operand instructions (instruction format [opcode, operand]), two-operand instructions (instruction format [opcode, operand1, operand2]), and three-operand instructions (instruction format [opcode, operand1, operand2, operand3]).
Then, according to the three relationships between the entities, three graph construction rules are defined:
(1) for two instructions with a sequential dependency, where opcode1 and opcode2 are their respective opcodes, two new entity nodes, opcode1 and opcode2, and a new entity relationship edge opcode1 -> opcode2 can be created;
(2) except for zero-operand instructions, there are causal dependencies between the opcode and the operands within the other three types of instructions.
For a single-operand instruction, two new entity nodes, opcode and operand, and a new entity relationship edge opcode -> operand can be created;
for a two-operand instruction, three new entity nodes, opcode, operand1 and operand2, can be created; if operand1 is the destination operand and operand2 is the source operand, two entity relationship edges operand2 -> opcode and opcode -> operand1 can be created;
if the instruction is a comparison instruction, operand1 and operand2 are both source operands, and two entity relationship edges operand2 -> opcode and operand1 -> opcode can be created;
for a three-operand instruction, four new entity nodes, opcode, operand1, operand2 and operand3, can be created; if operand1 is the destination operand and operand2 and operand3 are source operands, three new entity relationship edges operand2 -> opcode, operand3 -> opcode and opcode -> operand1 can be created;
(3) if an operand in a non-zero-operand instruction has a read-after-write data dependency on an operand in another non-zero-operand instruction, the write operand entity node and the read operand entity node with that dependency are merged into one node in the graph, and no new entity relationship edge is created.
Based on the three graph construction rules, the target entity relationship graph can be automatically constructed.
FIG. 2 is a schematic diagram of entity relationship establishment provided by the present invention. As shown in FIG. 2, the left box is the acquired original instruction tracking information, and the right box is the entity relationship graph built from the instruction tracking information in the left box. For the 3rd instruction [cmp %rbx, %rax] in the left box, entity relationship edges mov -> cmp and cmp -> jbe may be generated according to rule 1 and entity relationship edges %rax -> cmp and %rbx -> cmp according to rule 2, and according to rule 3 the read operand nodes %rax and %rbx in the %rax -> cmp and %rbx -> cmp edges may be merged with the write operand nodes %rax and %rbx generated by the 1st and 2nd instructions.
Step 120, detecting whether the target program is an attack program based on the graph neural network model and the target entity relationship graph.
Specifically, the Heimdall graph neural network, as an advanced neural network technique, can perform automatic feature representation learning and convert the entity nodes in an entity relationship graph into low-dimensional vectors containing topological relationships, which overcomes the excessive reliance of existing attack detection methods on manual feature extraction and construction. The graph neural network also uses these low-dimensional vectors to deeply learn the internal patterns of the topological features, which overcomes the inability of traditional attack detection methods to capture graph topological relationship patterns in non-Euclidean space.
Therefore, after the target entity relationship graph is determined, it can be used as the input of the graph neural network model to detect and judge whether the target program is an attack.
Specifically, the detection may determine that the target program is an attack;
it may also determine that the target program is not an attack, for example a normal application program.
Taking transient attacks as an example, the output model generated by the Heimdall graph neural network learning module captures the topological feature pattern of the target program and characterizes the behavior of the target program as a whole rather than only the behavior related to the cache side channel; it can therefore not only identify transient attacks based on the cache side channel but also detect transient attack variants that use other covert channels.
With the attack detection method provided by the invention, the target instruction tracking information produced while the target program under test runs is acquired for attack detection, which overcomes the poor quality of attack detection training samples in the prior art. The target entity relationship graph between target instruction execution entities is determined from the target instruction tracking information, and the target program is detected with the graph neural network model. Because the graph neural network learning method performs automatic feature representation learning and topological pattern learning, it overcomes the excessive reliance of existing attack detection methods on manual feature extraction and their inability to capture graph topological relationship patterns in non-Euclidean space, so attacks are detected accurately and reliably.
Optionally, the method further comprises:
acquiring sample instruction tracking information when a central processing unit runs;
determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction trace information;
and establishing the graph neural network model based on the sample entity relationship graph.
Specifically, in the present invention, before performing attack detection by using the graph neural network model, the graph neural network model may be established first.
Specifically, the Heimdall neural network can extract a large amount of instruction trace information from normal application programs and from attack programs as samples; that is, the instruction trace information collected while the central processing unit runs serves as the samples, i.e., the sample instruction trace information.
Specifically, after sample instruction trace information is obtained, a sample entity relationship graph between sample instruction execution entities may be determined based on the sample instruction trace information; and establishing the graph neural network model based on the sample entity relationship graph.
Optionally, determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction trace information includes:
determining sample entities and relationships between sample entities based on the sample instruction trace information;
and establishing a sample entity relationship graph among the sample instruction execution entities by taking the sample entities as nodes of the sample entity relationship graph and taking the relationship among the sample entities as edges of the sample entity relationship graph.
Specifically, when determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction trace information, the sample entity relationship graph between the sample instruction execution entities may be established by using the sample entities as nodes of the sample entity relationship graph and using the relationships between the sample entities as edges of the sample entity relationship graph.
Specifically, when the sample entity relationship graph is established based on the sample instruction trace information, since the entities in the sample instruction trace information include instructions, instruction opcodes, and instruction operands, the establishment of the sample entity relationship graph may mainly consider three entity relationships:
(1) a sequential dependency between sample instructions;
(2) a causal dependency between a sample instruction opcode and a sample instruction operand;
(3) a data dependency between a sample instruction operand and a sample instruction operand.
To construct the sample entity relationship graph, the instruction may first be divided by the number of operands into: a zero operand instruction (instruction format [ opcode ]), a single operand instruction (instruction format [ opcode, operand ]), a double operand instruction (instruction format [ opcode, operand1, operand2]), and a triple operand instruction (instruction format [ opcode, operand1, operand2, operand3 ]).
Then, according to the three relationships between the entities, three composition rules are constructed:
(1) if opcode1 and opcode2 respectively represent the operation codes of two instructions that have a sequential dependency, two new entity nodes, namely opcode1 and opcode2, and a new entity relationship edge opcode1 -> opcode2 can be created;
(2) except for the zero-operand instruction, there are causal dependencies between the opcode and the operands within the other three types of instructions.
For a single-operand instruction, two new entity nodes, namely opcode and operand, and a new entity relationship edge opcode -> operand can be created;
for a double-operand instruction, three new entity nodes, namely opcode, operand1 and operand2, can be created; if operand1 represents the destination operand and operand2 represents the source operand, two entity relationship edges operand2 -> opcode and opcode -> operand1 can be created;
if the double-operand instruction is a comparison instruction, operand1 and operand2 are both source operands, and two entity relationship edges operand2 -> opcode and operand1 -> opcode can be created;
for a triple-operand instruction, four new entity nodes, namely opcode, operand1, operand2 and operand3, can be created; if operand1 represents the destination operand and operand2 and operand3 represent source operands, three new entity relationship edges operand2 -> opcode, operand3 -> opcode and opcode -> operand1 can be created;
(3) if an operand in a non-zero-operand instruction and an operand in another non-zero-operand instruction have a read-after-write data dependency, the written operand entity node and the read operand entity node are merged into one node in the graph, and no new entity relationship edge is created.
Based on the three composition rules, the sample entity relationship graph can be automatically constructed.
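The three composition rules above, implemented as an added example (this is not code from the patent). It assumes the trace is already parsed into the [opcode, operand1, ...] format, reads the double- and triple-operand edges as source operand -> opcode -> destination operand, treats a single operand as a read, and uses a hypothetical `COMPARE_OPCODES` set and a constructed sample trace.

```python
from dataclasses import dataclass, field

# Assumption: opcodes handled as comparison instructions (both operands are sources).
COMPARE_OPCODES = {"cmp", "test"}


@dataclass
class EntityGraph:
    nodes: list = field(default_factory=list)  # index = node id, value = (kind, label)
    edges: set = field(default_factory=set)    # directed (src id, dst id) pairs

    def add_node(self, kind, label):
        self.nodes.append((kind, label))
        return len(self.nodes) - 1

    def edge_labels(self):
        """Edges as readable 'src->dst' strings, sorted."""
        return sorted(
            f"{self.nodes[s][1]}->{self.nodes[d][1]}" for s, d in self.edges
        )


def build_entity_graph(trace):
    """Build the entity relationship graph for a list of traced instructions."""
    graph = EntityGraph()
    last_write = {}     # operand name -> node id created by its most recent write
    prev_opcode = None  # opcode node of the previously executed instruction

    def read_node(name):
        # Rule 3: a read that follows a write to the same operand reuses the
        # node created by that write, and no extra edge is added for the merge.
        if name in last_write:
            return last_write[name]
        return graph.add_node("operand", name)

    def write_node(name):
        node = graph.add_node("operand", name)
        last_write[name] = node
        return node

    for instr in trace:
        if not instr or len(instr) > 4:
            raise ValueError(f"expected 0 to 3 operands, got: {instr!r}")
        opcode, operands = instr[0], instr[1:]

        # Rule 1: sequential dependency between consecutive instructions.
        op = graph.add_node("opcode", opcode)
        if prev_opcode is not None:
            graph.edges.add((prev_opcode, op))
        prev_opcode = op

        # Rule 2: causal dependency between the opcode and its operands.
        if not operands:
            continue                                   # zero-operand instruction
        if len(operands) == 1:
            graph.edges.add((op, read_node(operands[0])))
        elif len(operands) == 2 and opcode in COMPARE_OPCODES:
            for src in operands:                       # both operands are sources
                graph.edges.add((read_node(src), op))
        else:
            dest, sources = operands[0], operands[1:]
            for src in sources:                        # resolve reads before the write
                graph.edges.add((read_node(src), op))
            graph.edges.add((op, write_node(dest)))
    return graph


# Constructed sample trace (not taken from the patent).
SAMPLE_TRACE = [
    ["mov", "r1", "r2"],        # r2 -> mov -> r1
    ["add", "r3", "r1", "r4"],  # r1 is read after the write above: node is merged
    ["cmp", "r3", "r1"],        # comparison: r3 -> cmp and r1 -> cmp
    ["jne", "target"],          # single operand: jne -> target
    ["nop"],                    # zero operands: only the sequential edge
]

if __name__ == "__main__":
    g = build_entity_graph(SAMPLE_TRACE)
    print(len(g.nodes), "nodes,", len(g.edges), "edges")
    for edge in g.edge_labels():
        print(edge)
```

Without the merge in rule (3) the sample trace would produce 13 nodes; the three read-after-write reuses of `r1` and `r3` reduce that to 10.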
Optionally, the building the graph neural network model based on the sample entity relationship graph includes:
marking the sample entity relationship graph;
and training the marked sample entity relation graph to obtain a graph neural network model.
Specifically, the Heimdall neural network may obtain a large number of entity relationship graphs of normal application programs and of attack programs as sample entity relationship graphs, and mark each sample entity relationship graph, for example with label 0 and label 1, where 0 may mark a normal application program and 1 may mark an attack, or vice versa.
The graph-recurrent neural network technique can then be employed for supervised training and learning: the labeled entity relationship graphs are taken as model input, and training yields the graph neural network model.
Optionally, the training the labeled sample entity relationship graph to obtain a graph neural network model includes:
acquiring a topological relation of entity nodes in the sample entity relationship graph based on the external connections of a neural network;
based on the internal connections of the neural network, converting the entity nodes in the sample entity relationship graph into low-dimensional vectors containing topological relations;
and performing deep learning on the topological relation of the entity relationship graph based on the low-dimensional vectors containing the topological relations to obtain a graph neural network model.
In particular, the neuron connections in the Heimdall graph neural network model may include external connections and internal connections.
The external connections can be used to provide inputs to the graph neural network, and the internal connections can be used to convert the entity relationship graph into vectorized feature representations and to learn topological patterns from those representations.
Specifically, taking transient attacks as an example, after Heimdall obtains entity relationship graphs of a large number of normal application programs and transient attack programs and marks them as model inputs, the topological structure of the entity relationships forms the external connections of the graph neural network model, and the internal connection structure of the model can be initialized according to empirical knowledge, for example: 1) the number of hidden layer neurons should be set between the number of input layer neurons and the number of output layer neurons; 2) the number of hidden layer neurons should not exceed 2 times the number of input layer neurons. The internal connection structure therefore mainly consists of hyper-parameters such as the number of neural network layers and the number of neurons. New hyper-parameters are then tried repeatedly with the goal of optimizing model accuracy, and the internal connection structure of the graph neural network model is finally determined.
Specifically, after the internal and external connections are determined, the graph neural network model can convert the entity relationship graph into a vectorized feature representation and deeply learn the internal topological feature patterns of the graph, and thereby gains the ability to distinguish a normal application program from an attack program. This addresses two problems of existing attack detection methods: excessive reliance on manual feature extraction and construction, and the inability to effectively learn complex topological semantics.
Therefore, the topological relation of the entity nodes in the sample entity relationship graph can be obtained based on the external connections of the neural network; based on the internal connections of the neural network, the entity nodes in the sample entity relationship graph are converted into low-dimensional vectors containing topological relations; and finally, deep learning is performed on the topological relation of the entity relationship graph based on the low-dimensional vectors containing the topological relations, and a graph neural network model is obtained.
Fig. 3 is a second schematic diagram of establishing an entity relationship provided by the present invention, and as shown in fig. 3, in order to better describe a relationship between an entity relationship diagram and a neural network model architecture, nodes of the entity relationship diagram in fig. 2 may be numbered first, so as to obtain fig. 3.
It can be understood that the graph data structure has spatial characteristics, and the numbering sequence does not influence the construction of the graph neural network model.
Fig. 4 is a schematic diagram of a graph neural network model architecture provided by the present invention, and as shown in fig. 4, corresponding to the entity relationship diagram in fig. 3, the external connection of the graph neural network model architecture is determined by the entity relationship diagram, and the internal connection is correspondingly determined by the existing graph neural network model.
Optionally, the detecting that the target program is an attack program includes:
and if the target program is an attack program of a preset type, identifying the type of the attack program based on the graph neural network model.
Specifically, taking transient attacks as an example, transient attacks based on the cache side channel are of known types. After learning and training, the Heimdall graph neural network of the invention can identify and distinguish these known types: the vectorized expression of the topological characteristics of a known type of transient attack is similar to the topological characteristic pattern of transient attacks in the model, so the graph neural network model in this embodiment, i.e., the Heimdall transient attack detection module, can identify it directly with a classification algorithm.
Optionally, the known types may include, but are not limited to, at least one of the following: Spectre attacks and Meltdown attacks. The Spectre attacks include the Spectre-PHT, Spectre-BTB, Spectre-RSB and Spectre-STL types; the three categories Spectre-PHT, Spectre-BTB and Spectre-RSB can be further subdivided into cross-address-space types or same-address-space types. The Meltdown attacks include the Meltdown-US, Meltdown-P, Meltdown-GP, Meltdown-NM, Meltdown-RW, Meltdown-PK, Meltdown-BR and Residual Meltdown types.
It is to be understood that the classification algorithm herein does not refer to a specific classification algorithm, but refers to a functional sub-module of the graph neural network model that can classify known types of attacks, and may not be a separate or independent algorithm, or may not be a separate or independent entity sub-module.
Specifically, the known types of attacks may be preset in the graph neural network model, for example, the graph neural network model with a classification function after training is set, including but not limited to a setting that can make the graph neural network model output different names of different types of attacks;
Specifically, if the target program is an attack of a preset category, the category of the attack can be identified based on the graph neural network model, and the name of the attack category may also be output.
Optionally, the method further comprises:
and if the target program is not the preset type of attack program, identifying the target program as an abnormal attack program based on the graph neural network model and the entity relationship graph.
Specifically, for attacks of unknown types, such as attack variants that use other covert channels, the Heimdall graph neural network learning module in the graph neural network model cannot directly learn the unknown types. However, the vectorized expression of the topological features of an unknown type of attack deviates from the topological feature pattern of normal application programs and is more similar to the topological feature pattern of attacks in the model, so the Heimdall attack detection module in the graph neural network model can identify such attacks with an anomaly detection algorithm.
It should be understood that the anomaly detection algorithm herein does not refer to a specific anomaly detection algorithm, but refers to a functional sub-module that can detect an unknown type of attack in the graph neural network model, and may not be a separate or independent algorithm, or may not be a separate or independent entity sub-module.
Specifically, if the target program is not the preset type of attack program, the target program may be identified and determined to be an abnormal attack program based on the graph neural network model.
The learning method based on the graph neural network can utilize the low-dimensional vector generated by feature representation learning to deeply learn the internal mode of the topological feature, and solves the problem that the existing attack program detection method cannot learn the complex semantic mode; the detection method based on the graph neural network is used for accurately identifying the attack program and detecting possible variants of the attack program.
According to the attack detection method provided by the invention, target instruction tracking information is obtained while the target program to be detected runs and is used for attack detection, which overcomes the poor quality of attack detection training samples in the prior art. A target entity relationship graph between target instruction execution entities is determined based on the target instruction tracking information, and the target program is then detected through the graph neural network model. Because the graph neural network learning method performs automatic feature representation learning and topological pattern learning, the method overcomes the defects that existing attack detection methods rely excessively on manual feature extraction and cannot capture graph topological relationship patterns in non-Euclidean space, so that attacks are detected accurately and reliably.
Fig. 5 is a schematic diagram of the Heimdall graph neural network model detection system provided by the present invention. As shown in fig. 5, taking transient attack detection as an example, the system is composed of four key modules: a program behavior data acquisition module, an entity relationship graph construction module, a graph neural network learning module and a transient attack detection module.
The program behavior data acquisition module is used for collecting instruction tracking information when the central processing unit runs;
the entity relationship graph building module is used for extracting entities in the instruction tracking information and the relationship among the entities;
the graph neural network learning module is used for performing automatic feature expression learning, converting entity nodes in the entity relationship graph into low-dimensional vectors containing topological relations, and solving the problem that the existing transient attack detection method excessively depends on manual feature extraction and construction. Meanwhile, the graph neural network deeply learns the internal mode of the topological feature by using the low-dimensional vectors, so that the problem that the existing transient attack detection method cannot effectively learn complex topological semantics is solved.
The transient attack detection module is used for identifying transient attacks based on the cache side channel and detecting transient attack variants that use other covert channels.
It can be understood that the Heimdall graph neural network model detection system of the present invention can implement all the method steps of the attack detection method and achieve the same technical effects, which are not described here again.
The following describes the attack detection device provided by the present invention, and the attack detection device described below and the attack detection method described above may be referred to in correspondence with each other.
Fig. 6 is a schematic structural diagram of an attack detection apparatus provided in the present invention, and as shown in fig. 6, the apparatus includes: an obtaining module 610, a determining module 620 and a detecting module 630, wherein:
the obtaining module 610 is configured to obtain instruction tracking information when the target program runs;
the determining module 620 is configured to determine an entity relationship graph between instruction execution entities based on the instruction tracing information;
the detecting module 630 is configured to detect that the target program is an attack program based on the graph neural network model and the entity relationship graph.
Specifically, the attack detection apparatus obtains instruction tracking information of the target program during running through the obtaining module 610; then, an entity relationship graph between the instruction execution entities is determined by the determining module 620 based on the instruction tracing information; finally, the target program can be detected as an attack program by the detection module 630 based on the graph neural network model and the entity relationship graph.
It can be understood that the attack detection device of the present invention can implement all the method steps implemented by the attack detection method, and can achieve the same technical effects, which are not described herein again.
The attack detection device provided by the invention obtains target instruction tracking information while the target program to be detected runs and uses it for attack detection, which overcomes the poor quality of attack detection training samples in the prior art. It determines a target entity relationship graph between target instruction execution entities based on the target instruction tracking information and then detects the target program through the graph neural network model. Because the graph neural network learning method performs automatic feature representation learning and topological pattern learning, the device overcomes the defects that existing attack detection methods rely excessively on manual feature extraction and cannot capture graph topological relationship patterns in non-Euclidean space, and achieves accurate and reliable attack detection.
Fig. 7 is a schematic physical structure diagram of an electronic device provided in the present invention, and as shown in fig. 7, the electronic device may include: a processor (processor)710, a communication Interface (Communications Interface)720, a memory (memory)730, and a communication bus 740, wherein the processor 710, the communication Interface 720, and the memory 730 communicate with each other via the communication bus 740. Processor 710 may call logic instructions in memory 730 to perform an attack detection method comprising:
acquiring target instruction tracking information when a target program runs;
determining a target entity relation graph between target instruction execution entities based on the target instruction tracking information;
and detecting the target program as an attack program based on a graph neural network model and the target entity relationship graph.
In addition, the logic instructions in the memory 730 can be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the attack detection method provided above, the method comprising:
acquiring target instruction tracking information when a target program runs;
determining a target entity relation graph between target instruction execution entities based on the target instruction tracking information;
and detecting the target program as an attack program based on a graph neural network model and the target entity relationship graph.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the attack detection method provided above, the method comprising:
acquiring target instruction tracking information when a target program runs;
determining a target entity relation graph between target instruction execution entities based on the target instruction tracking information;
and detecting the target program as an attack program based on a graph neural network model and the target entity relationship graph.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An attack detection method, comprising:
acquiring target instruction tracking information when a target program runs;
determining a target entity relation graph between target instruction execution entities based on the target instruction tracking information;
and detecting the target program as an attack program based on a graph neural network model and the target entity relationship graph.
2. The attack detection method according to claim 1, characterized in that the method further comprises:
acquiring sample instruction tracking information when a central processing unit runs;
determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction trace information;
and establishing the graph neural network model based on the sample entity relationship graph.
3. The attack detection method according to claim 2, wherein determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction trace information comprises:
determining sample entities and relationships between sample entities based on the sample instruction trace information;
and establishing a sample entity relationship graph among the sample instruction execution entities by taking the sample entities as nodes of the sample entity relationship graph and taking the relationship among the sample entities as edges of the sample entity relationship graph.
4. The attack detection method according to claim 3, wherein the building the graph neural network model based on the sample entity relationship graph comprises:
marking the sample entity relationship graph;
and training the marked sample entity relation graph to obtain a graph neural network model.
5. The attack detection method according to claim 4, wherein the training of the labeled sample entity relationship graph to obtain the graph neural network model comprises:
acquiring a topological relation of entity nodes in the sample entity relationship graph based on the external connections of a neural network;
based on the internal connections of the neural network, converting the entity nodes in the sample entity relationship graph into low-dimensional vectors containing topological relations;
and performing deep learning on the topological relation of the entity relationship graph based on the low-dimensional vectors containing the topological relations to obtain a graph neural network model.
6. The attack detection method according to any one of claims 1 to 5, wherein the detecting that the target program is an attack program includes:
and if the target program is an attack program of a preset type, identifying the type of the attack program based on the graph neural network model.
7. The attack detection method according to any one of claims 1 to 5, characterized in that the method further comprises:
and if the target program is not the preset type of attack program, identifying the target program as an abnormal attack program based on the graph neural network model and the entity relationship graph.
8. An attack detection apparatus, comprising:
the acquisition module is used for acquiring instruction tracking information when the target program runs;
the determining module is used for determining an entity relation graph between instruction execution entities based on the instruction tracking information;
and the detection module is used for detecting the target program as an attack program based on the graph neural network model and the entity relationship graph.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the attack detection method according to any of claims 1 to 7 are implemented when the processor executes the program.
10. A non-transitory computer-readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the attack detection method according to any one of claims 1 to 7.
CN202011507771.1A 2020-12-18 2020-12-18 Attack detection method, attack detection device, electronic equipment and storage medium Active CN112632535B (en)


Publications (2)

Publication Number Publication Date
CN112632535A true CN112632535A (en) 2021-04-09
CN112632535B CN112632535B (en) 2024-03-12

Family

ID=75317647


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant