CN112632535B - Attack detection method, attack detection device, electronic equipment and storage medium - Google Patents

Publication number
CN112632535B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011507771.1A
Inventor
孟丹
郑阳
文雨
张博洋
张东雪
杨纯
杜莹莹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN202011507771.1A priority Critical patent/CN112632535B/en
Publication of CN112632535A publication Critical patent/CN112632535A/en
Application granted granted Critical
Publication of CN112632535B publication Critical patent/CN112632535B/en

Classifications

    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06N20/00 Machine learning
    • G06N3/08 Learning methods


Abstract

The invention provides an attack detection method, an attack detection device, electronic equipment and a storage medium. The attack detection method comprises the following steps: acquiring target instruction tracking information of a target program at run time; determining a target entity relation graph between target instruction execution entities based on the target instruction tracking information; and detecting that the target program is an attack program based on a graph neural network model and the target entity relation graph. By acquiring the target instruction tracking information while the target program runs, the method overcomes the poor quality of attack detection training samples in the prior art. By determining the entity relation graph between target instruction execution entities from the target instruction tracking information and then detecting the target program with the graph neural network model, it performs automatic feature representation learning and topology pattern learning. This overcomes the defect that existing attack detection methods rely excessively on manual feature extraction and cannot capture graph topological relation patterns in non-Euclidean space, so that attacks are detected accurately and reliably.

Description

Attack detection method, attack detection device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an attack detection method, an attack detection device, an electronic device, and a storage medium.
Background
Modern computer systems are attacked by a variety of attack programs and are therefore at great risk, so it is important to detect attacks as accurately as possible.
Existing attack detection methods are designed to capture only relation patterns in Euclidean space and cannot adapt to the complex semantic patterns of a computer program. Such a method first converts the behavior of a series of events into sequences in Euclidean space, where the sequences form a temporal relation among the events. It then uses sequence analysis techniques to learn sequence patterns from historical events and predict the next event; if the event that actually occurs deviates greatly from the predicted event, it is considered suspicious threat behavior. However, computer program languages are generally primitive, capable of generating not only semantic information in Euclidean space but also complex semantic information in non-Euclidean space. The current attack detection methods therefore cannot effectively capture the topological feature patterns of non-Euclidean space, and their detection results are not necessarily accurate and reliable.
Disclosure of Invention
The invention provides an attack detection method, an attack detection device, electronic equipment and a storage medium, which are used for solving the defect that attack identification results in the prior art are inaccurate and unreliable, and for realizing accurate and reliable attack detection.
In a first aspect, the present invention provides an attack detection method, including:
acquiring target instruction tracking information of a target program during operation;
determining a target entity relation diagram between target instruction execution entities based on the target instruction tracking information;
and detecting that the target program is an attack program based on the graph neural network model and the target entity relation graph.
According to the attack detection method provided by the invention, the method further comprises the following steps:
acquiring sample instruction tracking information when the central processing unit runs;
determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction tracking information;
and establishing the graph neural network model based on the sample entity relation graph.
According to the attack detection method provided by the invention, based on the sample instruction tracking information, a sample entity relation diagram between sample instruction execution entities is determined, and the attack detection method comprises the following steps:
determining a sample entity and a relationship between sample entities based on the sample instruction tracking information;
and establishing a sample entity relation diagram between the sample instruction execution entities by taking the sample entities as nodes of the sample entity relation diagram and taking the relation between the sample entities as edges of the sample entity relation diagram.
According to the attack detection method provided by the invention, the establishing of the graph neural network model based on the sample entity relation graph comprises the following steps:
marking the sample entity relation graph;
training the marked sample entity relation graph to obtain a graph neural network model.
According to the attack detection method provided by the invention, training is carried out on the marked sample entity relation graph to obtain a graph neural network model, and the attack detection method comprises the following steps:
based on the neural network external connection, obtaining the topological relation of the entity nodes in the sample entity relation graph;
based on the connection in the neural network, converting the entity nodes in the sample entity relation graph into low-dimensional vectors containing topological relations;
and based on the low-dimensional vector containing the topological relation, performing deep learning on the topological relation of the entity relation graph to obtain a graph neural network model.
According to the attack detection method provided by the invention, the detection of the target program as an attack program comprises the following steps:
and if the target program is an attack program of a preset class, identifying the class of the attack program based on a graph neural network model.
According to the attack detection method provided by the invention, the method further comprises the following steps:
and if the target program is not an attack program of the preset category, identifying the target program as an abnormal attack program based on the graph neural network model and the entity relation graph.
In a second aspect, the present invention provides an attack detection device comprising:
the acquisition module is used for acquiring instruction tracking information of the target program in running;
the determining module is used for determining an entity relation diagram between instruction execution entities based on the instruction tracking information;
and the detection module is used for detecting that the target program is an attack program based on the graph neural network model and the entity relation graph.
In a third aspect, the present invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any one of the attack detection methods described above when the program is executed.
In a fourth aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the attack detection method according to any of the above.
According to the attack detection method, the device, the electronic equipment and the storage medium provided by the invention, the target instruction tracking information of the target program to be detected is acquired at run time and used for attack detection, which overcomes the poor quality of attack detection training samples in the prior art. The target entity relation graph between target instruction execution entities is determined based on the target instruction tracking information, and the target program is detected through a graph neural network model. Because the learning method based on the graph neural network can perform automatic feature representation learning and topology pattern learning, it overcomes the defect that existing attack detection methods rely excessively on manual feature extraction and cannot capture graph topological relation patterns in non-Euclidean space, so that attacks are detected accurately and reliably.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of an attack detection method provided by the invention;
FIG. 2 is a schematic diagram of the establishment of an entity relationship according to the present invention;
FIG. 3 is a diagram illustrating a second embodiment of the present invention;
FIG. 4 is a schematic diagram of the neural network model architecture provided by the present invention;
FIG. 5 is a schematic diagram of the detection system of the Heimdall graph neural network model provided by the invention;
FIG. 6 is a schematic diagram of an attack detection device according to the present invention;
FIG. 7 is a schematic diagram of the physical structure of the electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Modern computer systems are attacked by a variety of attack programs and are at great risk.
Taking transient attacks as an example, the attacker generally exploits security vulnerabilities such as Meltdown and Spectre, which arise from hardware design defects in the processor microarchitecture, to steal confidential information from any location in shared memory while holding a legitimate identity and minimal access rights, thereby breaking memory isolation, a basic security property of computer systems. Memory isolation is a cornerstone of multi-user computing environments (e.g., a multi-tenant cloud computing platform or a multi-user computing device), so transient attacks, whose main means is breaking memory isolation, seriously damage the confidentiality of a computer system.
A transient attack involves two phases: transient instruction execution and covert channel transmission. The former generates a time window for stealing and accessing information and encodes the confidential information; the latter recovers the encoded confidential information from within the microarchitecture. A common form of covert channel transmission is to use a cache side-channel attack to receive the stolen information, which tends to make the computer system generate a large number of hardware events of different types, such as cache references and cache hits or misses. Most existing transient attack detection methods collect these hardware events and then use machine learning analysis and modeling methods to identify transient attacks.
However, most of these detection methods assume that a cache side-channel attack is used as the receiving end of the transient attack's covert channel transmission, so they can only detect transient attacks based on a cache side channel. In fact, a cache side-channel attack is only one form of covert channel transmission for a transient attack. These detection methods cannot detect transient attacks based on other covert channels, and therefore cannot detect variants of transient attacks.
Secondly, these detection methods rely on hardware performance counters to collect low-level hardware events, which cannot represent the complex semantic behavior of the upper-layer application well. A hardware performance counter is a register dedicated to evaluating hardware performance during program execution. The data it generates are statistics of specific hardware events, and some valuable feature information is lost compared with the instruction trace data of the execution. Moreover, on modern processors the number of hardware performance counter events that can be collected concurrently is limited and collection is easily disturbed, which further limits the ability of hardware performance counter data to describe the complex semantics of a program.
Thirdly, these detection methods are designed to capture only relation patterns in Euclidean space and cannot adapt to the complex semantic patterns of a computer program. Such a method first converts the behavior of a series of events into sequences in Euclidean space, where the sequences form a temporal relation among the events. It then uses sequence analysis techniques to learn sequence patterns from historical events and predict the next event; if the event that actually occurs deviates greatly from the predicted event, it is considered suspicious threat behavior. However, computer program languages are generally primitive, capable of generating not only semantic information in Euclidean space but also complex semantic information in non-Euclidean space.
In addition, most of these detection methods are implemented with traditional machine learning techniques. Most of the work is concentrated on designing preprocessing pipelines and data conversion, and features must be selected and constructed manually, so some valuable feature information is often omitted. More seriously, to support graph topology pattern learning of complex semantics, conventional machine learning methods typically rely on abstract graph statistics (e.g., degree or clustering coefficients), kernel functions, or carefully designed features to measure local neighborhood structures. These cannot be adaptively optimized during learning, are inflexible, and are time-consuming and laborious.
The latest work adopts a scheme based on information flow analysis. The method defines the security semantics of the speculative execution stage in a Spectre attack and acquires the information flow of the program by symbolic execution; if the information flow of the program matches the definition of the security semantics, the program is judged to be a Spectre attack. The analysis method of this scheme is essentially rule matching and is a solution specific to Spectre attacks. This approach therefore also fails to cope with the diverse variants of transient attacks.
In order to overcome the defects in the scheme, the invention provides an attack detection method and an attack detection device, and the method and the device are now described.
Fig. 1 is a schematic flow chart of an attack detection method provided by the present invention, as shown in fig. 1, the method includes the following steps:
step 100, obtaining target instruction tracking information when a target program runs;
specifically, in order to overcome the defect of poor detection quality of hardware performance counter data adopted in attack detection in the prior art, the invention adopts instruction tracking information for attack detection;
alternatively, the attack detected by the present invention may be a transient attack;
specifically, the trace information is a sequential record of program runtime instruction operations. Instruction trace data of a program is original information with more abundant feature information compared with hardware performance counter data. Hardware performance counter data is a specific hardware event triggered by the processor scheduling execution of these instructions, however not all instruction execution triggers a hardware event, and thus these hardware events do not capture the full program behavior. The method acquires the instruction tracking information with more abundant characteristic information, and solves the problem of poor quality of training samples in the existing attack detection method.
Therefore, in the invention, when the target program is detected, the target instruction tracking information of the target program in running can be obtained.
Step 110, determining a target entity relation diagram between target instruction execution entities based on the target instruction tracking information;
and establishing a target entity relationship diagram between target instruction execution entities by taking the target entities as nodes of the target entity relationship diagram and taking the relationship between the target entities as edges of the target entity relationship diagram.
Specifically, the entity and the relationship between entities in the target instruction tracking information can be extracted, so as to build a target entity relationship graph.
Specifically, when the target entity relationship graph is built based on the target instruction tracking information, because the entities in the target instruction tracking information include instructions, instruction operation codes and instruction operands, the building of the target entity relationship graph can mainly consider three entity relationships:
(1) Order dependency between target instructions;
(2) Causal dependencies between target instruction opcodes and target instruction operands;
(3) Data dependency between target instruction operands and target instruction operands.
To construct the target entity relationship graph, instructions may first be divided by number of operands into: zero-operand instructions (instruction format [opcode]), single-operand instructions (instruction format [opcode, operand]), two-operand instructions (instruction format [opcode, operand1, operand2]), and three-operand instructions (instruction format [opcode, operand1, operand2, operand3]).
Then, three composition rules are constructed according to the three relations between entities:
(1) If the opcodes of two consecutive instructions are denoted opcode1 and opcode2, two new entity nodes opcode1 and opcode2 and one new entity relationship edge opcode1->opcode2 can be created;
(2) Except for zero-operand instructions, there are also causal dependencies between the opcode and the operands within the other three types of instructions.
For a single-operand instruction, two new entity nodes, the opcode and the operand, and one new entity relationship edge connecting them can be created;
for a two-operand instruction, three new entity nodes opcode, operand1 and operand2 can be created; if operand1 represents the destination operand and operand2 represents the source operand, two entity relationship edges operand2->opcode and opcode->operand1 can be created;
if the instruction is a comparison instruction, operand1 and operand2 are both source operands, and two entity relationship edges operand2->opcode and operand1->opcode can be created;
for a three-operand instruction, four new entity nodes opcode, operand1, operand2 and operand3 can be created; if operand1 represents the destination operand and operand2 and operand3 represent source operands, three new entity relationship edges operand2->opcode, operand3->opcode and opcode->operand1 can be created;
(3) If an operand in a non-zero-operand instruction has a read-after-write data dependency on an operand in another non-zero-operand instruction, the write operand entity node and the read operand entity node with the read-after-write dependency are merged into one node in the graph, and no new entity relationship edge needs to be created.
Based on the three composition rules, the target entity relationship graph can be automatically constructed.
Fig. 2 is one of the schematic diagrams for establishing the entity relationship provided by the present invention. As shown in Fig. 2, the left box is the original instruction tracking information collected, and the right side is the entity relationship graph built from the instruction tracking information in the left box. For the 3rd instruction [cmp %rbx, %rax] in the left box, entity relationship edges mov->cmp and cmp->jbe may be generated according to rule 1, and entity relationship edges %rax->cmp and %rbx->cmp may be generated according to rule 2. According to rule 3, the read operand nodes %rax and %rbx in the %rax->cmp and %rbx->cmp edges may be merged with the write operand nodes %rax and %rbx generated by the 1st and 2nd instructions.
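The three composition rules above (the same rules are used later for the sample entity relation graph) can be implemented as follows; this is an added Python example, not code from the patent. The trace is constructed in the patent's [opcode, operand1, ...] format to match the Fig. 2 description; per-instruction opcode nodes, the `COMPARE_OPCODES` set, and the opcode-to-operand edge direction for single-operand instructions are assumptions.

```python
from dataclasses import dataclass, field

# Assumption: mnemonics treated as "comparison instructions" (all operands are sources).
COMPARE_OPCODES = {"cmp", "test"}

# Constructed trace in [opcode, operand1, operand2, ...] form, operand1 = destination.
# It mirrors the Fig. 2 description: two movs write %rax and %rbx, then cmp, then jbe.
TRACE = [
    ("mov", "%rax", "%rdi"),
    ("mov", "%rbx", "%rsi"),
    ("cmp", "%rbx", "%rax"),
    ("jbe", "0x401136"),
]


@dataclass
class EntityGraph:
    nodes: dict = field(default_factory=dict)  # node id -> (kind, label)
    edges: list = field(default_factory=list)  # (src id, dst id, relation)

    def add_node(self, kind, label):
        node_id = f"{kind}{len(self.nodes)}:{label}"
        self.nodes[node_id] = (kind, label)
        return node_id

    def add_edge(self, src, dst, relation):
        self.edges.append((src, dst, relation))

    def labelled_edges(self):
        """Edges as (src label, dst label, relation), convenient for inspection."""
        return {(self.nodes[s][1], self.nodes[d][1], r) for s, d, r in self.edges}


def build_entity_graph(trace):
    """Build the entity relation graph from an instruction trace using rules 1-3."""
    graph = EntityGraph()
    prev_opcode = None
    last_write = {}  # operand label -> node id created by its most recent write

    def read(label):
        # Rule 3: a read that follows a write of the same operand reuses the
        # write node (read-after-write merge); no extra node or edge is made.
        if label in last_write:
            return last_write[label]
        return graph.add_node("operand", label)

    def write(label):
        # Each write creates a fresh node that later reads will merge into.
        node = graph.add_node("operand", label)
        last_write[label] = node
        return node

    for opcode, *operands in trace:
        if len(operands) > 3:
            raise ValueError(f"unsupported operand count: {opcode} {operands}")
        op_node = graph.add_node("opcode", opcode)  # assumption: one node per instruction

        # Rule 1: order dependency between consecutive opcodes.
        if prev_opcode is not None:
            graph.add_edge(prev_opcode, op_node, "order")
        prev_opcode = op_node

        if not operands:  # zero-operand instruction: opcode node only
            continue

        # Rule 2: causal dependencies between the opcode and its operands.
        if opcode in COMPARE_OPCODES:
            dest, sources = None, operands
        else:
            # Assumption for single-operand instructions: the operand is the
            # destination (edge opcode -> operand).
            dest, sources = operands[0], operands[1:]

        # Resolve reads before the write so an instruction that reads and
        # writes the same operand sees the previous value's node.
        for src in sources:
            graph.add_edge(read(src), op_node, "causal")
        if dest is not None:
            graph.add_edge(op_node, write(dest), "causal")

    return graph


if __name__ == "__main__":
    g = build_entity_graph(TRACE)
    for src, dst, relation in g.edges:
        print(f"{src} -> {dst} [{relation}]")
```

Without the rule 3 merge the constructed trace would yield 11 nodes; with it, the %rax and %rbx nodes written by the two mov instructions are the same nodes that cmp reads.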
And step 120, detecting that the target program is an attack program based on the graph neural network model and the target entity relation graph.
Specifically, the Heimdall graph neural network, as an advanced neural network technique, can perform automatic feature representation learning and convert entity nodes in the entity relation graph into low-dimensional vectors containing topological relations, which overcomes the defect that existing attack detection methods rely excessively on manual feature extraction and construction. Meanwhile, the graph neural network uses these low-dimensional vectors to deeply learn the inherent patterns of the topological features, which overcomes the defect that existing attack detection methods cannot capture graph topological relation patterns in non-Euclidean space.
Therefore, after the target entity relation diagram is determined, the target entity relation diagram can be used as the input of the graph neural network model, and whether the target program is an attack or not can be detected and judged.
Specifically, the target program may be detected and determined to be an attack;
specifically, it may also be detected that the target program is not an attack, such as a normal application program.
Taking transient attacks as an example, the output model generated by the Heimdall graph neural network learning module can capture the topological feature patterns of the target program and describe the behavior of the target program as a whole, rather than specifically describing cache side-channel behavior. It can therefore identify transient attacks based on a cache side channel and also detect transient attack variants that use other covert channels.
According to the attack detection method provided by the invention, the target instruction tracking information of the target program to be detected is acquired at run time, which overcomes the poor quality of attack detection training samples in the prior art. The target entity relation graph between target instruction execution entities is then determined based on the target instruction tracking information, and the target program is detected through a graph neural network model. Because the learning method based on the graph neural network can perform automatic feature representation learning and topology pattern learning, it overcomes the defect that existing attack detection methods rely excessively on manual feature extraction and cannot capture graph topological relation patterns in non-Euclidean space, so that attacks are detected accurately and reliably.
Optionally, the method further comprises:
acquiring sample instruction tracking information when the central processing unit runs;
determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction tracking information;
and establishing the graph neural network model based on the sample entity relation graph.
Specifically, in the present invention, before attack detection is performed using the graph neural network model, the graph neural network model may be first established.
Specifically, the Heimdall neural network can extract instruction trace information of a large number of normal application programs and attack programs as samples, respectively, so that the instruction trace information during the running of the central processing unit can be collected first as samples, namely, sample instruction trace information.
Specifically, after the sample instruction tracking information is acquired, a sample entity relation diagram between sample instruction execution entities can be determined based on the sample instruction tracking information; and establishing a graph neural network model based on the sample entity relation graph.
Optionally, determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction tracking information includes:
determining a sample entity and a relationship between sample entities based on the sample instruction tracking information;
and establishing a sample entity relation diagram between the sample instruction execution entities by taking the sample entities as nodes of the sample entity relation diagram and taking the relation between the sample entities as edges of the sample entity relation diagram.
Specifically, when determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction tracking information, the sample entity may be taken as a node of the sample entity relationship graph, and the relationship between the sample entities may be taken as an edge of the sample entity relationship graph, so as to establish the sample entity relationship graph between the sample instruction execution entities.
Specifically, when the sample entity relationship graph is built based on sample instruction trace information, since the entities in the sample instruction trace information include instructions, instruction operation codes and instruction operands, the building of the sample entity relationship graph may mainly consider three entity relationships:
(1) Sequential dependencies between sample instructions;
(2) Causal dependencies between sample instruction opcodes and sample instruction operands;
(3) Data dependency between sample instruction operands and sample instruction operands.
To construct a sample entity relationship graph, instructions may first be divided, by number of operands, into: zero-operand instructions (instruction format [opcode]), single-operand instructions (instruction format [opcode, operand]), two-operand instructions (instruction format [opcode, operand1, operand2]), and three-operand instructions (instruction format [opcode, operand1, operand2, operand3]).
Then, three composition rules are constructed according to the three relations between entities:
(1) If the opcodes of two consecutive instructions are denoted opcode1 and opcode2 respectively, two new entity nodes opcode1 and opcode2 and a new entity relationship edge opcode1 -> opcode2 can be created;
(2) Except for zero-operand instructions, causal dependencies also exist between the opcode and the operands within the other three types of instructions.
For a single-operand instruction, two new entity nodes opcode and operand and a new entity relationship edge opcode -> operand can be created;
for a two-operand instruction, three new entity nodes opcode, operand1 and operand2 can be created; if operand1 represents the destination operand and operand2 represents the source operand, two entity relationship edges operand2 -> opcode and opcode -> operand1 can be created;
if the instruction is a comparison instruction, operand1 and operand2 are both source operands, and two entity relationship edges operand2 -> opcode and operand1 -> opcode can be created;
for a three-operand instruction, four new entity nodes opcode, operand1, operand2 and operand3 can be created; if operand1 represents the destination operand and operand2 and operand3 represent source operands, three new entity relationship edges operand2 -> opcode, operand3 -> opcode and opcode -> operand1 can be created;
(3) If an operand in a non-zero-operand instruction and an operand in another non-zero-operand instruction have a read-after-write data dependency, the written operand entity node and the read operand entity node with that dependency are merged into one node in the graph, and no new entity relationship edge needs to be created.
Based on the three composition rules, the sample entity relationship graph can be automatically constructed.
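The three composition rules above, applied to a short instruction trace, as an added example that is not code from the patent. The trace text format, the node-id scheme, the `COMPARE_OPCODES` set, and the treatment of a single operand as written (edge opcode -> operand) are assumptions of this sketch.

```python
# Added example: entity relationship graph built from an instruction trace.
COMPARE_OPCODES = {"cmp", "test"}   # assumption: mnemonics whose operands are all sources

# Constructed sample trace ("opcode dest, src[, src]"); not captured data.
SAMPLE_TRACE = """\
mov rax, rbx
add rcx, rax
cmp rcx, rdx
imul rsi, rcx, 4
inc rsi
mov rdi, rsi
ret
"""


class EntityGraph:
    def __init__(self):
        self.nodes = {}    # node id -> (kind, label), kind is "opcode" or "operand"
        self.edges = []    # (source id, destination id, relation)
        self.merged = 0    # operand nodes saved by rule 3 merging

    def add_node(self, node_id, kind, label):
        self.nodes[node_id] = (kind, label)
        return node_id

    def add_edge(self, src, dst, relation):
        self.edges.append((src, dst, relation))


def parse_line(line):
    """Return (opcode, operands) for one trace line, or None for a blank line."""
    text = line.split(";", 1)[0].strip()      # drop trailing ';' comments
    if not text:
        return None
    parts = text.split(None, 1)
    operands = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    if len(operands) > 3 or "" in operands:
        raise ValueError(f"unsupported instruction format: {line!r}")
    return parts[0].lower(), operands


def split_roles(opcode, operands):
    """Return (source operands, destination operand or None) per rule 2."""
    if not operands:
        return [], None                       # zero-operand: opcode node only
    if len(operands) == 1:
        return [], operands[0]                # assumption: edge opcode -> operand
    if opcode in COMPARE_OPCODES:
        return operands[::-1], None           # operand2 -> opcode, operand1 -> opcode
    return operands[1:], operands[0]          # operand1 is the destination


def build_graph(trace):
    graph = EntityGraph()
    last_write = {}        # operand name -> node id created by its latest write
    prev_opcode = None
    index = 0
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        opcode, operands = parsed
        op_node = graph.add_node(f"{opcode}#{index}", "opcode", opcode)

        # Rule 1: sequential dependency between consecutive instructions.
        if prev_opcode is not None:
            graph.add_edge(prev_opcode, op_node, "sequential")
        prev_opcode = op_node

        sources, dest = split_roles(opcode, operands)

        # Rule 2, source side, combined with rule 3: a read of a previously
        # written operand reuses the writer's node instead of adding a new one.
        # Sources are handled before the destination so that an instruction
        # such as "add rax, rax" reads the old value before writing a new node.
        for name in sources:
            if name in last_write:
                src_node = last_write[name]
                graph.merged += 1
            else:
                src_node = graph.add_node(f"{name}@{index}r", "operand", name)
            graph.add_edge(src_node, op_node, "causal")

        # Rule 2, destination side: every write creates a fresh operand node.
        if dest is not None:
            dst_node = graph.add_node(f"{dest}@{index}w", "operand", dest)
            graph.add_edge(op_node, dst_node, "causal")
            last_write[dest] = dst_node
        index += 1
    return graph


if __name__ == "__main__":
    g = build_graph(SAMPLE_TRACE)
    for src, dst, relation in g.edges:
        print(f"{src:>8} -> {dst:<8} {relation}")
    print(len(g.nodes), "nodes,", len(g.edges), "edges,", g.merged, "merged reads")
```

Without rule 3 the same trace would produce 12 operand nodes; merging the four read-after-write pairs leaves 8, which is what ties the data flow of separate instructions into one connected graph.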
Optionally, the building the graph neural network model based on the sample entity relationship graph includes:
marking the sample entity relation graph;
training the marked sample entity relation graph to obtain a graph neural network model.
Specifically, the Heimdall neural network may obtain the entity relationship graphs of a large number of normal application programs and attack programs respectively, use them as sample entity relationship graphs, and label each sample entity relationship graph, for example with 0 and 1, where 0 may label a normal application program and 1 may label an attack, or vice versa.
The graph-cycle neural network technique can then be employed for supervised training and learning: the labeled entity relationship graphs are taken as the model input, and training yields the graph neural network model.
Optionally, the training the marked sample entity relationship graph to obtain a graph neural network model includes:
based on the neural network external connection, obtaining the topological relation of the entity nodes in the sample entity relation graph;
based on the internal connection of the neural network, converting the entity nodes in the sample entity relation graph into low-dimensional vectors containing topological relations;
And based on the low-dimensional vector containing the topological relation, performing deep learning on the topological relation of the entity relation graph to obtain a graph neural network model.
In particular, the neuron connections in the Heimdall graph neural network model may include external connections and internal connections.
The external connections may be used to provide inputs to the neural network of the graph, and the internal connections may be used to convert the entity-relationship graph into a vectorized feature representation and to perform topology pattern learning based on the vectorized feature representation.
Specifically, taking a transient attack as an example, when Heimdall obtains the entity relationship graphs of a large number of normal application programs and transient attack programs respectively and labels them as model input, the topology of the entity relationships correspondingly forms the external connections of the graph neural network model, and the internal connection structure of the graph neural network model can be initialized according to empirical knowledge, for example: 1) the number of hidden layer neurons is set between the number of input layer neurons and the number of output layer neurons; 2) the number of hidden layer neurons should not exceed 2 times the number of input layer neurons. It can be seen that the internal connection structure mainly comprises hyperparameters such as the number of neural network layers and the number of neurons. New hyperparameters are then tried repeatedly with the aim of optimizing model accuracy, and the internal connection structure of the graph neural network model is finally determined.
Specifically, after the internal connection and the external connection are determined, the graph neural network model can convert the entity relation graph into vectorized feature expression, and deep learn the internal topological feature mode of the entity relation graph, so that the method has the capability of identifying normal application programs and attack programs, and solves the problems that the existing attack detection method excessively relies on manpower to extract and construct features and the existing attack detection method cannot effectively learn complex topological semantics.
Therefore, the topological relation of the entity nodes in the sample entity relation graph can first be acquired based on the external connection of the neural network; then, based on the internal connection of the neural network, the entity nodes in the sample entity relation graph are converted into low-dimensional vectors containing topological relations; and finally, based on the low-dimensional vectors containing the topological relations, deep learning is performed on the topological relation of the entity relation graph to obtain a graph neural network model.
Fig. 3 is a second schematic diagram of entity relationship establishment provided in the present invention, as shown in fig. 3, in order to better describe the relationship between the entity relationship diagram and the neural network model architecture, the nodes of the entity relationship diagram in fig. 2 may be numbered to obtain fig. 3.
It will be appreciated that the graph data structure has spatial characteristics, and that the numbering sequence does not affect the construction of the graph neural network model.
Fig. 4 is a schematic diagram of a neural network model architecture according to the present invention, as shown in fig. 4, corresponding to the entity relationship diagram in fig. 3, the external connection of the neural network model architecture is determined by the entity relationship diagram, and the internal connection is correspondingly determined by the existing neural network model.
Optionally, the detecting that the target program is an attack program includes:
and if the target program is an attack program of a preset class, identifying the class of the attack program based on a graph neural network model.
Specifically, taking a transient attack as an example, the transient attack based on a cache side channel belongs to a transient attack of a known type, the Heimdall graph neural network in the invention can identify and distinguish the known types after learning and training, and the topological characteristic vectorization expression of the known type transient attack has a similarity relation with the topological characteristic mode of the transient attack in the model, so that the graph neural network model, namely the Heimdall transient attack detection module in the embodiment can directly adopt a classification algorithm for identification.
Optionally, the known types may include, but are not limited to, at least one of: Spectre attacks and Meltdown attacks. Spectre attacks include the Spectre-PHT, Spectre-BTB, Spectre-RSB, and Spectre-STL types, of which Spectre-PHT, Spectre-BTB and Spectre-RSB can be further subdivided into cross-address-space and same-address-space types. Meltdown attacks include the Meltdown-US, Meltdown-P, Meltdown-GP, Meltdown-NM, Meltdown-RW, Meltdown-PK, Meltdown-BR, and Residual Meltdown types.
It should be understood that the classification algorithm herein does not refer to a specific classification algorithm, but rather refers to a functional sub-module in the graph neural network model that can classify known types of attacks, either as a separate or independent algorithm or as a separate or independent entity sub-module.
Specifically, the known types of attacks can be preset in the graph neural network model, for example, the graph neural network model with the classification function after training is set, including but not limited to, setting of different names which can enable the graph neural network model to output different types of attacks;
specifically, if the target program is an attack of a preset category, the category of the attack can be identified and obtained based on the neural network model; the name of the attack category may also be entered.
Optionally, the method further comprises:
and if the target program is not the attack program of the preset category, identifying the target program as an abnormal attack program based on the graph neural network model and the entity relation graph.
Specifically, for attacks that use other covert channels, although the Heimdall graph neural network learning module in the graph neural network model cannot directly learn attacks of unknown types, the vectorized topological feature representation of an unknown-type attack deviates from the topological feature pattern of normal application programs and is more similar to the topological feature pattern of the attacks in the model, so the Heimdall attack detection module in the graph neural network model can use an anomaly detection algorithm for identification.
It should be understood that the anomaly detection algorithm herein does not refer to a specific anomaly detection algorithm, but rather refers to a functional sub-module in the graph neural network model that can detect an unknown type of attack, and may not be a separate or independent algorithm, or may not be a separate or independent entity sub-module.
Specifically, if the target program is not the attack program of the preset category, the target program can be identified and determined to be the abnormal attack program based on the neural network model.
The learning method based on the graph neural network can use the low-dimensional vectors generated by feature representation learning to deeply learn the internal patterns of the topological features, which solves the problem that existing attack program detection methods cannot learn complex semantic patterns; the detection method based on the graph neural network is used to accurately identify attack programs and to detect possible variants of them.
According to the attack detection method provided by the invention, target instruction tracking information of the target program to be detected is acquired at run time, a target entity relationship graph between target instruction execution entities is determined based on that information, and the target program is then detected through a graph neural network model, which overcomes the defect of poor quality of attack detection training samples in the prior art. The learning method based on the graph neural network can perform automatic feature representation learning and topology pattern learning, which overcomes the defect that existing attack detection methods rely excessively on manual feature extraction and cannot capture graph topology relationship patterns in non-Euclidean space, so that attacks are detected accurately and reliably.
Fig. 5 is a schematic diagram of a detection system of a Heimdall neural network model provided by the present invention, as shown in fig. 5, taking a transient attack detection as an example, the system is composed of four key modules: the system comprises a program behavior data acquisition module, an entity relation diagram construction module, a diagram neural network learning module and a transient attack detection module.
The program behavior data acquisition module is used for collecting instruction tracking information when the central processing unit runs;
the entity relation diagram construction module is used for extracting entities in the instruction tracking information and relations among the entities;
the graph neural network learning module is used for carrying out automatic feature expression learning, converting entity nodes in the entity relation graph into low-dimensional vectors containing topological relations, and solving the problem that the existing transient attack detection method excessively relies on manpower to carry out feature extraction and construction. Meanwhile, the graph neural network utilizes the low-dimensional vectors to deeply learn the internal modes of the topological features, so that the problem that the existing transient attack detection method cannot effectively learn the complex topological semantics is solved.
The transient attack detection module is used for identifying transient attacks based on the cache side channel and detecting transient attack variants that use other covert channels.
It can be understood that the Heimdall graph neural network model detection system of the present invention can implement all the method steps implemented by the attack detection method, and can achieve the same technical effects, which are not described herein.
The attack detection device provided by the invention is described below, and the attack detection device described below and the attack detection method described above can be referred to correspondingly.
Fig. 6 is a schematic structural diagram of an attack detection device provided by the present invention, as shown in fig. 6, the device includes: an acquisition module 610, a determination module 620, and a detection module 630, wherein:
the acquiring module 610 is configured to acquire instruction tracking information when the target program runs;
the determining module 620 is configured to determine an entity relationship diagram between instruction execution entities based on the instruction tracking information;
the detection module 630 is configured to detect that the target program is an attack program based on the graph neural network model and the entity relationship graph.
Specifically, the attack detection device acquires instruction tracking information of the target program in running through the acquisition module 610; then, determining an entity relationship diagram between instruction execution entities based on the instruction tracking information through a determining module 620; finally, the detection module 630 can detect that the target program is an attack program based on the graph neural network model and the entity relationship graph.
It can be understood that the attack detection device of the present invention can implement all the method steps implemented by the attack detection method, and can achieve the same technical effects, which are not described herein.
According to the attack detection device provided by the invention, target instruction tracking information of the target program to be detected is acquired at run time, a target entity relationship graph between target instruction execution entities is determined based on that information, and the target program is then detected through the graph neural network model, which overcomes the defect of poor quality of attack detection training samples in the prior art. The learning method based on the graph neural network can perform automatic feature representation learning and topology pattern learning, which overcomes the defect that existing attack detection methods rely excessively on manual feature extraction and cannot capture graph topology relationship patterns in non-Euclidean space, so that attacks are detected accurately and reliably.
Fig. 7 is a schematic physical structure of an electronic device according to the present invention, as shown in fig. 7, the electronic device may include: processor 710, communication interface (Communications Interface) 720, memory 730, and communication bus 740, wherein processor 710, communication interface 720, memory 730 communicate with each other via communication bus 740. Processor 710 may invoke logic instructions in memory 730 to perform an attack detection method comprising:
Acquiring target instruction tracking information of a target program during operation;
determining a target entity relation diagram between target instruction execution entities based on the target instruction tracking information;
and detecting that the target program is an attack program based on the graph neural network model and the target entity relation graph.
Further, the logic instructions in the memory 730 described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of executing the methods provided above to perform an attack detection method, the method comprising:
acquiring target instruction tracking information of a target program during operation;
determining a target entity relation diagram between target instruction execution entities based on the target instruction tracking information;
and detecting that the target program is an attack program based on the graph neural network model and the target entity relation graph.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the above provided methods of attack detection, the method comprising:
acquiring target instruction tracking information of a target program during operation;
determining a target entity relation diagram between target instruction execution entities based on the target instruction tracking information;
and detecting that the target program is an attack program based on the graph neural network model and the target entity relation graph.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (6)

1. An attack detection method, comprising:
acquiring target instruction tracking information of a target program during operation;
determining a target entity relation diagram between target instruction execution entities based on the target instruction tracking information;
detecting that the target program is an attack program based on a graph neural network model and the target entity relation graph;
the method further comprises the steps of:
acquiring sample instruction tracking information when the central processing unit runs;
determining a sample entity relationship graph between sample instruction execution entities based on the sample instruction tracking information;
based on the sample entity relation diagram, establishing a neural network model of the diagram;
Based on the sample instruction tracking information, determining a sample entity relationship graph between sample instruction execution entities, comprising:
determining a sample entity and a relationship between sample entities based on the sample instruction tracking information;
establishing a sample entity relation diagram between the sample instruction execution entities by taking the sample entities as nodes of the sample entity relation diagram and taking the relation between the sample entities as edges of the sample entity relation diagram;
the establishing the graph neural network model based on the sample entity relation graph comprises the following steps:
marking the sample entity relation graph;
training the marked sample entity relation graph to obtain a graph neural network model;
training the marked sample entity relation graph to obtain a graph neural network model, wherein the training comprises the following steps:
based on the neural network external connection, obtaining the topological relation of the entity nodes in the sample entity relation graph;
based on the internal connection of the neural network, converting the entity nodes in the sample entity relation graph into low-dimensional vectors containing topological relations;
based on the low-dimensional vector containing the topological relation, performing deep learning on the topological relation of the entity relation graph to obtain a graph neural network model;
The neural network external connection is used for providing input of a graph neural network model, the neural network internal connection is used for converting a sample entity relation graph into a vectorized feature expression, and topology mode learning is performed based on the vectorized feature expression.
2. The attack detection method according to claim 1, wherein the detecting that the target program is an attack program includes:
and if the target program is an attack program of a preset class, identifying the class of the attack program based on a graph neural network model.
3. The attack detection method according to claim 1, wherein the method further comprises:
and if the target program is not the attack program of the preset category, identifying the target program as an abnormal attack program based on the graph neural network model and the entity relation graph.
4. An attack detection apparatus, comprising:
the acquisition module is used for acquiring instruction tracking information of the target program in running;
the determining module is used for determining an entity relation diagram between instruction execution entities based on the instruction tracking information;
the detection module is used for detecting that the target program is an attack program based on the graph neural network model and the entity relation graph;
The apparatus further comprises:
the information acquisition module is used for acquiring sample instruction tracking information when the central processing unit runs;
the relation diagram determining module is used for determining a sample entity relation diagram between sample instruction execution entities based on the sample instruction tracking information;
the model building module is used for building the graph neural network model based on the sample entity relation graph;
the relation diagram determining module is used for:
determining a sample entity and a relationship between sample entities based on the sample instruction tracking information;
establishing a sample entity relation diagram between the sample instruction execution entities by taking the sample entities as nodes of the sample entity relation diagram and taking the relation between the sample entities as edges of the sample entity relation diagram;
the model building module is used for:
marking the sample entity relation graph;
training the marked sample entity relation graph to obtain a graph neural network model;
the model building module is used for:
based on the neural network external connection, obtaining the topological relation of the entity nodes in the sample entity relation graph;
based on the internal connection of the neural network, converting the entity nodes in the sample entity relation graph into low-dimensional vectors containing topological relations;
Based on the low-dimensional vector containing the topological relation, performing deep learning on the topological relation of the entity relation graph to obtain a graph neural network model;
the neural network external connection is used for providing input of a graph neural network model, the neural network internal connection is used for converting a sample entity relation graph into a vectorized feature expression, and topology mode learning is performed based on the vectorized feature expression.
5. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the attack detection method according to any of claims 1 to 3 when the program is executed by the processor.
6. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the attack detection method according to any of claims 1 to 3.
CN202011507771.1A 2020-12-18 2020-12-18 Attack detection method, attack detection device, electronic equipment and storage medium Active CN112632535B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011507771.1A CN112632535B (en) 2020-12-18 2020-12-18 Attack detection method, attack detection device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112632535A CN112632535A (en) 2021-04-09
CN112632535B true CN112632535B (en) 2024-03-12

Family

ID=75317647


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant