CN113094707A - Transverse mobile attack detection method and system based on heterogeneous graph network - Google Patents

Transverse mobile attack detection method and system based on heterogeneous graph network Download PDF

Info

Publication number
CN113094707A
CN113094707A CN202110347685.7A CN202110347685A CN113094707A CN 113094707 A CN113094707 A CN 113094707A CN 202110347685 A CN202110347685 A CN 202110347685A CN 113094707 A CN113094707 A CN 113094707A
Authority
CN
China
Prior art keywords
user
graph
login
path
host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110347685.7A
Other languages
Chinese (zh)
Other versions
CN113094707B (en
Inventor
卢志刚
王天
姜波
刘俊荣
刘松
董璞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN202110347685.7A priority Critical patent/CN113094707B/en
Publication of CN113094707A publication Critical patent/CN113094707A/en
Application granted granted Critical
Publication of CN113094707B publication Critical patent/CN113094707B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • G06N3/088Non-supervised learning, e.g. competitive learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a heterogeneous graph network-based lateral mobile attack detection method and system. The method is based on an authentication log of an intranet, a login behavior diagram between a user and a host is structured, a user login diagram and a source host path diagram are constructed, and then two-stage anomaly detection is carried out on the diagrams. The first stage is based on a user login graph, a graph neural network algorithm with maximized mutual information is used for learning a behavior pattern of a host, and partial abnormal samples are obtained through calculation of a local abnormal factor algorithm; and in the second stage, based on the source host path diagram and the labeled samples obtained in the first stage, a heterogeneous diagram attention network algorithm is used for semi-supervised learning, and the transverse mobile attack behavior is detected. The method can simply and effectively detect the transverse mobile attack behavior under the condition of no sample label, has the effect exceeding that of most methods with supervision learning, and has high recall rate and low false alarm rate.

Description

Transverse mobile attack detection method and system based on heterogeneous graph network
Technical Field
The invention relates to the field of computer network security, which is used for resisting horizontal mobile attack behaviors implemented in advanced persistent threats, in particular to a horizontal mobile attack detection method and a horizontal mobile attack detection system based on a heterogeneous graph network.
Background
In recent years, with the rapid development of the internet, the network environment becomes increasingly complex, and the network attack increasingly presents a highly frequent situation. Among them, Advanced Persistent Threat (APT) benefits from the progress of the attack technique and the improvement of the attack organization, and attacks are increasingly frequent. Compared with other attacks, the APT attack has a longer latent period and larger destructive power, such as intervention in American great election, damage to a power grid and the like. The attack method is more comprehensive, and a customized attack tool can be developed through long-term observation on the target, so that the threat is huge. Therefore, the detection and protection of APT attacks have become an urgent problem to be solved in current network security.
Lateral movement is an extremely important ring of the APT attack, and is a main process for implementing the attack after an attacker enters an intranet. According to the ATT & CK framework, lateral movement consists of the technology used by attackers to enter and control remote systems on the network. After an attacker successfully invades the network and establishes a foothold, the attacker usually moves transversely in the network for the next step of attacking and collecting information of the target network, finally obtains the control right of the whole network, achieves the purposes of destroying the target network or infrastructure, stealing confidential data or core intellectual property rights and the like, and has great harm.
At present, the detection of the lateral movement attack is still in a relatively preliminary stage, and the research on the detection of the lateral movement attack mainly converts the detection into the detection of an abnormal user or a host in an intranet, and detects abnormal performance exceeding a threshold value by modeling the behavior of the user or the host. The detection target can be classified into a moving target type and a moving path type according to the detection target. The moving target type method mainly detects the user or host machine attacked and trapped by an attacker in the transverse moving attack; the moving path type method uses a moving path occurring in the lateral movement attack as a detection target. Much of the existing research work is focused on moving target type lateral movement attack detection, and the movement path of the lateral movement attack is less researched.
In conclusion, the transverse mobile attack usually pretends normal users to operate by stealing user credentials, has high concealment and is difficult to detect. The existing lateral movement attack detection research method generally converts the method into the detection of abnormal users or hosts in an intranet, but still has the following defects and shortcomings: firstly, the false alarm rate of the existing method is generally higher due to the massive multi-source security logs. Secondly, in an actual network environment, a few abnormal users or hosts cannot be observed or can be observed, and the abnormal users or hosts are not fully utilized; thirdly, the intranet is essentially an association diagram formed by users and a host, and lateral movement attack detection on the diagram is yet to be researched.
Disclosure of Invention
In order to solve the above problems, a two-stage lateral mobile attack detection method hglm (terrestrial Movement detection using Heterogeneous graph) based on a Heterogeneous graph network is proposed herein.
The principle of the invention is as follows: based on the authentication log of the intranet, the login behavior graph between the user and the host is structured, the user login graph and the source host path graph are constructed, and then two-stage anomaly detection is carried out on the graph. The first stage is based on a user login graph, a graph neural network algorithm with maximized mutual information is used for learning a behavior pattern of a host, and partial abnormal samples are obtained through calculation of a local abnormal factor algorithm; and in the second stage, based on the source host path diagram and the labeled samples obtained in the first stage, a heterogeneous diagram attention network algorithm is used for semi-supervised learning, and the transverse mobile attack behavior is detected.
In order to achieve the purpose, the invention adopts the specific technical scheme that:
a method for detecting lateral mobile attacks based on a heterogeneous graph network comprises the following steps:
1) and (6) data set extraction. Since the lateral movement attack involves login authentication behavior between the user and the host, the data set extraction is to collect authentication logs generated by the intranet equipment and construct a data set.
2) The security log graph is structured. And constructing a user login graph and a source host path graph by using the extracted data set.
3) Abnormal login behavior detection based on unsupervised learning: and carrying out abnormal login behavior detection based on unsupervised learning based on the user login graph. This section is the first stage of HGLM two-stage anomaly detection.
4) Lateral movement attack detection based on semi-supervised learning: and performing semi-supervised learning based lateral movement attack detection based on the source host path diagram and the small amount of labeled samples in the first stage. This section is the second stage of HGLM two-stage anomaly detection.
Further, the security log graph structuring mainly comprises three parts, namely data preprocessing, building of a user login graph and building of a source host path graph.
a) The first step of log graph structuring is to preprocess the authentication log of the intranet. The authentication log typically contains attributes such as authentication time, source user, target user, source host, target host, and authentication status. The original log information is redundantly refuted, and therefore needs to be processed into a format that conforms to the lateral movement attack scenario. First, since an attacker typically moves laterally from one host to another using a trapped user, we only need to focus on the same authentication events for the source user and the target user. Second, the lateral mobile attack involves at least two hosts, so we need to filter the same authentication events for the source host and the target host. In summary, the pretreatment process is as follows: giving an authentication log data set D, traversing each authentication event, screening out the events of which the source user is the same as the target user and the source host is different from the target host, and obtaining a processed data set D1
b) The User Authentication Graph (UAG) is a directionless homogeneous Graph, which represents the login behavior pattern between hosts for a certain time. Definition map GuIn the figure, a node V represents a host, and an edge E represents a login connection between hosts of a user. The login times of the user on the host under the sliding window are given to the nodes in the graph as the characteristics F, the edges in the graph are not given with the characteristics, only the connection relation is shown, and the user login graph network with the characteristics is obtained. In particular, given data set D1User u and sliding window length L, first at D1Screening out authentication events belonging to the user u to obtain a data set Du. Secondly, dividing the data into a plurality of time windows according to the length L of the sliding window, and calculating the login frequency characteristic F of the user on the host under different windows. Finally, traverse DuAdding the source host and the target host to a node V in the graph, adding an edge E (the node and the edge are ignored if the addition is repeated) of the source host and the target host connected to the graph, adding one to the login times of the source host and the target host in the window corresponding to the graph F, and obtaining a user login graph G with characteristics of a user u after the traversal is finishedu=(V,E,F)。
c) The source Host Path Graph (HPG) is a directed heterogeneous Graph, which represents the association relationship between the login Path of the user to the target Host and the source Host. Definition map GpTwo types of nodes are defined in the graph, (V, E, F), one type representing a source host VsrcClass V representing the user's login path to the target hostpathThere are also two types of edges, one type being the sending edge EsendThe login path node from the source host node to the target host points to the user, and represents that the user logs in from the source host to the target host; the other is depending edge EonThe point of the login path node from the user to the target host is to the source host node, which means that the login path from the user to the target host occurs on the source host, and the two types of edges are symmetrical. Through the occurrence frequency and the statistical characteristic F of the login path under the sliding window on the source hoststatisticAssigning edges to nodesOnly the connection relation is shown, and a source host path diagram network is obtained. In particular, given data set D1Sliding window length L and statistical characteristics FstatisticGo through D1Adding V to the source host at each eventsrcSplicing the user and the target host into a login path as a node to be added to the VpathAnd adding a connecting edge pointed to the login path by the source host to EsendSymmetrically adding a connecting edge pointed to the source host by the login path to EonAnd calculating the login frequency characteristics of the sliding window and the user login graph. Finally, the node V of the type of the login path in the graph is checkedpathTraversing to obtain the statistical characteristic FstatisticAppending to the node while targeting the source host node VsrcEndowing one-hot coding characteristics to obtain a source host path diagram G with characteristicsp(V, E, F). The used statistical characteristics comprise success and failure times of authentication from the user to the target host, the ratio of the authentication times from the user to the target host to the total authentication times of the user, and the minimum value, the maximum value and the average value of time intervals of authentication events from the user to the target host.
Further, the unsupervised learning-based abnormal login behavior detection comprises: based on a user login Graph, firstly, a Graph neural network algorithm (Deep Graph Infomax, DGI) with maximized mutual information is used for learning a behavior mode of a host, namely, a hidden layer feature representation of a sample is obtained by training mutual information of a local feature h and a global feature s of the maximized sample, specifically, in the Graph, a feature vector of each node is the local feature h of the node, training and learning are carried out through a Graph convolution kernel encoder, and the global feature s is obtained through an average readout function. And then, applying random disorder disturbance to the nodes to obtain negative samples, using a discriminator to score a sample pair consisting of h and s, and finally obtaining hidden layer representation of the nodes. And then, based on sample characteristic representation learned by DGI, detecting by using a Local abnormal Factor algorithm (LOF), obtaining a small amount of labeled host samples by setting a threshold, and synthesizing a login path from a user to a target host with the labeled host samples and a user group corresponding to the labeled host samples for second-stage semi-supervised learning.
Further, the semi-supervised learning based lateral movement attack detection comprises: based on a source host path graph and a small number of labeled samples in the first stage, a Heterogeneous graph Attention Network algorithm (HAN) is used for semi-supervised learning on the graph, and through learning the association between login path nodes, more transverse movement attack behaviors are detected. HAN introduces attention mechanisms into heterogeneous graphs, including node-level attention and semantic-level attention. By defining meta-paths (meta-paths) on the graph, node-level attention primarily learns the weights of neighboring nodes on its meta-paths, while semantic-level attention learning is based on the weights of different meta-paths. And finally, obtaining a final node representation through corresponding aggregation operation. Specifically, in the figure, two meta paths are defined: meta-path p from path node to source host node1(vpath,eon,vsrc) And meta path p from path node to source host node to path node2(vpath,eon,vsrc,esend,vpath). Based on the two meta paths, node level attention and semantic level attention features are calculated, the labeled samples in the first stage are used, cross entropy loss functions are used as targets for semi-supervised learning, and transverse movement attack behaviors are detected.
Based on the same inventive concept, the invention also provides a system for detecting the lateral mobile attack based on the heterogeneous graph network, which comprises the following steps:
the data acquisition module is used for collecting authentication logs generated by the intranet equipment and constructing a data set;
and the safety log graph structuring module is used for constructing a user login graph and a source host path graph by utilizing the data set.
The abnormal login behavior detection module based on unsupervised learning is used for detecting the abnormal login behavior based on unsupervised learning based on the user login graph;
and the transverse mobile attack detection module based on semi-supervised learning is used for carrying out transverse mobile attack detection based on semi-supervised learning based on the source host path diagram and the labeled sample obtained by detecting the abnormal login behavior based on unsupervised learning.
Compared with the prior art, the invention has the beneficial effects that:
the method can simply and effectively detect the transverse moving attack behavior under the condition of no sample label, the AUC value on the CMCS Events of the related public data set exceeds 95 percent, the TPR of part of users reaches 100 percent, the FPR is 0, the effect exceeds that of most methods with supervised learning, and the method has high recall rate and low false alarm rate.
Drawings
Fig. 1 is an overall flow chart of the present invention for detecting a lateral movement attack based on a heterogeneous graph network. Wherein X represents the initial characteristic of the positive sample, X 'represents the initial characteristic of the disturbed negative sample, H represents the hidden layer characteristic of the positive sample after graph convolution, H' represents the hidden layer characteristic of the negative sample after graph convolution, D represents a classifier, R represents an average Readout function, S represents the global characteristic calculated by the average Readout function, and Z represents the global characteristic calculated by the average Readout function1~ZpThe hidden layer features acquired through node level attention are represented, and Z represents the hidden layer features acquired through semantic level attention.
FIG. 2 is a flow chart of the construction of a user login diagram in the present invention.
FIG. 3 is a flow chart of the construction of a source host path graph in the present invention.
Fig. 4 is a flow chart of abnormal login behavior detection based on unsupervised learning in the present invention.
Fig. 5 is a flow chart of the lateral movement attack detection based on semi-supervised learning in the present invention.
Fig. 6 is a graph of the detection performance results of the HGLM in the method of the present invention for different users on the public data set CMCS Events.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the objects, features, and advantages of the present invention more comprehensible, the technical core of the present invention is described in further detail below with reference to the accompanying drawings and examples.
The invention discloses a heterogeneous graph network-based method for detecting a lateral mobile attack, which mainly comprises four parts of data acquisition, security log graph structurization, unsupervised learning-based abnormal login behavior detection and semi-supervised learning-based lateral mobile attack detection, and mainly comprises the following steps of:
step 100 is data set extraction, namely, collecting authentication logs generated by the intranet equipment for a period of time to form a data set.
Step 200 is a security log graph structuring, which mainly comprises three parts, namely data preprocessing, construction of a user login graph and construction of a source host path graph.
The construction of the user login diagram is shown in fig. 2.
Step 210, for a given data set D1First define user u and sliding window length L for use at D1And screening out authentication events belonging to the user u and calculating the login times characteristic F of the user on the host under different windows.
Step 220, for data set D1And traversing.
Step 230, at D1And screening out authentication events belonging to the user u.
Step 240, add the source host and the target host of the authentication event to node V in the graph, and add an edge E of the source host and the target host connected to the graph (node and edge are ignored if adding duplicates).
Step 250, calculating the login times characteristic F of the user on the host computer under different windows, and adding one to the login times of the source host computer and the target host computer under the corresponding windows.
Obtaining a user login graph G with characteristics of the user u after the traversal is finishedu=(V,E,F)。
The construction of the source host path graph is shown in fig. 3.
Step 260, given data set D1First, defining the length L of the sliding window and the extracted statistical characteristics Fstatistic
Step 270, traverse D1Adding V to the source host at each eventsrcSplicing the user and the target host into a login path as a node to be added to the VpathAnd adding a connecting edge pointed to the login path by the source host to EsendSymmetrically adding a connecting edge pointed to the source host by the login path to Eon
Step 280, calculating the occurrence frequency characteristic F of the login path under different windows, and adding one to the occurrence frequency of the login path under the corresponding window.
Step 290, corresponding statistical characteristics FstatisticAnd adding the information to the login path node.
After traversing, the source host node V in the graph is alignedsrcEndowing one-hot coding characteristic to obtain a source host path diagram G with the characteristicp=(V,E,F)。
Step 300 is a two-stage anomaly detection, the first stage is an unsupervised learning-based anomaly logging behavior detection, and the second stage is a semi-supervised learning-based lateral movement attack detection.
Abnormal login behavior detection based on unsupervised learning, as shown in fig. 4.
And step 310, based on the user login graph, firstly, learning the behavior pattern of the host by using DGI, and performing node disturbance by using a random disorder method to obtain a negative sample.
In step 320, the feature vector of each node in the graph is the local feature h of the node, training and learning are performed through a graph convolution kernel encoder, and the global feature s is obtained through an average readout function. And with the goal of maximizing the mutual information of the local features and the global features, a discriminator is used for scoring positive and negative 'sample pairs' consisting of h and s to obtain the hidden layer representation of the nodes.
And step 330, based on the sample characteristic representation learned by DGI, detecting by using a local abnormal factor algorithm, and obtaining a small amount of labeled host samples by setting a threshold value.
And finally, synthesizing the labeled host computer sample and the user group corresponding to the labeled host computer sample into a login path training sample from the user to the target host computer for the second-stage semi-supervised learning.
Lateral movement attack detection based on semi-supervised learning, as shown in fig. 5.
At step 340, semi-supervised learning on the graph is performed using the HAN based on the source host path graph and the small number of labeled exemplars of the first stage. First, two meta-paths are defined: meta-path p from path node to source host node1(vpath,eon,vsrc) And meta path p from path node to source host node to path node2(vpath,eon,vsrc,esend,vpath)。
And 350, calculating node level attention and semantic level attention features based on the two meta paths, performing semi-supervised learning by using the labeled samples in the first stage and taking a cross entropy loss function as a target, and detecting the lateral movement attack behavior.
And finally, combining the abnormal samples detected in the first stage and the second stage, namely, the transverse movement attack behavior result detected by the HGLM model.
Experiments on a CMCS Events open data set show that the AUC value of the detection result of the HGLM in the method exceeds 95%, the TPR of part of users reaches 100%, the FPR is 0, the effect exceeds that of most methods with supervised learning, and the method has high recall rate and low false alarm rate. The experimental results are shown in table 1, and compared with the existing methods, the method provided by the invention is simple and effective in HGLM, does not need a sample label, and can exceed most of supervised detection methods. In addition, the detection performance of the model on different users is shown in fig. 6, and it can be found that for most users, the recall rate of the model can exceed 95%, and the false alarm rate is lower than 5%.
TABLE 1 Performance comparison of lateral Shift attack detection models
Figure BDA0003001299700000071
Based on the same inventive concept, another embodiment of the present invention provides a system for detecting a lateral mobile attack based on a heterogeneous graph network, which includes:
the data acquisition module is used for collecting authentication logs generated by the intranet equipment and constructing a data set;
and the safety log graph structuring module is used for constructing a user login graph and a source host path graph by utilizing the data set.
The abnormal login behavior detection module based on unsupervised learning is used for detecting the abnormal login behavior based on unsupervised learning based on the user login graph;
and the transverse mobile attack detection module based on semi-supervised learning is used for carrying out transverse mobile attack detection based on semi-supervised learning based on the source host path diagram and the labeled sample obtained by detecting the abnormal login behavior based on unsupervised learning.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device (computer, server, smartphone, etc.) comprising a memory storing a computer program configured to be executed by the processor, and a processor, the computer program comprising instructions for performing the steps of the inventive method.
Based on the same inventive concept, another embodiment of the present invention provides a computer-readable storage medium (e.g., ROM/RAM, magnetic disk, optical disk) storing a computer program, which when executed by a computer, performs the steps of the inventive method.
Portions of the invention not described in detail (e.g., local anomaly factor algorithms) are well known to those skilled in the art.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail by using examples, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered in the claims of the present invention.

Claims (10)

1. A horizontal mobile attack detection method based on a heterogeneous graph network is characterized by comprising the following steps:
collecting authentication logs generated by intranet equipment and constructing a data set;
and constructing a user login graph and a source host path graph by using the data set.
Based on the user login graph, carrying out abnormal login behavior detection based on unsupervised learning;
and performing lateral movement attack detection based on semi-supervised learning based on the source host path diagram and the labeled sample obtained by detecting the abnormal login behavior based on unsupervised learning.
2. The method of claim 1, wherein data pre-processing is performed before constructing the user login graph and the source host path graph; the data preprocessing comprises the following steps: giving an authentication log data set D, traversing each authentication event, screening out the events of which the source user is the same as the target user and the source host is different from the target host, and obtaining a processed data set D1
3. The method of claim 2, wherein the user login graph is a homogeneous graph representing login behavior patterns between hosts for a certain period of time; the construction process of the user login graph comprises the following steps: given data set D1User u and sliding window length L, at D1Screening out authentication events belonging to the user u to obtain a data set Du(ii) a Dividing the data into a plurality of time windows according to the length L of the sliding window, and calculating the login frequency characteristic F of the user on the host under different windows; traverse DuIn each authentication event, a source host and a target host are added to a node V in the graph, an edge E of the source host and the target host connected to the graph is added, meanwhile, the login times of the source host and the target host in the window F under the corresponding window are increased by one, and the user login graph G with the characteristics of the user u is obtained after traversal is finishedu=(V,E,F)。
4. The method of claim 3, wherein the source host path graph is a directed heterogeneous graph representing an association between a user's login path to the target host and the source host; two types of nodes are defined in the source host path diagram, wherein one type represents a source host VsrcClass V representing the user's login path to the target hostpath(ii) a There are also two types of edges, one type being the sending edge EsendThe login path node from the source host node to the target host points to the user, and represents that the user logs in from the source host to the target host; the other is depending edge EonThe node of the login path from the user to the target host points to the node of the source host, which means that the login path from the user to the target host occurs on the source host, and the edges of the two types are symmetrical; through the occurrence frequency and the statistical characteristic F of the login path under the sliding window on the source hoststatisticAnd (4) endowing the nodes with edges which only represent connection relation to obtain a source host path graph network.
5. Method according to claim 4, characterized in that said statistical feature FstatisticThe method comprises the following steps: the authentication success and failure times of the user to the target host, the ratio of the authentication times of the user to the target host to the total authentication times of the user, and the minimum value, the maximum value and the average value of the time interval of the authentication event of the user to the target host.
6. The method of claim 1, wherein the unsupervised learning-based abnormal login behavior detection comprises:
based on a user login graph, learning a behavior pattern of a host by using a graph neural network algorithm with maximized mutual information, namely obtaining hidden layer feature representation of a sample by maximizing mutual information training of a local feature h and a global feature s of the sample;
obtaining a negative sample by applying random disorder disturbance to the node, and scoring a sample pair consisting of h and s by using a discriminator to obtain hidden layer representation of the node;
and based on sample characteristic representation learned by the graph neural network algorithm, detecting by using a local abnormal factor algorithm, obtaining a small number of labeled host samples by setting a threshold value, synthesizing a login path from a user to a target host with the corresponding user group, and using the login path for the second stage of semi-supervised learning.
7. The method of claim 1, wherein the semi-supervised learning based lateral movement attack detection comprises:
two meta paths are defined: a meta path from the path node to the source host node and a meta path from the path node to the source host node to the path node;
and calculating node-level attention and semantic-level attention features based on the two meta paths, performing semi-supervised learning by using the labeled sample obtained by detecting the abnormal login behavior based on unsupervised learning and taking a cross entropy loss function as a target, and detecting the lateral movement attack behavior.
8. A heterogeneous graph network based lateral mobile attack detection system using the method of any one of claims 1 to 7, comprising:
the data acquisition module is used for collecting authentication logs generated by the intranet equipment and constructing a data set;
and the safety log graph structuring module is used for constructing a user login graph and a source host path graph by utilizing the data set.
The abnormal login behavior detection module based on unsupervised learning is used for detecting the abnormal login behavior based on unsupervised learning based on the user login graph;
and the transverse mobile attack detection module based on semi-supervised learning is used for carrying out transverse mobile attack detection based on semi-supervised learning based on the source host path diagram and the labeled sample obtained by detecting the abnormal login behavior based on unsupervised learning.
9. An electronic apparatus, comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a computer, implements the method of any one of claims 1 to 7.
CN202110347685.7A 2021-03-31 2021-03-31 Lateral movement attack detection method and system based on heterogeneous graph network Active CN113094707B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110347685.7A CN113094707B (en) 2021-03-31 2021-03-31 Lateral movement attack detection method and system based on heterogeneous graph network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110347685.7A CN113094707B (en) 2021-03-31 2021-03-31 Lateral movement attack detection method and system based on heterogeneous graph network

Publications (2)

Publication Number Publication Date
CN113094707A true CN113094707A (en) 2021-07-09
CN113094707B CN113094707B (en) 2024-05-14

Family

ID=76671616

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110347685.7A Active CN113094707B (en) 2021-03-31 2021-03-31 Lateral movement attack detection method and system based on heterogeneous graph network

Country Status (1)

Country Link
CN (1) CN113094707B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114020593A (en) * 2021-11-08 2022-02-08 山东理工大学 Heterogeneous process log sampling method and system based on track clustering
CN114741688A (en) * 2022-03-14 2022-07-12 北京邮电大学 Unsupervised host intrusion detection method and system
CN115604032A (en) * 2022-12-01 2023-01-13 南京南瑞信息通信科技有限公司(Cn) Complex multi-step attack detection method and system for power system
WO2023042000A1 (en) * 2021-09-20 2023-03-23 International Business Machines Corporation Graph neural network (gnn) training using meta-path neighbor sampling and contrastive learning
CN115913616A (en) * 2022-09-23 2023-04-04 清华大学 Method and device for detecting transverse mobile attack based on heterogeneous graph abnormal link discovery

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519276A (en) * 2019-08-29 2019-11-29 中国科学院信息工程研究所 A method of detection Intranet transverse shifting attack
CN111967271A (en) * 2020-08-19 2020-11-20 北京大学 Analysis result generation method, device, equipment and readable storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519276A (en) * 2019-08-29 2019-11-29 中国科学院信息工程研究所 A method of detection Intranet transverse shifting attack
CN111967271A (en) * 2020-08-19 2020-11-20 北京大学 Analysis result generation method, device, equipment and readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王天: "基于异质图网络的横向移动攻击检测方法", 信息安全学报, pages 1 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023042000A1 (en) * 2021-09-20 2023-03-23 International Business Machines Corporation Graph neural network (gnn) training using meta-path neighbor sampling and contrastive learning
CN114020593A (en) * 2021-11-08 2022-02-08 山东理工大学 Heterogeneous process log sampling method and system based on track clustering
CN114020593B (en) * 2021-11-08 2024-05-14 山东理工大学 Heterogeneous process log sampling method and system based on track clustering
CN114741688A (en) * 2022-03-14 2022-07-12 北京邮电大学 Unsupervised host intrusion detection method and system
CN115913616A (en) * 2022-09-23 2023-04-04 清华大学 Method and device for detecting transverse mobile attack based on heterogeneous graph abnormal link discovery
CN115604032A (en) * 2022-12-01 2023-01-13 南京南瑞信息通信科技有限公司(Cn) Complex multi-step attack detection method and system for power system

Also Published As

Publication number Publication date
CN113094707B (en) 2024-05-14

Similar Documents

Publication Publication Date Title
CN113094707A (en) Transverse mobile attack detection method and system based on heterogeneous graph network
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
WO2016082284A1 (en) Modbus tcp communication behaviour anomaly detection method based on ocsvm dual-profile model
CN113283476B (en) Internet of things network intrusion detection method
Peng et al. Network intrusion detection based on deep learning
CN109389181B (en) Association rule generation method and device for power grid abnormal event
CN111598179B (en) Power monitoring system user abnormal behavior analysis method, storage medium and equipment
Ghosh et al. Proposed GA-BFSS and logistic regression based intrusion detection system
CN104899513A (en) Data diagram detection method for industrial control system malicious data attack
CN112491860A (en) Industrial control network-oriented collaborative intrusion detection method
CN109347863B (en) Improved immune network abnormal behavior detection method
CN112738014A (en) Industrial control flow abnormity detection method and system based on convolution time sequence network
CN117113228B (en) Electric power social engineering attack monitoring method and system based on deep learning
CN115883213B (en) APT detection method and system based on continuous time dynamic heterogeneous graph neural network
Qi Computer Real-Time Location Forensics Method for Network Intrusion Crimes.
CN116545679A (en) Industrial situation security basic framework and network attack behavior feature analysis method
CN113162904B (en) Power monitoring system network security alarm evaluation method based on probability graph model
KR102307632B1 (en) Unusual Insider Behavior Detection Framework on Enterprise Resource Planning Systems using Adversarial Recurrent Auto-encoder
Alqurashi et al. On the performance of isolation forest and multi layer perceptron for anomaly detection in industrial control systems networks
CN114679291A (en) System for monitoring industrial network intrusion
CN115051833B (en) Intercommunication network anomaly detection method based on terminal process
Zhang et al. Hierarchical clustering of group behaviors in cyber situation awareness
CN117579324B (en) Intrusion detection method based on gating time convolution network and graph
Qian et al. Research on network security situational awareness technology for building multi-element, integrated and highly elastic power grid
US20230095966A1 (en) Intrusion detection method based on improved immune network algorithm, and application thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant