CN113162794B - Next attack event prediction method and related equipment - Google Patents
Next attack event prediction method and related equipment Download PDFInfo
- Publication number
- CN113162794B CN113162794B CN202110113711.XA CN202110113711A CN113162794B CN 113162794 B CN113162794 B CN 113162794B CN 202110113711 A CN202110113711 A CN 202110113711A CN 113162794 B CN113162794 B CN 113162794B
- Authority
- CN
- China
- Prior art keywords
- attack
- attack chain
- chain
- event
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 57
- 238000000605 extraction Methods 0.000 claims abstract description 30
- 238000007781 pre-processing Methods 0.000 claims abstract description 13
- 238000012549 training Methods 0.000 claims description 36
- 238000012360 testing method Methods 0.000 claims description 13
- 238000003860 storage Methods 0.000 claims description 12
- 238000001914 filtration Methods 0.000 claims description 8
- 238000004422 calculation algorithm Methods 0.000 claims description 6
- 238000007637 random forest analysis Methods 0.000 claims description 6
- 238000004590 computer program Methods 0.000 claims description 5
- 230000006870 function Effects 0.000 claims description 5
- 238000004519 manufacturing process Methods 0.000 claims description 5
- 230000003203 everyday effect Effects 0.000 claims description 2
- 238000013138 pruning Methods 0.000 claims description 2
- 230000009467 reduction Effects 0.000 claims description 2
- 238000012163 sequencing technique Methods 0.000 claims 2
- 238000004220 aggregation Methods 0.000 claims 1
- 230000002776 aggregation Effects 0.000 claims 1
- 238000000638 solvent extraction Methods 0.000 claims 1
- 230000008569 process Effects 0.000 abstract description 10
- 238000005457 optimization Methods 0.000 abstract description 4
- 230000000694 effects Effects 0.000 abstract description 3
- 238000005070 sampling Methods 0.000 abstract description 3
- 238000002474 experimental method Methods 0.000 abstract description 2
- 238000004891 communication Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 7
- 238000004458 analytical method Methods 0.000 description 5
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 231100000279 safety data Toxicity 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 230000007123 defense Effects 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000004931 aggregating effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 238000010219 correlation analysis Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000008030 elimination Effects 0.000 description 1
- 238000003379 elimination reaction Methods 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000011835 investigation Methods 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 239000011159 matrix material Substances 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
One or more embodiments of the present disclosure provide a method for predicting a next attack event and related devices, which may be used to predict a next attack event in a power grid, where an attack chain formed by an alarm log generated in the power grid is used as source data, and the processes of data preprocessing, feature extraction, model selection, optimization, etc. are performed to input features extracted from the attack chain into a prediction model to predict the next attack event. Meanwhile, in the preprocessing process of the attack chain, a layered sampling method is provided for the problem of unbalanced power grid number attack chain, and in the characteristic extraction process, the text characteristic extraction method for the alarm content is improved. Experiments show that the accuracy and recall rate of the method and related equipment using the method in the actual prediction process reach 84.90% and 84.91%, respectively, and the effect of effectively predicting possible attack events is achieved.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a next attack event prediction method and related equipment.
Background
The vast majority of attacks that exist on the internet today are multi-step attacks. The correlation analysis of the multi-step attack event refines the high-level security event from the redundant low-level alarm information, a complete multi-step attack is provided, the steps have correlation, and the last step is the reason for the occurrence of the next step. Generally, the multi-step attack step is divided into five stages: the method comprises a investigation stage, a vulnerability scanning and analyzing stage, a permission acquisition stage, a permission keeping and attack implementation stage and a trace elimination stage.
In the initial stage of a multi-step attack event, an attacker often performs less harmful attack behaviors, and in the later stage of the multi-step attack event, the attacker often performs more harmful attack behaviors.
Conventional intrusion detection systems and firewall systems commonly used today can only report a single attack to a security administrator and lack active defense functionality, which makes security data on the network bulky and tedious to directly interpret. Because a large amount of redundant information exists and the safety data lacks unified standards, the limitation of high false alarm rate is easily caused, and effective identification of real attack events is interfered.
Therefore, research on multi-source heterogeneous security data fusion becomes a hot spot in recent years, and for complex network attacks, a network security event analysis model is established, which is important for managing and analyzing multi-source heterogeneous network security data, and the occurrence of attack events can be reflected through analysis and processing of the multi-source heterogeneous security data, so that the network attacks are prevented, and the effective monitoring of the whole network security situation is realized.
Disclosure of Invention
In view of this, it is an object of one or more embodiments of the present disclosure to provide a method and related apparatus for predicting a next attack event, so as to solve the problems encountered in the prior art.
Based on the above objects, one or more embodiments of the present disclosure provide a method for predicting a next attack event, which includes the following steps:
analyzing a power grid alarm log to generate an attack chain, wherein the attack chain is built by using host IP node association in a power grid;
preprocessing the attack chain, namely filtering the attack chain to remove heavy and extracting features, wherein node features and event features of the attack chain are obtained through the feature extraction operation;
inputting the extracted node characteristics and the extracted event characteristics into a prediction model, and outputting a prediction result by the prediction model.
Optionally, the prediction model is obtained through training by a random forest algorithm, an attack chain to be trained is analyzed and generated from an alarm log to be trained, the preprocessing is carried out, the attack chain to be trained is divided into layers, and the attack chain to be trained is divided into a training set and a testing set; inputting the node characteristics and the event characteristics of the extracted training set into the random forest algorithm to train to obtain a training model, inputting the node characteristics and the time characteristics of the extracted testing set into the training model, and calculating the accuracy of an output result of the training model, wherein the accuracy reaches a preset threshold value, and the training model is the prediction model; otherwise, continuing training the training model by using the node characteristics and the event characteristics of the training set, and adjusting and optimizing the training model until the accuracy of the output result reaches the preset threshold value when the node characteristics and the time characteristics of the test set are input into the optimized training model.
Based on the same inventive concept, one or more embodiments of the present disclosure further provide a next attack event prediction apparatus, including:
the attack chain generation module analyzes the power grid alarm log to generate the attack chain, wherein the attack chain is built by using host IP node association in the power grid;
the feature extraction module is used for preprocessing the attack chain and comprises filtering heavy and feature extraction of the attack chain, wherein node features and event features of the attack chain are obtained through the feature extraction operation;
and the prediction module inputs the extracted node characteristics and the extracted event characteristics into a prediction model, and observes a prediction result output by the prediction model.
Based on the same inventive concept, one or more embodiments of the present disclosure further provide an electronic device including a memory, a processor, and a computer program stored in the memory and executable by the processor, wherein the processor implements the method for predicting a next attack event when executing the computer program.
Based on the same inventive concept, one or more embodiments of the present specification further provide a non-transitory computer-readable storage medium, wherein the non-transitory computer-readable storage medium stores computer instructions that, when executed by a computer, cause the computer to implement the above-described next attack event prediction method.
From the foregoing, it can be seen that the next attack event prediction method and the related device provided in one or more embodiments of the present disclosure can propose a next attack event prediction model for a multi-step attack event, to predict a significant attack event that may occur in a power grid, and a power grid technician can take precautionary measures for the prediction result output by the model, so as to prevent a significant loss of the power grid system.
According to the next attack event prediction method and the related equipment provided by one or more embodiments of the present disclosure, an attack chain formed by an alarm log generated in a power grid is used as source data, and after data preprocessing, feature extraction, model selection, optimization and other processes, a next attack event prediction model with good generalization performance is finally formed, node features and time features extracted from the attack chain are input into the prediction model, and the prediction result is output after the feature is processed by the prediction model. Meanwhile, in the preprocessing process of the attack chain, a layered sampling method is provided for the problem of unbalanced power grid number attack chain, and in the characteristic extraction process, the text characteristic extraction method for the alarm content is improved. Experiments show that the accuracy rate and recall rate of the prediction model reach 84.90% and 84.91%, respectively, and the effect of effectively predicting possible attack events is achieved.
Drawings
For a clearer description of one or more embodiments of the present description or of the solutions of the prior art, the drawings that are necessary for the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are only one or more embodiments of the present description, from which other drawings can be obtained, without inventive effort, for a person skilled in the art.
FIG. 1 is a block diagram of a method for predicting next attack events according to one or more embodiments of the present disclosure;
FIG. 2 is a flowchart of attack chain generation provided by one or more embodiments of the present disclosure;
FIG. 3 is a diagram of a predictive model training step provided in one or more embodiments of the present disclosure;
FIG. 4 is a schematic diagram of an attack chain provided by one or more embodiments of the present disclosure;
FIG. 5 is a block diagram of a next attack event prediction apparatus provided in one or more embodiments of the present disclosure;
fig. 6 is a schematic diagram of an electronic device capable of implementing a method for predicting a next attack event according to one or more embodiments of the present disclosure.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same.
It is noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present disclosure should be taken in a general sense as understood by one of ordinary skill in the art to which the present disclosure pertains. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items.
As described in the background section, conventional intrusion detection systems and firewall systems can only report a single attack to security administrators and lack active defense functionality, which makes security data on the network bulky and tedious to interpret directly. Because a large amount of redundant information exists and the safety data lacks unified standards, the limitation of high false alarm rate is easily caused, and effective identification of real attack events is interfered. The prediction of multi-step attack events does not work well.
In order to solve the problems faced by the prior art, one or more embodiments of the present disclosure provide a method for predicting a next attack event and related devices. And generating an attack chain through an analysis result of the power grid alarm log analysis, carrying out feature extraction after de-duplication on the attack chain, obtaining node features and event features of the attack chain, inputting the two features into an optimized prediction model for prediction, and carrying out analysis and judgment according to a prediction result obtained by the model. The prediction model is obtained by training by using the characteristics extracted from the attack chain in the alarm log to be trained through a random forest algorithm, and the method can better predict the next attack event in the multi-step attack event and provides assistance for technicians.
Referring to fig. 1, the following steps of the attack event prediction method provided in one or more embodiments of the present disclosure are as follows:
and S101, analyzing a power grid alarm log to generate an attack chain, wherein the attack chain is constructed by using host IP node association in the power grid.
In this step, an attack chain needs to be established by using data in an alarm log, and the steps are as shown in fig. 2:
step S201, constructing an attack tree by utilizing IP node association of the host according to the data of the alarm log.
Step S202, aggregating the attack tree to obtain an initial attack chain.
And step S203, pruning and noise reduction are carried out on the initial attack chain to obtain the attack chain.
Step S102, preprocessing the attack chain, namely filtering heavy and feature extraction on the attack chain, wherein node features and event features of the attack chain are obtained through the feature extraction operation.
In the step, the generated attack chains need to be subjected to de-duplication operation, each obtained attack chain is firstly circularly traversed, the occurrence time of a first alarm event in each attack chain is recorded, and the occurrence time is compared with the start time of a production window of the corresponding attack chain; if the two are not equal, the attack chain is rejected, otherwise, the attack chain is reserved to wait for subsequent operation.
In this step, when node features of an attack chain are extracted, first, the node features are abstracted to obtain a vector set suitable for machine learning, and feature extraction is performed on the obtained vector set to obtain the node features.
The method adopted when extracting the node characteristics is to abstract the attack chain event type data text in the vector set into one-hot codes by using a text characteristic extraction function, and process the obtained codes to obtain 8-dimensional node characteristics, comprising the following steps:
accessing the number of the IP of the local machine;
accessing the number of suspicious IP of the local machine;
the local IP is a suspicious source IP, if the local IP is the suspicious source IP which is 1, otherwise, the local IP is 0;
the local IP is a victim IP, is 1 and is not 0;
the local IP is a suspicious source IP and a victim IP, is 1 and is not 0;
accessing the number of other IPs;
accessing the number of victim IPs;
total number of events with destination IP.
The text feature extraction function only considers the frequency of each word, then forms a feature matrix, and each row represents word frequency statistics results of a training text; one-hot encoding, also known as one-bit valid encoding, uses an N-bit status register to encode N states, each of which is represented by its independent register bit, and only one of which is valid at any time.
And step S103, inputting the extracted node characteristics and the extracted event characteristics into a prediction model, and outputting a prediction result by the prediction model.
As an alternative embodiment, referring to fig. 3, the prediction model training method for performing the next attack event prediction is as follows:
step S301, an alarm log is obtained from power grid safety equipment, safety data including an attack chain, key equipment and key events are obtained by analyzing the power grid alarm log, and the attack chain is divided into a training set and a testing set after being preprocessed.
In the step, when the training set and the testing set are divided, firstly, sorting the training set and the testing set according to the time displayed by the labels of the attack chains, and then sorting the attack chains every day according to the time sequence; and then extracting the first 80% as the training set and the remaining 20% as the test set according to the sorting result.
And step S302, extracting characteristics of an attack chain in a training set, inputting the obtained node characteristics and event characteristics including key equipment and key events into a random forest algorithm for training to obtain a model, and optimizing a training result to obtain a next attack event prediction model.
And step 303, extracting characteristics of an attack chain in the test set, inputting the obtained node characteristics and the time characteristics into the obtained next attack event prediction model, and observing whether the result meets a preset threshold value.
In this step, if the output result of the prediction model does not reach the preset threshold, the adjustment and optimization of the prediction model need to be continued by using the node features and the time features of the training set until the prediction result obtained by inputting the node features and the event features of the test set into the optimized prediction model reaches the preset threshold, and at this time, a prediction model capable of performing the prediction of the next attack event is obtained.
As an alternative embodiment, an attack chain is used to describe the execution process of the next attack event prediction method, and an attack chain from the power grid is used to anonymize the IP address for protecting privacy. In this attack chain, host 20.16 initiates a host scan event to host 154.2, and host 154.2 initiates an abnormal data access event to host 20.17. The attack chain is shown in fig. 4.
The two alarm events occur in the attack chain and are detected by the power grid system: the IP number of accessing the attack chain is 23; the number of suspicious IP accessing the local machine is 64; the attack chain has victim IP and suspicious IP; the number of other IP accesses of the host IP in the attack chain is 12; the number of access victim IPs is 2; the total number of events to reach the destination IP is 2.
TABLE 1 characterization of the extraction of the attack chain
| Numbering device | Feature dimension | Numerical value |
| 1 | Host scan event | 1 |
| 2 | Abnormal data access event | 1 |
| 3 | IP number for accessing the attack chain | 23 |
| 4 | Number of suspicious IP accessing to local machine | 64 |
| 5 | Whether there is victim IP | 1 |
| 6 | Whether or not source IP exists | 1 |
| 7 | Whether there is victim IP and source IP | 1 |
| 8 | Number of accesses to other IP | 12 |
| 9 | Number of access victim IP | 2 |
| 10 | Total number of events to reach destination IP | 2 |
The feature 1 and the feature 2 in the table 1 are the extracted event features of the attack chain, the event type with the value of 0 obtained by feature extraction has 125 dimensions, which are not listed in the table 1, the feature 3 to the feature 10 are node features of the attack chain, the feature data in the table 1 are input into a built and optimized prediction model, and the prediction result output by the model is that the next event of the attack chain is an intrusion event.
The next attack event prediction method provided by one or more embodiments of the present disclosure can predict a multi-step attack event in a power grid, and predict a next attack event possibly occurring in advance in the first several stages of the multi-step attack, so as to actively prevent occurrence of a major hazard in real time, and correct attack weaknesses and security vulnerabilities in the network according to the next predicted event timely and effectively, and timely respond and block the network attack.
Aiming at multi-step attack events occurring in a power grid, one or more embodiments of the present disclosure provide a next-step attack event prediction method, wherein an attack chain formed by an alarm log occurring in the power grid is used as source data, and the next-step attack event prediction model with better generalization performance is finally formed through the processes of data preprocessing, feature extraction, model selection, optimization and the like. Meanwhile, in the preprocessing process of the data set, a hierarchical sampling method is provided for the problem of unbalanced power grid data, and in the characteristic extraction process, the text characteristic extraction method for the alarm content is improved. The accuracy rate and recall rate of the next attack event prediction model of the invention reach 84.90% and 84.91%, respectively, so as to achieve the effect of effectively predicting the possible attack event.
It should be noted that the methods of one or more embodiments of the present description may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of one or more embodiments of the present description, the devices interacting with each other to accomplish the methods.
It should be noted that the foregoing describes specific embodiments of the present invention. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, one or more embodiments of the present disclosure also provide a next attack event prediction device corresponding to the method of any embodiment.
Referring to fig. 5, the next attack event prediction apparatus includes:
and the attack chain generation module 501 analyzes the power grid alarm log to generate the attack chain, wherein the attack chain is constructed by using host IP node association in the power grid.
The feature extraction module 502 performs preprocessing on the attack chain, including filtering heavy and feature extraction on the attack chain, where node features and event features of the attack chain are obtained through the feature extraction operation.
And the prediction module 503 inputs the extracted node characteristics and the event characteristics into a prediction model, and observes a prediction result output by the prediction model.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in one or more pieces of software and/or hardware when implementing one or more embodiments of the present description.
The device of the foregoing embodiment is configured to implement the corresponding next attack event prediction method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, one or more embodiments of the present disclosure further provide an electronic device, corresponding to the method of any of the embodiments, including a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor executes the program to implement the method of predicting a next attack event according to any of the embodiments.
Fig. 6 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit ), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory ), static storage device, dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the corresponding next attack event prediction method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, one or more embodiments of the present disclosure also provide a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the next attack event prediction method according to any of the embodiments.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.
The storage medium of the foregoing embodiment stores computer instructions for causing the computer to execute the next attack event prediction method according to any of the foregoing embodiments, and has the advantages of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the disclosure, including the claims, is limited to these examples; combinations of features of the above embodiments or in different embodiments are also possible within the spirit of the present disclosure, steps may be implemented in any order, and there are many other variations of the different aspects of one or more embodiments described above which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure one or more embodiments of the present description. Furthermore, the apparatus may be shown in block diagram form in order to avoid obscuring the one or more embodiments of the present description, and also in view of the fact that specifics with respect to implementation of such block diagram apparatus are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The present disclosure is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the one or more embodiments of the disclosure, are therefore intended to be included within the scope of the disclosure.
Claims (7)
1. A next attack event prediction method, comprising:
analyzing the power grid alarm log to generate an attack chain; the attack chain is built by using host IP node association in the power grid;
filtering the attack chain to remove heavy and extracting features; the node characteristics and the event characteristics of the attack chain are obtained through the characteristic extraction operation;
wherein filtering the attack chain for deduplication comprises:
traversing each attack chain in a circulating way and recording the occurrence time of a first alarm event in each attack chain;
comparing the occurrence time with the start time of the production window of each attack chain corresponding to the occurrence time, and if the occurrence time is not equal to the start time of the production window of each attack chain, removing the attack chain;
extracting the attack chain characteristics, including:
abstracting the attack chain into a vector set, abstracting the vector set into a single thermal code by adopting a text feature extraction function, and taking the single thermal code as the node feature;
the key events and key hosts recorded in the power grid alarm log are used as the event characteristics;
inputting the extracted node characteristics and the extracted event characteristics into a prediction model, and outputting a prediction result by the prediction model.
2. The method of claim 1, wherein analyzing the grid alarm log generates an attack chain comprising:
analyzing the alarm log, and constructing an attack tree by the IP node association of the host;
performing aggregation treatment on the attack tree to obtain an initial attack chain;
pruning and noise reduction are carried out on the initial attack chain to obtain the attack chain.
3. The method of claim 2, wherein the predictive model is trained by a random forest algorithm, comprising:
analyzing and generating an attack chain to be trained from an alarm log to be trained, preprocessing, carrying out layered division on the attack chain to be trained, and dividing the attack chain to be trained into a training set and a testing set;
inputting the node characteristics and the event characteristics of the training set into the random forest algorithm to train to obtain a training model, inputting the node characteristics and the time characteristics of the test set into the training model, and calculating the accuracy of an output result of the training model, wherein the accuracy reaches a preset threshold value, and the training model is the prediction model;
otherwise, continuing training the training model by using the node characteristics and the event characteristics of the training set, and adjusting and optimizing the training model until the accuracy of the output result reaches the preset threshold value when the node characteristics and the time characteristics of the test set are input into the optimized training model.
4. A method according to claim 3, wherein hierarchically partitioning the attack chain to be trained comprises:
sequencing the to-be-trained attack chains according to the time displayed by the labels of the to-be-trained attack chains, and sequencing the to-be-trained attack chains every day according to the time sequence;
according to the sorting result, the first 80% is extracted as the training set, and the remaining 20% is extracted as the test set.
5. A next attack event prediction apparatus comprising:
the attack chain generation module analyzes the power grid alarm log to generate the attack chain, wherein the attack chain is built by using host IP node association in the power grid;
the feature extraction module is used for preprocessing the attack chain and comprises filtering heavy and feature extraction of the attack chain, wherein node features and event features of the attack chain are obtained through the feature extraction operation;
wherein filtering the attack chain for deduplication comprises:
traversing each attack chain in a circulating way and recording the occurrence time of a first alarm event in each attack chain;
comparing the occurrence time with the start time of the production window of each attack chain corresponding to the occurrence time, and if the occurrence time is not equal to the start time of the production window of each attack chain, removing the attack chain;
extracting the attack chain characteristics, including:
abstracting the attack chain into a vector set, abstracting the vector set into a single thermal code by adopting a text feature extraction function, and taking the single thermal code as the node feature;
the key events and key hosts recorded in the power grid alarm log are used as the event characteristics;
and the prediction module inputs the extracted node characteristics and the extracted event characteristics into a prediction model, and observes a prediction result output by the prediction model.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, characterized in that the processor implements the method according to any one of claims 1 to 4 when executing the computer program.
7. A non-transitory computer readable storage medium storing computer instructions which, when executed by a computer, cause the computer to implement the method of any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110113711.XA CN113162794B (en) | 2021-01-27 | 2021-01-27 | Next attack event prediction method and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110113711.XA CN113162794B (en) | 2021-01-27 | 2021-01-27 | Next attack event prediction method and related equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113162794A CN113162794A (en) | 2021-07-23 |
| CN113162794B true CN113162794B (en) | 2024-01-16 |
Family
ID=76878861
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110113711.XA Active CN113162794B (en) | 2021-01-27 | 2021-01-27 | Next attack event prediction method and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113162794B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114422186A (en) * | 2021-12-21 | 2022-04-29 | 深信服科技股份有限公司 | Attack detection method and device, electronic equipment and storage medium |
| CN114301692B (en) * | 2021-12-29 | 2023-12-12 | 中国电信股份有限公司 | Attack prediction method, device, medium and equipment |
| CN114124587B (en) * | 2022-01-29 | 2022-06-28 | 北京安帝科技有限公司 | Attack chain processing method and system and electronic equipment |
| CN114528404A (en) * | 2022-02-18 | 2022-05-24 | 浪潮卓数大数据产业发展有限公司 | Method and device for identifying provincial and urban areas |
| CN115391354A (en) * | 2022-10-08 | 2022-11-25 | 深圳市众云网有限公司 | Network optimization information management system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108833186A (en) * | 2018-06-29 | 2018-11-16 | 北京奇虎科技有限公司 | A kind of network attack prediction technique and device |
| CN109347827A (en) * | 2018-10-22 | 2019-02-15 | 东软集团股份有限公司 | Method, apparatus, equipment and the storage medium of attack prediction |
| CN110213077A (en) * | 2019-04-18 | 2019-09-06 | 国家电网有限公司 | A kind of method, apparatus and system of determining electric power monitoring system security incident |
-
2021
- 2021-01-27 CN CN202110113711.XA patent/CN113162794B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108833186A (en) * | 2018-06-29 | 2018-11-16 | 北京奇虎科技有限公司 | A kind of network attack prediction technique and device |
| CN109347827A (en) * | 2018-10-22 | 2019-02-15 | 东软集团股份有限公司 | Method, apparatus, equipment and the storage medium of attack prediction |
| CN110213077A (en) * | 2019-04-18 | 2019-09-06 | 国家电网有限公司 | A kind of method, apparatus and system of determining electric power monitoring system security incident |
Non-Patent Citations (2)
| Title |
|---|
| 基于告警事件特征的网络攻击行为实时预警研究;高泽芳;王岱辉;王昀;文成江;;电信工程技术与标准化(12);第38-42页 * |
| 电力监控系统的网络安全威胁溯源技术研究;李泽科;陈泽文;王春艳;徐志光;梁野;;电力工程技术(02);第173-179页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113162794A (en) | 2021-07-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113162794B (en) | Next attack event prediction method and related equipment | |
| US20200296137A1 (en) | Cybersecurity profiling and rating using active and passive external reconnaissance | |
| US11165815B2 (en) | Systems and methods for cyber security alert triage | |
| US10248910B2 (en) | Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform | |
| US11218510B2 (en) | Advanced cybersecurity threat mitigation using software supply chain analysis | |
| US20220210202A1 (en) | Advanced cybersecurity threat mitigation using software supply chain analysis | |
| CN104115117A (en) | Automatic synthesis of unit tests for security testing | |
| US20220294810A1 (en) | Asset Remediation Trend Map Generation and Utilization for Threat Mitigation | |
| US20230418938A1 (en) | Attack kill chain generation and utilization for threat analysis | |
| US20170068892A1 (en) | System and method for generation of a heuristic | |
| Kumar Raju et al. | Event correlation in cloud: a forensic perspective | |
| CN114760106A (en) | Network attack determination method, system, electronic device and storage medium | |
| CN112688966A (en) | Webshell detection method, device, medium and equipment | |
| US11290473B2 (en) | Automatic generation of detection alerts | |
| Hemdan et al. | Spark-based log data analysis for reconstruction of cybercrime events in cloud environment | |
| Kim et al. | AIBFT: artificial intelligence browser forensic toolkit | |
| Daghmehchi Firoozjaei et al. | Memory forensics tools: a comparative analysis | |
| CN114070642A (en) | Network security detection method, system, device and storage medium | |
| CN111104670B (en) | APT attack identification and protection method | |
| Gulmez et al. | Analysis of the dynamic features on ransomware detection using deep learning-based methods | |
| CN115589339B (en) | Network attack type identification method, device, equipment and storage medium | |
| Odebade et al. | Mitigating anti-forensics in the cloud via resource-based privacy preserving activity attribution | |
| CN113971284A (en) | JavaScript-based malicious webpage detection method and device and computer-readable storage medium | |
| CN114900375A (en) | Malicious threat detection method based on AI graph analysis | |
| CN115827379A (en) | Abnormal process detection method, device, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |