CN113553584A - Method, system and storage medium for detecting unknown threats of industrial internet security - Google Patents


Info

Publication number
CN113553584A
Authority
CN
China
Prior art keywords
attack
industrial internet
unknown
threat
detection data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110870023.8A
Other languages
Chinese (zh)
Inventor
李俊
王冲华
周昊
林晨
张雪莹
余果
樊佩茹
郝志强
孙岩
张煜珠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Industrial Control Systems Cyber Emergency Response Team
Original Assignee
China Industrial Control Systems Cyber Emergency Response Team
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Industrial Control Systems Cyber Emergency Response Team
Priority to CN202110870023.8A
Publication of CN113553584A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The invention relates to a method and a system for detecting unknown threats to industrial internet security. In the method, attack genes and attack stages are extracted from acquired historical industrial internet detection data, which comprises malicious samples and attack events, and a mapping relation between the attack genes and the attack stages is established. Once the mapping relation is established, a threat detection method is applied, according to the mapping relation, to determine the unknown threats in the acquired current industrial internet detection data, so that device-dependent malicious attacks are effectively detected and the efficiency and accuracy of discovering unknown threats are improved.

Description

Method, system and storage medium for detecting unknown threats of industrial internet security
Technical Field
The invention relates to the technical field of computers, in particular to a method and a system for detecting unknown threats to industrial internet security and a storage medium.
Background
With the informatization and intelligentization of industrial systems, the number of industrial internet intelligent devices has risen sharply, and the frequency of attacks carried out through these devices has increased markedly. At the same time, industrial internet systems must consider compatibility and similar concerns, so patches and upgrades are rarely applied, and some workstation suppliers even explicitly require that users not upgrade the system. As a result, large numbers of security vulnerabilities accumulate after a system has run for a long time; these vulnerabilities are widespread and cheap to exploit, so more and more attack groups use vulnerabilities in industrial systems to launch network attacks against industrial internet devices. The threat that malicious code poses to industrial systems is also becoming more severe.
Security technology for traditional IT systems is maturing steadily, but there are essential differences between information systems and industrial control systems: IT security technology cannot be applied directly to industrial control systems, and industrial control system security must develop protective measures that fit the characteristics of those systems. However, industrial internet intelligent devices are heterogeneous, with many kinds of device systems and large differences in device performance, and traditional unknown threat detection means are mostly based on combined dynamic and static analysis, so malicious attacks that depend on the device cannot be effectively detected.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a method, a system and a storage medium for detecting unknown threats to the security of an industrial internet.
In order to achieve the purpose, the invention provides the following scheme:
an unknown industrial internet security threat detection method comprises the following steps:
acquiring historical industrial internet detection data; the historical industrial internet detection data comprises: malicious samples and attack events;
extracting attack genes and attack stages from the historical detection data; the attack genes include: basic attack genes and complex attack genes;
establishing a mapping relation between the attack genes and the attack stages;
acquiring current industrial internet detection data;
determining unknown threats in the current industrial internet detection data by adopting a threat detection method according to the mapping relation; the unknown threat is an attack threat brought by unknown malicious codes.
Preferably, the determining, according to the mapping relationship, the unknown threat in the current industrial internet detection data by using a threat detection method specifically includes:
according to the mapping relation, determining unknown threats in the current industrial internet detection data by adopting a malicious code attack association method based on multi-feature fusion;
or according to the mapping relation, determining unknown threats in the current industrial internet detection data by adopting a malicious code intelligent evaluation method based on multi-source heterogeneous data.
Preferably, the determining, according to the mapping relationship, the unknown threat in the current industrial internet detection data by using a malicious code attack association method based on multi-feature fusion specifically includes:
extracting attack features in the current industrial internet detection data;
carrying out attack correlation analysis on the attack characteristics to obtain an attack correlation analysis result;
and determining an attack intention according to the attack correlation analysis result based on the mapping relation.
Preferably, according to the mapping relationship, determining an unknown threat in the current industrial internet detection data by using a malicious code intelligent evaluation method based on multi-source heterogeneous data specifically includes:
cleaning the current industrial internet detection data to obtain cleaned data;
performing feature abstraction on the cleaned data to obtain multi-dimensional evaluation features;
performing feature selection on the multi-dimensional evaluation features to obtain multi-dimensional features;
performing feature dimensionality reduction on the multi-dimensional features to obtain low-dimensional features;
acquiring a malicious code evaluation model;
determining the threat degree of the malicious code by using the low-dimensional features as input and adopting the malicious code evaluation model;
and determining an attack intention according to the mapping relation based on the threat degree of the malicious code.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
In the method for detecting unknown threats to industrial internet security, attack genes and attack stages are extracted from the acquired historical industrial internet detection data, which comprises malicious samples and attack events, and a mapping relation between the attack genes and the attack stages is established. Once the mapping relation is established, a threat detection method is applied, according to the mapping relation, to determine the unknown threats in the acquired current industrial internet detection data, so that device-dependent malicious attacks are effectively detected and the efficiency and accuracy of discovering unknown threats are improved.
Corresponding to the method for detecting the unknown industrial internet security threat, the invention also provides the following embodiments:
an industrial internet security unknown threat detection system, comprising:
the first acquisition module is used for acquiring historical industrial internet detection data; the historical industrial internet detection data comprises: malicious samples and attack events;
the gene and attack stage extraction module is used for extracting attack genes and attack stages from the historical detection data; the attack genes include: basic attack genes and complex attack genes;
the mapping relation establishing module is used for establishing the mapping relation between the attack genes and the attack stages;
the second acquisition module is used for acquiring the current industrial internet detection data;
the unknown threat detection module is used for determining unknown threats in the current industrial internet detection data by adopting a threat detection method according to the mapping relation; the unknown threat is an attack threat brought by unknown malicious codes.
Preferably, the unknown threat detection module specifically includes:
the first unknown threat detection unit is used for determining unknown threats in the current industrial internet detection data by adopting a malicious code attack association method based on multi-feature fusion according to the mapping relation;
or the second unknown threat detection unit is used for determining the unknown threat in the current industrial internet detection data by adopting a malicious code intelligent evaluation method based on multi-source heterogeneous data according to the mapping relation.
Preferably, the first unknown threat detection unit specifically includes:
the attack characteristic extraction subunit is used for extracting attack characteristics in the current industrial internet detection data;
the attack correlation analysis subunit is used for carrying out attack correlation analysis on the attack characteristics to obtain an attack correlation analysis result;
and the first attack intention determining subunit is used for determining the attack intention according to the attack correlation analysis result based on the mapping relation.
Preferably, the second unknown threat detection unit specifically includes:
the cleaning subunit is used for cleaning the current industrial internet detection data to obtain cleaned data;
the characteristic abstraction subunit is used for carrying out characteristic abstraction on the cleaned data to obtain multi-dimensional evaluation characteristics;
the characteristic selection subunit is used for carrying out characteristic selection on the multi-dimensional evaluation characteristics to obtain multi-dimensional characteristics;
the characteristic dimension reduction subunit is used for carrying out characteristic dimension reduction on the multi-dimensional characteristic to obtain a low-dimensional characteristic;
the malicious code evaluation model obtaining subunit is used for obtaining a malicious code evaluation model;
the threat degree determining subunit is used for determining the threat degree of the malicious code by using the low-dimensional features as input and adopting the malicious code evaluation model;
and the second attack intention determining subunit is used for determining the attack intention according to the mapping relation based on the threat degree of the malicious code.
A computer-readable storage medium having a software program stored therein is also provided; the software program is used for executing the industrial internet security unknown threat detection method.
The technical effects achieved by the industrial internet security unknown threat detection system and the computer-readable storage medium provided by the invention are the same as those achieved by the industrial internet security unknown threat detection method, and therefore, the technical effects are not repeated herein.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
FIG. 1 is a flow chart of a method for detecting unknown threats to industrial Internet security provided by the present invention;
FIG. 2 is a schematic block diagram of an unknown threat detection method for industrial Internet security provided by the present invention;
FIG. 3 is a schematic diagram of basic attack gene extraction in the method for detecting unknown threats to industrial Internet security according to the present invention;
FIG. 4 is a schematic diagram of complex attack gene extraction in the method for detecting unknown threats to industrial Internet security provided by the invention;
FIG. 5 is a schematic block diagram of a malicious code attack correlation method based on multi-feature fusion in the unknown threat detection method for industrial internet security provided by the invention.
FIG. 6 is a schematic structural diagram of an unknown threat detection system for industrial internet security provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a method, a system and a storage medium for detecting unknown threats of industrial internet security, so as to realize effective detection of malicious attacks depending on equipment and further improve the efficiency and accuracy of finding unknown threats.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
In view of the problems that industrial internet intelligent devices are heterogeneous, device systems are various, device performance differs widely, traditional unknown threat detection means are mostly based on combined dynamic and static analysis, and malicious attacks that depend on the operation of the device cannot be effectively detected, and based on the principle shown in fig. 2, the invention provides the following industrial internet security unknown threat detection method based on a cyberspace threat framework. Unknown threats are discovered mainly by deeply analysing the behavior record data of a simulation platform, extracting attack genes, and mapping the attack genes onto the corresponding cyberspace threat framework.
Specifically, as shown in fig. 1, the method for detecting unknown threats to industrial internet security provided by the invention comprises the following steps:
Step 100: acquiring historical industrial internet detection data. The historical industrial internet detection data comprises malicious samples and attack events.
Step 101: extracting attack genes and attack stages from the historical detection data. The attack genes include basic attack genes and complex attack genes.
Step 102: establishing a mapping relation between the attack genes and the attack stages.
Step 103: acquiring current industrial internet detection data.
Step 104: determining unknown threats in the current industrial internet detection data by a threat detection method according to the mapping relation. The unknown threat is an attack threat brought by unknown malicious code.
The process of extracting attack genes in step 101, based on the discovered malicious samples and attack events, is as follows:
the samples are pre-processed, for example by format recognition, unpacking and shell removal. Feature screening and dimension reduction are then performed based on threat degree evaluation and manual probability statistics, and the core attack genes are extracted.
Extracting the core attacking gene comprises: basic attack gene extraction and complex attack gene extraction.
As shown in fig. 3, the basic attack genes are derived mainly from the static and dynamic analysis results: the static analysis results and the dynamic analysis results are analysed and abstracted into features, and basic analysis may also be performed on the cleaned samples to obtain attack genes that can be used for homology analysis. Specifically, the basic attack genes mainly include malicious code determination features, malicious code attribute features, malicious code structural features, malicious code API call features, digital signature features, malicious code behavior features, and malicious code network features.
The malicious code determination features are extracted mainly from the verdict information of the malicious code and include its classification, family, variant, running platform, core behavior, instruction sequence and the like.
The malicious code attribute features are extracted mainly from the file attributes of the malicious code and include the file fuzzy hash, file type, compiler type, packer type, packaging type, version, language, the company the malicious code belongs to, file name and the like.
The malicious code structural features are extracted mainly from the structure of the malicious code and include the PE structure after decryption or unpacking: the number of sections, the generation timestamp, the PE entry point, PE section names, the PE import function list, the PE export function list, resources and the like. They also include character strings, mutexes, encryption and decryption algorithms or keys, compression and decompression algorithms, hook function lists, fuzzy hashes and the like.
The malicious code API call features are extracted mainly from the API call sequence of the malicious code and include the API call sequence, API call parameters and parameter values, key APIs and the like.
The digital signature features are extracted mainly from the binary executable file and include the issuer of the digital signature, the subject, the signature date, the signature validity period, the signature status (valid, expired, revoked, forged or stolen), the certificate list and the like.
The malicious code behavior features are extracted mainly from the runtime behavior of the malicious code and include the type of files dropped (for example PE file release), the names of dropped files, the names of files read and written, the registry values read and written, the names of processes terminated and started, the communication mode (such as RPC or IRC) and the like.
The malicious code network features are extracted mainly from the network activity of the malicious code and include the target IP addresses and ports accessed, the URLs and domain names accessed, the ports opened, the characteristics of the communication protocols used (HTTP, HTTPS, TCP, UDP, etc.) and the like. The protocol features include parameter features of public protocols and features of proprietary protocols, such as the byte content, field distribution and content specific to the data packets.
As shown in fig. 4, the complex attack genes are features obtained by deep format parsing and abstraction of a sample, and comprise the following 3 parts:
splitting the PE file by sections and by the additional (overlay) data;
deep parsing of compound documents (office, pdf, swf, rtf, etc.);
external data source mining (vulnerability and propagation feature mining).
Specifically, the extracted complex attack genes include: malicious code anti-analysis features, malicious code exploit features, malicious code slicing features, and structural exception features.
The malicious code anti-analysis features are extracted mainly from the anti-analysis and anti-antivirus characteristics of the malicious code and include anti-sandbox/anti-virtual-machine techniques, anti-debugging techniques, the list of antivirus products evaded, black and white process lists and the like. For example, some office files carrying macro viruses deliberately use AutoClose so that the macro is invoked only when the document is closed, or check whether the file name length exceeds 32 (analysts generally name samples by their hash); such triggers are often hard to reach during dynamic analysis, and the anti-analysis features can be extracted only by deep format parsing of the office file.
The malicious code vulnerability exploitation features are extracted mainly from the vulnerability techniques exploited by the malicious code and include the identifiers of the exploited vulnerabilities, the vulnerability names, shellcode features and the like.
The malicious code slicing features are obtained by slicing the PE file and extracting the fuzzy hashes of the different segments (sections, additional data, icons and the like) as slicing features.
The structural anomaly features are obtained by extracting the data of important fields of the file format, in particular anomalous fields, such as an infinite loop in the sector chain of an Office file header, or a maximum stream size specified by the Office file that is inconsistent with the 4096 defined by Microsoft, which indicate that the file has been maliciously tampered with.
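As an added illustration of the PE splitting, slicing and structural-anomaly features described above (this is not code from the patent), the following Python builds a minimal, constructed PE-shaped byte string, splits it into per-section slices and the overlay ("additional data" after the last section), hashes each slice, and flags a section header whose SizeOfRawData runs past the end of the file. SHA-256 stands in for the fuzzy hash the description names, since fuzzy hashing needs an external library; the `build_sample_pe` and `slice_pe` names, the sample layout and the anomaly checks are assumptions of this example.

```python
"""Split a PE image into section slices plus overlay, hash each slice, and
flag structural field anomalies (added illustration; the PE image below is
constructed for the example and is not a real or runnable executable)."""
import hashlib
import struct
from typing import Dict, List

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
COFF_SIZE = struct.calcsize(COFF_FMT)        # 20 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes


def build_sample_pe(oversize_data_section: bool = False) -> bytes:
    """Constructed input: DOS stub, PE signature, COFF header (no optional
    header, to keep it short), two section headers, their raw data and an
    overlay. With oversize_data_section=True the .data header claims more raw
    bytes than the file holds, the kind of field anomaly discussed above."""
    e_lfanew = 64
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # offset of "PE\0\0"
    text = b"\x55\x8b\xec\x5d\xc3" * 6                      # 30 bytes of filler code
    data = b"cfg=ics-demo;v=1"                              # 16 bytes of filler data
    headers_end = e_lfanew + 4 + COFF_SIZE + 2 * SECTION_SIZE   # 168
    coff = struct.pack(COFF_FMT, 0x014C, 2, 0x60E00000, 0, 0, 0, 0x0102)
    sec_text = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text),
                           headers_end, 0, 0, 0, 0, 0x60000020)
    claimed = 0x10000 if oversize_data_section else len(data)
    sec_data = struct.pack(SECTION_FMT, b".data", len(data), 0x2000, claimed,
                           headers_end + len(text), 0, 0, 0, 0, 0xC0000040)
    overlay = b"APPENDED-PAYLOAD"          # "additional data" after the last section
    return bytes(dos) + b"PE\0\0" + coff + sec_text + sec_data + text + data + overlay


def slice_pe(image: bytes) -> Dict[str, object]:
    """Return per-section slices (name, offset, size, hash), the overlay hash,
    the link timestamp and a list of structural anomalies."""
    anomalies: List[str] = []
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _chars = struct.unpack_from(COFF_FMT, image, coff_off)
    table_off = coff_off + COFF_SIZE + opt_size
    headers_end = table_off + nsec * SECTION_SIZE
    if headers_end > len(image):
        anomalies.append(f"section table of {nsec} entries does not fit in the file")
        nsec = max(0, (len(image) - table_off) // SECTION_SIZE)
    sections = []
    last_end = headers_end
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, image, table_off + i * SECTION_SIZE)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]
        raw_end = raw_ptr + raw_size
        if raw_size and raw_ptr < headers_end:
            anomalies.append(f"section {name}: raw data overlaps the headers")
        if raw_end > len(image):
            anomalies.append(f"section {name}: SizeOfRawData runs {raw_end - len(image)} bytes past end of file")
            raw_end = len(image)
        blob = image[raw_ptr:raw_end]
        sections.append({"name": name, "offset": raw_ptr, "size": len(blob),
                         "sha256": hashlib.sha256(blob).hexdigest()})
        last_end = max(last_end, raw_end)
    overlay = image[last_end:]
    return {
        "timestamp": timestamp,
        "sections": sections,
        "overlay_size": len(overlay),
        "overlay_sha256": hashlib.sha256(overlay).hexdigest() if overlay else None,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for label, img in (("clean", build_sample_pe()), ("tampered", build_sample_pe(True))):
        genes = slice_pe(img)
        print(label, [(s["name"], s["size"], s["sha256"][:12]) for s in genes["sections"]],
              "overlay:", genes["overlay_size"], "anomalies:", genes["anomalies"])
```

On a real sample the same per-slice hashes give the homology signal the description is after: a variant that repacks only one section keeps the other slice hashes unchanged, and an overlay that appears in one variant but not another is itself a feature.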
Further, step 102 specifically establishes the mapping relation between the core attack genes and the attack stages and stores it in a database to construct a cyberspace threat framework mapping library.
The method comprises the following steps: based on the technique and tactic points of a cyberspace threat framework (such as ATT&CK or the NSA framework) and on the extracted attack genes, a mapping relation is established between the core attack genes and the attack stages of the malicious threat; the mapping relation is stored in a database, and a cyberspace threat framework mapping library is finally established. By analysing the extracted attack genes in depth, 100% coverage of the tactic points and more than 60% coverage of the technique points of the cyberspace threat framework can be achieved.
The ATT&CK cyberspace threat framework comprises 12 tactics, specifically:
1) TA0001 initial access: the initial access tactic represents the vectors an attacker uses to obtain an initial foothold in the network.
2) TA0002 execution: the execution tactic represents techniques that result in the execution of adversary-controlled code on a local or remote system. It is typically used together with initial access, as the means of executing code once access is obtained, and with lateral movement to extend access to remote systems on the network.
3) TA0003 persistence: persistence is any access, action or configuration change to a system that gives an adversary a persistent presence on that system. Attackers typically need to maintain access through interruptions such as system reboots, loss of credentials, or other failures that would require restarting a remote access tool or using an alternate backdoor to regain access.
4) TA0004 privilege escalation: privilege escalation is the result of actions that allow an attacker to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and may be necessary at many points throughout an operation. An attacker may enter a system with unprivileged access and must exploit a system weakness to gain local administrator or SYSTEM/root level rights. User accounts with administrator-like access may also be used. A user account with permission to access a particular system or perform a particular function necessary for the attacker's goal may also be considered an escalation of privilege.
5) TA0005 defense evasion: defense evasion comprises techniques an adversary may use to evade detection or other defenses. Sometimes these behaviors are the same as, or variations of, techniques in other categories, with the added benefit of subverting a particular defense or mitigation. Defense evasion may be viewed as a set of attributes the adversary applies to all other phases of the operation.
6) TA0006 credential access: credential access refers to techniques that result in access to or control over system, domain, or service credentials used in an enterprise environment. An attacker may attempt to obtain legitimate credentials of user or administrator accounts (local system administrators or domain users with administrator access) to use within the network. This lets the attacker assume the identity of the account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the attacker. With sufficient access within the network, an attacker can create accounts for later use in the environment.
7) TA0007 discovery: discovery comprises techniques that allow an attacker to gain knowledge about the system and the internal network. When an attacker gains access to a new system, they must orient themselves to what they now control and how operating that system benefits the current or overall goal of the intrusion. The operating system provides many native tools that aid this post-compromise information-gathering phase.
8) TA0008 lateral movement: lateral movement comprises techniques that enable an adversary to access and control remote systems on a network and may, but need not, include executing tools on those remote systems. Lateral movement techniques may allow an adversary to gather information from a system without needing additional tools such as a remote access tool.
9) TA0009 collection: collection comprises techniques for identifying and gathering information (e.g., sensitive files) from the target network prior to exfiltration. This category also covers the locations on a system or network where an attacker may look for information to exfiltrate.
10) TA0011 command and control: the command and control tactic represents how the attacker communicates with the systems under its control within the target network. Depending on the system configuration and network topology, an attacker can establish command and control with various levels of stealth in many ways. Because of the wide variety available to an adversary at the network level, only the most common factors are used to describe the differences in command and control. There are still many specific techniques in the documented methods, mainly because of the ease of defining new protocols and of communicating over existing legitimate protocols and network services.
11) TA0010 exfiltration: exfiltration refers to techniques and attributes that result in, or aid in, the attacker removing files and information from the target network. This category also covers the locations on a system or network where an attacker may look for information to exfiltrate.
12) TA0011 impact: impact refers to an attacker attempting to manipulate, interrupt or destroy the victim's systems and data in order to cover their own attack.
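To make the mapping-library step concrete, here is an added Python example (not part of the patent) that builds a gene-to-tactic mapping library from constructed historical records of the kind step 102 consumes, reports tactic coverage in the sense used above, and infers the attack stages of a new sample from its genes while separating out genes the library has never seen. The tactic IDs are the ones listed above; the gene labels, the HISTORY records and the function names are assumptions of this example.

```python
"""Build a gene-to-attack-stage mapping library from historical records,
measure tactic coverage, and infer the attack stages of a new sample
(added illustration with constructed data; not the patent's own code)."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Tactics of the cyberspace threat framework in kill-chain order, with the
# tactic IDs as listed in the description above.
TACTICS: List[Tuple[str, str]] = [
    ("TA0001", "Initial Access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"), ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"), ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"), ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"),
]
TACTIC_NAME = dict(TACTICS)
CHAIN_ORDER = {tid: i for i, (tid, _) in enumerate(TACTICS)}

# Constructed historical records: (sample id, attack gene, tactic the analyst
# assigned that gene to). Gene labels are illustrative feature names, not a
# real feature vocabulary. A gene may be recorded under more than one tactic,
# as api:CreateRemoteThread is here (injection serves evasion and escalation).
HISTORY: List[Tuple[str, str, str]] = [
    ("h1", "doc:macro_autoclose", "TA0002"),
    ("h1", "anti:sandbox_check", "TA0005"),
    ("h1", "net:http_beacon", "TA0011"),
    ("h2", "reg:run_key_write", "TA0003"),
    ("h2", "api:CreateRemoteThread", "TA0005"),
    ("h2", "api:CreateRemoteThread", "TA0004"),
    ("h3", "proc:open_lsass", "TA0006"),
    ("h3", "api:NetShareEnum", "TA0007"),
    ("h3", "api:WNetAddConnection2", "TA0008"),
    ("h3", "net:http_beacon", "TA0011"),
    ("h4", "file:stage_archive", "TA0009"),
    ("h4", "net:dns_upload", "TA0010"),
    ("h4", "anti:sandbox_check", "TA0005"),
]

MappingLibrary = Dict[str, Counter]


def build_mapping_library(history: Iterable[Tuple[str, str, str]]) -> MappingLibrary:
    """gene -> Counter of the tactics it was assigned to in the historical data."""
    library: MappingLibrary = defaultdict(Counter)
    for _sample, gene, tactic in history:
        if tactic not in TACTIC_NAME:
            raise ValueError(f"unknown tactic id {tactic!r}")
        library[gene][tactic] += 1
    return dict(library)


def tactic_coverage(library: MappingLibrary) -> Tuple[int, int]:
    """(number of tactics reached by at least one gene, total number of tactics)."""
    covered = {tactic for counts in library.values() for tactic in counts}
    return len(covered), len(TACTICS)


def infer_attack_stages(library: MappingLibrary, genes: Iterable[str]):
    """Map a new sample's genes to attack stages. The confidence of a stage is
    the best P(stage | gene) among the genes voting for it. Genes absent from
    the library are returned separately: they are what an analyst reviews
    when extending the library for a previously unseen threat."""
    stages: Dict[str, dict] = {}
    unmapped: List[str] = []
    for gene in sorted(set(genes)):
        counts = library.get(gene)
        if not counts:
            unmapped.append(gene)
            continue
        total = sum(counts.values())
        for tactic, n in counts.items():
            entry = stages.setdefault(tactic, {"tactic": tactic, "name": TACTIC_NAME[tactic],
                                               "confidence": 0.0, "genes": []})
            entry["confidence"] = max(entry["confidence"], n / total)
            entry["genes"].append(gene)
    ordered = sorted(stages.values(), key=lambda e: CHAIN_ORDER[e["tactic"]])
    return ordered, unmapped


if __name__ == "__main__":
    lib = build_mapping_library(HISTORY)
    print("tactic coverage: %d/%d" % tactic_coverage(lib))
    found, unknown = infer_attack_stages(
        lib, {"anti:sandbox_check", "api:CreateRemoteThread", "net:http_beacon", "gene:never_seen"})
    for stage in found:
        print(stage["tactic"], stage["name"], round(stage["confidence"], 2), stage["genes"])
    print("unmapped genes:", unknown)
```

With the constructed records the library reaches 10 of the 11 tactics (no gene was ever assigned to initial access), which is the kind of gap the coverage figures in the description are meant to expose; the inferred stages come back in kill-chain order so they read as an attack intention rather than a bag of labels.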
Further, on the above basis, in step 104 of the present invention the specific process of determining the unknown threat in the current industrial internet detection data by the threat detection method, according to the mapping relation, is as follows:
according to the mapping relation, unknown threats in the current industrial internet detection data are determined by a malicious code attack association method based on multi-feature fusion;
or, according to the mapping relation, unknown threats in the current industrial internet detection data are determined by a malicious code intelligent evaluation method based on multi-source heterogeneous data.
Determining unknown threats in the current industrial internet detection data according to the mapping relation by the malicious code attack association method based on multi-feature fusion specifically comprises the following steps:
extracting attack features from the current industrial internet detection data;
performing attack correlation analysis on the attack features to obtain an attack correlation analysis result;
determining the attack intention from the attack correlation analysis result based on the mapping relation.
Determining unknown threats in the current industrial internet detection data according to the mapping relation by the malicious code intelligent evaluation method based on multi-source heterogeneous data specifically comprises the following steps:
cleaning the current industrial internet detection data to obtain cleaned data;
performing feature abstraction on the cleaned data to obtain multi-dimensional evaluation features;
performing feature selection on the multi-dimensional evaluation features to obtain multi-dimensional features;
performing feature dimensionality reduction on the multi-dimensional features to obtain low-dimensional features;
acquiring a malicious code evaluation model;
determining the threat degree of the malicious code by taking the low-dimensional features as the input of the malicious code evaluation model;
determining the attack intention according to the mapping relation based on the threat degree of the malicious code.
Specifically, on the basis of the unknown-threat determination process described above, the principle by which the multi-feature fusion malicious code attack association method detects unknown threats is shown in fig. 5 and is as follows:
Attack correlation is an important means of achieving timely discovery of, and active response to, malicious code attack behaviour on the industrial internet. Because the industrial internet has a complex network structure, variable application scenarios and many types of equipment, current techniques for correlating industrial internet malicious code attacks face three difficulties: discovering attack actions, predicting attack paths and identifying the threat degree. The invention therefore provides an attack correlation method for industrial internet malicious code based on multi-feature fusion. On the basis of abstract modelling of the industrial internet application scenario, the characteristic behaviours of industrial internet malicious code in different operating environments are collected for fusion analysis; attack correlation is realised by methods such as attack behaviour sequence analysis, probabilistic attack graph construction and threat-degree constraint solving; the attack intention of the malicious code is identified accurately; and the attackers and attack means behind the attack are mined and traced.
On this basis, the multi-feature fusion malicious code attack correlation method comprises three parts: attack feature extraction, attack correlation analysis and attack intention output.
In attack feature extraction, data related to attack actions, such as the sample source, static features and dynamic features, are extracted comprehensively, taking into account the way industrial internet malicious code is captured, collected and analysed as samples. In attack correlation analysis, a formalised model of the industrial internet application scenario is built with a visualisation method; fusion analysis covers preprocessing, normalisation, topology construction and homology (common-origin) judgment; attack actions are identified by behaviour sequence analysis, attack paths by probabilistic attack graph construction, and the threat degree by threat-degree constraint solving, so that complete attack intention information is formed. Attack intention output presents and applies the attack action, attack path and threat degree information, and supports the construction of a homology judgment model for mining attackers and attack means. The method is characterised by comprehensive coverage of attack scenarios, rich feature extraction, accurate identification of attack intention and practical attack intention output.
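The three parts just described (attack feature extraction, attack correlation analysis, attack intention output), as an added worked example that is not code from the patent or its applicant. The attack-gene to attack-stage mapping, the stage names, the detection events and the threat-degree formula are all assumptions; the attack graph is estimated from stage transitions and the path is read off greedily, which stands in for the patent's unspecified probabilistic attack graph and constraint-solving steps.

```python
"""Attack correlation of industrial-internet detection events.

Added example, not the patent's or CIC-CERT's code. Walks through
attack-feature extraction, attack-correlation analysis (behaviour
sequence, probabilistic attack graph, threat degree) and attack-intention
output, using an assumed gene->stage mapping and constructed events.
"""
from collections import defaultdict

STAGES = ["recon", "delivery", "execution", "persistence", "c2", "impact"]
# Assumed mapping relation (attack gene -> attack stage).
GENE_TO_STAGE = {
    "modbus_scan": "recon", "s7comm_enum": "recon",
    "phish_attachment": "delivery", "usb_dropper": "delivery",
    "office_macro": "execution",
    "service_install": "persistence",
    "dns_beacon": "c2", "http_beacon": "c2",
    "plc_write_coils": "impact",
}

# Constructed detection events: (timestamp, host, attack gene observed).
EVENTS = [
    (1, "eng-ws-01", "phish_attachment"),
    (2, "eng-ws-01", "office_macro"),
    (3, "eng-ws-01", "service_install"),
    (5, "eng-ws-01", "dns_beacon"),
    (6, "hmi-02", "modbus_scan"),
    (7, "hmi-02", "dns_beacon"),
    (9, "eng-ws-01", "plc_write_coils"),
    (9, "eng-ws-01", "unknown_dll_sideload"),  # gene absent from the mapping
]

def extract_sequences(events):
    """Attack-feature extraction: per host, the time-ordered list of
    (gene, stage). Unmapped genes are kept with stage 'unknown' rather
    than dropped, because they are exactly the unknown-threat signal."""
    seqs = defaultdict(list)
    for _ts, host, gene in sorted(events):
        seqs[host].append((gene, GENE_TO_STAGE.get(gene, "unknown")))
    return dict(seqs)

def build_attack_graph(seqs):
    """Probabilistic attack graph: P(next stage | stage), estimated from
    consecutive mapped stages across all hosts."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in seqs.values():
        stages = [s for _, s in seq if s != "unknown"]
        for a, b in zip(stages, stages[1:]):
            if a != b:
                counts[a][b] += 1
    return {a: {b: n / sum(nxt.values()) for b, n in nxt.items()}
            for a, nxt in counts.items()}

def most_likely_path(graph, start):
    """Attack-path identification: greedy walk along the most probable
    edges until a stage repeats or has no successor."""
    path = [start]
    while path[-1] in graph:
        nxt = max(graph[path[-1]], key=graph[path[-1]].get)
        if nxt in path:
            break
        path.append(nxt)
    return path

def correlate(events):
    """Attack-intention output per host: deepest stage reached, a threat
    degree (depth of that stage as a fraction of the chain; an assumed
    formula), the unmapped genes, and an unknown-threat flag raised when
    an unmapped gene co-occurs with a post-delivery stage."""
    result = {}
    for host, seq in extract_sequences(events).items():
        depths = [STAGES.index(s) for _, s in seq if s != "unknown"]
        deepest = max(depths) if depths else -1
        unknown = [g for g, s in seq if s == "unknown"]
        result[host] = {
            "intention": STAGES[deepest] if deepest >= 0 else "none",
            "threat_degree": (deepest + 1) / len(STAGES),
            "unknown_genes": unknown,
            "unknown_threat": bool(unknown) and deepest > STAGES.index("delivery"),
        }
    return result

if __name__ == "__main__":
    graph = build_attack_graph(extract_sequences(EVENTS))
    print("path from recon:", most_likely_path(graph, "recon"))
    for host, r in correlate(EVENTS).items():
        print(host, r)
```

The point a practitioner should take from this is the treatment of the unmapped gene: the host is flagged as an unknown threat because the unknown code sits in a sequence whose mapped genes already reach the impact stage, which is how a gene-to-stage mapping lets known context expose unknown malicious code.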
Specifically, the intelligent malicious code evaluation method based on multi-source heterogeneous data detects unknown threats as follows. First, multi-source heterogeneous feature data, such as highly aggregated multi-dimensional attack genes, attack correlation results and attack tracing results, are fused and converged using an intelligent malicious threat evaluation method based on highly aggregated feature fusion. Then the threat elements of each feature dimension are evaluated quantitatively, the threat degree of each feature is calibrated from probability statistics of feature threat degree together with analyst-assisted decision making, and a feature vector that represents the degree of malicious threat is selected. Finally, the selected high-dimensional features are reduced to a reasonable dimension by principal component analysis, and an intelligent evaluation model is built with a machine learning method, including but not limited to decision trees and clustering, so that unknown and known malicious threats can be judged accurately and quickly.
The evaluation method comprises the steps of cleaning, feature abstraction, feature selection, feature dimension reduction and evaluation model construction. Sample cleaning mainly identifies the many file formats found in the heterogeneous Internet of Things accurately and decompresses and unpacks encrypted or packed files. Feature abstraction mainly analyses and abstracts multi-source heterogeneous feature data and extracts multi-dimensional evaluation features that can be expressed quantitatively, including but not limited to file attributes, file structure, file anomalies, file slices, network, algorithm, string and URL features. Feature selection mainly screens the multi-dimensional features usable for evaluation by probability statistics, analyst-assisted decision making and feedback of threat-degree evaluation results. Feature dimension reduction further reduces the selected features with principal component analysis and linear discriminant analysis, converting high-dimensional features into low-dimensional features. The evaluation model can use existing machine learning algorithms, including decision trees, neural networks and cluster classification, to discover known malicious code quickly and to evaluate the threat degree of unknown malicious code in the Internet of Things accurately.
By extracting attack genes, building an attack-stage mapping library based on the cyberspace threat framework, then constructing an attack scenario map to restore the complete attack chain, and finally applying multi-source fusion intelligent detection, the attack targets, attack process and attack means of cyberspace advanced persistent threat actors can be discovered effectively, and by continuously analysing the attack methods of cyberspace threat actors a capability for continuous detection of unknown threats is obtained.
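The evaluation pipeline of the two paragraphs above (cleaning, feature abstraction, feature selection, dimension reduction, evaluation model, threat degree, attack intention), as an added worked example that is not code from the patent or its applicant. The training samples, the feature names, the stage rules, the Fisher-score feature selection and the nearest-centroid model are assumptions standing in for the patent's unspecified sample corpus, its analyst-assisted screening and its decision-tree or clustering model; the PCA is written out in pure Python (power iteration with deflation) so that the block runs without numpy or scikit-learn, and it assumes Python 3.8 or later for `math.dist`.

```python
"""Threat evaluation of a code sample: clean -> abstract features ->
select -> reduce (PCA) -> evaluate -> map to attack intention.

Added example, not the patent's or CIC-CERT's code. Samples, feature
names, stage rules and the model are all assumptions.
"""
import math

FEATURES = ["size_kb", "entropy", "packed", "n_urls",
            "n_net_apis", "n_crypto_apis", "writes_plc"]

# Constructed, already "cleaned" training samples (label 1 = malicious).
TRAIN = [
    ((120, 5.1, 0, 0, 1, 0, 0), 0), ((340, 5.6, 0, 1, 2, 0, 0), 0),
    ((90, 4.8, 0, 0, 0, 0, 0), 0),  ((410, 5.9, 0, 1, 1, 1, 0), 0),
    ((85, 7.8, 1, 3, 6, 2, 1), 1),  ((130, 7.5, 1, 2, 5, 3, 0), 1),
    ((60, 7.9, 1, 4, 7, 2, 1), 1),  ((210, 7.2, 1, 2, 4, 1, 1), 1),
]

# Assumed mapping relation, deepest stage first: (stage, predicate on features).
STAGE_RULES = [
    ("impact", lambda f: f["writes_plc"] == 1),
    ("c2", lambda f: f["n_net_apis"] >= 3),
    ("delivery", lambda f: f["n_urls"] >= 2),
]

def mean(xs):
    return sum(xs) / len(xs)

def var(xs):
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / len(xs)

def select_features(train, k=4):
    """Feature selection by Fisher score (between-class mean gap squared
    over within-class variance); stands in for the patent's probability
    statistics plus analyst-assisted screening. Returns column indexes."""
    scores = []
    for i in range(len(FEATURES)):
        pos = [v[i] for v, y in train if y == 1]
        neg = [v[i] for v, y in train if y == 0]
        scores.append(((mean(pos) - mean(neg)) ** 2 / (var(pos) + var(neg) + 1e-9), i))
    return [i for _, i in sorted(scores, reverse=True)[:k]]

class PCA:
    """Dimension reduction: standardise columns, then extract the top
    components of the covariance matrix by power iteration with deflation."""
    def __init__(self, rows, n_components=2):
        self.mu = [mean(c) for c in zip(*rows)]
        self.sd = [math.sqrt(var(c)) or 1.0 for c in zip(*rows)]
        z = [self._std(r) for r in rows]
        d = len(self.mu)
        cov = [[sum(a[i] * a[j] for a in z) / len(z) for j in range(d)] for i in range(d)]
        self.components = []
        for _c in range(n_components):
            v = [1.0] * d
            for _it in range(300):
                w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
                n = math.sqrt(sum(x * x for x in w)) or 1.0
                v = [x / n for x in w]
            lam = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
            cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
            self.components.append(v)

    def _std(self, r):
        return [(x - m) / s for x, m, s in zip(r, self.mu, self.sd)]

    def transform(self, r):
        z = self._std(r)
        return [sum(a * b for a, b in zip(c, z)) for c in self.components]

class Evaluator:
    """Evaluation model: nearest centroid in the low-dimensional space
    (a stand-in for the patent's decision tree / clustering model)."""
    def __init__(self, train, k=4):
        self.idx = select_features(train, k)
        rows = [[v[i] for i in self.idx] for v, _ in train]
        self.pca = PCA(rows)
        low = [self.pca.transform(r) for r in rows]
        self.centroid = {}
        for y in (0, 1):
            pts = [p for p, (_, lab) in zip(low, train) if lab == y]
            self.centroid[y] = [mean(c) for c in zip(*pts)]

    def threat_degree(self, vec):
        """0 = benign-like, 1 = malicious-like, from relative centroid distance."""
        p = self.pca.transform([vec[i] for i in self.idx])
        d = {y: math.dist(p, c) for y, c in self.centroid.items()}
        return d[0] / (d[0] + d[1] + 1e-9)

    def evaluate(self, vec):
        """Threat degree plus attack intention read off the stage rules."""
        f = dict(zip(FEATURES, vec))
        intention = next((s for s, rule in STAGE_RULES if rule(f)), "none")
        td = self.threat_degree(vec)
        return {"threat_degree": round(td, 3), "intention": intention,
                "unknown_threat": td >= 0.5}

if __name__ == "__main__":
    ev = Evaluator(TRAIN)
    print("selected:", [FEATURES[i] for i in ev.idx])
    print(ev.evaluate((70, 7.7, 1, 3, 6, 2, 1)))   # constructed unseen sample
    print(ev.evaluate((300, 5.4, 0, 0, 1, 0, 0)))  # constructed benign sample
```

Standardising before PCA matters here: file size is in the hundreds while the packed flag is 0 or 1, and without scaling the first component would simply track file size, the least discriminative of the features. The threat degree is then continuous, so a sample never seen in training still lands somewhere between the two centroids rather than being dropped for lack of a signature.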
In addition, corresponding to the method for detecting the unknown threat of the industrial internet security, the invention also provides the following embodiments:
as shown in fig. 6, the present invention also provides a system for detecting unknown threats to the security of the industrial internet. The system comprises: the system comprises a first acquisition module 1, a gene and attack stage extraction module 2, a mapping relation establishment module 3, a second acquisition module 4 and an unknown threat detection module 5.
The first acquisition module 1 is used for acquiring historical industrial internet detection data. The historical industrial internet detection data comprises: malicious samples and attack events.
The gene and attack stage extraction module 2 is used for extracting attack genes and attack stages from the historical detection data. The attack genes include basic attack genes and complex attack genes.
The mapping relation establishing module 3 is used for establishing the mapping relation between the attack genes and the attack stages.
The second obtaining module 4 is used for obtaining current industrial internet detection data.
And the unknown threat detection module 5 is used for determining unknown threats in the current industrial internet detection data by adopting a threat detection method according to the mapping relation. The unknown threat is an attack threat brought by unknown malicious codes.
Further, the unknown threat detection module 5 specifically includes: a first unknown threat detection unit or a second unknown threat detection unit.
The first unknown threat detection unit is used for determining unknown threats in the current industrial internet detection data by adopting a malicious code attack association method based on multi-feature fusion according to the mapping relation.
And the second unknown threat detection unit is used for determining unknown threats in the current industrial internet detection data by adopting a malicious code intelligent evaluation method based on multi-source heterogeneous data according to the mapping relation.
Further, the first unknown threat detection unit specifically includes: the attack system comprises an attack feature extraction subunit, an attack correlation analysis subunit and a first attack intention determination subunit.
The attack feature extraction subunit is used for extracting attack features in the current industrial internet detection data.
And the attack correlation analysis subunit is used for carrying out attack correlation analysis on the attack characteristics to obtain an attack correlation analysis result.
The first attack intention determining subunit is used for determining an attack intention according to the attack correlation analysis result based on the mapping relation.
Further, the second unknown threat detection unit specifically includes: the system comprises a cleaning subunit, a feature abstraction subunit, a feature selection subunit, a feature dimension reduction subunit, a malicious code evaluation model acquisition subunit, a threat degree determination subunit and a second attack intention determination subunit.
And the cleaning subunit is used for cleaning the current industrial internet detection data to obtain the cleaned data.
And the characteristic abstraction subunit is used for carrying out characteristic abstraction on the cleaned data to obtain multi-dimensional evaluation characteristics.
And the characteristic selection subunit is used for performing characteristic selection on the multi-dimensional evaluation characteristics to obtain the multi-dimensional characteristics.
And the feature dimension reduction subunit is used for performing feature dimension reduction on the multi-dimensional features to obtain low-dimensional features.
The malicious code evaluation model obtaining subunit is used for obtaining the malicious code evaluation model.
And the threat degree determining subunit is used for determining the threat degree of the malicious code by using the low-dimensional features as input and adopting a malicious code evaluation model.
And the second attack intention determining subunit is used for determining the attack intention according to the mapping relation based on the threat degree of the malicious code.
The invention also provides an electronic device and a computer-readable storage medium in which the software program is stored. The software program is used for executing the industrial internet security unknown threat detection method.
Further, based on the contents shown in figs. 2-5, the present invention can also provide an industrial internet security unknown threat detection apparatus based on a cyberspace threat framework, comprising:
an attack gene extraction module, used for extracting the core attack genes;
an attack gene mapping module, used for establishing the mapping relation between the core attack genes and the attack stages of malicious threats and building a cyberspace threat framework mapping library;
a malicious code attack correlation module based on multi-feature fusion, used for detecting unknown threats;
and a malicious code intelligent evaluation module, used for detecting unknown threats.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (9)

1. A method for detecting unknown threats to industrial Internet security is characterized by comprising the following steps:
acquiring historical industrial internet detection data; the historical industrial internet detection data comprises: malicious samples and attack events;
extracting attack genes and attack stages from the historical detection data; the attack genes include: basic attack genes and complex attack genes;
establishing a mapping relation between the attack genes and the attack stages;
acquiring current industrial internet detection data;
determining unknown threats in the current industrial internet detection data by adopting a threat detection method according to the mapping relation; the unknown threat is an attack threat brought by unknown malicious codes.
2. The method for detecting unknown threats to industrial internet security according to claim 1, wherein the determining unknown threats in the current industrial internet detection data by adopting a threat detection method according to the mapping relationship specifically comprises:
according to the mapping relation, determining unknown threats in the current industrial internet detection data by adopting a malicious code attack association method based on multi-feature fusion;
or according to the mapping relation, determining unknown threats in the current industrial internet detection data by adopting a malicious code intelligent evaluation method based on multi-source heterogeneous data.
3. The method for detecting unknown threats to industrial internet security according to claim 2, wherein the determining unknown threats in the current industrial internet detection data by adopting a malicious code attack association method based on multi-feature fusion according to the mapping relationship specifically comprises:
extracting attack features in the current industrial internet detection data;
carrying out attack correlation analysis on the attack characteristics to obtain an attack correlation analysis result;
and determining an attack intention according to the attack correlation analysis result based on the mapping relation.
4. The method for detecting unknown threats to industrial internet security according to claim 2, wherein according to the mapping relationship, an intelligent malicious code evaluation method based on multi-source heterogeneous data is adopted to determine unknown threats in the current industrial internet detection data, and specifically comprises:
cleaning the current industrial internet detection data to obtain cleaned data;
performing feature abstraction on the cleaned data to obtain multi-dimensional evaluation features;
performing feature selection on the multi-dimensional evaluation features to obtain multi-dimensional features;
performing feature dimensionality reduction on the multi-dimensional features to obtain low-dimensional features;
acquiring a malicious code evaluation model;
determining the threat degree of the malicious code by using the low-dimensional features as input and adopting the malicious code evaluation model;
and determining an attack intention according to the mapping relation based on the threat degree of the malicious code.
5. An industrial internet security unknown threat detection system, comprising:
the first acquisition module is used for acquiring historical industrial internet detection data; the historical industrial internet detection data comprises: malicious samples and attack events;
the gene and attack stage extraction module is used for extracting attack genes and attack stages from the historical detection data; the attack genes include: basic attack genes and complex attack genes;
the mapping relation establishing module is used for establishing the mapping relation between the attack genes and the attack stages;
the second acquisition module is used for acquiring the current industrial internet detection data;
the unknown threat detection module is used for determining unknown threats in the current industrial internet detection data by adopting a threat detection method according to the mapping relation; the unknown threat is an attack threat brought by unknown malicious codes.
6. The system for detecting unknown threats in industrial internet security according to claim 5, wherein the unknown threat detection module specifically comprises:
the first unknown threat detection unit is used for determining unknown threats in the current industrial internet detection data by adopting a malicious code attack association method based on multi-feature fusion according to the mapping relation;
or the second unknown threat detection unit is used for determining the unknown threat in the current industrial internet detection data by adopting a malicious code intelligent evaluation method based on multi-source heterogeneous data according to the mapping relation.
7. The industrial internet security unknown threat detection system of claim 6, wherein the first unknown threat detection unit specifically comprises:
the attack characteristic extraction subunit is used for extracting attack characteristics in the current industrial internet detection data;
the attack correlation analysis subunit is used for carrying out attack correlation analysis on the attack characteristics to obtain an attack correlation analysis result;
and the first attack intention determining subunit is used for determining the attack intention according to the attack correlation analysis result based on the mapping relation.
8. The industrial internet security unknown threat detection system of claim 6, wherein the second unknown threat detection unit specifically comprises:
the cleaning subunit is used for cleaning the current industrial internet detection data to obtain cleaned data;
the characteristic abstraction subunit is used for carrying out characteristic abstraction on the cleaned data to obtain multi-dimensional evaluation characteristics;
the characteristic selection subunit is used for carrying out characteristic selection on the multi-dimensional evaluation characteristics to obtain multi-dimensional characteristics;
the characteristic dimension reduction subunit is used for carrying out characteristic dimension reduction on the multi-dimensional characteristic to obtain a low-dimensional characteristic;
the malicious code evaluation model obtaining subunit is used for obtaining a malicious code evaluation model;
the threat degree determining subunit is used for determining the threat degree of the malicious code by using the low-dimensional features as input and adopting the malicious code evaluation model;
and the second attack intention determining subunit is used for determining the attack intention according to the mapping relation based on the threat degree of the malicious code.
9. A computer-readable storage medium, wherein a software program is stored in the computer-readable storage medium; the software program is used for executing the industrial internet security unknown threat detection method as claimed in any one of claims 1 to 4.
CN202110870023.8A 2021-07-30 2021-07-30 Method, system and storage medium for detecting unknown threats of industrial internet security Pending CN113553584A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110870023.8A CN113553584A (en) 2021-07-30 2021-07-30 Method, system and storage medium for detecting unknown threats of industrial internet security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110870023.8A CN113553584A (en) 2021-07-30 2021-07-30 Method, system and storage medium for detecting unknown threats of industrial internet security

Publications (1)

Publication Number Publication Date
CN113553584A true CN113553584A (en) 2021-10-26

Family

ID=78104969

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110870023.8A Pending CN113553584A (en) 2021-07-30 2021-07-30 Method, system and storage medium for detecting unknown threats of industrial internet security

Country Status (1)

Country Link
CN (1) CN113553584A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978586A (en) * 2022-04-12 2022-08-30 东北电力大学 Power grid attack detection method and system based on attack genes and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888607A (en) * 2017-11-28 2018-04-06 新华三技术有限公司 A kind of Cyberthreat detection method, device and network management device
CN110059726A (en) * 2019-03-22 2019-07-26 中国科学院信息工程研究所 The threat detection method and device of industrial control system
CN113067812A (en) * 2021-03-17 2021-07-02 哈尔滨安天科技集团股份有限公司 APT attack event tracing analysis method, device and computer readable medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Wang Yang et al.: "Intrusion detection algorithm based on deep sequence weighted kernel extreme learning" (基于深度序列加权核极限学习的入侵检测算法), Application Research of Computers (计算机应用研究) *
Fan Yutao et al.: "Feature dimensionality reduction methods in network intrusion detection systems" (网络入侵检测系统中的特征降维方法), Computer Engineering and Applications (计算机工程与应用) *

Similar Documents

Publication Publication Date Title
US9507944B2 (en) Method for simulation aided security event management
CN111541705B (en) TTP automatic extraction and attack team clustering method
Pham et al. Machine learning techniques for web intrusion detection—A comparison
Cepeda et al. Feature selection and improving classification performance for malware detection
Kheir Behavioral classification and detection of malware through http user agent anomalies
Ring et al. A toolset for intrusion and insider threat detection
Lo et al. Towards an effective and efficient malware detection system
Le et al. Unsupervised monitoring of network and service behaviour using self organizing maps
Amarasinghe et al. AI based cyber threats and vulnerability detection, prevention and prediction system
Boulaiche et al. An auto-learning approach for network intrusion detection
Sakthivelu et al. Advanced Persistent Threat Detection and Mitigation Using Machine Learning Model.
Yusufovna Integrating intrusion detection system and data mining
Wu et al. GroupTracer: Automatic attacker TTP profile extraction and group cluster in Internet of things
Bragen Malware detection through opcode sequence analysis using machine learning
CN113553584A (en) Method, system and storage medium for detecting unknown threats of industrial internet security
Osorio et al. Segmented sandboxing-a novel approach to malware polymorphism detection
Paul et al. Survey of polymorphic worm signatures
Catherine et al. Efficient host based intrusion detection system using Partial Decision Tree and Correlation feature selection algorithm
EP3252645B1 (en) System and method of detecting malicious computer systems
Yin et al. Optimal remote access Trojans detection based on network behavior.
He et al. A comprehensive detection method for the lateral movement stage of apt attacks
Mohaisen et al. Chatter: Exploring classification of malware based on the order of events
CN117978431A (en) Method and system for detecting unknown threats of isolated network based on network air threat framework
Jawhar A Survey on Malware Attacks Analysis and Detected
Tundis et al. An exploratory analysis on the impact of Shodan scanning tool on the network attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination