CN113591077A - Network attack behavior prediction method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113591077A
Authority
CN
China
Legal status
Granted
Application number
CN202110875490.XA
Other languages
Chinese (zh)
Other versions
CN113591077B (en)
Inventor
李小勇
葛悦琴
常超舜
李昀峰
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202110875490.XA
Publication of CN113591077A
Application granted
Publication of CN113591077B
Legal status: Active

Classifications

    • G PHYSICS / G06 COMPUTING; CALCULATING OR COUNTING
    • G06F 21/55 Detecting local intrusion or implementing counter-measures (under G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing)
    • G06F 16/951 Indexing; Web crawling techniques (under G06F 16/95 Retrieval from the web; G06F 16/90 Details of database functions independent of the retrieved data types; G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor)
    • G06F 17/16 Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization (under G06F 17/10 Complex mathematical operations; G06F 17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions)
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting (under G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation; G06F 18/20 Analysing; G06F 18/00 Pattern recognition)
    • G06N 3/044 Recurrent networks, e.g. Hopfield networks (under G06N 3/04 Architecture, e.g. interconnection topology; G06N 3/02 Neural networks; G06N 3/00 Computing arrangements based on biological models; G06N Computing arrangements based on specific computational models)
    • G06N 3/084 Backpropagation, e.g. using gradient descent (under G06N 3/08 Learning methods; G06N 3/02 Neural networks; G06N 3/00 Computing arrangements based on biological models)

Abstract

The network attack behavior prediction method, device, electronic equipment and storage medium are applied in the field of information technology. Network threat information is labeled and segmented to obtain multiple groups of feature information; conflicting feature information is then removed through conflict detection; multiple groups of learned relationships are obtained through knowledge inference; and finally the current network attack is predicted from the learned relationships using a pre-trained network model. This both removes conflicting feature information and uncovers deeper relationships through knowledge inference, improving the accuracy of network attack prediction.

Description

Network attack behavior prediction method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for predicting network attack behavior, an electronic device, and a storage medium.
Background
Network security means that the hardware, software and data of a network system are protected from damage, alteration and leakage, whether accidental or malicious, so that the system runs continuously, reliably and normally and network services are not interrupted. With the rapid development of internet technology, threats to network security keep growing: the number of threats has increased dramatically, attack patterns have multiplied and the scope of attacks has expanded rapidly. Therefore, to protect network security, a network security knowledge base is often used to predict network attacks, and corresponding protective measures are then configured based on the prediction result.
However, the inventors found that when threat situation reports are collected through a network security knowledge base in the prior art, the collected threats and the relationships among them are often unclear, so the prediction result is inaccurate and prediction efficiency is low.
Disclosure of Invention
The embodiment of the invention aims to provide a network attack behavior prediction method, a network attack behavior prediction device, electronic equipment and a storage medium, so as to improve the accuracy of network attack behavior prediction. The specific technical scheme is as follows:
in a first aspect of the embodiments of the present application, a network attack behavior prediction method is provided, where the method includes:
acquiring network threat information;
marking and dividing the network threat information to obtain a plurality of groups of characteristic information;
performing conflict detection on the multiple groups of feature information to obtain and remove conflicting feature information and obtain multiple groups of detected information;
learning the characteristic relationship of the multiple groups of detected information through knowledge reasoning to obtain multiple groups of learned relationships;
and predicting the current network attack according to the learned relation by utilizing a network model obtained by pre-training.
Optionally, the predicting the current network attack according to the learned relationship by using a network model obtained by pre-training includes:
calculating a trust value between the entities through a preset formula according to the relationship information between the entities and the learned relationship;
and predicting the current network attack according to the trust value between the entities by utilizing a network model obtained by pre-training.
Optionally, the learning of the feature relationship of the multiple groups of detected information through knowledge inference to obtain multiple groups of learned relationships includes:
learning the feature relationships of the multiple groups of detected information through a path ranking algorithm using a pre-established tuple model, to obtain multiple groups of learned relationships.
Optionally, the performing collision detection on the multiple groups of feature information to obtain and remove the collided feature information, and obtaining multiple groups of detected information includes:
and performing conflict detection on the multiple groups of feature information by using a dictionary-based analysis method through the pre-created structural information to obtain and remove the conflicting feature information, so as to obtain multiple groups of detected information.
In a second aspect of the embodiments of the present application, a device for predicting network attack behavior is provided, where the device includes:
the information acquisition module is used for acquiring network threat information;
the marking and dividing module is used for marking and dividing the network threat information to obtain a plurality of groups of characteristic information;
the conflict detection module is used for carrying out conflict detection on the multiple groups of characteristic information to obtain and remove conflicting characteristic information and obtain multiple groups of detected information;
the relation learning module is used for learning the characteristic relation of the multiple groups of detected information through knowledge reasoning to obtain multiple groups of learned relations;
and the attack prediction module is used for predicting the current network attack according to the learned relation by utilizing a network model obtained by pre-training.
Optionally, the attack prediction module includes:
the trust value operator module is used for calculating the trust value between the entities through a preset formula according to the relationship information between the entities and the learned relationship;
and the network attack prediction submodule is used for predicting the current network attack according to the trust value between the entities by utilizing a network model obtained by pre-training.
Optionally, the relationship learning module is specifically configured to learn the feature relationships of the multiple groups of detected information through a path ranking algorithm using a pre-created tuple model, so as to obtain multiple groups of learned relationships.
Optionally, the conflict detection module is specifically configured to perform conflict detection on the multiple sets of feature information by using a dictionary-based analysis method through pre-created structural information, so as to obtain and remove conflicting feature information, and obtain multiple sets of detected information.
On the other hand, the embodiment of the present application further provides an electronic device, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
and the processor is used for realizing any network attack behavior prediction method step when executing the program stored in the memory.
In another aspect of the embodiments of the present application, a computer-readable storage medium is further provided, where a computer program is stored in the computer-readable storage medium, and when executed by a processor, the computer program implements any of the above network attack behavior prediction method steps.
In another aspect of the embodiments of the present application, there is also provided a computer program product containing instructions, which when run on a computer, causes the computer to perform any of the above network attack behavior prediction method steps.
The embodiment of the invention has the following beneficial effects:
the network attack behavior prediction method, the network attack behavior prediction device, the electronic equipment and the storage medium provided by the embodiment of the invention can mark and divide network threat information to obtain multiple groups of characteristic information, remove conflicting characteristic information through conflict detection, obtain multiple groups of learned relations through knowledge inference, and finally predict the current network attack according to the learned relations by utilizing a network model obtained through pre-training, so that not only can the removal of the conflicting characteristic information be realized, but also deep relations can be obtained through knowledge inference, and the accuracy of network attack prediction is improved.
Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a network attack behavior prediction method according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a six-tuple model provided in an embodiment of the present application;
FIG. 3 is a state value diagram provided by an embodiment of the present application;
fig. 4 is a schematic flowchart of predicting a current network attack according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of a network structure of an LSTM provided in an embodiment of the present application;
fig. 6a is a schematic diagram of the calculation flow of the forget gate according to an embodiment of the present application;
fig. 6b is a schematic diagram of the calculation flow of the input gate according to an embodiment of the present application;
fig. 6c is a schematic diagram of the calculation flow of the candidate cell state produced by the input gate according to an embodiment of the present application;
fig. 6d is a schematic diagram of the calculation flow of the cell state at the current time step according to an embodiment of the present application;
fig. 6e is a schematic diagram of the calculation flow of the output gate according to an embodiment of the present application;
FIG. 6f is a schematic diagram of the calculation flow of the final LSTM output provided by an embodiment of the present application;
fig. 7 is another schematic flow chart of a network attack behavior prediction method according to an embodiment of the present application;
FIG. 8 is a schematic diagram of an algorithm flow of the L-BFGS provided in the embodiment of the present application;
fig. 9 is a schematic structural diagram of a network attack behavior prediction apparatus provided in an embodiment of the present application;
fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the problem in the prior art that, when threat reports are collected through a network security knowledge base, the collected threats are often unclear in subject, relationship and so on, making the prediction result inaccurate and prediction inefficient, the embodiments of the present application provide a network attack behavior prediction method, device, electronic device and storage medium.
In a first aspect of the embodiments of the present application, a method for predicting network attack behavior is provided, where the method includes:
acquiring network threat information;
marking and dividing the network threat information to obtain a plurality of groups of characteristic information;
performing conflict detection on the multiple groups of characteristic information to obtain and remove conflicting characteristic information and obtain multiple groups of detected information;
learning characteristic relations of the multiple groups of detected information through knowledge reasoning to obtain multiple groups of learned relations;
and predicting the current network attack according to the learned relation by using a network model obtained by pre-training.
Therefore, by the method of the embodiment of the application, network threat information can be labeled and segmented to obtain multiple groups of feature information, conflicting feature information can then be removed through conflict detection, multiple groups of learned relationships can be obtained through knowledge reasoning, and finally the current network attack can be predicted from the learned relationships using the pre-trained network model. This not only removes conflicting feature information but also uncovers deeper relationships through knowledge reasoning, improving the accuracy of network attack prediction.
Specifically, referring to fig. 1, fig. 1 is a schematic flow chart of a network attack behavior prediction method provided in the embodiment of the present application, including:
and step S11, acquiring the network threat information.
The network threat information may be information about network-related vulnerabilities, attacks and other threat intelligence, collected from structured data such as databases and unstructured data such as text and audio. Structured data can be collected in formats such as XML (Extensible Markup Language) and JSON (JavaScript Object Notation), updated according to the relevant download rules, and parsed with a JSON tool such as JSONObject. Unstructured data is collected from the web with the Scrapy crawler framework. Knowledge is extracted from structured and unstructured data mainly with rule-based and machine learning methods. A comparatively rich existing vulnerability knowledge base is the Chinese information security vulnerability database, which records vulnerability names, vulnerability descriptions and other information for a large number of vulnerabilities. The attack rule base collects a large amount of existing attack information, including attack names, attack types and other attributes. For unstructured text, once enough training data has been obtained, information about vulnerabilities and attacks is detected and extracted with a machine learning method: a unigram bag-of-words vector model is used to train an SVM (support vector machine) classifier. If a relevant description is found, named entity recognition tools are used to extract the entities, concepts and attributes related to network security. Structured data usually comes in a fixed tag format, so the corresponding information can be extracted from it directly and stored in a queue for later use.
The method of the embodiment of the application is applied to the intelligent terminal, can be implemented through the intelligent terminal, and specifically, the intelligent terminal can be a computer, a server and the like.
And step S12, labeling and dividing the network threat information to obtain a plurality of groups of characteristic information.
The multiple groups of feature information may include network security entities and the relationships between them. Labeling and segmenting the network threat information means identifying the relevant network security entities with a network security named entity recognizer and then constructing the relationships between the entities from a relationship rule template, which yields the multiple groups of feature information.
For example, for part of the description of the vulnerability numbered CVE-2020-, the entities include the CVE (Common Vulnerabilities & Exposures) number, the vulnerability type, the operating system and so on, and the relationships include that an attacker "exploits" the vulnerability and that the vulnerability "affects" the operating system.
And step S13, performing conflict detection on the multiple groups of feature information to obtain and remove conflicting feature information and obtain multiple groups of detected information.
Because publicly disclosed fragmented big data generally contains a large amount of redundancy, errors and contradictions, the data often lack internal logic. Conflict detection on the multiple groups of feature information judges the true values of the feature information: the collected feature information is collated and fused, erroneous data are detected and removed through conflict detection and consistency checks, and the verified feature information is organised into a knowledge base through alignment, merging and computation, which guarantees the accuracy of the data as far as possible.
For example, the same vulnerability entity appears as different records in the CVE and BID (Bugtraq ID) vulnerability databases, so the two records need to be aligned to the same entity. The vulnerability numbered "106674" in the BID database and the one numbered "CVE-2019-1010142" in the CVE database should belong to the same vulnerability entity. The 'CVE' attribute of a BID record and the 'CVE_ID' of a CVE record both hold a CVE number; the 'Published' and 'Updated' attributes of the BID record correspond to the 'publishedDate' and 'lastModifiedDate' of the CVE record, giving the release and update times; and the 'Vulnerable' attribute of the BID record and the 'cpe23Uri' attribute of the CVE record both describe the affected entities. Equivalent attributes are therefore aligned and collected into one attribute field of the network-security domain ontology construction specification. The 'Local' field in BID and the 'accessVector' field in the CVE record carry the same semantic information, namely whether the vulnerability is local or network-reachable, but the attribute field and attribute value have to be converted before they are fused. During fusion, values of fields with the same attribute are also complemented from each other, and duplicate, redundant information is removed.
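The BID/CVE alignment and fusion just described, as an added example that is not code from the patent. The attribute names are the ones quoted above; the record values are constructed for illustration (the 'Updated' date is deliberately made to disagree with 'lastModifiedDate' so that conflict detection has something to report), and ATTR_MAP is an assumed rendering of the unified fields of the domain ontology.

```python
"""Align a BID record with a CVE record and fuse them into one vulnerability entity.

Added example, not code from the patent. Attribute names follow the description;
record VALUES are constructed, and ATTR_MAP is an assumed unified schema.
"""
from typing import Any, Callable, Dict, List, Tuple

Record = Dict[str, Any]


def _date_only(value: Any) -> str:
    """'2019-07-23T14:15Z' and '2019-07-23' both normalise to '2019-07-23'."""
    return str(value)[:10]


def _bid_local_to_vector(value: Any) -> str:
    """BID 'Local' (Yes/No) and CVE 'accessVector' carry the same semantics."""
    return "LOCAL" if str(value).strip().lower() == "yes" else "NETWORK"


# source attribute -> (unified field, value converter); assumed unified schema
ATTR_MAP: Dict[str, Dict[str, Tuple[str, Callable[[Any], Any]]]] = {
    "BID": {
        "CVE": ("cve_id", str),
        "Published": ("published", _date_only),
        "Updated": ("last_modified", _date_only),
        "Vulnerable": ("affected", list),          # expects a list of affected products
        "Local": ("access_vector", _bid_local_to_vector),
    },
    "CVE": {
        "CVE_ID": ("cve_id", str),
        "publishedDate": ("published", _date_only),
        "lastModifiedDate": ("last_modified", _date_only),
        "cpe23Uri": ("affected", list),           # expects a list of CPE strings
        "accessVector": ("access_vector", lambda v: str(v).upper()),
    },
}


def normalise(source: str, record: Record) -> Record:
    """Rename and convert the attributes of one record into the unified schema."""
    unified: Record = {}
    for attr, (field, convert) in ATTR_MAP[source].items():
        if attr in record and record[attr] not in (None, ""):
            unified[field] = convert(record[attr])
    return unified


def fuse(a: Record, b: Record) -> Tuple[Record, List[Tuple[str, Any, Any]]]:
    """Merge two unified records that describe the same entity.

    Missing values are complemented from the other record, list values are
    unioned with duplicates dropped, equal scalars are kept, and differing
    scalars are reported as conflicts and left unset rather than guessed.
    """
    if a.get("cve_id") != b.get("cve_id"):
        raise ValueError("records are not aligned to the same CVE number")
    fused: Record = {}
    conflicts: List[Tuple[str, Any, Any]] = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if va is None or vb is None:
            fused[key] = vb if va is None else va
        elif isinstance(va, list) and isinstance(vb, list):
            fused[key] = sorted(set(va) | set(vb))
        elif va == vb:
            fused[key] = va
        else:
            conflicts.append((key, va, vb))
    return fused, conflicts


# Constructed sample records (illustrative values, not real database content).
BID_RECORD: Record = {
    "BID": "106674",
    "CVE": "CVE-2019-1010142",
    "Published": "2019-07-23",
    "Updated": "2019-07-26",            # deliberately differs from the CVE record
    "Vulnerable": ["product-x 1.0"],
    "Local": "No",
}
CVE_RECORD: Record = {
    "CVE_ID": "CVE-2019-1010142",
    "publishedDate": "2019-07-23T14:15Z",
    "lastModifiedDate": "2019-07-25T10:30Z",
    "cpe23Uri": ["cpe:2.3:a:vendor:product-x:1.0:*:*:*:*:*:*:*"],
    "accessVector": "NETWORK",
}


def align_sample() -> Tuple[Record, List[Tuple[str, Any, Any]]]:
    """Normalise both constructed records and fuse them."""
    return fuse(normalise("BID", BID_RECORD), normalise("CVE", CVE_RECORD))


if __name__ == "__main__":
    entity, clashes = align_sample()
    print(entity)
    print("conflicts:", clashes)
```

Running it fuses the two records into one entity with the CVE number, release date, access vector and the union of both affected-product representations, while the disagreeing update date is returned as a conflict instead of being silently overwritten, which is the point of doing conflict detection before the data reach the knowledge base.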
And step S14, learning the characteristic relationship of the multiple groups of detected information through knowledge inference to obtain multiple groups of learned relationships.
Inference mainly learns new relationships and new attribute values from the knowledge graph; specifically, it can be implemented with the rules of the six-tuple model, see fig. 2. The model comprises concepts, instances, relationships, attributes, rules and levels. A concept is a collection of abstract ontology classes such as OS (operating system) and software; instances are their concrete members, such as DDoS (distributed denial of service attack) and Smurf (an ICMP amplification attack). Relationships are the associations between instances, between ontologies and so on. An attribute is a collection of instance attribute values. Rules are used to infer new instance relationships and new attribute values. The level represents the importance of an instance. Writing K for the knowledge graph, K = (concept, instance, relationship, attribute, rule, level). Attribute inference derives further attributes of an instance from the instance and its existing attribute values. Rule-based reasoning mainly uses ontology rules: rules defined in SWRL (Semantic Web Rule Language) or another formal language constrain and establish inference relations on top of the ontology, and are concise to define and rich in description.
Relationship inference mainly uses a path ranking algorithm: the relationship between two nodes is predicted from the features of the edges connecting them. When computing the relationship between two nodes, both the length of the path between them and the trust values of its edges are taken into account. The trust value of a path is computed as:
S_p = α t_p + β (1 - v_p) + γ w_p, with α = β = γ = 1/3,
where t_p, v_p and w_p are the mean, the variance and the length ratio of the whole path, and S_p is the path trust value. Each edge carries one of the trust values 0.1, 0.3, 0.5, 0.8 or 1.0, representing five levels of trust from distrust, through general trust and comparative trust, to extreme trust. Because trust decays as a relationship is propagated across more nodes of the knowledge graph, the path length is limited when selecting paths, and the relationship between two nodes is computed by simply multiplying the trust values along the path. Finally, new relationships are obtained by ranking the paths.
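The path ranking step above, as an added example that is not the patent's code. It scores every simple path between two nodes with S_p = α t_p + β (1 − v_p) + γ w_p, α = β = γ = 1/3, where t_p and v_p are the mean and population variance of the edge trust values on the path, and returns the product of those trust values as the inferred relationship strength. The description does not define the "length ratio" w_p; the code assumes w_p = (max_len − hops + 1) / max_len so that shorter paths score higher, which matches the stated decay of trust with path length. The graph fragment is constructed and its relations are treated as undirected, both assumptions.

```python
"""Path ranking with a per-path trust value (added example, not the patent's code).

S_p = alpha*t_p + beta*(1 - v_p) + gamma*w_p with alpha = beta = gamma = 1/3.
t_p, v_p: mean and population variance of edge trust values on the path.
w_p: ASSUMED to be (max_len - hops + 1) / max_len (the page does not define it).
Relation strength between the endpoints: product of edge trust values.
"""
from statistics import fmean, pvariance
from typing import Dict, List, Optional, Tuple

TRUST_LEVELS = (0.1, 0.3, 0.5, 0.8, 1.0)   # the five trust levels named in the description
Graph = Dict[str, Dict[str, float]]        # node -> {neighbour: edge trust}


def add_edge(g: Graph, a: str, b: str, trust: float) -> None:
    """Add an undirected edge (assumption) labelled with one of the five trust levels."""
    if trust not in TRUST_LEVELS:
        raise ValueError(f"edge trust {trust} is not one of {TRUST_LEVELS}")
    g.setdefault(a, {})[b] = trust
    g.setdefault(b, {})[a] = trust


def simple_paths(g: Graph, src: str, dst: str, max_len: int) -> List[List[str]]:
    """All simple paths from src to dst with at most max_len hops (the length limit)."""
    found: List[List[str]] = []
    stack = [[src]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node == dst and len(path) > 1:
            found.append(path)
            continue
        if len(path) - 1 >= max_len:
            continue
        for nxt in g.get(node, {}):
            if nxt not in path:
                stack.append(path + [nxt])
    return found


def path_score(g: Graph, path: List[str], max_len: int) -> Tuple[float, float]:
    """Return (S_p, relation strength) for one path."""
    edges = [g[u][v] for u, v in zip(path, path[1:])]
    t_p = fmean(edges)
    v_p = pvariance(edges) if len(edges) > 1 else 0.0
    w_p = (max_len - len(edges) + 1) / max_len       # assumed length ratio
    s_p = (t_p + (1.0 - v_p) + w_p) / 3.0            # alpha = beta = gamma = 1/3
    strength = 1.0
    for e in edges:
        strength *= e                                # "simple multiplication" along the path
    return s_p, strength


def rank_paths(g: Graph, src: str, dst: str, max_len: int = 3) -> List[Tuple[List[str], float, float]]:
    """Paths from src to dst ordered by S_p, best first."""
    scored = [(p, *path_score(g, p, max_len)) for p in simple_paths(g, src, dst, max_len)]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored


def infer_relation(g: Graph, src: str, dst: str, max_len: int = 3) -> Optional[Tuple[List[str], float, float]]:
    """Best-ranked path between two nodes, or None if none exists within the length limit."""
    ranked = rank_paths(g, src, dst, max_len)
    return ranked[0] if ranked else None


def demo_graph() -> Graph:
    """Constructed knowledge-graph fragment: nodes A..D with trust-labelled edges."""
    g: Graph = {}
    add_edge(g, "A", "B", 1.0)
    add_edge(g, "B", "C", 0.8)
    add_edge(g, "A", "C", 0.5)
    add_edge(g, "C", "D", 0.5)
    add_edge(g, "B", "D", 0.1)
    return g


if __name__ == "__main__":
    for path, s_p, strength in rank_paths(demo_graph(), "A", "D", max_len=3):
        print(" -> ".join(path), f"S_p={s_p:.3f}", f"strength={strength:.3f}")
```

On the constructed graph the two-hop path A-C-D (mean 0.5, variance 0) outranks the three-hop path A-B-C-D even though the latter has a higher product, because the variance and length terms penalise it; with max_len=1 no path exists, which is the length limit rejecting the inference rather than stretching it.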
And step S15, predicting the current network attack according to the learned relation by using the network model obtained by training in advance.
To predict the current network attack from the learned relationships, the whole network system can be decomposed into three layers, system, host and service, using a hierarchical analysis method, and the network security situation is computed for the services, the hosts and the whole network system in turn. The hierarchical analysis method proceeds as follows:
Compute the threat index of service S_j at time t:
(formula given only as an image in the original; not reproduced)
where n is the number of attack categories hitting service S_j at time t, D_i(t) is the severity of the i-th attack and N_i(t) is the number of times the i-th attack hits S_j at time t. In practice, the number of attack categories and the severity of each attack can be looked up from public attack information, for example in the Chinese information security vulnerability database.
Compute the threat index of host H_k at time t:
(formula given only as an image in the original; not reproduced)
where m is the number of services open on host H_k and V_j(t) is the weight of service j within the weight vector over all services open on the host.
Compute the threat index of the whole network at time t:
(formula given only as an image in the original; not reproduced)
where c is the number of hosts in the whole network and W_k(t) is the weight of host H_k within the weight vector expressing host importance in the local area network being evaluated.
The pre-trained network model may be an LSTM (long short-term memory network). Once the threat index has been obtained, the network security situation can be normalised to a network situation value in the interval (0,1), and the LSTM then judges the state of the network from the network security situation values. A situation value diagram is shown in fig. 3, where A to F represent different nodes.
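The service-host-network aggregation above, as an added example that is not the patent's code. The three formulas appear only as images in the original and are not reproduced on the page, so the combination used here is an assumed reading of the variable definitions: a service index as severity times count summed over attack categories, a host index as the service-weighted sum, and a network index as the host-weighted sum. The squashing that maps the index into the unit interval is likewise an assumption, and the observations are constructed.

```python
"""Hierarchical threat index (service -> host -> network) and situation value.

Added example, not the patent's code. ASSUMED aggregation (formulas are images
in the original):
    R_S(t) = sum_i D_i(t) * N_i(t)      severity times count over the n attack categories
    R_H(t) = sum_j V_j(t) * R_Sj(t)     weighted over the m open services
    R_N(t) = sum_k W_k(t) * R_Hk(t)     weighted over the c hosts
The squashing into the unit interval is also an assumption.
"""
from math import isclose
from typing import Dict, Iterable, List, Tuple

Observation = Tuple[str, float, int]                  # (attack category, severity D_i(t), count N_i(t))
Snapshot = Dict[str, Dict[str, List[Observation]]]    # host -> service -> observations at time t


def check_weights(weights: Dict[str, float], keys: Iterable[str]) -> None:
    """A weight vector must cover exactly the given items and sum to 1."""
    if set(weights) != set(keys):
        raise ValueError(f"weights {sorted(weights)} do not match items {sorted(keys)}")
    if not isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError("weights must sum to 1")


def service_index(observations: List[Observation]) -> float:
    """R_S(t): severity times hit count, summed over the attack categories seen."""
    return sum(severity * count for _, severity, count in observations)


def host_index(service_indices: Dict[str, float], service_weights: Dict[str, float]) -> float:
    """R_H(t): service indices weighted by V_j(t)."""
    check_weights(service_weights, service_indices)
    return sum(service_weights[s] * r for s, r in service_indices.items())


def network_index(host_indices: Dict[str, float], host_weights: Dict[str, float]) -> float:
    """R_N(t): host indices weighted by W_k(t)."""
    check_weights(host_weights, host_indices)
    return sum(host_weights[h] * r for h, r in host_indices.items())


def situation_value(index: float, scale: float = 10.0) -> float:
    """Squash a non-negative index into [0, 1); assumed normalisation."""
    if index < 0:
        raise ValueError("threat index cannot be negative")
    return index / (index + scale)


def network_situation(snapshot: Snapshot,
                      service_weights: Dict[str, Dict[str, float]],
                      host_weights: Dict[str, float]) -> Tuple[float, Dict[str, float]]:
    """Return (situation value, per-host threat index) for one time step."""
    hosts = {
        host: host_index({svc: service_index(obs) for svc, obs in services.items()},
                         service_weights[host])
        for host, services in snapshot.items()
    }
    return situation_value(network_index(hosts, host_weights)), hosts


# Constructed observations for one time step t (illustrative, not measured data).
SNAPSHOT_T: Snapshot = {
    "web-host": {
        "http": [("SQL injection", 3.0, 4), ("XSS", 2.0, 1)],
        "ssh": [("password brute force", 2.0, 10)],
    },
    "db-host": {
        "mysql": [("SQL injection", 3.0, 2)],
    },
}
SERVICE_WEIGHTS = {"web-host": {"http": 0.6, "ssh": 0.4}, "db-host": {"mysql": 1.0}}
HOST_WEIGHTS = {"web-host": 0.7, "db-host": 0.3}


def situation_series(snapshots: List[Snapshot]) -> List[float]:
    """Situation values over successive time steps, the sequence an LSTM would consume."""
    return [network_situation(s, SERVICE_WEIGHTS, HOST_WEIGHTS)[0] for s in snapshots]


if __name__ == "__main__":
    value, per_host = network_situation(SNAPSHOT_T, SERVICE_WEIGHTS, HOST_WEIGHTS)
    print(per_host, round(value, 4))
```

The weight checks matter in practice: a weight vector that silently omits a newly opened service or does not sum to one makes the host and network indices incomparable across time steps, which would corrupt the very sequence the LSTM is trained on.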
Therefore, by the method of the embodiment of the application, network threat information can be labeled and segmented to obtain multiple groups of feature information, conflicting feature information can then be removed through conflict detection, multiple groups of learned relationships can be obtained through knowledge reasoning, and finally the current network attack can be predicted from the learned relationships using the pre-trained network model. This not only removes conflicting feature information but also uncovers deeper relationships through knowledge reasoning, improving the accuracy of network attack prediction.
Optionally, step S13 of performing conflict detection on the multiple groups of feature information, obtaining and removing the conflicting feature information and obtaining multiple groups of detected information includes: performing conflict detection on the multiple groups of feature information with a dictionary-based analysis method using pre-created structural information, to obtain and remove the conflicting feature information and obtain multiple groups of detected information.
To learn the feature relationships of the multiple groups of detected information through knowledge reasoning, a dictionary-analysis-based method can learn a large amount of structural information from Wikipedia, including entity pages, redirect pages, disambiguation pages, the bold terms in the lead section and the hyperlink anchor texts in encyclopedia pages. Using the category information of an entity's page and the many hyperlink anchor texts on the page as topics and concepts respectively, the document describing the entity is expanded into a space vector model over Wikipedia concepts and topics, from which the multiple groups of learned relationships are obtained.
Specifically, the Chinese named entity linking method comprises three stages: mention recognition, candidate entity set generation and disambiguation;
1. mention recognition extracts the named-entity mentions from the text to be disambiguated by performing word segmentation and named entity recognition on the text;
2. candidate entity set generation provides a series of possible candidate entities for each mention, so that the disambiguation stage does not have to traverse the whole knowledge base, which improves disambiguation efficiency;
3. a ranking model is learned on the corpus from text-similarity features and entity-type disambiguation features, so that the target entity of each mention in the corpus can be predicted.
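The three-stage linking procedure above, as an added example that is not the patent's code. The mini knowledge base, the alias dictionary (standing in for the redirect and disambiguation pages) and the input texts are constructed; in place of the learned ranking model, candidates are ranked by bag-of-words cosine similarity between the mention's context and the entity description, plus a small bonus for the expected entity type.

```python
"""Three-stage entity linking: mention recognition, candidate generation, disambiguation.

Added example, not the patent's code. KB, ALIASES and the texts are constructed;
the cosine-plus-type-bonus scoring stands in for the learned ranking model.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed knowledge base: entity id -> type and short description.
KB: Dict[str, Dict[str, str]] = {
    "Smurf_attack": {"type": "attack",
                     "desc": "ICMP echo request amplification via broadcast address denial of service network"},
    "Smurf_(software)": {"type": "software",
                         "desc": "desktop tool program download windows application"},
    "DDoS": {"type": "attack",
             "desc": "distributed denial of service flood traffic botnet network"},
}
# Alias dictionary as would be built from redirect/disambiguation pages (constructed).
ALIASES: Dict[str, List[str]] = {
    "smurf": ["Smurf_attack", "Smurf_(software)"],
    "ddos": ["DDoS"],
    "distributed denial of service": ["DDoS"],
}


def tokens(text: str) -> List[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def recognise_mentions(text: str) -> List[Tuple[str, int, int]]:
    """Stage 1: locate alias strings in the text; longer aliases win overlaps."""
    low = text.lower()
    taken: List[Tuple[int, int]] = []
    mentions: List[Tuple[str, int, int]] = []
    for alias in sorted(ALIASES, key=len, reverse=True):
        for m in re.finditer(r"\b" + re.escape(alias) + r"\b", low):
            if any(s < m.end() and m.start() < e for s, e in taken):
                continue
            taken.append((m.start(), m.end()))
            mentions.append((alias, m.start(), m.end()))
    return sorted(mentions, key=lambda x: x[1])


def candidates(alias: str) -> List[str]:
    """Stage 2: candidate entities for a mention, so the KB is never scanned in full."""
    return list(ALIASES.get(alias.lower(), []))


def cosine(a: List[str], b: List[str]) -> float:
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[t] * cb[t] for t in ca)
    na = math.sqrt(sum(v * v for v in ca.values()))
    nb = math.sqrt(sum(v * v for v in cb.values()))
    return dot / (na * nb) if na and nb else 0.0


def disambiguate(alias: str, context: str, expected_type: Optional[str] = None,
                 type_bonus: float = 0.2) -> List[Tuple[str, float]]:
    """Stage 3: rank candidates by context similarity plus an entity-type feature."""
    ctx = tokens(context)
    scored = []
    for eid in candidates(alias):
        score = cosine(ctx, tokens(KB[eid]["desc"]))
        if expected_type is not None and KB[eid]["type"] == expected_type:
            score += type_bonus
        scored.append((eid, round(score, 4)))
    scored.sort(key=lambda x: x[1], reverse=True)
    return scored


def link(text: str, expected_type: Optional[str] = None) -> Dict[str, str]:
    """Map each recognised mention in the text to its top-ranked entity."""
    result: Dict[str, str] = {}
    for alias, _, _ in recognise_mentions(text):
        ranked = disambiguate(alias, text, expected_type)
        if ranked:
            result[alias] = ranked[0][0]
    return result


if __name__ == "__main__":
    print(link("Attackers sent ICMP echo request packets to the broadcast address, "
               "and the Smurf flood caused denial of service on the network."))
    print(link("Download the Smurf desktop tool program for Windows."))
```

The same surface form "Smurf" resolves to the attack in the first sentence and to the software in the second purely from context, and when the context carries no signal at all the entity-type feature breaks the tie; that is the disambiguation the third stage exists for.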
Therefore, by the method of the embodiment of the application, conflict detection can be performed on the multiple groups of feature information with the dictionary-based analysis method using the pre-established structural information, and the conflicting feature information removed, which improves the accuracy of threat prediction.
Optionally, step S14 of learning the feature relationships of the multiple groups of detected information through knowledge inference to obtain multiple groups of learned relationships includes: learning the feature relationships of the multiple groups of detected information through a path ranking algorithm using a pre-established tuple model, to obtain multiple groups of learned relationships.
Inference mainly learns new relationships and new attribute values from the knowledge graph; specifically, this can be achieved with the rules of the six-tuple model. Attribute inference derives further attributes of an instance from the instance and its existing attribute values.
Suppose A and B have some relationship and B and C have some relationship; the implicit relationship between A and C is then inferred through the chain of relationships. The entities in the knowledge graph are clustered by attribute similarity, and the number on each connecting line, representing the degree of trust between the two entities, is computed from the number of interactions, the relationship type and the similarity of interests between them, which turns the whole network of relationships into an entity interaction graph, see fig. 5. For the propagation of relationships between nodes in the graph, the following can be assumed: information obtained through a single intermediary is generally more reliable than information relayed by a long chain of users, while the most accurate information comes from the most trusted neighbours, so a path length limit and a minimum trust-value threshold can be set when searching for a trusted path.
Figure BDA0003190370430000101
Wherein m represents the number of layers between A and E; n represents the number of individual interactions between the units of layer L_{j-1} and layer L_j; T represents the total number of interactions between layer L_{j-1} and layer L_j; n represents the number of links between A and E, W_i is the weight corresponding to the i-th link, h_i is the hop count of the i-th link layer, h_total is the total hop count, and Trust(A, E) is the trust value between A and E. The number of layers between A and E, the hop count of the link layer, and so on can be obtained from the entity interaction diagram.
Therefore, by the method of the embodiment of the application, the characteristic relations of a plurality of groups of detected information can be learned by utilizing the pre-established tuple model through the path sorting algorithm to obtain a plurality of groups of learned relations, so that the network threat can be predicted through the learned relations.
Optionally, in fig. 4, the feature information in step S15 includes entity information and relationship information between entities, and the predicting of the current network attack according to the learned relationship by using the network model obtained through pre-training includes:
step S151, calculating trust values between the entities through a preset formula according to the relationship information between the entities and the learned relationship;
and S152, predicting the current network attack according to the trust value between the entities by using a network model obtained by pre-training.
The current network attack can be predicted from the trust values between the entities using a pre-trained network model, specifically an LSTM network. To solve the problems of gradient vanishing and gradient explosion during long-sequence training, the model can be implemented with the TensorFlow framework library. When the LSTM parameters are set, batch_size, time_step_size and test_size are continuously updated by computing the loss function; the activation function may be tanh; to prevent overfitting, regularization can be performed using dropout. Dropout temporarily deletes a portion of the neurons and updates the weights of the other neurons by gradient descent; the next time, other neurons are temporarily deleted in the same way, thus preventing overfitting. Finally, the error is calculated through cross entropy, and training is repeated to obtain an optimal value.
The network structure of the LSTM can be seen in fig. 5. The LSTM network can remember the preceding state, selectively let information pass, forget old information and remember new subject information. The LSTM network may include:
1. A forgetting threshold (forget gate), which determines how much of the cell state c_{t-1} at the previous moment is kept in the current state c_t. The expression for the forget gate is:
f_t = σ(W_f · [h_{t-1}, x_t] + b_f),
where W_f is the weight matrix of the forget gate, [h_{t-1}, x_t] represents the concatenation of the two vectors into one longer vector, b_f is the offset term of the forget gate, σ() is the sigmoid function, and f_t is the forgetting threshold. If the dimension of the input is d_x, the dimension of the hidden layer is d_h and the dimension of the cell state is d_c (d_c = d_h), then the weight matrix W_f of the forget gate has dimension d_c × (d_h + d_x). The weight matrix W_f is formed by splicing two matrices: one matrix W_fh corresponds to the input h_{t-1} and has dimension d_c × d_h; the other matrix W_fx corresponds to the input x_t and has dimension d_c × d_x. W_f can be written as:
Figure BDA0003190370430000121
wherein, the calculation of the forgetting gate can be seen in fig. 6 a.
2. An input threshold (input gate): i_t = σ(W_i · [h_{t-1}, x_t] + b_i), where W_i is the weight matrix of the input gate, b_i is the offset term of the input gate and i_t is the input threshold. The calculation of the input gate can be seen in fig. 6b.
The cell state describing the current input,
Figure BDA0003190370430000122
can be calculated from the output of the previous moment and the input of this moment:
Figure BDA0003190370430000123
Figure BDA0003190370430000124
see fig. 6c, where W_c represents a matrix.
The cell state c_t at the current moment is calculated from the previous cell state c_{t-1} multiplied element-wise by the forget gate f_t, plus the currently input cell state
Figure BDA0003190370430000125
multiplied element-wise by the input gate i_t; the two products are added to produce:
Figure BDA0003190370430000126
c_t; see fig. 6d. In this way the LSTM combines the current memory
Figure BDA0003190370430000127
with the long-term memory c_{t-1} to form the new cell state c_t, where f_t is the forget gate. The control of the forget gate can preserve information from long ago, and the control of the input gate can prevent currently irrelevant content from entering the memory.
3. An output threshold (output gate), which controls the influence of long-term memory on the current output: o_t = σ(W_o · [h_{t-1}, x_t] + b_o), where o_t represents the output threshold, W_o is a predetermined matrix and b_o is a preset term. The calculation of the output gate can be seen in fig. 6e.
The final output of the LSTM is determined by the output gate and the cell state together: h_t = o_t ∘ tanh(c_t). The calculation of the final output of the LSTM can be seen in fig. 6f.
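One LSTM cell step following the gate equations above, as an added example that is not code from the patent: it is written in plain Python (no framework) so that the dimension bookkeeping is visible, stores W_f as the splice [W_fh | W_fx] of shape d_c × (d_h + d_x), and uses constructed zero weights, with zero_params() being an assumed helper that exists only for this demonstration.

```python
"""One LSTM cell step following the gate equations described above.

Added example, not code from the patent. Written in plain Python (no
framework) so that the dimension bookkeeping is visible. W_f is stored as
the splice [W_fh | W_fx] of shape d_c x (d_h + d_x); the same layout is used
for W_i, W_c and W_o. All weight values are constructed sample values and
zero_params() is an assumed helper that exists only for this demonstration.
"""
import math


def sigmoid(z):
    """Logistic function sigma(); clamped to avoid overflow for large |z|."""
    z = max(-60.0, min(60.0, z))
    return 1.0 / (1.0 + math.exp(-z))


def matvec(W, v):
    """W is a list of rows (d_out x d_in); v is a vector of length d_in."""
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def vadd(a, b):
    return [x + y for x, y in zip(a, b)]


def vmul(a, b):
    """Element-wise (Hadamard) product, the 'o' in h_t = o_t o tanh(c_t)."""
    return [x * y for x, y in zip(a, b)]


def splice(W_h, W_x):
    """Concatenate W_h (d_c x d_h) and W_x (d_c x d_x) column-wise into the
    single gate matrix W (d_c x (d_h + d_x)) that acts on [h_{t-1}, x_t]."""
    return [row_h + row_x for row_h, row_x in zip(W_h, W_x)]


def zero_params(d_x, d_h):
    """Constructed sample parameters: every weight and bias is zero, so each
    gate evaluates to sigma(0) = 0.5 and the candidate state to tanh(0) = 0.
    d_c = d_h as in the text."""
    d_c = d_h

    def zeros(rows, cols):
        return [[0.0] * cols for _ in range(rows)]

    params = {}
    for g in ("f", "i", "c", "o"):
        params["W_" + g] = splice(zeros(d_c, d_h), zeros(d_c, d_x))
        params["b_" + g] = [0.0] * d_c
    return params


def lstm_step(p, h_prev, x, c_prev):
    """Compute (h_t, c_t) from h_{t-1}, x_t and c_{t-1}.

    f_t  = sigma(W_f . [h_{t-1}, x_t] + b_f)   forget gate
    i_t  = sigma(W_i . [h_{t-1}, x_t] + b_i)   input gate
    c~_t = tanh(W_c . [h_{t-1}, x_t] + b_c)    candidate cell state
    c_t  = f_t o c_{t-1} + i_t o c~_t          new cell state
    o_t  = sigma(W_o . [h_{t-1}, x_t] + b_o)   output gate
    h_t  = o_t o tanh(c_t)                     output
    """
    z = list(h_prev) + list(x)  # the concatenated vector [h_{t-1}, x_t]
    f = [sigmoid(v) for v in vadd(matvec(p["W_f"], z), p["b_f"])]
    i = [sigmoid(v) for v in vadd(matvec(p["W_i"], z), p["b_i"])]
    c_tilde = [math.tanh(v) for v in vadd(matvec(p["W_c"], z), p["b_c"])]
    c = vadd(vmul(f, c_prev), vmul(i, c_tilde))
    o = [sigmoid(v) for v in vadd(matvec(p["W_o"], z), p["b_o"])]
    h = vmul(o, [math.tanh(v) for v in c])
    return h, c


if __name__ == "__main__":
    p = zero_params(d_x=3, d_h=2)
    h, c = lstm_step(p, h_prev=[0.0, 0.0], x=[1.0, 2.0, 3.0], c_prev=[1.0, 0.0])
    print("c_t =", c)  # forget gate 0.5 keeps half of c_{t-1}: [0.5, 0.0]
    print("h_t =", h)
    # Driving the forget gate bias strongly negative makes f_t ~ 0, so the
    # previous memory is discarded regardless of c_{t-1}.
    p["b_f"] = [-50.0, -50.0]
    _, c2 = lstm_step(p, [0.0, 0.0], [1.0, 2.0, 3.0], [1.0, 0.0])
    print("c_t with forget gate closed =", c2)
```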
Therefore, by the method of the embodiment of the application, the trust value between the entities can be calculated through the preset formula according to the relationship information between the entities and the learned relationship, so that the current network attack can be predicted by using the network model obtained by pre-training, and the precaution is provided for a decision maker.
Referring to fig. 7, fig. 7 is another schematic flow chart of the network attack behavior prediction method provided in the embodiment of the present application. The embodiment of the present application further provides a network security knowledge base comprising five modules, which are respectively: a data source module, an ontology module, a knowledge extraction module, a knowledge fusion module, a knowledge deduction module and a threat prediction module. The main functions and implementation of each module are as follows:
1. A data source module: the module mainly acquires the needed information on vulnerabilities, attacks and other threat intelligence from structured data such as databases and unstructured data such as text and audio, and provides a large amount of knowledge information to the knowledge extraction module.
2. An ontology module: the network security ontology contains four entity types: vulnerability, software, operating system and attack. A unified formal representation of network security elements is studied on the basis of the ontology, and a multilevel security ontology structural system is established.
3. A knowledge extraction module: the module mainly processes the data acquired from the data source module, performing operations such as data arrangement and data normalization. The purpose of knowledge extraction is to label and segment sequences in the data, so knowledge graph methods are used. The idea of the conditional random field derives from the Markov network in undirected graphical models; it mainly represents a linear-chain conditional random field and can be regarded as a generalization of the maximum entropy Markov model to the labelling problem. Its advantage is that rich internal and contextual sentence information can be used when labelling a position, so a linear-chain conditional random field is used to realize labelling and classification of the sequence. The model is an unconstrained optimization problem whose learning strategy is maximum likelihood estimation. However, the dimension of the feature function involved in the sequence labelling problem is very high, so the embodiment of the present application selects L-BFGS (the limited-memory quasi-Newton method). The basic idea of L-BFGS is to store only the information of the latest m iterations, which greatly reduces the storage space required and makes it better suited to larger-scale practical applications; the algorithm flow is shown in fig. 8.
The algorithm is described as follows: L-BFGS first sets an initial value for the parameter
Figure BDA0003190370430000131
and then refines the estimate of the parameter iteration after iteration:
Figure BDA0003190370430000132
To update from
Figure BDA0003190370430000133
to
Figure BDA0003190370430000134
the search direction
Figure BDA0003190370430000135
must be calculated, together with the size of the step a_t taken in that direction. To calculate
Figure BDA0003190370430000136
the values of the last m changes of
Figure BDA0003190370430000137
and
Figure BDA0003190370430000138
are used, where m is given by the user and is typically between 3 and 20.
Figure BDA0003190370430000139
is the gradient vector of
Figure BDA00031903704300001310
at the i-th iteration. At the k-th iteration, calculating the search direction
Figure BDA00031903704300001311
requires m pairs of
Figure BDA00031903704300001312
where i = k-m+1, ..., k. The step length a_k is chosen to satisfy the strong Wolfe condition (a termination condition) to avoid steps that are too large or too small. H_t is an approximation of the Hessian matrix, and H_t may be different in each iteration.
4. A knowledge fusion module: through the knowledge extraction module, the entities, relationships, entity attributes and other information are obtained. However, the fragmented big data published on the internet generally contains a large amount of redundancy, errors or conflicts, and the data usually lacks logical structure, so the acquired knowledge needs to be sorted and fused; the true value of the knowledge is then judged through conflict detection and consistency checking, erroneous data is detected and removed, and the verified correct knowledge is organized into a knowledge base through alignment, combination and calculation, providing users with a comprehensive shared knowledge network and guaranteeing the accuracy of the data to the greatest extent. Here a dictionary-analysis-based approach is mainly used, with the help of the large amount of structural information in Wikipedia, including entity pages, redirection pages, disambiguation pages, bold fields in the first paragraph and hyperlinked text in encyclopedia pages. Using the classification information of the entity object page extracted from Wikipedia and the large number of hyperlink texts contained in the page as topics and concepts respectively, the document describing the entity object is expanded and represented as a space vector model containing the concepts and topics in Wikipedia, and finally one-to-one linking is performed.
5. A knowledge deduction module: knowledge reasoning mainly learns new relations and attribute values from the knowledge graph, and is implemented here primarily using rules in the six-tuple model. Attribute deduction infers new attributes of other aspects from instances and their existing attribute values. Relationship deduction mainly uses the path sorting algorithm, which uses the characteristics of the edges connecting two nodes in the graph to predict the relationship between the two nodes. When the relationship between two nodes is calculated, the length of the edges between the nodes and the trust value of the edges are introduced so that both contribute to the relationship of the nodes. The trust value of a path p is calculated as α·t_p + β·(1 − v_p) + γ·w_p, with α = β = γ = 1/3, where the three parameters t_p, v_p and w_p are the mean, variance and length ratio of the whole path. The range of the trust value of an edge is V = <0.1, 0.3, 0.5, 0.8, 1.0>, the five numbers representing distrust, poor trust, general trust, comparative trust and very high trust. Since the trust value decreases as the transmission length increases during knowledge transmission, the length is limited when a path is selected, and the relationship between two nodes is calculated through a simple multiplication operation. Finally, new relations can be obtained through the ranking of the paths. The rule-based reasoning method mainly uses ontology rules: OWL and SWRL, or rule constraints defined in other formal languages, establish reasoning relations on the basis of the ontology.
6. A risk prediction module: threat prediction mainly mines hidden risks so as to provide advance precaution for decision makers. The deep learning method uses the LSTM network for prediction. LSTM is a special RNN (Recurrent Neural Network) that mainly aims to solve the problems of gradient vanishing and gradient explosion during long-sequence training. This is implemented directly with the TensorFlow framework library. When the LSTM parameters are set, batch_size, time_step_size and test_size are continuously updated by computing the loss function; the activation function is tanh; to prevent overfitting, regularization is performed using dropout. Dropout temporarily deletes a part of the neurons and updates the weights of the other neurons by gradient descent; the next time, other neurons are temporarily deleted in the same way, thus preventing overfitting. Finally, the error is calculated through cross entropy, and training is repeated to obtain an optimal value.
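The path-based trust inference of the knowledge deduction module (item 5), together with the path-length limit and minimum confidence threshold for trusted-path search described earlier for the entity interaction graph, as an added example that is not the patent's own code. It scores each path as α·t_p + β·(1 − v_p) + γ·w_p with α = β = γ = 1/3, restricts edge trusts to V = <0.1, 0.3, 0.5, 0.8, 1.0>, and derives the node relationship by multiplying edge trusts along the path; the graph is constructed sample data, and the exact form of the length ratio w_p (a one-hop path scores 1.0, the longest allowed path 1/max_len) is an assumption, since the text does not fix it.

```python
"""Path-based trust inference over an entity interaction graph.

Added example, not the patent's own code. The graph below is constructed
sample data; the definition of the length ratio w_p is an assumption.
"""
from statistics import mean, pvariance

TRUST_LEVELS = (0.1, 0.3, 0.5, 0.8, 1.0)  # distrust ... very high trust
ALPHA = BETA = GAMMA = 1.0 / 3.0

# Constructed entity interaction graph: {source: {target: edge trust}}.
GRAPH = {
    "A": {"B": 0.8, "C": 0.5},
    "B": {"D": 1.0, "E": 0.3},
    "C": {"D": 0.8},
    "D": {"E": 0.8},
    "E": {},
}


def check_graph(graph):
    """Reject edges whose trust is not one of the five permitted levels."""
    for src, edges in graph.items():
        for dst, trust in edges.items():
            if trust not in TRUST_LEVELS:
                raise ValueError(f"edge {src}->{dst} has trust {trust} not in V")
    return True


def enumerate_paths(graph, src, dst, max_len, min_trust):
    """Simple paths from src to dst with at most max_len edges.

    Edges below min_trust are never followed: this is the path-length limit
    and minimum confidence threshold used when searching for a trusted path.
    """
    found = []

    def dfs(node, path):
        if node == dst:
            found.append(list(path))
            return
        if len(path) - 1 == max_len:
            return
        for nxt, trust in graph.get(node, {}).items():
            if nxt in path or trust < min_trust:
                continue
            path.append(nxt)
            dfs(nxt, path)
            path.pop()

    dfs(src, [src])
    return found


def edge_trusts(graph, path):
    """Edge trust values along a path, in order."""
    return [graph[a][b] for a, b in zip(path, path[1:])]


def path_score(trusts, max_len):
    """alpha*t_p + beta*(1 - v_p) + gamma*w_p for one path's edge trusts."""
    t_p = mean(trusts)                            # mean trust along the path
    v_p = pvariance(trusts)                       # variance of the trusts
    w_p = (max_len - len(trusts) + 1) / max_len   # length ratio (assumed form)
    return ALPHA * t_p + BETA * (1.0 - v_p) + GAMMA * w_p


def path_relation(trusts):
    """Trust decays with transmission length: multiply the edge trusts."""
    result = 1.0
    for t in trusts:
        result *= t
    return result


def rank_paths(graph, src, dst, max_len=3, min_trust=0.3):
    """Return [(score, relation_strength, path), ...], best path first."""
    ranked = []
    for path in enumerate_paths(graph, src, dst, max_len, min_trust):
        trusts = edge_trusts(graph, path)
        ranked.append((path_score(trusts, max_len), path_relation(trusts), path))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    check_graph(GRAPH)
    for score, rel, path in rank_paths(GRAPH, "A", "E"):
        print(f"{'->'.join(path):12s} score={score:.4f} relation={rel:.3f}")
```

With the sample graph, the three-hop path A->B->D->E outranks the shorter A->B->E because its edges are uniformly trusted, even though the length ratio favours the shorter path.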
In a second aspect of the embodiments of the present application, there is further provided a network attack behavior prediction apparatus, with reference to fig. 9, where the apparatus includes:
an information obtaining module 901, configured to obtain network threat information;
a labeling and dividing module 902, configured to label and divide the network threat information to obtain multiple sets of feature information;
a conflict detection module 903, configured to perform conflict detection on the multiple sets of feature information, obtain and remove conflicting feature information, and obtain multiple sets of detected information;
a relationship learning module 904, configured to learn a feature relationship of multiple groups of detected information through knowledge inference, so as to obtain multiple groups of learned relationships;
and the attack prediction module 905 is configured to predict a current network attack according to the learned relationship by using a network model obtained through pre-training.
Optionally, the attack prediction module 905 includes:
a trust value calculation submodule, configured to calculate the trust value between the entities through a preset formula according to the relationship information between the entities and the learned relationship;
and the network attack prediction submodule is used for predicting the current network attack according to the trust value between the entities by utilizing the network model obtained by pre-training.
Optionally, the relationship learning module 904 is specifically configured to perform feature relationship learning on multiple groups of detected information through a path sorting algorithm by using a pre-created tuple model, so as to obtain multiple groups of learned relationships.
Optionally, the collision detection module 903 is specifically configured to perform collision detection on multiple sets of feature information through pre-created structural information by using a dictionary-based analysis method, to obtain and remove feature information of a collision, so as to obtain multiple sets of detected information.
Therefore, with this device, network threat information can be marked and divided to obtain multiple groups of characteristic information, conflicting characteristic information is removed through conflict detection, multiple groups of learned relations are obtained through knowledge reasoning, and the current network attack is predicted according to the learned relations by means of the network model obtained through pre-training. Thus not only can the conflicting characteristic information be removed, but deep relations can also be obtained through knowledge reasoning, and the accuracy of network attack prediction is improved.
The embodiment of the present invention further provides an electronic device, as shown in fig. 10, comprising a processor 1001, a communication interface 1002, a memory 1003 and a communication bus 1004, wherein the processor 1001, the communication interface 1002 and the memory 1003 communicate with each other through the communication bus 1004;
a memory 1003 for storing a computer program;
the processor 1001 is configured to implement the following steps when executing the program stored in the memory 1003:
acquiring network threat information;
marking and dividing the network threat information to obtain a plurality of groups of characteristic information;
performing conflict detection on the multiple groups of feature information to obtain and remove conflicting feature information and obtain multiple groups of detected information;
learning the characteristic relationship of the multiple groups of detected information through knowledge reasoning to obtain multiple groups of learned relationships;
and predicting the current network attack according to the learned relation by utilizing a network model obtained by pre-training.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above network attack behavior prediction methods.
In yet another embodiment, a computer program product containing instructions is provided, which when run on a computer, causes the computer to perform any one of the above described network attack behavior prediction methods.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server or a data center, that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for embodiments such as the apparatus, the electronic device, and the computer-readable storage medium, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to part of the description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A network attack behavior prediction method, the method comprising:
acquiring network threat information;
marking and dividing the network threat information to obtain a plurality of groups of characteristic information;
performing conflict detection on the multiple groups of feature information to obtain and remove conflicting feature information and obtain multiple groups of detected information;
learning the characteristic relationship of the multiple groups of detected information through knowledge reasoning to obtain multiple groups of learned relationships;
and predicting the current network attack according to the learned relation by utilizing a network model obtained by pre-training.
2. The method of claim 1, wherein the feature information includes entity information and relationship information between entities, and predicting the current cyber attack according to the learned relationship by using a pre-trained cyber model includes:
calculating a trust value between the entities through a preset formula according to the relationship information between the entities and the learned relationship;
and predicting the current network attack according to the trust value between the entities by utilizing a network model obtained by pre-training.
3. The method of claim 1, wherein learning the feature relationships of the multiple groups of detected information through knowledge inference to obtain multiple groups of learned relationships comprises:
and learning the characteristic relations of the multiple groups of detected information by using a pre-established tuple model through a path sorting algorithm to obtain multiple groups of learned relations.
4. The method of claim 1, wherein the performing collision detection on the multiple sets of feature information to obtain and remove collided feature information and obtain multiple sets of detected information comprises:
and performing conflict detection on the multiple groups of feature information by using a dictionary-based analysis method through the pre-created structural information to obtain and remove the conflicting feature information, so as to obtain multiple groups of detected information.
5. A cyber attack behavior prediction apparatus, characterized in that the apparatus comprises:
the information acquisition module is used for acquiring network threat information;
the marking and dividing module is used for marking and dividing the network threat information to obtain a plurality of groups of characteristic information;
the conflict detection module is used for carrying out conflict detection on the multiple groups of characteristic information to obtain and remove conflicting characteristic information and obtain multiple groups of detected information;
the relation learning module is used for learning the characteristic relation of the multiple groups of detected information through knowledge reasoning to obtain multiple groups of learned relations;
and the attack prediction module is used for predicting the current network attack according to the learned relation by utilizing a network model obtained by pre-training.
6. The apparatus of claim 5, wherein the attack prediction module comprises:
a trust value calculation submodule, configured to calculate the trust value between the entities through a preset formula according to the relationship information between the entities and the learned relationship;
and the network attack prediction submodule is used for predicting the current network attack according to the trust value between the entities by utilizing a network model obtained by pre-training.
7. The apparatus of claim 5,
the relationship learning module is specifically configured to perform feature relationship learning on the multiple groups of detected information through a path sorting algorithm by using a pre-created tuple model to obtain multiple groups of learned relationships.
8. The apparatus of claim 5,
the conflict detection module is specifically configured to perform conflict detection on the multiple sets of feature information by using a dictionary-based analysis method through pre-created structural information, obtain and remove conflicting feature information, and obtain multiple sets of detected information.
9. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1 to 4 when executing a program stored in the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 4.
CN202110875490.XA 2021-07-30 2021-07-30 Network attack behavior prediction method and device, electronic equipment and storage medium Active CN113591077B (en)


Publications (2)

Publication Number Publication Date
CN113591077A true CN113591077A (en) 2021-11-02
CN113591077B CN113591077B (en) 2024-03-19

Family

ID=78253033

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110875490.XA Active CN113591077B (en) 2021-07-30 2021-07-30 Network attack behavior prediction method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113591077B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114301795A (en) * 2021-11-15 2022-04-08 南京翌淼信息科技有限公司 Network data security identification method and system
CN114884686A (en) * 2022-03-17 2022-08-09 新华三信息安全技术有限公司 PHP threat identification method and device
CN114915539A (en) * 2022-05-20 2022-08-16 电子科技大学 SDN flow rule conflict fault detection method based on knowledge graph

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140337974A1 (en) * 2013-04-15 2014-11-13 Anupam Joshi System and method for semantic integration of heterogeneous data sources for context aware intrusion detection
US9292695B1 (en) * 2013-04-10 2016-03-22 Gabriel Bassett System and method for cyber security analysis and human behavior prediction
CN109347801A (en) * 2018-09-17 2019-02-15 武汉大学 A kind of vulnerability exploit methods of risk assessment based on multi-source word insertion and knowledge mapping
CN109922075A (en) * 2019-03-22 2019-06-21 中国南方电网有限责任公司 Network security knowledge map construction method and apparatus, computer equipment
CN110688456A (en) * 2019-09-25 2020-01-14 北京计算机技术及应用研究所 Vulnerability knowledge base construction method based on knowledge graph
CN111698207A (en) * 2020-05-07 2020-09-22 北京华云安信息技术有限公司 Method, equipment and storage medium for generating knowledge graph of network information security
CN111741023A (en) * 2020-08-03 2020-10-02 中国人民解放军国防科技大学 Attack studying and judging method, system and medium for network attack and defense test platform
US20200327223A1 (en) * 2019-04-09 2020-10-15 International Business Machines Corporation Affectedness scoring engine for cyber threat intelligence services
CN112165462A (en) * 2020-09-11 2021-01-01 哈尔滨安天科技集团股份有限公司 Attack prediction method and device based on portrait, electronic equipment and storage medium
WO2021103492A1 (en) * 2019-11-28 2021-06-03 福建亿榕信息技术有限公司 Risk prediction method and system for business operations

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9292695B1 (en) * 2013-04-10 2016-03-22 Gabriel Bassett System and method for cyber security analysis and human behavior prediction
US20140337974A1 (en) * 2013-04-15 2014-11-13 Anupam Joshi System and method for semantic integration of heterogeneous data sources for context aware intrusion detection
CN109347801A (en) * 2018-09-17 2019-02-15 武汉大学 A kind of vulnerability exploit methods of risk assessment based on multi-source word insertion and knowledge mapping
CN109922075A (en) * 2019-03-22 2019-06-21 中国南方电网有限责任公司 Network security knowledge map construction method and apparatus, computer equipment
US20200327223A1 (en) * 2019-04-09 2020-10-15 International Business Machines Corporation Affectedness scoring engine for cyber threat intelligence services
CN110688456A (en) * 2019-09-25 2020-01-14 北京计算机技术及应用研究所 Vulnerability knowledge base construction method based on knowledge graph
WO2021103492A1 (en) * 2019-11-28 2021-06-03 福建亿榕信息技术有限公司 Risk prediction method and system for business operations
CN111698207A (en) * 2020-05-07 2020-09-22 北京华云安信息技术有限公司 Method, equipment and storage medium for generating knowledge graph of network information security
CN111741023A (en) * 2020-08-03 2020-10-02 中国人民解放军国防科技大学 Attack analysis and judgment method, system and medium for a network attack and defense test platform
CN112165462A (en) * 2020-09-11 2021-01-01 哈尔滨安天科技集团股份有限公司 Profile-based attack prediction method and device, electronic equipment and storage medium

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
董聪;姜波;卢志刚;刘宝旭;李宁;马平川;姜政伟;刘俊荣;: "A survey of knowledge graphs for cyberspace security intelligence", 信息安全学报 (Journal of Cyber Security), no. 05 *
谢博;申国伟;郭春;周燕;于淼;: "A cybersecurity entity recognition method based on residual dilated convolutional neural networks", 网络与信息安全学报 (Chinese Journal of Network and Information Security), no. 05 *
贾焰 et al.: "A practical method for constructing a cybersecurity knowledge graph", Engineering, vol. 04, no. 01, pages 59-67 *
高见;王安;: "Research on ontology-based cyber threat intelligence analysis technology", 计算机工程与应用 (Computer Engineering and Applications), no. 11 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114301795A (en) * 2021-11-15 2022-04-08 南京翌淼信息科技有限公司 Network data security identification method and system
CN114301795B (en) * 2021-11-15 2023-12-01 深圳市乐数科技有限责任公司 Network data security identification method and system
CN114884686A (en) * 2022-03-17 2022-08-09 新华三信息安全技术有限公司 PHP threat identification method and device
CN114884686B (en) * 2022-03-17 2024-03-08 新华三信息安全技术有限公司 PHP threat identification method and device
CN114915539A (en) * 2022-05-20 2022-08-16 电子科技大学 SDN flow rule conflict fault detection method based on knowledge graph
CN114915539B (en) * 2022-05-20 2023-07-28 电子科技大学 SDN flow rule conflict fault detection method based on knowledge graph

Also Published As

Publication number Publication date
CN113591077B (en) 2024-03-19

Similar Documents

Publication Publication Date Title
CN111552855B (en) Network threat information automatic extraction method based on deep learning
CN111523119B (en) Vulnerability detection method and device, electronic equipment and computer readable storage medium
CN113591077B (en) Network attack behavior prediction method and device, electronic equipment and storage medium
CN113596007B (en) Vulnerability attack detection method and device based on deep learning
Long et al. Collecting indicators of compromise from unstructured text of cybersecurity articles using neural-based sequence labelling
CN114330322A (en) Threat information extraction method based on deep learning
US20220414228A1 (en) Methods and systems for natural language processing of graph database queries
CN111931935B (en) Network security knowledge extraction method and device based on One-shot learning
Ra et al. DeepAnti-PhishNet: Applying deep neural networks for phishing email detection
CN111709225B (en) Event causal relationship discriminating method, device and computer readable storage medium
Rajalakshmi et al. Transfer learning approach for identification of malicious domain names
Yang et al. Automated cyber threat intelligence reports classification for early warning of cyber attacks in next generation SOC
CN112699375A (en) Block chain intelligent contract security vulnerability detection method based on network embedded similarity
Sohrabi et al. Topic modeling and classification of cyberspace papers using text mining
Muslihi et al. Detecting SQL injection on web application using deep learning techniques: a systematic literature review
Nowroozi et al. An adversarial attack analysis on malicious advertisement url detection framework
Mondal et al. A review of SQLI detection strategies using machine learning
Chua et al. Problem Understanding of Fake News Detection from a Data Mining Perspective
CN116756327B (en) Threat information relation extraction method and device based on knowledge inference and electronic equipment
CN112966507A (en) Method, device, equipment and storage medium for constructing recognition model and identifying attack
CN115001763B (en) Phishing website attack detection method and device, electronic equipment and storage medium
Elnagar et al. A cognitive framework for detecting phishing websites
Thajeel et al. Machine and deep learning-based xss detection approaches: a systematic literature review
Yuliani et al. Hoax news classification using machine learning algorithms
Lin et al. Novel JavaScript malware detection based on fuzzy Petri nets

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant