CN114301699A - Behavior prediction method and apparatus, electronic device, and computer-readable storage medium - Google Patents


Info

Publication number
CN114301699A
Authority
CN
China
Prior art keywords
attack
behavior
link
predicted
attack behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111651790.6A
Other languages
Chinese (zh)
Inventor
赵玉迎
任洪伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Antiy Technology Group Co Ltd
Priority to CN202111651790.6A
Publication of CN114301699A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a behavior prediction method and apparatus, an electronic device and a computer-readable storage medium, applied in the technical field of network security. The method comprises the following steps: extracting attack threat information from network information; determining a current attack behavior link according to the attack threat information; determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model; determining a confidence level of each predicted attack behavior according to the probability of each predicted attack behavior occurring in a plurality of predetermined devices; and determining the predicted attack behavior with the highest confidence level as the target attack behavior. The technical scheme exploits the fact that the attack path of an APT attack is difficult to change: the attack behavior that may occur next is predicted on the basis of the attack path using the preset link model, so the effectiveness of APT attack protection is improved and network security is protected.

Description

Behavior prediction method and apparatus, electronic device, and computer-readable storage medium
[ technical field ]
The present invention relates to the field of network security technologies, and in particular, to a behavior prediction method and apparatus, an electronic device, and a computer-readable storage medium.
[ background of the invention ]
With the diversification of network attack methods and channels, APT attacks have become one of the main threats faced by the network security industry. In recent years APT attack events have been frequent and have posed serious threats to network security. Traditional network security protection is essentially a passive defense mechanism, and current APT attack activities, which are highly targeted, persistent and covert, can evade the existing protection measures and render them ineffective.
Improving the effectiveness of responses to APT attacks has therefore become an urgent technical problem.
[ summary of the invention ]
The embodiment of the invention provides a behavior prediction method and device, electronic equipment and a computer readable storage medium, and aims to solve the technical problem that in the related art, the effectiveness of protection measures for APT attack is insufficient.
In a first aspect, an embodiment of the present invention provides a behavior prediction method, including: extracting attack threat information from the network information; determining a current attack behavior link according to the attack threat information; determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model; determining a confidence level of each predicted attack behavior according to the probability of each predicted attack behavior occurring in a plurality of predetermined devices; and determining the predicted attack behavior with the maximum confidence coefficient as a target attack behavior.
In the above embodiment of the present invention, optionally, the step of determining the current attack behavior link according to the attack threat information includes: matching corresponding attack tactical information, attack technical information and sub-technical information for the attack threat information in an attack behavior database according to a preset matching rule, and generating the current attack behavior link according to the matching result.
In the above embodiment of the present invention, optionally, if the current attack behavior link is a partial link of a known attack behavior link, the known attack behavior link is determined as the target attack behavior link, and the first attack behavior in the target attack behavior link after the current attack behavior link is determined as a predicted attack behavior.
In the above embodiment of the present invention, optionally, the step of determining the confidence level of each predicted attack behavior according to the probability of occurrence of each predicted attack behavior in a plurality of predetermined devices includes: for each of the predicted attack behaviors, obtaining a probability that the predicted attack behavior occurs in a plurality of the predetermined devices; and weighting and averaging the probabilities corresponding to the plurality of predetermined devices to obtain the confidence of the predicted attack behavior.
In the above embodiment of the present invention, optionally, before determining, based on a preset link model, a plurality of predicted attack behaviors after the current attack behavior link, the method further includes: determining an attack intention of the current attack behavior link based on an attack behavior database; and selecting the preset link model matched with the attack intention type of the current attack behavior link from a plurality of types of preset link models.
In the above embodiment of the present invention, optionally, the types of the preset link model include: a theft type preset link model, a profit type preset link model and a damage type preset link model.
In a second aspect, an embodiment of the present invention provides a behavior prediction apparatus, including: the attack threat information acquisition unit is used for extracting attack threat information from the network information; the attack behavior link determining unit is used for determining the current attack behavior link according to the attack threat information; the predicted attack behavior determining unit is used for determining a plurality of predicted attack behaviors behind the current attack behavior link based on a preset link model; a confidence coefficient calculation unit for determining a confidence coefficient of each of the predicted attack behaviors according to a probability of occurrence of each of the predicted attack behaviors in a plurality of predetermined devices; and the target attack behavior determining unit is used for determining the predicted attack behavior with the maximum confidence coefficient as the target attack behavior.
In the foregoing embodiment of the present invention, optionally, the attack behavior link determining unit is configured to: match corresponding attack tactical information, attack technical information and sub-technical information for the attack threat information in an attack behavior database according to a preset matching rule, and generate the current attack behavior link according to the matching result.
In the above embodiment of the present invention, optionally, a plurality of known attack behavior links are set in the preset link model, and the predicted attack behavior determining unit is configured to: if the current attack behavior link is a part of a known attack behavior link, determine the known attack behavior link as the target attack behavior link, and determine the first attack behavior in the target attack behavior link after the current attack behavior link as a predicted attack behavior.
In the above embodiment of the present invention, optionally, the confidence coefficient calculating unit is configured to: for each of the predicted attack behaviors, obtaining a probability that the predicted attack behavior occurs in a plurality of the predetermined devices; and weighting and averaging the probabilities corresponding to the plurality of predetermined devices to obtain the confidence of the predicted attack behavior.
In the above embodiment of the present invention, optionally, the predicted attack behavior determining unit is configured to: determining an attack intention of the current attack behavior link based on an attack behavior database; and selecting the preset link model matched with the attack intention type of the current attack behavior link from a plurality of types of preset link models.
In the above embodiment of the present invention, optionally, the types of the preset link model include: a theft type preset link model, a profit type preset link model and a damage type preset link model.
In a third aspect, an embodiment of the present invention provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the first aspects above.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions for performing the method flow described in any one of the first aspect.
According to the technical scheme, to address the insufficient effectiveness of protection measures against APT attacks in the related art, the fact that the attack path of an APT attack is difficult to change is exploited: the attack behavior that may occur next is predicted on the basis of the attack path using the preset link model, so the effectiveness of APT attack protection is improved and network security is protected.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 shows a flow diagram of a behavior prediction method according to one embodiment of the invention;
FIG. 2 shows a block diagram of a behavior prediction device according to an embodiment of the invention;
FIG. 3 shows a block diagram of an electronic device according to an embodiment of the invention.
[ detailed description ]
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
FIG. 1 shows a flow diagram of a behavior prediction method according to one embodiment of the invention.
As shown in fig. 1, a flow of a behavior prediction method according to an embodiment of the present invention includes:
Step 102: extracting attack threat information from the network information.
The network information includes, but is not limited to, traffic and log data generated by devices such as network devices, network security devices and terminal devices; optionally, it also includes analysis reports of known APT attacks. Automated association and topology analysis of this data yields the corresponding attack threat information. Specifically, the attack threat information includes, but is not limited to, the attack organization, target country, target industry/domain, affected platform, attack technique, attack equipment, exploited vulnerability, attack intention, IoCs and associated data.
Step 104: determining the current attack behavior link according to the attack threat information.
The attack threat information reflects the specific attack process of the current APT attack, so that process can be reconstructed from it. The attack process consists of a plurality of consecutive attack behaviors, and these consecutive attack behaviors form the current attack behavior link.
Specifically, according to a predetermined matching rule, corresponding attack tactical information, attack technical information and sub-technical information are matched for the attack threat information in an attack behavior database, and the current attack behavior link is generated according to the matching result.
The attack behavior database is constructed based on the ATT & CK framework and can be updated as the ATT & CK framework is updated. It stores the attack tactics, the attack techniques under each tactic, and the sub-techniques under each technique. Further, a corresponding matching rule is set for each sub-technique in the attack behavior database.
Therefore, after the attack threat information of the current APT attack is obtained, the matching rules of the attack behavior database determine which tactics, techniques and sub-techniques match the attack threat information; the matched tactics, techniques and sub-techniques are the attack behaviors included in the current APT attack.
Generally, an APT attack includes a plurality of consecutive attack behaviors, and these consecutive attack behaviors, that is, the current attack behavior link, can be reconstructed from the attack threat information.
As shown in table 1 below, the attack behavior database stores a large number of known attack behaviors, each of which includes tactics, attack techniques, attack sub-techniques, and matching rules for attack threat information generated by the attack behavior.
TABLE 1 (rendered as an image in the original page and not reproduced here): one row per known attack behavior, with columns for the tactic, attack technique, attack sub-technique and the matching rule for the attack threat information generated by that behavior.
Step 106: determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model.
In one possible design, a plurality of known attack behavior links are arranged in the preset link model; the step of determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model includes: and if the current attack behavior link is a part of the known attack behavior link, determining the known attack behavior link as a target attack behavior link, and determining the first attack behavior in the target attack behavior link after the current attack behavior link as a predicted attack behavior.
In this regard, the preset link model may also be built on the ATT & CK framework and updated as the framework is updated. Specifically, the preset link model is composed of a plurality of known attack behavior links. After the current attack behavior link is determined, each attack behavior in it is matched against the attack behaviors in the known attack behavior links. If the current attack behavior link is contained in a known attack behavior link, that is, if its attack behaviors correspond one to one, in order, to a part of that known link, the current APT attack may be following the known link, and the first attack behavior located after the matched part of the known link is the predicted attack behavior that may occur after the current attack behavior link in the current APT attack.
In another possible design, the preset link model is obtained by training based on input samples and output samples, where the input samples are total links of sample attack behaviors, and the output samples are attack behaviors in the total links of the sample attack behaviors.
At this time, a large amount of known total links of sample attack behaviors and each attack behavior in the total links of the sample attack behaviors are used as training samples in a big data training mode, a preset link model is generated, and the preset link model reflects the incidence relation between the total links of the attack behaviors and each attack behavior in the links. Therefore, for the current APT attack, the current attack behavior link of the current APT attack can be input into the preset link model, and the attack behavior after the current attack behavior link is output through the preset link model to serve as the predicted attack behavior.
Whichever way the preset link model is built, the diversity and uncertainty of APT attacks mean that several predicted attack behaviors are usually obtained. For example, if the current attack behavior link matches a plurality of known attack behavior links, the first attack behavior after the current attack behavior link in each of those known links may be determined as a predicted attack behavior.
Step 108: determining the confidence of each predicted attack behavior according to the probability of each predicted attack behavior occurring in a plurality of predetermined devices.
Different network devices have different capabilities and attributes, so their capability against an APT attack differs; and because attack intentions and purposes differ, the attack behaviors taken against different network devices, and the probability of each being taken, also differ.
Thus, for each predicted attack behavior, the probability that it occurs in each of the plurality of predetermined devices is obtained, and these probabilities are weighted and averaged to obtain the confidence of the predicted attack behavior. In other words, the probability of an attack behavior occurring in a single predetermined device generally does not reflect its probability across the plurality of devices, so the probabilities across all predetermined devices are considered together to produce a confidence that reflects the likelihood of the attack behavior occurring in the plurality of predetermined devices.
Step 110: determining the predicted attack behavior with the highest confidence as the target attack behavior.
Finally, the predicted attack behavior with the highest probability of occurring in the plurality of predetermined devices is determined as the target attack behavior, which is the final prediction result.
According to the technical scheme, the attack path of an APT attack is difficult to change; in other words, the attack behavior link formed by its attack behaviors is relatively fixed. Predicting the attack behavior that may occur next on the basis of the attack path with the preset link model therefore effectively improves APT attack protection and protects network security.
In addition, before determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model, the method may further include: determining the attack intention of the current attack behavior link based on the attack behavior database; and selecting, from a plurality of types of preset link models, the preset link model matching the attack intention type of the current attack behavior link. In particular, APT attack organizations have different types of attack intention, such as stealing secrets, gaining profit or causing damage, in attack activities directed at different business scenarios. Under different attack intention types, the attack behavior links of the same attack organization differ to some extent, while under the same attack intention the attack behavior links of different attack organizations are similar to some extent. Therefore, the extracted attack behaviors are divided according to attack intention type to form a theft type, a profit type and a damage type preset link model of an attack organization.
Therefore, the preset link models which are suitable for respective actual requirements are provided for the attack behaviors with different attack intentions in a targeted manner, so that the subsequent attack behaviors can be predicted more effectively and accurately aiming at the attack paths, and the network security is improved.
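As an added example, not code from the patent or from Antiy, the following Python models steps 102 to 110 together with the optional intent-based selection of the preset link model described above. The tactic and technique identifiers are ATT&CK-style labels; the rule base, the sample log lines, the known attack behavior links in each model and the per-device probabilities and weights are all constructed for the example, and the scoring is the plain weighted average of step 108.

```python
# Added example, not code from the patent or from Antiy: a minimal runnable
# model of steps 102-110 and of the optional intent-based model selection.
# Tactic/technique ids are ATT&CK-style labels; the rule base, the known
# links, the log lines and the per-device probabilities are all constructed.
from collections import namedtuple

Behavior = namedtuple("Behavior", "tactic technique sub_technique")

# Step 104 rule base: a clue string seen in network data -> matched behavior.
# Constructed; the patent derives its rules from the ATT&CK framework.
MATCH_RULES = {
    "macro attachment opened":     Behavior("TA0001", "T1566", "T1566.001"),
    "encoded powershell launched": Behavior("TA0002", "T1059", "T1059.001"),
    "scheduled task created":      Behavior("TA0003", "T1053", "T1053.005"),
    "lsass memory read":           Behavior("TA0006", "T1003", "T1003.001"),
}

# Preset link models, one per attack-intention type. Each model is a list of
# known attack behavior links written as technique-id sequences (constructed).
LINK_MODELS = {
    "theft":  [["T1566", "T1059", "T1053", "T1003", "T1021", "T1041"],
               ["T1566", "T1059", "T1053", "T1003", "T1005", "T1041"]],
    "profit": [["T1566", "T1059", "T1053", "T1003", "T1021", "T1486"]],
    "damage": [["T1190", "T1059", "T1053", "T1003", "T1485"]],
}

# Constructed log lines in a made-up "key=value" format; the clue is whatever
# follows "clue=".
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 dev=mailgw clue=macro attachment opened",
    "2024-01-01T10:02:10 dev=edr    clue=encoded powershell launched",
    "2024-01-01T10:02:15 dev=edr    clue=unrelated noise",
    "2024-01-01T10:05:40 dev=edr    clue=scheduled task created",
    "2024-01-01T10:09:03 dev=edr    clue=lsass memory read",
]

# Constructed per-device probabilities for each candidate next behavior, and
# the weight given to each device class (step 108).
DEVICE_PROBS = {
    "T1021": {"firewall": 0.6, "edr": 0.8, "ids": 0.5},
    "T1005": {"firewall": 0.2, "edr": 0.7, "ids": 0.3},
}
DEVICE_WEIGHTS = {"firewall": 1.0, "edr": 2.0, "ids": 1.0}


def extract_threat_clues(log_lines):
    """Step 102: pull the clue strings out of the raw log lines."""
    return [line.split("clue=", 1)[1].strip() for line in log_lines if "clue=" in line]


def build_current_link(clues):
    """Step 104: map each clue through the rule base, preserving order.
    Clues without a matching rule are dropped rather than guessed."""
    return [MATCH_RULES[c] for c in clues if c in MATCH_RULES]


def select_link_model(intent):
    """Optional pre-step: the preset link model for the attack-intention type.
    An unknown intent yields an empty model, so nothing is predicted."""
    return LINK_MODELS.get(intent, [])


def predict_next(current_link, model):
    """Step 106: every known link whose prefix equals the current link
    contributes the behavior that immediately follows that prefix."""
    prefix = [b.technique for b in current_link]
    n = len(prefix)
    return sorted({link[n] for link in model if len(link) > n and link[:n] == prefix})


def confidence(probs_by_device, weights):
    """Step 108: weighted average of the per-device probabilities."""
    total = sum(weights.values())
    return sum(probs_by_device.get(dev, 0.0) * w for dev, w in weights.items()) / total


def select_target(current_link, model, device_probs, weights):
    """Steps 106-110: score every predicted behavior and return the best one
    together with all scores. Returns (None, {}) when nothing matches."""
    scores = {t: confidence(device_probs.get(t, {}), weights)
              for t in predict_next(current_link, model)}
    if not scores:
        return None, scores
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    link = build_current_link(extract_threat_clues(SAMPLE_LOGS))
    target, scores = select_target(link, select_link_model("theft"),
                                   DEVICE_PROBS, DEVICE_WEIGHTS)
    print("current link:", [b.technique for b in link])
    print("scores:", scores, "-> target:", target)
```

Running the file prints the reconstructed link, the confidence of each predicted behavior and the chosen target. Two details matter in practice: a clue with no rule is dropped rather than guessed, so an incomplete rule base shortens the current link and widens the set of known links that match it; and an unknown intent, or a link that matches no known link, yields no target at all, which is the point at which the manual research and judgment the patent mentions would take over.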
In one embodiment of the application, a multisource heterogeneous database automatically/manually collects an analysis report of public APT attack action/event and the like, and an attack organization attack behavior prediction analysis platform receives data of the multisource heterogeneous database. The attack behavior prediction analysis server carries out manual analysis on the collected multi-source heterogeneous data, extracts attack paths in specific attack behaviors based on ATT & CK, constructs preset link models based on different attack intentions, and stores the attack paths into an attack path library and carries out continuous updating.
The attack organization attack behavior prediction analysis platform receives data from client-side devices, including traffic and log data generated by network devices, network security devices and terminal devices, performs automated association and route-extension analysis on the traffic and log data, finds threat clues, and tags them. The threat clues discovered on the client side are matched against the rule base to evaluate the attack tactics, attack techniques and even sub-techniques adopted by the attack organization. Then, combining the target network business scenario with manual research and judgment, the evaluated attack techniques are mapped onto the corresponding preset link model in the attack path library, the credibility that the data of different devices lends to each attack behavior is fused and calculated, the attack behavior of the attack organization is predicted, and the prediction result is returned to the client-side devices to support rapid blocking of the threat process.
The rule base is constructed based on the ATT & CK framework, threat clues are matched with tactics, technologies and sub-technologies of the ATT & CK framework through matching rules, and attack stages of the threat clues are evaluated. The rule base is updated along with the updating of the ATT & CK framework, and the rule base constructed based on the ATT & CK framework has the following examples:
the attack behavior prediction analysis server comprises one or more processors, a persistent storage module and a network interface. The processor is responsible for executing different logic functions of each module of the attack behavior prediction analysis server and interacting with different external databases/data through the network interface. And the persistent storage module is responsible for persistently storing and continuously updating all logic components of the attack behavior prediction analysis server.
The network interface supports the attack behavior prediction analysis server to interact with different external databases/data, and comprises a multi-source heterogeneous database, an ATT & CK-based rule base, an attack path base and client-side equipment.
The persistent storage module persistently stores different logic components and persistently updates specific logic components, and comprises attack path extraction logic, preset link model construction logic, association route analysis logic, threat clue matching logic, preset link model matching logic, probability calculation logic, fusion analysis logic, GUI logic, configurable logic and notification generation logic.
The attack path extraction logic is based on the ATT & CK framework and is used to manually extract, from the multi-source heterogeneous database, the attack path of an APT attack organization in a specific attack action/event. Extracting the attack path of an attack organization mainly consists of obtaining the attack steps and characteristic data of the organization in a specific attack action and extracting the techniques and sub-techniques used under each tactic. The tactics of the ATT & CK framework are reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact; each tactic comprises different techniques, and each technique comprises different sub-techniques. Because the ATT & CK framework is a knowledge base of attack organization techniques and tactics built from real APT attack events, the attack path of an attack organization can be constructed accurately and in a standard form.
And storing the attack path extracted by the attack path extraction logic into an attack path library. It is worth noting that APT attack organizations may have different attack intentions of stealing secrets, gaining profits, destroying, etc. in attack activities for different traffic scenarios. Under different attack intentions, the attack paths of the same attack organization have certain differences, and under the same attack intention, the attack paths of different attack organizations have certain similarities. Therefore, the extracted attack paths are divided according to different attack intentions to form a stealing type attack path library, a profit type attack path library and a destructive type attack path library of an attack organization. Different attack path libraries comprise attack paths extracted by the same/different attack organizations in specific attack actions, and a knowledge base composed of a large number of attack paths is formed.
The preset link model construction logic builds the theft type, profit type and damage type preset link models from the theft type, profit type and damage type attack path libraries respectively. Since the attack path libraries are extracted based on the ATT & CK framework, the preset link models are also constructed on the ATT & CK framework. Taking the theft type preset link model as an example: based on the theft type attack path library, the attack paths of the same or different attack organizations contained in the library are fused, redundant techniques and tactics are eliminated, and the theft type preset link model is abstracted in combination with manual research and judgment. The theft type preset link model covers all attack paths that can occur in the theft-type attack activities of an attack organization and involves techniques and sub-techniques from the different tactical stages of the ATT & CK framework. The profit type and damage type preset link models are constructed in the same way. It should be noted that, as the attack path libraries are continuously updated, the preset link models also need continuous optimization.
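As an added example (not the patent's code), the following Python shows one way to realise the fusion step just described: the attack paths in an attack path library are merged into a prefix tree, so a technique sequence shared by several paths or organizations is stored once, and every step records how many library paths, and which organizations, support it. The prefix-tree representation, the theft-type path library and its organizations "org-A" and "org-B" are constructed for the example (technique ids are ATT&CK-style labels); the patent does not specify a data structure, and its manual research and judgment step is not modelled.

```python
# Added example, not the patent's own code: merging an attack path library
# into one preset link model. Paths are constructed technique-id sequences
# attributed to made-up organizations "org-A" and "org-B".
from collections import defaultdict


class LinkModel:
    """Prefix tree over attack paths.

    Shared prefixes are stored once, so the same technique sequence coming
    from different organizations (or from one organization twice) collapses
    into a single branch; every edge remembers how many library paths and
    which organizations support it."""

    def __init__(self):
        self.children = defaultdict(dict)  # node -> {technique: child node}
        self.support = defaultdict(int)    # (node, technique) -> path count
        self.orgs = defaultdict(set)       # (node, technique) -> organizations
        self._next = 1                     # node 0 is the root

    def add_path(self, org, path):
        """Insert one library path, sharing any prefix already present."""
        node = 0
        for tech in path:
            self.support[(node, tech)] += 1
            self.orgs[(node, tech)].add(org)
            if tech not in self.children[node]:
                self.children[node][tech] = self._next
                self._next += 1
            node = self.children[node][tech]

    def _walk(self, prefix):
        """Node reached by following `prefix` from the root, or None."""
        node = 0
        for tech in prefix:
            node = self.children[node].get(tech)
            if node is None:
                return None
        return node

    def successors(self, prefix):
        """Techniques observed right after `prefix`, with their support counts.
        An unknown prefix yields an empty dict rather than a guess."""
        node = self._walk(prefix)
        if node is None:
            return {}
        return {t: self.support[(node, t)] for t in self.children[node]}

    def supporting_orgs(self, prefix, tech):
        """Organizations whose paths take step `tech` after `prefix`."""
        node = self._walk(prefix)
        return set() if node is None else set(self.orgs[(node, tech)])

    def edge_count(self):
        """Distinct (prefix, technique) steps kept after redundancy removal."""
        return self._next - 1


# Constructed theft-type attack path library: (organization, path).
THEFT_PATHS = [
    ("org-A", ["T1566", "T1059", "T1053", "T1003", "T1021", "T1041"]),
    ("org-A", ["T1566", "T1059", "T1053", "T1003", "T1005", "T1041"]),
    ("org-B", ["T1566", "T1059", "T1053", "T1003", "T1021", "T1041"]),  # same as org-A's first path
    ("org-B", ["T1566", "T1059", "T1547", "T1003", "T1041"]),
]


def build_model(library):
    """Fuse every path of the library into one LinkModel."""
    model = LinkModel()
    for org, path in library:
        model.add_path(org, path)
    return model


if __name__ == "__main__":
    m = build_model(THEFT_PATHS)
    raw_steps = sum(len(p) for _, p in THEFT_PATHS)
    print("raw steps:", raw_steps, "-> model edges:", m.edge_count())
    print("after T1566,T1059:", m.successors(["T1566", "T1059"]))
```

The 23 steps of the four library paths collapse to 11 distinct edges, and querying the model with a prefix returns the candidate next behaviors together with how many paths support each, which is the raw material the prediction step needs when a current link matches more than one known link.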
The attack behavior prediction analysis server receives logs and flow data generated by network equipment, network security equipment and terminal equipment from client side equipment, performs association extension analysis on threat data generated by different equipment by combining internal and external threat information through association extension analysis logic to generate a threat clue, and performs tagging processing on the threat clue.
The preset link model mapping logic maps the attack techniques matched from the rule base to the corresponding nodes of the preset link model. Which preset link model to map to is selected by combining the client-side business scenario with manual research and judgment. In brief, if the client side is a government or enterprise business scenario likely to suffer theft-type APT (advanced persistent threat) attack activity, the matched attack techniques are mapped to the theft type preset link model; if it is a financial business scenario likely to suffer profit-type APT attack activity, they are mapped to the profit type preset link model; and if it is an industrial control business scenario likely to suffer damage-type APT attack activity, they are mapped to the damage type preset link model.
Because the probability that the log and traffic data generated by different network devices, network security devices, terminals and the like map to a specific node of the preset link model differs, the probability calculation logic calculates separately, for each device, the probability that the behavior mapped to that node occurs. The fusion analysis logic then fuses the probabilities calculated for the specific attack behavior from the different devices, and the fused value is used to predict the attack behavior of the attack organization, which improves prediction accuracy and prevents false alarms. The predicted attack behavior of the attack organization is returned to the client side by the notification generation logic, and the latent attack behavior in the network environment is blocked in time in combination with manual research and judgment. Iterating this analysis traces the complete attack link of the attack organization and supports network-wide threat investigation.
In conclusion, compared with the traditional passive defense strategy, the method does not depend on a single threat index, but builds a preset link model based on a mass attack path, actively discovers latent security threats in a target network environment, and timely blocks a threat link before the security threats cause greater data leakage or asset damage. The disadvantages of the technical scheme are as follows: the construction of the attack path library requires massive data accumulation.
It is to be added that, in the present application, a plurality of attack behaviors occur in sequence to form an attack link, where the attack link is an attack path to which the APT attack depends, and on this basis, in the description of any of the above embodiments, the attack link and the attack path may be used and expressed in an alternative manner.
Fig. 2 shows a block diagram of a behavior prediction apparatus according to an embodiment of the present invention.
As shown in fig. 2, a behavior prediction apparatus 200 according to an embodiment of the present invention includes: an attack threat information obtaining unit 202, configured to extract attack threat information from network information; an attack behavior link determining unit 204, configured to determine a current attack behavior link according to the attack threat information; a predicted attack behavior determination unit 206, configured to determine, based on a preset link model, a plurality of predicted attack behaviors after the current attack behavior link; a confidence calculation unit 208, configured to determine a confidence of each of the predicted attack behaviors according to a probability of occurrence of each of the predicted attack behaviors in a plurality of predetermined devices; a target attack behavior determination unit 210, configured to determine the predicted attack behavior with the highest confidence as a target attack behavior.
In the foregoing embodiment of the present invention, optionally, the attack behavior link determining unit 204 is configured to: match corresponding attack tactic information, attack technique information and sub-technique information for the attack threat information in an attack behavior database according to a preset matching rule, and generate the current attack behavior link according to the matching result.
In the above embodiment of the present invention, optionally, a plurality of known attack behavior links are set in the preset link model; the predicted attack behavior determination unit 206 is configured to: if the current attack behavior link is a part of a known attack behavior link, determine that known attack behavior link as a target attack behavior link, and determine the first attack behavior in the target attack behavior link after the current attack behavior link as a predicted attack behavior.
In the above embodiment of the present invention, optionally, the confidence calculating unit 208 is configured to: for each of the predicted attack behaviors, obtain the probability that the predicted attack behavior occurs in each of the plurality of predetermined devices; and compute the weighted average of the probabilities corresponding to the plurality of predetermined devices to obtain the confidence of the predicted attack behavior.
In the foregoing embodiment of the present invention, optionally, the predicted attack behavior determining unit 206 is configured to: determine the attack intention of the current attack behavior link based on the attack behavior database; and select, from a plurality of types of preset link models, the preset link model that matches the attack intention type of the current attack behavior link.
In the above embodiment of the present invention, optionally, the types of the preset link model include: a theft-type preset link model, a profit-type preset link model and a damage-type preset link model.
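The prediction flow of units 204 to 210 (and the per-device probability fusion described earlier for the probability calculation and fusion analysis logic) can be made concrete in code. The following is an added illustration, not code from the patent or from the assignee: it prefix-matches the current attack behavior link against known links of a preset link model selected by intention type, takes the next behavior of every matching link as a predicted attack behavior, scores each by the weighted average of constructed per-device probabilities, and returns the prediction with the highest confidence. The behavior names, device names, weights and probabilities are all constructed sample values.

```python
"""Toy implementation of the behavior prediction flow (added example).

An attack behavior "link" is a sequence of behavior labels. The preset link
model holds known links per attack intention type; the current link is matched
as a prefix of those known links and the behavior that follows it is predicted.
All labels and numbers below are constructed for illustration."""

# Constructed preset link models keyed by attack intention type (theft, damage).
PRESET_LINK_MODELS = {
    "theft": [
        ["phishing", "macro-exec", "credential-dump", "lateral-move", "collection", "exfil"],
        ["phishing", "macro-exec", "persistence", "collection", "exfil"],
    ],
    "damage": [
        ["phishing", "macro-exec", "persistence", "lateral-move", "wiper"],
    ],
}


def select_link_model(intention_type):
    """Pick the preset link model matching the attack intention type."""
    return PRESET_LINK_MODELS[intention_type]


def predict_next_behaviors(current_link, link_model):
    """Return the behaviors that directly follow the current link in every
    known link of which the current link is a proper prefix (order preserved,
    duplicates removed). An empty list means the model does not explain it."""
    n = len(current_link)
    predicted = []
    for known in link_model:
        if len(known) > n and known[:n] == list(current_link):
            nxt = known[n]
            if nxt not in predicted:
                predicted.append(nxt)
    return predicted


def confidence(per_device_probs, device_weights):
    """Weighted average of the probability that the behavior occurs on each
    predetermined device. A device with no probability contributes 0, so a
    behavior seen on only one sensor is scored lower than one corroborated
    by several (the fusion step that limits false alarms)."""
    total_weight = sum(device_weights.values())
    if total_weight <= 0:
        raise ValueError("device weights must sum to a positive value")
    weighted = sum(w * per_device_probs.get(dev, 0.0) for dev, w in device_weights.items())
    return weighted / total_weight


def target_attack_behavior(current_link, intention_type, device_probs, device_weights):
    """Full flow: select model, predict candidates, score them, pick the best.

    device_probs maps behavior -> {device: probability}. Returns
    (behavior, confidence), or (None, 0.0) when no known link matches."""
    link_model = select_link_model(intention_type)
    best = (None, 0.0)
    for behavior in predict_next_behaviors(current_link, link_model):
        score = confidence(device_probs.get(behavior, {}), device_weights)
        if score > best[1]:
            best = (behavior, score)
    return best


# Constructed per-device probabilities and sensor weights for a sample run.
SAMPLE_WEIGHTS = {"edr": 0.5, "ids": 0.3, "firewall": 0.2}
SAMPLE_PROBS = {
    "credential-dump": {"edr": 0.8, "ids": 0.4, "firewall": 0.1},
    "persistence": {"edr": 0.6, "ids": 0.2, "firewall": 0.5},
}

if __name__ == "__main__":
    print(target_attack_behavior(["phishing", "macro-exec"], "theft", SAMPLE_PROBS, SAMPLE_WEIGHTS))
```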
FIG. 3 shows a block diagram of an electronic device of one embodiment of the invention.
As shown in FIG. 3, an electronic device 300 of one embodiment of the invention includes at least one memory 302; and a processor 304 communicatively coupled to the at least one memory 302; wherein the memory stores instructions executable by the at least one processor 304, the instructions being configured to perform the scheme described in any of the above embodiments. Therefore, the electronic device 300 has the same technical effects as any of the above embodiments, and will not be described herein again.
The electronic device of embodiments of the present invention exists in a variety of forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capability and are primarily intended to provide voice and data communication. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPods), handheld game consoles, electronic book readers, smart toys and portable car navigation devices.
(4) Servers, which are similar in architecture to a general-purpose computer but, because they must provide highly reliable services, have higher requirements on processing capability, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction functions.
In addition, an embodiment of the present invention provides a computer-readable storage medium, which stores computer-executable instructions for executing the method flow described in any of the above embodiments.
The technical scheme of the invention has been described in detail in combination with the drawings. By using the characteristic that the attack path of an APT attack is difficult to change, the attack behavior that may occur is predicted from the attack path based on the preset link model, so that the effectiveness of APT attack protection can be effectively improved and the network security protected.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server or a network device) or a processor to execute some of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (9)

1. A method of behavior prediction, comprising:
extracting attack threat information from the network information;
determining a current attack behavior link according to the attack threat information;
determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model;
determining a confidence level of each predicted attack behavior according to the probability of each predicted attack behavior occurring in a plurality of predetermined devices;
and determining the predicted attack behavior with the maximum confidence coefficient as a target attack behavior.
2. The behavior prediction method according to claim 1, wherein the step of determining a current attack behavior link according to the attack threat information comprises:
matching corresponding attack tactic information, attack technique information and sub-technique information for the attack threat information in an attack behavior database according to a preset matching rule, and generating the current attack behavior link according to the matching result.
3. The behavior prediction method according to claim 1, wherein a plurality of known attack behavior links are set in the preset link model;
the step of determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model includes:
if the current attack behavior link is a part of a known attack behavior link, determining that known attack behavior link as a target attack behavior link, and determining the first attack behavior in the target attack behavior link after the current attack behavior link as a predicted attack behavior.
4. The behavior prediction method according to any one of claims 1 to 3, wherein the step of determining the confidence level of each of the predicted attack behaviors based on the probability of occurrence of each of the predicted attack behaviors in a plurality of predetermined devices comprises:
for each of the predicted attack behaviors, obtaining the probability that the predicted attack behavior occurs in each of the plurality of predetermined devices;
and computing the weighted average of the probabilities corresponding to the plurality of predetermined devices to obtain the confidence of the predicted attack behavior.
5. The behavior prediction method according to claim 2, wherein before the determining the plurality of predicted attack behaviors after the current attack behavior link based on the preset link model, the method further comprises:
determining an attack intention of the current attack behavior link based on an attack behavior database;
and selecting the preset link model matched with the attack intention type of the current attack behavior link from a plurality of types of preset link models.
6. The behavior prediction method according to claim 5, wherein the types of the preset link model comprise: a theft-type preset link model, a profit-type preset link model and a damage-type preset link model.
7. A behavior prediction apparatus, comprising:
the attack threat information acquisition unit is used for extracting attack threat information from the network information;
the attack behavior link determining unit is used for determining the current attack behavior link according to the attack threat information;
the predicted attack behavior determining unit is used for determining a plurality of predicted attack behaviors after the current attack behavior link based on a preset link model;
a confidence coefficient calculation unit for determining a confidence coefficient of each of the predicted attack behaviors according to a probability of occurrence of each of the predicted attack behaviors in a plurality of predetermined devices;
and the target attack behavior determining unit is used for determining the predicted attack behavior with the maximum confidence coefficient as the target attack behavior.
8. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1 to 6.
9. A computer-readable storage medium having stored thereon computer-executable instructions for performing the method flow of any of claims 1-6.
CN202111651790.6A 2021-12-30 2021-12-30 Behavior prediction method and apparatus, electronic device, and computer-readable storage medium Pending CN114301699A (en)

Publications (1)

Publication Number Publication Date
CN114301699A true CN114301699A (en) 2022-04-08

Family

ID=80974091
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination