CN114430331A - Network security situation sensing method and system based on knowledge graph - Google Patents


Info

Publication number
CN114430331A
Authority
CN
China
Prior art keywords
attack
network
knowledge graph
scene
scenario
Prior art date
Legal status
Pending
Application number
CN202011173955.9A
Other languages
Chinese (zh)
Inventor
林卓骁
Current Assignee
Beijing Jianyi Technology Co ltd
Original Assignee
Beijing Jianyi Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Jianyi Technology Co ltd
Priority to CN202011173955.9A
Publication of CN114430331A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

One or more embodiments of the present specification provide a method and a system for sensing network security situation based on a knowledge graph, including: constructing a security situation awareness model based on a knowledge graph; identifying a network attack scenario according to the security situation awareness model; and determining a network asset situation value according to the network attack scenario in order to sense the network security situation. The method provided by one or more embodiments of the specification overcomes the defect that the traditional alarm aggregation process and alarm correlation analysis process are susceptible to a large amount of redundancy and false alarms, completes attack discovery and attack correlation through property graph mining and similarity calculation, and effectively reflects specific network attack behaviors and attack scenarios. Attack scenarios can be effectively mined and situation understanding completed, and the accuracy and efficiency of the method are improved compared with the traditional method.

Description

Network security situation sensing method and system based on knowledge graph
Technical Field
One or more embodiments of the present disclosure relate to the field of communications technologies, and in particular, to a method and a system for sensing network security situation based on a knowledge graph.
Background
Internet technology in today's society is developing at high speed; against this background, network intrusion and attack behaviors are trending toward distribution, scale and indirection, traditional network security products find it increasingly difficult to meet people's requirements for network security, and especially at large network scale the network security technology faces unprecedented challenges. The importance of Network Security Situation Awareness (NSSA) systems is becoming increasingly prominent. A network situation awareness system aims to monitor the network situation in real time, issue early warnings before potential and malicious network behaviors get out of control, and provide corresponding countermeasures. It integrates traditional network security tools, such as intrusion detection systems and firewalls, and analyzes the raw data provided by those tools in order to obtain more useful information and provide decision support for the network security analyst. Network security situation awareness technology provides the technical support for such a system: it analyzes the raw data at a certain level of abstraction and mainly involves intrusion detection and alarm correlation, vulnerability analysis using attack graphs, causal relationship analysis, forensic analysis (intrusion back-tracking), information flow analysis, attack trend analysis, intrusion response and the like.
The Knowledge Graph (KG), an important branch of artificial intelligence, has unique advantages in big data analysis and decision making: it represents data as a mesh knowledge structure based on 'entity-relation-entity', helps to understand big data through semantic links, obtains an overall insight into the data, and provides decision support. The network security knowledge graph is a domain knowledge graph for the network security field. Research on it is still at an exploratory stage and aims to build a network threat intelligence platform based on a knowledge graph; work so far includes an automatic network security entity labeling method, a supervised entity extraction method based on labeling of security-related corpora, a network security entity relation extraction method combining semi-supervised natural language processing with a bootstrapping algorithm, a security knowledge graph ontology construction method based on network threat intelligence, the GraphPrints analysis method for network anomaly detection, a network security entity recognition method based on deep neural networks, a large-scale network named entity recognition method for the big data setting, and a relation extraction method based on a distant supervision model.
Disclosure of Invention
In view of the above, one or more embodiments of the present disclosure are directed to a method and system for sensing network security situation based on a knowledge graph, so as to solve at least one of the problems described above.
In view of the above, one or more embodiments of the present specification provide a method for sensing network security situation based on a knowledge graph, including:
constructing a security situation perception model based on a knowledge graph;
identifying a network attack scene according to the security situation awareness model;
and determining a network asset situation value according to the network attack scene to sense the network security situation.
Optionally, the building of the security situation awareness model based on the knowledge graph includes:
acquiring network data;
and determining a network security knowledge graph according to the network data.
Optionally, the identifying of a network attack scenario according to the security situation awareness model includes:
the network attack scenario includes a single-step attack scenario and a multi-step attack chaining scenario;
identifying the single-step attack scenario based on alarm aggregation;
and identifying the multi-step attack chaining scenario based on alarm correlation analysis.
Optionally, the identifying of the multi-step attack chaining scenario based on alarm correlation analysis includes:
mining potential multi-step attacks to determine a relevance metric;
the relevance metric comprises a temporal relevance metric, a spatial relevance metric and a service relevance metric, the temporal relevance metric being represented as
Figure BDA0002748158530000021
where e_tj represents the end time of attack event E_j and s_ti represents the start time of attack event E_i;
the spatial correlation metric is represented as
Figure BDA0002748158530000022
The service relevance metric is expressed as
Figure BDA0002748158530000023
Optionally, the identifying of the multi-step attack chaining scenario based on alarm correlation analysis further includes:
setting an attack threshold;
determining whether the relevance metric between the attack events exceeds the attack threshold;
and if so, concluding that a multi-step attack chaining scenario is formed among the attack events.
In view of the above, one or more embodiments of the present specification further provide a system for sensing network security situation based on a knowledge graph, including:
a construction module configured to construct a security posture awareness model based on a knowledge graph;
the identification module is configured to identify a network attack scene according to the security situation awareness model;
and the situation awareness module is configured to determine a network asset situation value according to the network attack scene so as to perceive the network security situation.
Optionally, the building module is specifically configured to obtain network data; and determining a network security knowledge graph according to the network data.
Optionally, the identification module is specifically configured such that the network attack scenario includes a single-step attack scenario and a multi-step attack chaining scenario; to identify the single-step attack scenario based on alarm aggregation; and to identify the multi-step attack chaining scenario based on alarm correlation analysis.
Optionally, the identification module is further configured to mine potential multi-step attacks to determine a relevance metric; the relevance metric comprises a temporal relevance metric, a spatial relevance metric and a service relevance metric, the temporal relevance metric being represented as
Figure BDA0002748158530000031
where e_tj represents the end time of attack event E_j and s_ti represents the start time of attack event E_i;
the spatial correlation metric is represented as
Figure BDA0002748158530000032
The service relevance metric is expressed as
Figure BDA0002748158530000033
Optionally, the identification module is further configured to set an attack threshold; to determine whether the relevance metric between the attack events exceeds the attack threshold; and, if so, to conclude that a multi-step attack chaining scenario is formed among the attack events.
As can be seen from the above description, one or more embodiments of the present specification provide a method for sensing network security situation based on a knowledge graph, including: constructing a security situation awareness model based on a knowledge graph; identifying a network attack scenario according to the security situation awareness model; and determining a network asset situation value according to the network attack scenario in order to sense the network security situation. On the basis of constructing a network security knowledge graph, the method provides a solution to the problems of network attack scenario discovery and situation understanding, overcomes the defect that the traditional alarm aggregation process and alarm correlation analysis process are susceptible to a large amount of redundancy and false alarms, completes attack discovery and attack correlation through property graph mining and similarity calculation, and effectively reflects specific network attack behaviors and mines attack scenarios. Once attack scenario discovery is complete, a situation understanding scheme is given, and the network attack scenario is effectively reflected in the situation of the asset nodes. The method can effectively mine attack scenarios and complete situation understanding, and improves on the traditional method in accuracy, efficiency and other respects.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, the drawings that are needed in the description of the embodiments or prior art will be briefly described below, and it is obvious that the drawings in the following description are only one or more embodiments of the present specification, and that other drawings may be obtained by those skilled in the art without inventive effort from these drawings.
FIG. 1 is a flow diagram of a method for knowledge-graph-based network security situation awareness in one or more embodiments of the present disclosure;
FIG. 2 is a schematic view of an asset-based network security knowledge graph in one or more embodiments of the present description;
FIG. 3 is a schematic diagram of a security situation awareness model in one or more embodiments of the present description;
FIG. 4 is a schematic diagram illustrating a configuration of a schema layer of a security situation awareness model in one or more embodiments of the present specification;
FIG. 5 is a graph of time relationships of attack events in one or more embodiments of the present description;
FIG. 6 is a block diagram of a knowledge-graph based network security situation awareness system in one or more embodiments of the present disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present specification should have the ordinary meaning as understood by those of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
The applicant finds through research that internet technology in today's society is developing at high speed; against this background, network intrusion and attack behaviors are trending toward distribution, scale and indirection, traditional network security products find it increasingly difficult to meet people's requirements for network security, and especially at large network scale the network security technology faces unprecedented challenges. The importance of Network Security Situation Awareness (NSSA) systems is becoming increasingly prominent. A network situation awareness system aims to monitor the network situation in real time, issue early warnings before potential and malicious network behaviors get out of control, and provide corresponding countermeasures. It integrates traditional network security tools, such as intrusion detection systems and firewalls, and analyzes the raw data provided by those tools in order to obtain more useful information and provide decision support for the network security analyst. Network security situation awareness technology provides the technical support for such a system: it analyzes the raw data at a certain level of abstraction and mainly involves intrusion detection and alarm correlation, vulnerability analysis using attack graphs, causal relationship analysis, forensic analysis (intrusion back-tracking), information flow analysis, attack trend analysis, intrusion response and the like.
The Knowledge Graph (KG), an important branch of artificial intelligence, has unique advantages in big data analysis and decision making: it represents data as a mesh knowledge structure based on 'entity-relation-entity', helps to understand big data through semantic links, obtains an overall insight into the data, and provides decision support. The network security knowledge graph is a domain knowledge graph for the network security field. Research on it is still at an exploratory stage and aims to build a network threat intelligence platform based on a knowledge graph; work so far includes an automatic network security entity labeling method, a supervised entity extraction method based on labeling of security-related corpora, a network security entity relation extraction method combining semi-supervised natural language processing with a bootstrapping algorithm, a security knowledge graph ontology construction method based on network threat intelligence, the GraphPrints analysis method for network anomaly detection, a network security entity recognition method based on deep neural networks, a large-scale network named entity recognition method for the big data setting, and a relation extraction method based on a distant supervision model.
Therefore, in order to solve the above problems in the prior art, one or more embodiments of the present disclosure provide a method of constructing a security situation awareness model based on a knowledge graph; identifying a network attack scenario according to the security situation awareness model; and determining a network asset situation value according to the network attack scenario in order to sense the network security situation. On the basis of constructing a network security knowledge graph, the method provides a solution to the problems of network attack scenario discovery and situation understanding, overcomes the defect that the traditional alarm aggregation process and alarm correlation analysis process are susceptible to a large amount of redundancy and false alarms, completes attack discovery and attack correlation through property graph mining and similarity calculation, and effectively reflects specific network attack behaviors and mines attack scenarios. Once attack scenario discovery is complete, a situation understanding scheme is given, and the network attack scenario is effectively reflected in the situation of the asset nodes. The method can effectively mine attack scenarios and complete situation understanding, and improves on the traditional method in accuracy, efficiency and other respects.
Referring to fig. 1, one or more embodiments of the present specification provide a method for sensing a network security situation based on a knowledge graph, which specifically includes the following steps:
s101: and constructing a security situation perception model based on the knowledge graph.
In the embodiment, a network security situation perception model based on a knowledge graph is provided, a construction method of the knowledge graph combining network real-time flow and asset information is provided, and an attribute graph is taken as a network security knowledge graph data model.
As an optional embodiment, the construction of the security situation awareness model based on the knowledge graph comprises the following steps: acquiring network data; and determining a network security knowledge graph according to the network data.
As an alternative embodiment, referring to fig. 2, the general security knowledge graph is constructed automatically, using a crawler or similar means to acquire external knowledge. Part of the information in the attack characteristic graph comes from multi-step attack characteristic knowledge and can be supplemented from the general security knowledge graph. The data of the network basic event graph comes from a flow sensor deployed in the monitored network: network flow information is converted into network basic event information, which, after being supplemented and enriched by the general security knowledge graph, becomes a network basic event combined with specific threat information and is finally displayed in graph form. Assets are the core of network security situation awareness, and the composition of the asset-based network security knowledge graph and the relations among its parts are organized around them. The hierarchy of the knowledge graph follows the Schema-Data hierarchy, i.e., a Schema layer above a Data layer. The Schema layer of the network security knowledge graph gives the entity types that may exist in the graph and the relations that may exist among the entities, and the Data layer is built under the guidance of the Schema layer. The Schema-Data hierarchy of the general security knowledge graph, the network attack characteristic event graph and the network basic event graph is introduced in turn in this section.
As an alternative embodiment, referring to fig. 3, the schema layer of the network security knowledge graph is a data model in the network security field, and the data model contains concept types meaningful in the network security field and attributes of the types. Three problems need to be considered when constructing the schema layer: constructing a domain, constructing a type and determining an attribute. Referring to fig. 4, the structure of the knowledge graph schema layer is described, domains are independent and do not intersect, circles in the domains represent types, association relationships exist among the types, and various attributes exist in the types. In the asset-based network security knowledge graph, a domain of a schema layer corresponds to three parts of the graph and is divided into three domains. If the general security knowledge graph is represented by the 'domain 1', the type circle in the 'domain 1' can represent concepts such as a vulnerability and a malicious domain, and the type of the 'vulnerability' can have attributes such as a vulnerability number, a vulnerability date and vulnerability description information, and similarly, the 'domain 2' can represent an attack characteristic event graph, and the 'domain 3' can represent a network basic event graph.
As an alternative embodiment, the Data layer: in contrast to the schema layer, the data layer of the network security knowledge graph is the actual data of the network security knowledge graph. The construction of the knowledge graph is in fact a process of receiving raw data under the guidance of the schema layer and filling the data layer through a series of data preprocessing operations. The data layer therefore exists by relying on the schema layer, and the schema layer is grounded by the data layer. In the knowledge graph, actual data usually refers to the points and edges that can be queried by a user, i.e., graph data. The attack characteristic event graph data layer has a further characteristic: a single attack characteristic event is a weakly connected branch of the whole attack characteristic event graph. If the attack characteristic event graph is denoted by E and G_i (1 ≤ i ≤ M, where M is the number of weakly connected branches) denotes a single attack characteristic event, then the attack characteristic event graph satisfies
Figure BDA0002748158530000071
Figure BDA0002748158530000072
E=G (3)
From a set perspective, E is the full set and the G_i form a partition of it.
In conclusion, the data of the general security knowledge graph and the attack characteristic event graph are relatively stable data, and the data of the network basic event graph is relatively active data. The data of the general security knowledge graph and the attack characteristic event graph can be understood as a knowledge base, and the data of the network basic event graph can be understood as an event base. The task of the system is to analyze and process the events in the event library by using the knowledge in the knowledge library, and to complete the network security situation perception work in the working mode.
S102: and identifying a network attack scene according to the security situation awareness model.
In this embodiment, the process of discovering the attack scenario is divided into two steps: single-step attack discovery and multi-step attack chaining. In a traditional alarm information processing system, single-step attack discovery is generally realized by alarm aggregation, and multi-step attack chaining by alarm correlation analysis. In the asset-based network security knowledge graph, network flow is presented in the form of 'network basic events'; while constructing the network basic event graph, the system filters and merges the bottom-layer network events, which to some extent achieves an effect similar to alarm aggregation. The remaining work is to search the network basic event graph for subgraphs that conform to the series of network attack characteristics recorded in the network attack characteristic event graph; the subgraphs obtained are the result of single-step attack discovery.
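The single-step discovery step described above, as an added example that is not part of the patent: the attack characteristic event graph E is split into its weakly connected branches G_i, and each branch is matched as a pattern against the network basic event graph. Both graphs are simple property graphs; the node types, relations, signature names and sample values are constructed for the example.

```python
from collections import defaultdict


class PropertyGraph:
    """Minimal property graph: nodes carry a property dict, edges are typed triples."""

    def __init__(self):
        self.nodes = {}      # node id -> {property: value}
        self.edges = set()   # (src_id, relation, dst_id)

    def add_node(self, nid, **props):
        self.nodes[nid] = props
        return self

    def add_edge(self, src, rel, dst):
        self.edges.add((src, rel, dst))
        return self

    def weakly_connected_components(self):
        """Split the graph into branches ignoring edge direction (E = G_1 u ... u G_M)."""
        adj = defaultdict(set)
        for s, _, d in self.edges:
            adj[s].add(d)
            adj[d].add(s)
        seen, comps = set(), []
        for n in self.nodes:
            if n in seen:
                continue
            comp, stack = set(), [n]
            while stack:
                cur = stack.pop()
                if cur not in seen:
                    seen.add(cur)
                    comp.add(cur)
                    stack.extend(adj[cur])
            comps.append(comp)
        return comps


def node_compatible(pattern_props, data_props):
    """Every property the signature states must hold on the data node; '_' keys are metadata."""
    return all(data_props.get(k) == v
               for k, v in pattern_props.items() if not k.startswith("_"))


def match_signature(sig, pnodes, data):
    """Backtracking subgraph matcher: injective maps of signature nodes onto data nodes."""
    results = []

    def backtrack(i, mapping):
        if i == len(pnodes):
            results.append(dict(mapping))
            return
        p = pnodes[i]
        for d, props in data.nodes.items():
            if d in mapping.values() or not node_compatible(sig.nodes[p], props):
                continue
            mapping[p] = d
            # every signature edge whose endpoints are both mapped must exist in the data
            if all((mapping[s], r, mapping[t]) in data.edges
                   for s, r, t in sig.edges if s in mapping and t in mapping):
                backtrack(i + 1, mapping)
            del mapping[p]

    backtrack(0, {})
    return results


def discover_single_step_attacks(signature_graph, event_graph):
    """Take each weakly connected branch G_i of E and search for it in the basic event graph."""
    found = {}
    for comp in signature_graph.weakly_connected_components():
        name = signature_graph.nodes[next(iter(comp))]["_sig"]
        matches = match_signature(signature_graph, sorted(comp), event_graph)
        if matches:
            found[name] = matches
    return found


# Constructed attack characteristic event graph E with two branches (signatures).
SIGNATURES = (PropertyGraph()
    .add_node("p1", type="host", _sig="ssh_bruteforce")
    .add_node("p2", type="event", kind="auth_fail", _sig="ssh_bruteforce")
    .add_node("p3", type="asset", service="ssh", _sig="ssh_bruteforce")
    .add_edge("p1", "emits", "p2").add_edge("p2", "targets", "p3")
    .add_node("q1", type="host", _sig="web_scan")
    .add_node("q2", type="event", kind="http_error", _sig="web_scan")
    .add_node("q3", type="asset", service="http", _sig="web_scan")
    .add_edge("q1", "emits", "q2").add_edge("q2", "targets", "q3"))

# Constructed network basic event graph as a flow sensor would populate it (fictional values).
EVENTS = (PropertyGraph()
    .add_node("h1", type="host", ip="10.0.0.5")
    .add_node("ev1", type="event", kind="auth_fail", count=120)
    .add_node("a1", type="asset", service="ssh", name="bastion")
    .add_node("h2", type="host", ip="10.0.0.9")
    .add_node("ev2", type="event", kind="dns_query", count=3)
    .add_node("a2", type="asset", service="dns", name="resolver")
    .add_edge("h1", "emits", "ev1").add_edge("ev1", "targets", "a1")
    .add_edge("h2", "emits", "ev2").add_edge("ev2", "targets", "a2"))
```

Calling `discover_single_step_attacks(SIGNATURES, EVENTS)` reports only the `ssh_bruteforce` branch, mapped onto `h1`, `ev1` and `a1`; the `web_scan` branch has no matching subgraph.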
As an optional embodiment, identifying a network attack scenario according to the security situation awareness model includes: the network attack scenario includes a single-step attack scenario and a multi-step attack chaining scenario; identifying the single-step attack scenario based on alarm aggregation; and identifying the multi-step attack chaining scenario based on alarm correlation analysis.
As an optional embodiment, identifying the multi-step attack chaining scenario based on alarm correlation analysis includes: mining potential multi-step attacks to determine a relevance metric; the relevance metric comprises a temporal relevance metric, a spatial relevance metric and a service relevance metric, the temporal relevance metric being represented as
Figure BDA0002748158530000081
where e_tj represents the end time of attack event E_j and s_ti represents the start time of attack event E_i;
the spatial correlation metric is represented as
Figure BDA0002748158530000082
The service relevance metric is expressed as
Figure BDA0002748158530000083
As an optional embodiment, identifying the multi-step attack chaining scenario based on alarm correlation analysis further includes: setting an attack threshold; determining whether the relevance metric between the attack events exceeds the attack threshold; and if so, concluding that a multi-step attack chaining scenario is formed among the attack events.
As an alternative embodiment, referring to FIG. 5, six-tuple data can be extracted from the attack events. According to the time sequence relation of the attack events E_i, all current attack events are ordered to form an attack event chain of length n, and it is then checked whether every interval between successive attack events in the chain is smaller than the preset T_β. Once the time relation of the attack events has been obtained, potential multi-step attack mining can be carried out on the basis of the method shown in fig. 5. Let the relevance metric between any two different attack events in fig. 5 be:
Figure BDA0002748158530000091
where C_1 is the temporal relevance measure between attack events, C_2 the spatial relevance measure, C_3 the service relevance measure and C_4 the type relevance measure; C_1, C_2 and C_3 are defined as follows:
Figure BDA0002748158530000092
Figure BDA0002748158530000093
Figure BDA0002748158530000094
where e_tj and s_ti respectively denote the end time of attack event E_j and the start time of attack event E_i. It can be seen that the smaller the time interval between the two attack events, the greater the temporal relevance. Jaccard similarity is an important index for describing the similarity of set samples and is defined as follows
Figure BDA0002748158530000095
As an alternative embodiment, the type relevance metric C_4 between attack events mainly considers the last two components of the six-tuple data, namely attacker and label, which respectively reflect the difference between the two attack events in terms of attacker and the causal relationship of the attack behaviour; it is defined as follows:
Figure BDA0002748158530000096
where a_ij is a real number in the interval [0,1] and b_ij is a Boolean variable, defined as follows:
Figure BDA0002748158530000097
Figure BDA0002748158530000098
by combining the four relevance metrics, the relevance metric between any two attack events can be obtained, a threshold value is set for the relevance metric between the two attack events, and if the relevance metric exceeds the threshold value, the two attack events are considered to belong to the same multi-step attack chain.
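The chaining procedure described in this section (six-tuple events, the T_β interval check, the four relevance measures C_1 to C_4 and the threshold), as an added example that is not the patent's own code. The page gives the formulas only as figures, so the concrete forms are assumptions chosen to match the stated properties: C_1 decays with the gap s_ti - e_tj, C_2 and C_3 are Jaccard similarities of the address and service sets, C_4 combines a_ij (attacker agreement) with the Boolean b_ij (causal stage order), and the four are combined as a weighted sum; the stage labels, weights and sample events are constructed.

```python
from dataclasses import dataclass
from math import exp
from typing import FrozenSet


@dataclass(frozen=True)
class AttackEvent:
    """Six-tuple attack event; the page names only the last two components (attacker,
    label), the first four are this example's assumed layout."""
    name: str
    start: float                # s_ti, start time (seconds, constructed)
    end: float                  # e_ti, end time
    addresses: FrozenSet[str]   # hosts involved
    services: FrozenSet[str]    # services touched
    attacker: str               # attacker identity
    label: str                  # attack stage label


# Assumed causal ordering of stage labels: an earlier stage can cause a later one.
STAGE_ORDER = {"recon": 0, "exploit": 1, "privesc": 2, "exfil": 3}
WEIGHTS = (0.3, 0.25, 0.15, 0.3)   # assumed weights for C1..C4


def jaccard(a, b):
    """Jaccard similarity |A n B| / |A u B| of two sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def temporal_relevance(ei, ej, tau=60.0):
    """C1: decays with the gap s_ti - e_tj between E_j's end and E_i's start (assumed form)."""
    gap = ei.start - ej.end
    if gap < 0:          # E_i starts before E_j ends, so E_j cannot precede it
        return 0.0
    return exp(-gap / tau)


def spatial_relevance(ei, ej):
    """C2: Jaccard similarity of the address sets."""
    return jaccard(ei.addresses, ej.addresses)


def service_relevance(ei, ej):
    """C3: Jaccard similarity of the service sets."""
    return jaccard(ei.services, ej.services)


def type_relevance(ei, ej):
    """C4 from a_ij (attacker agreement, here 1.0 or 0.0) and b_ij (E_j's stage precedes E_i's)."""
    a_ij = 1.0 if ei.attacker == ej.attacker else 0.0
    b_ij = 1 if STAGE_ORDER.get(ej.label, -1) < STAGE_ORDER.get(ei.label, -1) else 0
    return 0.5 * a_ij + 0.5 * b_ij


def relevance(ei, ej, weights=WEIGHTS):
    """Combined relevance of E_i with E_j as its candidate predecessor (weighted sum, assumed)."""
    cs = (temporal_relevance(ei, ej), spatial_relevance(ei, ej),
          service_relevance(ei, ej), type_relevance(ei, ej))
    return sum(w * c for w, c in zip(weights, cs))


def time_chain_ok(chain, t_beta):
    """Check that every successive gap in a start-time-ordered chain is below T_beta."""
    ordered = sorted(chain, key=lambda e: e.start)
    return all(b.start - a.end < t_beta for a, b in zip(ordered, ordered[1:]))


def build_chains(events, threshold):
    """Greedy chaining: each event joins the chain whose last event is its most relevant
    predecessor, provided the relevance exceeds the threshold; otherwise it starts a chain."""
    chains = []
    for e in sorted(events, key=lambda ev: ev.start):
        best, best_score = None, threshold
        for chain in chains:
            score = relevance(e, chain[-1])
            if score > best_score:
                best, best_score = chain, score
        if best is None:
            chains.append([e])
        else:
            best.append(e)
    return chains


def multi_step_scenes(events, threshold, t_beta):
    """Multi-step attack scenes: chains of at least two events that pass the T_beta check."""
    return [[e.name for e in c] for c in build_chains(events, threshold)
            if len(c) > 1 and time_chain_ok(c, t_beta)]


# Constructed sample: one three-stage intrusion by attacker X plus an unrelated scan by Y.
E1 = AttackEvent("E1", 0, 10, frozenset({"A", "B"}), frozenset({"ssh", "http"}), "X", "recon")
E2 = AttackEvent("E2", 20, 30, frozenset({"A", "B"}), frozenset({"http"}), "X", "exploit")
E3 = AttackEvent("E3", 40, 50, frozenset({"B"}), frozenset({"http"}), "X", "privesc")
E4 = AttackEvent("E4", 25, 35, frozenset({"C", "D"}), frozenset({"smb"}), "Y", "recon")
SAMPLE_EVENTS = [E1, E2, E3, E4]
```

With threshold 0.6 and T_β of 30 the sample yields one chain E1, E2, E3, while E4 stays unlinked because its attacker, hosts and services share nothing with the chain and its timing overlaps E2.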
S103: and determining a network asset situation value according to the network attack scene to sense the network security situation.
In the embodiment, the network asset situation value is determined according to the network attack scene to sense the network security situation, the server processes the multi-source heterogeneous data and converts the multi-source heterogeneous data into the graph data to construct the network security knowledge graph, the network security knowledge graph provides query and analysis interfaces and visualization services, and a user can perform network security situation related analysis work based on the network security knowledge graph.
As can be seen from the above description, one or more embodiments of the present specification provide a method for sensing network security situation based on a knowledge graph, including: constructing a security situation awareness model based on a knowledge graph; identifying a network attack scenario according to the security situation awareness model; and determining a network asset situation value according to the network attack scenario in order to sense the network security situation. On the basis of constructing a network security knowledge graph, the method provides a solution to the problems of network attack scenario discovery and situation understanding, overcomes the defect that the traditional alarm aggregation process and alarm correlation analysis process are susceptible to a large amount of redundancy and false alarms, completes attack discovery and attack correlation through property graph mining and similarity calculation, and effectively reflects specific network attack behaviors and mines attack scenarios. Once attack scenario discovery is complete, a situation understanding scheme is given, and the network attack scenario is effectively reflected in the situation of the asset nodes. The method can effectively mine attack scenarios and complete situation understanding, and improves on the traditional method in accuracy, efficiency and other respects.
It should be noted that the method of one or more embodiments of the present disclosure may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may perform only one or more steps of the method of one or more embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above description describes certain embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, corresponding to any embodiment method, one or more embodiments of the present specification further provide a system for sensing network security situation based on a knowledge graph.
Referring to fig. 6, the system for sensing network security situation based on knowledge graph includes:
a construction module configured to construct a security posture awareness model based on a knowledge graph;
the identification module is configured to identify a network attack scene according to the security situation awareness model;
and the situation awareness module is configured to determine a network asset situation value according to the network attack scene so as to perceive the network security situation.
As an optional embodiment, the building module is specifically configured to obtain network data; and determining a network security knowledge graph according to the network data.
As an optional embodiment, the identification module is specifically configured such that the network attack scenario includes a single-step attack scenario and a multi-step attack tandem scenario; the single-step attack scenario is identified based on alarm aggregation, and the multi-step attack cascading scenario is identified based on alarm correlation analysis.
As an optional embodiment, the identification module is further configured to mine potential multiple attacks to determine a correlation metric; the correlation metric comprises: a temporal relevance metric, a spatial relevance metric, and a service relevance metric, the temporal relevance metric being represented as
Figure BDA0002748158530000111
where e_tj represents the end time of attack event E_j and s_ti represents the start time of attack event E_i;
the spatial correlation metric is represented as
Figure BDA0002748158530000112
The service relevance metric is expressed as
Figure BDA0002748158530000113
As an optional embodiment, the identification module is further configured to set an attack threshold; determining whether the measure of relevance between the attack events exceeds the attack threshold; and if so, the multi-step attack series scene is formed among the attack events.
As an alternative embodiment, the overall framework design of the system of the invention is also organized around graph construction and graph application, and the main functional modules of the system are divided into three parts: a preprocessing module, a network attack scene discovery module and a network security situation understanding module. The preprocessing module completes everything that precedes graph data storage in the overall framework diagram, while the network attack scene discovery and network security situation understanding modules belong to the category of graph data analysis. The collector is deployed in the monitored network and takes on the task of collecting external data, consisting mainly of security knowledge, and internal data, consisting mainly of network flow information. The message queue is responsible for aggregating the data collected by the collector and transmitting it to the server. The server processes the multi-source heterogeneous data and converts it into graph data to construct a network security knowledge graph; the network security knowledge graph provides query and analysis interfaces and visualization services, and a user can perform network security situation analysis work based on it.
The system operation flow comprises the following five steps: (1) setting a strategy script for generating a network basic event; (2) replaying the network traffic of the data set to the ZEEK-IDS and constructing a network basic event map; (3) setting attack characteristics to a network attack characteristic map; (4) performing network attack scene discovery and analyzing the result; (5) network situational understanding is performed and results are analyzed.
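The correlation metrics described above (temporal, spatial and service relevance of two attack events, linked into a multi-step scenario when their combined relevance exceeds an attack threshold) and the subsequent step of turning discovered scenes into a per-asset situation value are shown below as an added worked example; it is not the patent's own code. The patent gives the metric formulas only as figure images, so the concrete forms used here are assumptions: temporal relevance decays linearly with the gap between e_tj and s_ti inside a fixed window, spatial relevance is 1 when the target of E_j is the source of E_i (a chain continuing from a compromised host) and 0.5 when the two events merely share a host, service relevance is the Jaccard overlap of the services involved, the combined relevance is a weighted sum, and an asset's situation value is the noisy-OR of the severities in the highest-scoring scene that targets it. The attack events themselves are constructed sample data.

```python
"""Alarm correlation into attack scenarios and per-asset situation values.

Added illustration, not code from the patent. Metric forms, weights, the
600 s window, the 0.5 threshold and the asset scoring rule are assumptions.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class AttackEvent:
    eid: str
    src: str            # attacking host
    dst: str            # targeted asset
    start: float        # s_ti, seconds since capture start
    end: float          # e_ti, seconds since capture start
    services: frozenset # services touched, e.g. {"ssh"}
    severity: float     # 0..1, from the alarm's own rating


def temporal_relevance(ej, ei, window=600.0):
    """Assumed form: E_i begins after E_j ends; linear decay over `window`."""
    gap = ei.start - ej.end
    if gap < 0 or gap > window:
        return 0.0
    return 1.0 - gap / window


def spatial_relevance(ej, ei):
    """Assumed form: 1 if E_j's target becomes E_i's source, 0.5 if any host is shared."""
    if ej.dst == ei.src:
        return 1.0
    if {ej.src, ej.dst} & {ei.src, ei.dst}:
        return 0.5
    return 0.0


def service_relevance(ej, ei):
    """Assumed form: Jaccard overlap of the service sets."""
    union = ej.services | ei.services
    return len(ej.services & ei.services) / len(union) if union else 0.0


def relevance(ej, ei, weights=(0.4, 0.4, 0.2)):
    """Combined relevance of E_j -> E_i as a weighted sum (weights assumed)."""
    wt, ws, wv = weights
    return (wt * temporal_relevance(ej, ei)
            + ws * spatial_relevance(ej, ei)
            + wv * service_relevance(ej, ei))


def discover_scenarios(events, threshold=0.5):
    """Link E_j -> E_i when relevance exceeds the attack threshold, then take
    connected components. Components with several events are multi-step
    tandem scenarios; isolated events are single-step scenarios."""
    events = sorted(events, key=lambda e: e.start)
    parent = {e.eid: e.eid for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ej, ei in combinations(events, 2):   # ej starts no later than ei
        if relevance(ej, ei) > threshold:
            parent[find(ej.eid)] = find(ei.eid)

    groups = {}
    for e in events:                         # start order is preserved
        groups.setdefault(find(e.eid), []).append(e.eid)
    multi = [g for g in groups.values() if len(g) > 1]
    single = [g for g in groups.values() if len(g) == 1]
    return multi, single


def scenario_score(by_id, scene):
    """Assumed rule: noisy-OR of member severities."""
    p_none = 1.0
    for eid in scene:
        p_none *= 1.0 - by_id[eid].severity
    return 1.0 - p_none


def asset_situation_values(events, threshold=0.5):
    """Situation value per targeted asset: best score of any scene hitting it."""
    by_id = {e.eid: e for e in events}
    multi, single = discover_scenarios(events, threshold)
    values = {}
    for scene in multi + single:
        score = scenario_score(by_id, scene)
        for eid in scene:
            dst = by_id[eid].dst
            values[dst] = max(values.get(dst, 0.0), score)
    return values


# Constructed sample alarms: scan, SSH brute force, then lateral SMB movement
# from the compromised host, plus one unrelated web scan elsewhere.
SAMPLE_EVENTS = [
    AttackEvent("E1", "10.0.0.5", "10.0.1.10", 0, 60, frozenset({"ssh", "http"}), 0.3),
    AttackEvent("E2", "10.0.0.5", "10.0.1.10", 120, 300, frozenset({"ssh"}), 0.6),
    AttackEvent("E3", "10.0.1.10", "10.0.1.20", 400, 500, frozenset({"smb"}), 0.7),
    AttackEvent("E4", "10.0.9.9", "10.0.2.30", 5000, 5100, frozenset({"http"}), 0.2),
]

if __name__ == "__main__":
    print(discover_scenarios(SAMPLE_EVENTS))
    print(asset_situation_values(SAMPLE_EVENTS))
```

Run on the sample data, E1, E2 and E3 form one multi-step tandem scenario (E2 -> E3 scores 0.4 * 5/6 + 0.4 on the temporal and spatial terms alone), E4 stays a single-step scenario, and the two hosts hit by the chain receive a situation value of 0.916 while the web-scanned host receives 0.2. Because the threshold is a single global number, a practitioner tuning it on real alarms should check how many false chains appear as it is lowered, which is the redundancy problem the patent's alarm aggregation step is meant to reduce.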
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the modules may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
The apparatus of the foregoing embodiment is used to implement a corresponding method for sensing a network security situation based on a knowledge graph in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the spirit of the present disclosure, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the present description as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures, for simplicity of illustration and discussion, and so as not to obscure one or more embodiments of the disclosure. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the understanding of one or more embodiments of the present description, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures, such as Dynamic RAM (DRAM), may use the discussed embodiments.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A network security situation awareness method based on a knowledge graph is characterized by comprising the following steps:
constructing a security situation perception model based on a knowledge graph;
identifying a network attack scene according to the security situation awareness model;
and determining a network asset situation value according to the network attack scene to sense the network security situation.
2. The method of claim 1, wherein the building of the security posture awareness model based on the knowledge-graph comprises:
acquiring network data;
and determining a network security knowledge graph according to the network data.
3. The method according to claim 1, wherein the identifying a cyber attack scenario according to the security posture awareness model comprises:
the network attack scenario includes: a single-step attack scenario and a multi-step attack tandem scenario;
identifying the single-step attack scenario based on alarm aggregation;
and identifying the multi-step attack cascading scene based on alarm correlation analysis.
4. The method of claim 3, wherein identifying the multi-step attack tandem scenario based on alarm correlation analysis comprises:
mining potential multiple attacks to determine a relevance metric;
the correlation metric comprises: a temporal relevance metric, a spatial relevance metric, and a service relevance metric, the temporal relevance metric being represented as
Figure FDA0002748158520000011
where e_tj represents the end time of attack event E_j and s_ti represents the start time of attack event E_i;
the spatial correlation metric is represented as
Figure FDA0002748158520000012
The service relevance metric is expressed as
Figure FDA0002748158520000013
5. The method of claim 4, wherein the identifying the multi-step attack tandem scenario based on alarm correlation analysis further comprises:
setting an attack threshold value;
determining whether the measure of relevance between the attack events exceeds the attack threshold;
and if so, the multi-step attack series scene is formed among the attack events.
6. A network security situation awareness system based on a knowledge graph, comprising:
a construction module configured to construct a security posture awareness model based on a knowledge graph;
the identification module is configured to identify a network attack scene according to the security situation awareness model;
and the situation awareness module is configured to determine a network asset situation value according to the network attack scene so as to perceive the network security situation.
7. The system according to claim 6, characterized in that said building module is specifically configured to obtain network data and to determine a network security knowledge graph according to the network data.
8. The system according to claim 6, wherein the identification module is specifically configured such that the cyber attack scenario comprises a single-step attack scenario and a multi-step attack tandem scenario; the single-step attack scenario is identified based on alarm aggregation, and the multi-step attack cascading scenario is identified based on alarm correlation analysis.
9. The system of claim 8, wherein the identification module is further configured to mine potential multiple attacks to determine a correlation metric; the correlation metric comprises: a temporal relevance metric, a spatial relevance metric, and a service relevance metric, the temporal relevance metric being represented as
Figure FDA0002748158520000021
where e_tj represents the end time of attack event E_j and s_ti represents the start time of attack event E_i;
the spatial correlation metric is represented as
Figure FDA0002748158520000022
The service relevance metric is expressed as
Figure FDA0002748158520000023
10. The system of claim 9, wherein the identification module is further configured to set an attack threshold; determining whether the measure of relevance between the attack events exceeds the attack threshold; and if so, the multi-step attack series scene is formed among the attack events.
CN202011173955.9A 2020-10-28 2020-10-28 Network security situation sensing method and system based on knowledge graph Pending CN114430331A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011173955.9A CN114430331A (en) 2020-10-28 2020-10-28 Network security situation sensing method and system based on knowledge graph

Publications (1)

Publication Number Publication Date
CN114430331A true CN114430331A (en) 2022-05-03

Family

ID=81310281

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037632A (en) * 2022-06-14 2022-09-09 国网安徽省电力有限公司芜湖供电公司 Network security situation perception analysis system
CN115098705A (en) * 2022-08-25 2022-09-23 成都航空职业技术学院 Network security event analysis method and system based on knowledge graph reasoning
CN115664860A (en) * 2022-12-26 2023-01-31 广东财经大学 Network security threat assessment method and system
CN115664860B (en) * 2022-12-26 2023-03-31 广东财经大学 Network security threat assessment method and system
Legal Events

Date Code Title Description
PB01 Publication