CN115412372B - Network attack tracing method, system and equipment based on knowledge graph - Google Patents


Info

Publication number
CN115412372B
Authority
CN
China
Prior art keywords
attack
node
preset
vulnerability
equipment
Legal status
Active
Application number
CN202211352646.7A
Other languages
Chinese (zh)
Other versions
CN115412372A (en)
Inventors
高长城
赵红方
刘洋洋
Current Assignee
Zhongfu Safety Technology Co Ltd
Original Assignee
Zhongfu Safety Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/146 Tracing the source of attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 5/00 Computing arrangements using knowledge-based models
    • G06N 5/02 Knowledge representation; Symbolic representation


Abstract

The application discloses a network attack tracing method, system and device based on a knowledge graph. It mainly relates to the technical field of network attack tracing and is intended to address the low accuracy and narrow application range of existing tracing methods. The method comprises the following steps: constructing device running state information; creating a network security ontology and an attack set; acquiring behavior data uploaded by preset behavior detection devices and determining the behavior relations among the nodes of the network security ontology; storing the network security ontology and the behavior relations as a knowledge graph in a preset graph database; when an attacked device node is obtained, obtaining the virus/vulnerability nodes associated with it; determining the attack conditions and attack modes corresponding to the associated virus/vulnerability nodes from the attack set; and determining the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax, thereby completing the tracing of the network attack. The method improves tracing accuracy and widens the tracing range.

Description

Network attack tracing method, system and equipment based on knowledge graph
Technical Field
The present application relates to the field of network attack tracing technologies, and in particular, to a network attack tracing method, system and device based on a knowledge graph.
Background
With the development of the internet and other emerging network technologies, network attack threats keep increasing, and many traditional network defense measures have largely lost their effect. Finding the attacker and solving the problem at its root has created the need to trace network attacks.
At present, mainstream attack tracing schemes fall roughly into three types: tracing based on log storage and query, tracing based on router input debugging, and network attack mining and tracing based on machine learning.
However, tracing based on log storage and query relies too heavily on the analysts' stored knowledge and manual operation; the accuracy of tracing based on router input debugging cannot be guaranteed; and a machine-learning model depends on its training data, so a model trained on partial data has a limited application range and cannot cover constantly changing network attacks.
Disclosure of Invention
In order to solve the technical problems, the invention provides a network attack tracing method, system and device based on a knowledge graph.
In a first aspect, the present application provides a network attack tracing method based on a knowledge graph, including: acquiring device information, device security protection logs and device operation and maintenance information to construct device running state information, where the device running state information at least comprises device information, vulnerability scanning information, virus detection information, application deployment information and port state information; creating a network security ontology and an attack set according to the device running state information and a preset virus/vulnerability database, where the network security ontology comprises virus/vulnerability nodes, attacker nodes, service application nodes, device nodes and port nodes, and the attack set is used to store the attack conditions and attack modes corresponding to the vulnerabilities/viruses; acquiring behavior data uploaded by preset behavior detection devices to determine the behavior relations among the nodes of the network security ontology; storing the network security ontology and the behavior relations as a knowledge graph in a preset graph database; when an attacked device node is obtained, obtaining the virus/vulnerability nodes associated with the attacked device node from the preset graph database; determining the attack conditions and attack modes corresponding to the associated virus/vulnerability nodes from the attack set; and determining the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax, thereby completing the tracing of the network attack.
Further, creating the network security ontology and the attack set according to the device running state information and the preset virus/vulnerability database specifically comprises: determining the device nodes from the device information in the device running state information; determining the virus/vulnerability nodes from the vulnerability scanning information and the virus detection information in the device running state information; determining the service application nodes from the application deployment information in the device running state information; determining the port nodes from the port state information in the device running state information; and, based on the vulnerability/virus names in the vulnerability scanning information and the virus detection information, acquiring the attack condition and attack mode corresponding to each vulnerability/virus name from the preset virus/vulnerability database to create the attack set.
Further, before acquiring the behavior data uploaded by the preset behavior detection devices, the method further includes: acquiring original behavior data through the preset behavior detection devices, where the preset behavior detection devices at least comprise a firewall and a detector, and the original behavior data at least comprise firewall logs and detector traffic data; and removing invalid data and missing data from the original behavior data according to a preset data cleaning algorithm to obtain the behavior data.
Further, determining the initial node set of the network attack according to the attack conditions, the attack modes and Cypher syntax specifically comprises: determining, in the preset graph database, the nearest one-hop node corresponding to the attacked device node according to the attack conditions, the attack modes and Cypher syntax; then taking that nearest one-hop node as the next attacked device node and iteratively computing its nearest one-hop node, until the next attacked device node has no associated virus/vulnerability node in the preset graph database; and taking the set formed by the initial attacked device node and the next attacked device nodes generated during the iteration as the node set.
Further, after determining the node set of the network attack, the method further includes: constructing, according to Cypher syntax, the node set and the behavior relations, an attack path graph containing the nodes and the behaviors, and sending the attack path graph to a preset analysis terminal.
In a second aspect, the present application provides a network attack tracing system based on a knowledge graph, which includes a construction module, a creation module, a storage module and a completion module. The construction module is used for acquiring device information, device security protection logs and device operation and maintenance information to construct device running state information, where the device running state information at least comprises device information, vulnerability scanning information, virus detection information, application deployment information and port state information. The creation module is used for creating a network security ontology and an attack set according to the device running state information and a preset virus/vulnerability database, where the network security ontology comprises virus/vulnerability nodes, attacker nodes, service application nodes, device nodes and port nodes, and the attack set is used to store the attack conditions and attack modes corresponding to the vulnerabilities/viruses. The storage module is used for acquiring behavior data uploaded by preset behavior detection devices to determine the behavior relations among the nodes of the network security ontology, and for storing the network security ontology and the behavior relations as a knowledge graph in a preset graph database. The completion module is used for, when an attacked device node is obtained, obtaining the virus/vulnerability nodes associated with the attacked device node from the preset graph database; determining the attack conditions and attack modes corresponding to the associated virus/vulnerability nodes from the attack set; and determining the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax, thereby completing the tracing of the network attack.
Further, the completion module further comprises a set generation unit, which is used for determining, in the preset graph database, the nearest one-hop node corresponding to the attacked device node according to the attack conditions, the attack modes and Cypher syntax; then taking that nearest one-hop node as the next attacked device node and iteratively computing its nearest one-hop node, until the next attacked device node has no associated virus/vulnerability node in the preset graph database; and taking the set formed by the initial attacked device node and the next attacked device nodes generated during the iteration as the node set.
In a third aspect, the present application provides a network attack tracing device based on a knowledge graph, the device including a processor and a memory storing executable code which, when executed, causes the processor to perform the knowledge-graph-based network attack tracing method of any one of the above.
As can be appreciated by those skilled in the art, the present invention has at least the following beneficial effects:
(1) Updating the preset graph database: compared with the heavy manual work of an analyst, an ontology model is established to construct an information knowledge network, and diversified network attacks are handled through knowledge points abstracted and extracted by experts; human knowledge is digitized and programmed, so human participation is greatly reduced and tracing is automated.
(2) Determining the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax: compared with the narrow focus and data dependence of a trained machine-learning model, the method takes the knowledge graph as its leading basis, and path exploration actively performed by the machine has wider applicability; combining the knowledge graph with behavior data to explore the attack path to the attacked node also gives higher coverage.
Drawings
Some embodiments of the disclosure are described below with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of a network attack tracing method based on a knowledge graph according to an embodiment of the present application.
Fig. 2 is a schematic diagram of an internal structure of a network attack traceability system based on a knowledge graph according to an embodiment of the present application.
Fig. 3 is a schematic diagram of an internal structure of a network attack tracing device based on a knowledge graph according to an embodiment of the present application.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not mean that the present disclosure can be implemented only by the preferred embodiments, which are merely for explaining the technical principles of the present disclosure and are not intended to limit the scope of the present disclosure. All other embodiments that can be derived by one of ordinary skill in the art from the preferred embodiments provided by the disclosure without undue experimentation will still fall within the scope of the disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The technical solutions proposed in the embodiments of the present application are described in detail below with reference to the accompanying drawings.
The embodiment of the application provides a network attack tracing method based on a knowledge graph. As shown in Fig. 1, the method provided by the embodiment mainly comprises the following steps:
Step 110: acquiring device information, device security protection logs and device operation and maintenance information to construct device running state information.
It should be noted that the device running state information at least includes device information, vulnerability scanning information, virus detection information, application deployment information and port state information; the device operation and maintenance information may be obtained from a third-party operation and maintenance database. The device running state information is obtained by extracting it from the device information, the device security protection logs and the device operation and maintenance information. The extraction itself can be performed with existing methods, and the application does not limit it.
Step 120: creating a network security ontology and an attack set according to the device running state information and a preset virus/vulnerability database.
It should be noted that the network security ontology includes virus/vulnerability nodes, attacker nodes, service application nodes, device nodes and port nodes, and that the attack set is used to store the attack conditions and attack modes corresponding to the vulnerabilities/viruses. The preset virus/vulnerability database may come from vulnerability information bases established by governments or security enterprises of various countries. The executing entity can obtain the vulnerability/virus names from the vulnerability scanning information and the virus detection information, and then extract the attack conditions and attack modes corresponding to those names from the preset virus/vulnerability database.
As an example, creating the network security ontology and the attack set according to the device running state information and the preset virus/vulnerability database may specifically be: determining the device nodes from the device information in the device running state information; determining the virus/vulnerability nodes from the vulnerability scanning information and the virus detection information in the device running state information; determining the service application nodes from the application deployment information in the device running state information; determining the port nodes from the port state information in the device running state information; and, based on the vulnerability/virus names in the vulnerability scanning information and the virus detection information, acquiring the attack condition and attack mode corresponding to each vulnerability/virus name from the preset virus/vulnerability database to create the attack set.
Step 130: acquiring behavior data uploaded by preset behavior detection devices to determine the behavior relations among the nodes of the network security ontology, and storing the network security ontology and the behavior relations as a knowledge graph in a preset graph database.
To improve tracing accuracy, the raw behavior data can be preprocessed before the behavior data uploaded by the preset behavior detection devices are acquired. Specifically, this comprises: acquiring original behavior data through the preset behavior detection devices, where the preset behavior detection devices at least comprise a firewall and a detector, and the original behavior data at least comprise firewall logs and detector traffic data; and removing invalid data and missing data from the original behavior data according to a preset data cleaning algorithm to obtain the behavior data.
Step 140: when an attacked device node is obtained, obtaining the virus/vulnerability nodes associated with the attacked device node from the preset graph database; determining the attack conditions and attack modes corresponding to the associated virus/vulnerability nodes from the attack set; and determining the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax, thereby completing the tracing of the network attack.
Determining the initial node set of the network attack according to the attack conditions, the attack modes and Cypher syntax specifically comprises: determining, in the preset graph database, the nearest one-hop node corresponding to the attacked device node according to the attack conditions, the attack modes and Cypher syntax; then taking that nearest one-hop node as the next attacked device node and iteratively computing its nearest one-hop node, until the next attacked device node has no associated virus/vulnerability node in the preset graph database; and taking the set formed by the initial attacked device node and the next attacked device nodes generated during the iteration as the node set.
In addition, after the node set of the network attack is determined, an attack path graph can be constructed and sent to the preset analysis terminal of an analyst. Illustratively, an attack path graph containing the nodes and the behaviors is constructed according to Cypher syntax, the node set and the behavior relations, and sent to the preset analysis terminal.
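The iterative node-set determination of step 140 and the attack path construction just described, as an added example that is not code from the patent or its assignee: it runs over a small constructed in-memory stand-in for the knowledge graph. The Device label, the ACCESSED relation name, the device and vulnerability names, and the reading of "nearest one-hop node" as the most recent inbound behavior relation satisfying the attack condition are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Behavior:
    """One behavior relation between two device nodes, as derived from cleaned
    firewall / detector data in step 130 (constructed stand-in, not real data)."""
    src: str        # device that initiated the behavior
    dst: str        # device that received it
    relation: str   # behavior type; the relation name ACCESSED is an assumption
    port: int       # destination port seen in the behavior
    ts: int         # event time; larger means more recent


# Constructed device-node -> virus/vulnerability-node associations of the graph.
DEVICE_VULNS = {
    "srv-db-01": ["VULN-DB-RCE"],
    "srv-web-01": ["VULN-WEB-UPLOAD"],
    "jump-01": [],           # no associated vulnerability node: tracing stops here
    "ops-01": [],
}

# Constructed attack set: vulnerability name -> attack condition and attack mode.
# The condition is modelled as the behavior relation type and port through
# which the vulnerable service was reached (an assumption about its shape).
ATTACK_SET = {
    "VULN-DB-RCE": {"condition": {"relation": "ACCESSED", "port": 3306}, "mode": "remote"},
    "VULN-WEB-UPLOAD": {"condition": {"relation": "ACCESSED", "port": 443}, "mode": "remote"},
}

# Constructed behavior relations; timestamps are deliberately out of order.
BEHAVIORS = [
    Behavior("jump-01", "srv-web-01", "ACCESSED", 443, ts=100),
    Behavior("srv-web-01", "srv-db-01", "ACCESSED", 3306, ts=200),
    Behavior("ops-01", "srv-db-01", "ACCESSED", 3306, ts=50),   # older: not the nearest hop
    Behavior("ops-01", "srv-db-01", "ACCESSED", 22, ts=300),    # wrong port: fails the condition
]


def cypher_for_step(victim: str, condition: dict) -> tuple[str, dict]:
    """Parameterised Cypher text for one 'nearest one-hop node' lookup against
    the preset graph database. The relation type is taken from the attack set
    (trusted data) because Cypher cannot parameterise it; the device name and
    port are passed as parameters so a hostile device name cannot alter the query."""
    query = (
        f"MATCH (src:Device)-[r:{condition['relation']} {{port: $port}}]->"
        "(v:Device {name: $victim}) RETURN src ORDER BY r.ts DESC LIMIT 1"
    )
    return query, {"victim": victim, "port": condition["port"]}


def nearest_one_hop(victim: str, condition: dict, behaviors: list) -> Optional[Behavior]:
    """Local evaluation of the same lookup over the in-memory relations."""
    matches = [b for b in behaviors
               if b.dst == victim
               and b.relation == condition["relation"]
               and b.port == condition["port"]]
    return max(matches, key=lambda b: b.ts) if matches else None


def trace_attack(initial_victim: str, device_vulns: dict, attack_set: dict,
                 behaviors: list) -> tuple[list, list]:
    """Iterative node-set determination of step 140: look up the attacked
    device's vulnerability nodes, take their attack conditions from the attack
    set, find the nearest one-hop node satisfying a condition, and repeat with
    that node as the next attacked device until a node has no associated
    vulnerability node. Returns (node set, attack path edges)."""
    node_set = [initial_victim]
    path: list = []
    visited = {initial_victim}   # cycle guard: not in the description, added for safety
    victim = initial_victim
    while True:
        hop = None
        for vuln in device_vulns.get(victim, []):
            entry = attack_set.get(vuln)
            if entry is None:
                continue          # known to the scanner but absent from the attack set
            hop = nearest_one_hop(victim, entry["condition"], behaviors)
            if hop is not None:
                break
        if hop is None or hop.src in visited:
            break                 # termination: no vulnerability node / no matching hop
        path.append(hop)
        victim = hop.src
        visited.add(victim)
        node_set.append(victim)
    return node_set, path


def attack_path_graph(path: list) -> dict:
    """Node-and-behavior view of the traced path for the analysis terminal."""
    nodes: list = []
    for b in path:
        for n in (b.dst, b.src):
            if n not in nodes:
                nodes.append(n)
    edges = [{"from": b.src, "relation": b.relation, "port": b.port, "to": b.dst} for b in path]
    return {"nodes": nodes, "edges": edges}


if __name__ == "__main__":
    nodes, path = trace_attack("srv-db-01", DEVICE_VULNS, ATTACK_SET, BEHAVIORS)
    print(nodes)   # ['srv-db-01', 'srv-web-01', 'jump-01']
    print(attack_path_graph(path))
```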
In addition, Fig. 2 shows a network attack tracing system based on a knowledge graph according to an embodiment of the present application. As shown in Fig. 2, the system provided by the embodiment mainly includes:
a construction module 210, configured to acquire device information, device security protection logs and device operation and maintenance information to construct device running state information, where the device running state information at least comprises device information, vulnerability scanning information, virus detection information, application deployment information and port state information;
a creation module 220, configured to create a network security ontology and an attack set according to the device running state information and a preset virus/vulnerability database, where the network security ontology comprises virus/vulnerability nodes, attacker nodes, service application nodes, device nodes and port nodes, and the attack set is used to store the attack conditions and attack modes corresponding to the vulnerabilities/viruses;
a storage module 230, configured to acquire behavior data uploaded by preset behavior detection devices to determine the behavior relations among the nodes of the network security ontology, and to store the network security ontology and the behavior relations as a knowledge graph in a preset graph database;
a completion module 240, configured to, when an attacked device node is obtained, obtain the virus/vulnerability nodes associated with the attacked device node from the preset graph database; determine the attack conditions and attack modes corresponding to the associated virus/vulnerability nodes from the attack set; and determine the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax, thereby completing the tracing of the network attack.
The completion module 240 further comprises a set generation unit 240, which determines, in the preset graph database, the nearest one-hop node corresponding to the attacked device node according to the attack conditions, the attack modes and Cypher syntax; then takes that nearest one-hop node as the next attacked device node and iteratively computes its nearest one-hop node, until the next attacked device node has no associated virus/vulnerability node in the preset graph database; and takes the set formed by the initial attacked device node and the next attacked device nodes generated during the iteration as the node set.
In addition, an embodiment of the present application further provides a network attack tracing device based on a knowledge graph, as shown in Fig. 3, on which executable instructions are stored; when the executable instructions are executed, the knowledge-graph-based network attack tracing method described above is implemented. Specifically, the server sends an execution instruction to the memory through the bus, and when the memory receives the execution instruction it sends an execution signal to the processor through the bus to activate the processor.
It should be noted that the processor is configured to acquire the device information, the device security protection logs and the device operation and maintenance information to construct device running state information, where the device running state information at least comprises device information, vulnerability scanning information, virus detection information, application deployment information and port state information; to create a network security ontology and an attack set according to the device running state information and a preset virus/vulnerability database, where the network security ontology comprises virus/vulnerability nodes, attacker nodes, service application nodes, device nodes and port nodes, and the attack set is used to store the attack conditions and attack modes corresponding to the vulnerabilities/viruses; to acquire behavior data uploaded by preset behavior detection devices to determine the behavior relations among the nodes of the network security ontology; to store the network security ontology and the behavior relations as a knowledge graph in a preset graph database; when an attacked device node is obtained, to obtain the virus/vulnerability nodes associated with the attacked device node from the preset graph database; to determine the attack conditions and attack modes corresponding to the associated virus/vulnerability nodes from the attack set; and to determine the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax, thereby completing the tracing of the network attack.
So far, the technical solutions of the present disclosure have been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the scope of the present disclosure is not limited to only these specific embodiments. A person skilled in the art may split and combine the technical solutions in the above embodiments, and may make equivalent changes or substitutions on the related technical features without departing from the technical principles of the present disclosure, and any changes, equivalents, improvements and the like made within the technical concept and/or technical principles of the present disclosure will fall within the protection scope of the present disclosure.

Claims (6)

1. A network attack tracing method based on a knowledge graph, characterized by comprising the following steps:
acquiring device information, device security protection logs and device operation and maintenance information to construct device running state information, where the device running state information at least comprises device information, vulnerability scanning information, virus detection information, application deployment information and port state information;
creating a network security ontology and an attack set according to the device running state information and a preset virus/vulnerability database, where the network security ontology comprises virus/vulnerability nodes, attacker nodes, service application nodes, device nodes and port nodes, and the attack set is used to store the attack conditions and attack modes corresponding to the vulnerabilities/viruses;
acquiring behavior data uploaded by preset behavior detection devices to determine the behavior relations among the nodes of the network security ontology; storing the network security ontology and the behavior relations as a knowledge graph in a preset graph database;
when an attacked device node is obtained, obtaining the virus/vulnerability nodes associated with the attacked device node from the preset graph database; determining the attack conditions and attack modes corresponding to the associated virus/vulnerability nodes from the attack set; determining the node set of the network attack according to the attack conditions, the attack modes and Cypher syntax, thereby completing the tracing of the network attack;
where determining the initial node set of the network attack according to the attack conditions, the attack modes and Cypher syntax specifically comprises: determining, in the preset graph database, the nearest one-hop node corresponding to the attacked device node according to the attack conditions, the attack modes and Cypher syntax; then taking that nearest one-hop node as the next attacked device node and iteratively computing its nearest one-hop node, until the next attacked device node has no associated virus/vulnerability node in the preset graph database; and taking the set consisting of the initial attacked device node and the next attacked device nodes generated during the iteration as the node set.
2. The network attack tracing method based on a knowledge graph according to claim 1, wherein creating the network security ontology and the attack set according to the device running state information and the preset virus/vulnerability database specifically comprises:
determining the device nodes from the device information in the device running state information;
determining the virus/vulnerability nodes from the vulnerability scanning information and the virus detection information in the device running state information;
determining the service application nodes from the application deployment information in the device running state information;
determining the port nodes from the port state information in the device running state information; and
based on the vulnerability/virus names in the vulnerability scanning information and the virus detection information, acquiring the attack condition and attack mode corresponding to each vulnerability/virus name from the preset virus/vulnerability database to create the attack set.
3. The knowledge-graph-based network attack tracing method according to claim 1, wherein before acquiring the behavior data uploaded by the preset behavior detection device, the method further comprises:
acquiring original behavior data through the preset behavior detection device, wherein the preset behavior detection device comprises at least a firewall and a detector, and the original behavior data comprises at least firewall logs and detector traffic data;
removing invalid data and missing data from the original behavior data according to a preset data cleaning algorithm, so as to obtain the behavior data.
4. The knowledge-graph-based network attack tracing method according to claim 1, wherein after determining the node set of the network attack, the method further comprises:
constructing an attack path graph containing the nodes and the behaviors according to Cypher syntax, the node set and the behavior relations, and sending the attack path graph to a preset analysis terminal.
5. A knowledge-graph-based network attack tracing system, the system comprising:
a construction module, configured to acquire device information, device security protection logs and device operation and maintenance information so as to construct device running state information, wherein the device running state information comprises at least device information, vulnerability scanning information, virus detection information, application deployment information and port state information;
a creation module, configured to create a network security ontology and an attack set according to the device running state information and a preset virus/vulnerability database, wherein the network security ontology comprises virus/vulnerability nodes, attacker nodes, service application nodes, device nodes and port nodes, and the attack set is used to store the attack conditions and attack modes corresponding to the vulnerabilities/viruses;
a storage module, configured to acquire behavior data uploaded by a preset behavior detection device so as to determine the behavior relations among the nodes in the network security ontology, and to store the network security ontology and the behavior relations as a knowledge graph in a preset graph database;
a completion module, configured to, when an attacked device node is obtained, acquire the virus/vulnerability node associated with the attacked device node from the preset graph database; determine, from the attack set, the attack condition and attack mode corresponding to the associated virus/vulnerability node; and determine the node set of the network attack according to the attack condition, the attack mode and Cypher syntax, thereby completing the tracing of the network attack;
wherein the completion module further comprises a set generation unit, configured to determine, in the preset graph database, the nearest one-hop node of the attacked device node according to the attack condition, the attack mode and Cypher syntax; then take that nearest one-hop node as the next attacked device node and iteratively compute its nearest one-hop node, until the next attacked device node has no associated virus/vulnerability node in the preset graph database; and determine the set consisting of the initial attacked device node and the next attacked device nodes generated during the iteration as the node set.
6. A knowledge-graph-based network attack tracing apparatus, the apparatus comprising:
a processor;
and a memory storing executable code which, when executed, causes the processor to perform the knowledge-graph-based network attack tracing method according to any one of claims 1-4.
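The procedure of claims 1 to 4 is small enough to show end to end. The following is an added example written for this page, not the patent holder's code: a toy in-memory structure stands in for the preset graph database; constructed firewall log lines are cleaned of missing and invalid records (claim 3); the trace then walks back from the attacked device one nearest hop at a time, choosing the latest behavior that satisfies the attack condition of an associated vulnerability, until it reaches a node with no associated vulnerability (claim 1); the hops it took form the attack path graph (claim 4). Device names, vulnerability names, ports, timestamps and log lines are all constructed. cypher_for_hop() is an assumption about how one such hop could be expressed in Cypher against Neo4j, not text from the patent.

```python
"""Knowledge-graph attack tracing modelled on claims 1 to 4 (added example,
not the patent's code). All names, ports, timestamps and log lines below
are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Ontology: device nodes and the virus/vulnerability nodes associated with each.
DEVICE_VULNS = {                       # constructed; [] = no vulnerability node
    "db-01": ["sql-rce"],
    "app-01": ["web-rce"],
    "ws-01": ["smb-trojan"],
    "ws-02": [],
    "203.0.113.7": [],                 # external attacker node
}
# Attack set: per vulnerability, the attack condition (relation type and
# destination port the exploiting access must use) and the attack mode.
ATTACK_SET = {                         # constructed
    "sql-rce":    {"rel": "ACCESS", "dst_port": 3306, "mode": "remote exploitation of DB service"},
    "web-rce":    {"rel": "ACCESS", "dst_port": 8080, "mode": "remote code execution via web app"},
    "smb-trojan": {"rel": "ACCESS", "dst_port": 445,  "mode": "lateral movement over SMB"},
}
# Behavior data: constructed firewall log lines; the last two are defective.
RAW_LOG = """\
2022-11-01T09:55:00 src=203.0.113.7 dst=ws-01 dport=445 rel=ACCESS
2022-11-01T10:05:00 src=ws-01 dst=app-01 dport=8080 rel=ACCESS
2022-11-01T10:15:00 src=ws-02 dst=db-01 dport=22 rel=ACCESS
2022-11-01T10:20:00 src=app-01 dst=db-01 dport=3306 rel=ACCESS
2022-11-01T10:25:00 src=ws-02 dst=app-01 dport=8080 rel=ACCESS
2022-11-01T10:26:00 src=ws-02 dport=8080 rel=ACCESS
2022-11-01T10:27:00 src=ws-02 dst=db-01 dport=abc rel=ACCESS
"""

@dataclass(frozen=True)
class Behavior:
    """One behavior relation (edge) between two device nodes."""
    ts: datetime
    src: str
    dst: str
    dst_port: int
    rel: str

def clean_behaviors(raw: str) -> list[Behavior]:
    """Claim 3: drop records with missing or invalid fields, keep the rest."""
    kept = []
    for line in raw.splitlines():
        parts = line.split()
        if not parts:
            continue
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            kept.append(Behavior(datetime.fromisoformat(parts[0]), kv["src"],
                                 kv["dst"], int(kv["dport"]), kv["rel"]))
        except (KeyError, ValueError):
            continue                   # missing field or unparsable value
    return kept

def cypher_for_hop(device: str, rel: str, dst_port: int, before_iso: str):
    """Parameterised Cypher for one 'nearest one-hop' step; returns (query, params).
    Relationship types cannot be query parameters, so `rel` must come from the
    trusted attack set, never from log data, or the query becomes injectable."""
    query = (f"MATCH (src:Device)-[b:{rel}]->(dst:Device {{name: $dst}}) "
             "WHERE b.dst_port = $port AND b.ts < datetime($before) "
             "RETURN src.name AS src, b.ts AS ts ORDER BY b.ts DESC LIMIT 1")
    return query, {"dst": device, "port": dst_port, "before": before_iso}

def nearest_one_hop(behaviors, device, vulns, before) -> Optional[Behavior]:
    """Latest behavior into `device` strictly before `before` that satisfies the
    attack condition of one of the device's associated vulnerabilities."""
    best = None
    for v in vulns:
        cond = ATTACK_SET[v]
        for b in behaviors:
            if (b.dst == device and b.rel == cond["rel"] and b.dst_port == cond["dst_port"]
                    and b.ts < before and (best is None or b.ts > best.ts)):
                best = b
    return best

def trace_attack(behaviors, victim: str, detected_at_iso: str):
    """Claim 1: walk back one nearest hop at a time until the next device has no
    associated vulnerability node. Returns (node_set, path_edges); the edges
    (src, rel, dst, ts, mode) are the attack path graph of claim 4."""
    nodes, edges = [victim], []
    current, before = victim, datetime.fromisoformat(detected_at_iso)
    while DEVICE_VULNS.get(current):   # stop at a node with no vulnerability node
        vulns = DEVICE_VULNS[current]
        hop = nearest_one_hop(behaviors, current, vulns, before)
        if hop is None or hop.src in nodes:   # no matching behavior, or a cycle
            break
        mode = next(ATTACK_SET[v]["mode"] for v in vulns
                    if ATTACK_SET[v]["rel"] == hop.rel and ATTACK_SET[v]["dst_port"] == hop.dst_port)
        edges.append((hop.src, hop.rel, hop.dst, hop.ts.isoformat(), mode))
        nodes.append(hop.src)
        current, before = hop.src, hop.ts  # the hop's time bounds the next search
    return nodes, edges

if __name__ == "__main__":
    behaviors = clean_behaviors(RAW_LOG)
    nodes, edges = trace_attack(behaviors, "db-01", "2022-11-01T10:30:00")
    print("node set:", nodes)          # db-01 -> app-01 -> ws-01 -> 203.0.113.7
    for e in edges:
        print("path edge:", e)
    print(cypher_for_hop("db-01", "ACCESS", 3306, "2022-11-01T10:30:00")[0])
```

Two details matter in practice. "Nearest" is read here as the latest matching behavior that precedes the hop already established, so the ws-02 access to app-01 at 10:25, which is later than the app-01 to db-01 hop at 10:20, is correctly excluded even though it matches the port condition; without the time bound the trace would follow the wrong branch. And because Cypher cannot take labels or relationship types as parameters, the relation type interpolated into the MATCH clause has to originate in the curated attack set rather than in attacker-influenced log fields.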

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211352646.7A CN115412372B (en) 2022-11-01 2022-11-01 Network attack tracing method, system and equipment based on knowledge graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211352646.7A CN115412372B (en) 2022-11-01 2022-11-01 Network attack tracing method, system and equipment based on knowledge graph

Publications (2)

Publication Number Publication Date
CN115412372A CN115412372A (en) 2022-11-29
CN115412372B true CN115412372B (en) 2023-03-24

Family

ID=84168776

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211352646.7A Active CN115412372B (en) 2022-11-01 2022-11-01 Network attack tracing method, system and equipment based on knowledge graph

Country Status (1)

Country Link
CN (1) CN115412372B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118467303B (en) * 2024-07-15 2024-09-17 成都格理特电子技术有限公司 Traceability early warning method and system based on data driving and mechanism model fusion

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102079970B1 (en) * 2019-04-30 2020-04-07 (주)에스투더블유랩 Method, apparatus and computer program for providing cyber security using a knowledge graph
CN111181959A (en) * 2019-12-30 2020-05-19 论客科技(广州)有限公司 Method and device for constructing threat information knowledge graph based on mail data
CN111935192B (en) * 2020-10-12 2021-03-23 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN113282759B (en) * 2021-04-23 2024-02-20 国网辽宁省电力有限公司电力科学研究院 Threat information-based network security knowledge graph generation method
CN113032794A (en) * 2021-04-23 2021-06-25 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for constructing security vulnerability knowledge graph

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111581397A (en) * 2020-05-07 2020-08-25 南方电网科学研究院有限责任公司 Network attack tracing method, device and equipment based on knowledge graph
CN113612763A (en) * 2021-07-30 2021-11-05 北京交通大学 Network attack detection device and method based on network security malicious behavior knowledge base

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Simulation study of an efficient detection model for network attack node paths; Zhang Bo et al.; Computer Simulation (计算机仿真); 2017-08-15 (No. 08); full text *

Also Published As

Publication number Publication date
CN115412372A (en) 2022-11-29

Similar Documents

Publication Publication Date Title
CN111177417B (en) Security event correlation method, system and medium based on network security knowledge graph
US11558418B2 (en) System for query injection detection using abstract syntax trees
CN104509034B (en) Pattern merges to identify malicious act
CN115296924B (en) Network attack prediction method and device based on knowledge graph
US7941853B2 (en) Distributed system and method for the detection of eThreats
US9462009B1 (en) Detecting risky domains
AU2014213584B2 (en) Method and product for providing a predictive security product and evaluating existing security products
Nelms et al. ExecScent: Mining for New C&C Domains in Live Networks with Adaptive Control Protocol Templates
EA037617B1 (en) Method and system for detecting an intrusion in data traffic on a data communication network
Baiardi et al. Automating the assessment of ICT risk
CN115412372B (en) Network attack tracing method, system and equipment based on knowledge graph
CN106209907B (en) Method and device for detecting malicious attack
CN113595790A (en) Security access assessment method and device for power terminal equipment
Aparicio-Navarro et al. Addressing multi-stage attacks using expert knowledge and contextual information
Shabtai et al. Monitoring, analysis, and filtering system for purifying network traffic of known and unknown malicious content
CN115225531B (en) Database firewall testing method and device, electronic equipment and medium
Tylman Misuse-based intrusion detection using Bayesian networks
Kubota et al. A new feature to secure web applications
CN114205146B (en) Processing method and device for multi-source heterogeneous security log
Wang et al. Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls
Dik et al. Web attacks detection based on patterns of sessions
Jongsawat et al. Creating behavior-based rules for snort based on Bayesian network learning algorithms
Razzaq et al. Multi-layered defense against web application attacks
Haseeb Deception-based security framework for iot: An empirical study
Brzezinski Intrusion detection as passive testing: linguistic support with TTCN-3

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant