CN115567306A - APT attack tracing analysis method based on bidirectional long-time and short-time memory network - Google Patents

Info

Publication number
CN115567306A
Authority
CN
China
Prior art keywords
attack
tracing
sequence
entity
graph
Prior art date
Legal status
Pending
Application number
CN202211202192.5A
Other languages
Chinese (zh)
Inventor
江荣
林昌建
李爱平
周斌
涂宏魁
王晔
张晨晖
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date
2022-09-29
Filing date
2022-09-29
Publication date
2023-01-03
Application filed by National University of Defense Technology
Priority to CN202211202192.5A
Publication of CN115567306A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention relates to an APT attack tracing analysis method based on a bidirectional long short-term memory (BiLSTM) network, comprising the following steps. Step S1: construct a tracing graph from the system operation events extracted from audit log data, and apply graph optimization to the tracing graph. Step S2: extract attack sequences and non-attack sequences from the optimized tracing graph. Step S3: train a deep learning model. Step S4: identify attack entities, where an intrusion detection system supplies real attack symptom entities and the deep learning model identifies all attack entities. Step S5: trace the attack path. For log-type tracing data, the invention processes the tracing graph, which suffers from dependency explosion, with a graph optimization algorithm, extracts attack sequences and non-attack sequences, automatically identifies attack entities, and traces the attack path on that basis, so that the attack path can be recovered accurately.

Description

APT attack tracing analysis method based on bidirectional long-time and short-time memory network
Technical Field
The invention relates to the field of network security tracing, and in particular to an APT attack tracing analysis method based on a bidirectional long short-term memory (BiLSTM) network.
Background
APT attacks, i.e. advanced persistent threat attacks, also called targeted threat attacks, are persistent and effective attack campaigns that an organization conducts against a particular target. APT attack tracing mainly consists of tracing the attacker, the attacking organization and the attack path. The activity of an APT organization is not a single attack behaviour but a high-level threat operation carried out by an organization. One major difficulty in current research on APT attack detection and tracing is the absence of a public data set. Different security companies publish their own reports on the same APT organization, and many graphical web pages profiling APT organizations keep appearing, but no open and authoritative APT data set exists.
APT attack tracing is a hard problem in a network defence system and requires technical detection, correlation search and supporting threat intelligence on several fronts. In the security industry, APT attack events are mainly analysed with a combined 'automated tooling + expert analysis' tracing approach that draws on the strength of a whole department. The typical tracing process is that a security analyst forms a hypothesis about the observed attack symptoms, investigates the data with tools and techniques, identifies the source, verifies and discovers further evidence with automated analysis, and repeats these steps. An APT attack tracing analysis method therefore needs further research so that an attack path can be recovered more accurately.
Disclosure of Invention
The technical problem solved by the invention is to provide an APT attack tracing analysis method based on a bidirectional long short-term memory (BiLSTM) network that can recover an attack path more accurately.
The technical scheme adopted by the invention to solve this problem is an APT attack tracing analysis method based on a BiLSTM network comprising the following steps:
step S1: construct a tracing graph from the system operation events extracted from audit log data, and apply graph optimization to the tracing graph;
step S2: extract attack sequences and non-attack sequences from the optimized tracing graph;
step S3: train a deep learning model, where the extracted attack sequences and non-attack sequences are converted into attack tracing numeric vectors, and a deep learning model is trained on the generated vectors;
step S4: identify attack entities, where an intrusion detection system supplies real attack symptom entities and the deep learning model identifies all attack entities;
step S5: trace the attack path, where all attack events containing an attack entity form an attack event set, and the attack events are ordered by timestamp to form the attack flow.
Specifically, constructing the tracing graph in step S1 includes the following:
system operation events are extracted from the audit log data used, and a tracing graph is built from the event contents; the tracing graph consists of nodes representing subjects and nodes representing objects, collectively called event entities, and edges connecting subject nodes to object nodes, where an edge represents an operation of the subject on the object;
graph optimization of the tracing graph includes the following:
(1) nodes and edges unreachable from the attack nodes and attack symptom nodes are deleted;
(2) repeated edges between the same subject and object whose action does not cause a state change are deleted;
(3) different subject and object descriptions of the same event are merged.
Specifically, in step S2:
the attack sequence extraction method is: extract the attack events containing attack entities, and arrange the attack events in time order to form an attack sequence;
the non-attack sequence extraction method is: add a non-attack entity to each attack entity subset to form a non-attack entity set, extract a sequence with the attack sequence extraction method, and if the extracted sequence does not match a known attack sequence, mark it as a non-attack sequence.
Specifically, the deep learning model is a bidirectional long short-term memory network (BiLSTM), which learns the similarities and differences between attack sequences and non-attack sequences.
Specifically, the main steps of identifying attack entities in step S4 are:
first, remove the attack symptom entities from the entity set of the tracing graph to obtain an unknown entity set, then take one unknown entity together with all attack symptom entities to form an unknown entity subset;
extract a sequence from this unknown entity subset, vectorize it, and input it into the trained deep learning model;
if it is judged to be an attack sequence, mark the taken unknown entity as an attack entity; continue taking unknown entities and constructing unknown entity subsets in the same way until all unknown entities have been taken, and all marked attack entities form the attack entity set.
The beneficial effects of the invention are as follows. For log-type tracing data, the invention processes the tracing graph, which suffers from dependency explosion, with a graph optimization algorithm. It then constructs quadruples (subject, action, object, timestamp), extracts attack sequences and non-attack sequences, automatically identifies attack entities, and traces the attack path on that basis. From the recovered attack path, a security analyst can discover the attack intent, the attacking host and the user hosts possibly infected by lateral movement, and the attack path can be recovered accurately.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a schematic flow chart of an APT attack tracing analysis method based on a bidirectional long-and-short-term memory network according to the present invention;
FIG. 2 is a schematic block diagram of the present invention for extracting attack sequences from a subset { B, E } of known attack entities;
FIG. 3 is a flow chart illustrating the identification of an attacking entity according to the present invention;
FIG. 4 is a schematic diagram of an attack path tracing process according to the present invention;
FIG. 5 is a block diagram of the APT attack tracing analysis method of the present invention;
FIG. 6 is a diagram of the deep learning model architecture of the present invention.
Detailed Description
The invention is now further described with reference to the accompanying drawings. These drawings are simplified schematics that illustrate only the basic structure of the invention, and therefore show only the parts relevant to it.
As shown in FIG. 1, an APT attack tracing analysis method based on a bidirectional long short-term memory (BiLSTM) network includes the following steps:
step S1: construct a tracing graph from the system operation events extracted from audit log data, and apply graph optimization to the tracing graph;
step S2: extract attack sequences and non-attack sequences from the optimized tracing graph;
step S3: train a deep learning model, where the extracted attack sequences and non-attack sequences are converted into attack tracing numeric vectors, and a deep learning model is trained on the generated vectors;
step S4: identify attack entities, where an intrusion detection system supplies real attack symptom entities and the deep learning model identifies all attack entities;
step S5: trace the attack path, where all attack events containing an attack entity form an attack event set, and the attack events are ordered by timestamp to form the attack flow.
Specifically, constructing the tracing graph in step S1 includes the following:
The audit log data used mainly comprises system event logs, DNS records, browser logs and the like. System operation events are extracted from it and a tracing graph is built from the event contents. The tracing graph consists of nodes representing subjects and nodes representing objects, collectively called event entities, and edges connecting subject nodes to object nodes, where an edge represents an operation of the subject on the object. However, because of the dependency explosion problem, the generated tracing graph contains many useless nodes and edges, so a graph optimization algorithm is applied to remove redundant nodes and merge related nodes and edges.
Graph optimization of the tracing graph includes the following:
(1) Nodes and edges unreachable from the attack nodes and attack symptom nodes are deleted. The attack starts from the attack nodes and attack symptom nodes and gradually penetrates the system; a node that the attack cannot reach cannot be infected.
(2) Repeated edges between the same subject and object whose action does not cause a state change are deleted. The same subject and object may repeat an action over a period of time, for example a process communicating repeatedly with the same IP address.
(3) Different subject and object descriptions of the same event are merged.
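As an added illustration that is not code from the patent, the following Python builds a tracing graph from constructed event quadruples and applies the three optimization steps above. The action set STATE_CHANGING, the alias table ALIASES, the entity names and the reading of "unreachable" in both edge directions are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    """Event quadruple used by the method: (subject, action, object, timestamp)."""
    subject: str
    action: str
    obj: str
    ts: int


# Constructed assumption: actions that change the object's state. Repeated
# edges with any other action between one subject/object pair are redundant.
STATE_CHANGING = {"write", "execute", "fork", "rename", "delete"}

# Constructed assumption: alias table that merges different descriptions of
# the same entity (here a path and a process name) into one node, step (3).
ALIASES = {"/usr/bin/B": "B"}

# Constructed audit-log excerpt with hypothetical names, extending the
# patent's own example. A is the attack node, E the attack symptom entity.
LOG = [
    Event("A", "write", "/usr/bin/B", 1),  # alias of B, merged by step (3)
    Event("A", "execute", "B", 2),
    Event("D", "read", "B", 3),
    Event("B", "send", "10.0.0.5", 3),
    Event("D", "fork", "E", 4),
    Event("B", "send", "10.0.0.5", 4),     # repeat, no state change: step (2)
    Event("B", "send", "10.0.0.5", 5),     # repeat, no state change: step (2)
    Event("X", "write", "Y", 6),           # not connected to A or E: step (1)
    Event("B", "read", "C", 7),
    Event("Y", "read", "Z", 8),            # not connected to A or E: step (1)
]


def merge_aliases(events, aliases):
    """Step (3): rewrite subject and object names through the alias table."""
    return [Event(aliases.get(e.subject, e.subject), e.action,
                  aliases.get(e.obj, e.obj), e.ts) for e in events]


def dedupe_repeated_edges(events):
    """Step (2): keep only the first of repeated (subject, action, object)
    edges whose action causes no state change; state-changing edges all stay."""
    seen, kept = set(), []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.subject, e.action, e.obj)
        if e.action not in STATE_CHANGING and key in seen:
            continue
        seen.add(key)
        kept.append(e)
    return kept


def reachable(events, seeds, forward):
    """Nodes reachable from the seeds along subject->object edges when
    forward is True, or along object->subject edges when it is False."""
    adj = defaultdict(set)
    for e in events:
        if forward:
            adj[e.subject].add(e.obj)
        else:
            adj[e.obj].add(e.subject)
    seen, stack = set(seeds), list(seeds)
    while stack:
        for n in adj[stack.pop()]:
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen


def prune_unreachable(events, seeds):
    """Step (1): drop every node, with its edges, that has no reachability
    relation with an attack or symptom node. Assumption: both directions
    count, because in the patent's example the attack entity D only has
    edges leading into B and E, so a forward-only check would discard it."""
    keep = reachable(events, seeds, True) | reachable(events, seeds, False)
    return [e for e in events if e.subject in keep and e.obj in keep]


def optimize_graph(events, seeds, aliases=ALIASES):
    """Whole step S1 optimization; returns the surviving edges in time order."""
    events = merge_aliases(events, aliases)
    events = dedupe_repeated_edges(events)
    return prune_unreachable(events, seeds)


if __name__ == "__main__":
    for e in optimize_graph(LOG, {"A", "E"}):
        print(e)
```

On the constructed log, ten edges shrink to six: the alias is folded into B, two repeated sends are dropped, and the X/Y/Z branch disappears.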
Specifically, in step S2:
the attack sequence extraction method is: extract the attack events containing attack entities, and arrange them in time order to form an attack sequence.
An attack sequence is a time-ordered sequence of attack events formed from attack entities. Suppose the system has three attack entities {B, E, G}; the attack entity subsets formed from them are the 7 non-empty subsets {B}, {E}, {G}, {B, E}, {B, G}, {E, G} and {B, E, G}.
Taking {B, E} as an example, as shown in FIG. 2, the dashed box is the neighbourhood graph of attack entities B and E. First the 6 events are extracted and marked as attack events (events containing an attack entity), and then an attack sequence is formed from them in time order.
The non-attack sequence extraction method is: add a non-attack entity to each attack entity subset to form a non-attack entity set, extract a sequence with the attack sequence extraction method, and if the extracted sequence does not match a known attack sequence, mark it as a non-attack sequence.
The number of non-attack sequences is far larger than the number of attack sequences, so extracting all of them in the way attack sequences are extracted would take orders of magnitude more effort. Therefore the model learns the boundary between malicious and benign activity from non-attack sequences constructed around the attack entities: a non-attack entity is added to each attack entity subset and a non-attack sequence is extracted from the resulting non-attack entity subset, so that the deep learning model can better learn the similarities and differences between attack sequences and non-attack sequences.
As shown in FIG. 3, a non-attack entity D is added to the attack entity subset {B} to form the non-attack entity set {B, D}, and the attack sequence extraction method is applied to extract a sequence. If the extracted sequence does not match a known attack sequence, it is marked as a non-attack sequence.
The extracted attack sequences and non-attack sequences are converted into attack tracing numeric vectors by sub-sampling and word vectorization.
Sub-sampling of sequences is divided into oversampling, which mainly augments the set of sequences, and undersampling, which reduces it. Because benign (non-attack) sequences far outnumber attack sequences and the data set needs to be balanced in the model learning stage, the invention mainly undersamples the benign sequences; it does not oversample the attack sequences, so as to preserve their semantics and correctness, but keeps the data set balanced between attack and benign sequences by reducing the number of benign sequences. For the undersampling of benign sequences, the similarity between benign sequences is calculated with the Levenshtein distance, and a similarity threshold is set to filter out related sequences, which reduces the number of non-attack sequences. The Levenshtein distance is widely used in natural language processing to measure the similarity between sentences.
The main word vectorization methods are word embedding and one-hot encoding. Since the semantics of the context before and after attack and non-attack events matter, a word embedding method is used to convert the sequences into numeric vectors so that the semantic relations of the context are preserved.
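An added example, not from the patent, of the benign-sequence undersampling described above: Levenshtein distance over event tokens, a normalized similarity, and greedy filtering against a similarity threshold. The BENIGN sequences, the "subject:action:object" token form and the 0.7 threshold are constructed assumptions.

```python
def levenshtein(a, b):
    """Edit distance between two token sequences; tokens are events rendered
    as 'subject:action:object', so timestamps do not affect the distance."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (x != y)))   # substitution
        prev = cur
    return prev[-1]


def similarity(a, b):
    """Normalized similarity in [0, 1]; 1 means identical sequences."""
    n = max(len(a), len(b))
    return 1.0 if n == 0 else 1.0 - levenshtein(a, b) / n


def undersample(benign, threshold=0.7):
    """Greedy undersampling: a benign sequence is kept only if its similarity
    to every already kept sequence is below the threshold, so near-duplicate
    non-attack sequences are filtered out while distinct ones survive."""
    kept = []
    for seq in benign:
        if all(similarity(seq, k) < threshold for k in kept):
            kept.append(seq)
    return kept


# Constructed benign sequences with hypothetical names, one event per token.
BENIGN = [
    ["a:write:B", "a:execute:B", "D:read:B", "D:fork:E", "B:read:C"],
    ["a:write:B", "a:execute:B", "D:read:B", "D:fork:F", "B:read:C"],  # one edit away
    ["X:write:Y", "Y:read:Z"],                                          # unrelated
    ["a:write:B", "a:execute:B", "D:read:B", "D:fork:E", "B:read:C"],  # exact duplicate
]

if __name__ == "__main__":
    print(len(undersample(BENIGN)), "of", len(BENIGN), "benign sequences kept")
```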
Specifically, the deep learning model is a bidirectional long short-term memory network (BiLSTM), and the model learns the similarities and differences between attack sequences and non-attack sequences.
For the attack tracing numeric vectors generated from the tracing graph, LSTM, a variant of the recurrent neural network (RNN), is the deep learning model dedicated to sequential data, and because of the context of the attack process the invention considers a bidirectional long short-term memory network (BiLSTM). As shown in FIG. 6, since convolutional neural networks (CNN) also apply to graph-type data, a CNN may be added on top of the BiLSTM.
Specifically, the main steps of identifying attack entities in step S4 are:
first, remove the attack symptom entities from the entity set of the tracing graph to obtain an unknown entity set, then take one unknown entity together with all attack symptom entities to form an unknown entity subset;
extract a sequence from this unknown entity subset, vectorize it, and input it into the trained deep learning model;
if it is judged to be an attack sequence, mark the taken unknown entity as an attack entity; continue taking unknown entities and constructing unknown entity subsets in the same way until all unknown entities have been taken, and all marked attack entities form the attack entity set.
Specifically, in this embodiment, identifying attack entities in step S4 includes the following: one or more real attack symptom entities are determined through comprehensive intelligence and correlation analysis, and the attack entities are then identified by the trained deep learning model. All attack entities are identified starting from the attack symptom entities.
FIG. 3 shows the specific flow of attack entity identification. First, the attack symptom entities are removed from the entity set of the tracing graph to obtain an unknown entity set, and one unknown entity is taken together with all attack symptom entities to form an unknown entity subset. A sequence is extracted from this subset, word-embedded and input into the trained deep learning model, which outputs a prediction score; if the score exceeds a preset threshold, the sequence is judged to be an attack sequence. If it is an attack sequence, the taken unknown entity is marked as an attack entity; the next unknown entity is then taken and a new unknown entity subset constructed for the same operation until all unknown entities have been taken. For example, for the unknown entity subset {D, B} formed by unknown entity D and attack entity B, the extracted sequence is {(a, write, B, T1), (a, execute, B, T2), (D, read, B, T3), (D, fork, E, T4), (B, read, C, T7)}. After passing through the deep learning model, the unknown entity D is finally judged to be an attack entity, and otherwise a non-attack entity.
Specifically, in this embodiment, as shown in FIG. 4 and FIG. 5, tracing the attack flow in step S5 includes the following: attack events are extracted according to the attack entities, ordered by their time attribute to form an attack sequence, and the current attack flow of the APT attack is formed after a certain cleaning computation.
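The sequence extraction of step S2, the entity identification loop of step S4 and the timestamp ordering of step S5, as an added example that is not the patent's own code. The GRAPH and its entity names are constructed (extending the {D, B} example above), and heuristic_score is an assumed stand-in for the trained BiLSTM's prediction score.

```python
from itertools import combinations
from typing import NamedTuple

class Event(NamedTuple):
    """Event quadruple: (subject, action, object, timestamp)."""
    subject: str
    action: str
    obj: str
    ts: int

# Constructed optimized tracing graph with hypothetical names, extending the
# patent's example: B, E, G are the attack symptom entities reported by the
# IDS; a, D, C, F, H are unknown entities.
GRAPH = [
    Event("a", "write", "B", 1),
    Event("a", "execute", "B", 2),
    Event("D", "read", "B", 3),
    Event("D", "fork", "E", 4),
    Event("E", "connect", "G", 5),
    Event("C", "read", "F", 6),
    Event("B", "read", "C", 7),
    Event("C", "read", "H", 8),
]

def extract_sequence(graph, entities):
    """Attack sequence extraction (S2): every event whose subject or object
    lies in the entity subset, arranged in timestamp order."""
    return sorted((e for e in graph if e.subject in entities or e.obj in entities),
                  key=lambda e: e.ts)

def attack_subsets(attack_entities):
    """All non-empty subsets of the attack entities ({B}, {E}, ..., {B, E, G})."""
    ents = sorted(attack_entities)
    return [frozenset(c) for r in range(1, len(ents) + 1)
            for c in combinations(ents, r)]

def build_dataset(graph, attack_entities):
    """S2: one attack sequence per subset, plus non-attack sequences made by
    adding one non-attack entity to each subset; a candidate is labelled
    non-attack only if it does not match any known attack sequence."""
    subsets = attack_subsets(attack_entities)
    attack = {s: extract_sequence(graph, s) for s in subsets}
    known = {tuple(seq) for seq in attack.values()}
    others = {n for e in graph for n in (e.subject, e.obj)} - set(attack_entities)
    non_attack = {}
    for s in subsets:
        for n in sorted(others):
            seq = extract_sequence(graph, s | {n})
            if tuple(seq) not in known:
                non_attack[s | {n}] = seq
    return attack, non_attack

def heuristic_score(seq, unknown, attack_entities):
    """Stand-in for the trained BiLSTM's prediction score (an assumption, not
    the patent's model): the fraction of the unknown entity's own events
    whose other endpoint is a known attack entity."""
    own = [e for e in seq if unknown in (e.subject, e.obj)]
    if not own:
        return 0.0
    hits = sum(1 for e in own
               if (e.obj if e.subject == unknown else e.subject) in attack_entities)
    return hits / len(own)

def identify_attack_entities(graph, symptoms, score_fn, threshold=0.5):
    """S4: take each unknown entity with all symptom entities, extract the
    sequence, score it, and mark the entity as an attack entity if the score
    reaches the preset threshold. Returns the full attack entity set."""
    unknown = {n for e in graph for n in (e.subject, e.obj)} - set(symptoms)
    found = set(symptoms)
    for u in sorted(unknown):
        seq = extract_sequence(graph, set(symptoms) | {u})
        if score_fn(seq, u) >= threshold:
            found.add(u)
    return found

def attack_path(graph, attack_entities):
    """S5: all events containing an attack entity, ordered by timestamp."""
    return extract_sequence(graph, attack_entities)

if __name__ == "__main__":
    symptoms = {"B", "E", "G"}
    scorer = lambda seq, u: heuristic_score(seq, u, symptoms)
    found = identify_attack_entities(GRAPH, symptoms, scorer)
    print("attack entities:", sorted(found))
    for e in attack_path(GRAPH, found):
        print(e)
```

With the stand-in scorer, a and D are added to the attack entity set while C, F and H are not, and the resulting path is the six events at T1 to T5 and T7.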
The bidirectional long short-term memory network model (BiLSTM) captures bidirectional dependencies better. When a tracing graph is built and attack and non-attack sequences are extracted from it, fixed and similar attack flows are found at the point where an attacker launches an attack. However, the tracing graph naturally formed from logs contains a very large number of dependency relations and easily suffers from dependency explosion; optimizing the tracing graph reduces the dependency relations and also the length of the extracted sequences. Although LSTM handles the gradient explosion and vanishing gradient problems well, an overly long sequence still causes vanishing gradients in the LSTM model. Optimizing the tracing graph with techniques such as pruning and merging effectively solves this problem.
In order to increase the automation of tracing, the invention processes the tracing graph built from log-type tracing data, which suffers from dependency explosion, with a graph optimization algorithm. It then constructs quadruples (subject, action, object, timestamp), extracts attack sequences and non-attack sequences, automatically identifies attack entities, and traces the attack path on that basis. From the recovered attack path, a security analyst can discover the attack intent, the attacking host and the user hosts possibly infected by lateral movement, and the attack path can be recovered accurately.
In light of the foregoing description of the preferred embodiment of the present invention, many modifications and variations will be apparent to those skilled in the art without departing from the spirit and scope of the invention. The technical scope of the present invention is not limited to the content of the specification, and must be determined according to the scope of the claims.

Claims (5)

1. An APT attack tracing analysis method based on a bidirectional long-time and short-time memory network, characterized by comprising the following steps:
step S1: constructing a tracing graph from the system operation events extracted from audit log data, and performing graph optimization on the tracing graph;
step S2: extracting sequences, namely extracting attack sequences and non-attack sequences from the optimized tracing graph;
step S3: training a deep learning model, wherein the extracted attack sequences and non-attack sequences are converted into attack tracing numeric vectors, and a deep learning model is trained on the generated attack tracing numeric vectors;
step S4: identifying attack entities, wherein an intrusion detection system provides real attack symptom entities and the deep learning model identifies all attack entities;
step S5: tracing the attack path, wherein all attack events containing an attack entity form an attack event set, and the attack events are ordered by timestamp to form an attack flow.
2. The APT attack tracing analysis method based on the bidirectional long-and-short-term memory network as claimed in claim 1, wherein constructing the tracing graph in step S1 comprises the following:
extracting system operation events from the audit log data used, and constructing a tracing graph from the event contents; the tracing graph consists of nodes representing subjects and nodes representing objects, collectively called event entities, and edges connecting subject nodes to object nodes, wherein an edge represents an operation of the subject on the object;
the graph optimization of the tracing graph comprises the following:
(1) deleting nodes and edges unreachable from the attack nodes and attack symptom nodes;
(2) deleting repeated edges between the same subject and the same object whose actions do not cause a state change;
(3) merging different subject and object descriptions of the same event.
3. The APT attack tracing analysis method based on the bidirectional long-and-short-term memory network as claimed in claim 1, wherein in step S2,
the attack sequence extraction method comprises: extracting attack events containing attack entities, and arranging the attack events in time order to form an attack sequence;
the non-attack sequence extraction method comprises: adding a non-attack entity to each attack entity subset to form a non-attack entity set, extracting a sequence with the attack sequence extraction method, and, if the extracted sequence does not match a known attack sequence, marking the sequence as a non-attack sequence.
4. The APT attack tracing analysis method based on the bidirectional long-and-short-term memory network as claimed in claim 1, wherein the deep learning model is the bidirectional long-and-short-term memory network BiLSTM, and the deep learning model learns the similarities and differences between attack sequences and non-attack sequences.
5. The APT attack tracing analysis method based on the bidirectional long-and-short-term memory network as claimed in claim 1, wherein the main steps of identifying attack entities in step S4 comprise:
first, removing the attack symptom entities from the entity set of the tracing graph to obtain an unknown entity set, and then taking one unknown entity together with all attack symptom entities to form an unknown entity subset;
extracting a sequence from the formed unknown entity subset, vectorizing the sequence, and inputting it into a trained deep learning model;
if the sequence is judged to be an attack sequence, marking the taken unknown entity as an attack entity, continuing to take unknown entities and construct unknown entity subsets for the same operation until all unknown entities have been taken, and forming an attack entity set from all marked attack entities.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211202192.5A CN115567306A (en) 2022-09-29 2022-09-29 APT attack tracing analysis method based on bidirectional long-time and short-time memory network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211202192.5A CN115567306A (en) 2022-09-29 2022-09-29 APT attack tracing analysis method based on bidirectional long-time and short-time memory network

Publications (1)

Publication Number Publication Date
CN115567306A true CN115567306A (en) 2023-01-03

Family

ID=84742557

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211202192.5A Pending CN115567306A (en) 2022-09-29 2022-09-29 APT attack tracing analysis method based on bidirectional long-time and short-time memory network

Country Status (1)

Country Link
CN (1) CN115567306A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201904277D0 (en) * 2019-03-27 2019-05-08 British Telecomm Adaptive computer security
CN112528275A (en) * 2020-11-23 2021-03-19 浙江工业大学 APT network attack detection method based on meta-path learning and sub-graph sampling
CN114254655A (en) * 2022-02-28 2022-03-29 南京众智维信息科技有限公司 Network security traceability semantic identification method based on prompt self-supervision learning
CN114357445A (en) * 2021-12-22 2022-04-15 绿盟科技集团股份有限公司 Method, device and storage medium for identifying terminal side attack path
CN114615063A (en) * 2022-03-14 2022-06-10 清华大学 Attack tracing method and device based on log correlation analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Zhihong; Wang Yao: "A time-series-based intrusion attack path tracing algorithm and its practice", Science and Technology Innovation Herald (科技创新导报), no. 15, 21 May 2020 (2020-05-21) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117040932A (en) * 2023-10-09 2023-11-10 国网思极网安科技(北京)有限公司 Rapid evidence obtaining method and system for tracing network attack
CN117040932B (en) * 2023-10-09 2024-04-02 国网思极网安科技(北京)有限公司 Rapid evidence obtaining method and system for tracing network attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination