CN115589339B - Network attack type identification method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115589339B
Authority
CN
China
Prior art keywords
attack
abnormal log
network
community
communities
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211574191.3A
Other languages
Chinese (zh)
Other versions
CN115589339A (en)
Inventor
姚晖
沈传宝
白兴伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huayuan Information Technology Co Ltd
Original Assignee
Beijing Huayuan Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods


Abstract

The embodiments of the present disclosure provide a network attack type identification method, apparatus, device and storage medium, and relate to the technical field of network security. The method comprises the following steps: parsing a log generated by a target network system to obtain abnormal log entries; determining a characteristic relationship between any two abnormal log entries; taking the parsed abnormal log entries as nodes, generating hyperedges according to the characteristic relationship between any two abnormal log entries, and constructing an abnormal log entry relationship hypergraph; performing attack community detection on the hypergraph to obtain attack communities; and classifying the detected attack communities to identify the network attack type corresponding to each attack community. In this way, attack community detection is carried out on the abnormal log entry relationship hypergraph, the detected attack communities are classified, their network attack types are identified, and the network attack means used by an attacker against the target network system are thus accurately determined.

Description

Network attack type identification method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for identifying a network attack type.
Background
In recent years, network attack events have been frequent, and Trojan, worm and ransomware intrusions on the Internet are endless, which poses a serious threat to network security. It is therefore necessary to identify the network attack types affecting a network system and to discover in time the attack means adopted by the attacker.
However, current network attack type identification is mostly based only on a pairwise relationship matrix between log entries, and its accuracy and effect are poor. How to improve the network attack type identification effect has therefore become a technical problem that urgently needs to be solved.
Disclosure of Invention
The present disclosure provides a network attack type identification method, apparatus, device and storage medium, which can improve the network attack type identification effect.
In a first aspect, an embodiment of the present disclosure provides a network attack type identification method, where the method includes:
analyzing a log generated by a target network system to obtain an abnormal log entry;
determining a characteristic relationship between any two abnormal log entries;
taking the parsed abnormal log entries as nodes, generating hyperedges according to the characteristic relationship between any two abnormal log entries, and constructing an abnormal log entry relationship hypergraph;
carrying out attack community detection on the abnormal log entry relation hypergraph to obtain an attack community;
and classifying the detected attack communities and identifying the network attack types corresponding to the attack communities.
In some implementations of the first aspect, before parsing the logs generated by the target network system, the method further comprises:
detecting the operation authority of a user;
and if the operation authority of the user meets the authority requirement and the current time is in a preset time period, acquiring the log generated by the target network system from the log storage server.
In some implementations of the first aspect, parsing a log generated by a target network system to obtain abnormal log entries includes:
performing regular-expression matching on the log generated by the target network system according to a preset abnormal characteristic field, and extracting the matched log entries as abnormal log entries.
In some implementations of the first aspect, determining a characteristic relationship between any two exception log entries includes:
matching characteristic fields of any two abnormal log entries;
and determining the characteristic relation between any two abnormal log entries according to the matching result.
In some implementations of the first aspect, performing attack community detection on the abnormal log entry relationship hypergraph to obtain an attack community includes:
assigning weights to the hyperedges in the abnormal log entry relationship hypergraph to generate a weighted hypergraph;
and clustering the nodes and hyperedges in the weighted hypergraph to obtain an attack community.
In some implementations of the first aspect, clustering the nodes and hyperedges in the weighted hypergraph to obtain an attack community includes:
clustering the nodes and hyperedges in the weighted hypergraph according to the weights and characteristic relationships of the hyperedges in the weighted hypergraph to obtain the attack community.
In some implementation manners of the first aspect, classifying the detected attack communities and identifying network attack types corresponding to the attack communities include:
classifying the detected attack communities by utilizing a pre-trained network attack identification model, and identifying network attack types corresponding to the attack communities;
the network attack recognition model is obtained by training a hypergraph convolutional neural network by utilizing a network attack training sample set, wherein the network attack training sample set is generated according to attack community samples and corresponding network attack type labels.
In a second aspect, an embodiment of the present disclosure provides a network attack type identification apparatus, where the apparatus includes:
the analysis module is used for analyzing the logs generated by the target network system to obtain abnormal log entries;
the determining module is used for determining the characteristic relation between any two abnormal log entries;
the construction module is used for taking the parsed abnormal log entries as nodes, generating hyperedges according to the characteristic relationship between any two abnormal log entries, and constructing an abnormal log entry relationship hypergraph;
the detection module is used for carrying out attack community detection on the abnormal log entry relation hypergraph to obtain an attack community;
and the classification module is used for classifying the detected attack communities and identifying the network attack types corresponding to the attack communities.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
In a fourth aspect, the disclosed embodiments provide a non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method as described above.
According to the method and the device, an abnormal log entry relation hypergraph can be established according to a plurality of abnormal log entries corresponding to a target network system and characteristic relations among the abnormal log entries, attack community detection is conducted based on the hypergraph, detected attack communities are classified, network attack types corresponding to the attack communities are identified, and network attack means adopted by a network attacker in network attack on the target network system are accurately determined.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
fig. 2 shows a flowchart of a network attack type identification method provided by an embodiment of the present disclosure;
fig. 3 is a structural diagram illustrating a network attack type identification apparatus according to an embodiment of the present disclosure;
FIG. 4 sets forth a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without inventive step, are intended to be within the scope of the present disclosure.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
In order to solve the problems occurring in the background art, embodiments of the present disclosure provide a network attack type identification method, apparatus, device, and storage medium.
Specifically, the logs generated by the target network system can be analyzed to obtain abnormal log entries, the characteristic relationship between any two abnormal log entries is determined, then the abnormal log entries obtained through analysis are used as nodes, a super edge is generated according to the characteristic relationship between any two abnormal log entries, an abnormal log entry relationship hypergraph is constructed, then the abnormal log entry relationship hypergraph is subjected to attack community detection to obtain attack communities, and therefore the detected attack communities are classified, and the network attack types corresponding to the attack communities are identified.
In this way, attack community detection can be performed based on the abnormal log entry relation hypergraph, the detected attack communities are classified, the network attack type corresponding to each attack community is identified, and then the network attack means adopted by a network attacker in implementing network attack on the target network system is accurately determined.
The network attack type identification method, apparatus, device and storage medium provided by the embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Fig. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented, as shown in fig. 1, in which an electronic device and a target network system may be included in the operating environment 100.
The electronic device may be a mobile electronic device or a non-mobile electronic device. For example, the mobile electronic device may be a tablet computer, a notebook computer, a palmtop computer, an Ultra-Mobile Personal Computer (UMPC), or the like, and the non-mobile electronic device may be a Personal Computer (PC), a supercomputer, a server, or the like.
The target network system is a network system that needs to perform network attack type identification, and may be a network system of an enterprise, a factory, a school, a research institute, or other group, which is not limited herein.
As an example, the electronic device may parse a plurality of logs (e.g., web logs, system logs, etc.) generated by a target network system to obtain a plurality of abnormal log entries, determine a characteristic relationship between any two abnormal log entries, use the parsed abnormal log entries as nodes, generate hyperedges according to the characteristic relationship between any two abnormal log entries, construct an abnormal log entry relationship hypergraph, perform attack community detection on that hypergraph to obtain attack communities, classify the detected attack communities, identify the network attack type corresponding to each attack community, and thereby accurately determine the network attack means adopted by an attacker against the target network system.
The network attack type identification method provided by the embodiment of the present disclosure will be described in detail below, wherein the network attack type identification method can be applied to the operating environment 100 shown in fig. 1.
Fig. 2 shows a flowchart of a network attack type identification method provided by an embodiment of the present disclosure, and as shown in fig. 2, the network attack type identification method 200 may include the following steps:
S210, parsing the logs generated by the target network system to obtain abnormal log entries.
Illustratively, the logs generated by the target network system may be stored in a log storage server.
In some embodiments, the operation authority of the user may be detected, and if the operation authority of the user meets the authority requirement and the current time is within a preset time period, the log generated by the target network system is acquired from the log storage server.
Therefore, only if the user has enough authority, the log stored in the log storage server can be accessed and obtained within the effective access time range, and the log is further prevented from being leaked.
In addition, the log can be stored in the log storage server in an encrypted manner, and when the log is acquired, the log ciphertext needs to be decrypted to obtain the log, so that the log confidentiality is further improved.
It can be understood that a log usually contains many log entries, most of which are irrelevant to network attack type identification. The log generated by the target network system can therefore be matched with regular expressions according to the preset abnormal characteristic field, and only the log entries matching the abnormal characteristic field are extracted as abnormal log entries, which reduces the data volume required for network attack type identification.
S220, determining the characteristic relation between any two abnormal log entries.
In some embodiments, feature field matching may be performed on any two abnormal log entries, and a feature relationship between any two abnormal log entries may be quickly determined according to a matching result.
For example, suppose abnormal log entry 1 has feature fields A, B, C and D, and abnormal log entry 2 has feature fields A, D, E and F. Feature field matching between the two entries yields the common fields A and D. It is then determined whether the values of field A in entry 1 and entry 2 are consistent, and whether the values of field D in entry 1 and entry 2 are consistent; the feature relationship between abnormal log entry 1 and abnormal log entry 2 is determined according to these determination results.
S230, taking the parsed abnormal log entries as nodes, generating hyperedges according to the characteristic relationship between any two abnormal log entries, and constructing an abnormal log entry relationship hypergraph.
Compared with a simple graph, the hypergraph has strong characterization and mining capabilities of nonlinear high-order correlation between data samples, can more accurately model the multivariate relation, and has more advantages in the clustering process.
Here, the abnormal log entry relationship hypergraph includes a characteristic relationship between a plurality of nodes (i.e., abnormal log entries), and can sufficiently capture a multiple relationship of a plurality of abnormal log entries.
S240, carrying out attack community detection on the abnormal log entry relation hypergraph to obtain an attack community.
In some embodiments, attack community detection can be performed on the abnormal log entry relationship hypergraph using a community detection algorithm (e.g., the Kernighan-Lin algorithm, spectral bisection, the GN algorithm, a greedy algorithm, simulated annealing, etc.) to obtain an attack community.
In other embodiments, weights can first be assigned to the hyperedges in the abnormal log entry relationship hypergraph to generate a weighted hypergraph. Specifically, a supervised learning approach can be adopted to assign weights to the hyperedges of the abnormal log entry relationship hypergraph, producing the weighted hypergraph.
The nodes and hyperedges in the weighted hypergraph are then clustered to obtain an attack community. Specifically, the nodes and hyperedges in the weighted hypergraph can be accurately clustered according to the weights and characteristic relationships of its hyperedges, so as to obtain the attack community.
Therefore, the problem of state explosion possibly occurring in the process of constructing the abnormal log entry relation hypergraph can be solved through the weight assignment operation, and the efficiency and the precision of the attack community detection are greatly improved.
And S250, classifying the detected attack communities and identifying the network attack types corresponding to the attack communities.
In some embodiments, the detected attack communities may be quickly classified using a pre-trained network attack recognition model, and the network attack types (such as variant Trojans, ransomware, botnets, and the like) corresponding to the attack communities are recognized, so as to accurately determine the network attack means adopted by an attacker against the target network system.
The network attack recognition model is obtained by training a hypergraph convolutional neural network by using a network attack training sample set, and the network attack training sample set is generated according to attack community samples and corresponding network attack type labels.
According to the embodiment of the disclosure, an abnormal log entry relation hypergraph can be established according to a plurality of abnormal log entries corresponding to a target network system and characteristic relations among the abnormal log entries, attack community detection is performed based on the hypergraph, detected attack communities are classified, network attack types corresponding to each attack community are identified, and network attack means adopted by a network attacker in implementing network attack on the target network system are accurately determined. Illustratively, the method can be applied to APT attack tracing.
The network attack type identification method provided by the present disclosure is described in detail below with reference to a specific embodiment, as follows:
(1) Detect the operation authority of the user, and if the operation authority of the user meets the authority requirement and the current time is within a preset time period, acquire the log generated by the target network system from the log storage server.
(2) Perform regular-expression matching on the log generated by the target network system according to the preset abnormal characteristic fields, and extract the log entries matching the abnormal characteristic fields as abnormal log entries.
(3) Match the characteristic fields of any two abnormal log entries, and determine the characteristic relationship between any two abnormal log entries according to the matching result.
(4) Take the parsed abnormal log entries as nodes, generate hyperedges according to the characteristic relationship between any two abnormal log entries, and construct an abnormal log entry relationship hypergraph.
(5) Assign weights to the hyperedges in the abnormal log entry relationship hypergraph to generate a weighted hypergraph, and accurately cluster the nodes and hyperedges in the weighted hypergraph according to the weights and characteristic relationships of its hyperedges to obtain an attack community.
(6) Rapidly classify the detected attack communities using a pre-trained network attack identification model, identify the network attack types corresponding to the attack communities, and thereby accurately determine the network attack means adopted by the attacker against the target network system.
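An added worked example (not from the patent) in Python covering steps (2) through (5) of this embodiment and S210 to S240 above: a preset abnormal characteristic field expressed as a regular expression filters constructed sample log lines, shared feature-field values define the characteristic relationship between two entries, each shared (field, value) becomes a hyperedge, a fixed per-field weight table stands in for the supervised weight assignment, and a community is the set of nodes joined by hyperedges whose weight reaches a threshold. The log lines, field names, weights and threshold are all constructed assumptions; the HGCN classification of step (6) is not included.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample log (not from the patent): one entry per line, key=value fields.
SAMPLE_LOG = """\
2023-01-05T10:00:01 level=INFO src=10.0.0.5 dst=10.0.0.20 user=alice action=login status=ok
2023-01-05T10:00:03 level=ALERT src=198.51.100.7 dst=10.0.0.20 user=admin action=login status=failed
2023-01-05T10:00:04 level=ALERT src=198.51.100.7 dst=10.0.0.21 user=admin action=login status=failed
2023-01-05T10:00:09 level=ALERT src=198.51.100.7 dst=10.0.0.22 user=root action=login status=failed
2023-01-05T10:01:10 level=INFO src=10.0.0.6 dst=10.0.0.20 user=bob action=read status=ok
2023-01-05T10:02:30 level=ALERT src=203.0.113.9 dst=10.0.0.30 user=svc action=exec status=blocked
2023-01-05T10:02:31 level=ALERT src=203.0.113.9 dst=10.0.0.30 user=svc action=write status=blocked
2023-01-05T10:05:00 level=ALERT src=192.0.2.44 dst=10.0.0.99 user=guest action=scan status=dropped
"""

# Preset abnormal characteristic field as a regular expression (assumed): ALERT-level lines.
ABNORMAL_PATTERN = re.compile(r"\blevel=ALERT\b")
FIELD_PATTERN = re.compile(r"(\w+)=(\S+)")

# Feature fields compared when relating two entries, and an assumed weight per field
# that stands in for the supervised hyperedge weight assignment of S240.
RELATION_FIELDS = ("src", "dst", "user", "action")
FIELD_WEIGHTS = {"src": 1.0, "user": 0.7, "dst": 0.5, "action": 0.2}


def parse_abnormal_entries(log_text):
    """S210: keep only lines matching the abnormal pattern; return their fields as dicts."""
    return [dict(FIELD_PATTERN.findall(line))
            for line in log_text.splitlines()
            if ABNORMAL_PATTERN.search(line)]


def characteristic_relation(a, b):
    """S220: the relation fields present in both entries with equal values."""
    return {f for f in RELATION_FIELDS if f in a and f in b and a[f] == b[f]}


def build_hypergraph(entries):
    """S230: nodes are entry indices; every (field, value) shared by some pair of
    entries becomes one hyperedge containing all entries carrying that value."""
    hyperedges = defaultdict(set)
    for i, j in combinations(range(len(entries)), 2):
        for f in characteristic_relation(entries[i], entries[j]):
            hyperedges[(f, entries[i][f])].update((i, j))
    return dict(hyperedges)


def weight_hyperedges(hypergraph):
    """S240, first half: weight each hyperedge by the field it was built from."""
    return {edge: FIELD_WEIGHTS[edge[0]] for edge in hypergraph}


def detect_communities(n_nodes, hypergraph, weights, threshold):
    """S240, second half: union-find over hyperedges whose weight reaches the
    threshold; each connected component is one attack community."""
    parent = list(range(n_nodes))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for edge, members in hypergraph.items():
        if weights[edge] < threshold:
            continue  # weak relation: does not bind nodes into a community
        root = find(next(iter(members)))
        for m in members:
            parent[find(m)] = root
    communities = defaultdict(list)
    for n in range(n_nodes):
        communities[find(n)].append(n)
    return sorted(sorted(c) for c in communities.values())


def identify_communities(log_text, threshold=0.6):
    """Run steps (2) to (5) and return (entries, hypergraph, communities)."""
    entries = parse_abnormal_entries(log_text)
    hypergraph = build_hypergraph(entries)
    weights = weight_hyperedges(hypergraph)
    communities = detect_communities(len(entries), hypergraph, weights, threshold)
    return entries, hypergraph, communities


if __name__ == "__main__":
    ents, hg, comms = identify_communities(SAMPLE_LOG)
    for edge, members in sorted(hg.items()):
        print(f"hyperedge {edge} -> nodes {sorted(members)}")
    for c in comms:
        print("community:", [ents[i]["src"] + "->" + ents[i]["dst"] for i in c])
```

With the constructed log, the three failed logins from one source and the two blocked actions from another each form a community, while the lone scan entry stays isolated; raising the threshold above every field weight dissolves all communities into singletons.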
It should be noted that for simplicity of description, the above-mentioned method embodiments are described as a series of acts, but those skilled in the art should understand that the present disclosure is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present disclosure. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 3 shows a block diagram of a network attack type identification apparatus provided according to an embodiment of the present disclosure, and as shown in fig. 3, the network attack type identification apparatus 300 may include:
the parsing module 310 is configured to parse the log generated by the target network system to obtain an abnormal log entry.
A determining module 320, configured to determine a characteristic relationship between any two exception log entries.
The construction module 330 is configured to take the parsed abnormal log entries as nodes, generate hyperedges according to the characteristic relationship between any two abnormal log entries, and construct an abnormal log entry relationship hypergraph.
And the detection module 340 is configured to perform attack community detection on the abnormal log entry relation hypergraph to obtain an attack community.
The classification module 350 is configured to classify the detected attack communities and identify network attack types corresponding to the attack communities.
In some embodiments, the detection module 340 is further configured to detect the operation authority of the user before parsing the log generated by the target network system.
The network attack type identification apparatus 300 further includes:
and the acquisition module is used for acquiring the log generated by the target network system from the log storage server if the operation authority of the user meets the authority requirement and the current time is in a preset time period.
In some embodiments, the parsing module 310 is specifically configured to:
perform regular-expression matching on the log generated by the target network system according to the preset abnormal characteristic field, and extract the matched log entries as abnormal log entries.
In some embodiments, the determining module 320 is specifically configured to:
matching the characteristic fields of any two abnormal log entries;
and determining the characteristic relation between any two abnormal log entries according to the matching result.
In some embodiments, the detection module 340 is specifically configured to:
assign weights to the hyperedges in the abnormal log entry relationship hypergraph to generate a weighted hypergraph;
and cluster the nodes and hyperedges in the weighted hypergraph to obtain an attack community.
In some embodiments, the detection module 340 is specifically configured to:
cluster the nodes and hyperedges in the weighted hypergraph according to the weights and characteristic relationships of the hyperedges in the weighted hypergraph to obtain the attack community.
In some embodiments, the classification module 350 is specifically configured to:
classifying the detected attack communities by utilizing a pre-trained network attack identification model, and identifying network attack types corresponding to the attack communities;
the network attack recognition model is obtained by training a hypergraph convolutional neural network by utilizing a network attack training sample set, wherein the network attack training sample set is generated according to attack community samples and corresponding network attack type labels.
It can be understood that each module/unit in the network attack type identification apparatus 300 shown in fig. 3 has a function of implementing each step in the network attack type identification method 200 provided by the embodiment of the present disclosure, and can achieve the corresponding technical effect, and for brevity, no further description is provided here.
FIG. 4 illustrates a block diagram of an electronic device that may be used to implement embodiments of the present disclosure. The electronic device 400 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic device 400 may also represent various forms of mobile devices, such as personal digital processors, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 4, the electronic device 400 may include a computing unit 401 that may perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data required for the operation of the electronic device 400 can also be stored. The computing unit 401, ROM 402, and RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
A number of components in the electronic device 400 are connected to the I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408, such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the electronic device 400 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Computing unit 401 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 401 performs the various methods and processes described above, such as the method 200. For example, in some embodiments, the method 200 may be implemented as a computer program product, including a computer program, tangibly embodied in a computer-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 400 via the ROM 402 and/or the communication unit 409. When the computer program is loaded into RAM 403 and executed by computing unit 401, one or more steps of method 200 described above may be performed. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the method 200 by any other suitable means (e.g., by means of firmware).
The various embodiments described herein above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, and which receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a computer-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that the present disclosure also provides a non-transitory computer-readable storage medium storing computer instructions, where the computer instructions are used to enable a computer to execute the method 200 and achieve the corresponding technical effects achieved by the method according to the embodiments of the present disclosure; for brevity, no detailed description is given here again.
Additionally, the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method 200.
To provide for interaction with a user, the above-described embodiments may be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The embodiments described above may be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user may interact with an implementation of the systems and techniques described herein), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that the various forms of the flows shown above may be used, with steps reordered, added or deleted. For example, the steps described in the present disclosure may be executed in parallel or sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (10)

1. A network attack type identification method is characterized by comprising the following steps:
analyzing a log generated by a target network system to obtain an abnormal log entry;
determining a characteristic relationship between any two abnormal log entries;
taking the abnormal log entries obtained by analysis as nodes, generating a hyperedge according to the characteristic relationship between any two abnormal log entries, and constructing an abnormal log entry relation hypergraph;
carrying out attack community detection on the abnormal log entry relation hypergraph to obtain an attack community;
and classifying the detected attack communities and identifying the network attack types corresponding to the attack communities.
2. The method of claim 1, wherein prior to said parsing the log generated by the target network system, the method further comprises:
detecting the operation authority of a user;
and if the operation authority of the user meets the authority requirement and the current time is in a preset time period, acquiring the log generated by the target network system from the log storage server.
3. The method of claim 1, wherein parsing the log generated by the target network system to obtain an abnormal log entry comprises:
and performing regular matching on the logs generated by the target network system according to the preset abnormal characteristic field, and extracting matched log entries as abnormal log entries.
4. The method of claim 1, wherein determining a characteristic relationship between any two abnormal log entries comprises:
matching the characteristic fields of any two abnormal log entries;
and determining the characteristic relation between any two abnormal log entries according to the matching result.
5. The method of claim 1, wherein the performing attack community detection on the abnormal log entry relation hypergraph to obtain an attack community comprises:
carrying out weight assignment on the hyperedges in the abnormal log entry relation hypergraph to generate a weighted hypergraph;
and clustering the nodes and the hyperedges in the weighted hypergraph to obtain an attack community.
6. The method of claim 5, wherein the clustering nodes and hyperedges in the weighted hypergraph to obtain an attack community comprises:
and clustering the nodes and the hyperedges in the weighted hypergraph according to the weights and the characteristic relations of the hyperedges in the weighted hypergraph to obtain an attack community.
7. The method according to any one of claims 1 to 6, wherein the classifying the detected attack communities and identifying the network attack types corresponding to the attack communities comprises:
classifying the detected attack communities by utilizing a pre-trained network attack identification model, and identifying the network attack types corresponding to the attack communities;
the network attack recognition model is obtained by training a hypergraph convolutional neural network by using a network attack training sample set, wherein the network attack training sample set is generated according to attack community samples and corresponding network attack type labels.
8. A network attack type recognition apparatus, the apparatus comprising:
the analysis module is used for analyzing the logs generated by the target network system to obtain abnormal log entries;
the determining module is used for determining the characteristic relation between any two abnormal log entries;
the construction module is used for generating a hyperedge according to the characteristic relation between any two abnormal log entries by taking the abnormal log entries obtained by analysis as nodes, and constructing an abnormal log entry relation hypergraph;
the detection module is used for carrying out attack community detection on the abnormal log entry relation hypergraph to obtain an attack community;
and the classification module is used for classifying the detected attack communities and identifying the network attack types corresponding to the attack communities.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1-7.
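The procedure of claims 1 to 6 carried through on constructed log lines, as an added example in Python that is not the patent's own code: regular matching on preset abnormal fields, characteristic relationships from shared field values, a weighted hypergraph with one hyperedge per value shared by two or more entries, and attack community detection by clustering nodes through hyperedges whose weight reaches a threshold. The sample lines, the patterns, the field weights and the threshold are assumptions; the classification step of claim 7 (a trained hypergraph convolutional network) is not included.

```python
import re
from collections import defaultdict

# Constructed sshd/sudo style lines (not from the patent); the publickey line is benign.
LOG_LINES = [
    "Dec 08 10:00:01 host sshd[1]: Failed password for root from 10.0.0.5 port 4001",
    "Dec 08 10:00:02 host sshd[2]: Failed password for root from 10.0.0.5 port 4002",
    "Dec 08 10:00:03 host sshd[3]: Failed password for admin from 10.0.0.5 port 4003",
    "Dec 08 10:00:09 host sshd[4]: Accepted password for admin from 10.0.0.5 port 4004",
    "Dec 08 10:00:10 host sudo: admin : COMMAND=/bin/cat /etc/shadow",
    "Dec 08 10:05:00 host sshd[5]: Accepted publickey for alice from 10.0.0.9 port 5000",
    "Dec 08 10:06:00 host sshd[6]: Failed password for bob from 192.168.1.7 port 6000",
]
# Preset abnormal feature fields (claim 3): a line is abnormal if a pattern matches;
# the named groups are the feature fields compared in claim 4. Patterns are assumed.
ABNORMAL_PATTERNS = [
    re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"sudo: (?P<user>\S+) : COMMAND=(?P<cmd>\S+)"),
]
# Per-field weights for hyperedge weight assignment (claim 5); the values are assumed.
FIELD_WEIGHTS = {"src": 2, "user": 1, "cmd": 1}


def parse_abnormal_entries(lines):
    """Regular matching against the preset abnormal fields; one dict per abnormal entry."""
    matches = (pat.search(line) for line in lines for pat in ABNORMAL_PATTERNS)
    return [m.groupdict() for m in matches if m]


def feature_relation(a, b):
    """Characteristic relationship between two entries: the fields on which they match."""
    return sorted(k for k in a if k in b and a[k] == b[k])


def build_weighted_hypergraph(entries):
    """Nodes are entry indices; one hyperedge per (field, value) shared by >= 2
    entries, weighted by field weight times member count (claims 1 and 5)."""
    members = defaultdict(set)
    for i, entry in enumerate(entries):
        for field, value in entry.items():
            members[(field, value)].add(i)
    return {key: (FIELD_WEIGHTS[key[0]] * len(nodes), frozenset(nodes))
            for key, nodes in members.items() if len(nodes) >= 2}


def detect_attack_communities(entries, hypergraph, min_weight=2):
    """Cluster nodes through hyperedges whose weight reaches min_weight (claim 6);
    each connected component (union-find) is one attack community."""
    parent = list(range(len(entries)))

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for weight, nodes in hypergraph.values():
        if weight >= min_weight:
            root = find(min(nodes))
            for n in nodes:
                parent[find(n)] = root
    groups = defaultdict(list)
    for i in range(len(entries)):
        groups[find(i)].append(i)
    return sorted(groups.values())
```

Raising `min_weight` splits the low-weight user hyperedge off, so the sudo entry becomes its own community; each community is the unit the classifier of claim 7 would label.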
CN202211574191.3A 2022-12-08 2022-12-08 Network attack type identification method, device, equipment and storage medium Active CN115589339B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211574191.3A CN115589339B (en) 2022-12-08 2022-12-08 Network attack type identification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115589339A CN115589339A (en) 2023-01-10
CN115589339B true CN115589339B (en) 2023-04-07

Family

ID=84783605

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant