CN115834251A - Hypergraph Transformer-based threat hunting model establishing method - Google Patents


Info

Publication number
CN115834251A
Authority
CN
China
Prior art keywords
log
hypergraph
layer
matrix
threat
Prior art date
Legal status
Granted
Application number
CN202310108673.8A
Other languages
Chinese (zh)
Other versions
CN115834251B
Inventor
邱日轩
孙欣
梁良
周欣
付俊峰
张俊峰
汪一波
林楠
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC and Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Priority to CN202310108673.8A
Publication of CN115834251A
Application granted; publication of CN115834251B
Legal status: Active

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a hypergraph Transformer-based threat hunting model establishing method comprising the following steps: threat intelligence and system logs are used as input data, a log graph is generated by a processing module and input into the threat hunting model; the threat hunting model encodes the input data and constructs a hypergraph, which a hypergraph neural network layer processes into matrix data; features are extracted from the preprocessed data by a multi-head attention mechanism and mapped to a hyperedge matrix; finally, hyperedge matching yields the similarity score of the log graph pair, the novel power system kernel audit logs that match the cyber threat intelligence are found, and threat hunting is completed. The model can adapt to continuously updated and changing APT attacks, complete threat hunting of APT attacks on the novel power system, and realise rapid response and active defence against APT attacks.

Description

Hypergraph Transformer-based threat hunting model establishing method
Technical Field
The invention relates to the technical field of threat hunting model establishment, in particular to a hypergraph Transformer-based threat hunting model establishment method.
Background
Because the power distribution of the novel power system is becoming distributed, the growth of cross-space vulnerabilities raises the risk of APT attacks: an attacker can intrude through an external network, hide in the information network of the novel power system, modify its service layer, and ultimately damage the power system.
Based on the above, the application provides a method for establishing a hypergraph Transformer-based threat hunting model to solve the above problems.
Disclosure of Invention
The invention aims to provide a hypergraph Transformer threat hunting model establishing method which, when the log graph is built, retains as many APT attack traces of the novel power system as possible in view of the long latency of APT attacks, and which uses cyber threat intelligence to adapt to continuously updated and changing APT attacks, so as to overcome the shortcomings described in the background.
To this end, the invention provides the following technical scheme. The hypergraph Transformer-based threat hunting model establishing method comprises the following steps:
S1: using threat intelligence and system logs as input data, encoding the input data and constructing a hypergraph, and processing the hypergraph with a hypergraph neural network layer to generate preprocessed data;
S2: extracting feature data from the preprocessed data with a Transformer multi-head attention mechanism;
S3: computing a score for the feature data with a hyperedge matching algorithm, completing the matching of threat intelligence against the power system log library, and establishing the HTTN threat hunting model for APT attacks on the power system.
In a preferred embodiment, obtaining threat intelligence in step S1 comprises the following steps:
S1.1: acquiring the kernel audit log streams of the power system through the kernel audit engines of the operating systems, and constructing the power system log graph from the log streams with a stream-processing unit module;
S1.2: collecting cyber threat intelligence from open-source or private threat intelligence libraries, and generating a threat intelligence log graph with a threat intelligence processing module;
S1.3: inputting the power system log graph and the threat intelligence log graph together into the HTTN threat hunting model, and computing scores between subgraphs of the novel power system log graph and the threat intelligence log graph by log graph matching;
S1.4: obtaining all operating system logs in the novel power system log library that match the threat intelligence by setting a score threshold for the HTTN threat hunting model, discovering unknown APT attacks through the model, and completing the threat hunting of the APT attack.
In a preferred embodiment, the HTTN threat hunting model comprises a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hyperedge matching layer and a similarity score calculation layer;
the graph information input layer is generated as follows:
N log graph pairs constitute the data input, each log graph pair being represented as [Figure SMS_1]. For each log graph [Figure SMS_2] or [Figure SMS_3], the number of nodes and edges is arbitrary. Any log graph entry [Figure SMS_4] is written as [Figure SMS_5], where [Figure SMS_6] and [Figure SMS_7] denote the number of nodes and the number of edges respectively. An adjacency matrix [Figure SMS_8] characterises the connection information of log graph [Figure SMS_9], where [Figure SMS_10] is the set of real numbers, and [Figure SMS_11] denotes the node feature matrix of log graph [Figure SMS_12], where [Figure SMS_13] is the node feature dimension. Log graph [Figure SMS_14] is expressed in the same way as log graph [Figure SMS_15].
In a preferred embodiment, in the hypergraph construction layer, the log hypergraph is defined as [Figure SMS_16]. The log hypergraph comprises a set of log nodes [Figure SMS_17], a log hyperedge set [Figure SMS_18], a log node feature matrix [Figure SMS_19] and a diagonal log hyperedge weight matrix [Figure SMS_20]. Each hyperedge of the log hypergraph contains at least two nodes, and the incidence matrix [Figure SMS_21] is used to model these non-pairwise node relationships; the entries of H are defined as:
[Figure SMS_22]
where [Figure SMS_23] denotes the assignment of an element of the incidence matrix: the value is 1 if the node belongs to the hyperedge and 0 otherwise. The degree of a node v is written [Figure SMS_24], with [Figure SMS_25] representing the vertex degree, and the degree of a hyperedge e is written [Figure SMS_26]. The diagonal node degree matrix and the diagonal hyperedge degree matrix are denoted [Figure SMS_27] and [Figure SMS_28] respectively.
In a preferred embodiment, in the hypergraph construction layer, the log hypergraph of the power system is constructed by a random walk method: for each log node v, a random walk of step length K is performed on the ordinary log graph G, and the sampled node sequence is taken as a hyperedge, yielding the hyperedge matrix [Figure SMS_29].
In a preferred embodiment, in the hypergraph neural network layer, an HGNN layer is added to the HTTN threat hunting model. For the l-th HGNN layer, the log hypergraph H and the hidden representation matrix [Figure SMS_30] are taken as input, and the node representations of the next layer are computed as:
[Figure SMS_31]
[Figure SMS_32]
where [Figure SMS_33] is a non-linear activation function, [Figure SMS_34] is the training parameter matrix of the l-th layer, [Figure SMS_35], [Figure SMS_36] and [Figure SMS_37] are the diagonal node degree, hyperedge degree and hyperedge weight matrices respectively, and [Figure SMS_38] is a matrix of trainable parameters.
In a preferred embodiment, the HGNN layer performs a node-hyperedge-node conversion of the log graph, so that the log hypergraph structure refines the hyperedge features of the log.
In a preferred embodiment, in the hypergraph Transformer coding layer, the log hyperedge matrix E output by the hypergraph neural network layer is input to the Transformer coding layer, which extracts the core features of the log hyperedge matrix. The hypergraph Transformer coding layer comprises a multi-head attention mechanism and a feed-forward neural network.
The self-attention mechanism is computed as:
[Figure SMS_39]
[Figure SMS_40]
[Figure SMS_41]
[Figure SMS_42]
where E is the log hyperedge matrix, Q, K and V are the Query, Key and Value vectors derived from E, [Figure SMS_43] is the dimension of the Q and K vectors, and [Figure SMS_44], [Figure SMS_45] and [Figure SMS_46] are randomly initialised matrices.
The multi-head attention mechanism applies h different linear transformations to [Figure SMS_47] as projections, and finally concatenates the results of the self-attention modules:
[Figure SMS_48]
[Figure SMS_49]
Multiple sets of weight matrices [Figure SMS_51], [Figure SMS_52] and [Figure SMS_54] are initialised, where [Figure SMS_56]; each [Figure SMS_58], [Figure SMS_59] and [Figure SMS_60] is computed, and then [Figure SMS_50] is obtained from the attention formula. Each group [Figure SMS_53] is concatenated, multiplied by the weight matrix [Figure SMS_55] and mapped back to the original space, giving [Figure SMS_57] with the same dimension as the input hyperedge matrix.
The feed-forward neural network consists of a fully connected layer with a ReLU activation followed by a fully connected layer with a linear activation; it compensates for the insufficient fit of the multi-head attention mechanism to the data output by the hypergraph neural network layer.
In a preferred embodiment, the hyperedge matching layer computes scores between the hyperedges of a pair of hypergraphs [Figure SMS_61] and [Figure SMS_62], constructing a score matrix [Figure SMS_63] for the hypergraph pair. For each hyperedge [Figure SMS_65] of [Figure SMS_64], its score against all hyperedges of the other graph of the pair, [Figure SMS_66], is computed with a Gaussian kernel function:
[Figure SMS_67]
where [Figure SMS_69] is the number of hyperedges in [Figure SMS_70], [Figure SMS_71] and [Figure SMS_72] denote hyperedges of the hypergraphs [Figure SMS_73] and [Figure SMS_74] respectively, and [Figure SMS_75] controls the range of action of the Gaussian kernel: the larger [Figure SMS_68], the larger the local range of influence of the kernel.
In a preferred embodiment, in the similarity score calculation layer, the score matrix is processed by fully connected layers to produce the score [Figure SMS_76], and the loss is computed as:
[Figure SMS_77]
where G is the set of training graph pairs and [Figure SMS_78] denotes the actual score between log graph [Figure SMS_79] and log graph [Figure SMS_80].
In the technical scheme, the invention provides the following technical effects and advantages:
the method comprises the steps of establishing a hypergraph by using network threat information and novel electric power system kernel audit logs, learning the relation between hypergraph high-order nodes through an HGNN layer, mapping characteristics into a super-edge matrix, adding a multi-head attention mechanism to the super-edge matrix by using a transform coding layer, finally realizing similarity score calculation of the log graph through super-edge matching, and finding the novel electric power system kernel audit logs matched with the network threat information.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present invention, and other drawings can be derived from them by those skilled in the art.
Fig. 1 is a flow chart of threat hunting according to the present invention.
FIG. 2 is a schematic diagram of the HTTN threat hunting model according to the present invention.
FIG. 3 is a flow chart of the construction of a Trojan log hypergraph according to the invention.
FIG. 4 is a schematic view of a multi-headed attention mechanism of the present invention.
FIG. 5 is a graph of the mean square error variation of each model training process according to the present invention.
FIG. 6 is a graph of the variation of Figure SMS_81 (the Spearman rank correlation coefficient) during the training process of each model according to the present invention.
FIG. 7 is a graph of the precision@10 variation of each model training process of the present invention.
FIG. 8 is a comparison chart of hunting time of models according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
In this embodiment, the hypergraph Transformer-based threat hunting model establishing method comprises the following steps:
S1, using threat intelligence and system logs as input data, encoding the input data, constructing a hypergraph, and processing the hypergraph with a hypergraph neural network layer to generate preprocessed data;
S2, extracting feature data from the preprocessed data with a Transformer multi-head attention mechanism;
S3, computing a similarity score for the feature data with a hyperedge matching algorithm, completing the matching of threat intelligence against the power system log library, and establishing the HTTN threat hunting model for APT attacks on the power system.
The hypergraph is constructed from cyber threat intelligence and novel power system kernel audit logs; the HGNN layer learns the higher-order relationships between hypergraph nodes and maps the features to a hyperedge matrix; the Transformer coding layer applies multi-head attention to the hyperedge matrix; hyperedge matching finally yields the similarity score of the log graph pair and finds the novel power system kernel audit logs that match the cyber threat intelligence. The model can adapt to continuously updated and changing APT attacks, complete threat hunting of APT attacks on the novel power system, and realise rapid response and active defence against APT attacks.
Referring to fig. 1, in step S1 the obtaining of threat intelligence comprises the following steps:
1) the novel power system kernel audit log streams are collected through the kernel audit engines of the operating systems, and the novel power system log graph is constructed by a log stream-processing unit module;
2) cyber threat intelligence from open-source or private threat intelligence libraries is collected manually, and a threat intelligence log graph is generated by a threat intelligence processing module;
3) the novel power system log graph and the threat intelligence log graph are input together into the HTTN threat hunting model, and the similarity score between subgraphs of the novel power system log graph and the threat intelligence log graph is computed by log graph similarity matching;
4) the threat hunting expert sets a similarity score threshold for the HTTN threat hunting model to obtain all operating system logs in the novel power system log library that match the threat intelligence, discovers unknown APT attacks through the model, and completes the threat hunting of the APT attack.
Example 2
Referring to fig. 2, the HTTN threat hunting model is composed of a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hyperedge matching layer, and a similarity score calculation layer.
wherein ,
Graph information input layer: the data input of the HTTN threat hunting model consists of N log graph pairs, each represented as [Figure SMS_83]. For each log graph [Figure SMS_85] or [Figure SMS_87], the number of nodes and edges can be arbitrary. Any log graph entry [Figure SMS_89] is written as [Figure SMS_91], where [Figure SMS_93] and [Figure SMS_95] denote the number of nodes and edges respectively. The adjacency matrix [Figure SMS_82] characterises log graph [Figure SMS_84], where R is the set of real numbers, and [Figure SMS_86] denotes the node feature matrix of log graph [Figure SMS_88], where [Figure SMS_90] is the node feature dimension. Log graph [Figure SMS_92] is expressed in the same way as log graph [Figure SMS_94].
Hypergraph construction layer: to perform hyperedge matching of system log graphs, a hypergraph must be constructed for the log graph data supplied by the input layer. The log hypergraph is defined as [Figure SMS_96] and consists of a set of log nodes [Figure SMS_97], a log hyperedge set [Figure SMS_98], a log node feature matrix [Figure SMS_99] and a diagonal log hyperedge weight matrix [Figure SMS_100]. Unlike the ordinary log graph G, each hyperedge of the log hypergraph contains two or more nodes, and the incidence matrix [Figure SMS_101] models these non-pairwise node relationships; the entries of H are defined as:
[Figure SMS_102]
(1),
where [Figure SMS_103] denotes the assignment of an element of the incidence matrix: the value is 1 if the node belongs to the hyperedge and 0 otherwise. The degree of node v is written [Figure SMS_104], with [Figure SMS_105] representing the vertex degree, and the degree of hyperedge e is written [Figure SMS_106]. The diagonal node degree matrix and the diagonal hyperedge degree matrix are denoted [Figure SMS_107] and [Figure SMS_108] respectively.
In the hypergraph construction layer, the novel power system log hypergraph is constructed by the random walk method: for each log node v, a random walk of step length K is performed on the ordinary log graph G, and the sampled node sequence is taken as a hyperedge, yielding the hyperedge matrix [Figure SMS_109].
Referring to fig. 3, which shows the construction of a log hypergraph in the Trojan scenario of an APT attack:
node A represents an untrusted external address;
node B represents a browser;
node C represents a Trojan file;
node D represents the executed Trojan process;
node E represents a dash shell command line;
node F represents a command that displays the server network configuration;
node G represents a command that displays the host name;
node H represents a command that monitors the server's TCP/IP network connections;
node I represents a configuration file on the server containing sensitive information such as account names and passwords.
Leakage of such configuration files lets an attacker directly intrude into the service layer of the novel power system and tamper with service-layer data.
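As an added worked example (not code from the patent or its authors), the following Python builds the Fig. 3 log graph, samples one K-step random walk per node on the ordinary log graph G, turns each walk into a hyperedge, and derives the incidence matrix H and the diagonal node degree, hyperedge degree and hyperedge weight matrices; it serves both the summary of the construction layer in the Disclosure and the description above. The node labels are those of Fig. 3; the edge set, the walk length K=2 and unit hyperedge weights are assumptions of the example, since the patent does not list them.

```python
"""Added example, not code from the patent: construct a log hypergraph from an
ordinary log graph by fixed-length random walks and derive the incidence
matrix H and the diagonal node-degree (Dv), hyperedge-degree (De) and
hyperedge-weight (W) matrices of the hypergraph construction layer."""
import random
import numpy as np

# Constructed log graph for the Fig. 3 Trojan scenario. Node labels come from
# the patent (A external address ... I credential file); the edge list, i.e.
# which node depends on which, is an assumption of this example.
NODES = ["A", "B", "C", "D", "E", "F", "G", "H", "I"]
EDGES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"),
         ("E", "F"), ("E", "G"), ("E", "H"), ("E", "I")]


def adjacency(nodes, edges):
    """Undirected adjacency lists of the ordinary log graph G."""
    adj = {n: set() for n in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def random_walk_hyperedges(adj, k, rng):
    """One hyperedge per start node: the set of nodes visited by a k-step
    random walk from that node. A walk stuck on an isolated node would give
    a singleton, which the patent does not allow, so those are dropped."""
    hyperedges = []
    for start in sorted(adj):
        walk, cur = [start], start
        for _ in range(k):
            nbrs = sorted(adj[cur])
            if not nbrs:
                break
            cur = rng.choice(nbrs)
            walk.append(cur)
        visited = frozenset(walk)
        if len(visited) >= 2:
            hyperedges.append(visited)
    return hyperedges


def incidence_matrix(nodes, hyperedges):
    """H[v, e] = 1 if node v belongs to hyperedge e, else 0."""
    index = {n: i for i, n in enumerate(nodes)}
    H = np.zeros((len(nodes), len(hyperedges)))
    for j, e in enumerate(hyperedges):
        for v in e:
            H[index[v], j] = 1.0
    return H


def degree_matrices(H, weights=None):
    """Diagonal Dv (node degree d(v) = sum_e w(e) H[v,e]), De (hyperedge
    degree delta(e) = sum_v H[v,e]) and W (hyperedge weights; all ones
    unless given, an assumption of the example)."""
    w = np.ones(H.shape[1]) if weights is None else np.asarray(weights, float)
    return np.diag(H @ w), np.diag(H.sum(axis=0)), np.diag(w)


def build_log_hypergraph(nodes, edges, k=2, seed=0):
    """Full pipeline: log graph -> random-walk hyperedges -> (H, Dv, De, W)."""
    rng = random.Random(seed)
    hyperedges = random_walk_hyperedges(adjacency(nodes, edges), k, rng)
    H = incidence_matrix(nodes, hyperedges)
    Dv, De, W = degree_matrices(H)
    return hyperedges, H, Dv, De, W


if __name__ == "__main__":
    hes, H, Dv, De, W = build_log_hypergraph(NODES, EDGES, k=2)
    for e in hes:
        print(sorted(e))
    print(H)
```

Every node in the constructed graph has at least one neighbour, so with K=2 each walk visits at least two distinct nodes and every start node yields one hyperedge; the check that a hyperedge has two or more members is still kept for graphs with isolated nodes.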
Hypergraph neural network layer: a hypergraph neural network (HGNN) is a neural network model that considers higher-order node relationships rather than pairwise ones. Because the kernel audit log graph nodes of the novel power system are complex and APT attacks proceed in stages, matching and training on node pairs alone cannot fully extract the correlations between nodes across log graphs, and a model trained that way matches APT attack threat intelligence logs poorly.
Since HGNN encodes the positional correlation of log nodes better than a conventional graph convolutional network (GCN), an HGNN layer is added to the HTTN threat hunting model to better capture the complex node relationships in the log hypergraph. For the l-th HGNN layer, the log hypergraph H and the hidden representation matrix [Figure SMS_110] are taken as input, and the node representations of the next layer are computed as:
[Figure SMS_111]
[Figure SMS_112]
(2),
where [Figure SMS_113] is a non-linear activation function, [Figure SMS_114] is the training parameter matrix of the l-th layer, [Figure SMS_115], [Figure SMS_116] and [Figure SMS_117] are the diagonal node degree, hyperedge degree and hyperedge weight matrices respectively, and [Figure SMS_118] is a matrix of trainable parameters.
The HGNN layer performs a node-hyperedge-node conversion of the log graph, so that the log hypergraph structure refines the hyperedge features of the log. In the HTTN threat hunting model, to improve hyperedge matching in the subsequent hyperedge matching layer, a node-to-hyperedge conversion is applied to the novel power system log graph so that node features are embedded into a hyperedge matrix.
The initial log node features [Figure SMS_119] are transformed by the learnable parameter matrix [Figure SMS_120]; the log node features are then gathered per hyperedge to form the hyperedge feature matrix [Figure SMS_121], from which [Figure SMS_122] is obtained; finally, the related hyperedge features are aggregated by multiplying by the incidence matrix H. In this way the HGNN layer fully extracts the positional and feature information of the nodes in the novel power system and threat intelligence log graphs and raises the similarity score of the subsequent hyperedge matching.
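As an added worked example (not the patent's own code), one HGNN layer and the node-hyperedge-node conversion in NumPy. The patent's equation (2) is an image that did not survive extraction, so the layer is written here in the standard hypergraph convolution form of Feng et al. (HGNN), X^(l+1) = σ(Dv^-1/2 H W De^-1 H^T Dv^-1/2 X^(l) Θ^(l)), which uses exactly the diagonal node degree, hyperedge degree and hyperedge weight matrices the text names; that choice, the small incidence matrix and the node features are assumptions of the example.

```python
"""Added example, not code from the patent: one HGNN layer and the
node-hyperedge-node conversion that yields the hyperedge feature matrix E.
Assumption: the layer follows the standard hypergraph convolution of Feng et
al. (HGNN); the patent's own equation (2) is an image that was not extracted."""
import numpy as np

# Constructed incidence matrix of a 5-node, 3-hyperedge log hypergraph
# (rows v1..v5, columns e1..e3) and constructed 2-dimensional node features.
H = np.array([[1, 0, 0],
              [1, 1, 0],
              [0, 1, 0],
              [0, 1, 1],
              [0, 0, 1]], dtype=float)
X = np.array([[1.0, 0.0],
              [0.0, 1.0],
              [1.0, 1.0],
              [2.0, 0.0],
              [0.0, 2.0]])


def hypergraph_conv_operator(H, weights=None):
    """Dv^-1/2 H W De^-1 H^T Dv^-1/2: propagates node signals to the
    hyperedges they belong to and back, normalised by both degrees.
    Two nodes that share no hyperedge get a zero entry."""
    w = np.ones(H.shape[1]) if weights is None else np.asarray(weights, float)
    dv = H @ w                     # node degrees d(v) = sum_e w(e) H[v,e]
    de = H.sum(axis=0)             # hyperedge degrees delta(e)
    Dv_inv_sqrt = np.diag(1.0 / np.sqrt(dv))
    return Dv_inv_sqrt @ H @ np.diag(w) @ np.diag(1.0 / de) @ H.T @ Dv_inv_sqrt


def hgnn_layer(H, X, theta, weights=None, act=np.tanh):
    """X^(l+1) = act(L X^(l) Theta^(l)), L being the operator above."""
    return act(hypergraph_conv_operator(H, weights) @ X @ theta)


def hyperedge_features(H, X):
    """Node-to-hyperedge conversion: E = De^-1 H^T X, i.e. each hyperedge's
    feature is the mean of its member nodes' features. E is the log
    hyperedge matrix that the Transformer coding layer consumes."""
    return np.diag(1.0 / H.sum(axis=0)) @ H.T @ X


def forward(H, X, theta, weights=None):
    """One HGNN layer, then node features are gathered into hyperedge features."""
    return hyperedge_features(H, hgnn_layer(H, X, theta, weights))


if __name__ == "__main__":
    rng = np.random.default_rng(0)
    theta = rng.standard_normal((2, 3)) / np.sqrt(2)   # 2 -> 3 hidden units
    print(forward(H, X, theta))                         # shape (3, 3)
```

The operator is symmetric and block-sparse on the hyperedge structure: v1 and v5 share no hyperedge, so no signal passes between them in one layer, which is the "higher-order rather than pairwise" behaviour the text relies on.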
Hypergraph Transformer coding layer: the log hyperedge matrix E output by the hypergraph neural network layer is input to a Transformer coding layer, which extracts the core features of the log hyperedge matrix and weakens the dependence between log hyperedges. The Transformer coding layer mainly comprises the following two structures:
Multi-head attention mechanism: the self-attention mechanism is an improvement of the original attention mechanism and the core technique of the Transformer model. Self-attention is computed as:
[Figure SMS_123]
[Figure SMS_124]
[Figure SMS_125]
[Figure SMS_126]
(3),
where E is the log hyperedge matrix, Q, K and V are the Query, Key and Value vectors derived from E, [Figure SMS_127] is the dimension of the Q and K vectors, and [Figure SMS_128], [Figure SMS_129] and [Figure SMS_130] are randomly initialised matrices whose parameters the model learns through back-propagation;
The multi-head attention mechanism finds the position features in the log hyperedges: several sets of weights are computed simultaneously and are not shared between position features, and by stacking attention layers the nodes of each hyperedge in the log hypergraph attend to the features of surrounding nodes. The multi-head mechanism applies h different linear transformations to [Figure SMS_131] as projections; as shown in fig. 4, the outputs of the self-attention modules are finally concatenated:
[Figure SMS_132]
[Figure SMS_133]
(4),
First, several sets of weight matrices [Figure SMS_135], [Figure SMS_136] and [Figure SMS_138] are initialised, where [Figure SMS_140]; each [Figure SMS_142], [Figure SMS_143] and [Figure SMS_144] is computed, and then [Figure SMS_134] is obtained from the attention formula. Each group [Figure SMS_137] is concatenated (Concat), multiplied by the weight matrix [Figure SMS_139] and mapped back to the original space, giving [Figure SMS_141] with the same dimension as the input hyperedge matrix.
Feed-forward neural network: the feed-forward network of the hypergraph Transformer coding layer compensates for the insufficient fit of the multi-head attention mechanism to the data output by the hypergraph neural network layer, so that the learned function generalises better. It consists of a fully connected layer with a ReLU activation followed by a fully connected layer with a linear activation.
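As an added worked example (not code from the patent), a NumPy implementation of the hypergraph Transformer coding layer just described: the scaled dot-product self-attention of equation (3), h heads with their own WQ/WK/WV projections that are concatenated and multiplied by WO as in equation (4), and the ReLU-then-linear feed-forward network. The hyperedge matrix E_LOG, the head count and all weight values are constructed for the example; the initialisation scale is a common choice, not something the patent specifies.

```python
"""Added example, not code from the patent: the hypergraph Transformer coding
layer (multi-head self-attention over the hyperedges of E, then a ReLU +
linear feed-forward network) in NumPy. E_LOG and all weights are constructed."""
import numpy as np

# Constructed log hyperedge matrix: 6 hyperedges with 8 features each.
E_LOG = np.random.default_rng(1).standard_normal((6, 8))


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)      # subtract row max for stability
    ez = np.exp(z)
    return ez / ez.sum(axis=-1, keepdims=True)


def self_attention(Q, K, V):
    """Attention(Q, K, V) = softmax(Q K^T / sqrt(d_k)) V. The attention map
    is returned too; each of its rows is a distribution summing to 1."""
    d_k = Q.shape[-1]
    A = softmax(Q @ K.T / np.sqrt(d_k))
    return A @ V, A


def init_params(d_model, h, d_ff, seed=0):
    """Random initialisation: h heads of width d_k = d_model / h, WO mapping
    the concatenation back to d_model, and the two feed-forward layers."""
    assert d_model % h == 0, "d_model must be divisible by the head count"
    rng = np.random.default_rng(seed)
    d_k = d_model // h
    scale = lambda m, n: rng.standard_normal((m, n)) / np.sqrt(m)
    return {
        "heads": [(scale(d_model, d_k), scale(d_model, d_k), scale(d_model, d_k))
                  for _ in range(h)],
        "WO": scale(h * d_k, d_model),
        "W1": scale(d_model, d_ff), "b1": np.zeros(d_ff),
        "W2": scale(d_ff, d_model), "b2": np.zeros(d_model),
    }


def multi_head_attention(E, params):
    """Project E with each head's WQ/WK/WV, attend per head, concatenate the
    head outputs and multiply by WO so the result has E's dimension."""
    heads = []
    for WQ, WK, WV in params["heads"]:
        out, _ = self_attention(E @ WQ, E @ WK, E @ WV)
        heads.append(out)
    return np.concatenate(heads, axis=1) @ params["WO"]


def feed_forward(Z, params):
    """Fully connected layer with ReLU, then fully connected linear layer."""
    hidden = np.maximum(Z @ params["W1"] + params["b1"], 0.0)
    return hidden @ params["W2"] + params["b2"]


def transformer_coding_layer(E, params):
    """One hypergraph Transformer coding layer over a hyperedge matrix E."""
    return feed_forward(multi_head_attention(E, params), params)


if __name__ == "__main__":
    params = init_params(d_model=8, h=4, d_ff=16, seed=0)
    print(transformer_coding_layer(E_LOG, params).shape)   # (6, 8)
```

Residual connections and layer normalisation, which the usual Transformer encoder adds around these two blocks, are omitted because the patent does not mention them.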
Hyperedge matching layer: the correlation between log hyperedges is essential to a graph matching model, so the HTTN threat hunting model uses a hyperedge matching mechanism. Conventional graph matching mostly matches node by node; given the concealment and long dwell time of APT attacks, considering only the correlation of log graph nodes or single edges matches APT threat intelligence against the novel power system log library poorly. The HTTN threat hunting model therefore matches hyperedges rather than node features, which is more efficient and more accurate than matching every node of the whole graph;
The core of the hyperedge matching layer is the similarity score between the hyperedges of a pair of hypergraphs [Figure SMS_145] and [Figure SMS_146]. First a similarity score matrix [Figure SMS_147] of the graph pair is constructed: for each hyperedge [Figure SMS_149] of [Figure SMS_148], its score against all hyperedges of the other graph of the pair, [Figure SMS_150], is computed with a Gaussian kernel function:
[Figure SMS_151]
(5),
where [Figure SMS_152] is the number of hyperedges in [Figure SMS_153], [Figure SMS_154] and [Figure SMS_155] denote hyperedges of the hypergraphs [Figure SMS_156] and [Figure SMS_157] respectively, and [Figure SMS_158] controls the range of action of the Gaussian kernel: the larger its value, the larger the local range of influence of the kernel.
Similarity score calculation layer: after the log graph similarity score matrix is obtained, fully connected layers progressively reduce its dimension and fit the function that yields the similarity score of the log graph pair. A fully connected layer linearly transforms one feature space into another by matrix multiplication, which realises the dimensionality reduction.
The similarity matrix processed by the fully connected layers yields the similarity score [Figure SMS_159], which is compared with the actual similarity score by the following mean square error loss function, measuring how well the model matches the novel power system log graph with the threat intelligence log graph:
[Figure SMS_160]
(6),
where G is the set of training graph pairs and [Figure SMS_161] denotes the actual similarity score between log graph [Figure SMS_162] and log graph [Figure SMS_163].
Example 3
To verify the accuracy and efficiency of the HTTN threat hunting model for APT attack threat hunting, the application uses a data set mixing Linux kernel audit logs with several APT attack scenarios, runs comparison experiments against the conventional graph regression models SimGNN, GraphSim, H2MN and HGMN, and shows that the HTTN threat hunting model matches APT attack threat intelligence better.
Experimental setup and environment: the server runs Ubuntu 16.04 with four NVIDIA TITAN TX 2080Ti graphics cards and CUDA 10.2; the experiments use Python 3.7 and are written with the PyTorch framework. The optimal hyperparameters of the HTTN threat hunting model were determined by grid search and are listed in Table 1:
Figure SMS_164
Table 1.
During training of the HTTN threat hunting model, the Adam algorithm is used to optimise the model parameters. Adam is a first-order optimisation algorithm that replaces conventional gradient descent, needs less memory during training and computes more efficiently, which suits the large volume of power system kernel audit log data.
Evaluation method: to evaluate the matching effect of the HTTN threat hunting model accurately, mean square error (MSE), the Spearman rank correlation coefficient (
Figure SMS_165
) And precision @10 (precision @10, p @ 10) measure model performance, respectively;
wherein MSE is used to measure the mean squared variance of the predicted similarity score and the true similarity score, as in equation (6);
Figure SMS_166
evaluating ranking correlation between the predicted result and the real ranking result; p @10 calculates the interaction of the predicted similarity score with the actual similarity score divided by 10.
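As an added worked example (not the patent's code), the following Python covers the hyperedge matching layer, the similarity score calculation layer and the three evaluation metrics: the Gaussian kernel score matrix of equation (5) with its kernel width parameter, a reduction of that matrix to one score per log graph pair, the MSE loss of equation (6), the Spearman rank correlation coefficient and p@10. The patent reduces the score matrix with trained fully connected layers; this example instead uses a fixed reduction (each hyperedge's best-matching hyperedge in the other graph, averaged over both directions) so that it runs without training. That reduction, the constructed hyperedge matrices and the ground-truth scores are assumptions of the example.

```python
"""Added example, not code from the patent: Gaussian-kernel hyperedge score
matrix (equation (5)), a fixed reduction to one similarity per graph pair
(the patent trains fully connected layers for this step), the MSE loss of
equation (6), Spearman rank correlation and p@k. All inputs are constructed."""
import numpy as np


def hyperedge_score_matrix(E1, E2, sigma=1.0):
    """S[i, j] = exp(-||e_i - e'_j||^2 / (2 sigma^2)) for hyperedge features
    e_i of the first hypergraph and e'_j of the second. A larger sigma widens
    the kernel, so more distant hyperedges still receive a score."""
    diff = E1[:, None, :] - E2[None, :, :]
    return np.exp(-(diff ** 2).sum(axis=-1) / (2.0 * sigma ** 2))


def graph_similarity(E1, E2, sigma=1.0):
    """Scalar similarity of a log graph pair from S. Assumed reduction: each
    hyperedge's best match in the other graph, averaged over both directions,
    which is 1.0 exactly when the two hyperedge sets coincide."""
    S = hyperedge_score_matrix(E1, E2, sigma)
    return float(0.5 * (S.max(axis=1).mean() + S.max(axis=0).mean()))


def mse(pred, true):
    """Mean square error between predicted and true similarity scores."""
    pred, true = np.asarray(pred, float), np.asarray(true, float)
    return float(((pred - true) ** 2).mean())


def average_ranks(x):
    """Ranks starting at 1; tied values receive their average rank."""
    x = np.asarray(x, float)
    order = np.argsort(x, kind="stable")
    ranks = np.empty(len(x))
    i = 0
    while i < len(x):
        j = i
        while j + 1 < len(x) and x[order[j + 1]] == x[order[i]]:
            j += 1
        ranks[order[i:j + 1]] = (i + j) / 2.0 + 1.0
        i = j + 1
    return ranks


def spearman_rho(pred, true):
    """Spearman rank correlation: Pearson correlation of the rank vectors."""
    rp, rt = average_ranks(pred), average_ranks(true)
    rp, rt = rp - rp.mean(), rt - rt.mean()
    return float(rp @ rt / np.sqrt((rp @ rp) * (rt @ rt)))


def precision_at_k(pred, true, k=10):
    """|top-k by predicted score  intersect  top-k by true score| / k; with
    fewer than k pairs, k is reduced to the number of pairs."""
    pred, true = np.asarray(pred, float), np.asarray(true, float)
    k = min(k, len(pred))
    top_pred = set(np.argsort(-pred, kind="stable")[:k].tolist())
    top_true = set(np.argsort(-true, kind="stable")[:k].tolist())
    return len(top_pred & top_true) / k


def evaluate(pairs, true_scores, sigma=1.0):
    """pairs: list of (E1, E2) hyperedge matrices; returns the three metrics."""
    pred = [graph_similarity(E1, E2, sigma) for E1, E2 in pairs]
    return {"mse": mse(pred, true_scores),
            "rho": spearman_rho(pred, true_scores),
            "p@10": precision_at_k(pred, true_scores)}


# Constructed data: a threat-intelligence hypergraph and three candidate
# power-system log hypergraphs (rows = hyperedges, columns = features).
TI = np.array([[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]])
CANDIDATES = [
    TI.copy(),                                   # identical: should score 1
    TI + 0.3,                                    # slightly shifted
    np.array([[5.0, 5.0], [6.0, 5.0]]),          # unrelated
]
TRUE_SCORES = [1.0, 0.8, 0.1]                    # constructed ground truth

if __name__ == "__main__":
    print(evaluate([(TI, c) for c in CANDIDATES], TRUE_SCORES))
```

The sigma check is the practical caveat: every entry of S grows monotonically with sigma, so a kernel that is too wide makes unrelated hyperedges look similar and the score threshold set by the hunting expert in step 4) admits more false matches.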
Data set introduction and preprocessing: the experimental data set comes from Linux kernel audit logs in several APT attack scenarios. The novel power system has a distributed architecture and most of its services are deployed on Linux servers, so the security requirements on these servers are high; the kernel audit log records the programs, processes and operations of the user system at the Linux kernel level, so log information from every stage of an APT attack can be collected. In the log graph, a node represents a command or program, and an edge represents a dependency between commands or programs.
From the data set, 1000 log graph pairs are randomly selected and divided into a training set, a test set and a validation set in the proportions 60%, 20% and 20%. Owing to the concealment of APT attacks, the number of log graph nodes generated from threat intelligence generally does not exceed 15, and the A* algorithm is used to generate the similarity scores of the log graph pairs in the data set.
Analysis of experimental results of different models: in the experiments the HTTN threat hunting model proposed in this application is compared with the conventional SimGNN, GraphSim, HGMN and H2MN graph regression models; the experimental results are shown in Table 2:
Figure SMS_167
Table 2
As shown in Figs. 5, 6 and 7, on the Linux log data set containing APT attacks the HTTN threat hunting model proposed in this application has a mean squared error 0.81 lower than SimGNN, about 0.27 lower than GraphSim, about 0.166 lower than HGMN and about 0.046 lower than H2MN;
for the Spearman rank correlation coefficient, the HTTN threat hunting model proposed in this application improves on the SimGNN, GraphSim, HGMN and H2MN models by 0.06, 0.0226, 0.0076 and 0.0126 respectively;
for the p@10 index, the HTTN threat hunting model improves on SimGNN by about 0.1, on GraphSim by about 0.015, on HGMN by 0.0147 and on H2MN by 0.011. Taken together, the MSE,
Figure SMS_168
and p@10 indices fully demonstrate the effectiveness of the multi-head attention that the HTTN threat hunting model applies, through the added Transformer coding layer, to the log graph hyperedge matrix; compared with the other four models it achieves a better effect on threat intelligence matching.
When the novel power system suffers an APT attack based on a zero-day vulnerability, the longer the attack persists in the system the greater the damage it causes, so the shorter the running time of the threat hunting model the better. We therefore ran a comparison experiment on the time different models need to compute log graph similarity scores.
The results are shown in Fig. 8: the computation time of the HTTN threat hunting model for the log graph similarity score is shorter than that of the SimGNN, GraphSim and HGMN models by 6.14, 7.1 and 5.35 milliseconds respectively, and differs only slightly from the time taken by the H2MN model. The HTTN threat hunting model therefore also optimizes the computation time on log graphs.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. The procedures or functions according to the embodiments of the present application are wholly or partially generated when the computer instructions or the computer program are loaded or executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more collections of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" in this application only describes an association relationship between the associated objects, meaning that three relationships may exist; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural. In addition, the "/" in the present application generally indicates that the former and latter associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, which may be understood by referring to the surrounding text.
In the present application, "at least one" means one or more, "a plurality" means two or more. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not imply any order of execution, and the order of execution of the processes should be determined by their functions and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art would appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a portable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A hypergraph Transformer-based threat hunting model establishing method, characterized in that the establishing method comprises the following steps:
s1: using threat intelligence and system logs as input data, encoding the input data and constructing a hypergraph, and processing the hypergraph by a hypergraph neural network layer to generate preprocessed data;
s2: extracting characteristic data from the preprocessed data through a Transformer multi-head attention mechanism;
s3: calculating the score of the characteristic data through a hyperedge matching algorithm, completing the matching of threat intelligence in a power system log library, and establishing an HTTN threat hunting model for APT attacks on the power system.
2. The hypergraph Transformer-based threat hunting model building method of claim 1, wherein: in step S1, the threat intelligence acquisition includes the following steps:
s1.1: acquiring kernel audit log streams of the power system through various kernel audit engines of the operating system, and constructing a log graph of the power system by the log streams through an overcurrent processing unit module;
s1.2: collecting network threat intelligence in various open sources or private threat intelligence libraries, and generating a threat intelligence log graph through a threat intelligence processing module;
s1.3: inputting the power system log graph and the threat intelligence log graph together into the HTTN threat hunting model, and calculating, by matching the log graphs, scores between subgraphs of the novel power system log graph and the threat intelligence log graph;
s1.4: obtaining all operating system logs in the novel power system log library that match threat intelligence by setting a score threshold for the HTTN threat hunting model, discovering unknown APT attacks through the HTTN threat hunting model, and thereby completing the threat hunting of the APT attack.
3. The hypergraph Transformer-based threat hunting model building method of claim 2, wherein: the HTTN threat hunting model comprises a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hypergraph matching layer and a function calculation layer;
the graph information input layer is generated as follows: n log graph pairs constitute the data input, each log graph pair being represented as [Figure QLYQS_1]; each log graph [Figure QLYQS_2] or log graph [Figure QLYQS_3] has an arbitrary number of nodes and edges; for any log graph pair [Figure QLYQS_4], the log graph is denoted [Figure QLYQS_5], where [Figure QLYQS_6] and [Figure QLYQS_7] respectively represent the number of nodes and the number of edges; an adjacency matrix [Figure QLYQS_8] characterizes the connection information of log graph [Figure QLYQS_9], where [Figure QLYQS_10] is the set of real numbers; [Figure QLYQS_11] represents the node feature matrix of log graph [Figure QLYQS_12], where [Figure QLYQS_13] is the node dimension; log graph [Figure QLYQS_14] is expressed in the same way as log graph [Figure QLYQS_15].
4. The hypergraph Transformer-based threat hunting model establishing method according to claim 3, wherein: in the hypergraph construction layer, the log hypergraph is defined as [Figure QLYQS_16]; the log hypergraph comprises a log node set [Figure QLYQS_17], a log edge set [Figure QLYQS_18], a log node feature matrix [Figure QLYQS_19] and a log diagonal edge weight matrix [Figure QLYQS_20]; each hyperedge of the log hypergraph comprises at least two nodes, and an incidence matrix [Figure QLYQS_21] is used to model non-pairwise node relationships, the entries of H being defined as:
Figure QLYQS_22
where [Figure QLYQS_23] represents the assignment of the elements of the incidence matrix: the value is 1 if an edge exists between the two nodes and 0 if no edge exists between them; the degree of node v is expressed as [Figure QLYQS_24], with [Figure QLYQS_25] representing the degree of the vertex; the degree of hyperedge e is expressed as [Figure QLYQS_26]; the node degree diagonal matrix and the hyperedge degree diagonal matrix are respectively expressed as [Figure QLYQS_27] and [Figure QLYQS_28].
5. The hypergraph Transformer-based threat hunting model building method of claim 4, wherein: in the hypergraph construction layer, the log hypergraph of the power system is constructed by a random walk method: for each log node v, a random walk of step length K is performed on the ordinary log graph G, and the sampled node sequence is used as a hyperedge, giving the hyperedge matrix [Figure QLYQS_29] of the hypergraph.
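The hypergraph construction layer of claims 4 and 5 worked through on a small constructed log graph: per-node random walks of step length K become hyperedges, from which the incidence matrix H and the diagonal node-degree and hyperedge-degree matrices are built. This is an added example, not the patent's code; the graph, the undirected treatment of dependency edges and the standard HGNN degree definitions are assumptions.

```python
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed log graph (not from the patent): nodes are commands/programs,
# edges are dependencies between them, as in the patent's log graph definition.
LOG_GRAPH_EDGES: List[Tuple[str, str]] = [
    ("bash", "curl"), ("curl", "sh"), ("sh", "python3"),
    ("bash", "python3"), ("python3", "ssh"), ("cron", "bash"),
]


def build_adjacency(edges: List[Tuple[str, str]]) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Ordinary log graph G as an undirected adjacency map (assumption: a walk
    may follow a dependency in either direction, so it never gets stuck)."""
    nodes = sorted({n for e in edges for n in e})
    adj: Dict[str, Set[str]] = {n: set() for n in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return nodes, adj


def random_walk_hyperedges(edges, k: int, seed: int = 0):
    """Claim 5: for every log node v perform a random walk of step length K on G
    and use the sampled node sequence as one hyperedge. A hyperedge is kept as
    a node set; walks that never leave v are dropped because claim 4 requires
    at least two nodes per hyperedge."""
    rng = random.Random(seed)
    nodes, adj = build_adjacency(edges)
    hyperedges: List[List[str]] = []
    for v in nodes:
        walk, cur = [v], v
        for _ in range(k):
            nbrs = sorted(adj[cur])
            if not nbrs:  # node without neighbours: walk cannot continue
                break
            cur = rng.choice(nbrs)
            walk.append(cur)
        members = sorted(set(walk))
        if len(members) >= 2:
            hyperedges.append(members)
    return nodes, hyperedges


def incidence_matrix(nodes: List[str], hyperedges: List[List[str]]) -> List[List[int]]:
    """Claim 4: H[v][e] = 1 if node v belongs to hyperedge e, otherwise 0."""
    idx = {n: i for i, n in enumerate(nodes)}
    H = [[0] * len(hyperedges) for _ in nodes]
    for j, members in enumerate(hyperedges):
        for n in members:
            H[idx[n]][j] = 1
    return H


def degree_matrices(H: List[List[int]], W: Optional[List[float]] = None):
    """Diagonal node-degree matrix Dv and hyperedge-degree matrix De. Standard
    HGNN definitions are assumed: d(v) = sum_e w(e) H[v][e] and
    delta(e) = sum_v H[v][e], with W the diagonal hyperedge weights (1.0 each
    when not given)."""
    n = len(H)
    m = len(H[0]) if H else 0
    W = W if W is not None else [1.0] * m
    dv = [sum(W[j] * H[i][j] for j in range(m)) for i in range(n)]
    de = [sum(H[i][j] for i in range(n)) for j in range(m)]
    Dv = [[dv[i] if i == j else 0.0 for j in range(n)] for i in range(n)]
    De = [[de[i] if i == j else 0 for j in range(m)] for i in range(m)]
    return Dv, De


def build_log_hypergraph(edges, k: int = 3, seed: int = 0) -> dict:
    """Whole hypergraph construction layer: G -> hyperedges -> H, Dv, De."""
    nodes, hyperedges = random_walk_hyperedges(edges, k, seed)
    H = incidence_matrix(nodes, hyperedges)
    Dv, De = degree_matrices(H)
    return {"nodes": nodes, "hyperedges": hyperedges, "H": H, "Dv": Dv, "De": De}


if __name__ == "__main__":
    hg = build_log_hypergraph(LOG_GRAPH_EDGES, k=3)
    print("hyperedges:", hg["hyperedges"])
    for name, row in zip(hg["nodes"], hg["H"]):
        print(name.ljust(8), row)
```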
6. The hypergraph Transformer-based threat hunting model establishing method according to claim 3, wherein: in the hypergraph neural network layer, an HGNN layer is added to the HTTN threat hunting model; for the l-th HGNN layer, the log hypergraph H and the hidden representation matrix [Figure QLYQS_30] are taken as input, and the nodes of the next layer are computed as:
Figure QLYQS_31
Figure QLYQS_32
where Sigmoid [Figure QLYQS_33] is a non-linear activation function, [Figure QLYQS_34] represents the training parameter matrix of the l-th layer, [Figure QLYQS_35], [Figure QLYQS_36] and [Figure QLYQS_37] are respectively the diagonal node degree, edge degree and edge weight matrices, and [Figure QLYQS_38] is a training parameter matrix.
7. The hypergraph Transformer-based threat hunting model building method of claim 6, wherein: the HGNN layer performs the node-edge-node transformation of the log graph, so that the log hypergraph structure refines the hyperedge features of the log.
8. The hypergraph Transformer-based threat hunting model building method according to claim 3, wherein: the hypergraph Transformer coding layer takes as input the log hyperedge matrix E processed by the hypergraph neural network layer; the Transformer coding layer extracts the core features of the log hyperedge matrix, and the hypergraph Transformer coding layer comprises a multi-head attention mechanism and a feed-forward neural network;
the self-attention mechanism is calculated as follows:
Figure QLYQS_39
Figure QLYQS_40
Figure QLYQS_41
Figure QLYQS_42
where E is the log hyperedge matrix, Q, K and V are the Query, Key and Value vectors obtained from E, [Figure QLYQS_43] represents the dimension of the Q and K vectors, and [Figure QLYQS_44], [Figure QLYQS_45] and [Figure QLYQS_46] are randomly initialized matrices;
the multi-head attention mechanism applies h different linear transformations to project [Figure QLYQS_47], and finally concatenates the results of the self-attention modules, expressed as:
Figure QLYQS_48
Figure QLYQS_49
multiple sets of weight matrices [Figure QLYQS_54], [Figure QLYQS_55] and [Figure QLYQS_56] are initialized, where [Figure QLYQS_57]; the respective [Figure QLYQS_58], [Figure QLYQS_59] and [Figure QLYQS_60] are computed, the results [Figure QLYQS_50] are then obtained from the attention calculation formula, each group of [Figure QLYQS_51] is concatenated and multiplied by the weight matrix [Figure QLYQS_52], and finally mapped back to the original space to obtain a matrix [Figure QLYQS_53] with the same dimension as the input hyperedge matrix;
the feed-forward neural network consists of a fully connected layer with a ReLU activation function and a fully connected layer with a linear activation function, and is used to address the insufficient fit of the multi-head attention mechanism to the data processed by the hypergraph neural network layer.
9. The hypergraph Transformer-based threat hunting model establishing method according to claim 3, wherein: the hyperedge matching layer computes scores between the hyperedges of the hypergraph pair [Figure QLYQS_61] and [Figure QLYQS_62], constructing a score matrix [Figure QLYQS_63] of the hypergraph pair; for each hyperedge [Figure QLYQS_65] of [Figure QLYQS_64], its score is computed with the Gaussian kernel function against all hyperedges of the other graph [Figure QLYQS_66] of the pair:
Figure QLYQS_67
where [Figure QLYQS_69] is the number of hyperedges in [Figure QLYQS_70], [Figure QLYQS_71] and [Figure QLYQS_72] represent hyperedges of hypergraphs [Figure QLYQS_73] and [Figure QLYQS_74] respectively, and [Figure QLYQS_75] controls the range of action of the Gaussian kernel function: the larger [Figure QLYQS_68] is, the larger the local influence range of the Gaussian kernel function.
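The hyperedge matching of claim 9 on constructed hyperedge representations: a kernel matrix between every hyperedge of one hypergraph and every hyperedge of the other, and a per-hyperedge score against all hyperedges of the other graph. This is an added example, not the patent's code; the kernel form exp(-||x-y||^2 / 2σ^2), the averaging over the other graph's hyperedge count and the feature vectors are assumptions.

```python
import math
from typing import List, Sequence

Vector = Sequence[float]

# Constructed hyperedge representations (not from the patent): each row is the
# feature vector of one hyperedge as it would leave the Transformer coding layer.
E_SYSTEM: List[Vector] = [[0.0, 0.0], [1.0, 1.0]]            # hyperedges of G1
E_INTEL: List[Vector] = [[3.0, 4.0], [0.0, 0.0], [1.0, 1.0]]  # hyperedges of G2


def gaussian_kernel(x: Vector, y: Vector, sigma: float) -> float:
    """Assumed kernel form exp(-||x - y||^2 / (2 sigma^2)); the claim names only a
    Gaussian kernel whose range parameter widens the local influence as it grows."""
    if len(x) != len(y):
        raise ValueError("hyperedge vectors must have the same dimension")
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    d2 = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-d2 / (2.0 * sigma * sigma))


def kernel_matrix(E1: List[Vector], E2: List[Vector], sigma: float) -> List[List[float]]:
    """|E1| x |E2| matrix of kernel values: row i scores hyperedge i of G1
    against every hyperedge of G2 (the claim's score matrix of the pair)."""
    return [[gaussian_kernel(e1, e2, sigma) for e2 in E2] for e1 in E1]


def hyperedge_scores(E1: List[Vector], E2: List[Vector], sigma: float) -> List[float]:
    """Claim 9: one score per hyperedge of G1 from the kernel against all
    hyperedges of G2. Assumption: the kernel values are averaged, which is where
    the hyperedge count of the other graph named in the claim enters."""
    if not E2:
        raise ValueError("the other hypergraph has no hyperedges")
    return [sum(row) / len(E2) for row in kernel_matrix(E1, E2, sigma)]


def pair_similarity(E1: List[Vector], E2: List[Vector], sigma: float) -> float:
    """Symmetric pair-level similarity in [0, 1]: mean of the per-hyperedge
    scores taken in both directions (assumed aggregation for illustration)."""
    s12 = hyperedge_scores(E1, E2, sigma)
    s21 = hyperedge_scores(E2, E1, sigma)
    return 0.5 * (sum(s12) / len(s12) + sum(s21) / len(s21))


if __name__ == "__main__":
    for sigma in (1.0, 5.0):
        print(f"sigma={sigma}: scores G1->G2 =",
              [round(s, 4) for s in hyperedge_scores(E_SYSTEM, E_INTEL, sigma)],
              "pair similarity =", round(pair_similarity(E_SYSTEM, E_INTEL, sigma), 4))
```

Running it shows the range effect the claim describes: with sigma 5.0 every hyperedge in G2 contributes noticeably to each score, while with sigma 1.0 only near-identical hyperedges do.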
10. The hypergraph Transformer-based threat hunting model building method of claim 9, wherein: in the function calculation layer, the matrix produces the score [Figure QLYQS_76] after processing by the fully connected layer, calculated as follows:
Figure QLYQS_77
where G is the set of training graph pairs and [Figure QLYQS_78] represents the actual score between log graph [Figure QLYQS_79] and log graph [Figure QLYQS_80].
CN202310108673.8A 2023-02-14 2023-02-14 Hypergraph-transform-based threat hunting model building method Active CN115834251B (en)

Publications (2)

Publication Number Publication Date
CN115834251A true CN115834251A (en) 2023-03-21
CN115834251B CN115834251B (en) 2023-09-29

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150128274A1 (en) * 2013-11-04 2015-05-07 Crypteia Networks S.A. System and method for identifying infected networks and systems from unknown attacks
US20160162690A1 (en) * 2014-12-05 2016-06-09 T-Mobile Usa, Inc. Recombinant threat modeling
CN112269316A (en) * 2020-10-28 2021-01-26 中国科学院信息工程研究所 High-robustness threat hunting system and method based on graph neural network
US11128649B1 (en) * 2019-03-06 2021-09-21 Trend Micro Incorporated Systems and methods for detecting and responding to anomalous messaging and compromised accounts
CN115221511A (en) * 2022-09-20 2022-10-21 国网江西省电力有限公司信息通信分公司 Power distribution Internet of things threat hunting method
CN115543951A (en) * 2022-11-30 2022-12-30 浙江工业大学 Log acquisition, compression and storage method based on origin map
CN115664696A (en) * 2022-08-30 2023-01-31 华北电力大学 APT attack active defense method based on threat hunting

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
KHAN SALMAN MUHAMMAD;RICHARD RENE;MOLYNEAUX HEATHER;COTE MARTEL DANICK;KAMALANATHAN ELANGO JACKSON HENRY;LIVINGSTONE STEVE;GAUDET : "Cyber Threat Hunting: A Cognitive Endpoint Behavior Analytic System" *
徐嘉涔;王轶骏;薛质: "A survey of research on cyberspace threat hunting" *
胡钊;金文娴;陈禹旭: "Research and analysis on threat intelligence" *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240598A (en) * 2023-11-07 2023-12-15 国家工业信息安全发展研究中心 Attack detection method, attack detection device, terminal equipment and storage medium
CN117240598B (en) * 2023-11-07 2024-02-20 国家工业信息安全发展研究中心 Attack detection method, attack detection device, terminal equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant