CN115834251A - Hypergraph transform based threat hunting model establishing method - Google Patents
- Publication number
- CN115834251A (Application No. CN202310108673.8A)
- Authority
- CN
- China
- Prior art keywords
- log
- hypergraph
- layer
- matrix
- threat
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention discloses a hypergraph Transformer-based threat hunting model establishing method, which comprises the following steps: using threat intelligence and system logs as input data, generating log graphs through a processing module, and inputting the log graphs into the threat hunting model; the threat hunting model encodes the input data and constructs a hypergraph, which is then processed by a hypergraph neural network layer to generate matrix data; features are extracted from the preprocessed data through a multi-head attention mechanism and mapped to a hyperedge matrix; finally, similarity score calculation between log graphs is realized through hyperedge matching, the novel power system kernel audit logs matching the cyber threat intelligence are found, and threat hunting is completed. The model can adapt to continuously updated and evolving APT attacks, complete threat hunting of APT attacks on the novel power system, and realize rapid response and active defense against APT attacks.
Description
Technical Field
The invention relates to the technical field of threat hunting model establishment, and in particular to a hypergraph Transformer-based threat hunting model establishing method.
Background
Because the power distribution of the novel power system is evolving in a distributed direction, the growing number of cross-space vulnerabilities increases the risk of APT attack: an attacker can intrude through an external network, hide in the novel power system's information network, modify the novel power system service layer, and finally damage the power system.
Based on the above, the application provides a method for establishing a hypergraph Transformer-based threat hunting model to solve the above problems.
Disclosure of Invention
The invention aims to provide a hypergraph Transformer-based threat hunting model establishing method which, when the log graph is established, maximally preserves APT attack traces of the novel power system (addressing the long-term latency characteristic of APT attacks), and which can use cyber threat intelligence to adapt to continuously updated and evolving APT attacks, so as to remedy the deficiencies described in the background art.
In order to achieve the above purpose, the invention provides the following technical scheme: the hypergraph Transformer-based threat hunting model establishing method comprises the following steps:
S1: using threat intelligence and system logs as input data, encoding the input data and constructing a hypergraph, and processing the hypergraph through a hypergraph neural network layer to generate preprocessed data;
s2: extracting characteristic data from the preprocessed data through a Transformer multi-head attention mechanism;
s3: and calculating the score of the characteristic data through a super-edge matching algorithm, completing the matching of threat intelligence in a power system log library, and establishing an HTTN threat hunting model of the APT attack of the power system.
In a preferred embodiment, the step S1 of obtaining threat intelligence includes the steps of:
s1.1: acquiring kernel audit log streams of the power system through various kernel audit engines of the operating system, and constructing a log graph of the power system by the log streams through an overcurrent processing unit module;
s1.2: collecting network threat intelligence in various open sources or private threat intelligence libraries, and generating a threat intelligence log graph through a threat intelligence processing module;
s1.3: inputting the log graph of the power system and the log graph of the threat intelligence into an HTTN threat hunting model together, and calculating the scores of the log graph subgraph of the novel power system and the log graph of the threat intelligence through matching the log graphs;
s1.4: all operating system logs matched with threat intelligence in a novel power system log library are obtained by setting a score threshold value for the HTTN threat hunting model, unknown APT attack is found through the HTTN threat hunting model, and the threat hunting of the APT attack is completed.
In a preferred embodiment, the HTTN threat hunting model comprises a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hypergraph matching layer and a function calculation layer;
the generating step of the graph information input layer comprises the following steps:
any set of log graph entriesThe log map is shown as, Andrespectively representing the number of nodes and the number of edges;
using a contiguous matrixTo characterize a log graphConnection information of, whereinIs a set of real numbers;
use ofTo represent a log graphA feature matrix of nodes, whereinIs the dimension of a node, log graphIs expressed by a log graphThe same is true.
In a preferred embodiment, in the hypergraph construction layer, the log hypergraph is defined as GH = (V, EH, X, W), comprising a set of log nodes V, a log hyperedge set EH, a log node feature matrix X, and a log diagonal hyperedge weight matrix W. Each hyperedge of the log hypergraph comprises at least two nodes, and an incidence matrix H ∈ R^(|V|×|EH|) is used to model non-pairwise node relationships; the entries in H are defined as:
h(v, e) = 1 if an edge exists between node v and hyperedge e (i.e., v lies on e), and h(v, e) = 0 otherwise;
the degree of a vertex v is d(v) = Σ_{e∈EH} w(e)h(v, e); the degree of a hyperedge e is δ(e) = Σ_{v∈V} h(v, e); the node degree diagonal matrix and the hyperedge degree diagonal matrix are denoted Dv and De respectively.
In a preferred embodiment, in the hypergraph construction layer, the log hypergraph of the power system is constructed by a random walk method: for each log node v, a random walk of step length K is performed on the ordinary log graph G, and the sampled node sequence is then taken as a hyperedge, yielding the hyperedge incidence matrix H.
In a preferred embodiment, in the hypergraph neural network layer, an HGNN layer is added to the HTTN threat hunting model. For the l-th layer of the HGNN, the log hypergraph incidence matrix H and the hidden representation matrix X^(l) are taken as input, and the node representations of the next layer are computed as:
X^(l+1) = σ(Dv^(−1/2) H W De^(−1) H^T Dv^(−1/2) X^(l) Θ^(l))
where σ is a non-linear activation function, Θ^(l) is the trainable parameter matrix of the l-th layer, and Dv, De, W are respectively the diagonal node degree, hyperedge degree, and hyperedge weight matrices.
In a preferred embodiment, the HGNN layer performs a log graph node-edge-node conversion, such that the log hypergraph structure refines the hyper-edge characteristics of the log.
In a preferred embodiment, the log hyperedge matrix E processed by the hypergraph neural network layer is input into the hypergraph Transformer coding layer, which extracts the core features in the log hyperedge matrix; the hypergraph Transformer coding layer comprises a multi-head attention mechanism and a feed-forward neural network.
The calculation formula of the self-attention mechanism is as follows:
Attention(Q, K, V) = softmax(QK^T / √d_k) V
where E is the log hyperedge matrix; Q, K and V are the Query, Key and Value vectors obtained from E as Q = EW^Q, K = EW^K, V = EW^V; d_k is the dimension of the Q and K vectors; and W^Q, W^K, W^V are randomly initialized matrices;
The multi-head attention mechanism performs projection mapping through h different linear transformations and finally concatenates the calculation results of the self-attention modules, with the expression:
MultiHead(E) = Concat(head_1, …, head_h) W^O, where head_i = Attention(EW_i^Q, EW_i^K, EW_i^V)
Multiple sets of weight matrices W_i^Q, W_i^K, W_i^V are initialized and the respective Q_i, K_i, V_i are computed; each head_i is then obtained from the attention calculation formula; the h heads are concatenated and multiplied by the weight matrix W^O, finally being mapped back to the original space with the same dimension as the input hyperedge matrix;
A feed-forward neural network: composed of a fully connected layer with a ReLU activation function and a fully connected layer with a linear activation function, it addresses the insufficient fitting of the multi-head attention mechanism to the data processed by the hypergraph neural network layer.
In a preferred embodiment, the hyperedge matching layer scores the hyperedges of a hypergraph pair (GH1, GH2), constructing a score matrix S of the hypergraph pair; for each hyperedge e_i of GH1, a score is computed against every hyperedge e_j of the other graph GH2 with a Gaussian kernel function:
s(e_i, e_j) = exp(−‖e_i − e_j‖² / (2σ²))
where e_i and e_j denote hyperedge representations of hypergraphs GH1 and GH2, and σ controls the range of action of the Gaussian kernel function: the larger its value, the larger the local influence range of the Gaussian kernel.
In a preferred embodiment, in the function calculation layer, the score matrix is processed by fully connected layers to generate a score ŝ(G1, G2), and the loss is calculated as:
L = (1/|G|) Σ_{(G1,G2)∈G} (ŝ(G1, G2) − s(G1, G2))²
where G is the set of training graph pairs and s(G1, G2) denotes the actual score between log graph G1 and log graph G2.
In the technical scheme, the invention provides the following technical effects and advantages:
the method comprises the steps of establishing a hypergraph by using network threat information and novel electric power system kernel audit logs, learning the relation between hypergraph high-order nodes through an HGNN layer, mapping characteristics into a super-edge matrix, adding a multi-head attention mechanism to the super-edge matrix by using a transform coding layer, finally realizing similarity score calculation of the log graph through super-edge matching, and finding the novel electric power system kernel audit logs matched with the network threat information.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed in the embodiments are briefly described below; it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings can be obtained by those skilled in the art from these drawings without creative effort.
Fig. 1 is a flow chart of threat hunting according to the present invention.
FIG. 2 is a schematic diagram of the HTTN threat hunting model according to the present invention.
FIG. 3 is a flow chart of the construction of a Trojan log hypergraph according to the invention.
FIG. 4 is a schematic view of a multi-headed attention mechanism of the present invention.
FIG. 5 is a graph of the mean square error variation of each model training process according to the present invention.
FIG. 6 is a graph of the Spearman rank correlation coefficient variation of each model training process according to the present invention.
FIG. 7 is a graph of the accuracy @10 variation of each model training process of the present invention.
FIG. 8 is a comparison chart of hunting time of models according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
In this embodiment, the hypergraph Transformer-based threat hunting model establishing method includes the following steps:
s1, using threat intelligence and a system log as input data, encoding the input data, constructing a hypergraph, and processing the hypergraph by a hypergraph neural network layer to generate preprocessed data;
s2, extracting characteristic data from the preprocessed data through a Transformer multi-head attention mechanism;
and S3, calculating a similarity score by the characteristic data through a super-edge matching algorithm, completing matching of threat intelligence in a power system log library, and establishing an HTTN threat hunting model of power system APT attack.
A hypergraph is constructed from cyber threat intelligence and novel power system kernel audit logs; the relations between high-order hypergraph nodes are learned through an HGNN layer, and the features are mapped into a hyperedge matrix; a multi-head attention mechanism is applied to the hyperedge matrix through a Transformer coding layer; similarity score calculation between log graphs is finally realized through hyperedge matching, and the novel power system kernel audit logs matching the cyber threat intelligence are found. The model can thus adapt to continuously updated and evolving APT attacks, complete threat hunting of novel power system APT attacks, and realize rapid response and active defense against APT attacks.
Referring to fig. 1, in step S1, obtaining threat intelligence includes the following steps:
1) Novel power system kernel audit log streams are collected through the various operating system kernel audit engines, and a novel power system log graph is constructed from the log streams by a stream processing unit module;
2) Cyber threat intelligence is manually collected from various open-source or private threat intelligence libraries, and a threat intelligence log graph is generated through the threat intelligence processing module;
3) Inputting the novel power system log graph and the threat information log graph into an HTTN threat hunting model together, and calculating the similarity score of the novel power system log graph subgraph and the threat information log graph through log graph similarity matching;
4) The threat hunting expert acquires all operating system logs matched with threat intelligence in a novel power system log library by setting a similarity score threshold value for the HTTN threat hunting model, discovers unknown APT attack through the HTTN threat hunting model and finishes the threat hunting of the APT attack.
Example 2
Referring to fig. 2, the HTTN threat hunting model is composed of a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hyperedge matching layer, and a similarity score calculation layer.
Graph information input layer: the data input of the HTTN threat hunting model consists of N log graph pairs, each represented as (G1, G2), where the number of nodes and edges of each log graph G1 or G2 can be arbitrary. For any log graph pair, a log graph is denoted G = (V, E), with |V| and |E| respectively representing the number of nodes and edges; an adjacency matrix A ∈ R^(n×n) is then used to characterize the connection information of log graph G1, where R is the set of real numbers; X ∈ R^(n×d) is used to represent the node feature matrix of log graph G1, where d is the dimension of a node; log graph G2 is expressed in the same way as log graph G1.
Hypergraph construction layer: in order to complete hyperedge matching of system log graphs, a hypergraph must be constructed from the log graph data supplied by the information input layer. The log hypergraph is defined as GH = (V, EH, X, W), composed of the set of log nodes V, the log hyperedge set EH, the log node feature matrix X, and the log diagonal hyperedge weight matrix W. Unlike an ordinary log graph G, each hyperedge of the log hypergraph comprises two or more nodes, and an incidence matrix H ∈ R^(|V|×|EH|) is used to model the non-pairwise node relationships; the entries in H are defined as:
h(v, e) = 1 if an edge exists between node v and hyperedge e (i.e., v lies on e), and h(v, e) = 0 otherwise;
the degree of a vertex v is d(v) = Σ_{e∈EH} w(e)h(v, e); the degree of a hyperedge e is δ(e) = Σ_{v∈V} h(v, e); the node degree diagonal matrix and the hyperedge degree diagonal matrix are denoted Dv and De respectively.
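The incidence and degree matrices above can be sketched as follows. This is an illustrative construction (not the patent's code); it assumes hyperedges are given as lists of node indices and that every node lies on at least one hyperedge.

```python
import numpy as np

# Build the incidence matrix H and diagonal degree matrices Dv, De
# for a log hypergraph. Hyperedge weights default to 1.

def hypergraph_matrices(num_nodes, hyperedges, edge_weights=None):
    """hyperedges: list of node-index lists; returns (H, Dv, De)."""
    m = len(hyperedges)
    H = np.zeros((num_nodes, m))
    for j, edge in enumerate(hyperedges):
        for v in edge:
            H[v, j] = 1.0           # h(v, e) = 1 iff node v lies on hyperedge e
    w = np.ones(m) if edge_weights is None else np.asarray(edge_weights)
    Dv = np.diag(H @ w)             # node degree d(v) = sum_e w(e) h(v, e)
    De = np.diag(H.sum(axis=0))     # hyperedge degree δ(e) = sum_v h(v, e)
    return H, Dv, De
```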
In the hypergraph construction layer, the novel power system log hypergraph is constructed by a random walk method: for each log node v, a random walk of step length K is performed on the ordinary log graph G, and the sampled node sequence is then taken as a hyperedge, yielding the hyperedge incidence matrix H.
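The random-walk hyperedge construction can be sketched as below. This is a hedged illustration under the assumption that the ordinary log graph G is given as an adjacency-list dictionary; the patent does not specify the data layout.

```python
import random

# From each node, take a K-step random walk on the ordinary log graph
# and use the set of visited nodes as one hyperedge.

def random_walk_hyperedges(adj, K, seed=None):
    """adj: dict mapping node -> list of neighbor nodes."""
    rng = random.Random(seed)
    hyperedges = []
    for v in adj:
        walk = [v]
        cur = v
        for _ in range(K):
            neighbors = adj[cur]
            if not neighbors:
                break               # dead end: stop the walk early
            cur = rng.choice(neighbors)
            walk.append(cur)
        hyperedges.append(sorted(set(walk)))  # a hyperedge is a node set
    return hyperedges
```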
Referring to fig. 3, a process for constructing a log hypergraph in a Trojan attack scenario of an APT attack is shown, wherein,
node a represents an untrusted external address;
node B represents a browser;
the node C represents a Trojan file;
node D represents the executed Trojan process;
node E represents a dash script command line;
node F represents a command to display the server network configuration;
node G represents a command to display the host name;
node H represents a command to monitor the server TCP/IP network connection;
the node I represents a configuration file containing sensitive information such as account number and password in the server;
the leakage of the configuration files can directly cause an attacker to invade a service layer of the novel power system, tamper with the service layer data and the like.
Hypergraph neural network layer: a hypergraph neural network (HGNN) is a neural network model that considers high-order node relationships rather than pairwise node relationships. Because novel power system kernel audit log graph nodes are complex and APT attacks are staged, matching and training on pairwise log graph nodes alone cannot fully extract the correlation of nodes between log graphs, and the resulting model matches APT attack threat intelligence logs poorly.
Because HGNN shows better performance than a traditional graph convolutional network (GCN) in encoding log node position correlation, an HGNN layer is added to the HTTN threat hunting model to better capture the complex node relations in the log hypergraph. For the l-th layer of the HGNN, the log hypergraph incidence matrix H and the hidden representation matrix X^(l) are taken as input, and the nodes of the next layer are computed as follows:
X^(l+1) = σ(Dv^(−1/2) H W De^(−1) H^T Dv^(−1/2) X^(l) Θ^(l))
where σ is a non-linear activation function, Θ^(l) is the trainable parameter matrix of the l-th layer, and Dv, De, W are respectively the diagonal node degree, hyperedge degree, and hyperedge weight matrices.
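One HGNN layer can be sketched as below. The patent's formula is only partially legible, so this follows the common spectral hypergraph convolution formulation; ReLU stands in for the unspecified activation σ, and every node is assumed to lie on at least one hyperedge (so no degree is zero).

```python
import numpy as np

# One HGNN layer: X' = σ(Dv^-1/2 H W De^-1 H^T Dv^-1/2 X Θ).
# X: node features (n×d), H: incidence (n×m), W: diagonal edge
# weights (m×m), Theta: trainable parameters (d×d').

def hgnn_layer(X, H, W, Theta):
    Dv = np.diag((H * np.diag(W)).sum(axis=1))   # node degrees with edge weights
    De = np.diag(H.sum(axis=0))                  # hyperedge degrees
    Dv_inv_sqrt = np.diag(1.0 / np.sqrt(np.diag(Dv)))
    De_inv = np.diag(1.0 / np.diag(De))
    conv = Dv_inv_sqrt @ H @ W @ De_inv @ H.T @ Dv_inv_sqrt
    return np.maximum(conv @ X @ Theta, 0.0)     # σ = ReLU (assumed)
```

The H → H^T → H chain in `conv` realizes the node-edge-node conversion described next.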
The HGNN layer performs node-edge-node conversion of the log graph, so that the log hypergraph structure better refines the hyperedge characteristics of the log. In the HTTN threat hunting model, to improve the matching effect in the subsequent hyperedge matching layer, a node-edge conversion method is applied to the novel power system log graph so that node features are embedded into the hyperedge matrix: the initial log node features are first transformed by a learnable parameter matrix; the log node features are then gathered along each hyperedge to form the hyperedge feature matrix; finally, the related hyperedge features are aggregated by multiplying by the matrix H. The HGNN layer can thus fully extract the position and feature information of nodes in the novel power system and threat intelligence log graphs, improving the subsequent hyperedge matching similarity scores.
Hypergraph Transformer coding layer: the log hyperedge matrix E processed by the hypergraph neural network layer is input into the Transformer coding layer, which extracts the core features in the log hyperedge matrix and weakens the dependence between log hyperedges. The Transformer coding layer mainly comprises the following two structures:
Multi-head attention mechanism: the self-attention mechanism is an improvement of the original attention mechanism and is the core technology of the Transformer model. The self-attention calculation formula is as follows:
Attention(Q, K, V) = softmax(QK^T / √d_k) V
where E is the log hyperedge matrix; Q, K and V are the Query, Key and Value vectors obtained from E as Q = EW^Q, K = EW^K, V = EW^V; d_k is the dimension of the Q and K vectors; and W^Q, W^K, W^V are randomly initialized matrices whose proper parameters the model learns in back propagation;
the multi-head attention mechanism can find the position features in log hyperedges, computed simultaneously by multiple sets of weights that are not shared between positions; by stacking attention layers, the nodes of each hyperedge in the log hypergraph attend to the features of surrounding nodes, and the multi-head attention mechanism performs projection mapping through h different linear transformations;
As shown in fig. 4, the calculation results of the self-attention modules are finally concatenated, with the formula:
MultiHead(E) = Concat(head_1, …, head_h) W^O, where head_i = Attention(EW_i^Q, EW_i^K, EW_i^V)
First, multiple sets of weight matrices W_i^Q, W_i^K, W_i^V are initialized and the respective Q_i, K_i, V_i are computed; each head_i is then obtained from the attention calculation formula; the h heads are concatenated (Concat) and multiplied by the weight matrix W^O, finally being mapped back to the original space with the same dimension as the input hyperedge matrix.
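The multi-head self-attention over the hyperedge matrix can be sketched as below. Shapes and the random initialization are illustrative assumptions; in the actual model the weight matrices would be trained by back propagation rather than drawn fresh.

```python
import numpy as np

def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)  # numerical stability
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)

# Multi-head self-attention over the hyperedge matrix E (m×d):
# h heads of scaled dot-product attention, concatenated and
# projected back to the input dimension by W^O.

def multi_head_attention(E, h, d_k, rng):
    d = E.shape[1]
    heads = []
    for _ in range(h):
        Wq, Wk, Wv = (rng.standard_normal((d, d_k)) for _ in range(3))
        Q, K, V = E @ Wq, E @ Wk, E @ Wv
        A = softmax(Q @ K.T / np.sqrt(d_k))      # scaled dot-product attention
        heads.append(A @ V)
    Wo = rng.standard_normal((h * d_k, d))       # output projection W^O
    return np.concatenate(heads, axis=1) @ Wo    # back to the input dimension
```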
Feed-forward neural network: the feed-forward neural network of the hypergraph Transformer coding layer mainly addresses the insufficient fitting of the multi-head attention mechanism to the data processed by the hypergraph neural network layer, so as to better generalize the function; it is composed of a fully connected layer with a ReLU activation function and a fully connected layer with a linear activation function.
Hyperedge matching layer: the correlation between log hyperedges is very important for a graph matching model, so a hyperedge matching mechanism is used in the HTTN threat hunting model. Traditional graph matching mostly adopts node-by-node matching, but due to the concealment and long-term latency of APT attacks, considering only the correlation of log graph nodes or single edges matches APT attack threat intelligence poorly in the novel power system log library. The HTTN threat hunting model therefore uses hyperedge matching rather than node feature matching, which offers higher computational efficiency and accuracy than matching all nodes of the whole graph;
The core of the hyperedge matching layer computes similarity scores between the hyperedges of a hypergraph pair (GH1, GH2). A similarity score matrix S of the graph pair is first constructed; for each hyperedge e_i of GH1, a score is computed against every hyperedge e_j of the other graph GH2 with a Gaussian kernel function, i.e.:
s(e_i, e_j) = exp(−‖e_i − e_j‖² / (2σ²))
where |EH2| is the number of hyperedges in GH2; e_i and e_j denote hyperedges of GH1 and GH2; and σ controls the range of action of the Gaussian kernel function: the larger its value, the larger the local influence range of the Gaussian kernel.
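The Gaussian-kernel score matrix can be sketched as below, assuming each hyperedge is represented by a feature vector (a row of the hyperedge matrix); the bandwidth σ is the kernel parameter described above.

```python
import numpy as np

# Hyperedge matching scores: an RBF (Gaussian) kernel between every
# hyperedge feature vector of graph 1 (E1, m1×d) and graph 2 (E2, m2×d).

def hyperedge_score_matrix(E1, E2, sigma=1.0):
    # squared Euclidean distance between every pair of hyperedge vectors
    d2 = ((E1[:, None, :] - E2[None, :, :]) ** 2).sum(axis=2)
    return np.exp(-d2 / (2.0 * sigma ** 2))      # s(e_i, e_j) in (0, 1]
```

Identical hyperedge vectors score 1; increasing `sigma` flattens the kernel so more distant hyperedges still receive a non-negligible score.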
Similarity score calculation layer: after obtaining the log graph similarity score matrix, fully connected layers gradually reduce its dimension to fit the function that realizes the log graph similarity score calculation; a fully connected layer linearly transforms one feature space into another through matrix-vector products, finally achieving the dimensionality reduction of the matrix;
the similarity matrix generates a similarity score after being processed by the full connection layerAnd comparing the following mean square error loss function with the actual similarity score, and measuring the matching effect of the model on the novel power system log graph and the threat intelligence log graph:
wherein G is a set of pairs of training images, andpresentation log graphAnd log graphThe actual similarity score between them.
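The loss above reduces to a plain mean of squared score gaps over the training pairs, which can be sketched as:

```python
import numpy as np

# Mean-square-error loss over a training set of graph pairs: the
# average squared gap between predicted and actual similarity scores.

def mse_loss(predicted, actual):
    predicted = np.asarray(predicted, dtype=float)
    actual = np.asarray(actual, dtype=float)
    return float(((predicted - actual) ** 2).mean())
```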
Example 3
In order to verify the accuracy and efficiency of the HTTN threat hunting model for APT attack threat hunting, the application adopts a data set mixing Linux kernel audit logs with several APT attack scenarios and performs comparison experiments with traditional graph regression models such as SimGNN, GraphSim, H2MN and HGMN, finally proving that the proposed HTTN threat hunting model performs better in matching APT attack threat intelligence.
Experimental preparation and environment: the server ran Ubuntu 16.04 and was equipped with 4 NVIDIA 2080 Ti graphics cards and CUDA 10.2; the experimental environment was Python 3.7, written using the PyTorch framework; the optimal hyperparameters of the HTTN threat hunting model were determined by grid-search experiments, and the relevant hyperparameters are shown in Table 1.
During training of the HTTN threat hunting model, the Adam algorithm is used to optimize model parameters. Adam is a first-order optimization algorithm that can replace the traditional gradient descent process, requires less memory during training, and is computationally more efficient, making it suitable for the large scale of power system kernel audit log data.
Evaluation method: to accurately evaluate the matching effect of the proposed HTTN threat hunting model, mean square error (MSE), the Spearman rank correlation coefficient (ρ) and precision at 10 (p@10) are adopted to measure model performance;
MSE measures the mean squared deviation of the predicted similarity score from the true similarity score, as in equation (6); ρ evaluates the rank correlation between the predicted ranking and the true ranking; p@10 computes the size of the intersection of the top-10 predicted results and the top-10 actual results, divided by 10.
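The p@10 metric as described can be sketched as below, assuming scores are given as dictionaries mapping item identifiers to similarity scores (an illustrative data layout, not the patent's).

```python
# p@10: size of the intersection of the top-10 predicted and top-10
# ground-truth items, divided by 10.

def precision_at_10(pred_scores, true_scores):
    top_pred = set(sorted(pred_scores, key=pred_scores.get, reverse=True)[:10])
    top_true = set(sorted(true_scores, key=true_scores.get, reverse=True)[:10])
    return len(top_pred & top_true) / 10.0
```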
Data set introduction and preprocessing: the experimental data set comes from Linux kernel audit logs in several APT attack scenarios. The novel power system uses a distributed architecture with most services deployed on Linux servers, so server security requirements are high; the kernel audit log records the programs, processes and operations of the user system at the Linux bottom layer, and can collect log information from every stage of an APT attack. A node in the log graph represents a command or program, and an edge represents a dependency between commands or programs.
From the data set, 1000 log graph pairs are randomly selected and divided into training, test, and validation sets in a 60%/20%/20% split. Owing to the stealthiness of APT attacks, the number of nodes in a log graph generated from threat intelligence generally does not exceed 15. The A* algorithm is applied to the data set to generate the similarity scores of the log graph pairs.
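The 60%/20%/20% split can be sketched as follows; the function name and the use of integer stand-ins for the log graph pairs are illustrative:

```python
import random

def split_dataset(pairs, seed=0):
    """Randomly partition log-graph pairs into 60% train / 20% test / 20% validation."""
    pairs = pairs[:]                      # copy so the caller's list is untouched
    random.Random(seed).shuffle(pairs)    # reproducible random selection
    n = len(pairs)
    a, b = int(0.6 * n), int(0.8 * n)
    return pairs[:a], pairs[a:b], pairs[b:]

train, test, val = split_dataset(list(range(1000)))
```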
Analysis of experimental results for different models: the HTTN threat hunting model proposed in this application was compared with the traditional SimGNN, GraphSim, HGMN, and H2MN graph regression models; the experimental results are shown in Table 2:
Table 2: comparison of the HTTN threat hunting model with the SimGNN, GraphSim, HGMN, and H2MN models.
As shown in figs. 5, 6, and 7, on the Linux log data set containing APT attacks, the mean square error of the HTTN threat hunting model proposed in this application is 0.81 lower than that of SimGNN, about 0.27 lower than that of GraphSim, about 0.166 lower than that of HGMN, and about 0.046 lower than that of H2MN;
in terms of the Spearman rank correlation coefficient, the HTTN threat hunting model proposed in this application improves on the SimGNN, GraphSim, HGMN, and H2MN models by 0.06, 0.0226, 0.0076, and 0.0126, respectively;
in terms of the p@10 index, the HTTN threat hunting model improves by about 0.1 over the SimGNN model, by about 0.015 over the GraphSim model, by 0.0147 over the HGMN model, and by 0.011 over the H2MN model. Taken together, the MSE, Spearman ρ, and p@10 results fully demonstrate the effectiveness of applying the multi-head attention of the Transformer coding layer to the log-graph hyperedge matrix in the HTTN threat hunting model, which matches threat intelligence better than the other four models.
When the novel power system suffers an APT attack based on a zero-day vulnerability, the longer the attack persists in the system, the greater the damage it causes; the shorter the response time of the threat hunting model, therefore, the better. We conducted a comparison experiment on the log-graph similarity-score computation time of the different models.
The experimental results are shown in fig. 8: the HTTN threat hunting model computes the log-graph similarity score 6.14, 7.1, and 5.35 milliseconds faster than the SimGNN, GraphSim, and HGMN models, respectively, and differs only slightly from the time consumed by the H2MN model. The HTTN threat hunting model thus also optimizes computation time on the log graph.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. The procedures or functions according to the embodiments of the present application are wholly or partially generated when the computer instructions or the computer program are loaded or executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more collections of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" in this application only describes an association relationship between associated objects, meaning that three relationships may exist; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B may be singular or plural. In addition, "/" in this application generally indicates that the associated objects before and after it are in an "or" relationship, but may also indicate an "and/or" relationship; the specific meaning can be understood from the surrounding text.
In the present application, "at least one" means one or more, "a plurality" means two or more. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not imply any order of execution, and the order of execution of the processes should be determined by their functions and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art would appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a portable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A hypergraph Transformer-based threat hunting model establishing method, characterized in that the establishing method comprises the following steps:
s1: using threat intelligence and system logs as input data, encoding the input data and constructing a hypergraph, and processing the hypergraph by a hypergraph neural network layer to generate preprocessed data;
s2: extracting characteristic data from the preprocessed data through a Transformer multi-head attention mechanism;
s3: and calculating the score of the characteristic data through a super-edge matching algorithm, completing the matching of threat intelligence in a power system log library, and establishing an HTTN threat hunting model of the APT attack of the power system.
2. The hypergraph Transformer-based threat hunting model building method of claim 1, wherein: in step S1, the threat intelligence acquisition includes the following steps:
s1.1: acquiring kernel audit log streams of the power system through the various kernel audit engines of the operating system, and constructing a log graph of the power system from the log streams through a stream processing unit module;
s1.2: collecting network threat intelligence in various open sources or private threat intelligence libraries, and generating a threat intelligence log graph through a threat intelligence processing module;
s1.3: inputting the power system log graph and the threat intelligence log graph into an HTTN threat hunting model together, and calculating scores of a novel power system log graph subgraph and the threat intelligence log graph through matching the log graphs;
s1.4: all operating system logs matched with threat intelligence in a novel power system log library are obtained by setting a score threshold value for the HTTN threat hunting model, unknown APT attack is found through the HTTN threat hunting model, and the threat hunting of the APT attack is completed.
3. The hypergraph Transformer-based threat hunting model building method of claim 2, wherein: the HTTN threat hunting model comprises a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hypergraph matching layer and a function calculation layer;
the generating step of the graph information input layer comprises the following steps:
any pair of log graphs is denoted G = (V, E), where |V| and |E| respectively denote the number of nodes and the number of edges;
the connection information of a log graph G is characterized by an adjacency matrix A ∈ R^(n×n), where R is the set of real numbers;
4. The hypergraph Transformer-based threat hunting model establishing method according to claim 3, wherein: in the hypergraph construction layer, the log hypergraph is defined as G = (V, E, X, W), comprising a log node set V, a log hyperedge set E, a log node feature matrix X, and a diagonal hyperedge weight matrix W; each hyperedge of the log hypergraph comprises at least two nodes, and an incidence matrix H is used to model the unpaired node relationships, with the entries of H defined as:
h(v, e) = 1 if node v belongs to hyperedge e, and h(v, e) = 0 otherwise;
wherein h(v, e) denotes the assignment of an element in the incidence matrix: the value is 1 if the node lies on the hyperedge and 0 if it does not; the degree of a node v is d(v) = Σ_{e∈E} w(e) h(v, e); the degree of a hyperedge e is δ(e) = Σ_{v∈V} h(v, e); the node degree diagonal matrix and the hyperedge degree diagonal matrix are denoted D_v and D_e, respectively.
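The incidence matrix and degree definitions above can be sketched in plain Python, with unit hyperedge weights w(e) = 1; the function names are illustrative, not from the patent:

```python
def incidence(num_nodes, hyperedges):
    """hyperedges: list of node-index sets; returns H as a nested list,
    with H[v][e] = 1 iff node v lies on hyperedge e."""
    return [[1 if v in e else 0 for e in hyperedges] for v in range(num_nodes)]

def degrees(H):
    """Node degrees d(v) (with w(e) = 1) and hyperedge degrees delta(e)."""
    d_v = [sum(row) for row in H]         # one row per node
    d_e = [sum(col) for col in zip(*H)]   # one column per hyperedge
    return d_v, d_e

# Toy hypergraph: 4 nodes, hyperedges {0,1,2} and {2,3}.
H = incidence(4, [{0, 1, 2}, {2, 3}])
d_v, d_e = degrees(H)
```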
5. The hypergraph Transformer-based threat hunting model building method of claim 4, wherein: in the hypergraph construction layer, the log hypergraph of the power system is constructed by a random walk method: for each log node v, a random walk of step length K is performed on the ordinary log graph G, and the sampled node sequence is then taken as a hyperedge, yielding the hyperedge incidence matrix of the hypergraph.
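The random-walk hyperedge construction can be sketched as follows; the adjacency-list input format and the function name are assumptions for illustration, not from the patent:

```python
import random

def random_walk_hyperedges(adj, K, seed=0):
    """For each node, sample a K-step random walk on the ordinary log graph
    (given as an adjacency list) and return the visited node set as a hyperedge."""
    rng = random.Random(seed)
    hyperedges = []
    for start in adj:
        walk, node = {start}, start
        for _ in range(K):
            if not adj[node]:            # dead end: stop the walk early
                break
            node = rng.choice(adj[node])
            walk.add(node)
        hyperedges.append(walk)
    return hyperedges

# Toy log graph: path 0 - 1 - 2.
adj = {0: [1], 1: [0, 2], 2: [1]}
edges = random_walk_hyperedges(adj, K=2)
```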
6. The hypergraph Transformer-based threat hunting model building method of claim 5, wherein: in the hypergraph neural network layer, an HGNN layer is added to the HTTN threat hunting model; for the l-th HGNN layer, the log hypergraph incidence matrix H and the hidden representation matrix X^(l) are taken as input, and the nodes of the next layer are computed as:
X^(l+1) = σ( D_v^(−1/2) H W D_e^(−1) H^T D_v^(−1/2) X^(l) Θ^(l) ),
where σ is the activation function and Θ^(l) is the learnable weight matrix of layer l.
7. The hypergraph Transformer-based threat hunting model building method of claim 6, wherein: and the HGNN layer executes the node-edge-node conversion of the log graph, so that the log hypergraph structure refines the hyperedge characteristics of the log.
8. The hypergraph Transformer-based threat hunting model establishing method according to claim 3, wherein: the hypergraph Transformer coding layer inputs the log hyperedge matrix E processed by the hypergraph neural network layer into the Transformer coding layer, which extracts the core features of the log hyperedge matrix; the hypergraph Transformer coding layer comprises a multi-head attention mechanism and a feed-forward neural network;
the self-attention mechanism is computed as:
Attention(Q, K, V) = softmax( Q K^T / √d_k ) V,
where E is the log hyperedge matrix; Q, K, and V are the Query, Key, and Value vectors, respectively, obtained from E; d_k is the dimension of the Q and K vectors; and W_Q, W_K, W_V are randomly initialized matrices;
the multi-head attention mechanism applies h different linear transformations to project and map E, and finally concatenates the outputs of the self-attention modules:
MultiHead(E) = Concat(head_1, …, head_h) W_O, with head_i = Attention(E W_i^Q, E W_i^K, E W_i^V);
multiple sets of weight matrices W_i^Q, W_i^K, W_i^V are initialized, the corresponding Q_i, K_i, V_i are computed for each set, and each head_i is obtained from the self-attention formula; the h heads are concatenated and multiplied by the weight matrix W_O, mapping the result back to the original space so that the output has the same dimension as the input hyperedge matrix;
the feed-forward neural network consists of a fully connected layer with a ReLU activation function followed by a fully connected layer with a linear activation function, and compensates for the insufficient fitting capacity of the multi-head attention mechanism alone on the data processed by the hypergraph neural network layer.
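The scaled dot-product self-attention at the core of the coding layer can be sketched in plain Python; this shows a single head on a toy hyperedge matrix E (a full multi-head layer would repeat it h times with different learned projections), and all names are illustrative:

```python
import math

def matmul(A, B):
    """Nested-list matrix product."""
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)]
            for row in A]

def softmax(row):
    m = max(row)                          # subtract max for numerical stability
    ex = [math.exp(x - m) for x in row]
    s = sum(ex)
    return [e / s for e in ex]

def attention(Q, K, V):
    """softmax(Q K^T / sqrt(d_k)) V for nested-list matrices."""
    d_k = len(Q[0])
    scores = matmul(Q, [list(c) for c in zip(*K)])        # Q K^T
    scaled = [[s / math.sqrt(d_k) for s in row] for row in scores]
    weights = [softmax(row) for row in scaled]            # row-wise softmax
    return matmul(weights, V)

# Toy hyperedge matrix; Q = K = V = E for illustration only.
E = [[1.0, 0.0], [0.0, 1.0]]
out = attention(E, E, E)
```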
9. The hypergraph Transformer-based threat hunting model establishing method according to claim 3, wherein: the hyperedge matching layer scores the hyperedges of a hypergraph pair (G_1, G_2) and constructs a score matrix S for the pair; for each hyperedge e_i of G_1, its score against every hyperedge e_j of the other graph of the pair is computed with a Gaussian kernel function:
s(e_i, e_j) = exp( −‖e_i − e_j‖² / (2σ²) ).
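The Gaussian-kernel scoring can be sketched as follows; the bandwidth σ and the treatment of hyperedges as embedding vectors are assumptions for illustration, not details fixed by the patent:

```python
import math

def gaussian_score_matrix(E1, E2, sigma=1.0):
    """E1, E2: lists of hyperedge embedding vectors for a hypergraph pair;
    returns the score matrix S with S[i][j] = exp(-||e_i - e_j||^2 / (2 sigma^2))."""
    def score(a, b):
        d2 = sum((x - y) ** 2 for x, y in zip(a, b))
        return math.exp(-d2 / (2 * sigma ** 2))
    return [[score(e1, e2) for e2 in E2] for e1 in E1]

# One hyperedge in G1 scored against two hyperedges in G2.
S = gaussian_score_matrix([[0.0, 0.0]], [[0.0, 0.0], [1.0, 0.0]])
```

Identical embeddings score 1, and the score decays smoothly toward 0 as the embeddings move apart.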
10. The hypergraph Transformer-based threat hunting model building method of claim 9, wherein: in the function calculation layer, the score matrix is processed by the fully connected layer to generate the predicted similarity score.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310108673.8A CN115834251B (en) | 2023-02-14 | 2023-02-14 | Hypergraph-transform-based threat hunting model building method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310108673.8A CN115834251B (en) | 2023-02-14 | 2023-02-14 | Hypergraph-transform-based threat hunting model building method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115834251A true CN115834251A (en) | 2023-03-21 |
CN115834251B CN115834251B (en) | 2023-09-29 |
Family
ID=85521200
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310108673.8A Active CN115834251B (en) | 2023-02-14 | 2023-02-14 | Hypergraph-transform-based threat hunting model building method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115834251B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117240598A (en) * | 2023-11-07 | 2023-12-15 | 国家工业信息安全发展研究中心 | Attack detection method, attack detection device, terminal equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150128274A1 (en) * | 2013-11-04 | 2015-05-07 | Crypteia Networks S.A. | System and method for identifying infected networks and systems from unknown attacks |
US20160162690A1 (en) * | 2014-12-05 | 2016-06-09 | T-Mobile Usa, Inc. | Recombinant threat modeling |
CN112269316A (en) * | 2020-10-28 | 2021-01-26 | 中国科学院信息工程研究所 | High-robustness threat hunting system and method based on graph neural network |
US11128649B1 (en) * | 2019-03-06 | 2021-09-21 | Trend Micro Incorporated | Systems and methods for detecting and responding to anomalous messaging and compromised accounts |
CN115221511A (en) * | 2022-09-20 | 2022-10-21 | 国网江西省电力有限公司信息通信分公司 | Power distribution Internet of things threat hunting method |
CN115543951A (en) * | 2022-11-30 | 2022-12-30 | 浙江工业大学 | Log acquisition, compression and storage method based on origin map |
CN115664696A (en) * | 2022-08-30 | 2023-01-31 | 华北电力大学 | APT attack active defense method based on threat hunting |
- 2023-02-14 CN CN202310108673.8A patent/CN115834251B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150128274A1 (en) * | 2013-11-04 | 2015-05-07 | Crypteia Networks S.A. | System and method for identifying infected networks and systems from unknown attacks |
US20160162690A1 (en) * | 2014-12-05 | 2016-06-09 | T-Mobile Usa, Inc. | Recombinant threat modeling |
US11128649B1 (en) * | 2019-03-06 | 2021-09-21 | Trend Micro Incorporated | Systems and methods for detecting and responding to anomalous messaging and compromised accounts |
CN112269316A (en) * | 2020-10-28 | 2021-01-26 | 中国科学院信息工程研究所 | High-robustness threat hunting system and method based on graph neural network |
CN115664696A (en) * | 2022-08-30 | 2023-01-31 | 华北电力大学 | APT attack active defense method based on threat hunting |
CN115221511A (en) * | 2022-09-20 | 2022-10-21 | 国网江西省电力有限公司信息通信分公司 | Power distribution Internet of things threat hunting method |
CN115543951A (en) * | 2022-11-30 | 2022-12-30 | 浙江工业大学 | Log acquisition, compression and storage method based on origin map |
Non-Patent Citations (3)
Title |
---|
KHAN SALMAN MUHAMMAD;RICHARD RENE;MOLYNEAUX HEATHER;COTE MARTEL DANICK;KAMALANATHAN ELANGO JACKSON HENRY;LIVINGSTONE STEVE;GAUDET : "Cyber Threat Hunting: A Cognitive Endpoint Behavior Analytic System" * |
XU Jiacen; WANG Yijun; XUE Zhi: "A Survey of Research on Cyberspace Threat Hunting" *
HU Zhao; JIN Wenxian; CHEN Yuxu: "Research and Analysis on Threat Intelligence" *
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117240598A (en) * | 2023-11-07 | 2023-12-15 | 国家工业信息安全发展研究中心 | Attack detection method, attack detection device, terminal equipment and storage medium |
CN117240598B (en) * | 2023-11-07 | 2024-02-20 | 国家工业信息安全发展研究中心 | Attack detection method, attack detection device, terminal equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN115834251B (en) | 2023-09-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||