CN115834251B - Hypergraph-transform-based threat hunting model building method - Google Patents


Info

Publication number
CN115834251B
Authority
CN
China
Prior art keywords
log
hypergraph
layer
matrix
threat
Prior art date
Legal status
Active
Application number
CN202310108673.8A
Other languages
Chinese (zh)
Other versions
CN115834251A (en)
Inventor
邱日轩
孙欣
梁良
周欣
付俊峰
张俊峰
汪一波
林楠
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC and Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Priority to CN202310108673.8A
Publication of CN115834251A
Application granted
Publication of CN115834251B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method for building a threat hunting model based on a hypergraph Transformer, comprising the following steps: threat intelligence and system logs are used as input data, a log graph is generated by a processing module, and both are input into the threat hunting model; the threat hunting model encodes the input data and constructs hypergraphs, and matrix data is generated by a hypergraph neural network layer; features are extracted from the preprocessed data by a multi-head attention mechanism and mapped into a hyperedge matrix; finally, similarity scores over the log graph are computed by hyperedge matching, the novel power system kernel audit logs that match the cyber threat intelligence are found, and threat hunting is completed. The model can adapt to APT attacks that are continuously updated and changing, completes threat hunting of APT attacks against the novel power system, and enables rapid response and active defense against APT attacks.

Description

Hypergraph-transform-based threat hunting model building method
Technical Field
The application relates to the technical field of threat hunting model building, in particular to a method for building a threat hunting model based on a hypergraph Transformer.
Background
Because power distribution in the novel power system is moving in a distributed direction, the increased cross-space vulnerability raises the risk of APT attacks: an attacker can intrude from an external network, lurk in the information network of the novel power system, modify its business layer and finally damage the power system. At the same time, an APT attack generates a huge volume of log information while it lies dormant, so a conventional detection model may lose the APT attack features during training or gradually learn the malicious behaviour as normal behaviour. How to effectively mine the system log repository and actively discover APT attacks that have been hidden for a long time is therefore a key problem.
On this basis, the application provides a threat hunting model building method based on a hypergraph Transformer to solve the above problems.
Disclosure of Invention
The application aims to provide a threat hunting model building method based on a hypergraph Transformer which, when the log graph is built, preserves the APT attack traces of the novel power system as fully as possible given the long-term dormancy of APT attacks, and which can adaptively follow continuously updated and changing APT attacks by using cyber threat intelligence, so as to overcome the shortcomings described in the background.
To achieve the above object, the application provides the following technical solution: a threat hunting model building method based on a hypergraph Transformer comprises the following steps:
S1: threat intelligence and system logs are used as input data, the input data are encoded, hypergraphs are constructed, and preprocessed data are then generated by hypergraph neural network layer processing;
S2: feature data are extracted from the preprocessed data by a Transformer multi-head attention mechanism;
S3: a hyperedge matching algorithm computes scores from the feature data, completing the matching of threat intelligence against the power system log repository and establishing an HTTN threat hunting model for APT attacks on the power system.
In a preferred embodiment, the HTTN threat hunting model performs threat hunting as follows:
S1.1: power system kernel audit log streams are collected by the kernel audit engines of various operating systems, and a power system log graph is built from the log streams by a stream processing unit module;
S1.2: cyber threat intelligence is collected from various open-source or private threat intelligence repositories, and a threat intelligence log graph is generated by a threat intelligence processing module;
S1.3: the power system log graph and the threat intelligence log graph are input together into the HTTN threat hunting model, and scores between subgraphs of the novel power system log graph and the threat intelligence log graph are computed by log graph matching;
S1.4: a score threshold is set for the HTTN threat hunting model, all operating system logs in the novel power system log repository that match threat intelligence are retrieved, and unknown APT attacks are discovered by the HTTN threat hunting model, completing threat hunting of APT attacks.
In a preferred embodiment, the HTTN threat hunting model comprises a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hyperedge matching layer and a function calculation layer;
the graph information input layer is generated as follows:
N log graph pairs constitute the data input, each log graph pair being represented as a pair of log graphs;
for either log graph of a pair, the numbers of nodes and edges are arbitrary;
any input log graph is expressed by its node count and its edge count;
an adjacency matrix over the real number set is used to characterise the log graph;
a feature matrix of the nodes is used to represent the log graph, its second dimension being the dimension of the node features; the second log graph of the pair is represented in the same way.
In a preferred embodiment, in the hypergraph construction layer the log hypergraph is defined by a log node set, a log hyperedge set, a log node feature matrix and a diagonal hyperedge weight matrix; each hyperedge of the log hypergraph comprises at least two nodes, and an incidence matrix H is used to model the non-pairwise node relationships, the entries of H being defined as:
where an entry of the incidence matrix is 1 if the node belongs to the hyperedge and 0 otherwise; the degree of node v is the number of hyperedges that contain the vertex, and the degree of hyperedge e is the number of nodes it contains; the node degree diagonal matrix and the hyperedge degree diagonal matrix are denoted accordingly.
In a preferred embodiment, in the hypergraph construction layer the power system log hypergraph is built by a random walk method: for each log node v, a random walk with step length K is performed on the ordinary log graph G, and the sampled node sequence is taken as a hyperedge, giving the hyperedge matrix.
In a preferred embodiment, in the hypergraph neural network layer an HGNN layer is added to the HTTN threat hunting model; for the l-th layer of the HGNN, the log hypergraph H and the hidden representation matrix are taken as input, and the nodes of the next layer are then computed:
where the formula uses a nonlinear activation function; the training parameter matrix of layer l; the diagonal node degree, hyperedge degree and hyperedge weight matrices; and a trainable parameter matrix.
In a preferred embodiment, the HGNN layer performs a node-hyperedge-node conversion of the log graph, so that the log hypergraph structure refines the hyperedge features of the log.
In a preferred embodiment, the hypergraph Transformer coding layer takes as input the log hyperedge matrix E produced by the hypergraph neural network layer, and the Transformer coding layer extracts the core features of the log hyperedge matrix; the hypergraph Transformer coding layer comprises a multi-head attention mechanism and a feed-forward neural network;
the self-attention mechanism is computed as follows:
where E is the log hyperedge matrix; Q, K and V are the Query, Key and Value vectors obtained from E; the scaling term is the dimension of the Q and K vectors; and the three projection matrices are randomly initialised;
the multi-head attention mechanism projects the input through h different linear transformations and finally concatenates the results of all self-attention modules, expressed as follows:
multiple sets of weight matrices are initialised, one set per head; the Q, K and V of each head are computed and the attention formula gives h groups of outputs, which are concatenated and multiplied by an output weight matrix to map back to the original space, giving a matrix whose dimension equals that of the original hyperedge matrix input.
Feed-forward neural network: it consists of a fully connected layer with a ReLU activation function and a fully connected layer with a linear activation function, and addresses the insufficient fit of the multi-head attention mechanism to the data produced by the hypergraph neural network layer.
In a preferred embodiment, the hyperedge matching layer scores the hyperedges between the two hypergraphs of a pair, constructing a score matrix for the hypergraph pair: for each hyperedge of the first hypergraph, the Gaussian kernel function against every hyperedge of the second hypergraph is computed to obtain the score:
where the two counts are the numbers of hyperedges in the two hypergraphs, the two vectors are hyperedges of the respective hypergraphs, and the kernel parameter controls the range of action of the Gaussian kernel: the larger its value, the larger the local influence range of the Gaussian kernel.
In a preferred embodiment, in the function calculation layer the matrix is processed by a fully connected layer to produce a score, computed as follows:
where G is the set of training graph pairs and the target term represents the actual score between the two log graphs of a pair.
In the technical scheme, the application has the technical effects and advantages that:
In the application, a hypergraph is built from cyber threat intelligence and novel power system kernel audit logs; the relationships among higher-order nodes of the hypergraph are learned by the HGNN layer and the features are mapped into a hyperedge matrix; a Transformer coding layer applies a multi-head attention mechanism to the hyperedge matrix; finally, similarity scores over the log graph are computed by hyperedge matching and the novel power system kernel audit logs that match the cyber threat intelligence are found. The model can adapt to continuously updated APT attacks, completes threat hunting of APT attacks on the novel power system, and enables rapid response and active defense against APT attacks.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required for the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
Fig. 1 is a threat hunting flow chart of the power system of the present application.
FIG. 2 is a schematic diagram of an HTTN threat hunting model of the present application.
Fig. 3 is a flow chart of the construction of the Trojan log hypergraph of the present application.
FIG. 4 is a diagram of a multi-headed attention mechanism of the present application.
Fig. 5 is a graph showing the mean square error change in the training process of each model according to the present application.
FIG. 6 is a graph of the variation of the Spearman rank correlation coefficient during the training process of each model of the present application.
FIG. 7 is a graph of the variation of p@10 during the training process of each model of the present application.
FIG. 8 is a comparison of hunting time for each model of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Example 1
The method for building a threat hunting model based on a hypergraph Transformer according to this embodiment comprises the following steps:
S1, threat intelligence and system logs are used as input data, the input data are encoded, hypergraphs are constructed, and preprocessed data are then generated by hypergraph neural network layer processing;
S2, feature data are extracted from the preprocessed data by a Transformer multi-head attention mechanism;
S3, similarity scores are computed from the feature data by a hyperedge matching algorithm, completing the matching of threat intelligence against the power system log repository and establishing an HTTN threat hunting model for APT attacks on the power system.
Referring to fig. 1, the HTTN threat hunting model performs threat hunting as follows:
1) novel power system kernel audit log streams are collected by the kernel audit engines of various operating systems, and the log streams are built into a novel power system log graph by a stream processing unit module;
2) cyber threat intelligence is collected manually from various open-source or private threat intelligence repositories, and a threat intelligence log graph is generated by a threat intelligence processing module;
3) the novel power system log graph and the threat intelligence log graph are input together into the HTTN threat hunting model, and similarity scores between subgraphs of the novel power system log graph and the threat intelligence log graph are computed by similarity matching of the log graphs;
4) threat hunting analysts set a similarity score threshold for the HTTN threat hunting model, retrieve all operating system logs in the novel power system log repository that match threat intelligence, and discover unknown APT attacks through the HTTN threat hunting model, completing threat hunting of APT attacks.
Example 2
Referring to fig. 2, the HTTN threat hunting model is composed of a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hyperedge matching layer and a similarity score calculation layer.
Graph information input layer: the data input of the HTTN threat hunting model consists of N log graph pairs, each pair represented as two log graphs, where for either log graph of a pair the numbers of nodes and edges may be arbitrary; an input log graph is expressed by its numbers of nodes and edges and is then characterised by an adjacency matrix, R being the real number set; a feature matrix represents the nodes of the log graph, its second dimension being the dimension of the node features; the second log graph of the pair is represented in the same way.
Hypergraph construction layer: to perform hyperedge matching of the system log graph, a hypergraph must be constructed from the log graph data supplied by the information input layer. The log hypergraph is defined by a log node set, a log hyperedge set, a log node feature matrix and a diagonal hyperedge weight matrix; unlike the ordinary log graph G, each hyperedge of the log hypergraph comprises two or more nodes, and an incidence matrix H is used to model the non-pairwise node relationships, the entries of H being defined as:
where an entry of the incidence matrix is 1 if the node belongs to the hyperedge and 0 otherwise; the degree of node v is the number of hyperedges that contain the vertex, and the degree of hyperedge e is the number of nodes it contains; the node degree diagonal matrix and the hyperedge degree diagonal matrix are denoted accordingly.
In the hypergraph construction layer, the application uses a random walk method to build the novel power system log hypergraph:
for each log node v, a random walk with step length K is performed on the ordinary log graph G, and the sampled node sequence is taken as a hyperedge, yielding the hyperedge matrix.
Referring to fig. 3, the construction of a log hypergraph under the Trojan scenario of an APT attack is shown, where:
node a represents an untrusted external address;
node B represents a browser;
node C represents a Trojan file;
node D represents the Trojan process being executed;
node E represents a dash script command line;
node F represents a command to display a server network configuration;
node G represents a command to display a host name;
node H represents a command to monitor the server TCP/IP network connection;
node I represents a configuration file on the server containing sensitive information such as account passwords;
disclosure of these configuration files can directly lead to an attacker intruding into the business layer of the novel power system and tampering with business layer data.
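The random-walk construction described in the preferred-embodiment paragraph and again in Example 2 (one K-step walk per log node, the visited nodes forming a hyperedge, the result recorded in the incidence matrix H with node-degree and hyperedge-degree diagonal matrices) can be made concrete on the Fig. 3 scenario. The following is an added example, not code from the patent: the nine node labels follow the figure description, but the edge list, the step length K=3 and the fixed random seed are constructed assumptions.

```python
import random

# Constructed toy log graph modelled on the Fig. 3 Trojan scenario. Node labels follow
# the figure description; the edge list is an assumption (the patent names only the nodes)
# and is treated as undirected for the walk.
LOG_NODES = ["A", "B", "C", "D", "E", "F", "G", "H", "I"]
LOG_EDGES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"),
             ("E", "F"), ("E", "G"), ("E", "H"), ("H", "I")]

def neighbours(nodes, edges):
    """Adjacency sets indexed by node position."""
    index = {name: i for i, name in enumerate(nodes)}
    nbrs = {i: set() for i in range(len(nodes))}
    for u, v in edges:
        nbrs[index[u]].add(index[v])
        nbrs[index[v]].add(index[u])
    return nbrs

def random_walk(nbrs, start, k, rng):
    """K-step random walk from `start`; the set of visited nodes becomes one hyperedge."""
    current, visited = start, {start}
    for _ in range(k):
        if not nbrs[current]:
            break
        current = rng.choice(sorted(nbrs[current]))
        visited.add(current)
    return visited

def build_hypergraph(nodes, edges, k, seed=0):
    """One hyperedge per log node -> n x n incidence matrix H, plus node and edge degrees."""
    rng = random.Random(seed)
    nbrs = neighbours(nodes, edges)
    n = len(nodes)
    hyperedges = [random_walk(nbrs, v, k, rng) for v in range(n)]
    # H[v][e] = 1 when node v lies on hyperedge e, else 0
    H = [[1 if v in hyperedges[e] else 0 for e in range(n)] for v in range(n)]
    d_v = [sum(row) for row in H]                                 # hyperedges containing v
    d_e = [sum(H[v][e] for v in range(n)) for e in range(n)]      # nodes on hyperedge e
    return H, d_v, d_e

if __name__ == "__main__":
    H, d_v, d_e = build_hypergraph(LOG_NODES, LOG_EDGES, k=3)
    for name, row in zip(LOG_NODES, H):
        print(name, row)
    print("node degrees D_v:", d_v)
    print("hyperedge degrees D_e:", d_e)
```

Because every walk starts at its own node and the graph has no isolated nodes, every hyperedge contains at least two nodes, which is the property the hypergraph construction layer requires; the diagonal degree matrices the HGNN layer needs are just `diag(d_v)` and `diag(d_e)`.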
Hypergraph neural network layer: a hypergraph neural network (Hypergraph Neural Network, HGNN) is a neural network model that considers higher-order node relationships rather than pairwise node relationships. Because the relationships between nodes of the log graph come from the novel power system kernel audit and an APT attack proceeds in stages, matching training on pairwise log graph nodes alone cannot fully extract the correlation of nodes across log graphs, so a model trained that way matches the threat intelligence logs of APT attacks poorly.
To better capture the complex node relationships in the log hypergraph, an HGNN layer is added to the HTTN threat hunting model, since HGNN encodes the positional correlation of log nodes better than a conventional graph convolutional network (Graph Convolutional Network, GCN). For the l-th HGNN layer, the log hypergraph H and the hidden representation matrix are taken as input, and the nodes of the next layer are computed as follows:
where the formula uses a nonlinear activation function; the training parameter matrix of layer l; the diagonal node degree, hyperedge degree and hyperedge weight matrices; and a trainable parameter matrix.
The HGNN layer performs a node-hyperedge-node conversion of the log graph, so that the log hypergraph structure better refines the hyperedge features of the log. In the HTTN threat hunting model, to improve the matching of hyperedges in the subsequent hyperedge matching layer, a node-to-hyperedge conversion is applied to the novel power system log graph, embedding node features into the hyperedge matrix.
The initial log node features in the HTTN threat hunting model are learned through a parameter matrix; the hyperedge feature matrix is then formed by gathering the features of the log nodes on each hyperedge; finally, multiplication with the matrix H aggregates the related hyperedge features, so the HGNN layer fully extracts the positional and feature information of nodes in the novel power system and threat intelligence log graphs, improving the similarity scores of subsequent hyperedge matching.
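The HGNN update formula itself is not reproduced on this page (only its ingredients are named: an activation function, the incidence matrix H, the diagonal node-degree, hyperedge-degree and hyperedge-weight matrices, and a trainable parameter matrix). The following added example, which is not the patent's code, assumes the standard HGNN convolution of Feng et al. (2019), X' = ReLU(D_v^{-1/2} H W D_e^{-1} H^T D_v^{-1/2} X Θ), and also exposes the node-to-hyperedge step D_e^{-1} H^T X that produces the hyperedge feature matrix handed to the Transformer coding layer. The incidence matrix, node features and Θ are constructed so the result can be checked by hand.

```python
import math

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def diag(values):
    return [[v if i == j else 0.0 for j in range(len(values))] for i, v in enumerate(values)]

def degree_matrices(H, W):
    """Weighted node degrees d(v) = sum_e w(e) h(v,e) and hyperedge degrees d(e) = sum_v h(v,e)."""
    n, m = len(H), len(H[0])
    d_v = [sum(H[v][e] * W[e] for e in range(m)) for v in range(n)]
    d_e = [sum(H[v][e] for v in range(n)) for e in range(m)]
    return d_v, d_e

def hyperedge_features(H, X):
    """Node -> hyperedge step: D_e^{-1} H^T X, the mean of the member nodes' features.
    This is the log hyperedge matrix E handed to the Transformer coding layer."""
    _, d_e = degree_matrices(H, [1.0] * len(H[0]))
    De_inv = diag([1.0 / d if d else 0.0 for d in d_e])
    return matmul(De_inv, matmul(transpose(H), X))

def hgnn_layer(H, X, Theta, W=None):
    """One HGNN convolution (Feng et al. 2019 form, assumed here):
    X' = ReLU(D_v^{-1/2} H W D_e^{-1} H^T D_v^{-1/2} X Theta)."""
    m = len(H[0])
    W = W if W is not None else [1.0] * m          # unit hyperedge weights by default
    d_v, d_e = degree_matrices(H, W)
    Dv_inv_sqrt = diag([1.0 / math.sqrt(d) if d else 0.0 for d in d_v])
    De_inv = diag([1.0 / d if d else 0.0 for d in d_e])
    Z = matmul(Dv_inv_sqrt, matmul(X, Theta))      # scaled, projected node features
    E = matmul(De_inv, matmul(transpose(H), Z))     # node -> hyperedge aggregation
    E = matmul(diag(W), E)                          # apply hyperedge weights
    out = matmul(Dv_inv_sqrt, matmul(H, E))         # hyperedge -> node aggregation
    return [[max(0.0, v) for v in row] for row in out]

# Constructed incidence matrix: 3 log nodes, 2 hyperedges; node 1 lies on both.
SAMPLE_H = [[1, 0],
            [1, 1],
            [0, 1]]
SAMPLE_X = [[1.0], [2.0], [3.0]]      # one feature per node
SAMPLE_THETA = [[1.0]]                # identity projection so the result is checkable by hand

if __name__ == "__main__":
    print("hyperedge features E:", hyperedge_features(SAMPLE_H, SAMPLE_X))
    print("HGNN output X':", hgnn_layer(SAMPLE_H, SAMPLE_X, SAMPLE_THETA))
```

With the constructed inputs, node 1 (shared by both hyperedges) ends up with the largest output because both hyperedges feed back into it, which is the higher-order aggregation the text contrasts with pairwise GCN message passing.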
Hypergraph Transformer coding layer: the log hyperedge matrix E produced by the hypergraph neural network layer is input to a Transformer coding layer, which extracts the core features of the log hyperedge matrix and weakens the dependence problem among log hyperedges. The Transformer coding layer consists mainly of the following two structures:
Multi-head attention mechanism: self-attention is an improvement on the original attention mechanism and the core technique of the Transformer model. The self-attention calculation formula is as follows:
(3),
where E is the log hyperedge matrix; Q, K and V are the Query, Key and Value vectors obtained from E; the scaling term is the dimension of the Q and K vectors; and the three projection matrices are randomly initialised, so the model learns suitable parameters by back-propagation;
the multi-head attention mechanism can find the positional features within the log hyperedges, computes multiple sets of weights simultaneously without sharing weights among them, and by stacking attention layers lets the nodes of each log hyperedge attend to the features of surrounding nodes; the multi-head attention mechanism projects the input through h different linear transformations;
as shown in fig. 4, the results of the self-attention modules are finally concatenated, according to the following formula:
(4),
first, multiple sets of weight matrices are initialised, one per head; the Q, K and V of each head are computed and the attention formula gives h groups of outputs, which are concatenated (Concat) and multiplied by an output weight matrix to map back to the original space, giving an output with the same dimension as the input hyperedge matrix.
Feed-forward neural network: the feed-forward neural network of the hypergraph Transformer coding layer mainly addresses the insufficient fit of the multi-head attention mechanism to the data produced by the hypergraph neural network layer, so that the function generalises better; it consists of a fully connected layer with a ReLU activation function and a fully connected layer with a linear activation function.
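The coding layer described above (scaled dot-product self-attention over the hyperedge matrix E, h heads with separate projection matrices, concatenation and an output projection back to the input dimension, followed by a ReLU-then-linear feed-forward network) is shown end to end in this added example. It is not the patent's implementation: projection matrices are randomly initialised with a fixed seed and never trained, the head dimension is taken as d/h, and the residual connections and layer normalisation of a standard Transformer block are left out because the page does not describe them.

```python
import math
import random

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def softmax_rows(M):
    out = []
    for row in M:
        m = max(row)                       # subtract the max for numerical stability
        ex = [math.exp(x - m) for x in row]
        s = sum(ex)
        out.append([e / s for e in ex])
    return out

def rand_matrix(rows, cols, rng, scale):
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

def attention(Q, K, V):
    """Scaled dot-product attention: softmax(Q K^T / sqrt(d_k)) V.
    Returns the weighted values and the attention weight matrix."""
    d_k = len(Q[0])
    scores = [[s / math.sqrt(d_k) for s in row] for row in matmul(Q, transpose(K))]
    weights = softmax_rows(scores)
    return matmul(weights, V), weights

def multi_head_attention(E, h, seed=0):
    """h heads, each with its own randomly initialised W_Q, W_K, W_V of shape d x d/h
    (assumed); head outputs are concatenated and mapped back to dimension d by W_O."""
    d = len(E[0])
    assert d % h == 0, "model dimension must split evenly across heads"
    d_k = d // h
    rng = random.Random(seed)
    heads = []
    for _ in range(h):
        W_Q = rand_matrix(d, d_k, rng, 1 / math.sqrt(d))
        W_K = rand_matrix(d, d_k, rng, 1 / math.sqrt(d))
        W_V = rand_matrix(d, d_k, rng, 1 / math.sqrt(d))
        out, _ = attention(matmul(E, W_Q), matmul(E, W_K), matmul(E, W_V))
        heads.append(out)
    concat = [sum((head[r] for head in heads), []) for r in range(len(E))]
    W_O = rand_matrix(d, d, rng, 1 / math.sqrt(d))
    return matmul(concat, W_O)                      # same shape as E

def feed_forward(X, d_ff, seed=0):
    """Position-wise FFN: a ReLU fully connected layer followed by a linear one."""
    rng = random.Random(seed)
    d = len(X[0])
    W1 = rand_matrix(d, d_ff, rng, 1 / math.sqrt(d))
    W2 = rand_matrix(d_ff, d, rng, 1 / math.sqrt(d_ff))
    hidden = [[max(0.0, v) for v in row] for row in matmul(X, W1)]
    return matmul(hidden, W2)

def encoder_layer(E, h=2, d_ff=8, seed=0):
    """Multi-head attention over the hyperedge matrix, then the feed-forward network."""
    return feed_forward(multi_head_attention(E, h, seed), d_ff, seed)

# Constructed hyperedge matrix: 3 hyperedges with 4-dimensional features.
SAMPLE_E = [[1.0, 0.0, 0.5, 0.2],
            [0.0, 1.0, 0.5, 0.8],
            [0.3, 0.3, 0.0, 1.0]]

if __name__ == "__main__":
    for row in encoder_layer(SAMPLE_E):
        print([round(v, 4) for v in row])
```

Each attention row is a probability distribution over the hyperedges, so a hyperedge's encoded feature is a convex mix of the values of the hyperedges it attends to; the output keeps the |E| x d shape of the input, which is what lets the matching layer consume it unchanged.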
Hyperedge matching layer: because the correlation among log hyperedges is very important for a graph matching model, the HTTN threat hunting model uses a hyperedge matching mechanism. Conventional graph matching mostly matches nodes one by one; given the concealment and long-term persistence of APT attacks, considering only the correlation of log graph nodes or single edges matches APT threat intelligence poorly against the novel power system log repository. The HTTN threat hunting model therefore uses hyperedge matching rather than node feature matching, which is both more efficient and more accurate than matching all nodes of the whole graph;
the core of the hyperedge matching layer is the similarity score between the hyperedges of a hypergraph pair; a similarity score matrix of the pair is constructed by computing, for each hyperedge of the first hypergraph, the Gaussian kernel function against all hyperedges of the second hypergraph, i.e.:
(5),
where the two counts are the numbers of hyperedges in the two hypergraphs, the two vectors are hyperedges of the respective hypergraphs, and the kernel parameter controls the range of action of the Gaussian kernel: the larger its value, the larger the local influence range of the Gaussian kernel.
Similarity score calculation layer: after the log graph similarity score matrix is obtained, a fully connected neural network is needed to gradually reduce its dimension, and a function is then fitted to compute the similarity score of the log graphs. The fully connected layer realises a linear transformation from one feature space to another through matrix-vector products, finally reducing the dimension of the matrix;
the similarity matrix is processed by the fully connected layer to produce a similarity score, which is compared with the actual similarity score by the following mean square error loss function to measure how well the model matches the novel power system log graph against the threat intelligence log graph:
(6),
where G is the set of training graph pairs and the target term represents the actual similarity score between the two log graphs of a pair.
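The hyperedge matching layer and the similarity score calculation layer (in both the preferred-embodiment paragraphs and Example 2 above) reduce to three pieces: a Gaussian kernel between hyperedge feature vectors, the |E1| x |E2| score matrix it fills, and a fully connected readout whose output is compared with the actual score by the MSE loss of equation (6). This added example is not the patent's code; the kernel is written in the bandwidth form exp(-||x-y||^2 / (2 sigma^2)), so that a larger sigma widens the kernel's reach as the text states, and the readout weights are assumed constants rather than learned parameters.

```python
import math

def gaussian_kernel(x, y, sigma):
    """Gaussian (RBF) kernel exp(-||x - y||^2 / (2 sigma^2)) between two hyperedge
    feature vectors. sigma is the assumed bandwidth: the larger it is, the wider
    the local influence range of the kernel."""
    sq = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-sq / (2.0 * sigma * sigma))

def hyperedge_score_matrix(E1, E2, sigma=1.0):
    """Score matrix S of shape |E1| x |E2| with S[i][j] = k(e_i, e'_j)."""
    return [[gaussian_kernel(e1, e2, sigma) for e2 in E2] for e1 in E1]

def fc_readout(S, weights, bias):
    """Fully connected readout over the flattened score matrix (zero-padded or truncated
    to len(weights)), squashed to [0, 1] by a sigmoid. The weights are assumed here;
    in practice they would be learned under the MSE loss."""
    flat = [v for row in S for v in row]
    flat = (flat + [0.0] * len(weights))[:len(weights)]
    z = sum(w * x for w, x in zip(weights, flat)) + bias
    return 1.0 / (1.0 + math.exp(-z))

def mse_loss(predicted, actual):
    """Mean square error between predicted and actual similarity scores over a batch of pairs."""
    return sum((p - a) ** 2 for p, a in zip(predicted, actual)) / len(predicted)

# Constructed hyperedge feature matrices for one log graph pair (2-D features).
SAMPLE_E1 = [[0.0, 0.0], [1.0, 0.0], [2.0, 2.0]]
SAMPLE_E2 = [[0.0, 0.0], [2.0, 2.0]]

if __name__ == "__main__":
    S = hyperedge_score_matrix(SAMPLE_E1, SAMPLE_E2)
    for row in S:
        print([round(v, 4) for v in row])
    # uniform weights over a 3x2 window: the readout is the mean kernel score through a sigmoid
    score = fc_readout(S, [1.0 / 6] * 6, 0.0)
    print("similarity", round(score, 4), "loss vs 1.0:", mse_loss([score], [1.0]))
```

Identical hyperedges score exactly 1 and the score decays with squared distance, so a pair whose hyperedges line up (a threat intelligence subgraph that matches an audit-log subgraph) fills the matrix with values near 1; the threshold applied to the readout in step 4) of Example 1 is what turns that into a hunting hit.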
Example 3
To verify the accuracy and efficiency of the HTTN threat hunting model for APT threat hunting, the application uses a data set of Linux kernel audit logs covering several APT attack scenarios and runs comparison experiments against conventional graph regression models such as SimGNN, GraphSim, H2MN and HGMN, finally showing that the HTTN threat hunting model proposed by the application performs better at matching APT threat intelligence.
Experimental preparation and environment: the server runs Ubuntu 16.04 with 4 NVIDIA TITAN RTX 2080Ti graphics cards and CUDA 10.2; the experiments use Python 3.7 and are written with the PyTorch framework; the optimal hyperparameters of the HTTN threat hunting model are determined by grid search, and the relevant hyperparameters are shown in Table 1:
Table 1:
The Adam algorithm optimises the model parameters during training of the HTTN threat hunting model; it is a first-order optimisation algorithm that can replace conventional gradient descent, needs less memory during training and computes more efficiently, making it suitable for the large scale of power system kernel audit log data.
Evaluation method: to evaluate the matching effect of the HTTN threat hunting model accurately, the mean square error (Mean Square Error, MSE), the Spearman rank correlation coefficient and precision@10 (p@10) are used to measure model performance;
where MSE measures the mean square error between the predicted similarity score and the true similarity score as in equation (6); the Spearman coefficient evaluates the rank correlation between the predicted ranking and the true ranking; and p@10 is the size of the intersection between the ten highest predicted similarity scores and the ten highest actual similarity scores, divided by 10.
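The three evaluation metrics named above can be computed from two score vectors over a set of log graph pairs. The following is an added example, not the patent's evaluation code: it implements MSE, Spearman's rank correlation as the Pearson correlation of rank vectors (average ranks for ties), and p@10 as the overlap of the two top-10 sets, and runs them on constructed scores for 12 pairs in which the model has swapped the best and worst pair.

```python
def mean_square_error(predicted, actual):
    return sum((p - a) ** 2 for p, a in zip(predicted, actual)) / len(predicted)

def average_ranks(values):
    """1-based ranks; tied values receive the average of the ranks they span."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2.0 + 1.0
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = sum((a - mx) ** 2 for a in x) ** 0.5
    sy = sum((b - my) ** 2 for b in y) ** 0.5
    return cov / (sx * sy)

def spearman_rho(predicted, actual):
    """Spearman rank correlation = Pearson correlation of the two rank vectors."""
    return pearson(average_ranks(predicted), average_ranks(actual))

def precision_at_k(predicted, actual, k=10):
    """|top-k pairs by predicted score ∩ top-k pairs by actual score| / k."""
    top_pred = set(sorted(range(len(predicted)), key=lambda i: -predicted[i])[:k])
    top_true = set(sorted(range(len(actual)), key=lambda i: -actual[i])[:k])
    return len(top_pred & top_true) / k

def evaluate(predicted, actual):
    return {"mse": mean_square_error(predicted, actual),
            "rho": spearman_rho(predicted, actual),
            "p@10": precision_at_k(predicted, actual, 10)}

# Constructed scores for 12 log graph pairs: true scores rise evenly from 0 to 1,
# and the model's predictions are identical except that the best and worst pair are swapped.
TRUE_SCORES = [i / 11 for i in range(12)]
PRED_SCORES = list(TRUE_SCORES)
PRED_SCORES[0], PRED_SCORES[11] = PRED_SCORES[11], PRED_SCORES[0]

if __name__ == "__main__":
    for name, value in evaluate(PRED_SCORES, TRUE_SCORES).items():
        print(name, round(value, 4))
```

The constructed case shows why the three metrics are reported together: swapping only two pairs leaves nine of the top ten intact (p@10 = 0.9) but drags the rank correlation down to 2/13, while the MSE of 1/6 reflects the size of the two errors rather than their position in the ranking.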
Data set introduction and preprocessing: the experimental data set comes from Linux kernel audit logs under several APT attack scenarios. The novel power system has a distributed architecture and most of its services are deployed on Linux servers, so the security requirements on the servers are extremely high; the kernel audit logs record user system programs, processes and operations at the Linux kernel level, so log information from every stage of an APT attack can be collected. In the log graph, a node represents a command or program and an edge represents the correlation between commands or programs.
In the data set, 1000 log graph pairs are randomly selected and split into training, test and validation sets at 60%, 20% and 20%; because of the concealment of APT attacks, the number of log graph nodes generated from threat intelligence generally does not exceed 15; the similarity scores of the log graph pairs are generated on the data set with an A-type algorithm.
Analysis of the experimental results of different models: the HTTN threat hunting model proposed by the application is compared experimentally with the conventional SimGNN, GraphSim, HGMN and H2MN graph regression models; the results are shown in Table 2:
Table 2:
Referring to figs. 5, 6 and 7, on the Linux log data set containing APT attacks, the mean square error of the HTTN threat hunting model is lower than SimGNN by 0.81, than the GraphSim model by about 0.27, than the HGMN model by about 0.166 and than the H2MN model by 0.046;
in terms of the Spearman rank correlation coefficient, the HTTN threat hunting model improves on SimGNN by 0.06, on the GraphSim model by 0.0226, on the HGMN model by 0.0076 and on the H2MN model by 0.0126;
in terms of the p@10 index, the HTTN threat hunting model improves on SimGNN by about 0.1, on the GraphSim model by about 0.015, on the HGMN model by 0.0147 and on the H2MN model by 0.011. Comparing the MSE, Spearman coefficient and p@10 indices fully demonstrates the effectiveness of applying the Transformer coding layer's multi-head attention to the log graph hyperedge matrix in the HTTN threat hunting model, which matches threat intelligence better than the other four models.
When the novel electric power system suffers an APT attack based on a zero-day vulnerability, the longer the APT attack persists in the system, the greater the harm it causes, so the shorter the time required by the threat hunting model the better. We therefore carried out comparison experiments on the calculation time of the log graph similarity score for the different models.
As shown in Fig. 8, the HTTN threat hunting model reduces the calculation time of the log graph similarity score by 6.14, 7.1 and 5.35 milliseconds compared with the SimGNN, GraphSim and HGMN models respectively, while its time consumption is modest compared with the H2MN model. It can thus be seen that the HTTN threat hunting model optimizes the log graph pair calculation time.
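The three indices compared above (mean square error, Spearman rank correlation coefficient and p@10) are simple to reproduce. The following is an added example, not code from the patent, implementing them in plain Python; the predicted and ground-truth scores for one threat-information query graph against ten candidate log subgraphs, and the k used in the usage call, are constructed values.

```python
"""Evaluation metrics for a log-graph similarity model: MSE, Spearman rank
correlation and p@k. Added illustration, not code from the patent; the sample
scores below are constructed."""
from typing import Dict, List, Sequence


def mse(pred: Sequence[float], true: Sequence[float]) -> float:
    """Mean squared error between predicted and ground-truth similarity scores."""
    if len(pred) != len(true) or not pred:
        raise ValueError("pred and true must be non-empty and the same length")
    return sum((p - t) ** 2 for p, t in zip(pred, true)) / len(pred)


def average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks in ascending order; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2.0 + 1.0
        for pos in range(i, j + 1):
            ranks[order[pos]] = mean_rank
        i = j + 1
    return ranks


def spearman(pred: Sequence[float], true: Sequence[float]) -> float:
    """Spearman rank correlation: Pearson correlation computed on the rank vectors."""
    rp, rt = average_ranks(pred), average_ranks(true)
    n = len(rp)
    mp, mt = sum(rp) / n, sum(rt) / n
    cov = sum((a - mp) * (b - mt) for a, b in zip(rp, rt))
    sp = sum((a - mp) ** 2 for a in rp) ** 0.5
    st = sum((b - mt) ** 2 for b in rt) ** 0.5
    return cov / (sp * st) if sp and st else 0.0


def precision_at_k(pred: Sequence[float], true: Sequence[float], k: int) -> float:
    """p@k for one query graph: share of the k candidates ranked highest by the model
    that are also among the k candidates with the highest ground-truth score."""
    top_pred = set(sorted(range(len(pred)), key=lambda i: -pred[i])[:k])
    top_true = set(sorted(range(len(true)), key=lambda i: -true[i])[:k])
    return len(top_pred & top_true) / k


def evaluate(pred: Sequence[float], true: Sequence[float], k: int = 10) -> Dict[str, float]:
    """All three indices used in the comparison table, keyed by name."""
    return {
        "mse": mse(pred, true),
        "spearman": spearman(pred, true),
        f"p@{k}": precision_at_k(pred, true, k),
    }


# Constructed example: one threat-information log graph compared against ten
# candidate log subgraphs. TRUE plays the role of the A-type-algorithm ground
# truth, PRED the regression output of a model.
TRUE = [0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2, 0.1, 0.0]
PRED = [0.85, 0.75, 0.65, 0.62, 0.55, 0.35, 0.3, 0.25, 0.05, 0.1]

if __name__ == "__main__":
    print(evaluate(PRED, TRUE, k=3))
```

p@k is computed per query graph and averaged over queries in practice; the ranking-based indices (Spearman, p@k) are what matter for threat hunting with a score threshold, since they measure whether the true matches come out on top rather than whether the absolute score is exact.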
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means (e.g., infrared, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" in the present application merely describes an association relation between the associated objects and indicates that three relations may exist; for example, A and/or B may indicate three cases: A alone, A and B together, and B alone, wherein A and B may be singular or plural. In addition, the character "/" in the present application generally indicates that the associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, as may be understood from the context.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, essentially or in the part contributing to the prior art or in a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (3)

1. The hypergraph-transform-based threat hunting model building method is characterized by comprising the following steps:
the threat hunting model is an HTTN threat hunting model and comprises a graph information input layer, a hypergraph construction layer, a hypergraph neural network layer, a hypergraph Transformer coding layer, a hyperedge matching layer and a function calculation layer;
the graph information input layer is generated as follows:
n log graph pairs constitute the data input, each log graph pair being represented by its two log graphs, whose nodes and edges are arbitrary;
for an arbitrary log graph in the input set, the log graph is expressed by its node set and its edge set, the sizes of which respectively give the node number and the edge number;
an adjacency matrix with real-valued entries is used to characterize the log graph;
a feature matrix is used to represent the nodes of the log graph, its second dimension being the dimension of the node features; the second log graph of a pair is represented in the same way as the first;
in the hypergraph construction layer, the log hypergraph is defined by a log node set, a log hyperedge set, a log node feature matrix and a log hyperedge weight diagonal matrix; each hyperedge of the log hypergraph comprises at least two nodes, and an incidence matrix H is used to model the non-pairwise node relationships, the entries in H being defined as:
where each entry of the incidence matrix is assigned 1 if an edge exists between the two nodes and 0 if no edge exists; the degree of node v and the degree of hyperedge e are denoted accordingly, and the node degree diagonal matrix and the hyperedge degree diagonal matrix are respectively formed from them;
in the hypergraph neural network layer, one HGNN layer is added to the HTTN threat hunting model; for the l-th layer of the HGNN, the log hypergraph H and the hidden representation matrix are used as input, and the nodes of the next layer are then calculated as:
where Sigmoid is the nonlinear activation function, and the layer-l training parameter matrix, the diagonal node degree, edge degree and edge weight matrices and a further training parameter matrix are used;
the hypergraph Transformer coding layer inputs the log hyperedge matrix E processed by the hypergraph neural network layer into the Transformer coding layer, which extracts the core features of the log hyperedge matrix; the hypergraph Transformer coding layer comprises a multi-head attention mechanism and a feedforward neural network;
the self-attention mechanism is calculated as follows:
where E is the log hyperedge matrix, Q, K and V are the Query, Key and Value vectors respectively obtained from E, the scaling term is the dimension of the Q and K vectors, and the projection matrices are randomly initialized;
the multi-head attention mechanism performs projection mapping through h different linear transformations and finally concatenates the calculation results of all self-attention modules, expressed as:
multiple sets of weight matrices are initialized, the respective Q, K and V of each head are calculated, h groups of outputs are obtained according to the attention mechanism calculation formula, concatenated, and multiplied by an output weight matrix, finally mapping back to the original space to obtain an output whose dimension is identical to that of the hyperedge matrix input;
feedforward neural network: it consists of a fully connected layer with a ReLU activation function and a fully connected layer with a linear activation function, and is used to remedy the insufficient fitting of the multi-head attention mechanism to the data processed by the hypergraph neural network layer;
the hyperedge matching layer scores the hyperedges between the two hypergraphs of a hypergraph pair and constructs the score matrix of the pair; for each hyperedge of the first hypergraph, the Gaussian kernel function with all hyperedges of the second hypergraph is calculated to obtain the score:
where the two counts are the numbers of hyperedges in the two hypergraphs, the two vectors are the hyperedge representations of the two hypergraphs, and the kernel parameter controls the range of action of the Gaussian kernel function; the larger its value, the larger the local influence range of the Gaussian kernel;
in the function calculation layer, the score matrix is processed through a fully connected layer to generate a score, calculated as follows:
where G is the set of training graph pairs and the target value represents the actual score between the two log graphs of a pair;
the steps of the HTTN threat hunting model for threat hunting are as follows:
S1.1: collecting electric power system kernel audit log streams through the kernel audit engines of various operating systems, and constructing an electric power system log graph from the log streams through a stream processing unit module;
S1.2: collecting network threat information from various open-source or private threat information libraries, and generating a threat information log graph through a threat information processing module;
S1.3: inputting the electric power system log graph and the threat information log graph together into the HTTN threat hunting model, and calculating the score between each subgraph of the novel electric power system log graph and the threat information log graph by matching the log graphs;
S1.4: setting a score threshold for the HTTN threat hunting model, acquiring all operating system logs in the novel electric power system log library that match the threat information, and discovering unknown APT attacks through the HTTN threat hunting model, thereby completing threat hunting of APT attacks.
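As an added example (not the patent's own code), the following plain-Python snippet shows the hyperedge matching and function calculation layers of claim 1: the Gaussian kernel between every hyperedge of the two hypergraphs, the resulting score matrix, a fully connected scoring layer, and the mean-square-error loss against the actual score. The RBF form of the kernel, the pooling of the score matrix by row and column maxima, the fixed weights and bias of the output unit, and the hyperedge vectors are all assumptions, since the claim states only the inputs and the role of the kernel parameter.

```python
"""Hyperedge matching with a Gaussian kernel and a fully connected scoring
layer, followed by the MSE training loss. Added illustration, not the
patent's own code. Assumptions: RBF form of the kernel, pooling of the score
matrix by row/column maxima, and a 2-weight sigmoid output unit."""
import math
from typing import List, Sequence

Vector = Sequence[float]


def gaussian_kernel(a: Vector, b: Vector, sigma: float) -> float:
    """RBF kernel exp(-||a - b||^2 / (2 sigma^2)); a larger sigma widens the
    local influence range of each hyperedge, as the claim describes."""
    d2 = sum((x - y) ** 2 for x, y in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma * sigma))


def hyperedge_score_matrix(e1: Sequence[Vector], e2: Sequence[Vector], sigma: float) -> List[List[float]]:
    """Score matrix S of size |E1| x |E2|: S[i][j] is the kernel between hyperedge i
    of the first hypergraph and hyperedge j of the second."""
    return [[gaussian_kernel(a, b, sigma) for b in e2] for a in e1]


def pool_score_matrix(s: List[List[float]]) -> List[float]:
    """Assumed aggregation: mean of the best match per hyperedge in each direction,
    so the result does not depend on the hyperedge counts of the two hypergraphs."""
    row_max = [max(row) for row in s]
    col_max = [max(row[j] for row in s) for j in range(len(s[0]))]
    return [sum(row_max) / len(row_max), sum(col_max) / len(col_max)]


def fully_connected_score(features: Vector, weights: Vector, bias: float) -> float:
    """Single fully connected unit with sigmoid output, giving a score in (0, 1)."""
    z = sum(f * w for f, w in zip(features, weights)) + bias
    return 1.0 / (1.0 + math.exp(-z))


def similarity_score(e1: Sequence[Vector], e2: Sequence[Vector], sigma: float,
                     weights: Vector = (2.0, 2.0), bias: float = -2.0) -> float:
    """End-to-end: kernel score matrix -> pooled features -> fully connected score.
    The weights and bias are constructed constants standing in for trained parameters."""
    pooled = pool_score_matrix(hyperedge_score_matrix(e1, e2, sigma))
    return fully_connected_score(pooled, weights, bias)


def mse_loss(pred: Sequence[float], actual: Sequence[float]) -> float:
    """Mean squared error over the training pairs G between predicted and actual scores."""
    return sum((p - a) ** 2 for p, a in zip(pred, actual)) / len(pred)


# Constructed hyperedge representations (2-dimensional for readability): a
# threat-information hypergraph with three hyperedges and a log subgraph
# hypergraph with four, the last of which matches nothing in the first.
E_THREAT = [[0.0, 1.0], [1.0, 0.0], [0.5, 0.5]]
E_LOG = [[0.1, 0.9], [1.0, 0.1], [0.5, 0.4], [3.0, 3.0]]

if __name__ == "__main__":
    for row in hyperedge_score_matrix(E_THREAT, E_LOG, 1.0):
        print(["%.3f" % v for v in row])
    print("score:", similarity_score(E_THREAT, E_LOG, 1.0))
```

When the same hypergraph is matched against itself every row and column maximum is 1, so the pooled features are [1, 1] and the score is the sigmoid of the output unit's pre-activation; against an unrelated hypergraph the kernel values and hence the score fall off, with the speed of that fall-off set by the kernel parameter.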
2. The hypergraph-transform-based threat hunting model building method according to claim 1, wherein: in the hypergraph construction layer, the electric power system log hypergraph is constructed by a random walk method; for each log node v, a random walk with step length K is performed on the ordinary log graph G, and the sampled node sequence is then taken as a hyperedge, so that the hyperedge matrix of the hypergraph is obtained.
3. The hypergraph-transform-based threat hunting model building method according to claim 1, wherein: the HGNN layer performs log graph node-edge-node conversion so that the log hypergraph structure refines the hyperedge features of the log.
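An added example, not the patent's code, that ties claim 2 to the hypergraph construction and HGNN layer of claim 1: random walks of step length K on a small constructed Linux audit-log graph produce the hyperedges, the incidence matrix H and its node- and hyperedge-degree diagonals are built, and one HGNN propagation step is applied. The log graph, node features, parameter matrix and the use of unit hyperedge weights are constructed assumptions; the propagation formula used is the standard HGNN one, which the claim describes in words.

```python
"""Hypergraph construction from a log graph by random walks (claim 2), the
incidence matrix H with its node- and hyperedge-degree diagonals, and one HGNN
propagation step (claim 1). Added illustration, not the patent's code. The toy
log graph, features, hyperedge weights and parameter matrix are constructed."""
import math
import random
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[float]]

# Constructed provenance-style log graph: processes, files and a socket as
# nodes, undirected edges for the audit events that relate them.
LOG_GRAPH: Dict[str, List[str]] = {
    "bash": ["curl", "python3", "/tmp/payload"],
    "curl": ["bash", "203.0.113.5:443", "/tmp/payload"],
    "python3": ["bash", "/etc/passwd"],
    "/tmp/payload": ["bash", "curl"],
    "/etc/passwd": ["python3"],
    "203.0.113.5:443": ["curl"],
}


def random_walk_hyperedges(graph: Dict[str, List[str]], k: int, seed: int = 0) -> Tuple[List[str], List[List[str]]]:
    """For every node v, walk k steps on the ordinary log graph and take the set of
    visited nodes as one hyperedge. Walks that visit fewer than two distinct nodes
    are dropped, since each hyperedge must contain at least two nodes."""
    rng = random.Random(seed)
    nodes = sorted(graph)
    hyperedges: List[List[str]] = []
    for v in nodes:
        visited, cur = [v], v
        for _ in range(k):
            if not graph[cur]:
                break
            cur = rng.choice(graph[cur])
            visited.append(cur)
        members = sorted(set(visited))
        if len(members) >= 2:
            hyperedges.append(members)
    return nodes, hyperedges


def incidence_matrix(nodes: List[str], hyperedges: List[List[str]]) -> Matrix:
    """H[v][e] = 1 if node v belongs to hyperedge e, else 0."""
    index = {v: i for i, v in enumerate(nodes)}
    h = [[0.0] * len(hyperedges) for _ in nodes]
    for j, members in enumerate(hyperedges):
        for v in members:
            h[index[v]][j] = 1.0
    return h


def degree_diagonals(h: Matrix, w: Sequence[float]) -> Tuple[List[float], List[float]]:
    """Node degree d(v) = sum_e w(e) h(v,e); hyperedge degree delta(e) = sum_v h(v,e)."""
    dv = [sum(h[i][j] * w[j] for j in range(len(w))) for i in range(len(h))]
    de = [sum(h[i][j] for i in range(len(h))) for j in range(len(w))]
    return dv, de


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))] for i in range(len(a))]


def hgnn_layer(h: Matrix, w: Sequence[float], x: Matrix, theta: Matrix) -> Matrix:
    """X' = sigmoid(Dv^-1/2 H W De^-1 H^T Dv^-1/2 X Theta): node -> hyperedge -> node
    message passing, the node-edge-node conversion of claim 3."""
    dv, de = degree_diagonals(h, w)
    n, m = len(h), len(w)
    s = [dv[i] ** -0.5 if dv[i] > 0 else 0.0 for i in range(n)]  # isolated nodes stay 0
    left = [[s[i] * h[i][j] * w[j] / de[j] for j in range(m)] for i in range(n)]  # Dv^-1/2 H W De^-1
    right = [[s[j] * h[j][i] for j in range(n)] for i in range(m)]                # H^T Dv^-1/2
    z = matmul(matmul(matmul(left, right), x), theta)
    return [[1.0 / (1.0 + math.exp(-v)) for v in row] for row in z]


def node_features(nodes: List[str]) -> Matrix:
    """Constructed one-hot entity type per node: [process, file, socket]."""
    feats = []
    for v in nodes:
        if v.startswith("/"):
            feats.append([0.0, 1.0, 0.0])
        elif ":" in v:
            feats.append([0.0, 0.0, 1.0])
        else:
            feats.append([1.0, 0.0, 0.0])
    return feats


THETA: Matrix = [[0.5, -0.5], [0.2, 0.8], [-0.3, 0.6]]  # constructed 3x2 parameter matrix


def run(k: int = 2, seed: int = 7) -> Matrix:
    """Build the hypergraph with unit hyperedge weights and apply one HGNN layer."""
    nodes, hyperedges = random_walk_hyperedges(LOG_GRAPH, k, seed)
    h = incidence_matrix(nodes, hyperedges)
    return hgnn_layer(h, [1.0] * len(hyperedges), node_features(nodes), THETA)


if __name__ == "__main__":
    print(random_walk_hyperedges(LOG_GRAPH, 2, 7)[1])
    print(run())
```

Because every walk starts at a distinct node and the toy graph has no isolated nodes, each node ends up in at least its own hyperedge, so the node-degree diagonal is never zero; the guard in `hgnn_layer` covers graphs where that does not hold. The walk is seeded so that the hyperedge matrix, and therefore the model input, is reproducible across runs.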
CN202310108673.8A 2023-02-14 2023-02-14 Hypergraph-transform-based threat hunting model building method Active CN115834251B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310108673.8A CN115834251B (en) 2023-02-14 2023-02-14 Hypergraph-transform-based threat hunting model building method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310108673.8A CN115834251B (en) 2023-02-14 2023-02-14 Hypergraph-transform-based threat hunting model building method

Publications (2)

Publication Number Publication Date
CN115834251A CN115834251A (en) 2023-03-21
CN115834251B true CN115834251B (en) 2023-09-29

Family

ID=85521200

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310108673.8A Active CN115834251B (en) 2023-02-14 2023-02-14 Hypergraph-transform-based threat hunting model building method

Country Status (1)

Country Link
CN (1) CN115834251B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240598B (en) * 2023-11-07 2024-02-20 国家工业信息安全发展研究中心 Attack detection method, attack detection device, terminal equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112269316A (en) * 2020-10-28 2021-01-26 中国科学院信息工程研究所 High-robustness threat hunting system and method based on graph neural network
US11128649B1 (en) * 2019-03-06 2021-09-21 Trend Micro Incorporated Systems and methods for detecting and responding to anomalous messaging and compromised accounts
CN115221511A (en) * 2022-09-20 2022-10-21 国网江西省电力有限公司信息通信分公司 Power distribution Internet of things threat hunting method
CN115543951A (en) * 2022-11-30 2022-12-30 浙江工业大学 Log acquisition, compression and storage method based on origin map
CN115664696A (en) * 2022-08-30 2023-01-31 华北电力大学 APT attack active defense method based on threat hunting

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015066604A1 (en) * 2013-11-04 2015-05-07 Crypteia Networks S.A. Systems and methods for identifying infected network infrastructure
US10216938B2 (en) * 2014-12-05 2019-02-26 T-Mobile Usa, Inc. Recombinant threat modeling

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11128649B1 (en) * 2019-03-06 2021-09-21 Trend Micro Incorporated Systems and methods for detecting and responding to anomalous messaging and compromised accounts
CN112269316A (en) * 2020-10-28 2021-01-26 中国科学院信息工程研究所 High-robustness threat hunting system and method based on graph neural network
CN115664696A (en) * 2022-08-30 2023-01-31 华北电力大学 APT attack active defense method based on threat hunting
CN115221511A (en) * 2022-09-20 2022-10-21 国网江西省电力有限公司信息通信分公司 Power distribution Internet of things threat hunting method
CN115543951A (en) * 2022-11-30 2022-12-30 浙江工业大学 Log acquisition, compression and storage method based on origin map

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Khan Salman Muhammad ; Richard Rene ; Molyneaux Heather ; Cote Martel Danick ; Kamalanathan Elango Jackson Henry ; Livingstone Steve ; Gaudet Manon ; Trask Dave. Cyber Threat Hunting: A Cognitive Endpoint Behavior Analytic System. International Journal of Cognitive Informatics and Natural Intelligence (IJCINI). 2022, full text. *
徐嘉涔 ; 王轶骏 ; 薛质. A survey of research on cyberspace threat hunting. Communications Technology (《通信技术》). 2020, full text. *
胡钊 ; 金文娴 ; 陈禹旭. Research and analysis on threat intelligence. Science & Technology Information (科技资讯). 2021, full text. *

Also Published As

Publication number Publication date
CN115834251A (en) 2023-03-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant