CN115913791B - MDATA dynamic subgraph matching method and system based on incremental query index tree - Google Patents

Info
Publication number: CN115913791B
Authority: CN (China)
Prior art keywords: query, graph, dynamic, mdata, tree
Legal status: Active
Application number: CN202310213291.1A
Other languages: Chinese (zh)
Other versions: CN115913791A (en)
Inventors: 贾焰, 顾钊铨, 方滨兴, 闫昊, 杜磊, 张欢, 张志强
Current assignee: Shenzhen Graduate School Harbin Institute of Technology
Original assignee: Shenzhen Graduate School Harbin Institute of Technology
Application filed by Shenzhen Graduate School Harbin Institute of Technology; priority to CN202310213291.1A; published as CN115913791A; granted and published as CN115913791B.

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses an MDATA dynamic subgraph matching method, an MDATA dynamic subgraph matching system and a storage medium based on an incremental query index tree. Building on the advantage of MDATA's space-time characteristics for representing the security situation in the network security field, an attack behaviour is depicted as the query graph of a subgraph matching problem through the attribute characteristics of MDATA entities and relationships, and the whole network environment is depicted as the data graph. When the network changes, the data graph is updated dynamically and a corresponding auxiliary data structure is designed, so that the dynamic subgraph matching method detects attack behaviour in the network quickly and accurately in real time and protects network security. The MDATA subgraph matching method with the incremental query index tree can detect attack behaviour in real time, reduce the probability of false alarms and missed reports, reduce time complexity and improve detection speed.

Description

MDATA dynamic subgraph matching method and system based on incremental query index tree
Technical Field
The application relates to the technical field of network security, in particular to an MDATA dynamic subgraph matching method and system based on an incremental query index tree.
Background
The MDATA model is a model suited to dynamic network security situation awareness: it can perform association analysis on multidimensional data, construct network security knowledge with space-time characteristics, and provide analysts with a cognitive model for network security situation awareness. In form, the MDATA model is an improved knowledge graph (KG) model. Because a knowledge graph generally represents knowledge as triples, it must be updated frequently when knowledge changes, and it is difficult for it to represent knowledge such as time-sequence relationships and spatial features. The MDATA model removes these limitations of the knowledge graph for representing the network security situation. Specifically, the MDATA data model = <Concept, Entity, Relation, Property>, where Concept is a set of concepts; Entity is a set of entities, i.e. specific instances of concepts; Relation is a set of relationships; and Property is a set of properties. Both the relation set Relation and the property set Property carry space-time characteristics. Adding space-time characteristics to relations and properties allows knowledge with space-time characteristics to be represented effectively, and when knowledge changes, existing knowledge can be refined or new knowledge added simply by completing the corresponding space-time characteristics.
As network attacks diversify, a sustained attack process requires considering how network attacks change dynamically at different moments. Attack behaviour and the network situation can be characterised in graph form through the MDATA data model and detected with a subgraph matching method. However, traditional subgraph matching research assumes that the graph data stays unchanged, whereas in practice the graph data is continuously updated over time. Subgraph matching algorithms based on static graphs must perform complex mining analysis on the data graph and therefore lack the real-time performance of dynamic matching, which does not fit the actual situation; dynamic graph matching can meet the performance requirement of real-time matching as data is updated, so a subgraph isomorphism matching method for dynamic graphs has great practical value.
Dynamic subgraph matching is continuous subgraph matching over a changing graph. Given a data graph G = (V, E, L), a query graph P = (V_p, E_p, L_p) and an update sequence (formula not reproduced in the source), each element of which is a triple <op, u_i, u_j> describing the addition (op = 1) or deletion (op = 0) of an edge, continuous subgraph matching for changes of the query graph means matching as P becomes the updated query graph (formula not reproduced in the source), and continuous subgraph matching for changes of the data graph means matching as G becomes the updated data graph (formula not reproduced in the source).
The dynamic graph subgraph matching problem can be used for the corresponding query problem on knowledge graphs. The mainstream data model adopted by current knowledge graphs is the RDF graph model. RDF (Resource Description Framework) is defined as a finite set of triples (s, p, o), each representing a factual statement, where s is the subject, p the predicate and o the object. The basic unit of SPARQL, the standard query language for RDF knowledge graphs, is the triple pattern, and several triple patterns form a basic graph pattern (BGP). In solutions based on subgraph matching, a SPARQL BGP query is converted into a query graph, all subgraphs of the RDF knowledge graph that match the query are found by subgraph homomorphic matching, and the data graph nodes corresponding to the variable nodes of each matched subgraph are returned as the query result. Dynamic subgraph matching plays a very important role in many practical applications, such as real-time detection of network attacks in the network security field to reduce the harm they cause. But conventional subgraph matching methods do not consider changes of points and edges.
The structure and content of graph data change over time. For the subgraph pattern matching problem over a changing data graph, either snapshot-based matching or incremental matching can be adopted. Snapshot-based matching recomputes the match on the updated graph data, which amounts to repeatedly running static graph matching at different moments; because the computational complexity of subgraph matching is relatively high, a distributed parallel graph computation framework or an approximation algorithm is adopted to accelerate computation and meet timeliness requirements.
For dynamic graph query matching, prior-art methods such as snapshot detection need to re-match the complete data graph, which hurts matching efficiency. Incremental matching strategies are not specially optimised for data in the network security field: some of them perform isomorphic matching only and do not consider heterogeneous graphs, and most match structure only without considering the attributes and heterogeneity of points and edges, whereas most graphs carved out of network security data are heterogeneous graphs. Most knowledge graph matching work does not consider the dynamic nature of the knowledge graph, even though knowledge graph data is also large graph data and is updated frequently; the prior art gives little consideration to this problem, to updating and maintaining the built index, or to the continuous subgraph matching problem.
Disclosure of Invention
In view of these problems, the invention provides an MDATA dynamic subgraph matching method and system based on an incremental query index tree, aiming to solve the problems that network security subgraph matching methods rarely consider dynamic subgraph matching and do not consider heterogeneity, and that subgraph matching algorithms have high complexity, low efficiency and low matching speed caused by repeated computation.
The invention provides an MDATA dynamic subgraph matching method based on an incremental query index tree, comprising the following steps:
extracting attack rules to form an MDATA knowledge graph query graph;
generating a dynamic MDATA network security situation knowledge graph data graph based on network device alarm traffic;
generating an equivalent query tree based on the MDATA knowledge graph query graph, where the equivalent query tree contains all edges and nodes of the MDATA knowledge graph query graph;
establishing a dynamic MDATA data optimization querier and using it to decompose the equivalent query tree into a core part and a forest part, where the core part contains a minimum connected subgraph of the MDATA knowledge graph query graph and the forest part contains single-step attacks of the MDATA knowledge graph query graph, and storing the decomposition result of the dynamic MDATA data optimization querier in a dynamic index tree-shaped auxiliary structure DSQM-Tree for tracking the decomposition state of the equivalent query tree;
querying the core part and the forest part respectively in the MDATA network security situation knowledge graph data graph and storing the query results in a connection table, where the connection table corresponds to the connection nodes stored in the dynamic index tree-shaped auxiliary structure DSQM-Tree;
when new alarm traffic is generated at different moments, storing the new matches in the connection table, and ending the matching flow if the matching succeeds.
The invention further adopts the technical scheme that: the matching result of the core part is obtained through a pruning operation using the minimum connected subgraph of the core part.
The invention further adopts the technical scheme that: attack rules are extracted to form an MDATA knowledge graph query graph, where the extracted content includes entities, relationships, attributes and concept sets, and the entities and relationships include time characteristics and space characteristics.
The invention further adopts the technical scheme that: a dynamic MDATA network security situation knowledge graph data graph is generated based on network device alarm traffic, where the data form in which network device alarm traffic information is extracted is the same as that used to extract attack rules into the MDATA knowledge graph query graph.
The invention further adopts the technical scheme that: forest parts that have not been matched successfully are stored in the connection table to wait for updates of the MDATA network security situation knowledge graph data graph.
The invention further adopts the technical scheme that: when the matching of the forest part or the core part succeeds, a connection (join) operation is performed in the connection table to obtain the final matching result.
In a second aspect of the present invention, an MDATA dynamic subgraph matching system based on an incremental query index tree is provided, the system comprising:
a query graph acquisition unit for extracting attack rules to form an MDATA knowledge graph query graph;
a data graph acquisition unit for generating a dynamic MDATA network security situation knowledge graph data graph based on network device alarm traffic;
an equivalent query tree acquisition unit for generating an equivalent query tree based on the MDATA knowledge graph query graph, where the equivalent query tree contains all edges and nodes of the MDATA knowledge graph query graph;
an equivalent query tree decomposition unit for establishing a dynamic MDATA data optimization querier and using it to decompose the equivalent query tree into a core part and a forest part, where the core part contains a minimum connected subgraph of the MDATA knowledge graph query graph and the forest part contains single-step attacks of the MDATA knowledge graph query graph, and for storing the decomposition result of the dynamic MDATA data optimization querier in a dynamic index tree-shaped auxiliary structure DSQM-Tree for tracking the decomposition state of the equivalent query tree;
a query unit for querying the core part and the forest part respectively in the MDATA network security situation knowledge graph data graph and storing the query results in a connection table, where the connection table corresponds to the connection nodes stored in the dynamic index tree-shaped auxiliary structure DSQM-Tree;
and a dynamic matching unit for storing the new matches in the connection table when new alarm traffic generates the MDATA network security situation knowledge graph data graph at different moments, and ending the matching flow if the matching succeeds.
The invention further adopts the technical scheme that: the content extracted in the query graph acquisition unit includes entities, relationships, attributes and concept sets, where the entities and relationships include time characteristics and space characteristics.
In a third aspect of the present invention, an MDATA dynamic subgraph matching system based on an incremental query index tree is provided, including: a processor; and a memory storing a computer executable program which, when executed by the processor, performs the MDATA dynamic subgraph matching method based on an incremental query index tree.
In a fourth aspect of the present invention, a computer readable storage medium is provided, having instructions stored thereon which, when executed by a processor, cause the processor to perform the above-described MDATA dynamic subgraph matching method based on an incremental query index tree.
The MDATA dynamic subgraph matching method and system based on an incremental query index tree provided by the invention build on the advantage of MDATA's space-time characteristics for representing the security situation in the network security field: attack behaviour is represented as a graph structure through the attribute characteristics of MDATA entities and relationships, and an effective dynamic subgraph matching technique is designed to handle continuously arriving new points and edges, so that network attack behaviour is detected effectively in real time. The MDATA subgraph matching technique with an incremental query index tree designed by the invention can detect attack behaviour in real time, reduce the probability of false alarms and missed reports, reduce time complexity and improve detection speed. The beneficial effects of the invention are as follows:
the subgraph matching method for the dynamic MDATA knowledge graph designed by the invention can detect attack behaviour in the network in real time. Traditional dynamic graph subgraph detection techniques are mainly structure-based subgraph isomorphism detection methods that do not consider the attributes and heterogeneity of points and edges, whereas graphs carved out of network security data are mostly heterogeneous, and many such techniques need to re-match the complete data graph, which hurts matching efficiency. The method describes the attack detection problem in MDATA as a real-time subgraph matching problem, so the time characteristics of the MDATA knowledge graph can be used effectively and detection efficiency is improved;
the invention decomposes the MDATA query graph into a core part and a forest part. In existing query languages a simple ring can be obtained directly by pruning, which avoids subgraph matching computation, thereby accelerating detection and improving detection efficiency;
the space-time characteristics and heterogeneity of the MDATA knowledge graph are fully considered, and the core subgraph is searched through the DSQM-Tree auxiliary data structure, the connection table design and the pruning method, which alleviates the NP-hard dynamic subgraph matching problem and increases detection speed;
compared with existing dynamic graph matching and knowledge graph query techniques, the method and device use dynamic subgraph matching to detect attack behaviour in MDATA and can realise real-time detection of network attacks; the designed DSQM-Tree auxiliary data structure for decomposing the query graph and the connection table method accelerate detection and improve accuracy, the whole process displays the detection procedure more intuitively and clearly, and this benefits the analysis, judgement and defence of attack behaviour.
Drawings
FIG. 1 is a flow chart of an MDATA dynamic subgraph matching method based on an incremental query index tree in an embodiment of the present invention;
FIG. 2 is a flow chart illustrating an exemplary MDATA dynamic subgraph matching method based on an incremental query index tree in an embodiment of the present invention;
FIG. 3 is a schematic diagram of the DSQM-Tree auxiliary data structure in an embodiment of the present invention;
FIG. 4 is a schematic diagram of an MDATA dynamic subgraph matching system based on an incremental query index tree in an embodiment of the present invention;
FIG. 5 shows the architecture of a computer device in an embodiment of the invention.
Description of the embodiments
To describe the technical scheme of the invention in further detail, the embodiments are implemented on the premise of the technical scheme of the invention, and detailed implementation modes and specific steps are given.
The described features, structures, or characteristics of the disclosure may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present disclosure. However, those skilled in the art will recognize that the aspects of the present disclosure may be practiced with one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
Before discussing exemplary embodiments in more detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart depicts steps as a sequential process, many of the steps may be implemented in parallel, concurrently, or with other steps. Furthermore, the order of the steps may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figures. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The drawings are merely schematic illustrations of the present disclosure, in which like reference numerals denote like or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or both of a hardware acquisition module or an integrated circuit or in a different network and/or processor device and/or microcontroller device.
The embodiments of the invention provide the following embodiments of an MDATA dynamic subgraph matching method, an MDATA dynamic subgraph matching system and a computer storage medium based on an incremental query index tree:
Example 1 according to the invention
This embodiment provides an MDATA dynamic subgraph matching method based on an incremental query index tree, shown in FIG. 1, comprising the following steps:
S110, extracting attack rules to form an MDATA knowledge graph query graph;
S120, generating a dynamic MDATA network security situation knowledge graph data graph based on network device alarm traffic;
S130, generating an equivalent query tree based on the MDATA knowledge graph query graph, where the equivalent query tree contains all edges and nodes of the MDATA knowledge graph query graph;
S140, establishing a dynamic MDATA data optimization querier and using it to decompose the equivalent query tree into a core part and a forest part, where the core part contains a minimum connected subgraph of the MDATA knowledge graph query graph and the forest part contains single-step attacks of the MDATA knowledge graph query graph, and storing the decomposition result of the dynamic MDATA data optimization querier in a dynamic index tree-shaped auxiliary structure DSQM-Tree for tracking the decomposition state of the equivalent query tree;
S150, querying the core part and the forest part respectively in the MDATA network security situation knowledge graph data graph and storing the query results in a connection table, where the connection table corresponds to the connection nodes stored in the dynamic index tree-shaped auxiliary structure DSQM-Tree;
and S160, when new alarm traffic is generated at different moments, storing the new matches in the connection table, and ending the matching flow if the matching succeeds.
Preferably, the matching result of the core part is obtained through a pruning operation using the minimum connected subgraph of the core part.
Preferably, the attack rules are extracted to form an MDATA knowledge graph query graph, where the extracted content includes entities, relationships, attributes and concept sets, and the entities and relationships include time features and space features.
Preferably, when the dynamic MDATA network security situation knowledge graph is generated based on network device alarm traffic, the data form in which the network device alarm traffic information is extracted is the same as that used to extract attack rules into the MDATA knowledge graph query graph.
Preferably, forest parts that have not been matched successfully are stored in the connection table to wait for updates of the MDATA network security situation knowledge graph data graph.
Preferably, when the matching of the forest part or the core part succeeds, a connection operation is performed in the connection table to obtain the final matching result.
The specific implementation process is shown in FIG. 2, an example flow chart of the MDATA dynamic subgraph matching method based on an incremental query index tree designed for this embodiment. First, following the general flow of a subgraph matching method, the corresponding data graph and query graphs are established: on the left and right sides of the flow chart these are the MDATA network security situation graph at two moments and the MDATA query graph set, and the MDATA network security situation graph is not fixed but changes continuously at different moments. Then each query graph in the MDATA query graph set is converted into an equivalent query tree, preparing for the subsequent operations. The query tree is then decomposed into two main parts, a core part (Core) and a forest part (Forest); each core part can have a different minimum connected graph, and the forest part mainly represents several single-step attacks and can contain several subtrees, as shown in FIG. 3. The decomposition result is stored in an auxiliary data structure named the dynamic index tree auxiliary structure DSQM-Tree (Dynamic Subgraph Query MDATA Tree), which tracks the decomposition state of the dynamic graph and stores the candidate node set corresponding to the query tree. The forest part and the core part are queried respectively in the MDATA network security situation graph, the query results are stored in the connection table, and finally the connection nodes stored in the corresponding DSQM-Tree are recorded. Because the MDATA network security situation graph may change, the forest part is not necessarily matched completely and must wait for matching; during this process the changes of the data graph and the matching results of the forest part are reflected in the connection table, and the process ends once the matching succeeds.
Specifically, in S110, complex attack rules are converted into MDATA knowledge graph query graphs. Before this embodiment starts, a large number of attack logs are obtained through extensive experiments, and keywords in the logs are extracted to form the MDATA knowledge graph. The extracted content includes entities, relationships, attributes and concept sets, and the time and space characteristics of entities and relationships are extracted. In this way a series of MDATA query graph sets is constructed.
In S120, a dynamic MDATA network security situation knowledge graph is generated based on the alarm traffic of network devices (IDS, IPS and firewalls). Useful fields are extracted by the method of S110, but unlike S110, what is recorded is not the MDATA knowledge graph representing an attack but the whole network security situation graph. The whole MDATA network security situation graph comprises the MDATA knowledge graph generated from alarm logs and the MDATA knowledge graph generated from normal system logs, which together form one large graph. Because the various log information in a real scenario changes continuously, the security situation graph of the whole MDATA network changes continuously, which increases the matching difficulty.
In S130, an equivalent query tree is generated based on the MDATA knowledge graph query graph; the equivalent query tree contains all edges and nodes of the query graph and prepares for the subsequent pruning operation. A corresponding equivalent query tree is generated for each query graph because a plain graph structure is unfavourable for pruning. Since the equivalent query tree contains all edges of the original query graph, pruning on it is more powerful.
In S140, a dynamic MDATA data optimization querier is established, and the equivalent query tree is decomposed by the optimizer into two parts, a core part (Core) and a forest part (Forest). The core part is mainly the minimum connected subgraph of the query graph, and the forest part mainly represents the individual single-step attacks. The decomposition result is then stored in the data structure of the dynamic index tree-shaped auxiliary structure DSQM-Tree (Dynamic Subgraph Query MDATA Tree), which tracks the decomposition of the dynamic graph and stores the corresponding set of query tree candidate nodes. In the specific implementation, the dynamic MDATA data optimization querier decomposes the equivalent query tree into the two parts according to the optimizer. Because subgraph matching is expensive, for some simple queries the query result can be obtained directly by designing an effective pruning strategy; some research shows that in existing query languages a simple ring can be obtained directly by pruning, avoiding subgraph matching computation. Therefore the equivalent query tree is decomposed into the core part (Core) and the forest part (Forest) according to the optimizer, where the core part is a minimum connected subgraph, i.e. a small ring structure, so that the matching result of the core part is obtained by pruning alone without a subgraph matching algorithm. Other forest parts that have not been matched successfully are stored in the connection table to wait for the MDATA data graph to change.
In S160, when the MDATA dynamic knowledge graph generated by new alarm traffic arrives at different moments, the new matches are stored in the connection table to establish whether the new detection succeeds. In the specific implementation, points and edges in MDATA are generated from the new alarm traffic at different moments and added to the original data graph. To avoid repeated computation a connection table is designed: if the forest part or the core part is matched successfully, a connection operation is performed in the connection table to obtain the final matching result, and if the matching result of the querier q is not 0, the matching succeeds.
A specific example of this embodiment:
As shown in Fig. 3, a query graph is decomposed into two core graphs, Core1 and Core2, and two forest graphs, Forest1 and Forest2. The four parts are stored separately in a connection table, shown in Table 1, which records the matching results; the core parts can be matched successfully by the pruning operation alone, which greatly reduces the computational complexity. When the data graph is the original g0, the match does not succeed; the arrival of the two subsequent data-graph updates (figure symbols not reproduced in the text) causes the two decomposed subgraphs Forest1 and Forest2, respectively, to match successfully, so the final match succeeds through the join operation.

Table 1: connection table (table image not reproduced in the text)
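The decomposition of S140 and the connection-table join of S160, as an added worked example in Python; it is not the patent's code. The query graph, its node labels and the alarm stream are constructed, the core is found by leaf peeling (so it is the ring of the query) and each remaining edge is one forest part; the label test that discards non-candidate edges stands in for the patent's pruning operation.

```python
"""Incremental Core/Forest matching with a connection table (added example,
not the patent's code; the query, labels and alarm stream are constructed)."""
from collections import defaultdict
from itertools import product

# Edges are (src, relation, dst); a query node's label must equal the data
# node's label for an edge to be a candidate (label-based pruning).
QUERY_EDGES = [("q1", "scan", "q2"), ("q2", "exploit", "q3"),
               ("q3", "beacon", "q1"),                      # closes the Core ring
               ("q3", "lateral", "q4"), ("q4", "exfil", "q5")]  # Forest steps
QUERY_LABELS = {"q1": "external_ip", "q2": "workstation", "q3": "server",
                "q4": "db", "q5": "external_ip"}
DATA_LABELS = {"203.0.113.7": "external_ip", "10.0.0.5": "workstation",
               "10.0.1.20": "server", "10.0.2.9": "db", "198.51.100.3": "external_ip"}
# Constructed alarm stream: the original data graph g0 (3 edges), one noise
# edge that label pruning rejects, then two updates completing the forest.
ALARM_STREAM = [("203.0.113.7", "scan", "10.0.0.5"),
                ("10.0.0.5", "exploit", "10.0.1.20"),
                ("10.0.1.20", "beacon", "203.0.113.7"),
                ("10.0.0.5", "exploit", "10.0.2.9"),      # dst is db, not server
                ("10.0.1.20", "lateral", "10.0.2.9"),     # completes Forest1
                ("10.0.2.9", "exfil", "198.51.100.3")]    # completes Forest2


def decompose(query_edges):
    """Peel degree-1 nodes repeatedly: peeled edges form the Forest (one
    single-step attack each); what survives is the Core ring of the query."""
    core = set(query_edges)
    while True:
        deg = defaultdict(int)
        for u, _, v in core:
            deg[u] += 1
            deg[v] += 1
        leaves = {e for e in core if deg[e[0]] == 1 or deg[e[2]] == 1}
        if not leaves:
            break
        core -= leaves
    return sorted(core), [e for e in query_edges if e not in core]


def join(maps_a, maps_b):
    """Join two sets of partial matches (frozensets of (query, data) pairs):
    keep pairs that agree on shared query nodes and stay injective."""
    out = set()
    for a, b in product(maps_a, maps_b):
        da, db = dict(a), dict(b)
        if any(da[k] != db[k] for k in da.keys() & db.keys()):
            continue
        merged = {**da, **db}
        if len(set(merged.values())) == len(merged):
            out.add(frozenset(merged.items()))
    return out


class DynamicMatcher:
    def __init__(self, query_edges, query_labels, data_labels):
        core, forest = decompose(query_edges)
        self.parts = {"Core": core} if core else {}
        for i, e in enumerate(forest, 1):
            self.parts[f"Forest{i}"] = [e]
        self.qlabels, self.dlabels = query_labels, data_labels
        self.edge_cands = defaultdict(set)          # query edge -> edge matches
        self.table = {p: set() for p in self.parts}  # connection table

    def _fits(self, qe, de):
        (u, r, v), (a, s, b) = qe, de
        return (r == s and self.qlabels[u] == self.dlabels.get(a)
                and self.qlabels[v] == self.dlabels.get(b))

    def add_edge(self, de):
        """Insert one data edge from the alarm stream, refresh the connection
        table for the parts it touches and return the complete matches."""
        touched = set()
        for part, qedges in self.parts.items():
            for qe in qedges:
                if self._fits(qe, de):
                    self.edge_cands[qe].add(frozenset({(qe[0], de[0]), (qe[2], de[2])}))
                    touched.add(part)
        for part in touched:  # a part matches when all its edges join consistently
            matches = {frozenset()}
            for qe in self.parts[part]:
                matches = join(matches, self.edge_cands[qe])
            self.table[part] = matches
        return self.full_matches()

    def full_matches(self):
        """Join the per-part results of the connection table; a non-empty
        list means the whole query graph (the attack) has been detected."""
        result = {frozenset()}
        for part in self.parts:
            result = join(result, self.table[part])
            if not result:
                return []
        return [dict(m) for m in result]
```

Feeding `ALARM_STREAM` edge by edge to `DynamicMatcher(QUERY_EDGES, QUERY_LABELS, DATA_LABELS).add_edge` yields no complete match for g0 and the noise edge; the core row of the table fills after the third edge, and only the last update closes the join.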
Embodiment 2 of the invention
The MDATA dynamic subgraph matching system 4 based on the incremental query index tree provided in embodiment 2 of the present invention can execute the MDATA dynamic subgraph matching method based on the incremental query index tree provided in embodiment 1, and has the functional modules and beneficial effects corresponding to that method. Fig. 4 is a schematic structural diagram of the MDATA dynamic subgraph matching system 4 based on the incremental query index tree in embodiment 2. Referring to Fig. 4, the system may specifically include:
a query graph obtaining unit 410, configured to extract attack rules to form an MDATA knowledge graph query graph;
a data graph obtaining unit 420, configured to generate a dynamic MDATA network security situation knowledge graph data graph based on network device alarm traffic;
an equivalent query tree obtaining unit 430, configured to generate an equivalent query tree based on the MDATA knowledge graph query graph, where the equivalent query tree includes all edges and nodes of the MDATA knowledge graph query graph;
an equivalent query tree decomposition unit 440, configured to establish a dynamic MDATA data optimization querier, decompose the equivalent query tree into a core part and a forest part using that querier, where the core part includes a minimum connected subgraph of the MDATA knowledge graph query graph and the forest part includes the single-step attacks of the MDATA knowledge graph query graph, and store the decomposition result of the querier in a dynamic index tree-shaped auxiliary structure DSQM-Tree for tracking the decomposition state of the equivalent query tree;
a query unit 450, configured to query the core part and the forest part in the MDATA network security situation knowledge graph data graph and store the query results in a connection table, where the connection table corresponds to the connection nodes stored in the dynamic index tree-shaped auxiliary structure DSQM-Tree;
a dynamic matching unit 460, configured to store new matches in the connection table when new alarm traffic generates MDATA network security situation knowledge graph data at different moments, and to end the matching process if the match is successful.
Preferably, the content extracted by the query graph obtaining unit 410 includes entities, relationships, attributes and a concept set, where the entities and relationships carry temporal and spatial features.
In addition to the elements described above, the MDATA dynamic subgraph matching system 4 based on the incremental query index tree may also include other components, however, since these components are not related to the contents of the embodiments of the present disclosure, illustration and description thereof are omitted herein.
For the specific working process of the MDATA dynamic subgraph matching system 4 based on the incremental query index tree, refer to the description of method embodiment 1; it is not repeated here.
Embodiment 3 of the invention
A system according to an embodiment of the invention may also be implemented with the computing device architecture shown in Fig. 5. As shown in Fig. 5, a computer system 510 comprises a system bus 530, one or more CPUs 540, input/output 520, memory 550, and the like. The memory 550 may store data or files used for computer processing and/or communication, and program instructions executed by the CPU, including the method of embodiment 1. The architecture shown in Fig. 5 is merely exemplary; one or more of its components may be adapted as needed to implement different devices. The memory 550, as a computer readable storage medium, may store software programs, computer executable programs and modules, such as the program instructions/modules corresponding to the MDATA dynamic subgraph matching method based on the incremental query index tree of the embodiments (for example, the query graph obtaining unit 410, the data graph obtaining unit 420, the equivalent query tree obtaining unit 430, the equivalent query tree decomposition unit 440, the query unit 450 and the dynamic matching unit 460 of the MDATA dynamic subgraph matching system 4). The one or more CPUs 540 execute the functional applications and data processing of the system by running the software programs, instructions and modules stored in the memory 550, i.e. they implement the MDATA dynamic subgraph matching method based on the incremental query index tree described above, which includes:
extracting attack rules to form an MDATA knowledge graph query graph;
generating a dynamic MDATA network security situation knowledge graph data graph based on network device alarm traffic;
generating an equivalent query tree based on the MDATA knowledge graph query graph, wherein the equivalent query tree comprises all edges and nodes of the MDATA knowledge graph query graph;
establishing a dynamic MDATA data optimization querier and using it to decompose the equivalent query tree into a core part and a forest part, wherein the core part comprises a minimum connected subgraph of the MDATA knowledge graph query graph and the forest part comprises the single-step attacks of the MDATA knowledge graph query graph, and storing the decomposition result of the querier in a dynamic index tree-shaped auxiliary structure DSQM-Tree for tracking the decomposition state of the equivalent query tree;
querying the core part and the forest part respectively in the MDATA network security situation knowledge graph data graph, and storing the query results in a connection table, wherein the connection table corresponds to the connection nodes stored in the dynamic index tree-shaped auxiliary structure DSQM-Tree;
when new alarm traffic arrives at different moments, storing the new matches in the connection table, and ending the matching flow if the match is successful.
Of course, the processor of the server provided by the embodiment of the present invention is not limited to executing the method operations described above, and may also execute the related operations in the MDATA dynamic subgraph matching method based on the incremental query index tree provided by any embodiment of the present invention.
The memory 550 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal, etc. In addition, memory 550 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, memory 550 may further include memory located remotely from one or more CPUs 540, which may be connected to the device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input/output 520 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the device. The input/output 520 may also include a display device such as a display screen.
Embodiment 4 of the invention
Embodiments of the present invention may also be implemented as a computer-readable storage medium. The computer-readable storage medium according to embodiment 4 has a computer program stored thereon. When the computer program is executed by a processor, the MDATA dynamic subgraph matching method based on the incremental query index tree according to embodiment 1 of the present invention described with reference to the above drawings can be performed.
Of course, the storage medium containing the computer executable instructions provided in the embodiments of the present invention is not limited to the method operations described above, and may also perform the related operations in the incomplete multi-view multi-label classification method based on label guidance provided in any embodiment of the present invention.
The computer-readable storage media of embodiments of the present invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or terminal. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
In summary, the embodiments show that the MDATA dynamic subgraph matching method, system and storage medium based on the incremental query index tree provided by the invention build on the advantages of MDATA in representing the spatio-temporal characteristics of the network security domain: attack behaviour is represented as a graph structure through the attribute features of MDATA entities and relationships, and an effective dynamic subgraph matching technique is designed for the continuously arriving new points and edges, so that network attack behaviour can be detected effectively in real time. The MDATA subgraph matching technique based on the incremental query index tree designed by the invention can detect attack behaviour in real time, reduce the probability of false positives and missed detections, reduce the time complexity and improve the detection speed. The beneficial effects of the invention are as follows. The subgraph matching method for the dynamic MDATA knowledge graph designed by the invention can detect attack behaviour in the network in real time. Traditional dynamic graph subgraph detection techniques are mainly structure-based subgraph isomorphism methods that do not consider the attributes and heterogeneity of points and edges, whereas the graphs depicting network security data are mostly heterogeneous, and many of these techniques must re-match the complete data graph, which affects matching efficiency; by describing the attack detection problem in MDATA as a real-time subgraph matching problem, the method makes effective use of the temporal characteristics of the MDATA knowledge graph and improves detection efficiency. The invention decomposes the MDATA query graph into a core part and a forest part;
in existing query languages a simple ring can be obtained directly by pruning, which avoids the subgraph matching computation, accelerates detection and improves detection efficiency. The spatio-temporal characteristics and heterogeneity of the MDATA knowledge graph are fully considered: the core subgraph is searched through the DSQM-Tree auxiliary data structure, the connection table design and the pruning method, which relieves the NP-hard problem of dynamic subgraph matching and increases detection speed. Compared with existing dynamic graph matching and knowledge graph query techniques, the method and system use dynamic subgraph matching to detect attack behaviour in MDATA and can achieve real-time detection of network attacks. The designed DSQM-Tree auxiliary data structure for decomposing the query graph and the connection table method increase detection speed and accuracy, make the whole detection process more intuitive and clear, and support the investigation, judgement and defence of attack behaviour.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (10)

1. An MDATA dynamic subgraph matching method based on an incremental query index tree, characterized by comprising the following steps:
extracting attack rules to form an MDATA knowledge graph query graph;
generating a dynamic MDATA network security situation knowledge graph data graph based on network device alarm traffic;
generating an equivalent query tree based on the MDATA knowledge graph query graph, wherein the equivalent query tree comprises all edges and nodes of the MDATA knowledge graph query graph;
establishing a dynamic MDATA data optimization querier and using it to decompose the equivalent query tree into a core part and a forest part, wherein the core part comprises a minimum connected subgraph of the MDATA knowledge graph query graph and the forest part comprises the single-step attacks of the MDATA knowledge graph query graph, and storing the decomposition result of the dynamic MDATA data optimization querier in a dynamic index tree-shaped auxiliary structure DSQM-Tree for tracking the decomposition state of the equivalent query tree;
querying the core part and the forest part respectively in the MDATA network security situation knowledge graph data graph, and storing the query results in a connection table, wherein the connection table corresponds to the connection nodes stored in the dynamic index tree-shaped auxiliary structure DSQM-Tree;
when new alarm traffic arrives at different moments, storing the new matches in the connection table, and ending the matching flow if the match is successful.
2. The MDATA dynamic subgraph matching method based on the incremental query index tree according to claim 1, characterized in that the matching result of the core part is obtained through pruning operation by utilizing the minimum connected subgraph of the core part.
3. The MDATA dynamic subgraph matching method based on the incremental query index tree according to claim 1, characterized in that the attack rule is extracted to form an MDATA knowledge graph query graph, wherein the extracted content includes an entity, a relationship, an attribute and a concept set, and the entity and the relationship include a temporal feature and a spatial feature.
4. The MDATA dynamic subgraph matching method based on the incremental query index tree according to claim 1, wherein the dynamic MDATA network security situation knowledge graph data graph is generated based on the network device alarm traffic, and the data form of extracting the network device alarm traffic information is the same as that of extracting the attack rule to form the MDATA knowledge graph query graph.
5. The MDATA dynamic subgraph matching method based on the incremental query index tree according to claim 1, characterized in that the unsuccessfully matched forest parts are stored in a connection table to wait for the update of the MDATA network security situation knowledge graph data map.
6. The MDATA dynamic subgraph matching method based on the incremental query index tree according to claim 5, wherein when the forest part or the core part matches successfully, the connection operation is performed in the connection table and the final matching result is obtained.
7. An MDATA dynamic subgraph matching system based on an incremental query index tree, the system comprising:
a query graph obtaining unit, configured to extract attack rules to form an MDATA knowledge graph query graph;
a data graph obtaining unit, configured to generate a dynamic MDATA network security situation knowledge graph data graph based on network device alarm traffic;
an equivalent query tree obtaining unit, configured to generate an equivalent query tree based on the MDATA knowledge graph query graph, wherein the equivalent query tree comprises all edges and nodes of the MDATA knowledge graph query graph;
an equivalent query tree decomposition unit, configured to establish a dynamic MDATA data optimization querier, decompose the equivalent query tree into a core part and a forest part using the dynamic MDATA data optimization querier, wherein the core part comprises a minimum connected subgraph of the MDATA knowledge graph query graph and the forest part comprises the single-step attacks of the MDATA knowledge graph query graph, and store the decomposition result of the dynamic MDATA data optimization querier in a dynamic index tree-shaped auxiliary structure DSQM-Tree for tracking the decomposition state of the equivalent query tree;
a query unit, configured to query the core part and the forest part respectively in the MDATA network security situation knowledge graph data graph and store the query results in a connection table, wherein the connection table corresponds to the connection nodes stored in the dynamic index tree-shaped auxiliary structure DSQM-Tree;
a dynamic matching unit, configured to store new matches in the connection table when new alarm traffic generates the MDATA network security situation knowledge graph data graph at different moments, and to end the matching flow if the match is successful.
8. The MDATA dynamic sub-graph matching system based on the incremental query index tree according to claim 7, wherein the contents extracted in the query graph obtaining unit include an entity, a relationship, an attribute and a concept set, and the entity and the relationship include a temporal feature and a spatial feature.
9. An MDATA dynamic subgraph matching system based on an incremental query index tree, comprising:
a processor; and a memory, wherein the memory has stored therein a computer executable program that, when executed by the processor, performs the MDATA dynamic subgraph matching method based on the incremental query index tree of any one of claims 1-6.
10. A computer-readable storage medium having instructions stored thereon that, when executed by a processor, cause the processor to perform the MDATA dynamic subgraph matching method based on the incremental query index tree of any one of claims 1-6.
Application CN202310213291.1A, priority date 2023-03-08, filing date 2023-03-08: MDTA dynamic subgraph matching method and system based on incremental query index tree (status: Active; granted as CN115913791B).

Publications: CN115913791A published 2023-04-04; CN115913791B published 2023-06-13.
