CN116318990A - Attack chain real-time detection method and device, electronic equipment and storage medium - Google Patents
- Publication number: CN116318990A
- Application number: CN202310266446.8A
- Authority: CN (China)
- Prior art keywords: graph, attack, nodes, traceability, time
- Legal status: Pending (status as listed by Google Patents, which notes that it is an assumption and not a legal conclusion)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
  - H04L63/14: for detecting or protecting against malicious traffic
    - H04L63/1408: by monitoring network traffic
      - H04L63/1416: Event detection, e.g. attack signature detection
  - H04L63/20: for managing network security; network security policies in general
- Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
Embodiments of this application provide a real-time attack chain detection method and device, an electronic device and a storage medium in the technical field of threat detection. The method generates an original provenance graph (called a "traceability graph" in the original text) from collected log data; applies preset matching rules to add attack tags to the original provenance graph, producing a tagged provenance graph; reduces the tagged graph, creates time-sequence nodes and optimizes nodes, producing a compressed provenance graph; and associates the attack tags over the compressed graph to obtain an attack chain. Because the original graph is matched against the rule base before compression, alarm events are not deleted by mistake and accuracy improves; creating time-sequence nodes makes real-time detection possible and raises detection efficiency. This addresses the long run time, low accuracy and lack of real-time analysis of existing methods.
Description
Technical Field
This application relates to the technical field of threat detection, and in particular to a real-time attack chain detection method and device, an electronic device and a storage medium.
Background
With the development of information technology, advanced persistent threats (APT) have become a major threat to organizations. A complete APT attack is usually divided into seven phases: initial compromise, establishing a foothold, privilege escalation, internal reconnaissance, lateral movement, maintaining presence, and covering tracks. These seven phases are called the APT life cycle; they also form an attack chain model that helps detect the flow of an APT attack and are widely used in APT detection research.
The main target of an APT is the host system. Traditional detection methods analyze the intrusion process from system calls and use TTP numbers (ATT&CK technique IDs) to understand the attacker's intent, techniques and process, but host logs do not record TTP numbers, so reconstructing attack behavior from unstructured audit logs is laborious. Most existing provenance-graph-based intrusion detection systems first find local anomalies and then link them through dependency relationships. Such methods only detect alarm information at a single stage and cannot show the overall APT attack process; because detection takes long and accuracy is low, they cannot analyze in real time an APT attack that spans hosts and stays active for a long time.
Disclosure of Invention
Embodiments of this application aim to provide a real-time attack chain detection method, device, electronic device and storage medium. The original provenance graph is matched against a rule base before compression, so that alarm events are not deleted by mistake and accuracy improves; time-sequence nodes are created to raise detection efficiency and enable real-time detection. This addresses the long run time, low accuracy and lack of real-time analysis of existing methods.
Embodiments of this application provide a real-time attack chain detection method comprising the following steps:
generating an original provenance graph from the collected log data;
adding attack tags to the original provenance graph using preset matching rules to generate a tagged provenance graph;
reducing the tagged provenance graph, creating time-sequence nodes and optimizing nodes to generate a compressed provenance graph;
and associating the attack tags over the compressed provenance graph to obtain an attack chain.
In this implementation, rule matching is performed on the original provenance graph before compression, so alarm events are not deleted by mistake and detection accuracy improves. Creating time-sequence nodes moves the timestamps from the edges onto the nodes and turns the dynamic graph into a static one, which enables real-time detection, speeds up forensic analysis and improves detection efficiency, addressing the long run time, low accuracy and lack of real-time analysis of existing methods.
Further, adding attack tags to the original provenance graph using preset matching rules to generate a tagged provenance graph includes:
adding APT information to the edges of the original provenance graph according to the matching rules, the APT information comprising TTP numbers and APT stage information;
and extracting the edges that carry APT information, together with their endpoint nodes, to generate the tagged provenance graph.
In this implementation, the original provenance graph is matched against the rule base and APT information is attached to the edges, so that alarm events are not deleted by mistake during the subsequent compression and attack stage association, giving good detection accuracy.
Further, reducing the tagged provenance graph includes:
determining, from the APT information, whether an edge between two nodes is a repeated edge;
if so, keeping the edge of the event that occurred first and deleting the edge of the event that occurred later.
In this implementation, repeated edges are deleted, i.e. key information is kept and redundant information removed; this does not affect the forensic analysis result and improves detection efficiency.
Further, creating time-sequence nodes for the tagged provenance graph includes:
obtaining the incoming edges of each node;
and transferring the timestamp of each incoming edge to the corresponding node to create a time-sequence node.
In this implementation, the timestamp of the incoming edge is transferred to the corresponding node to create a time-sequence node, turning the dynamic graph into a static graph, which enables real-time detection and speeds up forensic analysis.
Further, node optimization of the tagged provenance graph includes:
determining whether the time-sequence node of the same entity at the previous moment (the predecessor of the current time-sequence node) has an outgoing edge;
if not, merging the timestamps of the two time-sequence nodes and keeping all incoming edges of both.
In this implementation, time-sequence nodes are merged on the basis of their timestamps, achieving node optimization.
Further, associating the attack tags over the compressed provenance graph to obtain an attack chain includes:
obtaining the edges and nodes that correspond to TTP numbers in the compressed graph;
filling those edges and nodes into the respective APT stages of a preset attack chain model;
and generating the complete attack chain by associating the TTPs through the time-sequence relationships between the nodes.
In this implementation, the attack chain model serves as a template: the located TTPs are filled into their corresponding APT attack stages, so that the complete attack chain is displayed.
Embodiments of this application also provide a real-time attack chain detection device comprising:
a data collection and analysis module, configured to generate an original provenance graph from the collected log data;
a rule matching module, configured to add attack tags to the original provenance graph using preset matching rules to generate a tagged provenance graph;
a compression module, configured to reduce the tagged provenance graph, create time-sequence nodes and optimize nodes to generate a compressed provenance graph;
and an attack stage association module, configured to associate the attack tags over the compressed provenance graph to obtain an attack chain.
In this implementation, rule matching is performed on the original provenance graph before compression, so alarm events are not deleted by mistake and detection accuracy improves. Creating time-sequence nodes moves the timestamps from the edges onto the nodes and turns the dynamic graph into a static one, which enables real-time detection, speeds up forensic analysis and improves detection efficiency, addressing the long run time, low accuracy and lack of real-time analysis of existing methods.
Further, the rule matching module includes:
an information adding module, configured to add APT information to the edges of the original provenance graph according to the matching rules, the APT information comprising TTP numbers and APT stage information;
and an extraction module, configured to extract the edges that carry APT information, together with their endpoint nodes, to generate the tagged provenance graph.
In this implementation, the original provenance graph is matched against the rule base and APT information is attached to the edges, so that alarm events are not deleted by mistake during the subsequent compression and attack stage association, giving good detection accuracy.
Embodiments of this application also provide an electronic device comprising a memory and a processor; the memory stores a computer program, and the processor runs it so that the electronic device executes the real-time attack chain detection method described above.
Embodiments of this application also provide a readable storage medium storing computer program instructions which, when read and run by a processor, execute any of the real-time attack chain detection methods described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of the real-time attack chain detection method provided in an embodiment of this application;
Fig. 2 is a flowchart of the rule matching step provided in an embodiment of this application;
Fig. 3 is a flowchart of the reduction step provided in an embodiment of this application;
Fig. 4 is a flowchart of the time-sequence node creation step provided in an embodiment of this application;
Fig. 5 is a flowchart of the node optimization step provided in an embodiment of this application;
Fig. 6 is a flowchart of the attack stage association step provided in an embodiment of this application;
Fig. 7 is a block diagram of the real-time attack chain detection device provided in an embodiment of this application;
Fig. 8 is a block diagram of another real-time attack chain detection device provided in an embodiment of this application.
Reference numerals:
100: data collection and analysis module; 200: rule matching module; 201: information adding module; 202: extraction module; 300: compression module; 301: reduction module; 302: time-sequence node creation module; 303: node optimization module; 400: attack stage association module.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a flowchart of an attack chain real-time detection method according to an embodiment of the present application.
In the prior art, anomaly detection on an original provenance graph has three limitations. First, the original graph occupies a lot of storage and contains much redundant information that interferes with detection. Second, the computation is heavy: provenance analysis usually finds local outliers first and then links them through dependency relationships, which requires global information about the graph such as reachability. Because the original graph stores timestamps on its edges, reachability between nodes changes over time and must be recomputed as time advances; in practice two nodes are reachable only within a particular time window, and if the result of the last computation could be cached for later use, forensic analysis would be faster. Third, many detection methods store the data first and run intrusion detection on the stored data afterwards, which cannot achieve real-time detection.
A compression algorithm can delete the redundant information of the original provenance graph and reduce the amount of stored data, but if the graph is simply compressed there is no guarantee that everything deleted is a normal event, so alarm events related to attack behavior may be deleted as well.
Therefore rule matching is performed before compression: tags related to APT attacks, such as TTPs, are attached to the dependency relationships and entity behavior information in the original graph, and during compression the TTP tag serves as the condition on whether an event may be deleted, so that alarms are not deleted by mistake as far as possible. The compression algorithm of this application consists of three sub-algorithms: a reduction algorithm, a time-sequence node creation algorithm and a node optimization algorithm. The reduction algorithm deletes repeated edges; creating time-sequence nodes moves the timestamps from edges to nodes and turns the dynamic provenance graph into a static graph whose reachability no longer changes with time, which makes real-time detection possible. The first two steps may produce redundant nodes because dependency relationships are preserved, so node optimization is also needed to delete them.
First, log data is collected and parsed into an original provenance graph. Second, rule matching is performed on the original graph so that its edges carry information related to attack behavior, such as TTPs. Then repeated events are deleted with the reduction algorithm, the timestamps of the edges are transferred to the nodes with the time-sequence node creation algorithm, and redundant nodes are deleted by node optimization. Finally, the attack stage association module finds the attack entry point and the alarm events, links the TTPs through the time-sequence relationships between nodes, and displays the complete APT attack chain.
TTP (Tactics, Techniques and Procedures) numbers are technique identifiers from the MITRE ATT&CK framework; each attack technique has a unique technique ID (for example T1036 for Masquerading).
A provenance graph represents the interactions between nodes. Nodes represent system entities (such as processes and files); edges carry a timestamp, represent the dependency relationship between nodes and are directed along the flow of information: for example, an edge between node u and node v that goes from u to v is an incoming edge of v. Compared with raw system audit data, the provenance graph links the attack steps together, so that an analyst can find the attack entry point and the exploited system weakness more easily and accurately.
The method specifically comprises the following steps:
step S100: generating an original traceability map based on the acquired log data;
by monitoring the audit log of the target host and analyzing the log into a traceability map format (or an original traceability map) according to a log analysis rule, nodes and edges in the traceability map respectively have different attributes, such as attributes of a process ID, a process name and the like, and edges have attributes of a time stamp, an event type and the like.
Step S200: adding an attack tag to the original traceability graph by using a preset matching rule to generate a tag traceability graph;
step S300: reducing the label tracing graph, creating time sequence nodes and optimizing the nodes, and generating a compressed tracing graph;
step S400: and associating the attack labels based on the compressed traceability graph to obtain an attack chain.
As shown in Fig. 2, the rule matching flowchart, step S200 specifically includes the following steps:
Step S201: adding APT information to the edges of the original provenance graph according to the matching rules, the APT information comprising TTP numbers and APT stage information;
Step S202: extracting the edges that carry APT information, together with their endpoint nodes, to generate the tagged provenance graph.
Alarm events are matched using a rule base, i.e. attributes related to APT attacks, such as the TTP number and APT stage information, are added to edges of the original provenance graph. The rule base defines the rules that trigger an alarm, including the action that triggers it, file names of malicious programs, the attack technique, and the APT stage the abnormal behavior belongs to. According to the rule base, edges of the original graph are marked with TTP numbers and APT stage information, and the edges carrying these marks are extracted together with their endpoint nodes to form the tagged provenance graph.
Rule matching prevents the compression algorithm from deleting alarm events by mistake and improves detection accuracy.
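As an added illustration (example code, not from the patent), the following Python program parses a constructed audit log in a simple key=value format into provenance edges (step S100), matches them against a constructed rule base that maps a triggering action plus an object path pattern to an ATT&CK technique ID and APT stage (step S201), and extracts the tagged provenance graph (step S202). The log format, the process and file naming, the rules and their technique-to-stage mapping are assumptions of this example.

```python
"""Steps S100 and S200: parse a host audit log into provenance edges, tag them
from a rule base, and extract the tagged graph. Added example; constructed
log and rules, not the applicant's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed log in key=value form (an assumption of this example; the patent
# fixes no log format). t is a logical clock, pid/child are process IDs.
SAMPLE_LOG = """\
t=1 proc=bash pid=100 op=exec obj=/tmp/.cache/update child=101
t=2 proc=update pid=101 op=write obj=/etc/cron.d/sysupd
t=3 proc=update pid=101 op=read obj=/etc/shadow
t=4 proc=update pid=101 op=read obj=/etc/hosts
t=5 proc=update pid=101 op=read obj=/etc/shadow
"""

# Constructed rule base: triggering action, object path pattern, ATT&CK
# technique ID and APT stage. The technique-to-stage mapping is illustrative.
RULES = [
    {"etype": "exec",  "path_re": r"^/tmp/",         "ttp": "T1036", "stage": "initial compromise"},
    {"etype": "write", "path_re": r"^/etc/cron\.d/", "ttp": "T1053", "stage": "establish foothold"},
    {"etype": "read",  "path_re": r"^/etc/shadow$",  "ttp": "T1003", "stage": "privilege escalation"},
]


@dataclass
class Edge:
    """Directed provenance edge u -> v along the flow of information."""
    u: str
    v: str
    t: int
    etype: str
    path: str                  # object path that the rule base inspects
    ttp: Optional[str] = None  # filled in by rule matching
    stage: Optional[str] = None


def parse_log(text: str) -> list:
    """Step S100: turn unstructured log lines into provenance edges."""
    edges = []
    for line in text.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        proc = f"{kv['proc']}:{kv['pid']}"
        t, op, obj = int(kv["t"]), kv["op"], kv["obj"]
        if op == "read":        # file content flows into the process
            edges.append(Edge(obj, proc, t, "read", obj))
        elif op == "write":     # process output flows into the file
            edges.append(Edge(proc, obj, t, "write", obj))
        elif op == "exec":      # parent creates the child; obj is the child's image
            child = f"{obj.rsplit('/', 1)[-1]}:{kv['child']}"
            edges.append(Edge(proc, child, t, "exec", obj))
        else:
            raise ValueError(f"unknown op {op!r}")
    return edges


def match_rules(edges: list, rules: list) -> list:
    """Step S201: attach TTP number and APT stage to every edge that hits a
    rule. The first matching rule wins; unmatched edges stay untagged."""
    for e in edges:
        for r in rules:
            if e.etype == r["etype"] and re.search(r["path_re"], e.path):
                e.ttp, e.stage = r["ttp"], r["stage"]
                break
    return edges


def label_graph(edges: list):
    """Step S202: keep only tagged edges and their endpoint nodes."""
    tagged = [e for e in edges if e.ttp is not None]
    nodes = sorted({n for e in tagged for n in (e.u, e.v)})
    return nodes, tagged


def run_example():
    edges = match_rules(parse_log(SAMPLE_LOG), RULES)
    return edges, label_graph(edges)


if __name__ == "__main__":
    edges, (nodes, tagged) = run_example()
    print("nodes:", nodes)
    for e in tagged:
        print(f"{e.u} -> {e.v} t={e.t} {e.etype} ttp={e.ttp} stage={e.stage}")
```

The untagged read of /etc/hosts is dropped at extraction, while both tagged reads of /etc/shadow survive into the tagged graph; the later reduction step collapses them to one edge because their event type and TTP are identical, rather than discarding an alarm blindly, which is the point of matching before compressing.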
The tagged provenance graph is then compressed by reduction, time-sequence node creation and node optimization to produce the compressed provenance graph. As shown in Fig. 3, the reduction flowchart, reducing the tagged provenance graph in step S300 specifically includes the following steps:
Step S311: determining, from the APT information, whether an edge between two nodes is a repeated edge;
Step S312: if so, keeping the edge of the event that occurred first and deleting the edge of the event that occurred later.
The purpose of reduction is to keep key information and discard redundant information. The redundant information removed by reduction is the repeated edges between a pair of nodes: if two such edges have the same event type and the same TTP number, only one is kept. To preserve global information about the provenance graph such as reachability, reduction keeps the event that occurred first and deletes the one that occurred later. Reduction considers only the attack path, not the exact time of the alarm event: once the entry point of the attack is determined the attack path can be found, so the forensic analysis result is not affected.
As shown in Fig. 4, the time-sequence node creation flowchart, creating time-sequence nodes for the tagged provenance graph in step S300 includes:
Step S321: obtaining the incoming edges of each node;
Step S322: transferring the timestamp of each incoming edge to the corresponding node to create a time-sequence node.
When a node receives an incoming edge, a time-sequence node is created for it, i.e. the timestamp of the incoming edge is transferred to the node. When a node has several incoming edges, its time-sequence nodes are said to have a time-sequence relationship. After this operation the reachability of the provenance graph is no longer affected by time, so reachability between node pairs need not be recomputed. Once reachability between node pairs is established, newly collected logs can be parsed, rule-matched and processed in real time, and the nodes and edges produced from them are joined onto the previously generated graph.
It should be noted that although the timestamp of an edge is transferred to the node, the other information of the edge remains on the edge.
As shown in Fig. 5, node optimization of the tagged provenance graph in step S300 includes:
Step S331: determining whether the time-sequence node at the previous moment of the current time-sequence node has an outgoing edge;
Step S332: if not, merging the timestamps of the two time-sequence nodes and keeping all their incoming edges.
Node optimization checks whether the node at the moment (or time interval) immediately preceding a given time-sequence node has an outgoing edge. If it does not, the timestamps of the two nodes are merged and all incoming edges of the node are kept; otherwise the node at the current moment is kept separately, so that the original dependency relationships remain unchanged. The condition matters: a node that has already acted (has an outgoing edge) must not absorb a later incoming edge, or that later input would appear to reach the earlier output.
The pseudocode of the compression algorithm is as follows, where V is the set of nodes of the tagged provenance graph, E_T its set of edges, (u, v, t) an edge with start node u, end node v and timestamp t, (u, v, <t) an edge from u to v with a timestamp earlier than t, and last(v) the latest time-sequence node of v before time t.
Algorithm Compression(V, E_T)
Input: edges (u, v, t) of the tagged provenance graph G = (V, E_T)
Output: compressed provenance graph G = (V, E)
for each edge (u, v, t) in E_T:
    if an edge (u, v, <t) exists:
        if (u, v, t) and (u, v, <t) have the same event type and TTP number:
            delete (u, v, t) and continue with the next edge          (reduction)
        create v_t, the state of node v at time t                      (the timestamp moves from the edge to the node)
        if last(v) has an outgoing edge:
            connect last(u) to v_t, and connect last(v) to v_t
        else:
            merge last(v) and v_t, keep all incoming edges of v, and connect last(u) to the merged node   (node optimization)
    else:
        create v_t and connect last(u) to v_t
As shown in Fig. 6, the attack stage association flowchart, step S400 specifically includes the following steps:
Step S401: obtaining the edges and nodes that correspond to TTP numbers in the compressed graph;
Step S402: filling those edges and nodes into the respective APT stages of a preset attack chain model;
Step S403: generating the complete attack chain by associating the TTPs through the time-sequence relationships between the nodes.
In the attack association stage the attack chain model serves as a template and the located TTPs are filled into their corresponding APT attack stages. First, the events carrying TTP numbers are located in the compressed provenance graph; then the corresponding nodes and edges are filled into each APT stage; finally the TTPs are associated through the time-sequence relationships between nodes to display the complete APT attack chain.
The method can be applied to real-time monitoring of APT attacks on a host system with timely alarming, in the following steps:
Step S11: system logs are gathered by a collection function and parsed into nodes and edges by a log parsing function, converting the unstructured logs into a structured original provenance graph. Nodes have attributes such as type and name; edges have attributes such as timestamp and event type.
Step S12: the original provenance graph from the previous step is matched against the rule base, and attributes that explain the intrusion process, such as TTP numbers, are added to edges of the graph.
Step S13: the provenance graph from the previous step is first reduced by deleting repeated edges. For example, if process P performs two read operations on file F and both operations carry TTP T1106, the reduction unit deletes the edge with the later timestamp and keeps the edge with the earlier one. The timestamps of the edges are then transferred to the nodes, after which the edges carry no timestamp and the provenance graph has turned from a dynamic graph into a static one. Finally, redundant nodes are deleted.
Step S14: the compressed provenance graph is examined and the located TTPs are filled into the corresponding APT attack stages. For example, if parent process P creates child process Q at time T1 using technique T1036, an event that belongs to the initial compromise stage, and process P writes file F at time T2 using technique T1074, which belongs to the establishing-a-foothold stage, the two TTPs are associated through the time-sequence relationship of process P at the two different times.
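The following Python program, added here as an illustration and not part of the patent, implements the compression pseudocode given above (reduction, time-sequence node creation with the last(v) rule, and node optimization) together with the stage-filling association of steps S401 to S403, run over a constructed set of tagged edges that extends the S13/S14 scenario (P creates Q, P writes F, P reads F twice, and a further read and connection). The 'init' node for an entity that acts before receiving any edge, the 'succession' edge that keeps an entity's own temporal order, the technique T1021 and the stage assignments are assumptions of this example.

```python
"""Compression (reduction, time-sequence nodes, node optimization) and attack
stage association. Added example with constructed input; not the applicant's code."""
from collections import defaultdict
from dataclasses import dataclass, field

# Seven-stage APT model used as the filling template.
APT_STAGES = ["initial compromise", "establish foothold", "privilege escalation",
              "internal reconnaissance", "lateral movement", "maintain presence",
              "cover tracks"]


@dataclass(frozen=True)
class TaggedEdge:
    """Edge of the tagged provenance graph: u -> v at time t with APT info."""
    u: str
    v: str
    t: int
    etype: str
    ttp: str
    stage: str


@dataclass
class TimeNode:
    """Time-sequence node: one entity in one state, holding the timestamps
    moved off its incoming edges."""
    entity: str
    times: list = field(default_factory=list)


class CompressedGraph:
    def __init__(self):
        self.nodes = {}          # node id -> TimeNode
        self.edges = []          # (src_id, dst_id, etype, ttp, stage); no timestamp
        self.latest = {}         # entity -> id of its latest TimeNode, i.e. last(v)
        self.out_degree = defaultdict(int)
        self._kept = set()       # (u, v, etype, ttp) already in the graph

    def _new_node(self, entity, t=None):
        nid = f"{entity}@{'init' if t is None else t}"
        self.nodes[nid] = TimeNode(entity, [] if t is None else [t])
        self.latest[entity] = nid
        return nid

    def _link(self, src, dst, etype, ttp="", stage=""):
        self.edges.append((src, dst, etype, ttp, stage))
        self.out_degree[src] += 1

    def add(self, e: TaggedEdge) -> bool:
        """Insert one edge; callers feed edges in time order. Returns False
        when reduction drops it as a repeat of an earlier (u, v, <t) edge."""
        key = (e.u, e.v, e.etype, e.ttp)
        if key in self._kept:    # same event type and TTP: the earlier edge stays
            return False
        self._kept.add(key)
        # The source is u's latest state; an entity that acts before ever
        # receiving an edge gets an 'init' node (an assumption of this example).
        src = self.latest.get(e.u) or self._new_node(e.u)
        prev = self.latest.get(e.v)
        if prev is not None and self.out_degree[prev] == 0:
            # Node optimization: last(v) has no outgoing edge, so merging the
            # timestamps cannot let a later input reach an earlier output.
            self.nodes[prev].times.append(e.t)
            self._link(src, prev, e.etype, e.ttp, e.stage)
            return True
        v_t = self._new_node(e.v, e.t)   # timestamp moves from the edge to the node
        self._link(src, v_t, e.etype, e.ttp, e.stage)
        if prev is not None:             # preserve v's own time-sequence relation
            self._link(prev, v_t, "succession")
        return True

    def reachable(self, a: str, b: str) -> bool:
        """Reachability on the static graph: no time window, so it is cacheable."""
        seen, stack = set(), [a]
        while stack:
            n = stack.pop()
            if n == b:
                return True
            if n not in seen:
                seen.add(n)
                stack.extend(d for s, d, *_ in self.edges if s == n)
        return False


def attack_chain(g: CompressedGraph) -> list:
    """Step S400: fill the stage template with the located TTPs. Edges were
    inserted in time order, which is the time-sequence relation; each entry
    also reports the timestamps now held by its destination node."""
    by_stage = {s: [] for s in APT_STAGES}
    for src, dst, etype, ttp, stage in g.edges:
        if ttp:                          # succession edges carry no TTP
            by_stage[stage].append((ttp, src, dst, tuple(g.nodes[dst].times)))
    return [(s, by_stage[s]) for s in APT_STAGES if by_stage[s]]


def build_example():
    """Constructed tagged edges extending the S13/S14 scenario; T1021 and the
    stage assignments are illustrative."""
    edges = [
        TaggedEdge("P", "Q", 1, "create_process", "T1036", "initial compromise"),
        TaggedEdge("P", "F", 2, "write", "T1074", "establish foothold"),
        TaggedEdge("F", "P", 3, "read", "T1106", "internal reconnaissance"),
        TaggedEdge("F", "P", 4, "read", "T1106", "internal reconnaissance"),  # repeat
        TaggedEdge("F", "Q", 5, "read", "T1106", "internal reconnaissance"),
        TaggedEdge("Q", "H", 6, "connect", "T1021", "lateral movement"),
    ]
    g = CompressedGraph()
    dropped = sum(not g.add(e) for e in sorted(edges, key=lambda e: e.t))
    return g, attack_chain(g), dropped
```

Calling build_example() returns the compressed graph, the filled attack chain and the number of edges removed by reduction: the second read of F by P is dropped, P's state at time 3 becomes a new node because P@init has already acted, and the read into Q at time 5 is merged into Q@1 because Q had not yet acted, so Q@1 ends up carrying both timestamps. Because no edge carries a time any more, reachable() answers a plain graph query that can be cached, which is what the time-sequence nodes buy.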
The provenance-graph-based method of this application is designed around real-time detection of the attack chain, and the real-time property is embodied mainly in the time-sequence node creation algorithm. In the flow of this application, real-time detection means: a log is collected and parsed into nodes and edges; rule matching decides whether it is an alarm event and, if so, marks the corresponding edge with tags such as the TTP number; the compression algorithm then compresses the nodes and edges of that event, the compressed nodes and edges are added to the corresponding APT stage, and the TTP is associated with the TTPs detected earlier through the time-sequence relationships between nodes, updating the APT attack chain.
In the attack association stage, a new alarm is spliced together with the APT attack chain detected before to form a new attack chain.
By matching the original provenance graph against the rule base before compression and attaching TTP and other information to events, this application avoids deleting alarm events by mistake during the subsequent compression and attack stage association, giving good detection accuracy. By creating time-sequence nodes it transfers the timestamps of edges to nodes, turning the dynamic graph into a static graph, which enables real-time detection and speeds up forensic analysis.
Example 2
An embodiment of the present application provides an attack chain real-time detection device, which is applied to the attack chain real-time detection method in embodiment 1, as shown in fig. 7, and is a structural block diagram of the attack chain real-time detection device, where the device includes, but is not limited to:
a data collection and analysis module 100, configured to generate an original traceability map based on the obtained log data;
the rule matching module 200 is configured to add an attack tag to the original traceability graph by using a preset matching rule, so as to generate a tag traceability graph;
the compression module 300 is configured to reduce the label traceability graph, create a time sequence node and optimize the node, and generate a compressed traceability graph;
and the attack stage association module 400 is configured to associate attack tags based on the compressed traceability graph, and obtain an attack chain.
As shown in fig. 8, another block diagram of an attack chain real-time detection apparatus is shown, wherein the rule matching module 200 includes:
an information adding module 201, configured to add APT information to an edge of the original traceability graph based on the matching rule, where the APT information includes a TTP number and APT stage information;
and the extracting module 202 is configured to extract edges and corresponding nodes containing the APT information and generate a label tracing graph.
The compression module comprises a reduction module 301, a timing node creation module 302 and a node optimization module 303, wherein the reduction module 301 is configured to:
judging whether the edge between two nodes is a repeated edge or not based on the APT information;
if so, the edge corresponding to the first occurring event is retained and the edge corresponding to the later occurring event is deleted.
The timing node creation module 302 is configured to:
obtaining the incoming edge of each node;
and transferring the time stamp of the incoming edge to a corresponding node to create a time sequence node.
The node optimization module 303 is configured to:
judging whether the time sequence node corresponding to the previous moment of the current time sequence node has an edge;
if not, merging the time stamps of the two time sequence nodes, and reserving all the incoming edges of the time sequence nodes.
The attack stage association module 400 is configured to:
acquiring edges and nodes corresponding to TTP numbers in the compressed graph;
filling the edges and the nodes into each APT stage in a preset attack chain model;
and generating a complete attack chain by using the time sequence relation association TTPs between the nodes.
The device matches the original traceability graph against the rule base before compression, which avoids false deletion of alarm events and improves accuracy; it improves detection efficiency by creating time sequence nodes, realizes real-time detection, and solves the problems of the existing methods, namely long processing time, low accuracy and the inability to perform real-time analysis.
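As an added illustration of the pipeline described in steps S12 to S14 and in the modules above (not code from the patent), the following Python sketch runs the same stages over a few constructed log lines; the rule base, stage names, log format and the merging rule for timing nodes are assumptions made for this example.

```python
from collections import defaultdict

# Constructed rule base (assumption, not the patent's): (subject type, operation, object type)
# -> (TTP number, APT stage). STAGES is the constructed attack chain model, in stage order.
RULES = {
    ("process", "create", "process"): ("T1036", "initial_intrusion"),
    ("process", "write", "file"): ("T1074", "establish_foothold"),
    ("process", "read", "file"): ("T1106", "establish_foothold"),
}
STAGES = ["initial_intrusion", "establish_foothold"]

# Constructed log lines: "timestamp,subject,subject_type,operation,object,object_type".
LOGS = [
    "1,P,process,create,Q,process",  # P spawns Q              -> T1036, initial intrusion
    "2,P,process,write,F,file",      # P writes F              -> T1074, establish foothold
    "3,P,process,read,F,file",       # P reads F               -> T1106
    "4,P,process,read,F,file",       # repeated read, same TTP -> deleted by reduction
    "5,Q,process,read,F,file",       # Q reads F               -> T1106 (other subject, kept)
    "6,Q,process,exec,G,file",       # no matching rule        -> not an alarm event
]

def parse_logs(lines):
    """Original traceability graph: one directed, timestamped edge per log line."""
    edges = []
    for ln in lines:
        ts, src, stype, op, dst, dtype = ln.split(",")
        edges.append({"ts": int(ts), "src": src, "stype": stype, "op": op,
                      "dst": dst, "dtype": dtype})
    return edges

def rule_match(edges):
    """Label traceability graph: keep only edges matching a rule, tagged with TTP and stage."""
    hits = ((e, RULES.get((e["stype"], e["op"], e["dtype"]))) for e in edges)
    return [{**e, "ttp": h[0], "stage": h[1]} for e, h in hits if h]

def reduce_edges(edges):
    """Reduction: among repeated (src, dst, TTP) edges keep the earliest, delete the later ones."""
    kept = {}
    for e in sorted(edges, key=lambda e: e["ts"]):
        kept.setdefault((e["src"], e["dst"], e["ttp"]), e)
    return list(kept.values())

def timing_nodes(edges):
    """Move each incoming edge's timestamp onto its destination node; a timing node with no
    outgoing edge is merged into its successor. Returns {node: [timestamps per timing node]}."""
    stamps = defaultdict(set)
    for e in edges:
        stamps[e["dst"]].add(e["ts"])          # nodes with no incoming edge (root P) get none
    result = {}
    for name, ts_set in stamps.items():
        ordered, merged, pending = sorted(ts_set), [], []
        for i, t in enumerate(ordered):
            nxt = ordered[i + 1] if i + 1 < len(ordered) else float("inf")
            pending.append(t)
            has_out = any(e["src"] == name and t <= e["ts"] < nxt for e in edges)
            if has_out or nxt == float("inf"):  # keep this version, absorbing merged ones
                merged.append(tuple(pending))
                pending = []
        result[name] = merged
    return result

def attack_chain(edges):
    """Association: fill each TTP into its APT stage and order them by time sequence."""
    by_stage = defaultdict(list)
    for e in sorted(edges, key=lambda e: e["ts"]):
        by_stage[e["stage"]].append((e["ttp"], e["ts"], e["src"]))
    return [(stage, by_stage[stage]) for stage in STAGES if by_stage[stage]]
```

Running `attack_chain(reduce_edges(rule_match(parse_logs(LOGS))))` yields T1036 in the initial intrusion stage followed by T1074 and T1106 in the establish-foothold stage, linked by process P's timestamps.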
The embodiment of the application also provides an electronic device, which comprises a memory and a processor, wherein the memory is used for storing a computer program, and the processor runs the computer program to enable the electronic device to execute the attack chain real-time detection method described in the embodiment 1.
The embodiment of the application further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the attack chain real-time detection method described in embodiment 1 is executed.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (10)
1. An attack chain real-time detection method is characterized by comprising the following steps:
generating an original traceability map based on the acquired log data;
adding an attack tag to the original traceability graph by using a preset matching rule to generate a tag traceability graph;
reducing the label tracing graph, creating time sequence nodes and optimizing the nodes, and generating a compressed tracing graph;
and associating the attack labels based on the compressed traceability graph to obtain an attack chain.
2. The attack chain real-time detection method according to claim 1, wherein adding the attack tag to the original traceability graph by using a preset matching rule to generate a tag traceability graph comprises:
adding APT information to the edges of the original traceability graph based on the matching rule, wherein the APT information comprises TTP numbers and APT stage information;
and extracting edges containing the APT information and corresponding nodes to generate a label tracing graph.
3. The attack chain real-time detection method according to claim 2, wherein the reducing the label tracing map comprises:
judging whether the edge between two nodes is a repeated edge or not based on the APT information;
if so, the edge corresponding to the first occurring event is retained and the edge corresponding to the later occurring event is deleted.
4. The attack chain real-time detection method according to claim 1, wherein the creating a timing node for the label tracing graph includes:
obtaining the incoming edge of each node;
and transferring the time stamp of the incoming edge to a corresponding node to create a time sequence node.
5. The attack chain real-time detection method according to claim 3, wherein the node optimization of the label tracing graph comprises:
judging whether the time sequence node corresponding to the previous moment of the current time sequence node has an edge;
if not, merging the time stamps of the two time sequence nodes, and reserving all the incoming edges of the time sequence nodes.
6. The method for detecting the attack chain in real time according to claim 1, wherein the associating the attack tag based on the compressed traceability graph to obtain the attack chain comprises:
acquiring edges and nodes corresponding to TTP numbers in the compressed graph;
filling the edges and the nodes into each APT stage in a preset attack chain model;
and generating a complete attack chain by using the time sequence relation association TTPs between the nodes.
7. An attack chain real-time detection device, characterized in that the device comprises:
the data collection and analysis module is used for generating an original traceability map based on the acquired log data;
the rule matching module is used for adding an attack tag to the original traceability graph by utilizing a preset matching rule so as to generate a tag traceability graph;
the compression module is used for reducing the label traceability graph, creating time sequence nodes and optimizing the nodes, and generating a compression traceability graph;
and the attack stage association module is used for associating attack labels based on the compressed traceability graph to obtain an attack chain.
8. The attack chain real-time detection apparatus according to claim 7, wherein the rule matching module comprises:
the information adding module is used for adding APT information to the edges of the original traceability graph based on the matching rule, wherein the APT information comprises TTP numbers and APT stage information;
and the extraction module is used for extracting the edges containing the APT information and the corresponding nodes and generating a label tracing graph.
9. An electronic device, characterized in that the electronic device comprises a memory for storing a computer program and a processor that runs the computer program to cause the electronic device to perform the attack chain real-time detection method according to any of claims 1 to 6.
10. A readable storage medium, wherein computer program instructions are stored in the readable storage medium, which when read and executed by a processor, perform the attack chain real-time detection method according to any of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310266446.8A CN116318990A (en) | 2023-03-13 | 2023-03-13 | Attack chain real-time detection method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116318990A true CN116318990A (en) | 2023-06-23 |
Family
ID=86826899
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310266446.8A Pending CN116318990A (en) | 2023-03-13 | 2023-03-13 | Attack chain real-time detection method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116318990A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117014211A (en) * | 2023-08-16 | 2023-11-07 | 华能信息技术有限公司 | Power plant network security dynamic defense method and system based on big data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||