CN116405323B - Security situation awareness attack prediction method, device, equipment, medium and product - Google Patents


Info

Publication number
CN116405323B
CN116405323B (application number CN202310658443.9A)
Authority
CN
China
Prior art keywords
attack
information
path
model
outputting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310658443.9A
Other languages
Chinese (zh)
Other versions
CN116405323A (en)
Inventor
王洪波
李胤哲
王玉兰
李远思
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tols Tianxiang Net An Information Technology Co ltd
Original Assignee
Tols Tianxiang Net An Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tols Tianxiang Net An Information Technology Co ltd
Priority to CN202310658443.9A
Publication of CN116405323A
Application granted
Publication of CN116405323B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The application discloses a security situation awareness attack prediction method, a device, equipment, a medium and a product, wherein the security situation awareness attack prediction method comprises the following steps: inputting attack parameter information into the SAHMM model, and outputting first attack path information; inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm, and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information; inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information; and inputting the attack parameter information, the optimal path information and the network attack information into an attack prediction model, and outputting an attack prediction result. The application can predict the network attack mode by collecting attack path information and feeding it into the prediction model.

Description

Security situation awareness attack prediction method, device, equipment, medium and product
Technical Field
The application relates to the field of network security generally, and in particular to a security situation awareness attack prediction method, a security situation awareness attack prediction device, security situation awareness attack prediction equipment, a security situation awareness attack prediction medium and a security situation awareness attack prediction product.
Background
With the development of networks, protecting network services from interruption, and protecting the information in a system from being destroyed, altered or revealed by malicious attacks, has become a serious issue in network use. In general, a network attacker can be identified, and the attacker's attack path predicted, from combinations of attack paths obtained by analyzing various logs and preserving the combined attack paths of the network user over the whole attack process; the number of such combinations reaches billions to the N-th power.
However, in the prior art, experience or feature-matching association is usually adopted for predicting the attack path, so the prediction often depends on the experience of the user, lacks universality and has poor extensibility.
Disclosure of Invention
In view of the foregoing drawbacks or shortcomings of the prior art, it is desirable to provide a security situation aware attack prediction method, apparatus, device, medium and product.
On one hand, the security situation awareness attack prediction method is provided, and comprises the following steps:
inputting attack parameter information into the SAHMM model, and outputting first attack path information, wherein the attack parameter information comprises one or more of the following: attack mode information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector;
inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm, and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information;
inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information;
and inputting the attack parameter information, the optimal path information and the network attack information into an attack prediction model, and outputting an attack prediction result.
In some embodiments, after inputting the first attack path information and the second attack path set information into the fusion model to obtain the optimal path information, the method further includes:
based on the SAHMM model, acquiring a first path probability of a first preset stage and acquiring a second path probability of a second preset stage;
and obtaining an attack prediction result based on the first path probability of the first preset stage and the second path probability of the second preset stage.
In some embodiments, the first attack path information and the second attack path set information are input into a fusion model to obtain optimal path information, which specifically includes:
judging whether the second path set information comprises the first path information or not;
and outputting the second path set information as optimal path information when the second path set information includes the first path information.
In some embodiments, the attack parameter information, the optimal path information and the network attack information are input into an attack prediction model, and an attack prediction result is output, and the method further includes:
acquiring network attack information and generating attack stage information based on a preset rule;
generating original sequence information based on the network attack information and the attack stage information;
inputting the original sequence into a pre-constructed gray verhulst model, and outputting prediction information;
and generating an attack prediction result based on the prediction information, the attack stage information and a preset rule.
In some embodiments, determining whether the second path set information includes the first path information further includes:
generating third path set information based on the second path set information and the first path information when the second path set information does not include the first path information;
and outputting the third path set information as optimal path information.
In a second aspect, the present application provides a security situation aware attack prediction apparatus, including:
the first acquisition module is used for inputting attack parameter information into the SAHMM model and outputting first attack path information, and the attack parameter information comprises one or more of the following: attack mode information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector;
the second acquisition module is used for inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information;
the fusion module is used for inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information;
the prediction module is used for inputting the attack parameter information, the optimal path information and the network attack information into the attack prediction model and outputting an attack prediction result.
In some embodiments, the fusion module is configured to:
judging whether the second path set information comprises the first path information or not;
and outputting the second path set information as optimal path information when the second path set information includes the first path information.
In a third aspect, the present embodiment provides an electronic device, including a processor and a memory, where the memory stores at least one instruction, at least one section of program, a code set, or an instruction set, where the instruction, the program, the code set, or the instruction set is loaded and executed by the processor to implement the steps of the security situation aware attack prediction method provided by the embodiment of the first aspect of the present application.
In a fourth aspect, the present embodiment provides a non-transitory computer readable storage medium, which when executed by a processor of a mobile terminal, causes the mobile terminal to implement the steps of the security posture awareness attack prediction method provided by the above-mentioned embodiment of the first aspect of the present application.
In a fifth aspect, the present embodiment provides a computer program product, which when executed by a processor of a mobile terminal, enables the mobile terminal to perform the steps of implementing the security posture awareness attack prediction method provided by the embodiment of the first aspect of the present application.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
The technical scheme provided by the embodiment of the disclosure can have the following beneficial effects: the application can predict the network attack mode by collecting attack path information and feeding it into the prediction model; the prediction operation is simple and the prediction information is reliable.
According to the application, the first encryption algorithm type information is obtained through the analysis model, the flow data type information and the second encryption algorithm type information are obtained through the mixed model, and then the index level of the flow data and/or the application program is determined through the information.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
FIG. 1 is a flow chart of a security situation aware attack prediction method according to an embodiment of the present application;
fig. 2 is a block diagram of a security situation aware attack prediction device according to an embodiment of the present application;
fig. 3 is an internal structural diagram of an electronic device according to an embodiment of the present application;
fig. 4 is a flowchart of another security situation aware attack prediction method according to an embodiment of the present application.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be noted that, for convenience of description, only the portions related to the application are shown in the drawings.
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
The scheme can be applied to the field of network security and used for predicting network attacks.
In network security attack prediction, a model based on the hidden Markov method has the following problems:
1. The stages of the multi-step attack are required to be sequential, with no attack steps missing.
2. Longer observation sequences are needed to train the parameters of the HMM model, otherwise the correctness of the training result cannot be guaranteed.
3. With the continuous expansion of the network scale and the growing complexity of attacks, the state transition probabilities between attack behaviors are difficult to calculate, and the scalability is not ideal.
Referring to fig. 1 in detail, the present application provides a security situation awareness attack prediction method, which includes:
s101, inputting attack parameter information into an SAHMM model, and outputting first attack path information, wherein the attack parameter information comprises one or more of the following: attack pattern information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector.
Specifically, the adaptive hidden Markov model SAHMM is used. Attack parameter information is input to the model, where M represents the attack mode; from the M value the SAHMM model knows how to calculate attack sequences that have missing steps and are of indefinite length. I represents the elements present in the attack sequence or the possible attack paths (on the order of billions to the power N of paths), A represents the transition probability matrix of all attack phases, B represents the observation probability matrix of each attack element in its phase, and the initial state probability vector gives the initial probability of each attack element. From I, A, B and the initial state vector it can be determined which attack elements need to be computed to achieve improved performance and accuracy, and the first attack path information is output.
First, an observation is determined. Specifically, the observation value is determined by the M value and is a variable quantity: different attack modes can be identified according to different attack scenes, forming different mode M values.
Further, initialization is performed. In particular:
The initialization sets the initial values, where I represents the elements present in the attack sequence or the possible attack paths.
The first term represents the set of values of the 1st element in each attack path.
The second term represents the probability that the element value i appears at the first position.
The third term represents the probability that the element value i appears in the first observation, i.e. in stage one.
The product of these two probabilities gives the probability that the first element takes the value i in the first stage.
Further, the recurrence is performed. In particular:
From state (phase) t-1 to state t: for each element j of state t-1, the probability of reaching j from the initial state is known from the previous step. It is multiplied by the transition probability (likelihood) from element j to element i and by the probability that the element value i is observed in stage t, which for a given i is the same for every j. For each element j this gives the product of the probability that j occurred in the previous stage and the probability of going from j to i. Following the dynamic programming principle, the j with the largest product is selected, which gives the probability value of the current stage and at the same time determines the value of the backtracking function, i.e. the most probable predecessor.
For each observation value, the calculation described above is repeated to obtain the probability value of each current stage and, at the same time, the most probable path passing point of the previous stage.
Further, the process is terminated. In particular:
The probability values of the optimal path passing point and of the end point in the previous stage are obtained through the above steps. By comparing the maximum path probabilities for the end phase, the most probable element i is determined as the optimal path end point.
Finally, the optimal path is backtracked. In particular, the optimal path passing point of each previous stage is obtained from the above steps, and the path is reconstructed by reverse deduction, with each stage t determined from stage t+1. This yields the optimal path and therefore the first attack path information.
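The four SAHMM steps above (initialization, recurrence, termination, backtracking) are the Viterbi decoding of a hidden Markov model. The following is an added example written for this page, not the patent's code; the attack elements, observation alphabet, initial vector, transition matrix A and observation matrix B are constructed sample parameters, and the `viterbi` function name is an assumption. The second usage shows the "missing step" case the text mentions: a two-observation sequence that skips the middle stages is still decoded.

```python
# Added example (not the patent's code): Viterbi decoding over attack stages.
# All names and parameter values below are constructed for illustration.

# Constructed attack elements (hidden states) and observation alphabet.
STATES = ["recon", "exploit", "persist", "exfil"]
OBS = ["port_scan", "web_exploit", "new_service", "large_upload"]

# Constructed initial state probability vector over STATES.
PI = [0.7, 0.2, 0.05, 0.05]
# Constructed transition probability matrix A[j][i]: from state j to state i.
A = [
    [0.30, 0.50, 0.10, 0.10],
    [0.10, 0.30, 0.50, 0.10],
    [0.05, 0.15, 0.40, 0.40],
    [0.05, 0.05, 0.20, 0.70],
]
# Constructed observation probability matrix B[i][o]: state i emits observation o.
B = [
    [0.80, 0.10, 0.05, 0.05],
    [0.10, 0.70, 0.15, 0.05],
    [0.05, 0.15, 0.70, 0.10],
    [0.05, 0.05, 0.10, 0.80],
]


def viterbi(observations, states=STATES, obs_alphabet=OBS, pi=PI, a=A, b=B):
    """Return (most probable state path, its joint probability with the observations)."""
    o = [obs_alphabet.index(x) for x in observations]
    n = len(states)
    # Initialisation: probability that stage 1 is element i and emits the first observation.
    delta = [pi[i] * b[i][o[0]] for i in range(n)]
    back = []  # back[t-1][i] = most probable predecessor of element i at stage t
    # Recurrence: for each i keep the predecessor j maximising delta[j] * a[j][i].
    for t in range(1, len(o)):
        new_delta, new_back = [], []
        for i in range(n):
            best_j = max(range(n), key=lambda j: delta[j] * a[j][i])
            new_delta.append(delta[best_j] * a[best_j][i] * b[i][o[t]])
            new_back.append(best_j)
        delta = new_delta
        back.append(new_back)
    # Termination: the end point is the element with the largest final probability.
    last = max(range(n), key=lambda i: delta[i])
    prob = delta[last]
    # Backtracking: follow the predecessor pointers from the end back to stage 1.
    path = [last]
    for t in range(len(back) - 1, -1, -1):
        path.append(back[t][path[-1]])
    path.reverse()
    return [states[i] for i in path], prob


if __name__ == "__main__":
    full = ["port_scan", "web_exploit", "new_service", "large_upload"]
    print(viterbi(full))
    # A sequence with the middle stages missing is still decoded to a path.
    print(viterbi(["port_scan", "large_upload"]))
```

The joint probability returned for the full four-observation sequence is the product of the initial probability, the three transitions and the four emissions along the decoded path, which is what the termination step compares across candidate end points.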
S102, inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm, and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information.
Specifically, the SAHMM model generates only one optimal path, so the requirement on fault tolerance is high, which is particularly obvious when a network attacker carries out a complex attack. The adaptive multi-level reinforcement association learning algorithm TXSA5 model takes the attack parameter information and the reinforcement factors as input, where the attack parameters also include the received attack event and the model parameter information, and produces the second attack path set information. This solves the problem of incomplete single attack path information. In the attack parameter information, M represents the attack mode, from which the TXSA5 model knows how to calculate attack sequences with missing attack steps and variable lengths; I represents the elements present in the attack sequence or the possible attack paths; A represents the transition probability matrix of all attack phases; B represents the observation probability matrix of each attack element in its phase; the initial state probability vector gives the initial probability of each attack element; and the reinforcement factors complete the input. A, B and the initial state vector are obtained by training the HMM in advance, and the reinforcement factor value is determined by a preset algorithm from the front-back relation of events, the IP address threat index, the mixed combat mode, the experience index and the like. The second attack path set information is then output.
First, an observation is determined. Specifically, the observation value is a variable quantity. According to different attack scenes, different attack modes are identified, forming different mode M values. The element categories participating in the attack procedure are determined from the M value, which in turn determines the observation value.
Next, the value of each level is calculated. In particular:
The first term represents the set of values of the 1st element in each attack path.
The second term represents the probability that the element value i appears at the first position.
The third term represents the probability that the element value i appears in the first observation, i.e. in stage one.
The stage value is the product of the conversion (occurrence) probability from element j to element i and the likelihood of element i occurring in that stage.
Then, a probability value is calculated. In particular, each path has a specific small reinforcement factor value for each kind of factor.
Each class of reinforcement factor has a weight.
The path probability is in essence the probability of occurrence between elements at each stage multiplied by the probability of occurrence of the elements at a stage, i.e. the joint probability.
The reinforcement value is the sum of the products of the various reinforcement factor values and their weights; it is trained by another algorithm and carries information other than the transition probability of the path elements.
Multiplying the path probability by the reinforcement value combines probabilities from two different dimensions and makes the result more certain.
Finally, the optimal ten paths are determined.
The paths are sorted by probability value and the 10 paths with the largest values are selected as the optimal paths, which gives the second attack path set information. Here sort is a ranking function by which the PB probability values of the paths are ranked from large to small, and the top-10 selection is a language representation for extracting the 10 largest probability values and hence the corresponding 10 optimal paths.
S103, inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information.
Specifically, optimal path information is obtained according to the first attack path information and the second attack path set information, so that attack tracing is performed.
In some embodiments, the first attack path information and the second attack path set information are input into a fusion model to obtain optimal path information, which specifically includes:
judging whether the second path set information comprises the first path information or not;
and outputting the second path set information as optimal path information when the second path set information includes the first path information.
Specifically, whether the second path set information comprises the first path information is judged, if the second path set information comprises the first path information, the second path set output is considered to have no deviation, and therefore the second path set information is output as optimal path information.
In some embodiments, determining whether the second path set information includes the first path information further includes:
generating third path set information based on the second path set information and the first path information when the second path set information does not include the first path information;
and outputting the third path set information as optimal path information.
Specifically, whether the second path set information comprises the first path information is judged; if the second path set information does not comprise the first path information, the second path set output is considered to have deviation, so the first path information and the second path set information are combined into an intersection to form third path set information, and the third path set information is output as optimal path information.
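The TXSA5 scoring described in step S102 (joint path probability multiplied by a weighted sum of reinforcement factors, then the ten best paths) and the fusion rule of step S103 can be shown together in one small model. This is an added example written for this page, not the patent's code: the HMM parameters, the two reinforcement factor kinds (an IP threat index and an experience index, each a per-element score) and their weights are constructed, and `reinforced_top_k`, `reinforcement` and `fuse` are assumed names. For the case where the SAHMM path is absent from the set, the example forms the third set by adding the SAHMM path to the set; that is this example's reading of the page's combined set.

```python
# Added example (not the patent's code): reinforced path-set scoring and fusion.
# All names, parameters and factor values are constructed for illustration.
import itertools

STATES = ["recon", "exploit", "persist", "exfil"]
OBS = ["port_scan", "web_exploit", "new_service", "large_upload"]
PI = [0.7, 0.2, 0.05, 0.05]                      # constructed initial vector
A = [                                            # constructed transitions A[j][i]
    [0.30, 0.50, 0.10, 0.10],
    [0.10, 0.30, 0.50, 0.10],
    [0.05, 0.15, 0.40, 0.40],
    [0.05, 0.05, 0.20, 0.70],
]
B = [                                            # constructed emissions B[i][o]
    [0.80, 0.10, 0.05, 0.05],
    [0.10, 0.70, 0.15, 0.05],
    [0.05, 0.15, 0.70, 0.10],
    [0.05, 0.05, 0.10, 0.80],
]

# Constructed reinforcement factors: each kind assigns a value in [0, 1] per element.
FACTORS = {
    "ip_threat":  {"recon": 0.2, "exploit": 0.6, "persist": 0.7, "exfil": 0.9},
    "experience": {"recon": 0.5, "exploit": 0.5, "persist": 0.3, "exfil": 0.6},
}
WEIGHTS = {"ip_threat": 0.6, "experience": 0.4}  # constructed per-kind weights


def joint_probability(path, observations, pi=PI, a=A, b=B):
    """P(path, observations) under the HMM: initial * emissions * transitions."""
    o = [OBS.index(x) for x in observations]
    s = [STATES.index(x) for x in path]
    p = pi[s[0]] * b[s[0]][o[0]]
    for t in range(1, len(s)):
        p *= a[s[t - 1]][s[t]] * b[s[t]][o[t]]
    return p


def reinforcement(path, factors=FACTORS, weights=WEIGHTS):
    """Sum over factor kinds of weight * factor value, the value being the path mean."""
    total = 0.0
    for kind, weight in weights.items():
        total += weight * sum(factors[kind][s] for s in path) / len(path)
    return total


def reinforced_top_k(observations, k=10, factors=FACTORS, weights=WEIGHTS):
    """Rank every element path by joint probability * reinforcement; keep the best k."""
    scored = []
    for path in itertools.product(STATES, repeat=len(observations)):
        score = joint_probability(path, observations) * reinforcement(path, factors, weights)
        scored.append((path, score))
    scored.sort(key=lambda ps: ps[1], reverse=True)   # sort from large to small
    return scored[:k]


def fuse(first_path, second_set):
    """Fusion: keep the set if it contains the SAHMM path, else add that path to it."""
    paths = [p for p, _ in second_set]
    if tuple(first_path) in paths:
        return paths
    return paths + [tuple(first_path)]


if __name__ == "__main__":
    obs = ["port_scan", "web_exploit", "new_service", "large_upload"]
    top10 = reinforced_top_k(obs)
    for path, score in top10:
        print(" -> ".join(path), round(score, 8))
    print(fuse(["recon", "exploit", "persist", "exfil"], top10))
```

With a uniform reinforcement value the ranking reduces to the joint probability alone, so the top entry coincides with the Viterbi path; non-uniform factors re-order the set, which is the point of keeping ten candidates rather than one.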
S104, inputting the attack parameter information, the optimal path information and the network attack information into an attack prediction model, and outputting an attack prediction result.
Specifically, the attack parameter information, the optimal path information and the network attack information collected in advance are gathered together, so that a more accurate attack prediction result is output.
In some embodiments, after inputting the first attack path information and the second attack path set information into the fusion model to obtain the optimal path information, the method further includes:
based on the SAHMM model, acquiring a first path probability of a first preset stage and acquiring a second path probability of a second preset stage;
and obtaining an attack prediction result based on the first path probability of the first preset stage and the second path probability of the second preset stage.
Specifically, using the optimal path information obtained by the SAHMM and TXSA5 algorithms, events that have not yet occurred but are likely to occur are predicted. The first preset stage is a known path ending at a certain stage, and the probability of a single known path ending in state j is assumed to be:
The next stage t is the second preset stage; it predicts the next stage, which has not yet occurred, from a previous path, and the probability of the most probable path among all single paths ending in state i is:
Correspondingly, in stage t the node with the highest probability among all single paths with state i is:
The node of the next stage t traverses all possible states of stage t according to the homogeneous Markov assumption, calculates the joint probabilities respectively, and takes the maximum value, which is the attack prediction result.
In some embodiments, the attack parameter information, the optimal path information and the network attack information are input into an attack prediction model, and an attack prediction result is output, and the method further includes:
acquiring network attack information and generating attack stage information based on a preset rule;
generating original sequence information based on the network attack information and the attack stage information;
inputting the original sequence into a pre-constructed gray verhulst model, and outputting prediction information;
and generating an attack prediction result based on the prediction information, the attack stage information and a preset rule.
In particular, the Verhulst model is a grey prediction model that describes an evolution process with saturation, i.e. an S-shaped process. The captured timestamp of a network attack implies the security state of a certain IP address at a certain point in time, and by counting the network attacks on the same IP address within a period, the accumulated severity of the attacks on that IP address in the period is known. A grey Verhulst model is trained on the accumulated threat degree to obtain the risk index of each IP under network attack in the next stage. In the model input, I represents all collected network attacks and P represents the trace-source path generated by the SAHMM and TXSA5 models; M represents the attack mode, A the transition probability matrix of all attack stages, B the observation probability matrix of each attack element in its stage, and the initial state probability vector completes the parameters, with A, B and the initial state vector trained by the HMM. The attack prediction result is then output.
First, a division into stages is performed. Specifically, a network attack is a structure of the form {source IP, destination IP, attack timestamp, attack type, threat level}. All data can be divided into different attack stages according to the threat type, so that each attack is assigned, according to its threat type, to one of t stages.
Second, the severity of the attack on each IP is calculated. Specifically, all data are traversed and the degree to which each IP is attacked in each stage is counted. In the calculation, att is an indicator function whose value is 1 when an IP address is attacked once in a certain time interval and 0 otherwise, and l represents the threat level of this attack, which is classified into the three levels [3, 5, 10] in our qualitative model. By accumulation, the overall threat level of address i being attacked in one stage is obtained. In our qualitative model the attack is divided into 6 stages, so the calculated original sequence is represented with one term per stage.
Further, a grey Verhulst model is established. Specifically, a 1-AGO (first-order accumulated generating) sequence is generated from the pre-generated original sequence.
The neighbour mean sequence is then generated from it.
The resulting equation is called the grey Verhulst model, in which a and b are parameters; its whitened differential equation, in which t represents the stage, follows from it.
Then, the grey Verhulst model parameters are solved. Specifically, the parameters a and b are solved by the least squares method and are expressed as:
wherein:
The time response formula thus obtained is expressed as:
Based on this result, the prediction of the original sequence is recovered by cumulative subtraction.
Finally, the threat level of the missing stage is calculated. Specifically, a complete network attack consists of multiple stages, only part of which can be observed in the collected data; there may be missing stages, and these are what we consider potential attack events. In the SAHMM and TXSA5 models described above the attack path has already been traced, and the following prediction task is to predict the unknown stages from the known stages of the path using a hidden Markov model. Specifically, taking the trace-source path up to the 6th stage (the post-destruction stage) as an example, the obtained path is:
The probability of this path can be calculated easily thanks to the Markov property. To predict the unknown stage 6, the probabilities of the known path are used to traverse all possible values and select the one with the highest probability, as described for the SAHMM model:
The above equation is the prediction equation of a standard hidden Markov model. It considers the transition probability and the observation probability of the attack between different events in different stages, but not the threat degree of an IP address in a certain stage, so the index calculated by the grey Verhulst model is fused into the calculation to obtain:
All calculation results in the same stage are normalised so that the probabilities are scaled to between 0 and 1:
The value with the maximum probability is selected as the prediction result at time t, i.e. the attack prediction result is generated, with the advantage that the prediction result is accurate.
In other embodiments, as shown in fig. 4, another security posture aware attack prediction method is shown, comprising:
s101, inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm, and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information;
s102, inputting attack parameter information into an SAHMM model, and outputting first attack path information, wherein the attack parameter information comprises one or more of the following: attack mode information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector;
s103, inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information;
s104, inputting the attack parameter information, the optimal path information and the network attack information into an attack prediction model, and outputting an attack prediction result.
Specifically, the order in which the first attack path information and the second attack path information are acquired is not limited here: the first attack path may be acquired first, or the second attack path may be acquired first. That is, the two acquisitions may proceed in parallel.
In conclusion, the security situation aware attack prediction method can predict the network attack mode by collecting the attack path information and feeding it into the prediction model; the prediction operation is simple and the prediction information is reliable.
With further reference to fig. 2, there is shown an exemplary block diagram of a security posture aware attack prediction device 200 according to the present application, comprising: the first acquisition module 210, the second acquisition module 220, the fusion module 230, the prediction module 240:
the first obtaining module 210 is configured to input attack parameter information into the SAHMM model, and output first attack path information, where the attack parameter information includes one or more of the following: attack mode information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector;
the second obtaining module 220 is configured to input attack parameter information and reinforcement factors into a multi-level reinforcement association learning algorithm TXSA5 model, and output second attack path set information, where the attack parameter information includes received attack event and model parameter information;
the fusion module 230 is configured to input the first attack path information and the second attack path set information into a fusion model to obtain optimal path information;
the prediction module 240 is configured to input attack parameter information, optimal path information, and network attack information to the attack prediction model, and output an attack prediction result.
In some embodiments, the fusion module is configured to:
judging whether the second path set information comprises the first path information or not;
and outputting the second path set information as optimal path information when the second path set information includes the first path information.
In summary, the security situation aware attack prediction device of the application can predict the network attack mode by collecting the attack path information and feeding it into the prediction model; the prediction operation is simple and the prediction information is reliable.
The division of the modules or units mentioned in the above detailed description is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be performed substantially in parallel, or they may sometimes be performed in the reverse order, depending on the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions. The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in the present application is not limited to the specific combinations of technical features described above, but also covers other technical features which may be formed by any combination of the technical features described above or their equivalents without departing from the spirit of the disclosure. For example, the features described above and the technical features disclosed in the present application (but not limited thereto) having similar functions may be interchanged.
In one embodiment, an electronic device, which may be a terminal, is provided, and its internal structure may be as shown in fig. 3. The electronic device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless mode may be realized through Wi-Fi, an operator network, Near Field Communication (NFC) or other technologies. The computer program, when executed by a processor, implements a security situation aware asset vulnerability prediction method. The display screen of the computer device may be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device may be a touch layer covering the display screen, keys, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad, mouse or the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 3 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, the security posture aware attack prediction apparatus provided by the present application may be implemented in the form of a computer program that is executable on an electronic device as shown in fig. 3. The memory of the electronic device may store various program modules that make up the security posture aware attack prediction device.
At least one instruction, at least one section of program, code set or instruction set is stored in a memory in the electronic device, and the instruction, the program, the code set or the instruction set is loaded and executed by the processor to implement the security posture aware attack prediction method according to any one of the embodiments, for example, implement the security posture aware attack prediction method, including: inputting attack parameter information into the SAHMM model, and outputting first attack path information, wherein the attack parameter information comprises one or more of the following: attack mode information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector; inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm, and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information; inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information; and inputting the attack parameter information, the optimal path information and the network attack information into an attack prediction model, and outputting an attack prediction result.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of: inputting attack parameter information into the SAHMM model, and outputting first attack path information, wherein the attack parameter information comprises one or more of the following: attack mode information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector; inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm, and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information; inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information; and inputting the attack parameter information, the optimal path information and the network attack information into an attack prediction model, and outputting an attack prediction result.
In one embodiment, a computer program product is provided, which when executed by a processor of a mobile terminal, causes the mobile terminal to perform the steps of: inputting attack parameter information into the SAHMM model, and outputting first attack path information, wherein the attack parameter information comprises one or more of the following: attack mode information, elements or possible attack paths existing in an attack sequence, a transition probability matrix of an attack stage, an observation probability matrix of the stage where the attack element is located, and an attack element initial state probability vector; inputting attack parameter information and reinforcement factors into a TXSA5 model of a multi-level reinforcement association learning algorithm, and outputting second attack path set information, wherein the attack parameter information comprises received attack event and model parameter information; inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information; and inputting the attack parameter information, the optimal path information and the network attack information into an attack prediction model, and outputting an attack prediction result.
Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of a computer program, which may be stored on a non-transitory computer readable storage medium, that when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, or the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms, such as static random access memory (Static Random Access Memory, SRAM), dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features of each of the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (4)

1. A security situation awareness attack prediction method, characterized by comprising the following steps:
inputting elements or possible attack paths, attack modes, transition probability matrixes of attack stages, observation probability matrixes of stages of each attack element and initial state probability vectors of the attack elements existing in the attack sequence into the SAHMM model, and outputting first attack path information;
inputting elements or possible attack paths existing in the attack sequence, attack modes, transition probability matrixes of all attack stages, observation probability matrixes of the stage of each attack element, initial state probability vectors of each attack element and reinforcement factors into a multi-level reinforcement association learning algorithm TXSA5 model, and outputting second attack path set information, wherein the TXSA5 model is used for calculating attack sequences with missing attack steps and indefinite length, and the reinforcement factors are determined based on a front-back relation, an IP address threat index, a mixed combat mode and an experience index;
inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information;
inputting network attack information, optimal path information, attack modes, transition probability matrixes of all attack stages, observation probability matrixes of the stages of each attack element and initial state probability vectors of each attack element into an attack prediction model, and outputting attack prediction results;
the first attack path information and the second attack path set information are input into a fusion model to obtain optimal path information, specifically:
judging whether the second attack path set information comprises the first attack path information or not;
outputting the second attack path set information as optimal path information when the second attack path set information includes the first attack path information;
when the second attack path set information does not include the first attack path information, forming an intersection of the first path information and the second path set information to form third path set information, and outputting the third path set information as optimal path information.
2. A security posture aware attack prediction apparatus, comprising:
the first acquisition module is used for inputting elements or possible attack paths, attack modes, transition probability matrixes of attack stages, observation probability matrixes of the stages of each attack element and initial state probability vectors of the attack elements existing in the attack sequence into the SAHMM model and outputting first attack path information;
the second acquisition module is used for inputting elements or possible attack paths existing in the attack sequence, attack modes, transition probability matrixes of all attack stages, observation probability matrixes of the stage of each attack element, initial state probability vectors of each attack element and reinforcement factors into a multi-level reinforcement association learning algorithm TXSA5 model, and outputting second attack path set information, wherein the TXSA5 model is used for calculating attack sequences with missing attack steps and indefinite length, and the reinforcement factors are determined based on a front-back relation, an IP address threat index, a mixed combat mode and an experience index;
the fusion module is used for inputting the first attack path information and the second attack path set information into a fusion model to obtain optimal path information;
the prediction module is used for inputting the network attack information, the optimal path information, the attack mode, the transition probability matrix of all attack stages, the observation probability matrix of each attack element at the stage and the initial state probability vector of each attack element into the attack prediction model, and outputting an attack prediction result;
wherein the fusion module is further used for:
judging whether the second attack path set information comprises the first attack path information or not;
outputting the second attack path set information as optimal path information when the second attack path set information includes the first attack path information;
when the second attack path set information does not include the first attack path information, forming an intersection of the first path information and the second path set information to form third path set information, and outputting the third path set information as optimal path information.
3. An electronic device comprising a processor and a memory, wherein the memory has stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the instruction, the program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the security posture aware attack prediction method of claim 1.
4. A non-transitory computer readable storage medium, characterized in that instructions in the storage medium, when executed by a processor of a mobile terminal, enable the mobile terminal to perform the security posture aware attack prediction method according to claim 1.
CN202310658443.9A 2023-06-05 2023-06-05 Security situation awareness attack prediction method, device, equipment, medium and product Active CN116405323B (en)
Publications (2)

Publication Number Publication Date
CN116405323A CN116405323A (en) 2023-07-07
CN116405323B true CN116405323B (en) 2023-09-22