CN116738413A - Method, system and device for back propagation attack investigation based on traceability graph - Google Patents


Info

Publication number
CN116738413A
Authority
CN
China
Prior art keywords
graph
traceability
attack
nodes
weighted
Prior art date
Legal status
Granted
Application number
CN202310660997.2A
Other languages
Chinese (zh)
Other versions
CN116738413B (en)
Inventor
仇晶
胡铭浩
肖千龙
倪晓雅
田志宏
殷丽华
孙彦斌
陈荣融
高成亮
郑东阳
陈俊君
邢家旭
汤菲
Current Assignee
Guangzhou University
Original Assignee
Guangzhou University
Application filed by Guangzhou University
Priority to CN202310660997.2A
Publication of CN116738413A
Application granted
Publication of CN116738413B
Legal status: Active

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3466Performance evaluation by tracing or monitoring
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method, a system and a device for back propagation attack investigation based on a traceability graph, wherein the method comprises the following steps: S1, acquiring a tracing graph, wherein nodes of the tracing graph represent system entities, and edges represent system events; S2, acquiring a weighted traceability map based on the traceability map; and S3, obtaining an attack scene subgraph according to the weighted traceability graph. The invention can realize the back propagation attack investigation based on the traceability graph.

Description

Method, system and device for back propagation attack investigation based on traceability graph
Technical Field
The invention relates to the field of back propagation attack investigation, in particular to a method, a system and a device for back propagation attack investigation based on a traceability graph.
Background
Attacks faced by current enterprise environments tend to be increasingly hidden and long-term. In order to investigate, trace and respond to attacks effectively, enterprises usually deploy log collection on a large number of terminal devices, and security analysts carry out attack investigation by analyzing these logs.
Attack investigation typically begins with the underlying attack detection system collecting audit logs about the attack, together with contextual analysis of alarm events (e.g., suspicious system events, DNS queries and browser events). Throughout security operations, a security analyst needs to perform causal analysis on the logs to trace back the attacker and the scope of the damage, which is the concept of tracing (provenance). Among the many attack investigation methods, investigation aided by a traceability graph is the current mainstream approach, because the traceability graph has strong semantic expression capability and can associate attack history, and is an ideal threat modeling method: it represents audit logs as a causal dependency graph and serves as a forensic tool for finding attack entry nodes. A traceability graph with nodes (entities) and edges (events) is generated, where the direction of an edge is the direction of data flow. Presenting the audit logs as a graph helps the security analyst analyze them and collect evidence. In most cases the attack record is manually recovered from the causal dependency graph as a subgraph whose nodes and edges have causal dependencies with the location where the alarm was raised, in order to begin the attack investigation.
The prior art typically relies on executing a configuration file to filter irrelevant events. However, due to the complexity of computer systems, it is almost impossible to obtain execution cases that cover most common system behaviors.
Disclosure of Invention
The invention aims to provide a method, a system and a device for back propagation attack investigation based on a traceability graph, and aims to solve the back propagation attack investigation based on the traceability graph.
The invention provides a method for back propagation attack investigation based on a traceability graph, which comprises the following steps:
S1, acquiring a tracing graph, wherein nodes of the tracing graph represent system entities, and edges represent system events;
S2, acquiring a weighted traceability map based on the traceability map;
and S3, obtaining an attack scene subgraph according to the weighted traceability graph.
The invention also provides a system for back propagation attack investigation based on the traceability graph, which comprises:
an acquisition module, used for: obtaining a tracing graph, wherein nodes of the tracing graph represent system entities, and edges represent system events;
a weighted traceability graph acquisition module, used for: acquiring a weighted traceability map based on the traceability map;
and an attack scene sub-graph module, used for obtaining an attack scene sub-graph according to the weighted traceability graph.
The embodiment of the invention also provides a device for back propagation attack investigation based on the traceability graph, which comprises: a memory, a processor and a computer program stored on the memory and executable on the processor, which when executed by the processor, performs the steps of the method described above.
The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores an information transmission implementation program, and the program realizes the steps of the method when being executed by a processor.
By adopting the embodiment of the invention, the back propagation attack investigation based on the traceability graph can be realized.
The foregoing description is only an overview of the present invention, and is intended to provide a more clear understanding of the technical means of the present invention, as it is embodied in accordance with the present invention, and to make the above and other objects, features and advantages of the present invention more apparent, as it is embodied in the following detailed description of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a trace-graph based back propagation attack survey in accordance with an embodiment of the present invention;
FIG. 2 is a schematic architecture diagram of a back propagation attack investigation method based on a traceability graph according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a system for trace-graph based back propagation attack investigation in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram of an apparatus for back propagation attack investigation based on a traceability map according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Method embodiment
According to an embodiment of the present invention, a flowchart of a method for back propagation attack investigation based on a traceability graph is provided, and fig. 1 is a flowchart of back propagation attack investigation based on a traceability graph according to an embodiment of the present invention, as shown in fig. 1, specifically including:
S1, acquiring a tracing graph, wherein nodes of the tracing graph represent system entities, and edges represent system events;
S1 specifically comprises: obtaining an audit log of the attacked system, formatting the audit log to obtain formatted information, and performing inverse causal dependency analysis on the formatted information to obtain a local inverse traceability graph.
S2, acquiring a weighted traceability map based on the traceability map;
S2 specifically comprises: merging parallel edges between two nodes in the traceability graph; computing, for each edge, its time difference from the POI (point of interest) event as a feature weight; defining the fan-out fan-in ratio of each edge's source node as a second feature weight; normalizing the time difference and the fan-out fan-in ratio; fusing the normalized time difference and fan-out fan-in ratio into a fused weight for each edge; and outputting the weighted traceability graph.
And S3, obtaining an attack scene subgraph according to the weighted traceability graph.
S3 specifically comprises: propagating causal dependency effects backward from the POI event along the weighted edges until all entry nodes (nodes with in-degree 0) are reached; ranking the entry nodes by their causal dependency effect value; performing forward analysis from the top-ranked entry nodes to obtain an analysis result; and taking the intersection of the analysis result and the graph generated by back propagation, which is the attack scene subgraph output from the original traceability graph.
The specific implementation method is as follows:
fig. 2 is an architectural diagram of a back propagation attack investigation method based on a traceability graph according to an embodiment of the present invention, as shown in fig. 2:
given a POI event, an attack scenario subgraph of a traceability graph generated by causal dependency analysis is automatically identified. Mainly comprises three stages: (1) generating a traceability graph, (2) calculating edge weights, and (3) generating an attack scene subgraph:
in the first stage: the invention utilizes a system audit log collected from a kernel regarding system calls, formatted, and used as input to construct a global input traceability graph, wherein nodes represent system entities and edges represent system (call) events.
In order to uniquely identify an entity, the invention uses a UUID as the unique identifier, and entities are classified into three categories: process entities, file entities and network connection entities, each with its own specific attributes. Given a POI event, an inverse causal dependency analysis is performed starting from that event, and a local inverse traceability graph is generated for the POI event. Briefly, the inverse causal dependency analysis adds the POI event to a queue and repeatedly looks up the eligible incoming edges/events of each queued edge (i.e., the incoming edges of that edge's source node), adding them to the queue, until the queue is empty. The output of stage one is a backward traceability graph that contains only the system events (and related entities) that have a causal dependency on the POI event.
Second stage: the method first merges parallel edges between two nodes in the traceability graph; parallel edges arise because an operating system usually completes a file read/write by spreading the data over several system calls. The edge weights are then calculated from two types of features (time order and node access number). Intuitively, edges that occur at about the same time are more likely to be correlated, so edges whose time is closer to the POI are given larger weights.
Each edge takes its time difference from the POI as a feature weight $f_T(e)$:
However, this alone would make the weights of suspicious edges far from the POI too low. In the inverse causal dependency analysis, if the number of source nodes that can be traced back from a node v is 1 (i.e., only one source node is traced back from v), the causal dependency represented by this edge is highly concentrated for v. At the same time, the method aims to give a higher weight to source nodes reachable from multiple paths in the backward direction. Thus, the fan-out fan-in ratio of the source node u of edge e(u, v) is defined as a second computed feature value:
$f_C(e) = \mathrm{OutDegree}(u) / \mathrm{InDegree}(u)$
the node associated with the attack tends to have many more outgoing edges than incoming edges, so fan-out fan-in ratios are used to balance time weights with each other to calculate the final weights of the edges. Based on the two characteristics, the method carries out a weight grading so that the weight of the edge far away from the POI event is corrected to a certain degree. Because the units of the two features are not uniform, the two features need to be subjected to normalization processing before subsequent calculation:
$x = (x - x_{\min}) / (x_{\max} - x_{\min})$
The obtained set of $f_T(e)$ values and the set of $f_C(e)$ values are each substituted into this formula to compute x, giving the time weight set $f_T(e)$ and the access ratio set $f_C(e)$ in a unified unit:
the final step of weight calculation is to normalize the weight of each node, i.e. fuse the time characteristics with the access bits. This step also mitigates weight degradation of edges away from POI events. The projection vector selects an average feature projection:
and->Default to 0.5, adjustable;
and then the following formula is used for carrying out node edge entering total weight normalization operation.
The basic principle is to ensure that, for each node, the weights of all incoming edges lie in the range [0.0, 1.0] and sum to 1.0. Together with the causal dependency score propagation scheme of the method (third stage), this normalization ensures: (1) the causal dependency effect of any node does not exceed the maximum causal dependency effect of its child nodes; (2) the causal dependency effect of any node does not exceed that of the node in the POI event (i.e., 1.0). The output of stage two is the weighted traceability graph of the POI event.
And a third stage: in this stage, given the weighted traceability graph calculated in stage two, causal dependency effects are propagated back along the weighted edges from POI events up to all ingress nodes with an ingress of 0.
Specifically, the causal dependency effect of the destination node of the POI event is first set to 1.0 by default. For a node u associated with the POI event, its causal dependency effect is iteratively updated from its child nodes, weighting each child node's causal dependency effect by the weight of the edge between the two nodes. In this way the causal dependency effect is propagated from the POI event to all entry nodes according to the causal dependency weights of the edges.
And then, sorting the entry nodes according to the influence value of the causal dependency relationship, and executing forward analysis from the entry nodes ranked at the front, and taking an intersection with a graph generated by back propagation, wherein the intersection is an attack scene subgraph output from the original traceability graph.
Here $D_u$ denotes the causal dependency effect of node u, and $W_{e(u,v)}$ denotes the normalized causal dependency weight of edge e(u, v). This score propagation scheme ensures that the score of any node does not exceed the maximum score of its child nodes, and that the score of any node does not exceed the score of the node in the POI event. In addition, compared to distribution-based score propagation algorithms, the scheme of the present invention preserves the score along a longer causal dependency path and prevents the causal dependency score from degrading rapidly.
After the causal dependency effects are propagated, the entry nodes are ranked according to their causal dependency effects. The design of the method considers that the entry nodes with higher causal dependency influence are more relevant to POI events and are more likely to become attack entries, so that the descendant nodes and relevant edges of the entry nodes are more likely to be contained in an attack scene subgraph.
The method uses three types of entry nodes: (1) file entry nodes, i.e., file nodes without incoming edges, excluding system libraries; (2) process entry nodes, i.e., process nodes whose parent nodes are all system libraries; (3) network entry nodes, i.e., network nodes without incoming edges. In particular, system library files are typically loaded by some process and have no incoming edges in the causal dependency graph, so for system library nodes the method takes the process node that loads them as the entry node. The top-ranked entry nodes are then selected. Starting from each top-ranked entry node, forward causal dependency analysis is performed until the POI event is reached, and the overlap between the original traceability graph and the forward causal dependency graph is taken as the attack scene subgraph. The key component thus generated contains the causal dependency portion actually related to the POI event, and is significantly smaller than the original large traceability graph. In addition, the attack scene subgraph illustrates how information related to the attack flows from the attack entry node to the POI event via the critical edges, which facilitates further attack investigation.
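The three stages above, worked through end to end on a constructed audit log. This is an added example, not code from the patent or from its inventors, and it fills the formulas that did not survive on the page with labelled assumptions: the time feature $f_T(e)$ is the min-max-scaled time difference to the POI, inverted so that edges nearer the POI score higher; an entry node's in-degree of 0 is clamped to 1 in $f_C(e)$; merged parallel edges keep the latest timestamp; the propagation step is reconstructed as the sum over a node's child nodes (its data-flow successors inside the backward graph) of edge weight times child score, after each node's incoming-edge weights have been normalized to sum to 1.0; and system libraries are recognised by the path prefixes /lib/ and /usr/lib/. Node ids, event timestamps and the POI event are all constructed.

```python
"""Toy run of the three stages on a constructed audit log (added example, not the patent's code)."""
from collections import defaultdict

# Constructed events (src, dst, t): data flows src -> dst, ids carry a type prefix.
EVENTS = [
    ("net:10.0.0.5:443", "proc:curl", 100.0),
    ("net:10.0.0.5:443", "proc:curl", 101.0),  # parallel edges, merged in stage 2
    ("net:10.0.0.5:443", "proc:curl", 102.0),
    ("proc:curl", "file:/tmp/drop.sh", 110.0),
    ("proc:curl", "file:/tmp/cfg", 111.0),
    ("file:/tmp/drop.sh", "proc:sh", 120.0),
    ("file:/lib/libc.so", "proc:sh", 120.5),   # system library load
    ("file:/etc/hosts", "proc:sh", 121.0),
    ("file:/tmp/cfg", "proc:sh", 122.0),
    ("proc:sh", "file:/tmp/out", 130.0),       # the POI event
    ("proc:sh", "file:/var/log/x", 131.0),     # after the POI: must stay out
]
POI = EVENTS[9]

def trace(events, seeds, poi, backward):
    """Causal dependency analysis over a queue of edges: backward pulls in each edge's source
    node's earlier incoming edges (stage 1); forward pulls in the destination node's later
    outgoing edges, no later than the POI event."""
    adj = defaultdict(list)
    for e in events:
        adj[e[1] if backward else e[0]].append(e)
    seen, queue = set(seeds), list(seeds)
    while queue:
        s, d, t = queue.pop(0)
        for e in adj[s if backward else d]:
            if (e[2] < t if backward else t <= e[2] <= poi[2]) and e not in seen:
                seen.add(e)
                queue.append(e)
    return sorted(seen, key=lambda e: e[2])

def merge_parallel(edges):
    """Stage 2a: one edge per (src, dst) pair, keeping the latest timestamp (assumption)."""
    merged = {}
    for s, d, t in edges:
        if (s, d) not in merged or t > merged[(s, d)][2]:
            merged[(s, d)] = (s, d, t)
    return sorted(merged.values(), key=lambda e: e[2])

def minmax(values):  # x = (x - x_min) / (x_max - x_min); a constant column maps to 0
    lo, hi = min(values), max(values)
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in values]

def weight_edges(edges, poi, alpha=0.5, beta=0.5):
    """Stage 2b: f_T and f_C, min-max scaled and fused with alpha/beta, then the incoming
    weights of each node are normalized to sum to 1.0. Returns {(src, dst): weight}."""
    out_deg, in_deg = defaultdict(int), defaultdict(int)
    for s, d, _ in edges:
        out_deg[s] += 1
        in_deg[d] += 1
    # f_T(e): scaled time difference to the POI, inverted so edges near the POI score higher (assumption)
    f_t = [1.0 - x for x in minmax([poi[2] - t for _, _, t in edges])]
    # f_C(e) = OutDegree(u) / InDegree(u) of the source u; an in-degree of 0 is clamped to 1 (assumption)
    f_c = minmax([out_deg[s] / max(in_deg[s], 1) for s, _, _ in edges])
    fused = {(s, d): alpha * ft + beta * fc for (s, d, _), ft, fc in zip(edges, f_t, f_c)}
    total = defaultdict(float)
    for (_, d), w in fused.items():
        total[d] += w
    return {(s, d): w / total[d] if total[d] > 0 else 1.0 / in_deg[d] for (s, d), w in fused.items()}

def propagate(weights, poi, rounds=100, eps=1e-9):
    """Stage 3a: D of the POI destination node is 1.0; every other node u is iterated to
    sum(W_e(u,v) * D_v) over its child nodes v (reconstructed propagation step)."""
    score = {n: 0.0 for pair in weights for n in pair}
    score[poi[1]] = 1.0
    for _ in range(rounds):
        delta = 0.0
        for u in score.keys() - {poi[1]}:
            new = sum(w * score[v] for (x, v), w in weights.items() if x == u)
            delta, score[u] = max(delta, abs(new - score[u])), new
        if delta < eps:
            break
    return score

def entry_nodes(weights):
    """Stage 3b: parentless file/network nodes (system libraries excluded) and process
    nodes whose parents are all system libraries."""
    is_lib = lambda n: n.startswith(("file:/lib/", "file:/usr/lib/"))  # assumption
    nodes = {n for pair in weights for n in pair}
    parents = {n: {u for u, v in weights if v == n} for n in nodes}
    return [n for n, ps in parents.items()
            if (not ps and not n.startswith("proc:") and not is_lib(n))
            or (n.startswith("proc:") and ps and all(map(is_lib, ps)))]

def attack_scene_subgraph(events, poi, top_k=1):
    """Stage 3c: rank entry nodes by D_u, forward-trace from the top_k entries, and
    intersect the result with the backward graph by (src, dst) pair."""
    back = merge_parallel(trace(events, [poi], poi, backward=True))
    weights = weight_edges(back, poi)
    score = propagate(weights, poi)
    ranked = sorted(entry_nodes(weights), key=lambda n: score[n], reverse=True)
    merged, forward = merge_parallel(events), set()
    for entry in ranked[:top_k]:
        seeds = [e for e in merged if e[0] == entry and e[2] <= poi[2]]
        forward.update(trace(merged, seeds, poi, backward=False))
    return ranked, score, sorted((e for e in forward if e[:2] in weights), key=lambda e: e[2])
```

Calling `attack_scene_subgraph(EVENTS, POI, top_k=1)` ranks the network connection (D = 124/247) above /etc/hosts (D = 62/247) and returns a six-edge attack scene subgraph that omits both the libc load and the /etc/hosts read; `top_k=2` adds the /etc/hosts path. The write to /var/log/x never enters the backward graph because it is later than the POI, and the forward pass drops it for the same reason, which is the bound the page's "until a POI event is reached" implies.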
The invention adopts a standardized data format, the graph database used is Neo4j, and the files output in each stage can be directly imported into Neo4j to check the graph structure. And storing node related information in the node file, storing side related information in the side file, and importing the final attack scene subgraph into Neo4j to form a visualized attack scene subgraph.
The beneficial effects are as follows:
The back propagation attack investigation method based on the traceability graph can merge behavior edges according to the time difference between them, which reduces the burden that repeated system process behaviors place on the edges of the traceability graph, while taking merge errors into account so that the accuracy of the final attack scene subgraph is preserved as the graph is reduced. The number of edges in the output traceability graph is smaller, and no key attack behavior nodes or edges are lost. The number of selected entry nodes can be varied: in most cases, the more entry nodes are selected, the lower the missed-alarm rate of the output attack scene subgraph, but the false alarm rate rises; therefore one can stop adding entry nodes once the number of edges in the attack scene subgraph grows noticeably with each added entry node, so the selection is flexible. Compared with other existing methods, the generated attack scene subgraph has low false alarm and missed-alarm rates; the logs collected at the bottom layer of the system are less likely to be tampered with or forged by an attacker during attack investigation; and the dual-feature projection and feature normalization can be applied effectively to log data spanning a longer period to investigate potential attacks. The attack scene subgraph generated by the method is small, so security analysts can quickly analyze the attack and determine the attack entry. Moreover, the invention is a general framework with a certain universality for different types of attacks, and different feature combinations can be used to investigate different attack types.
System embodiment
According to an embodiment of the present invention, a system for back propagation attack investigation based on a traceability graph is provided, and fig. 3 is a schematic diagram of the system for back propagation attack investigation based on the traceability graph according to the embodiment of the present invention, as shown in fig. 3, specifically including:
the acquisition module is used for: the method comprises the steps that a tracing graph is obtained, nodes of the tracing graph represent system entities, and edges represent system events;
the acquisition module is specifically used for: obtaining an audit log of an attacked system, formatting the audit log of the system to obtain formatted information, and performing inverse causal dependency analysis on the formatted information to obtain a local inverse traceability graph.
A weighted traceability graph acquisition module, used for: acquiring a weighted traceability map based on the traceability map;
the weighted traceability graph acquisition module is specifically used for: merging parallel edges between two nodes in the traceability graph; computing, for each edge, its time difference from the POI (point of interest) event as a feature weight; defining the fan-out fan-in ratio of each edge's source node as a second feature weight; normalizing the time difference and the fan-out fan-in ratio; fusing the normalized time difference and fan-out fan-in ratio into a fused weight for each edge; and outputting the weighted traceability graph.
And the attack scene sub-graph module is used for obtaining an attack scene sub-graph according to the weighted traceability graph.
The attack scene sub-graph module is specifically used for: propagating causal dependency effects backward from the POI event along the weighted edges until all entry nodes (nodes with in-degree 0) are reached; ranking the entry nodes by their causal dependency effect value; performing forward analysis from the top-ranked entry nodes to obtain an analysis result; and taking the intersection of the analysis result and the graph generated by back propagation, which is the attack scene subgraph output from the original traceability graph.
The embodiment of the present invention is a system embodiment corresponding to the above method embodiment, and specific operations of each module may be understood by referring to the description of the method embodiment, which is not repeated herein.
Device embodiment 1
The embodiment of the invention provides a device for back propagation attack investigation based on a traceability graph, which is shown in fig. 4 and comprises the following components: memory 40, processor 42, and a computer program stored on memory 40 and executable on processor 42, which when executed by the processor, performs the steps of the method embodiments described above.
Device embodiment 2
The embodiment of the present invention provides a computer readable storage medium, on which a program for implementing information transmission is stored, which when executed by the processor 42 implements the steps in the above-described method embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; and these modifications or substitutions may be made to the technical solutions of the embodiments of the present invention without departing from the spirit of the corresponding technical solutions.

Claims (10)

1. A method of back propagation attack investigation based on a traceability graph, comprising:
S1, acquiring a tracing graph, wherein nodes of the tracing graph represent system entities, and edges represent system events;
S2, acquiring a weighted traceability map based on the traceability map;
and S3, obtaining an attack scene subgraph according to the weighted traceability graph.
2. The method according to claim 1, wherein S1 specifically comprises: obtaining an audit log of an attacked system, formatting the audit log of the system to obtain formatted information, and performing inverse causal dependency analysis on the formatted information to obtain a local inverse traceability graph.
3. The method according to claim 2, wherein S2 specifically comprises: and merging parallel edges between two nodes in the traceability graph, calculating a time difference between POIs (point of interest) as a characteristic weight by each edge, defining a fan-out fan-in ratio of a source node of each edge as a characteristic weight, carrying out standardization processing on the time difference and the fan-out fan-in ratio, carrying out fusion on the time difference and the fan-out fan-in ratio after the standardization processing to obtain a fusion weight of each edge, and outputting the weighted traceability graph.
4. A method according to claim 3, wherein S3 comprises: counter-propagating causal dependency effects from POI events along weighted edges until all ingress nodes with ingress 0; and sequencing the entry nodes according to the value influenced by the causal dependency relationship, performing forward analysis from the entry nodes with the top ranking to obtain an analysis result, and taking an intersection between the analysis result and a graph generated by back propagation, wherein the intersection is an attack scene subgraph output from the original traceability graph.
5. A system for trace-graph based back propagation attack investigation, comprising:
the acquisition module is used for: the method comprises the steps that a tracing graph is obtained, nodes of the tracing graph represent system entities, and edges represent system events;
and acquiring a weighted traceability graph module: acquiring a weighted traceability map based on the traceability map;
and the attack scene sub-graph module is used for obtaining an attack scene sub-graph according to the weighted traceability graph.
6. The system of claim 5, wherein the acquisition module is specifically configured to: obtaining an audit log of an attacked system, formatting the audit log of the system to obtain formatted information, and performing inverse causal dependency analysis on the formatted information to obtain a local inverse traceability graph.
7. The system of claim 6, wherein the acquiring weighted traceability map module is specifically configured to: and merging parallel edges between two nodes in the traceability graph, calculating a time difference between POIs (point of interest) as a characteristic weight by each edge, defining a fan-out fan-in ratio of a source node of each edge as a characteristic weight, carrying out standardization processing on the time difference and the fan-out fan-in ratio, carrying out fusion on the time difference and the fan-out fan-in ratio after the standardization processing to obtain a fusion weight of each edge, and outputting the weighted traceability graph.
8. The system of claim 7, wherein the attack scenario sub-graph module is specifically configured to: counter-propagating causal dependency effects from POI events along weighted edges until all ingress nodes with ingress 0; and sequencing the entry nodes according to the value influenced by the causal dependency relationship, performing forward analysis from the entry nodes with the top ranking to obtain an analysis result, and taking an intersection between the analysis result and a graph generated by back propagation, wherein the intersection is an attack scene subgraph output from the original traceability graph.
9. A traceability-graph-based back propagation attack investigation device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program, when executed by the processor, performing the steps of the traceability-graph-based back propagation attack investigation method according to any one of claims 1-4.
10. A computer-readable storage medium on which a program for implementing information transfer is stored, the program, when executed by a processor, implementing the steps of the traceability-graph-based back propagation attack investigation method according to any one of claims 1-4.
CN202310660997.2A 2023-06-05 2023-06-05 Method, system and device for back propagation attack investigation based on traceability graph Active CN116738413B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310660997.2A CN116738413B (en) 2023-06-05 2023-06-05 Method, system and device for back propagation attack investigation based on traceability graph

Publications (2)

Publication Number Publication Date
CN116738413A true CN116738413A (en) 2023-09-12
CN116738413B CN116738413B (en) 2024-02-13

Family

ID=87905564

Country Status (1)

Country Link
CN (1) CN116738413B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107403091A (en) * 2017-07-06 2017-11-28 华中科技大学 A kind of combination is traced to the source path and the system for real-time intrusion detection of figure of tracing to the source
US10409995B1 (en) * 2017-05-08 2019-09-10 Amazon Technologies, Inc. End-to-end change tracking for triggering website security review
CN113612749A (en) * 2021-07-27 2021-11-05 华中科技大学 Intrusion behavior-oriented tracing data clustering method and device
CN113660225A (en) * 2021-07-29 2021-11-16 广州大学 Network attack event prediction method, system, device and medium based on time sequence point
CN114117432A (en) * 2021-12-07 2022-03-01 上海交通大学 APT attack chain restoration system based on data tracing graph
CN114615063A (en) * 2022-03-14 2022-06-10 清华大学 Attack tracing method and device based on log correlation analysis
CN115134160A (en) * 2022-07-11 2022-09-30 中国科学院信息工程研究所 Attack migration-based attack detection method and system
CN115146271A (en) * 2022-09-02 2022-10-04 浙江工业大学 APT (advanced persistent threat) source tracing and researching method based on causal analysis
CN115277127A (en) * 2022-07-12 2022-11-01 清华大学 Attack detection method and device for searching matching attack mode based on system tracing graph
CN115396137A (en) * 2022-06-01 2022-11-25 中债金科信息技术有限公司 Attack tracing method and device based on log correlation analysis
CN116192477A (en) * 2023-02-06 2023-05-30 复旦大学 APT attack detection method and device based on mask pattern self-encoder

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
梁若舟 et al.: "APT attack detection method on provenance graphs based on sequence feature extraction", Scientia Sinica Informationis (《中国科学:信息科学》), vol. 52, no. 08, pages 1463-1480 *
石珍珍: "Research on efficient real-time intrusion detection based on provenance", China Master's Theses Full-text Database, Information Science and Technology (《中国优秀硕士学位论文全文数据库 信息科技辑》), no. 07, pages 139-89 *

Also Published As

Publication number Publication date
CN116738413B (en) 2024-02-13

Similar Documents

Publication Publication Date Title
CN108494810B (en) Attack-oriented network security situation prediction method, device and system
US11194906B2 (en) Automated threat alert triage via data provenance
US10735272B1 (en) Graphical user interface for security intelligence automation platform using flows
US10614226B2 (en) Machine learning statistical methods estimating software system's security analysis assessment or audit effort, cost and processing decisions
US10666666B1 (en) Security intelligence automation platform using flows
JP2018538587A (en) Risk assessment method and system
US10915626B2 (en) Graph model for alert interpretation in enterprise security system
US10657208B2 (en) Analyzing model based on design interest
US11030308B2 (en) Inter-application dependency analysis for improving computer system threat detection
CN106970788A (en) A kind of object dependency relation based on tense finds method and system
CN113139192A (en) Third-party library security risk analysis method and system based on knowledge graph
KR20210030361A (en) Systems and methods for reporting computer security incidents
KR101696694B1 (en) Method And Apparatus For Analysing Source Code Vulnerability By Using TraceBack
CN110968895B (en) Data processing method and device, electronic equipment and storage medium
CN115061874A (en) Log information verification method, device, equipment and medium
CN111552792A (en) Information query method and device, electronic equipment and storage medium
CN114491513A (en) Knowledge graph-based block chain intelligent contract reentry attack detection system and method
CN116738413B (en) Method, system and device for back propagation attack investigation based on traceability graph
CN115146263B (en) User account collapse detection method and device, electronic equipment and storage medium
CN115412358B (en) Network security risk assessment method and device, electronic equipment and storage medium
CN109003181B (en) Suspicious user determination method, device, equipment and computer readable storage medium
CN113849817A (en) Method and device for detecting pollution vulnerability of JavaScript prototype chain
JP7120043B2 (en) Graph summarization device, graph summarization method and program
CN117155665B (en) Attack tracing method, system, electronic device and storage medium
CN115242614B (en) Network information analysis method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant