CN116886379A

CN116886379A - Network attack reconstruction method, model training method and related devices

Info

Publication number: CN116886379A
Application number: CN202310907847.7A
Authority: CN
Inventors: 张曼; 韩伟红; 贾焰; 鲁辉; 胡宁; 贾世准; 孙丽群; 陶莎; 马兰; 李小霞
Original assignee: Peng Cheng Laboratory
Current assignee: Peng Cheng Laboratory
Priority date: 2023-07-21
Filing date: 2023-07-21
Publication date: 2023-10-13

Abstract

The application provides a network attack reconstruction method, a training method of a model and a related device, which belong to the technical field of network security.

Description

Network attack reconstruction method, model training method and related devices

Technical Field

The present application relates to the field of network security technologies, and in particular, to a network attack reconstruction method, a model training method, and related devices.

Background

With the rapid development of computers and the internet, network security has become a major concern. Today there is an advanced persistent threat (Advanced Persistent Threat, APT) attack in networks, a complex and organized network attack behaviour aimed at long-term latency and persistent attack and penetration of specific targets. And reconstructing the network attack is helpful for understanding attack means in depth, improving defense measures, predicting future threats and enhancing emergency response capability.

In the related art, network attack behaviors are often reconstructed by acquiring various system logs, but APT attacks are customized and hidden, so that attacks can be found from a large number of logs based on the hidden nature of the attacks, the workload of network attack reconstruction is increased, the complexity brought by a large amount of data and the hidden nature of the attacks can cause that the isolated attack steps are related to be more difficult to reconstruct the intrusion path of the network attack, the reconstruction and difficulty of the network attack are improved, and the efficiency and quality of network attack reconstruction are reduced.

Disclosure of Invention

The embodiment of the application mainly aims to provide a network attack reconstruction method, a model training method and a related device, which can improve the efficiency and quality of network attack reconstruction.

In order to achieve the above object, a first aspect of an embodiment of the present application provides a network attack reconstruction method, where the method includes: acquiring an execution audit log of ATT & CK technical tactics; analyzing the execution audit log, extracting a plurality of entities and corresponding events from the execution audit log, and constructing a causal graph by taking the entities as nodes and the causal relationship among the entities represented by the events as edges; extracting the entity set, dividing the entity set into a plurality of entity subsets, and converting each entity subset into a corresponding entity sequence according to the causal relationship among the included entities; performing feature conversion on each entity sequence to obtain corresponding sequence feature vectors, inputting each sequence feature vector into a pre-trained attack recognition model, and predicting to obtain a prediction result of each entity sequence; determining the entity sequence marked as the ATT & CK action as a target sequence according to the prediction result, determining the entity in the target sequence as an ATT & CK entity, determining a target path between ATT & CK nodes where the ATT & CK entity is located in the causal graph, and converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes.

In some embodiments, the extracting the set of entities, dividing into a plurality of entity subsets according to the set of entities, includes: extracting a set of entities from the causal graph, wherein the set of entities comprises all the entities in the causal graph; and selecting any at least two entities from the entity set, and forming an entity subset by the selected any at least two entities to obtain a plurality of entity subsets.

In some embodiments, the attack recognition model is provided with an encoder and a decoder; inputting each sequence feature vector into a pre-trained attack recognition model, and predicting to obtain a predicted result of each entity sequence, wherein the method comprises the following steps: acquiring position information of each sequence feature vector in a sequence and model dimensions of the attack recognition model, establishing dimension indexes for each sequence feature vector, and calculating position codes of each sequence feature vector through the position information, the model dimensions and the dimension indexes; embedding each sequence feature vector into the corresponding position code, inputting the sequence feature vector into the encoder of the model, and obtaining the code feature vector corresponding to each sequence feature vector after the processing of a multi-head attention layer and a feedforward layer in the encoder; and after the coding feature vectors are embedded into the corresponding position codes, inputting the position codes into the decoder of the model, and predicting to obtain a prediction result of each entity sequence after processing of a multi-head attention layer, a residual connection and layer normalization layer, a feedforward layer, a linear layer and a classification output layer which are covered in the decoder.

In some embodiments, the attack recognition model is trained by the steps comprising: acquiring a sample audit log of ATT & CK technical tactics; analyzing the sample audit log, extracting a plurality of sample entities and corresponding sample events from the sample audit log, and constructing a sample causal graph by taking the sample entities as nodes and the causal relationship among the entities represented by the sample events as edges; extracting a set of sample entities from the sample causal graph, determining a plurality of sample ATT & CK entity subsets from the set of sample entities, and converting each sample ATT & CK entity subset into corresponding each sample entity sequence according to causal relation among contained entities, wherein at least one sample ATT & CK entity is included in the sample ATT & CK entity subset; performing feature conversion on each sample entity sequence to obtain corresponding feature vectors of each sample sequence, sequentially inputting the feature vectors of each sample sequence into the attack recognition model, and predicting to obtain sample prediction results of each sample entity sequence; marking sample labels for the sample entity sequences according to the included sample ATT & CK entity conditions, and adjusting parameters of the attack recognition model according to the sample labels and the sample prediction results to obtain the trained attack recognition model.

In some embodiments, the determining a plurality of sample ATT & CK entity subsets from the set of sample entities comprises: determining at least one sample ATT & CK entity marked as ATT & CK behaviour from the set of sample entities and constructing at least one attack subset from at least one sample ATT & CK entity, wherein the entities in each attack subset are the sample ATT & CK entities and at least one of the sample ATT & CK entities is contained in the attack subset; determining at least one sample normal entity marked as normal behavior from the set of sample entities, and adding any at least one sample normal entity for each attack subset to form at least one normal subset; at least one of the attack subset and the normal subset is taken as a sample ATT & CK entity subset.

In some embodiments, the sequentially inputting each of the sample sequence feature vectors into the attack identification model includes: if the ratio of the number of the subsets between the normal subset and the attack subset is greater than a preset threshold, performing oversampling processing on the sample sequence feature vectors to increase the number of the sample sequence feature vectors corresponding to the attack subset, or performing undersampling processing on the sample sequence feature vectors to reduce the number of the sample sequence feature vectors corresponding to the normal subset; and sequentially inputting the feature vectors of the sample sequences after the over-sampling or under-sampling treatment into the attack recognition model.

In some embodiments, the constructing a sample causal graph with the sample entities as nodes and causal relationships between entities characterized by the sample events as edges comprises: constructing an initial causal graph by taking the sample entities as nodes and the causal relations among the entities characterized by the sample events as edges; and cleaning and sorting nodes and edges in the initial causal graph to obtain a sample causal graph.

In some embodiments, the cleaning and sorting the nodes and edges in the initial causal graph to obtain a sample causal graph includes: determining a sample ATT & CK node marked as ATT & CK behaviors in the initial causal graph and a sample normal node marked as normal behaviors, deleting the sample normal node and a corresponding edge, which cannot reach the sample ATT & CK node, in the initial sample graph, and obtaining a sample causal graph; determining repeated edges between any two nodes in the initial causal graph, and deleting the repeated edges to obtain the sample causal graph; and determining different nodes of the same type of event in the initial causal graph, merging the different nodes into the same node, and reserving the same input and output edges to obtain the sample causal graph.

In some embodiments, the feature converting each entity sequence to obtain a corresponding feature vector of each sequence includes: acquiring a preset name mapping table; mapping entity names in each entity sequence into the name mapping table, redefining the entity names in each entity sequence according to the mapping result of the name mapping table, and determining the entity sequence with the morphology restored according to the redetermined entity names; and performing feature conversion on each entity sequence after morphological reduction to obtain corresponding feature vectors of each sequence.

In some embodiments, the determining a target path between ATT & CK nodes where the ATT & CK entity is located in the causal graph, converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes, including: configuring corresponding weights for each edge according to the causal relation or path length between nodes in the causal graph; selecting any ATT & CK node where any ATT & CK entity is located as an initial node, selecting any ATT & CK node where another ATT & CK entity is located as a target node, acquiring the shortest path between the initial node and the target node through a Di Jie St-Lag algorithm based on the weight, and taking the shortest path as a target path; and reserving the ATT & CK nodes and the nodes and edges on the target path in the causal graph, deleting the nodes and edges outside the target path, and taking the processed causal graph as a reconstructed attack traceability graph.

To achieve the above object, a second aspect of the embodiments of the present application provides a training method for an attack recognition model, where the method includes: acquiring a sample audit log of ATT & CK technical tactics; analyzing the sample audit log, extracting a plurality of sample entities and corresponding sample events from the sample audit log, and constructing a sample causal graph by taking the sample entities as nodes and the causal relationship among the entities represented by the sample events as edges; extracting a set of sample entities from the sample causal graph, determining a plurality of sample ATT & CK entity subsets from the set of sample entities, and converting each sample ATT & CK entity subset into corresponding each sample entity sequence according to causal relation among contained entities, wherein at least one sample ATT & CK entity is included in the sample ATT & CK entity subset; performing feature conversion on each sample entity sequence to obtain corresponding feature vectors of each sample sequence, sequentially inputting the feature vectors of each sample sequence into an attack recognition model, and predicting to obtain sample prediction results of each sample entity sequence; marking sample labels for the sample entity sequences according to the included sample ATT & CK entity conditions, and adjusting parameters of the attack recognition model according to the sample labels and the sample prediction results to obtain the trained attack recognition model.

To achieve the above object, a third aspect of the embodiments of the present application proposes a network attack reconstruction device, including: the log acquisition module is used for acquiring an execution audit log of the ATT & CK technical strategy; the causal graph construction module is used for analyzing the execution audit log, extracting a plurality of entities and corresponding events from the execution audit log, and constructing a causal graph by taking the entities as nodes and the causal relationship among the entities represented by the events as edges; the sequence extraction module is used for extracting the set of the entities, dividing the set of the entities into a plurality of entity subsets, and converting each entity subset into corresponding each entity sequence according to the contained causal relationship among the entities; the model prediction module is used for carrying out feature conversion on each entity sequence to obtain corresponding sequence feature vectors, inputting each sequence feature vector into a pre-trained attack recognition model, and predicting to obtain a prediction result of each entity sequence; and the attack reconstruction module is used for determining the entity sequence marked as the ATT & CK action as a target sequence according to the prediction result, determining the entity in the target sequence as an ATT & CK entity, determining a target path between ATT & CK nodes where the ATT & CK entity is located in the causal graph, and converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes.

To achieve the above object, a fourth aspect of the embodiments of the present application provides an electronic device, where the electronic device includes a memory and a processor, and the memory stores a computer program, and when the processor executes the computer program, implements the network attack reconstruction method described in the first aspect embodiment, or implements the training method of the attack recognition model described in the second aspect embodiment.

To achieve the above object, a fifth aspect of the embodiments of the present application proposes a storage medium, which is a computer-readable storage medium storing a computer program that, when executed by a processor, implements the network attack reconstruction method described in the first aspect embodiment or implements the training method of the attack recognition model described in the second aspect embodiment.

The embodiment of the application has the following beneficial effects:

the construction of the attack traceability graph is completed by acquiring an execution audit log of the ATT & CK technical tactics, an entity extracted from the execution audit log is firstly required to be used as a node and an event to construct a causal graph, the causal graph contains a large number of normal nodes, the nodes which are ATT & CK nodes are uncertain, the nodes cannot be used as a final traceability graph, and further processing is required. Therefore, the embodiment of the application needs to extract the entity set, divide the entity set to obtain a plurality of entity subsets, convert the causal relationship among the entities contained in each entity subset to obtain corresponding entity sequences, contain different nodes through the sequences to process models, then input each entity sequence into a pre-trained attack recognition model after converting the characteristics of each entity sequence, predict to obtain the predicted result of each entity sequence, and then judge whether the entity in the sequence is an ATT & CK entity through the models, wherein the node corresponding to the ATT & CK entity is an ATT & CK node, so that the target path among the ATT & CK nodes can be determined in the causal graph, and finally convert the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK node. The embodiment of the application can complete the construction of the attack traceability graph only by acquiring the execution audit log of the ATT & CK technical tactics without adding extra workload, and can accurately determine the ATT & CK entity and the node and complete the construction of the attack traceability graph by storing the entity in the entity sequence to determine the attack sequence through the attack identification model, so that the embodiment of the application can improve the efficiency and the quality of network attack reconstruction.

Drawings

FIG. 1 is a schematic illustration of an alternative implementation environment provided by an embodiment of the present application;

FIG. 2 is an alternative flow chart of a network attack reconstruction method provided by an embodiment of the present application;

FIG. 3 is a schematic illustration of an initial causal graph provided by an embodiment of the present application;

FIG. 4 is a schematic diagram of extracting an entity sequence from a causal graph provided by an embodiment of the present application;

fig. 5 is a flow chart of step S103 in fig. 2;

FIG. 6 is a schematic diagram of an attack recognition model structure provided by an embodiment of the present application;

fig. 7 is a schematic flow chart of step S104 in fig. 2;

FIG. 8 is a flowchart of an attack recognition model training process according to an embodiment of the present application;

fig. 9 is a flowchart of step S403 in fig. 8;

FIG. 10 is a schematic diagram of an extracted attack subset and a normal subset provided by an embodiment of the present application;

fig. 11 is a flowchart of step S404 in fig. 8;

FIG. 12 is a schematic diagram of a training phase data processing procedure provided by an embodiment of the present application;

fig. 13 is a flowchart of step S402 in fig. 8;

fig. 14 is a flowchart of step S702 in fig. 13;

FIG. 15 is a schematic illustration of a causal graph of cleaned and conditioned samples provided by an embodiment of the present application;

Fig. 16 is another flow chart of step S104 in fig. 2;

fig. 17 is a flow chart of step S105 in fig. 2;

FIG. 18 is a schematic diagram of a complete flow of attack detection provided by an embodiment of the present application;

FIG. 19 is an alternative flow chart of a method of training an attack recognition model provided by an embodiment of the present application;

fig. 20 is a schematic functional block diagram of a network attack reconstruction device according to an embodiment of the present application;

fig. 21 is a schematic hardware structure of an electronic device according to an embodiment of the present application.

Detailed Description

The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.

It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.

First, several nouns involved in the present application are parsed:

artificial intelligence (artificial intelligence, AI): is a new technical science for researching and developing theories, methods, technologies and application systems for simulating, extending and expanding the intelligence of people; artificial intelligence is a branch of computer science that attempts to understand the nature of intelligence and to produce a new intelligent machine that can react in a manner similar to human intelligence, research in this field including robotics, language recognition, image recognition, natural language processing, and expert systems. Artificial intelligence can simulate the information process of consciousness and thinking of people. Artificial intelligence is also a theory, method, technique, and application system that utilizes a digital computer or digital computer-controlled machine to simulate, extend, and expand human intelligence, sense the environment, acquire knowledge, and use knowledge to obtain optimal results.

The transducer model is a deep learning model based on a self-attention mechanism for processing sequence data. Transformer solves the problem of gradient disappearance and difficulty in parallel computation by introducing a mechanism called self-attention mechanism. The transducer model consists of an encoder and a decoder. The encoder is used to convert the input sequence into a series of hidden representations, which are used by the decoder to generate the output sequence. Each encoder and decoder contains multiple layers of attention mechanisms and feed-forward neural networks. In the attention mechanism, the model is able to focus itself on different positions in the input sequence, so that the interrelationship between them is better understood. By calculating the attention weight between each location and other locations, the transducer model can accurately capture important information in the sequence and achieve better modeling and feature extraction.

Advanced persistent threat (Advanced Persistent Threat, APT) attack, which is a complex and organized network attack, is a complex and targeted network attack approach, which is characterized by privacy, persistence, and high degree of customization, and is intended to be long-term hidden and capture of sensitive information in the target system, and is typically performed by highly specialized and organized groups of hackers, spying institutions, or other malicious organizations, by utilizing advanced technological means, social engineering, and exploit approaches, etc., to penetrate the target network and evade traditional security safeguards.

ATT & CK (Adversarial Tactics, techniques, and Common Knowledge) is a carefully chosen knowledge base and model for network adversary behavior, reflecting the different stages of the adversary's attack lifecycle and their known target platforms. ATT & CK focuses on how an external adversary attacks and operates within a computer information network. It originates from an item aimed at recording and classifying tactics, techniques and procedures (TTP) for system-adaptive attacks to improve the detection of malicious behaviour. The ATT & CK framework records various attack tactics and techniques in a structured manner, providing a better way for security practitioners to understand and deal with threats. It is divided into several parts, including tactics, technology, and software, each of which provides detailed attack patterns and corresponding defense suggestions.

In the related art, network attack behavior is often reconstructed by acquiring various system logs, but the APT attack is customized and hidden, so that attack can be found from a large number of logs based on the hidden nature of the attack, the behavior of searching for the attack from hundreds of millions of log data generated each day is like a sea fishing needle, the workload of network attack reconstruction is increased, the complexity brought by a large amount of data and the hidden nature of the attack can cause that the isolated attack steps are related to each other to reconstruct the intrusion path of the network attack more difficult, the network attack reconstruction and difficulty are improved, and security researchers often have difficulty in finding the APT attack because the attack can be hidden in an information system for a plurality of months, and the efficiency and quality of network attack reconstruction are reduced.

In order to solve the problem, related technology proposes a traceability graph construction method based on COTS audit data, which separates codes from data by setting two kinds of trust labels, marks dangerous behavior by a label propagation strategy, and finally determines the influence range of an APT attack by reverse search and forward search.

There are also some Techniques proposed to map APT activities to killing chains, and methods of introducing Tactics, technologies and Procedures (TTPs) and advanced scenegraphs (High-level Scenario Graph, HSG) to solve the huge semantic gap between low-level audit data and attack target intentions, but still face the problem of large data volume, and it is still difficult to link these isolated attack steps to reconstruct the intrusion path of network attacks.

There are also some technologies proposed methods for implementing attack detection by long-short-term memory network models (Long Short Term Memory, LSTM), but existing real-time detection methods based on LSTM may not accurately distinguish between malicious behavior and benign behavior, and the LSTM may also have a problem of gradient disappearance in a complex neural network, and each word may use the information input before, which belongs to serial operation.

Based on this, the embodiment of the application provides a network attack reconstruction method, a training method of a model and a related device, the construction of an attack tracing graph can be completed only by acquiring an execution audit log of an ATT & CK technology, no additional workload is required to be added, and an entity is stored in an entity sequence to determine an attack sequence through an attack identification model, so that the ATT & CK entity and the node can be accurately determined and the construction of the attack tracing graph is completed.

Compared with the prior art, the embodiment of the application has the following advantages:

(1) Although the behaviors in the ATT & CK technical tactics do not necessarily mean attacks, almost all attacks can be reflected in the technical tactics of the ATT & CK, most of the technical tactics used by the same APT organization do not change obviously within a period of time, and the matching of the ATT & CK technical tactics and other information are determined to be helpful for tracing the APT organization, so that the embodiment of the application can mine the trace of the APT attack in massive audit logs from days to months, link isolated and discrete attack behaviors with each other, reconstruct the complete flow of the APT attack, and in addition, the reconstructed causal graph can also be matched with the technical sequence of the ATT & CK to find out the attack behavior and extract the technical tactics used by the APT attack;

(2) Tag-based methods are prone to "explosion-dependent" problems if propagation strategies are not restricted, and how to accurately determine the initial tag is also a problem. In contrast to the embodiment of the present application, which uses a sequence learning method to train the transducer model to identify the suspicious attack sequences, the attack identification model in the embodiment of the present application is a transducer model.

(3) LSTM also suffers from gradient extinction in complex neural networks, and each word uses the previously entered information, belonging to serial operations. Whereas the transducer model belongs to parallel computing, directly computes the Attention mechanism (Attention) value of each word.

The network attack reconstruction method, the model training method and the related devices provided by the embodiment of the application are specifically described through the following embodiments, and the network attack reconstruction system in the embodiment of the application is described first.

Fig. 1 is a schematic diagram of an alternative implementation environment provided in an embodiment of the present application, where the implementation environment includes a terminal 11 and a server 12, where the terminal 11 and the server 12 are connected through a communication network.

The server 12 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs (Content Delivery Network, content delivery networks), basic cloud computing services such as big data and artificial intelligence platforms, and the like. In addition, the server 12 may also be a node server in a blockchain network.

The terminal 11 may be, but is not limited to, a virtual reality device, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, a car terminal, etc. The terminal 11 and the server 12 may be directly or indirectly connected through wired or wireless communication, and the embodiment of the present application is not limited herein.

Illustratively, the server 12 may obtain an audit log of the ATT & CK technical tactics, which may be obtained from the terminal 11 or from another server or terminal; then analyzing an execution audit log, extracting a plurality of entities and corresponding events from the execution audit log, and constructing a causal graph by taking the entities as nodes and the causal relationship among the entities represented by the events as edges; extracting an entity set, dividing the entity set into a plurality of entity subsets, and converting the entity subsets into corresponding entity sequences according to causal relations among the entities contained in the entity subsets; performing feature conversion on each entity sequence to obtain corresponding feature vectors of each sequence, inputting the feature vectors of each sequence into a pre-trained attack recognition model, and predicting to obtain a prediction result of each entity sequence; determining an entity sequence marked as ATT & CK behaviors as a target sequence according to a prediction result, determining that an entity in the target sequence is an ATT & CK entity, determining a target path between ATT & CK nodes where the ATT & CK entity is located in a causal graph, and converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes.

For example, the terminal 11 may transmit an execution audit log of the ATT & CK technical to the server 12 so that the server 12 performs processing according to the execution audit log of the ATT & CK technical; the terminal 11 can also receive and display the attack tracing graph sent by the server 12; the terminal 11 may also send a request for generating the attack tracing graph to the server 12, so that after the server 12 receives the request for generating, a corresponding method is executed.

Based on this, the network attack reconstruction method in the embodiment of the present application can be described by the following embodiment.

The embodiment of the application can acquire and process the related data based on the artificial intelligence technology. Among these, artificial intelligence (Artificial Intelligence, AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and extend human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.

Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.

It should be noted that, in each embodiment of the present application, when related processing is required according to user information, user behavior data, user history data, user location information, and other data related to user identity or characteristics, permission or consent of the user is obtained first, for example, permission or consent of the user is obtained first when an audit log of execution of ATT & CK technical tactics is obtained. Moreover, the collection, use, processing, etc. of such data would comply with relevant laws and regulations. In addition, when the embodiment of the application needs to acquire the sensitive personal information of the user, the independent permission or independent consent of the user is acquired through popup or jump to a confirmation page and the like, and after the independent permission or independent consent of the user is definitely acquired, the necessary relevant data of the user for enabling the embodiment of the application to normally operate is acquired.

Fig. 2 is an optional flowchart of a network attack reconstruction method according to an embodiment of the present application, where the method in fig. 2 may include, but is not limited to, steps S101 to S105.

Step S101, obtaining an execution audit log of ATT & CK technical tactics;

by way of example, an execution audit log of ATT & CK technical tactics refers to a log of activities of recording and auditing execution ATT & CK technical tactics in a network environment. An attacker performing an APT attack or other malicious activity uses various techniques and skills to penetrate and manipulate the target network. ATT & CK technology defines a range of techniques and methods that these attackers may use.

Illustratively, the audit log is performed to collect and record events and activities related to the ATT & CK technique, generating a traceable log record in the network. These log records can be used to monitor and detect potential attack activity, analyze attack paths, evidence and survey, and provide valuable information to defend against and respond to future attacks.

Illustratively, there are a number of ways to collect and record performance audit logs associated with ATT & CK technology. For example, system audit functions may be configured and enabled to record events and activities related to ATT & CK technology; the SIEM tool can also be used to integrate and centrally manage log records from different systems and devices; network traffic monitoring tools may also be used to capture and record network traffic, which tools may provide real-time analysis and recording of data packets in the network and help detect and track attack activity related to ATT & CK technology; terminal security solutions, such as terminal detection and response (EDR) tools, terminal protection platforms, or other server communication connections, may also be used to collect and record terminal activity related to ATT & CK technology tactics; cloud-based environments may also collect and record cloud resource activities and events related to ATT & CK technology. The method for acquiring the execution audit log of the ATT and CK technical tactics is not particularly limited in the embodiment of the application.

Step S102, analyzing an execution audit log, extracting a plurality of entities and corresponding events from the execution audit log, and constructing a causal graph by taking the entities as nodes and the causal relationship among the entities represented by the events as edges;

for example, after the audit log is obtained and executed, the log needs to be parsed, and after the parsing, the subject and the object in the log can be obtained and used as entities, for example, the entities can be processes, files, network connections and the like, and when the causal graph is formed, the entities are used as nodes in the causal graph, for example, a circle in fig. 3 is a node, and different nodes represent different entities. In executing an audit log, events representing specific operations or activities occurring in a system, network or application, such as user login, file access, process start, etc., may be considered events, by analyzing which information about an attacker's behavior, abnormal activity or potential security threat may be obtained, and when a causal graph is formed, the causal graph is constructed with causal relationships between entities represented by the events as edges, such as direct connection lines of nodes in fig. 3, with different edges representing different events.

Illustratively, the conversion of the log into a causal graph is a program implemented method. Both the subject and the object are entities (processes, files, network connections, etc.), i.e. nodes, which appear as circles on the figure. The entities are connected through actions, the event can represent the actions between the corresponding nodes, and the event is a four-dimensional vector (subject, action, object, time stamp), so that the action performed under a certain time stamp between the subject and the object can be represented through a causal graph. In the following example, a 6-point 6-second process a opens a file B, where process a and file B are the subject and object, respectively, and are the extracted entities, which can be used as nodes in the causal graph, "open" is an action, representing a causal relationship between process a and file B, which is an event in its entirety. It may be noted that attacks often involve multiple nodes and events, so a causal graph of multiple nodes and edges may be constructed.

Step S103, extracting a set of entities, dividing the set of the entities to obtain a plurality of entity subsets, and converting each entity subset into corresponding each entity sequence according to the causal relationship among the included entities;

illustratively, before input to the model for processing, input data of the model is required to be clarified, in the embodiment of the present application, the input data of the model is a feature vector obtained by converting a sequence, and the sequence is constructed by first extracting a set of entities. There are various ways to extract the entity set, for example, the entity set may be extracted from the causal graph, and each node in the causal graph is obtained and obtained; or, the audit log may be obtained from the time of analysis, and multiple entities may be obtained when the audit log is analyzed, and the collection of entities may be obtained and formed at the same time.

Illustratively, after the collection of entities is obtained, this is a total collection that needs to be partitioned into a plurality of subsets of entities, where one subset of entities is a subset that is the total collection of entities, and thus each subset of entities may include one or more entities. Then, after obtaining the plurality of entity subsets, each entity subset needs to be converted into corresponding each entity sequence according to the causal relationship among the included entities, and the entity subsets are converted into corresponding entity sequences according to the causal relationship among the entities, so that the development process of the attack events and the relationship among the events can be better understood and analyzed, for example, the related events can be connected according to the occurrence sequence by considering the causal relationship among the entities to form a time execution path, which is helpful for restoring the action track of an attacker, analyzing how the attack events develop and evolve gradually, and better capturing the dependency relationship among the attack events.

For example, converting the respective subset of entities into corresponding respective sequences of entities according to causal relationships between the included entities may be by concatenating time-stamped ordered suspicious attack events into a sequence. FIG. 4 is a schematic diagram of an embodiment of the present application for extracting an entity sequence from a causal graph, where normal nodes P1, P2, and P6, and ATT & CK entities P3 and P5 are set, where P5 performs T1 read operation on P3, P5 performs T2 write operation on P1, P1 performs T3 read operation on P4, P5 performs T4 read operation on P4, P1 performs T5 read operation on P2, P3 performs T6 read operation on P4 performs T7 read operation on P2, and P2 performs T8 read operation on P6, where T represents different time instants, given a subset { P3, P5} of entities characterized by ATT & CK behaviors, these nodes can be connected by suspicious attack events ordered by the attack entities P3 and P5 stamps, converted into a sequence, and trained to mark it as ATT & CK sequence.

Illustratively, the conversion to sequences is to better utilize the temporal order and contextual relationships between events through sequence modeling and natural language processing techniques, thereby improving the effectiveness of analysis and model training on ATT & CK skills. In particular, the events in the execution audit log are often recorded in time sequence, and by converting the events into a sequence form, the time relationship of the events can be preserved, which is very important to help analyze the behavior of an attacker and identify different stages of an attack chain. The context relation among the events can be considered when the events are converted into the sequence form, and certain dependency relation or semantic correlation can exist among adjacent events, so that the relation can be better captured through sequence modeling, and the performance of a subsequent model is improved. And after the events in the audit log are converted into sequences, natural language processing techniques can be applied for further analysis and processing. For example, word embedding, transform and other models are all processing methods based on sequence data, and have wide application in processing natural language text, so after extracting into sequences, further application of word shape reduction, word embedding and other technologies can convert events into computable vector representations for subsequent machine learning or deep learning model training.

It should be noted that in the embodiment of the present application, in constructing the entity subsets, the order of the entities in the entity subsets is ordered according to the causal relationship, so that the subsequent conversion of each entity subset into each corresponding entity sequence according to the causal relationship between the included entities is facilitated.

Step S104, carrying out feature conversion on each entity sequence to obtain corresponding feature vectors of each sequence, inputting the feature vectors of each sequence into a pre-trained attack recognition model, and predicting to obtain a prediction result of each entity sequence;

after each entity sequence is obtained, each entity sequence needs to be subjected to feature conversion to obtain corresponding feature vectors of each sequence, and then each sequence feature vector is input into a pre-trained attack recognition model so as to carry out corresponding processing on the attack recognition model. The attack recognition model is a pre-trained transform model in the embodiment of the present application, and is used for finding out ATT & CK behaviors in an audit log, and after a sequence feature vector is input into the model, the sequence feature vector can be processed by an encoder and a decoder thereof, and finally a prediction result of a de-sequence feature vector is output, where the prediction result can represent whether the sequence feature vector is a vector of an ATT & CK sequence, that is, whether each entity sequence is an ATT & CK sequence.

By way of example, feature transformation is implemented in the embodiment of the present application by means of Word embedding (Word embedding ng), which is a technique of mapping words to a low-dimensional real vector space, which converts words into successive real-valued vector representations by learning the distribution and relationship of the words in the vector space. Through word embedding, the embodiment of the application can represent words into dense vectors with semantic information, thereby better capturing semantic and contextual relationships in natural language processing tasks. In addition, in the embodiment of the application, the feature conversion can be finished by adopting modes such as single-heat coding, word bag model and the like according to actual needs.

It should be noted that, in the embodiment of the present application, the entity sequence is obtained by converting each entity subset according to the causal relationship between the included entities, so that in the identifying process of the model, whether the entity sequence is an ATT & CK sequence can be identified according to the causal relationship between the nodes or the entities, thereby improving the accuracy of identifying the model.

Step S105, determining an entity sequence marked as ATT & CK behaviors as a target sequence according to a prediction result, determining that an entity in the target sequence is an ATT & CK entity, determining a target path between ATT & CK nodes where the ATT & CK entity is located in a causal graph, and converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes.

For example, after the prediction result is obtained, the prediction situation of each entity sequence may be obtained according to the prediction result, after the prediction is performed by the model, some entity sequences are normal sequences, and some entity sequences are determined to be marked as entity sequences of ATT & CK behaviors, so that these entity sequences marked as ATT & CK behaviors may be defined as target sequences, and all entities in the target sequences are ATT & CK entities, that is, attack entities, and then the generation of the traceability map may be performed according to the determined ATT & CK entities.

Illustratively, the traceability map is a tool with strong abstract expression capability, and has relatively high efficiency. Thus, more and more research is now beginning to focus on trace-graph based detection and response algorithms, and it is believed that trace-graphs have the potential to be the next generation of more powerful detection mechanisms. The traceability graph is a set of all subjects, objects and events, and can be represented by g= (S, O, E), where S represents the set of subjects, O represents the set of objects, and E represents the set of events. These operations are collected by an auditing tool and generate a time-stamped event stream. The order of events affects semantics, events are directed, indicating data flow or control flow. Therefore, the traceability map has strong space-time characteristics. This property is called causality of the traceability map. In the traceability graph, both the subject and the object are represented as nodes, and the event is represented as an edge. There may be multiple edges between two nodes with different times or operations.

The attack traceability graph is an attack traceability graph finally generated in the embodiment of the application, and the traceability graph is obtained based on the conversion of the previously constructed causal graph. Specifically, after determining the ATT & CK entity, the node where the ATT & CK entity is located in the causal graph is the ATT & CK node, and in the ATT & CK technical tactics, the APT attack generally includes two associated attack entities, respectively, an APT organization and an APT tool, so that there are two general ATT & CK nodes, the application needs to determine a target path between ATT & CK nodes, and there are corresponding paths between nodes in the causal graph, after determining the target path between ATT & CK nodes, there are some normal nodes and edges not above the target path, the nodes and edges can be deleted, so that the causal graph is more simplified, and the target path can be a relatively short path reaching the other node.

According to the embodiment of the application, the construction of the attack tracing graph is completed by acquiring the execution audit log of the ATT & CK technical tactics, the entity extracted from the execution audit log is firstly required to be used as a node and an event to construct a causal graph, the causal graph contains a large number of normal nodes, and the nodes which are ATT & CK nodes are uncertain and cannot be used as a final tracing graph, so that further processing is required. Therefore, the embodiment of the application needs to extract the entity set, divide the entity set to obtain a plurality of entity subsets, convert the causal relationship among the entities contained in each entity subset to obtain corresponding entity sequences, contain different nodes through the sequences to process models, then input each entity sequence into a pre-trained attack recognition model after converting the characteristics of each entity sequence, predict to obtain the predicted result of each entity sequence, and then judge whether the entity in the sequence is an ATT & CK entity through the models, wherein the node corresponding to the ATT & CK entity is an ATT & CK node, so that the target path among the ATT & CK nodes can be determined in the causal graph, and finally convert the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK node. The embodiment of the application can complete the construction of the attack traceability graph only by acquiring the execution audit log of the ATT & CK technical tactics without adding extra workload, and can accurately determine the ATT & CK entity and the node and complete the construction of the attack traceability graph by storing the entity in the entity sequence to determine the attack sequence through the attack identification model, so that the embodiment of the application can improve the efficiency and the quality of network attack reconstruction.

It should be noted that, in the embodiment of the present application, the data is derived from the Mitre ATT & CK matrix of the universal attack knowledge base, the matrix almost covers all the current attack methods, the use of the matrix as a representative of attack behaviors can reflect the actual attack behaviors to a certain extent, and the update frequency of the used ATT & CK data is high, so that the data is suitable for the current actual attack and defense environment.

Referring to fig. 5, in some embodiments, step S103 may include steps S201 to S202:

step S201, extracting a set of entities from the causal graph, wherein the set of entities comprises all entities in the causal graph;

step S202, selecting any at least two entities from the entity set, and composing the selected any at least two entities into an entity subset to obtain a plurality of entity subsets.

Illustratively, in the embodiment of the present application, the set of entities is extracted from the causal graph, and the set of entities includes all the entities in the causal graph. For example, taking the causal graph in fig. 4 as an example, there are 6 nodes P1, P2, P3, P4, P5, P6 in fig. 4, then the entity set extracted according to the causal graph in fig. 4 is { P1, P2, P3, P4, P5, P6}.

The entity subsets constructed in the embodiment of the application comprise at least two entities, when each entity subset is obtained by dividing, any at least two entities need to be selected from the entity sets, and the selected at least two entities form the entity subsets to obtain a plurality of entity subsets. For example, again taking fig. 4 as an example, among the subsets of entities divided according to the sets { P1, P2, P3, P4, P5, P6}, there may be { P1, P2}, { P1, P3}, { P1, P2, P4}, { P1, P2, P3, P4, P5} and so on, and at least two of the subsets of entities may be included.

It should be noted that, in the ATT & CK technical tactics, the APT attack generally includes two associated attack entities, which are respectively an APT organization and an APT tool, so that, in general, there are at least two ATT & CK nodes or ATT & CK entities, by determining a subset of entities including the two entities to generate an entity sequence for model input, the recognition capability of ATT & CK behaviors can be further improved, for example, if there is an ATT & CK sequence { P3, P5}, only feature vectors corresponding to the { P3, P5} sequence are input to the model, and then the output prediction result is ATT & CK behaviors, while other sequences, such as sequences with normal nodes even if a certain ATT & CK node, are not recognized as ATT & CK behaviors, such as { P3, P6}, { P2, P5}, and the like sequences. Further, ATT & CK is a generic term generally comprising more than 100 technical strategies, and thus, the number of ATT & CK entities and normal entities involved is very large, so that the number of actual ATT & CK entities is more than 2, and thus, by including at least two entities in each subset of entities, the efficiency and quality of distinguishing ATT & CK sequences can be further improved, and normal behavior and ATT & CK behavior can be better distinguished.

The attack recognition model is illustratively a transducer model, so that an encoder and a decoder are arranged in the model, and as shown in fig. 6, a schematic diagram of the structure of the attack recognition model provided by the embodiment of the application is shown. The encoder is provided with two sub-layers of a Multi-Head Attention layer (Multi-Head Attention) and a Feed Forward layer (Feed Forward), the two sub-layers are connected with a normalization layer, a plurality of sub-layers of a Multi-Head Attention layer (Masked Multi Head Attention), a Multi-Head Attention layer, a Feed Forward layer, a linear layer and the like which are covered are arranged in the decoder, a residual connection and a normalization layer or a normalization layer are contained between each sub-layer, and a classified output layer is connected with the decoder at last, and the classified output layer is composed of a softmax layer.

Referring to fig. 7, in some embodiments, step S104 may include steps S301 to S303:

step S301, position information of each sequence feature vector in the sequence and model dimension of an attack recognition model are obtained, dimension indexes are established for each sequence feature vector, and position codes of each sequence feature vector are calculated through the position information, the model dimension and the dimension indexes;

Step S302, after embedding each sequence feature vector into a corresponding position code, inputting the sequence feature vector into an encoder of a model, and obtaining a code feature vector corresponding to each sequence feature vector after processing a multi-head attention layer and a feedforward layer in the encoder;

step S303, after each coding feature vector is embedded into a corresponding position code, the corresponding position code is input into a decoder of a model, and after the processing of a multi-head attention layer, a residual connection and layer normalization layer, a feedforward layer, a linear layer and a classification output layer which are covered in the decoder, the prediction result of each entity sequence is obtained through prediction.

Illustratively, the input portion of the attack recognition model has two inputs, one from the encoder and one from the decoder. But the data input twice is different, the actual decoder input is the samples of the encoder output, the input to the encoder is the embedded sequence samples, and the position encoding is also embedded before the input twice into the encoder and decoder.

For example, before the input enters the encoder and the decoder, a position code needs to be embedded, so that the position information of each sequence feature vector in the sequence and the model dimension of the attack recognition model are obtained, a dimension index is established for each sequence feature vector, and the position code of each sequence feature vector is calculated through the position information, the model dimension and the dimension index. Embedding position codes is required because the transducer does not process the data position information of the input model, and does not operate in a serial manner like a long and short-term memory neural network to obtain the position information, so the position information needs to be embedded into the input data.

Wherein the position encoding is calculated as follows:

PE(pos,2i)＝sin(pos/100002i/dmodel)

the pos is position information in the sequence, i is a dimension, that is, a dimension index established for each sequence feature vector, dmedel is a model dimension, 2i is an even index, corresponding to the even dimension in the position coding vector PE, 2i+1 is an odd index, corresponding to the odd dimension in the position coding vector PE, so that different dimensions can be distinguished when calculating position coding and applied to corresponding input data.

The position code dimension obtained by the above formula is the same as the input data, the input vector and the position code vector are added, namely the position code is embedded, the position information of the sequence is obtained, and the data vector with the embedded position code is input into the encoder and the decoder. Therefore, after the position codes are obtained, each sequence feature vector is embedded into the corresponding position codes and then is input into an encoder of a model, after the processing of a multi-head attention layer and a feedforward layer in the encoder, the coding feature vector corresponding to each sequence feature vector is obtained, after each coding feature vector is embedded into the corresponding position codes, the coding feature vector is input into a decoder of the model, and after the processing of a multi-head attention layer, a residual connection and layer normalization layer, a feedforward layer, a linear layer and a classification output layer which are covered in the decoder, the prediction result of each entity sequence is obtained through prediction.

Referring to fig. 8, in some embodiments, the attack recognition model is trained by the following steps, which may include steps S401 to S405:

step S401, obtaining a sample audit log of ATT & CK technical tactics;

step S402, analyzing a sample audit log, extracting a plurality of sample entities and corresponding sample events from the sample audit log, and constructing a sample causal graph by taking the sample entities as nodes and the causal relationship among the entities represented by the sample events as edges;

step S403, extracting a set of sample entities from the sample causal graph, determining a plurality of sample ATT & CK entity subsets from the set of sample entities, and converting each sample ATT & CK entity subset into a corresponding sample entity sequence according to causal relationships among the included entities, wherein at least one sample ATT & CK entity is included in the sample ATT & CK entity subset;

step S404, performing feature conversion on each sample entity sequence to obtain corresponding feature vectors of each sample sequence, sequentially inputting the feature vectors of each sample sequence into an attack recognition model, and predicting to obtain sample prediction results of each sample entity sequence;

step S405, marking sample labels for the sample entity sequences according to the conditions of the contained sample ATT & CK entities, and adjusting parameters of the attack recognition model according to the sample labels and sample prediction results to obtain the trained attack recognition model.

The sample audit log of ATT & CK technique is an example log obtained during training, and is similar to the execution audit log in the above embodiment, and only represents the model training stage, and will not be described here.

For example, after the sample audit log is obtained, the log needs to be parsed, after the parsing, the subject and the object in the log can be obtained, and the subject and the object are taken as sample entities, for example, the sample entities can be processes, files, network connections and the like, and the sample entities are taken as nodes in the causal graph when the sample causal graph is formed, and in the sample audit log, sample events represent specific operations or activities occurring in a system, a network or an application program, for example, user login, file access, process start and the like can be regarded as sample events, by analyzing the sample events, information about attacker behaviors, abnormal activities or potential security threats can be obtained, and the sample causal graph is constructed by taking sample causal relations among the entities represented by the events as edges when the causal graph is formed.

For example, before input to a model for processing, input data of the model needs to be clarified, in the embodiment of the present application, the input data of the model is a feature vector obtained according to sequence transformation, and a set of sample entities needs to be extracted first for constructing a sequence, and the set of sample entities can be obtained by extracting from a sample causal graph, and acquiring and obtaining each node in the sample causal graph.

Illustratively, after the set of sample entities is obtained, this is a total set that needs to be partitioned into multiple subsets, unlike the application process where the subsets established in the training process will contain ATT & CK entities. Specifically, in the embodiment of the present application, a plurality of sample ATT & CK entity subsets are determined from a set of sample entities, and each sample ATT & CK entity subset is converted into a corresponding sample entity sequence according to a causal relationship between the included entities, where at least one sample ATT & CK entity is included in the sample ATT & CK entity subset, that is, all of the sample ATT & CK entity subsets are sample ATT & CK entities or at least one sample ATT & CK entity is included in the sample ATT & CK entity subset.

It should be noted that, the training process may mark the sample causal graph, mark the sample ATT & CK node therein, and the sample entity extracted after marking is the sample ATT & CK entity, which is helpful for subsequent training by marking the attack behavior.

By way of example, each subset of entities is converted into corresponding each entity sequence according to the causal relationship between the included entities, and the sample ATT & CK subset of entities is converted into corresponding sample entity sequences according to the causal relationship between the entities, so that we can better understand and analyze the development process of the attack event and the relationship between the events, and the conversion process is similar to the process of converting into the entity sequence in the application process, and will not be repeated here.

After each sample entity sequence is obtained, each sample entity sequence needs to be subjected to feature conversion to obtain corresponding feature vectors of each sample sequence, and then each sample sequence feature vector is input into the attack recognition model so as to be subjected to corresponding processing by the attack recognition model. When the sample sequence feature vector is input into the model, the sample prediction result of the sample sequence feature vector can be finally output through the processing of the encoder and the decoder, wherein the sample prediction result can be used for indicating whether the sample sequence feature vector is a vector of an ATT & CK sequence or not, that is, whether each sample entity sequence can be used for indicating whether the sample entity sequence is the ATT & CK sequence or not.

It should be noted that, at least one sample ATT & CK entity is included in the sample ATT & CK entity subset in the embodiment of the present application, so that during training, the model can learn the abnormal sample better, so that in practical application, whether the input entity sequence is an ATT & CK sequence can be determined better.

Illustratively, the training process requires calculating a loss value from the prediction results and adjusting parameters of the attack recognition model. Specifically, in the embodiment of the application, a sample label is marked on a sample entity sequence according to the condition of the contained sample ATT & CK entity, that is, before the sample entity sequence is converted into a feature vector and input into a model, whether the feature vector is characterized as ATT & CK behavior or not can be known through the label, then, according to whether the sample label and a sample prediction result are the same or not, a loss value of the model can be calculated, and parameters of an attack recognition model are adjusted according to the loss value, so that a trained attack recognition model is obtained.

It should be noted that, in the embodiment of the present application, the adaptive motion estimation algorithm Adam optimizer is used for training, and the reason for using the adaptive motion estimation algorithm Adam optimizer is that the Adam gradient descent speed is relatively fast, so after each training is completed, it is determined whether the loss is greater than the previous one, if the loss is less than the previous one, the training is completed, and the specific training process is not specifically limited.

Referring to fig. 9, in some embodiments, step S403 may include steps S501 to S503:

step S501, determining at least one sample ATT & CK entity marked as ATT & CK behaviors from a set of sample entities, and constructing at least one attack subset according to the at least one sample ATT & CK entity, wherein the entities in each attack subset are sample ATT & CK entities, and at least one sample ATT & CK entity is contained in the attack subset;

step S502, determining at least one sample normal entity marked as normal behavior from a set of sample entities, and adding any at least one sample normal entity for each attack subset to form at least one normal subset;

step S503, at least one attack subset and normal subset are taken as sample ATT & CK entity subsets.

Illustratively, at least one sample ATT & CK entity is included in the sample ATT & CK entity subset, that is, either all or at least one sample ATT & CK entity is included in the sample ATT & CK entity subset. Specifically, the embodiment of the application can determine at least one sample ATT & CK entity marked as ATT & CK behavior from the collection of sample entities, and the number of the sample ATT & CK entities determined at this time can be multiple. At least one attack subset is then constructed from at least one sample ATT & CK entity, where there are a number of cases, for example, if there is one sample ATT & CK entity, only one attack subset is constructed if there are two sample ATT & CK entities, only one attack subset is constructed, or two attack subsets are formed, and if there are more than two sample ATT & CK entities, there are a number of attack subsets constructed.

Illustratively, the entities in each attack subset are sample ATT & CK entities, that is, the constructed attack subset is a set of ATT & CK entities, and at least one sample ATT & CK entity is contained in the attack subset. Furthermore, because the APT attack generally includes two associated attack entities, respectively APT organization and APT tool, there are at least two normal ATT & CK nodes or ATT & CK entities, so the attack subset constructed in the embodiment of the present application includes at least two sample ATT & CK entities.

For example, after the attack subset is constructed, the model learns the ATT & CK behaviors in the sequence through the attack subset, however, in the application process of the model, the number of nodes is large, which results in the number of normal nodes to be large, so that the number of normal sequences in the entity sequence which is subsequently constructed is very large and is far larger than the ATT & CK sequence. Therefore, in the embodiment of the application, the model is required to learn normal behaviors and can distinguish boundaries between malicious activities and non-malicious activities, so that some normal subsets are required to be formed in the embodiment of the application so as to be used for model training.

For example, the embodiment of the present application may determine at least one sample normal entity marked as normal behavior from the set of sample entities, and add any at least one sample normal entity to each attack subset to form at least one normal subset, for example, if the attack subset formed includes { P1, P2}, { P2, P3}, where the entities P1, P2, and P3 are sample ATT & CK entities and P4 is a sample normal entity, the normal subset that may be formed includes { P1, P2, P4}, { P2, P3, P4}.

Further, when adding any at least one normal entity of the sample to each attack subset, the attack subset can be split, that is, each sample ATT & CK entity can be obtained, at least one sample ATT & CK entity is randomly selected, and the at least one sample ATT & CK entity is combined with at least one normal entity of the sample to form at least one normal subset. For example, assuming there are sample entities { P1, P2, P3, P4, P5, P6} where { P1, P2, P3} is the attack sequence, the extracted attack subset is { P1, P2}, { P1, P3}, { P2, P3}, { P1, P2, P3}. When extracting the normal sequence, { P1}, { P2}, { P3}, { P1, P2}, { P1, P3}, { P2, P3}, { P1, P2, P3}, then add an entity to the aforementioned subset from three non-attacking entities { P4, P5, P6}, become { P1, P4}, { P2, P4}, and { P1, P2, P3, P4}, etc. as the normal subset of the progenitor red.

Exemplary, fig. 10 shows a schematic diagram of an extracted attack subset and a normal subset provided by an embodiment of the present application. Now, assuming that fig. 4 is a sample causal graph of the training process, fig. 10 is extracted from the sample causal graph in fig. 4, where P3 and P5 are sample ATT & CK nodes, and other nodes are sample normal nodes, { P5, P3} is extracted as an attack subset, where P5 performs a T1 read operation on P3, so that { P5, P1}, { P4, P5} and { P3, P2} in the subset may be extracted as normal subsets, and the normal subsets are also arranged according to the causal relationship of the performed actions, which will not be described herein.

For example, the normal entities of the samples in the normal subset may be added randomly, and during training, each normal entity of the samples may be added singly or in combination to form the normal subset, which is not limited in particular.

The normal subset further includes a full normal subset, that is, all sample entities in the subset are sample normal entities, and the attack subset added with the sample ATT & CK entities is a partial normal subset, and the full normal subset can be put into the model for training during training, so that the model can learn normal behaviors.

Referring to fig. 11, in some embodiments, step S404 may include steps S601 to S602:

step S601, if the ratio of the number of the subsets between the normal subset and the attack subset is greater than a preset threshold, performing oversampling processing on the sample sequence feature vectors to increase the number of the sample sequence feature vectors corresponding to the attack subset, or performing undersampling processing on the sample sequence feature vectors to reduce the number of the sample sequence feature vectors corresponding to the normal subset;

step S602, sequentially inputting feature vectors of each sample sequence after the over-sampling or under-sampling processing into the attack recognition model.

Fig. 12 is a schematic diagram illustrating a training stage data processing process according to an embodiment of the present application, in which a sample audit log is required to be processed to construct a sample causal graph, extract a sequence, and then perform morphological reduction and word embedding, and balance data before sample data is input into an attack recognition model for training.

Illustratively, based on the above embodiments, the number of sample normal entities will be much greater than the number of sample ATT & CK entities, then the number of normal subsets established will also be much greater than the number of attack subsets, the number of collected ATT & CK samples must be much less than the number of normal samples, and the model trained using such samples will be biased towards normal samples. Therefore, the embodiment of the application needs to balance the number between the normal samples and the ATT & CK samples, and considers that the normal samples are far larger than the ATT & CK samples when the ratio of the number of the subsets between the normal subset and the attack subset is larger than a preset threshold value, so that data balance operation is needed.

By way of example, in the embodiment of the present application, data balancing is achieved by employing Over-sampling (Over-sampling) and Under-sampling (undersampling) processes, which are both common methods for processing unbalanced data sets, so as to solve the problem of large sample number differences between classes.

Specifically, during the process of oversampling, the embodiment of the application can use the synthetic minority oversampling technology to artificially sample ATT by minority oversampling (Synthetic Minority Over-sampling Technique, SMOTE)&CK samples are oversampled, which is a method of synthesizing minority samples, by interpolating minority samples to generate new synthesized samples, thereby expanding the number of minority samples. Wherein, ATT&The CK sample is a minority sample, and the Euclidean distance is calculated for each sample of the minority sample to the distances of all samples in the minority sample set, so that k-neighborhood is obtained. Then setting a sampling ratio N according to the sample unbalance rate, randomly selecting a plurality of samples from k adjacent samples of a few classes x, and then setting the newly constructed samples asWherein x is _new Is balanced ATT&CK sample,/->For the average of all samples, rand (0, 1) is used to generate a random number between 0 and 1, and the oversampling operation is performed until the number of minority samples and majority samples are balanced.

Specifically, the undersampling balances the data set by reducing the number of the majority samples, wherein the majority samples are samples of a normal subset, and the undersampling can be performed by adopting a mode of randomly deleting the majority samples, a clustering center (Cluster Centroids) and the like in the embodiment of the application. The random deletion of the majority class samples is simply to randomly delete the majority class samples so that the number of the majority class samples is close to that of the minority class samples. The clustering center may cluster a plurality of classes of samples into fewer clusters by a clustering algorithm, and then select one sample from each cluster as a representation, ultimately generating a new undersampled dataset.

It should be noted that, in the embodiment of the present application, each sample sequence feature vector after the oversampling or undersampling process may be sequentially used as sample data input into the attack recognition model. Moreover, the embodiment of the application can combine two methods, such as oversampling few types of samples and undersampling most types of samples, so as to obtain a better balance effect, and integrate the feature vectors of each sample sequence after the oversampling and undersampling processes as sample data input into an attack recognition model.

Referring to fig. 13, in some embodiments, step S402 may include steps S701 to S702:

Step S701, constructing an initial causal graph by taking sample entities as nodes and causal relations among the entities characterized by sample events as edges;

step S702, cleaning and sorting nodes and edges in the initial causal graph to obtain a sample causal graph.

In the embodiment of the application, in the process of converting the audit logs into the causal graph, the causal graph is required to be cleaned and tidied because the number of nodes in the massive audit logs is very large during training. Specifically, first, a sample entity is taken as a node, causal relations among entities represented by sample events are taken as edges to construct an initial causal graph, the initial causal graph is not cleaned and tidied, and some useless nodes and edges exist, and then the nodes and edges in the initial causal graph are cleaned and tidied to obtain a cleaned sample causal graph.

It should be noted that, through the cleaning and arrangement of the nodes and the edges, the complexity of the causal graph can be greatly reduced, the graph is more concise and clear, unnecessary details and noise are reduced, the accuracy and consistency of data are ensured, the analysis and understanding of the whole situation are convenient, and meanwhile, the learning effect of the model can be improved, so that the model can pay attention to the nodes and the edges related to the security threat better.

For example, in embodiments of the present application, various cleaning and finishing means are provided, referring to fig. 14, in some embodiments, step S702 may include steps S801 to S803:

step S801, determining sample ATT & CK nodes marked as ATT & CK behaviors in an initial causal graph and sample normal nodes marked as normal behaviors, deleting sample normal nodes and corresponding edges, which cannot reach the sample ATT & CK nodes, in the initial causal graph, and obtaining a sample causal graph;

step S802, determining repeated edges between any two nodes in the initial causal graph, and deleting the repeated edges to obtain a sample causal graph;

step S803, determining different nodes of the same type of event in the initial causal graph, merging the different nodes into the same node, and reserving the same input and output edges to obtain the sample causal graph.

By way of example, in the embodiment of the application, edges and nodes which cannot be reached by the ATT & CK node can be eliminated in model learning, first, sample ATT & CK nodes marked as ATT & CK behaviors in an initial causal graph and sample normal nodes marked as normal behaviors are required to be determined according to the marked condition, then, sample normal nodes and corresponding edges which cannot reach the sample ATT & CK nodes in the initial sample graph are searched for and deleted, and thus, the sample causal graph is obtained.

By way of example, in the embodiment of the present application, repeated edges between any two nodes in the initial causal graph may be determined, which mainly refers to that the same entity repeatedly performs operations on another entity, such as repeated reading, repeated writing, and the like, and the repeated edges are deleted, so as to obtain the sample causal graph.

In an exemplary embodiment of the present application, different nodes of the same type of event in the initial causal graph, that is, the input node and the output node are the same, are combined into the same node, and the same input and output edges are reserved, so as to obtain the sample causal graph.

FIG. 3 is a schematic diagram of an initial causal graph provided by an embodiment of the present application. In the figure, 9 nodes including nodes P1, P2, P3, P4, P5, P6, P7, P8 and P9 are arranged, P9 is a sample ATT & CK node, P1 performs T1 read operation on P4, P1 performs T2 read operation on P2, P2 performs T3 write operation on P3, P4 performs T4 binding operation on P5, P4 performs T5 binding operation on P6, P4 performs T6 binding operation on P7, P5 performs T7 sending operation on P8, P6 performs T8 sending operation on P8, P7 performs T9 sending operation on P8, P1 performs T10 read operation on P4, and P8 performs T11 operation on P9, wherein T represents different moments.

Illustratively, according to the above steps, edges and nodes which are not reachable by the ATT & CK node are eliminated in model learning, such as deleting nodes P2 and P3 and deleting edges at times T2 and T3; secondly, deleting all repeated edges, wherein the timestamp uses the earliest representation, and the node P1 is read from the node P4 at the time T1 and the time T10, and the node P1 is read from the node P4 at the time T1, wherein the operation of repeatedly reading from one entity to another entity, such as repeated reading, repeated writing, and the like, is mainly referred to as the combination; in addition, if the same type of event is different nodes, such as nodes P5, P6 and P7, i.e. the input node and the output node are the same, they are also combined into one node, the same input and output are reserved, and after cleaning and sorting, the obtained sample causal graph is shown in fig. 15, and fig. 15 shows a schematic diagram of the cleaned and sorted sample causal graph provided by the embodiment of the present application.

Furthermore, in the application process, the causal graph can be cleaned and arranged, and finally the entity set is extracted according to the cleaned and arranged causal graph, or the traceability graph is formed according to the cleaned and arranged causal graph conversion, and the embodiment of the application is not particularly limited.

Referring to fig. 16, in some embodiments, step S104 may further include steps S901 to S903:

step S901, acquiring a preset name mapping table;

step S902, mapping entity names in each entity sequence into a name mapping table, redefining the entity names in each entity sequence according to the mapping result of the name mapping table, and determining the entity sequence with the morphology restored according to the redetermined entity names;

and step S903, performing feature conversion on each entity sequence after morphological reduction to obtain corresponding feature vectors of each sequence.

Illustratively, as shown in FIG. 12, after a sequence is extracted, a morphological reduction of the sequence is required. An entity is typically a process or a file, in which the process is actually a file that is executed, so that there is a path for the process when describing the process, for example, we open an icon that software a is double-click a, and in which it is actually C_ser\desktop\a.exe, the code and data loaded by this file is loaded into memory, which is sought by an absolute path or a relative path. Therefore, the morphological restoration is to reduce the complexity of detection, and different names are uniformly mapped into the same name mapping table.

The name mapping table is a table pre-established in the embodiment of the application and used for performing morphological restoration, and the name mapping table is divided into three major classes of processes, files and events, wherein each major class is divided into a plurality of minor classes. For example:

the process comprises the following steps: system processes (system_process), library processes (lib_process), program processes (program_process), and user processes (user_process);

the file includes: system file (system_file), library file (lib_file), program file (program_file), user file (user_file), and combined file (combined_files);

the actions include: read, write, delete, execute, fork, request, reference, bind, receive, send, connect, ip connect, session connect, and resolve.

These types include almost all audit log events, sufficient to capture the context, semantic and syntactic similarity of entities in the causal graph, and relationships to other words. Therefore, it is necessary to map the entity names in each entity sequence to a name mapping table, redetermine the entity names in each entity sequence according to the mapping result of the name mapping table, determine the entity sequence after morphological restoration according to the redetermined entity names, and finally perform feature conversion on each entity sequence after morphological restoration to obtain the corresponding feature vector of each sequence.

For example, in the embodiment of the present application, each sequence is parsed, the entity names corresponding to the entities are found, and they are mapped to the corresponding vocabulary. For example, if an entity sequence generated as described above is: < C: \Windows\System32\cmd.exe, execution, C:_ser\desktop\engine >, which includes three entities, namely entity C: \Windows\System32\cmd exe, entity execution and entity C:_ser\desktop\engine, after conversion, the lexically reduced entity sequence is < system_process, execution, user_file >. If the results after mapping are the same, the actions are considered to be similar, and repeated sequences can be discarded.

By way of example, word shape reduction and word embedding are also required at the application stage in the embodiment of the present application, and the present application is not limited in particular.

Referring to fig. 17, in some embodiments, step S105 may further include steps S1001 to S1003:

step S1001, configuring corresponding weights for each edge according to causal relation or path length between nodes in the causal graph;

step S1002, selecting an ATT & CK node where any one ATT & CK entity is located as an initial node, selecting an ATT & CK node where any other ATT & CK entity is located as a target node, acquiring a shortest path between the initial node and the target node based on weight through a Di Jie St algorithm, and taking the shortest path as the target path;

Step S1003, reserving ATT & CK nodes and edges on the target path in the causal graph, deleting nodes and edges outside the target path, and taking the processed causal graph as the reconstructed attack traceability graph.

Illustratively, in the embodiment of the present application, a Dijkstra algorithm with a custom weight is used to find the shortest path from each ATT & CK node to an ATT & CK node that does not pass through, and the shortest path is used as the final target path.

Specifically, each ATT & CK node is used as a node in the graph, the connection between the nodes represents different association relations, and in the embodiment of the application, a directed weighted graph is constructed by configuring a corresponding weight for each edge according to the causal relation or path length between the nodes in the causal graph. Then, selecting any ATT & CK node where any ATT & CK entity is located as an initial node, selecting any ATT & CK node where another ATT & CK entity is located as a target node, acquiring the shortest path between the initial node and the target node based on weight through a Di Jie St-Law algorithm, and taking the shortest path as the target path. Finally, each entity ATT & CK entity needs to be linked to be the final output of the embodiment of the application, which can keep ATT & CK nodes and edges on the target path in the causal graph, delete nodes and edges outside the target path and take the processed causal graph as the reconstructed attack traceability graph.

Fig. 18 is a schematic diagram illustrating a complete flow of attack detection provided by the embodiment of the present application, in an application process, an audit log is executed, a causal graph is constructed after processing, a sequence is extracted, then after word shape reduction and word embedding, data is input into a trained attack recognition model for processing, and finally, nodes 1, 3, 5 and 8 in the graph can be determined to be ATT & CK nodes, so that the ATT & CK nodes and edges on a target path can be finally reserved, nodes and edges outside the target path are deleted, and the processed causal graph is used as a reconstructed attack tracing graph, thereby obtaining a final pruning result.

Fig. 19 is an optional flowchart of a training method of an attack recognition model according to an embodiment of the present application, where the method in fig. 2 may include, but is not limited to, steps S1101 to S1105.

Step S1101, obtaining a sample audit log of ATT & CK technical tactics;

step S1102, analyzing a sample audit log, extracting a plurality of sample entities and corresponding sample events from the sample audit log, and constructing a sample causal graph by taking the sample entities as nodes and the causal relationship among the entities represented by the sample events as edges;

Step S1103, extracting a set of sample entities from the sample causal graph, determining a plurality of sample ATT & CK entity subsets from the set of sample entities, and converting each sample ATT & CK entity subset into a corresponding each sample entity sequence according to causal relationships between the included entities, wherein at least one sample ATT & CK entity is included in the sample ATT & CK entity subsets;

step S1104, performing feature conversion on each sample entity sequence to obtain corresponding feature vectors of each sample sequence, sequentially inputting the feature vectors of each sample sequence into an attack recognition model, and predicting to obtain sample prediction results of each sample entity sequence;

step S1105, marking sample labels for the sample entity sequences according to the conditions of the contained sample ATT & CK entities, and adjusting parameters of the attack recognition model according to the sample labels and sample prediction results to obtain the trained attack recognition model.

Referring to fig. 20, the embodiment of the present application further provides a network attack reconstruction device, which may implement the above network attack reconstruction method, where the network attack reconstruction device includes:

a log obtaining module 2001, configured to obtain an audit log of execution of the ATT & CK technical tactics;

the causal graph construction module 2002 is configured to parse an execution audit log, extract a plurality of entities and corresponding events from the execution audit log, and construct a causal graph with the entities as nodes and the causal relationships between the entities represented by the events as edges;

the sequence extracting module 2003 is used for extracting a set of entities, dividing the set of entities into a plurality of entity subsets, and converting each entity subset into corresponding each entity sequence according to the causal relationship among the included entities;

the model prediction module 2004 is configured to perform feature conversion on each entity sequence to obtain corresponding feature vectors of each sequence, and input each feature vector of each sequence into a pre-trained attack recognition model, and predict to obtain a prediction result of each entity sequence;

the attack reconstruction module 2005 is configured to determine, according to a prediction result, an entity sequence marked as an ATT & CK behavior as a target sequence, determine that an entity in the target sequence is an ATT & CK entity, determine a target path between ATT & CK nodes where the ATT & CK entity is located in a causal graph, and convert the causal graph into a reconstructed attack tracing graph according to the target path and the ATT & CK nodes.

The network attack reconstruction device may execute the above network attack reconstruction method, and complete the construction of the attack tracing graph by acquiring the execution audit log of the ATT & CK technical tactics, where the entity extracted from the execution audit log is first required to be used as a node and an event to construct a causal graph, and the causal graph contains a large number of normal nodes, and is not determined which are ATT & CK nodes, and cannot be used as a final tracing graph, and further processing is required. Therefore, the embodiment of the application needs to extract the entity set, divide the entity set to obtain a plurality of entity subsets, convert the causal relationship among the entities contained in each entity subset to obtain corresponding entity sequences, contain different nodes through the sequences to process models, then input each entity sequence into a pre-trained attack recognition model after converting the characteristics of each entity sequence, predict to obtain the predicted result of each entity sequence, and then judge whether the entity in the sequence is an ATT & CK entity through the models, wherein the node corresponding to the ATT & CK entity is an ATT & CK node, so that the target path among the ATT & CK nodes can be determined in the causal graph, and finally convert the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK node. The embodiment of the application can complete the construction of the attack traceability graph only by acquiring the execution audit log of the ATT & CK technical tactics without adding extra workload, and can accurately determine the ATT & CK entity and the node and complete the construction of the attack traceability graph by storing the entity in the entity sequence to determine the attack sequence through the attack identification model, so that the embodiment of the application can improve the efficiency and the quality of network attack reconstruction.

The specific implementation of the network attack reconstruction device is basically the same as the specific embodiment of the network attack reconstruction method, and is not described herein. On the premise of meeting the requirements of the embodiment of the application, the network attack reconstruction device can also be provided with other functional modules so as to realize the network attack reconstruction method in the embodiment.

The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the network attack reconstruction method when executing the computer program. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.

Referring to fig. 21, fig. 21 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:

the processor 2101 may be implemented by a general purpose CPU (central processing unit), a microprocessor, an application specific integrated circuit (ApplicationSpecificIntegratedCircuit, ASIC), or one or more integrated circuits, etc. for executing related programs to implement the technical solution provided by the embodiments of the present application;

memory 2102 may be implemented in the form of read-only memory (ReadOnlyMemory, ROM), static storage, dynamic storage, or random access memory (RandomAccessMemory, RAM), among others. The memory 2102 may store an operating system and other application programs, and when the technical solution provided in the embodiments of the present disclosure is implemented by software or firmware, relevant program codes are stored in the memory 2102, and the processor 2101 invokes a training method for executing the network attack reconstruction method or the attack recognition model according to the embodiments of the present disclosure;

An input/output interface 2103 for implementing information input and output;

the communication interface 2104 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g., USB, network cable, etc.), or may implement communication in a wireless manner (e.g., mobile network, WIFI, bluetooth, etc.);

a bus 2105 for transferring information between components of the device (e.g., the processor 2101, memory 2102, input/output interfaces 2103, and communication interfaces 2104);

wherein the processor 2101, memory 2102, input/output interface 2103 and communication interface 2104 enable communication connections within the device between each other via bus 2105.

The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program which realizes the network attack reconstruction method or the training method of the attack recognition model when being executed by a processor.

The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.

It will be appreciated by persons skilled in the art that the embodiments of the application are not limited by the illustrations, and that more or fewer steps than those shown may be included, or certain steps may be combined, or different steps may be included.

The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

Those of ordinary skill in the art will appreciate that all or some of the steps, apparatus, functional modules/units in the devices, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.

The terms "first," "second," "third," "fourth," and the like in the description of the application and in the above figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or device.

It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "and/or" for describing the association relationship of the association object, the representation may have three relationships, for example, "a and/or B" may represent: only a, only B and both a and B are present, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.

In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another apparatus, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.

The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing a program.

The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and are not thereby limiting the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims

1. A method for reconstructing a network attack, the method comprising:

acquiring an execution audit log of ATT & CK technical tactics;

analyzing the execution audit log, extracting a plurality of entities and corresponding events from the execution audit log, and constructing a causal graph by taking the entities as nodes and the causal relationship among the entities represented by the events as edges;

extracting the entity set, dividing the entity set into a plurality of entity subsets, and converting each entity subset into a corresponding entity sequence according to the causal relationship among the included entities;

performing feature conversion on each entity sequence to obtain corresponding sequence feature vectors, inputting each sequence feature vector into a pre-trained attack recognition model, and predicting to obtain a prediction result of each entity sequence;

determining the entity sequence marked as the ATT & CK action as a target sequence according to the prediction result, determining the entity in the target sequence as an ATT & CK entity, determining a target path between ATT & CK nodes where the ATT & CK entity is located in the causal graph, and converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes.

2. The network attack reconstruction method according to claim 1, wherein the extracting the set of entities, dividing into a plurality of entity subsets according to the set of entities, includes:

extracting a set of entities from the causal graph, wherein the set of entities comprises all the entities in the causal graph;

and selecting any at least two entities from the entity set, and forming an entity subset by the selected any at least two entities to obtain a plurality of entity subsets.

3. The network attack reconstruction method according to claim 1, wherein the attack recognition model is provided with an encoder and a decoder;

inputting each sequence feature vector into a pre-trained attack recognition model, and predicting to obtain a predicted result of each entity sequence, wherein the method comprises the following steps:

acquiring position information of each sequence feature vector in a sequence and model dimensions of the attack recognition model, establishing dimension indexes for each sequence feature vector, and calculating position codes of each sequence feature vector through the position information, the model dimensions and the dimension indexes;

Embedding each sequence feature vector into the corresponding position code, inputting the sequence feature vector into the encoder of the model, and obtaining the code feature vector corresponding to each sequence feature vector after the processing of a multi-head attention layer and a feedforward layer in the encoder;

and after the coding feature vectors are embedded into the corresponding position codes, inputting the position codes into the decoder of the model, and predicting to obtain a prediction result of each entity sequence after processing of a multi-head attention layer, a residual connection and layer normalization layer, a feedforward layer, a linear layer and a classification output layer which are covered in the decoder.

4. A network attack reconstruction method according to claim 1 or 3, wherein the attack recognition model is trained by the steps of:

acquiring a sample audit log of ATT & CK technical tactics;

analyzing the sample audit log, extracting a plurality of sample entities and corresponding sample events from the sample audit log, and constructing a sample causal graph by taking the sample entities as nodes and the causal relationship among the entities represented by the sample events as edges;

extracting a set of sample entities from the sample causal graph, determining a plurality of sample ATT & CK entity subsets from the set of sample entities, and converting each sample ATT & CK entity subset into corresponding each sample entity sequence according to causal relation among contained entities, wherein at least one sample ATT & CK entity is included in the sample ATT & CK entity subset;

Performing feature conversion on each sample entity sequence to obtain corresponding feature vectors of each sample sequence, sequentially inputting the feature vectors of each sample sequence into the attack recognition model, and predicting to obtain sample prediction results of each sample entity sequence;

marking sample labels for the sample entity sequences according to the included sample ATT & CK entity conditions, and adjusting parameters of the attack recognition model according to the sample labels and the sample prediction results to obtain the trained attack recognition model.

5. The method of claim 4, wherein said determining a plurality of sample ATT & CK entity subsets from said set of sample entities comprises:

determining at least one sample ATT & CK entity marked as ATT & CK behaviour from the set of sample entities and constructing at least one attack subset from at least one sample ATT & CK entity, wherein the entities in each attack subset are the sample ATT & CK entities and at least one of the sample ATT & CK entities is contained in the attack subset;

determining at least one sample normal entity marked as normal behavior from the set of sample entities, and adding any at least one sample normal entity for each attack subset to form at least one normal subset;

At least one of the attack subset and the normal subset is taken as a sample ATT & CK entity subset.

6. The network attack reconstruction method according to claim 5, wherein said sequentially inputting each of the sample sequence feature vectors into the attack recognition model comprises:

if the ratio of the number of the subsets between the normal subset and the attack subset is greater than a preset threshold, performing oversampling processing on the sample sequence feature vectors to increase the number of the sample sequence feature vectors corresponding to the attack subset, or performing undersampling processing on the sample sequence feature vectors to reduce the number of the sample sequence feature vectors corresponding to the normal subset;

and sequentially inputting the feature vectors of the sample sequences after the over-sampling or under-sampling treatment into the attack recognition model.

7. The method of claim 4, wherein constructing a sample causal graph with the sample entities as nodes and causal relationships between the entities characterized by the sample events as edges comprises:

constructing an initial causal graph by taking the sample entities as nodes and the causal relations among the entities characterized by the sample events as edges;

And cleaning and sorting nodes and edges in the initial causal graph to obtain a sample causal graph.

8. The method for reconstructing network attacks according to claim 7, wherein the step of cleaning and sorting nodes and edges in the initial causal graph to obtain a sample causal graph comprises:

determining a sample ATT & CK node marked as ATT & CK behaviors in the initial causal graph and a sample normal node marked as normal behaviors, deleting the sample normal node and a corresponding edge, which cannot reach the sample ATT & CK node, in the initial sample graph, and obtaining a sample causal graph;

determining repeated edges between any two nodes in the initial causal graph, and deleting the repeated edges to obtain the sample causal graph;

and determining different nodes of the same type of event in the initial causal graph, merging the different nodes into the same node, and reserving the same input and output edges to obtain the sample causal graph.

9. The method for reconstructing network attack according to claim 1, wherein said performing feature transformation on each of the entity sequences to obtain corresponding feature vectors of each sequence includes:

acquiring a preset name mapping table;

Mapping entity names in each entity sequence into the name mapping table, redefining the entity names in each entity sequence according to the mapping result of the name mapping table, and determining the entity sequence with the morphology restored according to the redetermined entity names;

and performing feature conversion on each entity sequence after morphological reduction to obtain corresponding feature vectors of each sequence.

10. The network attack reconstruction method according to claim 1, wherein the determining a target path between ATT & CK nodes where the ATT & CK entity is located in the causal graph, and converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes, includes:

configuring corresponding weights for each edge according to the causal relation or path length between nodes in the causal graph;

selecting any ATT & CK node where any ATT & CK entity is located as an initial node, selecting any ATT & CK node where another ATT & CK entity is located as a target node, acquiring the shortest path between the initial node and the target node through a Di Jie St-Lag algorithm based on the weight, and taking the shortest path as a target path;

And reserving the ATT & CK nodes and the nodes and edges on the target path in the causal graph, deleting the nodes and edges outside the target path, and taking the processed causal graph as a reconstructed attack traceability graph.

11. A method for training an attack recognition model, the method comprising:

acquiring a sample audit log of ATT & CK technical tactics;

performing feature conversion on each sample entity sequence to obtain corresponding feature vectors of each sample sequence, sequentially inputting the feature vectors of each sample sequence into an attack recognition model, and predicting to obtain sample prediction results of each sample entity sequence;

12. A network attack reconstruction device, the device comprising:

the log acquisition module is used for acquiring an execution audit log of the ATT & CK technical strategy;

the causal graph construction module is used for analyzing the execution audit log, extracting a plurality of entities and corresponding events from the execution audit log, and constructing a causal graph by taking the entities as nodes and the causal relationship among the entities represented by the events as edges;

the sequence extraction module is used for extracting the set of the entities, dividing the set of the entities into a plurality of entity subsets, and converting each entity subset into corresponding each entity sequence according to the contained causal relationship among the entities;

the model prediction module is used for carrying out feature conversion on each entity sequence to obtain corresponding sequence feature vectors, inputting each sequence feature vector into a pre-trained attack recognition model, and predicting to obtain a prediction result of each entity sequence;

And the attack reconstruction module is used for determining the entity sequence marked as the ATT & CK action as a target sequence according to the prediction result, determining the entity in the target sequence as an ATT & CK entity, determining a target path between ATT & CK nodes where the ATT & CK entity is located in the causal graph, and converting the causal graph into a reconstructed attack traceability graph according to the target path and the ATT & CK nodes.

13. An electronic device comprising a memory and a processor, the memory storing a computer program, the processor implementing the network attack reconstruction method according to any one of claims 1 to 10 or the training method of the attack identification model according to claim 11 when the computer program is executed.

14. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the network attack reconstruction method according to any one of claims 1 to 10 or implements the training method of the attack identification model according to claim 11.