CN116915450A - Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction - Google Patents


Info

Publication number: CN116915450A
Authority: CN (China)
Prior art keywords: attack, network, data, node, pruning
Legal status: Pending
Application number: CN202310794173.4A
Other languages: Chinese (zh)
Inventors: 王一川, 冯艳花, 王鹤, 黑新宏, 姬文江, 朱磊
Current assignee: Xian University of Technology
Original assignee: Xian University of Technology
Application filed by Xian University of Technology, priority to CN202310794173.4A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/082 Learning methods modifying the architecture, e.g. adding, deleting or silencing nodes or connections
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, which comprises the following steps: step 1, defining the data-flow five-tuple, the nodes of the topological graph and the attributes of its directed edges; step 2, preprocessing the Pcap packets and constructing from the resulting data set an initial network topology graph G_start of the whole attack process; step 3, providing a model that combines a convolutional neural network with a decision tree; step 4, identifying the attack type with the convolutional neural network of step 3 and pruning accordingly, pruning edges whose attack type and attack mode do not match as the second pruning, pruning a third time on the basis of the time-sequence relationship between the steps of a multi-step attack, and taking the graph that remains after pruning as the reconstructed, simplified multi-step network attack scene. With the invention an initial attack scene is obtained through topology association analysis, a large amount of redundant information is then removed, and finally the most simplified topological graph that is closest to the real attack scene is constructed.

Description

Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction
Technical Field
The invention relates to the technical field of network security, in particular to a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction.
Background
In recent years, with the global spread of the internet, personal information has become ever more closely tied to the network. At the same time, the rapid development of information technology has made network security problems more prominent. Attack techniques are increasingly complex; hacking, viruses and Trojan horses, fraud and similar phenomena emerge without end, network attack events occur continuously, attack modes are more varied, attacks are more concealed and more harmful, and they are harder to discover and prevent. Protecting systems and data has therefore become a problem that businesses and individuals must face and solve.
A malicious attacker typically combines multiple steps, multiple vulnerabilities and multiple attack methods to penetrate the target system and reach the goal of stealing data, controlling the system or damaging services. Such an attack is more complex and harder to discover than a single-step attack, is difficult for traditional single-point security measures to handle, and is therefore more threatening. According to the Symantec Internet Security Threat Report, the number of network attack organizations in 2019 showed a 25% increase compared with 2018; these organizations are highly organized and planned, and their attack steps are clear.
In addition, according to the 2021 global Advanced Persistent Threat (APT) research report of 360 Security, the global APT situation remained serious and the number of reported APT attacks increased significantly compared with the previous year. By the end of the first half of the year, 492 APT attack reports had been published worldwide, 90 of which involved APT organizations, and the number of newly disclosed organizations reached 17; both the number of reports and the number of organizations exceeded the previous year. The number of APT attacks has been increasing year by year, and many targets are subjected to multi-level, staged attacks using diversified means, which makes them hard to detect. Research on security situation awareness methods such as abnormal-event exploration, attack-event identification and planned-attack prediction is therefore extremely necessary and plays an important role in suppressing complex and diverse forms of network attack.
Denial-of-service attacks are a typical class of multi-step network attack event in which the attack proceeds in several steps. The distributed denial-of-service attack (DDoS) is a special form of the denial-of-service attack (DoS); because of its high success rate, short duration, high destructiveness and the flexible, changeable techniques available to the attacker, DDoS has become the most common form of attack today. According to the Kaspersky Lab DDoS attack report for the third quarter of 2022, the three most common DDoS types in that quarter were still the UDP flood, the SYN flood and the TCP flood. Unlike before, the share of UDP floods dropped from 62.53% to 51.84%; in contrast, the second most common type, the SYN flood, increased its share to 26.96%; the share of TCP floods fluctuated by more than 4 percentage points, reached 15.73% and remained stable in third place; GRE floods and HTTP floods accounted for 3.70% and 1.77% of all attacks respectively.
A network attack is often carried out gradually through several nodes. A multi-step network attack is more lethal and destructive than a traditional single-step attack because it has more stages, is highly concealed, and uses flexible and changeable means. However, most conventional intrusion detection systems can only identify single-step network attacks and cannot capture a complete attack chain. In addition, conventional methods for handling multi-step attacks focus on directly correlating the alarms extracted from the intrusion detection system; those alarms depend largely on manually written rules, produce many false alarms, and therefore cannot accurately reconstruct the whole multi-step network attack scene.
In view of these problems, this document takes the multi-step network attack as its research object, discusses how to identify and prune a multi-step network attack scene, and provides a topology pruning optimization method based on multi-step network attack identification and scene reconstruction. The multi-step attack scene is finally reconstructed to obtain a simplified multi-step attack chain.
Disclosure of Invention
The invention provides a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, which solves the problems that existing intrusion detection systems cannot recognize multi-step network attacks and cannot capture a complete attack chain.
The invention discloses a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, which is implemented according to the following steps:
step 1, defining the data-flow five-tuple, the topological graph nodes and the attributes of the directed edges;
step 2, preprocessing the Pcap packets, where preprocessing comprises extracting the data-flow packets and reshaping them into a data-flow tensor, producing a two-dimensional tensor (the data set), and constructing from that data set an initial network topology graph G_start of the whole attack process;
step 3, providing a model based on a convolutional neural network and a decision tree, named the CTree model;
step 4, identifying the attack type with the convolutional neural network of step 3 and pruning normal traffic a first time; obtaining the attack mode of each data flow with the CTree model of step 3 and pruning flows whose attack type and attack mode do not match a second time; pruning a third time on the basis of the time-sequence relationship between the steps of the multi-step attack; the graph that remains after pruning is the reconstructed, simplified multi-step network attack scene;
the step 1 is specifically implemented according to the following steps:
step 1.1, defining a directed graph G = (V, E), where G is the network state graph, V is the set of nodes (hosts) in the network and E is the set of directed edges between hosts; nodes and directed edges are unique, and nodes are distinguished by IP address;
step 1.2, defining the data-stream five-tuple: the network data set is processed according to the five-tuple (host_s, port_s, host_e, port_e, protocol), i.e. all packets exchanged between two hosts on two fixed ports are grouped into one stream according to the five-tuple; host_s is the source IP address, host_e the destination IP address, port_s the source port, port_e the destination port and protocol the communication protocol used;
Table 1. Attributes of nodes and edges in the directed graph, with their detailed description
The step 2 is specifically implemented according to the following steps:
step 2.1, selecting the data set: the model is trained on the original DARPA 1999 data set and tested on the DARPA 2000 data set with attack-free data added; the DARPA 1999 data set contains 5 attack types, each attack type contains several different attack modes, and there are 55 attack modes in total;
step 2.2, data preprocessing: converting the hexadecimal data of each packet into decimal numbers, starting from the Tcpdump-format packets provided by the DARPA data sets;
step 2.3, data preprocessing: extracting a fixed-length data stream from the network packets and converting its format and dimensions so that it becomes a two-dimensional tensor of uniform size suitable as input to the neural network model;
step 2.4, constructing an initial network topology graph G_start of the whole attack process from the data flows partitioned by five-tuple in step 2.3;
Table 2. Attack types and their corresponding attack modes
The step 3 is specifically implemented according to the following steps:
step 3.1, automatically extracting hidden features in the data tensor by using a convolutional neural network technology, and classifying attack types through the hidden features;
step 3.2, constructing a decision tree based on convolutional neural network technology for further attack evaluation;
the step 4 is specifically implemented according to the following steps:
step 4.1, the input of the algorithm is the initial network topology graph G_start of step 2.4 and its output is the topology graph G_end reconstructed for the attack scene;
step 4.2, finding all nodes of the initial network topology graph G_start whose in-degree is zero and storing them in a root node list root;
step 4.3, traversing every node in the root node list root and applying the pruning operation, i.e. deleting edges that start at the current node, in the initial network topology graph G_start; the graph displayed after the pruning operation is the attack-scene reconstruction topology graph G_end.
Preferably, the step 2.3 specifically includes:
(1) dividing the network packets into individual streams by five-tuple, where each stream consists of n packets, Package 1 to Package n; m bytes are extracted from each packet, starting at the 16th byte, which removes the interfering information of the data-link-layer MAC addresses and the network-layer version number and keeps only the important header information and the remaining payload;
(2) packets whose length is smaller than m+16 bytes are zero-padded, and packets whose length is larger than m+16 bytes are truncated;
(3) the results of step (2) are concatenated, i.e. the n packets are joined head to tail into a data stream of n×m bytes;
(4) finally, the n×m-byte tensor is reshaped into an h×h two-dimensional tensor for input to the neural network.
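The following is an added example, not code from the patent, that implements the five-tuple grouping of step 1.2 and the preprocessing of steps 2.2 and 2.3 in plain Python: packets are grouped by (host_s, port_s, host_e, port_e, protocol), m bytes are taken from each packet starting at byte 16 with zero-padding or truncation, n packets are concatenated head to tail, and the n×m bytes are reshaped into an h×h tensor of decimal values. The packet records, the values n = 4, m = 16, h = 8, and the handling of a flow with fewer than n packets (padded with all-zero packets) are assumptions of this example, not values given on the page.

```python
# Added example (not the patent's code): five-tuple grouping and fixed-length
# tensor construction for one data flow.  Packet bytes and the constants are
# constructed for illustration; n * m must equal h * h for a lossless reshape.

HEADER_SKIP = 16  # extraction starts at the 16th byte (skips MAC addresses / IP version field)


def flow_key(pkt):
    """Five-tuple (host_s, port_s, host_e, port_e, protocol) that identifies one stream."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def group_flows(packets):
    """Step 1.2 / 2.3 (1): collect the raw bytes of every packet under its five-tuple."""
    flows = {}
    for pkt in packets:
        flows.setdefault(flow_key(pkt), []).append(pkt["raw"])
    return flows


def fixed_length_payload(raw, m, skip=HEADER_SKIP):
    """Step 2.3 (1)-(2): m bytes from byte `skip`; zero-pad short packets, truncate long ones."""
    body = raw[skip:skip + m]
    return body + b"\x00" * (m - len(body))


def flow_to_tensor(raw_packets, n, m, h):
    """Step 2.3 (3)-(4) plus the hex-to-decimal conversion of step 2.2."""
    if n * m != h * h:
        raise ValueError("n * m must equal h * h")
    pkts = list(raw_packets[:n])
    pkts += [b""] * (n - len(pkts))  # assumption: short flows are padded with empty packets
    stream = b"".join(fixed_length_payload(p, m) for p in pkts)  # n * m bytes, head to tail
    values = list(stream)  # each byte becomes a decimal integer 0..255
    return [values[r * h:(r + 1) * h] for r in range(h)]


def preprocess(packets, n=4, m=16, h=8):
    """Whole data set: one h x h tensor per five-tuple flow."""
    return {key: flow_to_tensor(raws, n, m, h) for key, raws in group_flows(packets).items()}


# Constructed packets: 16 bytes of link/IP header residue followed by the bytes we keep.
HDR = bytes(range(16))
PACKETS = [
    {"src": "10.0.0.1", "sport": 40000, "dst": "10.0.0.2", "dport": 80, "proto": "TCP",
     "raw": HDR + bytes(range(100, 116)) + b"\xff" * 4},   # longer than m+16: truncated
    {"src": "10.0.0.1", "sport": 40000, "dst": "10.0.0.2", "dport": 80, "proto": "TCP",
     "raw": HDR + b"\x01\x02\x03"},                        # shorter than m+16: zero-padded
    {"src": "10.0.0.1", "sport": 40000, "dst": "10.0.0.2", "dport": 80, "proto": "TCP",
     "raw": HDR + bytes([7] * 16) + b"extra"},             # truncated again
    {"src": "10.0.0.1", "sport": 40001, "dst": "10.0.0.2", "dport": 443, "proto": "TCP",
     "raw": HDR + b"\xaa" * 16},                           # a second, single-packet flow
]
FLOW_A = ("10.0.0.1", 40000, "10.0.0.2", 80, "TCP")

if __name__ == "__main__":
    for key, tensor in preprocess(PACKETS).items():
        print(key)
        for row in tensor:
            print(row)
```

The first flow has only three packets, so its fourth 16-byte slot is all zeros; the second flow fills its first two tensor rows with 170 (0xaa) and the remaining six rows with zeros. Changing n, m or h so that n×m ≠ h×h is rejected rather than silently dropping bytes.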
Preferably, the step 2.4 specifically includes:
(1) traversing each five-tuple, abstracting each IP address into a node, checking whether the nodes abstracted from host_s and host_e of the five-tuple are already in the attack directed graph, and adding the nodes step by step;
(2) since each five-tuple represents a set of communication data between designated nodes, a directed edge from host_s to host_e is established for each five-tuple and the directed edges are added step by step;
(3) a time attribute is added to each directed edge.
Preferably, the step 3.1 specifically includes:
(1) the data labels comprise 6 types: Normal, IPsweep, Probe, Breakin, Installation and Action; these labels are used to train the neural network model for classification, where Normal represents normal traffic and the remaining five labels (attack 1 to attack 5) represent the different attack types;
(2) the ResNet18 convolutional structure is selected as the backbone of the convolutional neural network, with Adam as optimizer, cross-entropy as loss function and Softmax as activation function; the ResNet18 model is 18 layers deep and consists of 5 convolutional layers, 5 global average pooling layers and a final fully connected layer whose output is the normal class and the five multi-step network attack types to be classified;
(3) some parameters of the standard ResNet18 model are modified; specifically, the name, output size, convolution kernel size, stride and padding (the width of the pixels added around the input data) of each layer are modified.
Table 3. CNN model parameters
Preferably, the parameters and meaning of each layer of the ResNet18 network model modified in item (3) of step 3.1 are as follows:
(1) 3×3 convolutional layer
In the standard ResNet18 the first convolution layer has a 7×7 kernel, stride 2, padding 3 (the width of the pixels around the input data) and 64 output channels; the kernel size is modified to 3×3, the stride to 1 and the padding to 1, and the output size is computed according to the formula for the size after convolution:
where the input size is W×W, the convolution kernel size is F×F, the padding (width of the pixels around the input data) is P, the stride is S and N is the output size;
(2) pooling layer
A max-pooling layer with a 3×3 kernel, stride 1 and padding 1; pooling does not change the number of channels but halves the size of the data;
(3) first 3×3 convolutional layer
The first convolution layer has a 3×3 kernel, stride 1 and padding 1; this layer changes neither the size nor the number of channels of the data;
(4) second 3×3 convolutional layer
A 3×3 convolution followed by downsampling; the number of output channels is doubled and the output size is halved;
(5) third 3×3 convolutional layer
Also a 3×3 convolution with downsampling; the number of output channels is doubled and the output size is halved;
(6) fourth 3×3 convolutional layer
The number of output channels is doubled and the output size is halved;
(7) average pooling layer
Output data size
(8) linear layer
Outputs the number of classes.
Preferably, step 3.2 specifically comprises the following steps:
(1) extracting the weight matrix from the fully connected layer of the CNN model;
(2) obtaining the class activation map (CAM) of a traffic sample under its class by a weighted summation of the feature maps output by the CNN model with that weight matrix;
(3) obtaining the attack details of the abnormal stream by extracting, from the original stream, the data at the positions highlighted by the CAM;
(4) clustering the attack details by attack mode to obtain several attack clusters, one cluster per attack mode;
(5) computing the Euclidean distance between the attack details and each attack cluster centre, and finally feeding the Euclidean distances into a trained decision tree to obtain the corresponding attack mode.
Preferably, the weight matrix, class activation map, attack details, clusters and final decision tree of step 3.2 are explained in detail as follows:
(1) weight matrix: the fully connected layer operates on the feature map output by the last convolution layer and produces the classification probabilities; extracting the parameters of the fully connected layer gives a scoring matrix that is used as the weight matrix for analysing which feature maps matter most for a given class; the weight matrix is shown in formula (2),

$$W_{i,j},\quad i = 1, 2, 3, \dots, n,\; j = 1, 2, \dots, m \tag{2}$$

where n is the number of channels of the last convolution layer and m is the number of classes (stream types) to be classified;
(2) class activation map: the CAM is obtained by multiplying each weight coefficient of the weight matrix with the corresponding feature map, as expressed by formula (3):
where CAM_label is the class activation map of a positive sample, label is the class assigned to the stream sample after the convolution layers, W_{i,label} is the weight matrix of formula (2) and feature_i is the i-th channel of the feature map output by the last convolution layer; the class activation map extracts the highlighted positions of the feature map in the classification task;
(3) attack details: the CAM marks the region the model focuses on during classification, so the information relevant to the classification is obtained by extracting the data at the corresponding positions of the sample; the attack details are obtained as the intersection of the CAM and the original sample, as shown in formula (4); a threshold is set such that elements of the CAM smaller than the threshold are replaced with 0 and elements greater than or equal to the threshold are replaced with 1; the extracted attack details are vectorized as vec_x for later use,

$$\mathrm{Detail}(i,j) = \mathrm{CAM}(i,j) \times \mathrm{sample}(i,j) \tag{4}$$

where i = 1, 2, 3, …, h, j = 1, 2, 3, …, h, h is the size of the original CNN input sample, Detail(i, j) is the attack detail of the sample, CAM(i, j) is the position data of the class activation map and sample(i, j) is the position data of the sample;
(4) clustering: a network attack has a corresponding attack category, so the attack details are clustered by attack mode in order to analyse the decision basis of the CNN; the extracted attack details are clustered with a K-Means model into several attack clusters AM_i, i = 1, 2, …, n, n being equal to the number of attack modes, so that each attack mode has a corresponding attack cluster;
(5) constructing the decision tree: a decision tree with added prior knowledge classifies the attack modes; the specific attack mode it assigns is matched against the attack type classified by the ResNet, which reduces false alarms and at the same time improves the interpretability of CNN processing of network flow data; the distance vector Dis is the input of the decision tree and is obtained by computing the Euclidean distance between the attack details of a sample and each attack cluster centre, as shown in formula (5):
where Dis is the distance vector, vec_x is the vectorized attack details, the second argument is the vectorized attack cluster centre and EDis is the Euclidean distance; the input of the decision tree is shown in formula (6):

$$\mathrm{Input} = \{(\mathrm{Dis}_1, y_1), (\mathrm{Dis}_2, y_2), \dots, (\mathrm{Dis}_n, y_n)\} \tag{6}$$

where Input is the input of the decision tree, y is the attack-mode label of the sample and n is the number of sample attack modes;
the decision tree is split using the Gini index, which describes the degree of impurity of the samples in a branch; the higher the Gini index, the more mixed, i.e. the more impure, the branch samples are, and the tree must keep splitting until the Gini index of a branch node is smaller than a specified value; the decision tree model of a machine learning library is used to build the tree, with the important parameters criterion=gini and random_state=123, and the data set is split with the data-set splitting method of the sklearn model selection and evaluation toolkit (sklearn.model_selection).
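The following is an added example, not the patent's code, that carries the evidence chain of step 3.2 (items (1) to (5) above and the detailed explanation that follows them) through on toy data in plain Python: the class activation map as the weighted sum of the last-layer feature maps under the column of W for the target label, the threshold that turns the CAM into a 0/1 mask, the attack details of formula (4), their vectorization vec_x, the distance vector Dis to every cluster centre, and the Gini impurity used to decide whether a tree branch must be split further. The weight matrix, feature maps, sample, threshold and cluster centres are constructed values; the cluster centres stand in for the output of the K-Means step, which is not recomputed here, and the weighted-sum form of the CAM is the standard formulation that the page describes in words (its formula (3) is not reproduced on the page).

```python
# Added example (not the patent's code): CAM -> attack details -> distance vector -> Gini.
# All numeric inputs below are constructed toy values.
import math


def class_activation_map(weights, feature_maps, label):
    """CAM_label(i, j) = sum over channels c of W[c][label] * feature_c(i, j)."""
    h = len(feature_maps[0])
    cam = [[0.0] * h for _ in range(h)]
    for c, fmap in enumerate(feature_maps):
        w = weights[c][label]
        for i in range(h):
            for j in range(h):
                cam[i][j] += w * fmap[i][j]
    return cam


def binarize(cam, threshold):
    """Elements below the threshold become 0, the rest 1 (the highlighted region)."""
    return [[1 if v >= threshold else 0 for v in row] for row in cam]


def attack_details(mask, sample):
    """Formula (4): Detail(i, j) = CAM(i, j) x sample(i, j), keeping only highlighted bytes."""
    return [[m * s for m, s in zip(mrow, srow)] for mrow, srow in zip(mask, sample)]


def vectorize(matrix):
    """vec_x: flatten the h x h detail matrix row by row."""
    return [v for row in matrix for v in row]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def distance_vector(vec_x, centres):
    """Dis: Euclidean distance from vec_x to every attack-cluster centre (decision-tree input)."""
    return [euclidean(vec_x, c) for c in centres]


def gini_impurity(labels):
    """Gini index of a branch: 0 when pure, larger the more mixed the labels are."""
    total = len(labels)
    counts = {}
    for y in labels:
        counts[y] = counts.get(y, 0) + 1
    return 1.0 - sum((c / total) ** 2 for c in counts.values())


# Constructed toy data: 2 channels, 4 x 4 feature maps, 2 classes; label 1 is the attack class.
WEIGHTS = [[0.2, 0.1],   # channel 0 contributes little to class 1
           [0.1, 0.8]]   # channel 1 is what the classifier relies on for class 1
FEATURE_MAPS = [
    [[1.0] * 4 for _ in range(4)],
    [[0.0, 0.0, 0.0, 0.0],
     [0.0, 1.0, 1.0, 0.0],
     [0.0, 1.0, 0.5, 0.0],
     [0.0, 0.0, 0.0, 0.0]],
]
SAMPLE = [[10, 20, 30, 40],        # the original h x h input bytes
          [50, 60, 70, 80],
          [90, 100, 110, 120],
          [130, 140, 150, 160]]
THRESHOLD = 0.3


def demo():
    """Run the chain for the attack class and return (vec_x, Dis)."""
    cam = class_activation_map(WEIGHTS, FEATURE_MAPS, label=1)
    detail = attack_details(binarize(cam, THRESHOLD), SAMPLE)
    vec_x = vectorize(detail)
    # constructed cluster centres: one equal to this detail vector, one at the origin
    centres = [vec_x, [0] * len(vec_x)]
    return vec_x, distance_vector(vec_x, centres)


if __name__ == "__main__":
    vec_x, dis = demo()
    print("vec_x:", vec_x)
    print("Dis:", dis)
    print("Gini of a mixed branch:", gini_impurity([0, 0, 1, 1]))
```

Only the four bytes under the highlighted 2×2 block of the CAM survive into vec_x, which is the point of the detail extraction: the distance vector is computed from the bytes the CNN actually attended to, not from the whole stream. The (Dis, y) pairs produced this way are what the page feeds into the decision tree; with scikit-learn that is DecisionTreeClassifier(criterion="gini", random_state=123), matching the parameters quoted above.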
Preferably, step 4.2 specifically comprises:
(1) creating an empty root node list root and initializing an all-zero array visit with as many entries as the initial network topology graph G_start has nodes;
(2) looping over the nodes of the initial network topology graph G_start and setting a flag bit that indicates whether a node has been traversed; initially all nodes are set to false, meaning not yet visited;
(3) judging whether the in-degree of the current node is zero; if so, the node has no dependency, it is regarded as a root node and is added to the root node list root.
Preferably, the pruning operation of step 4.3 specifically comprises:
(1) a function named prune is defined to perform the three pruning operations; it accepts two parameters: the graph G and the current node curNode;
(2) all neighbour nodes of the current node curNode are obtained and stored in the neighbour list nextNodes;
(3) the size of the neighbour list nextNodes is checked; if it is zero the current node has no neighbours left to traverse, so the function returns directly;
(4) each node in the neighbour list nextNodes is traversed, all of its neighbours are obtained and stored in the list nextNextNodes;
(5) if a node has not been visited yet, its visited flag is set to true;
(6) the recursive call prune(G, node) is executed to prune the neighbours of that node;
(7) whether the traffic is normal is judged; if so, the directed edge between the current node curNode and the neighbour nextNode is deleted;
(8) whether the attack mode matches the attack type is judged; if not, the directed edge between the current node curNode and the neighbour nextNode is deleted;
(9) if the time of the current step is later than the time of the next step, the directed edge between the neighbour node and its successor and the directed edge between the current node curNode and the neighbour are both deleted;
preferably, whether the flow in item (7) of step 4.3 is normal traffic is determined by the classification process of step 3.1;
preferably, the matching of attack type and attack mode in item (8) of step 4.3 is specifically:
the attack type and attack mode of the detected flow are identified with the CTree model built in step 3, and whether the IDS labelled the flow correctly is assessed by matching the detected attack type and mode against the known correspondence between attack types and attack modes; if the match succeeds, the IDS label of the flow is considered correct; otherwise the IDS label is inaccurate and, if the flow is a false alarm, the data flow is pruned directly; combining the attack type with the attack mode therefore determines more accurately whether the attack information labelled by the IDS is credible, removes some false-alarm information and completes the second pruning.
Preferably, the time-sequence association process in item (9) of step 4.3 is specifically:
the directed edges between associated nodes in the constructed network topology graph carry a time attribute; the third pruning is therefore performed according to time-sequence correlation analysis, and directed edges with time conflicts are pruned; time-sequence correlation means that a network attack is usually divided into several attack stages and the success of an earlier stage is the precondition for the next, so the attack stages follow a strict temporal order;
(1) reading the network topology data and the node-change data, building the network topology graph with the NetworkX library and drawing it with the Matplotlib library;
(2) analysing the node-change trend with the Pandas library and drawing the node-change graph with Matplotlib;
(3) finally, eliminating the attack paths or nodes that do not match the characteristics of the attack stages; the image obtained after the three prunings is the reconstructed, simplified multi-step network attack scene.
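The following is an added example, not the patent's code, that puts together the topology construction of step 2.4, the root-node search of step 4.2 and the recursive three-stage prune of step 4.3 (items (1) to (9) with the normal-traffic, type/mode and time-sequence rules explained above). It uses a small dictionary-based graph instead of NetworkX so that it runs without extra packages; the attack-type to attack-mode table (a stand-in for the page's Table 2, which is not reproduced), the flow records with their CNN and CTree labels, the IP addresses and timestamps, and the final removal of nodes left without edges are all constructed assumptions of this example.

```python
# Added example (not the patent's code): G_start construction, root search and
# three-stage pruning over constructed, pre-labelled flow records.

# Constructed stand-in for the patent's Table 2: attack type -> admissible attack modes.
TYPE_MODE_TABLE = {
    "IPsweep": {"icmp_sweep"},
    "Probe": {"port_probe"},
    "Breakin": {"remote_exploit"},
    "Installation": {"agent_install"},
    "Action": {"flood"},
}

# Constructed flows, one per five-tuple, already labelled by the CNN (attack_type,
# "Normal" for benign traffic) and by the CTree model (attack_mode).
FLOWS = [
    {"host_s": "10.0.0.1", "host_e": "10.0.0.2", "time": 1, "attack_type": "IPsweep", "attack_mode": "icmp_sweep"},
    {"host_s": "10.0.0.1", "host_e": "10.0.0.3", "time": 2, "attack_type": "Probe", "attack_mode": "port_probe"},
    {"host_s": "10.0.0.3", "host_e": "10.0.0.4", "time": 3, "attack_type": "Breakin", "attack_mode": "remote_exploit"},
    {"host_s": "10.0.0.4", "host_e": "10.0.0.5", "time": 4, "attack_type": "Installation", "attack_mode": "agent_install"},
    {"host_s": "10.0.0.5", "host_e": "10.0.0.6", "time": 5, "attack_type": "Action", "attack_mode": "flood"},
    {"host_s": "10.0.0.2", "host_e": "10.0.0.5", "time": 6, "attack_type": "Normal", "attack_mode": ""},       # rule 1
    {"host_s": "10.0.0.3", "host_e": "10.0.0.2", "time": 3, "attack_type": "Probe", "attack_mode": "flood"},   # rule 2
    {"host_s": "10.0.0.2", "host_e": "10.0.0.7", "time": 7, "attack_type": "Probe", "attack_mode": "port_probe"},
    {"host_s": "10.0.0.7", "host_e": "10.0.0.8", "time": 2, "attack_type": "Breakin", "attack_mode": "remote_exploit"},  # rule 3: earlier than its predecessor
]


class Graph:
    """Minimal directed graph: nodes are IP addresses, edges carry attribute dicts."""

    def __init__(self):
        self.nodes = set()
        self.edges = {}  # (src, dst) -> attributes

    def add_edge(self, src, dst, **attrs):
        self.nodes.update((src, dst))
        self.edges[(src, dst)] = attrs

    def remove_edge(self, src, dst):
        self.edges.pop((src, dst), None)

    def successors(self, node):
        return [d for (s, d) in self.edges if s == node]

    def in_degree(self, node):
        return sum(1 for (_, d) in self.edges if d == node)


def build_initial_graph(flows):
    """Step 2.4: each IP becomes a node, each five-tuple a directed edge with a time attribute."""
    g = Graph()
    for f in flows:
        g.add_edge(f["host_s"], f["host_e"], time=f["time"],
                   attack_type=f["attack_type"], attack_mode=f["attack_mode"])
    return g


def find_roots(g):
    """Step 4.2: nodes with in-degree zero have no predecessor and start the chains."""
    return sorted(n for n in g.nodes if g.in_degree(n) == 0)


def prune(g, cur, visited):
    """Step 4.3: recursive three-stage pruning of the edges below node cur."""
    next_nodes = g.successors(cur)
    if not next_nodes:
        return
    for nxt in next_nodes:
        if not visited[nxt]:
            visited[nxt] = True
            prune(g, nxt, visited)                      # item (6): prune the subtree first
        edge = g.edges.get((cur, nxt))
        if edge is None:
            continue
        if edge["attack_type"] == "Normal":             # item (7): first pruning, benign traffic
            g.remove_edge(cur, nxt)
            continue
        if edge["attack_mode"] not in TYPE_MODE_TABLE.get(edge["attack_type"], set()):
            g.remove_edge(cur, nxt)                     # item (8): second pruning, type/mode mismatch
            continue
        for nxt_nxt in g.successors(nxt):               # item (9): third pruning, time conflict
            if edge["time"] > g.edges[(nxt, nxt_nxt)]["time"]:
                g.remove_edge(nxt, nxt_nxt)
                g.remove_edge(cur, nxt)


def reconstruct_scene(flows):
    """G_start -> prune from every root -> G_end; nodes left without edges are dropped (assumption)."""
    g = build_initial_graph(flows)
    visited = {n: False for n in g.nodes}
    for root in find_roots(g):
        visited[root] = True
        prune(g, root, visited)
    g.nodes = {n for e in g.edges for n in e}
    return g


if __name__ == "__main__":
    g_end = reconstruct_scene(FLOWS)
    for (src, dst), a in sorted(g_end.edges.items(), key=lambda kv: kv[1]["time"]):
        print(f"t={a['time']} {src} -> {dst}  {a['attack_type']}/{a['attack_mode']}")
```

Run on the constructed flows, the nine-edge G_start collapses to the five-edge chain sweep → probe → break-in → installation → action: the Normal edge goes in the first pruning, the Probe edge labelled with a flood mode goes in the second, and the pair 10.0.0.2 → 10.0.0.7 → 10.0.0.8 goes in the third because the later hop carries an earlier timestamp than the hop that supposedly led to it.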
Compared with the prior art, the invention has the following beneficial effects:
the topology pruning optimization method for rapid multi-step network attack identification and scene reconstruction addresses the problems that existing intrusion detection systems cannot identify multi-step network attacks and cannot capture a complete attack chain. The invention identifies multi-step network attacks by analysing and processing raw data in Pcap format and can thereby reconstruct multi-step network attack scenes. First, the Pcap packets are preprocessed, including extraction of the data-flow packets and reshaping of the data-flow tensor, producing a two-dimensional tensor. Then an initial topological graph is built with IP addresses as nodes and timestamps and ports as edge attributes, and this initial graph is pruned further. Finally, the pruned graph is the most simplified topological graph that is closest to the multi-step attack scene; compared with existing multi-step attack scene reconstruction methods, the method is more concise, effective and extensible, and it ultimately restores the multi-step network attack scene graph.
Drawings
The technical scheme of the invention will be described in further detail below with reference to the accompanying drawings and examples.
FIG. 1 is a schematic diagram of the data preprocessing process in the topology pruning optimization method based on multi-step network attack recognition and scene reconstruction of the present invention;
FIG. 2 is a CTree model diagram in the topology pruning optimization method based on multi-step network attack recognition and scene reconstruction of the present invention;
FIG. 3 is a schematic diagram of the LLDOS 1.0 network communication scenario including normal traffic in the topology pruning optimization method based on multi-step network attack recognition and scenario reconstruction of the present invention;
FIG. 4 is a schematic diagram of the scene reconstruction of the LLDOS 1.0 network communication including normal traffic in the topology pruning optimization method based on multi-step network attack recognition and scene reconstruction of the present invention;
FIG. 5 is a communication diagram after pruning based on normal traffic in the topology pruning optimization method based on multi-step network attack recognition and scene reconstruction of the present invention;
FIG. 6 is a communication diagram after pruning based on mismatch between attack type and attack mode in the topology pruning optimization method based on multi-step network attack recognition and scene reconstruction of the present invention;
FIG. 7 is a communication diagram after pruning based on time sequence conflict in the topology pruning optimization method based on multi-step network attack identification and scene reconstruction of the present invention;
FIG. 8 is a view of the multi-step attack scenario after pruning in the topology pruning optimization method based on multi-step network attack identification and scenario reconstruction of the present invention;
FIG. 9 is a view of the reconstructed multi-step attack scenario in the topology pruning optimization method based on multi-step network attack identification and scenario reconstruction of the present invention.
Detailed Description
Various embodiments of the present invention are disclosed in the following drawings, which are presented in sufficient detail to provide a thorough understanding of the present invention. However, it should be understood that these physical details should not be used to limit the invention. That is, in some embodiments of the present invention, these physical details are not necessary. Moreover, for the sake of simplicity of illustration, some well-known and conventional structures and components are shown in the drawings in a simplified schematic manner.
In addition, the technical solutions of the embodiments may be combined with each other, provided that the combination can be realized by those skilled in the art; when the technical solutions are contradictory or cannot be realized, the combination should be considered absent and not within the scope of protection claimed in the present invention.
Referring to FIGS. 1-9, in order to verify the effectiveness of the proposed topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, an initial topological graph is first constructed, then the three-pass pruning algorithm is applied to the initial topological graph to delete unnecessary or redundant network connections, and finally the whole-network multi-step attack scene is reconstructed.
(1) Constructing an initial network topology
An initial attack scenario diagram is constructed for the original data in step 2.1; FIG. 3 shows a network communication scenario based on the DARPA 2000 dataset and a part of the non-attack dataset.
However, since the amount of data involved in this experiment is large, a large number of nodes are aggregated together, as shown in the upper right of FIG. 3. The graph can therefore be reconstructed to present the relevant information more clearly. FIG. 4 is the network communication scenario reconstructed from FIG. 3, with the large aggregated set of points denoted by "other".
(2) Pruning based on normal flow
The DARPA 2000 dataset with added non-attack data is input into the ResNet18 model for classification according to step 3.1. Based on the classification results, the large amount of normal traffic in the attack scenario of FIG. 3, which is redundant for constructing the abnormal traffic communication graph, is removed. As before, the large aggregated set of points is represented by "other", and the resulting reconstructed overall abnormal traffic communication graph is shown in FIG. 5. In FIG. 5, the various types of abnormal traffic and their network communication relationships and interactions can be seen and further analyzed and processed.
(3) Matching pruning based on attack type and mode
According to the matching relationship between attack type and attack pattern shown in Table 2, pruning is performed for the second time based on FIG. 5: the paths whose attack type and attack mode do not match are removed, and the network topology diagram drawn with NetworkX and Matplotlib is shown in FIG. 6.
(4) Pruning based on time sequence relevance
The directed edges with time conflicts are pruned, and the network topology diagram drawn with NetworkX and Matplotlib is shown in FIG. 7.
FIG. 8 shows the overall multi-step network attack scenario for the LLDOS 1.0 dataset after the three pruning operations. An attacker at 202.77.162.213 enters the network, starts scanning the network, and sends vulnerability query packets to the online hosts. Privileges are then obtained through the vulnerabilities of hosts 172.16.112.10, 172.16.112.50 and 172.16.115.20, which the attacker uses as springboards for the next attack activity. DDoS attack software is injected into the three springboard hosts, and a DDoS attack is launched against the target host 131.84.1.31. Finally, a large number of malicious packets with forged IP addresses are sent to the target host 131.84.1.31 from hosts 172.16.112.10, 172.16.112.50 and 172.16.115.20.
Because of the large data volume, the multi-step attack scene after pruning is not very intuitive. Therefore FIG. 8 is reconstructed, the large aggregated point sets are represented by "other", and the reconstructed multi-step attack scene diagram is shown in FIG. 9.
The foregoing description is only illustrative of the invention and is not to be construed as limiting the invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principle of the present invention, should be included in the scope of the claims of the present invention.

Claims (12)

1. The topological pruning optimization method based on multi-step network attack recognition and scene reconstruction is characterized by comprising the following steps of:
step 1, defining data flow five-tuple, topological graph nodes and related attributes of directed edges;
step 2, preprocessing the Pcap data packets, wherein the preprocessing process comprises extraction of the data flow packets and reshaping of the data flow tensor, generating a two-dimensional tensor, namely the data set, and constructing the initial network topology graph G_start of the whole attack process for the data set;
Step 3, a model based on a convolutional neural network and a decision tree is provided, and the model is named as a CTree model;
step 4, identifying the attack type based on the convolutional neural network of step 3 and pruning the normal flow for the first time, obtaining the attack mode of the data flow based on the CTree model of step 3 and pruning for the second time the flows whose attack type and attack mode do not match, pruning for the third time based on the time sequence correlation among the attack steps of the multi-step attack, and finally obtaining the pruned image, which is the simplified multi-step network attack scene after reconstruction;
the step 1 is specifically implemented according to the following steps:
step 1.1, defining a directed graph G = (V, E), where G represents the network state graph, V the set of nodes in the network and E the set of directed edges between hosts in the network; nodes and directed edges are unique, and nodes are distinguished by IP address;
step 1.2, defining the data stream five-tuple: the network dataset is processed according to the five-tuple (host_s, port_s, host_e, port_e, protocol), namely all communication packets between two hosts on two fixed ports are divided into one stream according to the five-tuple information; wherein host_s represents the source IP address, host_e the destination IP address, port_s the source port, port_e the destination port, and protocol the communication protocol used;
the step 2 is specifically implemented according to the following steps:
step 2.1, selecting the data set: the original data set used to train the model is DARPA 1999, and the DARPA 2000 data set with added non-attack data is used for testing; the DARPA 1999 data set contains 5 types of attack in total, each type of attack comprises a plurality of different attack modes, and there are 55 attack modes in total;
step 2.2, data preprocessing: converting the hexadecimal data in the data packets into decimal numbers according to the Tcpdump-format data packets provided by the DARPA series data sets;
step 2.3, data preprocessing: extracting a data stream with a fixed length from a network data packet, and converting the format and the dimension of the data stream to enable the data stream to be changed into a two-dimensional tensor with a consistent size for being input by a neural network model;
step 2.4, constructing the initial network topology graph G_start of the whole attack process for the data flows divided by five-tuple in step 2.3;
The step 3 is specifically implemented according to the following steps:
step 3.1, automatically extracting hidden features in the data tensor by using a convolutional neural network technology, and classifying attack types through the hidden features;
step 3.2, constructing a decision tree based on convolutional neural network technology for further attack evaluation;
the step 4 is specifically implemented according to the following steps:
step 4.1, the input of the conceived algorithm is the initial network topology graph G_start of step 2.4, and its output is the topology graph G_end reconstructed for the attack scene;
step 4.2, finding all nodes of the initial network topology graph G_start with in-degree zero and storing them in a root node list root;
step 4.3, traversing each node in the root node list root and deleting from the initial network topology graph G_start all edges taking the current node as a starting point, namely the pruning operation, and displaying the attack scene reconstruction topology graph G_end after the pruning operation.
2. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein step 2.3 specifically comprises the following steps:
(1) Dividing the network data packets into individual stream information by five-tuple, wherein each five-tuple comprises n data packets from network data packet Package1 to network data packet Package n, m bytes are extracted from each data packet, and the extraction position in the data packet starts from the 16th byte, so that the interfering information of the data-link-layer MAC addresses and the network-layer version number in the data packet is removed and only the important header information and the remaining payload are contained;
(2) Zero padding is applied to data packets whose message length is smaller than m+16 bytes, and truncation is applied when the message length is larger than m+16 bytes;
(3) Splicing the results of step (2), namely splicing the n data packets head to tail into a data stream with a length of n×m bytes;
(4) Finally, the n×m byte tensor is transformed into an h×h two-dimensional tensor for input to the neural network.
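The flow-to-tensor preprocessing of steps (1)-(4) above, written out as an added example in pure Python (this is not the patent's own code). The packet bytes and five-tuples are constructed; the choice to pad a flow that has fewer than n packets with all-zero packets is an assumption the claim does not state.

```python
"""Added example: five-tuple flow -> h x h tensor preprocessing (claim 2, steps 2.2-2.3).
Pure Python; the packet bytes below are constructed, not taken from a DARPA capture."""

HEADER_SKIP = 16  # bytes dropped from each packet: link-layer MAC addresses and IP version field


def packet_to_bytes(pkt, m):
    """Keep m bytes starting at byte 16.  Packets shorter than m+16 bytes are
    zero-padded, longer ones are truncated, so every packet yields exactly m bytes."""
    body = pkt[HEADER_SKIP:HEADER_SKIP + m]
    return body + bytes(m - len(body))


def group_flows(records):
    """Group (five_tuple, raw_packet) records into flows.  The five-tuple is
    (host_s, port_s, host_e, port_e, protocol) as defined in step 1.2."""
    flows = {}
    for key, raw in records:
        flows.setdefault(key, []).append(raw)
    return flows


def flow_to_tensor(pkts, n, m, h):
    """Splice the first n packets head to tail into an n*m byte stream, convert the
    bytes to decimal values (step 2.2) and reshape to an h x h two-dimensional tensor.
    Assumption (not stated in the claim): a flow with fewer than n packets is padded
    with all-zero packets so that every tensor has the same shape."""
    if n * m != h * h:
        raise ValueError("n*m must equal h*h for the reshape to be lossless")
    chosen = list(pkts[:n]) + [b""] * max(0, n - len(pkts))
    stream = b"".join(packet_to_bytes(p, m) for p in chosen)
    values = list(stream)  # each byte becomes an integer 0..255
    return [values[r * h:(r + 1) * h] for r in range(h)]


def preprocess(records, n=4, m=16, h=8):
    """Full step 2.3: one h x h tensor per five-tuple flow."""
    return {key: flow_to_tensor(pkts, n, m, h) for key, pkts in group_flows(records).items()}


# Constructed sample: two flows between documentation-range addresses (RFC 5737).
FLOW_A = ("192.0.2.10", 40000, "198.51.100.5", 80, "tcp")
FLOW_B = ("192.0.2.11", 40001, "198.51.100.5", 22, "tcp")
PKT_LONG = bytes(range(14)) + b"\x08\x00" + bytes(range(100, 140))  # 56 bytes: truncated to m
PKT_SHORT = bytes(20)                                                 # 20 bytes: zero-padded to m
SAMPLE_RECORDS = [
    (FLOW_A, PKT_LONG),
    (FLOW_B, PKT_LONG),
    (FLOW_A, PKT_SHORT),
    (FLOW_A, PKT_LONG),
]

if __name__ == "__main__":
    for key, tensor in preprocess(SAMPLE_RECORDS).items():
        print(key)
        for row in tensor:
            print(" ", row)
```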
3. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein step 2.4 specifically comprises the following steps:
(1) Traversing each five-tuple and abstracting each IP address into a node: by looking up whether the nodes abstracted from host_s and host_e contained in each five-tuple are already in the attack directed graph, the nodes are gradually added;
(2) Since each five-tuple represents a set of communication data between designated nodes, a forward directed connection is established from the host_s to the host_e contained in the five-tuple, and the directed edges are gradually added;
(3) A time attribute is added to the directed edge.
4. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein step 3.1 specifically comprises the following steps:
(1) The data type tags include 6 types: Normal, IPsweep, Probe, Breakin, Installation and Action; these labels are used to train the neural network model for classification, where Normal represents normal traffic and attack 1 through attack 5 represent the different attack types;
(2) The ResNet18 convolution structure is selected as the main frame of the convolutional neural network, with Adam as optimizer, Cross-Entropy as loss function and Softmax as activation function; the network depth of the ResNet18 model is 18 layers, and the model consists of 5 convolution layers, 5 global average pooling layers and a final fully connected layer, whose output is the normal type and the five multi-step network attack types to be classified;
(3) Some parameters of the standard ResNet18 model are modified; specifically, the name of each layer, the output size, the convolution kernel size, the step size and the padding width around the input data are modified.
5. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the step 3.2 is specifically:
(1) Extracting a weight matrix through a full connection layer of the CNN model;
(2) Obtaining the class activation map of the traffic sample under the corresponding class by weighted summation of the feature map output by the CNN model with the weight matrix;
(3) Obtaining the attack details of the abnormal stream by extracting the data of the original stream at the positions highlighted in the CAM;
(4) Clustering the attack details according to each attack mode to obtain a plurality of attack clusters, wherein each attack mode has a corresponding attack cluster;
(5) The Euclidean distances between the attack details and the attack cluster centers are calculated; finally, the Euclidean distances are input into the trained decision tree to obtain the corresponding attack mode.
6. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the step 4.2 is specifically:
(1) Create an empty root node list root and initialize an all-zero array visit with the same number of entries as the initial network topology graph G_start has nodes;
(2) Cycle through the nodes of the initial network topology graph G_start, setting a flag bit to indicate whether the node has been traversed, with all nodes initially set to false to indicate that they have not been visited;
(3) Judge whether the in-degree of the current node is zero; if so, the node has no dependency relationship, it is regarded as a root node, and the current node is added to the root node list root.
7. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the pruning operation in step 4.3 is specifically:
(1) A function named prune is defined to complete the three pruning operations; it accepts two parameters: the graph G and the current node curNode;
(2) Acquire all adjacent nodes of the current node curNode and store them in the adjacent node list nextNodes;
(3) Check the size of the adjacent node list nextNodes; if it is zero, the current node has no adjacent nodes available for traversal, so the function returns directly;
(4) Traverse each node in the adjacent node list nextNodes, acquire all adjacent nodes of that node and store them in the list nextNextNodes;
(5) If the node has not been visited, set its access flag bit to true;
(6) Execute the recursive call prune(G, node) to prune the adjacent nodes of the node;
(7) Judge whether the traffic is normal; if so, delete the directed edge between the current node curNode and the adjacent node;
(8) Judge whether the attack mode matches the attack type; if not, delete the directed edge between the current node curNode and the adjacent node;
(9) If the time of the current step is greater than the time of the next step, delete the directed edge between the adjacent node and its following node, and the directed edge between the current node curNode and the adjacent node.
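An added worked example (not the patent's code) covering claim 3 (building G_start from five-tuples with a time attribute), claim 6 (root nodes with in-degree zero) and the recursive three-pass prune of claim 7, in pure Python with a dictionary-based digraph instead of NetworkX. The per-flow attack type and attack mode labels stand in for the CTree model's output, the TYPE_TO_MODES table stands in for Table 2 (which is not on this page), and the IP addresses are constructed.

```python
"""Added example: G_start from five-tuple flows and the three-pass pruning of claims 6 and 7.
Pure Python, no NetworkX.  Labels and the type-to-mode table are constructed stand-ins."""
from dataclasses import dataclass


@dataclass
class Flow:
    """One five-tuple flow plus the labels the CTree model attaches (constructed here)."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str
    time: float        # flow timestamp, stored as the edge's time attribute (claim 3, step (3))
    attack_type: str   # ResNet18 output: "Normal" or one of the attack types
    attack_mode: str   # decision-tree output: the fine-grained attack mode


# Hypothetical admissible attack modes per attack type; Table 2 itself is not on this page.
TYPE_TO_MODES = {
    "IPsweep": {"icmp_sweep"},
    "Probe": {"sadmind_probe"},
    "Breakin": {"sadmind_exploit"},
    "Installation": {"mstream_install"},
    "Action": {"ddos_flood"},
}


def build_graph(flows):
    """G_start: IP addresses are nodes, each flow adds a directed edge src -> dst.
    Simplification: only the first flow between a host pair is kept (simple digraph)."""
    nodes, edges = set(), {}
    for f in flows:
        nodes.update((f.src, f.dst))
        edges.setdefault((f.src, f.dst), f)
    return nodes, edges


def successors(edges, node):
    return [v for (u, v) in edges if u == node]


def root_nodes(nodes, edges):
    """Claim 6: nodes with in-degree zero have no dependency and seed the traversal.
    A graph consisting only of cycles has no roots and is left unpruned."""
    targets = {v for (_, v) in edges}
    return sorted(n for n in nodes if n not in targets)


def prune(edges, cur, visited):
    """Claim 7: recursive pruning of the edges leaving `cur`, deepest nodes first."""
    next_nodes = successors(edges, cur)
    if not next_nodes:
        return
    for nxt in next_nodes:
        next_next = successors(edges, nxt)
        if nxt not in visited:
            visited.add(nxt)
            prune(edges, nxt, visited)
        f = edges.get((cur, nxt))
        if f is None:                       # removed by a deeper call (possible with cycles)
            continue
        if f.attack_type == "Normal":       # pass 1: normal traffic
            del edges[(cur, nxt)]
            continue
        if f.attack_mode not in TYPE_TO_MODES.get(f.attack_type, set()):
            del edges[(cur, nxt)]           # pass 2: attack type and mode do not match
            continue
        for nn in next_next:                # pass 3: time-sequence conflict
            g = edges.get((nxt, nn))
            if g is not None and f.time > g.time:
                # the claim drops both the later edge and the edge that supposedly enabled it
                del edges[(nxt, nn)]
                edges.pop((cur, nxt), None)


def reconstruct(flows):
    """Whole of step 4: returns the surviving edges of G_end as sorted (src, dst) pairs."""
    nodes, edges = build_graph(flows)
    visited = set()
    for root in root_nodes(nodes, edges):
        visited.add(root)
        prune(edges, root, visited)
    return sorted(edges)


# Constructed flows (RFC 5737 addresses); the three passes remove four of the six edges.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 40000, 80, "tcp", 1.0, "Normal", "-"),
    Flow("192.0.2.10", "198.51.100.6", 40001, 111, "udp", 2.0, "IPsweep", "icmp_sweep"),
    Flow("198.51.100.6", "198.51.100.7", 40002, 111, "udp", 3.0, "Probe", "ddos_flood"),
    Flow("198.51.100.6", "198.51.100.8", 40003, 32773, "tcp", 4.0, "Breakin", "sadmind_exploit"),
    Flow("198.51.100.8", "203.0.113.9", 40004, 80, "tcp", 1.5, "Action", "ddos_flood"),
    Flow("198.51.100.8", "203.0.113.10", 40005, 80, "tcp", 5.0, "Action", "ddos_flood"),
]

if __name__ == "__main__":
    for src, dst in reconstruct(SAMPLE_FLOWS):
        print(f"{src} -> {dst}")
```

Note that pass 3 follows the claim literally: one temporally inconsistent child edge removes the enabling edge as well, even when the other children are consistent.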
8. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 4, wherein the parameters and meaning of each layer of the ResNet18 network model modified in step (3) of step 3.1 are specifically as follows:
(1) 3 x 3 convolutional layer
The convolution kernel size of the first convolution layer of the standard ResNet18 is 7×7, the stride is 2, the padding width around the input data is 3, i.e. padding is 3, and the number of output channels is 64; the convolution kernel size is modified to 3×3, the stride to 1 and the padding width around the input data to 1, and the output size after convolution is calculated by the formula:
where the input size is W×W, the convolution kernel size is F×F, the padding width around the input data is P, i.e. padding is P, the stride is S, and N is the output size;
(2) pooling layer
This is a max pooling layer with a 3×3 kernel, stride 1 and a padding width of 1 around the input data, i.e. padding is 1; pooling does not change the number of channels of the data but halves the size of the data;
(3) first 3 x 3 convolutional layer
The first convolution layer has a 3×3 kernel, stride 1 and a padding width of 1 around the input data, i.e. padding is 1; this layer changes neither the size nor the number of channels of the data;
(4) second 3 x 3 convolutional layer
A 3×3 convolution layer followed by downsampling; the number of output channels is doubled and the output data size halved;
(5) third 3×3 convolutional layer
Also a 3×3 convolution with downsampling; the number of output channels is doubled and the output data size halved;
(6) fourth 3 x 3 convolutional layer
The number of output channels is doubled and the output data size halved;
(7) average pooling layer
Output data size
(8) Linear layer
Outputs the number of classes.
9. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 5, wherein the weight matrix, class activation map, attack details, clusters and final decision tree of step 3.2 are explained in detail as follows:
(1) weight matrix: the fully connected layer operates on the feature map output by the last convolution layer and generates the corresponding classification probabilities; the parameters of the fully connected layer are extracted to obtain the corresponding scoring matrix, which serves as the weight matrix for analyzing which feature maps are more important for a given category; the weight matrix is shown in formula (2),
W_{i,j}, i = 1, 2, 3, …, n, j = 1, 2, …, m (2)
where i indexes the n channels of the last convolution layer and m is the number of stream classes to be classified;
(2) class activation map: the CAM is obtained by multiplying the weight coefficients in the weight matrix with the corresponding channels of the feature map and summing, as expressed by formula (3):
where Cams_label denotes the class activation map of the positive sample image, label the class assigned to the stream sample after the convolution layers, W_{i,label} the weight matrix of step (1), and feature_i the i-th channel of the feature map output by the last convolution layer; the class activation map extracts the highlighted positions of the feature map in the classification task;
(3) attack details: the CAM represents the region the model focuses on during classification; thus the information relevant to the classification is obtained by extracting the data at the corresponding positions of the sample; the attack details are acquired by extracting the intersection of the CAM and the original sample, as shown in formula (4); a threshold is set such that elements of the CAM smaller than the threshold are replaced with 0 and elements greater than or equal to the threshold are replaced with 1; the extracted attack details are vectorized as vec_x to simplify their representation,
Detail(i, j) = Cams(i, j) × sample(i, j) (4)
where i = 1, 2, 3, …, h, j = 1, 2, 3, …, h, h is the size of the original CNN input sample, Detail(i, j) represents the attack details of the sample, Cams(i, j) the position data in the class activation map, and sample(i, j) the sample position data;
(4) clustering: network attacks have corresponding attack categories; the details are clustered according to each attack mode to analyze the decision basis of the CNN, and the extracted attack details are clustered with a K-Means clustering model to obtain a plurality of attack clusters AM_i, i = 1, 2, …, n, consistent with the number of attack modes, each attack mode having a corresponding attack cluster;
(5) constructing the decision tree: a decision tree augmented with prior knowledge is used to classify the attack modes; the classified specific attack modes correspond to the attack types classified by ResNet, which reduces false alarms and at the same time improves the interpretability of the CNN processing of network flow data; the distance vector Dis is used as the input of the decision tree, and Dis is determined by calculating the Euclidean distance between the attack details of a sample and the attack cluster centers, as shown in formula (5):
where Dis represents the distance vector, vec_x the vectorized representation of the attack details, and EDis the Euclidean distance between vec_x and the vectorized representation of the attack cluster centers; the input of the decision tree is shown in formula (6):
Input = {(Dis_1, y_1), (Dis_2, y_2), …, (Dis_n, y_n)} (6)
where Input is the input of the decision tree, y is the label of the sample's attack mode, and n is the number of sample attack modes;
the decision tree operates using the Gini coefficient; the Gini coefficient describes the degree of impurity of the branch samples: the higher the Gini coefficient, the more mixed, i.e. impure, the branch samples are, and the decision tree must keep splitting until the Gini index of a branch node is smaller than a specified value; the decision tree model of a machine learning library is selected for constructing the decision tree model, with the important parameters criterion=gini and random_state=123, and the data set is divided using the data set splitting method of the model selection and evaluation toolset of sklearn.
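Formulas (3) to (5) of this claim carried through in pure Python, as an added example that is not the patent's code: the class activation map as a weighted sum over channels, the thresholded attack details of formula (4), and the distance vector to the attack cluster centres that forms the decision tree's input. The weights, feature maps, sample and cluster centres are small constructed matrices, not model outputs.

```python
"""Added example: formulas (3)-(5) of claim 9 in pure Python: class activation map,
thresholded attack details and the distance vector fed to the decision tree.
All matrices below are small constructed values, not model outputs."""
import math


def class_activation_map(weights, feature_maps, label):
    """Cams_label = sum_i W[i][label] * feature_i: weighted sum over the channels of
    the last convolutional layer (step (2), formula (3))."""
    h = len(feature_maps[0])
    cam = [[0.0] * h for _ in range(h)]
    for i, fmap in enumerate(feature_maps):
        w = weights[i][label]
        for r in range(h):
            for c in range(h):
                cam[r][c] += w * fmap[r][c]
    return cam


def threshold_cam(cam, threshold):
    """Elements below the threshold become 0, the rest 1 (step (3))."""
    return [[1 if v >= threshold else 0 for v in row] for row in cam]


def attack_details(cam_mask, sample):
    """Formula (4): Detail(i,j) = Cams(i,j) x sample(i,j), the sample restricted to the
    region the classifier focused on."""
    return [[c * s for c, s in zip(crow, srow)] for crow, srow in zip(cam_mask, sample)]


def vectorize(matrix):
    """vec_x: flatten the h x h detail matrix row by row."""
    return [v for row in matrix for v in row]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def distance_vector(vec_x, cluster_centers):
    """Formula (5): Dis = (EDis(vec_x, AM_1), ..., EDis(vec_x, AM_n)), one entry per
    attack cluster centre; this vector is one Dis_k of the decision tree input (6)."""
    return [euclidean(vec_x, centre) for centre in cluster_centers]


def extract_distance(weights, feature_maps, label, sample, threshold, cluster_centers):
    """Whole chain for one classified sample: CAM -> mask -> details -> vec_x -> Dis."""
    cam = class_activation_map(weights, feature_maps, label)
    details = attack_details(threshold_cam(cam, threshold), sample)
    return distance_vector(vectorize(details), cluster_centers)


# Constructed 3x3 toy: two feature-map channels, two classes, two attack cluster centres.
WEIGHTS = [[0.5, 1.0],   # W[i][label], channel 0
           [1.0, 0.0]]   # channel 1
FEATURE_MAPS = [
    [[1, 0, 0], [0, 2, 0], [0, 0, 0]],
    [[0, 0, 3], [0, 1, 0], [0, 0, 0]],
]
SAMPLE = [[10, 20, 30], [40, 50, 60], [70, 80, 90]]
CENTRES = [
    [0, 0, 30, 0, 50, 0, 0, 0, 0],   # constructed centre equal to this sample's details
    [0, 0, 0, 0, 0, 0, 0, 0, 90],    # constructed centre of a different attack mode
]

if __name__ == "__main__":
    print(extract_distance(WEIGHTS, FEATURE_MAPS, 0, SAMPLE, 1.0, CENTRES))
```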
10. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 7, wherein whether the traffic in step (7) of step 4.3 is normal traffic is determined by the procedure of step 3.1.
11. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 7, wherein the attack type and attack mode matching process in step (8) of step 4.3 is specifically:
identifying the attack type and attack mode of the detected flow with the CTree model constructed in step 3, and evaluating whether the IDS marking of the flow is genuine and valid by matching the detected attack type and mode according to the matching relationship between attack type and attack mode; if the matching succeeds, the IDS marked the flow correctly; otherwise the IDS marked the flow inaccurately, and if the flow is a false alarm, the data flow should be pruned directly; thus, combining attack type and attack mode determines more accurately whether the attack information marked by the IDS is credible, certain false alarm information is removed, and the second pruning is completed.
12. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 7, wherein the time sequence correlation process in step (9) of step 4.3 is specifically:
the directed edges between the associated nodes in the constructed network topology graph carry time attributes; therefore, according to the time sequence correlation analysis, pruning is carried out for the third time and the directed edges with time conflicts are pruned; time sequence correlation means that a network attack is usually divided into different attack stages, and the successful occurrence of the attack in the former stage is the premise of the attack in the next stage, so the attack stages follow a definite temporal order;
(1) reading data of a network topological graph and node change data, constructing the network topological graph by using a network library NetworkX, and drawing the graph by using a drawing library Matplotlib;
(2) carrying out node change trend analysis by using a data analysis library Pandas, and drawing a node change graph by using a drawing library Matplotlib;
(3) finally, eliminating the attack paths or nodes that do not accord with the characteristics of the attack stages, thereby obtaining the image after three prunings, namely the simplified multi-step network attack scene after reconstruction.
CN202310794173.4A 2023-06-30 2023-06-30 Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction Pending CN116915450A (en)

Publications (1)

Publication Number Publication Date
CN116915450A true CN116915450A (en) 2023-10-20

Family

ID=88352183

Country Status (1)

Country Link
CN (1) CN116915450A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117575004A (en) * 2024-01-16 2024-02-20 北京壁仞科技开发有限公司 Nuclear function determining method, computing device and medium based on double-layer decision tree
CN117829242B (en) * 2024-03-04 2024-05-03 腾讯科技(深圳)有限公司 Model processing method and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination