CN117081798A - Real threat alert system, method and computer readable storage medium based on ATT_CK and directed alert graph - Google Patents


Info

Publication number: CN117081798A
Application number: CN202311015511.6A
Authority: CN (China)
Prior art keywords: alarm, graph, threat, directed, module
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 殷丽华, 李凡, 罗熙, 钱珂翔, 张道娟, 王文婷, 刘鑫, 李丹
Current assignees: State Grid Smart Grid Research Institute Co Ltd; State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; Guangzhou University
Original assignees: State Grid Smart Grid Research Institute Co Ltd; State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; Guangzhou University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a real threat alert system and a real threat alert method based on ATT_CK and a directed alert graph. The method comprises the following steps: 1) the log processing module processes the original audit records of the system and extracts the entities and interactions from them to form a system traceability graph; 2) the alarm generation module generates threat detection rules by maintaining an ATT_CK knowledge base, obtains a threat detection rule base, and matches initial alarms by rule; 3) after the alarm processing module acquires the threat alarms, it generates a directed alarm graph, uses the directed alarm graph as a training set to train a GAT model, compares the result with a validation set, updates the weight parameters, and obtains the trained model by iterative updating; 4) the real alarm generation module uses the model to compute embeddings for the alarm nodes in a newly generated directed alarm graph and predict their categories, concatenates the node embeddings to obtain the embedding of the alarm graph, and finally outputs the alarm nodes whose predicted category is "real" as real alarms.

Description

Real threat alert system, method and computer readable storage medium based on ATT_CK and directed alert graph
Technical Field
The invention relates to the technical field of network security and graph neural networks, in particular to a real threat alert method based on ATT_CK and a directed alert graph.
Background
Among the various network attacks, the Advanced Persistent Threat (APT) uses advanced attack methods, lasts a long time and causes damage over a wide range, and it has become one of the main objects of precaution for users and enterprises.
The prior art uses endpoint detection and response (EDR) techniques to continuously detect host activity and formulate threat detection rules; when host activity matches a threat rule, a threat alert is issued. ATT_CK is a public knowledge base of cyber-threat TTPs (Tactics, Techniques and Procedures) that can help existing persistent detection technology understand the attacker's methods and define threat detection rules.
However, the prior art has problems such as a large number of false positives, low prediction accuracy and a large data storage volume, and although some technologies are dedicated to improving EDR-based threat detection, these problems cannot be completely solved. For example, Chinese patent application publication No. CN114117432A [an APT attack chain restoration system based on a data traceability graph, Shanghai University of Transportation, CN114117432A] takes the system traceability graph as the original input, compresses the traceability graph into an acyclic graph, marks the infection point and uses it as the base point for search and matching to obtain the complete APT attack chain. However, the system traceability graph used by that method for a given period is often incomplete and only covers a certain number of steps of the attack chain, so the complete APT attack chain cannot be obtained by matching with depth-first search. The Chinese invention patent with publication number CN115396169A [TTP-based multi-step attack detection and scene restoration method and system, Shanghai University of Transportation, CN115396169A] uses a Bi-LSTM neural network model, which handles serialized information, to process the attack technique sequences extracted from attack reports, and uses the trained model to correlate the alarms generated by an EDR system to restore the attack scene. However, that method is limited by the types of attack sequences obtained from the attack reports, alarm correlation is difficult for attack patterns absent from the model training stage, the embedding is performed only on the alarm sequence, and the graph structure information among the system alarms is ignored, so the embedding effect is reduced and the attack detection accuracy drops.
The Chinese invention patent with publication number CN115378670A [an APT attack identification method, device, electronic equipment and medium, Beijing Yongxin Zhicheng Co., Ltd., CN115378670A] performs feature detection, behavior detection and machine learning detection on APT attacks, improving detection efficiency and reducing false alarms. But this approach requires long-term system logs to support detection, which incurs significant log storage costs.
Disclosure of Invention
The invention marks the alarms in the system traceability graph and prunes the traceability graph according to the alarm positions to obtain a directed alarm graph. The directed alarm graph is learned and processed with a graph attention neural network; combined with the 7 attack stages given by the cyber kill chain, the receptive field and the attention weight of each node are dynamically adjusted according to the kill chain stage to which the node belongs, a better node embedding representation is obtained, and whether the node is a real alarm is predicted. Compared with existing research, the method does not depend on the completeness of expert knowledge in the model training stage, can fully utilize the node and structure information of the system traceability graph, obtains a better node embedding representation, and improves the real threat detection effect.
In one aspect, the invention provides a real threat alert system based on ATT_CK and a directed alert graph, realized by the following technical scheme:
A real threat alert system based on ATT_CK and a directed alert graph, comprising: a log processing module, an alarm generation module, an alarm processing module and a real alarm generation module, wherein the log processing module is connected to the alarm generation module, the alarm generation module is connected to the alarm processing module, and the alarm processing module is connected to the real alarm generation module.
Preferably, the log processing module comprises an audit record acquisition module and a traceability graph generation module. The audit record acquisition module is used to acquire the audit records in the system, for example processing the unstructured audit records among them into structured data; the traceability graph generation module is used to extract the system interactions and the interacting entities from the audit records, taking the entities of the interacting parties as the nodes of the graph and the interactions as its edges, and combining them into a system traceability graph that reflects the system information.
Preferably, the alarm generation module comprises an ATT_CK library maintenance module, a threat detection rule generation module, a threat detection rule library and a threat rule matching module. The ATT_CK library maintenance module is used to store and update the ATT_CK knowledge base; the threat detection rule generation module is used to extract information from the ATT_CK knowledge base and obtain the detection rules corresponding to attack patterns, and it supports both automatic rule extraction and manually set threat detection rules; the threat detection rule library is used to store and maintain the attack detection rules; the threat rule matching module is used to search the system traceability graph according to the attack detection rules and obtain the system interactions that match a threat detection rule.
Preferably, the alarm processing module comprises a threat alarm acquisition module, a directed alarm graph generation module, a directed alarm graph storage module and a GAT training module. The threat alarm acquisition module is used to acquire all matched threat alarms and mark the threat interactions in the traceability graph; the directed alarm graph generation module generates a directed alarm graph according to the traceability graph and the alarm positions; the directed alarm graph storage module is used to store the generated directed alarm graphs, and since system alarms keep increasing as system interactions keep occurring, the stored directed alarm graphs keep growing and serve as a data source for forensic analysis of system behavior; the GAT training module is used to train a GAT model.
Preferably, the real alarm generation module comprises a node type prediction module and a real threat alarm module. The node type prediction module is used to obtain, with the trained GAT model, the embedding of each alarm node in the updated directed alarm graph and to predict the category of each node whenever the system interactions are updated; the real threat alarm module is used to output the alarm nodes whose predicted category is real to the relevant operators as real threat alarms.
The GAT training module first calculates the attribute similarity $e_{ij}$ of node $i$ and node $j$:
$$e_{ij} = \alpha^{T}\left(\left[W_1 h_i \,\|\, W_1 h_j\right]\right)$$
where $W_1$ is a trainable transformation matrix, $h_i$ represents the attribute vector of node $i$, $h_j$ represents the attribute vector of node $j$, $\alpha$ represents the shared trainable attention vector, $\|$ denotes concatenation and $T$ denotes the transpose; after the transpose, the concatenated high-dimensional features of nodes $i$ and $j$ are mapped onto the real number $e_{ij}$.
Preferably, the rules for generating the directed alarm map are as follows:
First, all alarms are located by searching according to the occurrence position and time of each alarm, the nodes unrelated to the alarms are deleted and the alarms are connected directly, which completes the preprocessing of the traceability graph; second, the connected alarms are combined into an alarm graph and the direction of each edge is marked according to the time order, forming the directed alarm graph and completing its generation; one directed alarm graph represents one possible APT attack event.
In another aspect, the invention provides a real threat alert method based on ATT_CK and a directed alert graph, comprising the following steps:
S101: parsing the system log to generate a system traceability graph;
S102: formulating and setting system alarm rules according to the ATT_CK attack tactics knowledge base, identifying threat events and marking them in the system traceability graph;
S103: preprocessing the system traceability graph and deleting the nodes not directly related to an alarm;
S104: further reducing the system traceability graph to obtain a directed alarm graph;
S105: assigning a kill chain sequence number and a receptive field size to the nodes of the directed alarm graph;
S106: training a GAT model;
S107: obtaining the node embeddings in a new directed alarm graph using the trained GAT model;
S108: classifying the nodes using the trained GAT model;
S109: feeding back the result of the classification prediction, namely the alarm nodes classified as real alarms, to the relevant operators.
Compared with the prior art, the invention has the following advantages:
1) False alarms are reduced: the conventional threat alarm system based on a TTP knowledge base often classifies common system operations as abnormal operations and alerts the relevant operators, which brings about a large number of false positives. The invention preprocesses a large number of false alarms and real alarms, obtains alarm sequences, combines them into a directed alarm graph and analyzes it in combination with the kill chain. Because most attack flows conform to the links of the kill chain, most false alarms can be filtered out by this analysis process, the proportion of real alarms is raised, false alarms are reduced and the workload of analysts is reduced;
2) Prediction precision is improved: existing security analysis methods require an analyst to analyze a series of individual alarms to find a specific network attack, depend excessively on the analyst's skill level and place tremendous analysis pressure on the analyst. While preprocessing the alarms, the invention constructs a directed alarm graph that connects the related alarms on the system traceability graph and performs automatic analysis in combination with the ATT_CK technique library and the kill chain, so that the hidden associations between alarms are mined, more accurate graph node embeddings are obtained and the prediction precision for real alarms is improved;
3) Storage cost is reduced: because system logs are generated in large volumes and APT attacks have a long latency, a large number of system logs must be stored to detect and analyze APT attacks, which brings huge storage costs. The invention converts the logs and alarms into a directed alarm graph for analysis and processing, so a large number of original logs need not be stored for a long time and the system storage cost is reduced.
Drawings
The invention will be further described with reference to the accompanying drawings; the embodiments do not constitute any limitation of the invention, and other drawings can be obtained by one of ordinary skill in the art from the following drawings without inventive effort.
FIG. 1 is a system framework diagram of the real threat alert method based on ATT_CK and a directed alert graph of the present invention;
FIG. 2 is a flow chart of an implementation of the real threat alert method based on ATT_CK and a directed alert graph of the present invention;
FIG. 3 is a schematic diagram of a preferred embodiment of the present invention.
Detailed Description
The real threat alert method based on ATT_CK and a directed alert graph is described in further detail below in connection with specific embodiments, which are given for comparison and explanation only; the invention is not limited to these embodiments.
In one aspect, as shown in FIG. 1, the invention provides a real threat alert system based on ATT_CK and a directed alert graph, realized by the following technical scheme:
A real threat alert system based on ATT_CK and a directed alert graph, comprising: a log processing module, an alarm generation module, an alarm processing module and a real alarm generation module, wherein the log processing module is connected to the alarm generation module, the alarm generation module is connected to the alarm processing module, and the alarm processing module is connected to the real alarm generation module.
Preferably, the log processing module comprises an audit record acquisition module and a traceability graph generation module. The audit record acquisition module is used to acquire the audit records in the system, for example processing the unstructured audit records among them into structured data; the traceability graph generation module is used to extract the system interactions and the interacting entities from the audit records, taking the entities of the interacting parties as the nodes of the graph and the interactions as its edges, and combining them into a system traceability graph that reflects the system information.
Preferably, the alarm generation module comprises an ATT_CK library maintenance module, a threat detection rule generation module, a threat detection rule library and a threat rule matching module. The ATT_CK library maintenance module is used to store and update the ATT_CK knowledge base, maintaining it and guaranteeing its timeliness; the threat detection rule generation module is used to extract information from the ATT_CK knowledge base and obtain the detection rules corresponding to attack patterns, and it supports both automatic rule extraction and manually set threat detection rules; the threat detection rule library is used to store and maintain the attack detection rules; the threat rule matching module is used to search the system traceability graph according to the attack detection rules and obtain the system interactions that match a threat detection rule.
Preferably, the alarm processing module comprises a threat alarm acquisition module, a directed alarm graph generation module, a directed alarm graph storage module and a GAT training module. The threat alarm acquisition module is used to acquire all matched threat alarms and mark the threat interactions in the traceability graph; the directed alarm graph generation module generates a directed alarm graph according to the traceability graph and the alarm positions; the directed alarm graph storage module is used to store the generated directed alarm graphs, and since system alarms keep increasing as system interactions keep occurring, the stored directed alarm graphs keep growing and serve as a data source for forensic analysis of system behavior; the GAT training module is used to train a GAT model.
Preferably, the real alarm generation module comprises a node type prediction module and a real threat alarm module. The node type prediction module is used to obtain, with the trained GAT model, the embedding of each alarm node in the updated directed alarm graph and to predict the category of each node whenever the system interactions are updated; the real threat alarm module is used to output the alarm nodes whose predicted category is real to the relevant operators as real threat alarms.
The GAT training module first calculates the attribute similarity $e_{ij}$ of node $i$ and node $j$:
$$e_{ij} = \alpha^{T}\left(\left[W_1 h_i \,\|\, W_1 h_j\right]\right)$$
where $W_1$ is a trainable transformation matrix, $h_i$ represents the attribute vector of node $i$, $h_j$ represents the attribute vector of node $j$, $\alpha$ represents the shared trainable attention vector, $\|$ denotes concatenation and $T$ denotes the transpose; after the transpose, the concatenated high-dimensional features of nodes $i$ and $j$ are mapped onto the real number $e_{ij}$.
Next the attention weight bias term $s_j$ of alarm node $j$ is calculated. $s_j$ is a real number whose size is determined by the position of the node in the graph structure and by the semantic information of the node itself. The basic principles for determining the weight bias term $s_j$ are as follows:
(1) Alert nodes in a forward in-order or reverse-order sequence: if a certain alarm node belongs to kill chain position 5, a neighbor alarm node at position 4 points to it, and it points to another neighbor alarm node at position 6, i.e. a directed node sequence 4-5-6 exists, then these three nodes receive a higher $s_j$ during information propagation;
(2) Alert nodes with a small in-order or reverse-order hop: if one alarm node belongs to kill chain position 4 and points to a next alarm node at position 6 (i.e. 4 to 6), while another alarm node belongs to kill chain position 4 and points to a next alarm node at position 7 (i.e. 4 to 7), then the former receives a higher $s_j$ during information propagation;
(3) Alert nodes whose threat is rated in ATT_CK: if the action to which a certain alarm node belongs is considered extremely dangerous in the ATT_CK technique library, the node is given a higher $s_j$.
The above terms can be used as training parameters, and different calculation rules can be customized according to the attack patterns that commonly occur in the actual system.
Each time information propagation is performed and the node information is updated, the attribute similarity $e_{ij}$ and the attention weight bias term $s_j$ of the $k$ nodes whose information is captured are regularized:
where $a_{ij}$ is the final attention weight between node $i$ and node $j$, $p$ is a trainable weight parameter, and LeakyReLU is a generic activation function.
The range of the $k$ nodes to be captured is determined by the receptive field obtained for the node $i$ being calculated; for example, if the receptive field of a certain alarm node is 4, only the information of all $k$ neighbors within 1 to 4 hops of it is collected. The process of updating the node features through information propagation can be expressed as:
where $\sigma$ is the activation function and $W_2$ is a learnable parameter matrix. After GAT training, the embedding of each alert node is obtained. The embeddings are fed into a hidden layer activated by ReLU, a sigmoid is used to classify the alarm nodes, and the loss is calculated by comparison with the labels that state whether the alarm nodes in the training set are real alarms; the loss function is binary cross entropy:
where $n$ is the number of nodes, $y_i$ is the true label value of the $i$-th node and $p(y_i)$ is the predicted label value of the $i$-th node. The trainable values are updated according to the loss value, the embedding of each alarm node is updated, and training is repeated until the loss is smaller than a preset threshold, at which point training ends. At the same time, a multi-head attention mechanism can be used to train several times by the same process to obtain several groups of trainable parameters (such as $\alpha$, $W_1$, $W_2$, etc.), and the node embedding results are concatenated, accumulated or averaged to enhance model stability.
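The attention step described above, as an added example in pure Python that is not code from the patent: it computes $e_{ij}$ exactly as the page's formula states, a bias term $s_j$ following principles (1)-(3), the receptive-field-bounded attention weights, the feature update and the binary cross entropy. The normalisation $a_{ij} = \mathrm{softmax}_j(\mathrm{LeakyReLU}(e_{ij} + p\,s_j))$, the tanh activation, the constant weights inside `bias_term` and the toy alert graph in `demo()` are all assumptions made for this example.

```python
import math
from typing import Dict, List, Optional, Sequence

Vec = List[float]
KILL_CHAIN_LENGTH = 7  # the page's seven-stage kill chain


def matvec(W: Sequence[Sequence[float]], h: Vec) -> Vec:
    return [sum(w * x for w, x in zip(row, h)) for row in W]


def leaky_relu(x: float, slope: float = 0.2) -> float:
    return x if x > 0 else slope * x


def attribute_similarity(alpha: Vec, W1: Sequence[Sequence[float]], h_i: Vec, h_j: Vec) -> float:
    """e_ij = alpha^T [W1 h_i || W1 h_j]; list concatenation plays the role of '||'."""
    z = matvec(W1, h_i) + matvec(W1, h_j)
    return sum(a * v for a, v in zip(alpha, z))


def bias_term(stage_i: int, stage_j: int, stage_next_j: Optional[int],
              dangerous_j: bool, c: Sequence[float] = (1.0, 1.0, 1.0)) -> float:
    """Assumed concrete instance of the page's principles (1)-(3); the weights c
    are placeholders for the trainable parameters the page mentions."""
    s = 0.0
    # (1) a consecutive in-order sequence such as 4-5-6 running through node j
    if stage_j == stage_i + 1 and stage_next_j == stage_j + 1:
        s += c[0]
    # (2) a smaller stage hop from i to j scores higher (4->6 beats 4->7)
    s += c[1] / max(1, abs(stage_j - stage_i))
    # (3) an action rated extremely dangerous in ATT&CK scores higher
    if dangerous_j:
        s += c[2]
    return s


def attention_weights(e: Dict[int, float], s: Dict[int, float], hops: Dict[int, int],
                      receptive_field: int, p: float = 1.0) -> Dict[int, float]:
    """a_ij over the neighbours j within the receptive field of node i.
    Assumed normalisation (the page does not reproduce its formula):
    softmax over LeakyReLU(e_ij + p * s_j), p being the trainable weight parameter."""
    logits = {j: leaky_relu(e[j] + p * s[j]) for j in e if hops[j] <= receptive_field}
    m = max(logits.values())
    z = sum(math.exp(v - m) for v in logits.values())
    return {j: math.exp(v - m) / z for j, v in logits.items()}


def update_features(a: Dict[int, float], W2: Sequence[Sequence[float]],
                    H: Dict[int, Vec]) -> Vec:
    """h_i' = sigma(sum_j a_ij W2 h_j), with tanh assumed as the activation sigma."""
    out = [0.0] * len(W2)
    for j, a_ij in a.items():
        for k, v in enumerate(matvec(W2, H[j])):
            out[k] += a_ij * v
    return [math.tanh(v) for v in out]


def bce_loss(y: Sequence[float], p: Sequence[float]) -> float:
    """Binary cross entropy over n nodes: y_i is the true label, p_i the predicted one."""
    eps = 1e-12
    return -sum(yi * math.log(max(pi, eps)) + (1 - yi) * math.log(max(1 - pi, eps))
                for yi, pi in zip(y, p)) / len(y)


def demo() -> Dict[int, float]:
    """Constructed alert graph: node 0 (stage 4) with four neighbours. Identical
    feature vectors make every e_ij equal, so the ordering of the attention
    weights is driven by the bias terms and the receptive field alone."""
    alpha, W1 = [0.5, 0.5, 0.5, 0.5], [[1.0, 0.0], [0.0, 1.0]]
    H = {n: [1.0, 0.0] for n in range(5)}
    # neighbour id -> (kill-chain stage, stage of the node it points to, dangerous, hop distance)
    nbrs = {1: (5, 6, False, 1),    # completes the 4-5-6 sequence, principle (1)
            2: (6, None, False, 1), # hop of two stages, principle (2)
            3: (7, None, False, 2), # hop of three stages
            4: (5, 6, True, 4)}     # outside the receptive field 7 - 4 = 3
    e = {j: attribute_similarity(alpha, W1, H[0], H[j]) for j in nbrs}
    s = {j: bias_term(4, st, nx, dg) for j, (st, nx, dg, _) in nbrs.items()}
    hops = {j: hp for j, (_, _, _, hp) in nbrs.items()}
    return attention_weights(e, s, hops, KILL_CHAIN_LENGTH - 4)
```

Neighbour 4 never receives a weight because its hop distance exceeds the receptive field, which is the page's mechanism for limiting how far a stage-4 alarm looks.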
Preferably, the rules for generating the directed alarm map are as follows:
First, all alarms are located by searching according to the occurrence position and time of each alarm, the nodes unrelated to the alarms are deleted and the alarms are connected directly, which completes the preprocessing of the traceability graph; second, the connected alarms are combined into an alarm graph and the direction of each edge is marked according to the time order, forming the directed alarm graph and completing its generation; one directed alarm graph represents one possible APT attack event.
The specific generation method of the directed alarm graph is as follows:
The nodes in the traceability graph are denoted $n_i$, i.e. the $i$-th node in the traceability graph; the edge between nodes is denoted $e_{ij}$, i.e. the edge between the $i$-th node and the $j$-th node. The $s$-order neighbors of node $n_i$ are denoted $n_i^{(s)}$. At the same time, define: the neighbors of an edge are the other edges connected to the starting node or the ending node of that edge; the $s$-order neighbors of edge $e_{ij}$ are then denoted in the same way. The node set of the traceability graph is denoted $N$, the edge set $E$, and the alarm edge set $E_W$ (its $w$-th element being the $w$-th alarm edge). Then:
The traceability graph preprocessing process can be expressed as:
$$e_{\text{delete}} = e_{mn} \quad (m = d \ \text{or}\ n = d,\ e_{\text{delete}} \in E_{\text{delete}})$$
$$G_{\text{pre-processing}} = G_{\text{init}} - N_{\text{delete}} - E_{\text{delete}}$$
where $G_{\text{pre-processing}}$ represents the preprocessed traceability graph, $G_{\text{init}}$ represents the original traceability graph,
The directed alert graph generation process can be expressed as:
$$e'_{ij} = n'_i \rightarrow n'_j \quad (n'_j = n'^{(1)}_i \ \text{or}\ n'_j = n'^{(2)}_i,\ e'_{ij} \in E')$$
$$G_{\text{warning}} = N' + E'$$
where $G_{\text{warning}}$ represents the generated directed alert graph.
The receptive field of each alert node is calculated and stored as part of the alert node's information. Because each alarm occurs at a different stage, the receptive field of the node is adaptively adjusted according to the position in the kill chain of the ATT_CK tactic corresponding to the alarm (which increases accuracy), and the receptive field is assigned according to a backward search principle, with the formula:
$$\text{Receptive Field} = \text{Length}(\text{Kill Chain}) - \text{Length}(\text{Warning})$$
For example, if an alarm belongs to link 3 of the kill chain (i.e. payload delivery) and the length of the kill chain is 7, the receptive field is 4.
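The preprocessing and directed alert graph construction just described, together with the receptive field formula, as an added example that is not the patent's own code: it turns constructed structured audit records into a provenance graph, drops nodes not touched by any alarm edge (the page's $N_{\text{delete}}$ and $E_{\text{delete}}$), makes each alarm edge a node $n'_i$ of the alert graph, and adds $n'_i \rightarrow n'_j$ when alarm $j$ is a 1st- or 2nd-order edge neighbour of alarm $i$ and occurs later. The sample records, the hypothetical rule matches and the tactic-to-stage mapping are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

KILL_CHAIN_LENGTH = 7  # seven stages of the cyber kill chain, as on the page

# Assumed mapping from the tactic a detection rule matched to a kill-chain stage
# number (the page only states that each alarm carries such a stage).
TACTIC_TO_STAGE = {
    "initial-access": 3,       # payload delivery
    "execution": 4,            # exploitation
    "persistence": 5,          # installation
    "command-and-control": 6,  # command and control
    "exfiltration": 7,         # actions on objectives
}

# One structured audit record: (subject, object, operation, time, matched tactic or None).
Record = Tuple[str, str, str, int, Optional[str]]

# Constructed sample audit log: normal interactions plus three interactions that a
# hypothetical ATT&CK-derived rule flagged as alarms (the alarm edges E_W).
SAMPLE_RECORDS: List[Record] = [
    ("outlook.exe", "doc.docm", "write", 1, "initial-access"),
    ("word.exe", "doc.docm", "read", 2, None),
    ("word.exe", "powershell.exe", "exec", 3, "execution"),
    ("powershell.exe", "run.key", "write", 4, "persistence"),
    ("explorer.exe", "notes.txt", "read", 5, None),  # unrelated to any alarm: pruned
    ("svchost.exe", "dns.cache", "read", 6, None),   # unrelated to any alarm: pruned
]


def receptive_field(stage: int) -> int:
    """Receptive Field = Length(Kill Chain) - Length(Warning), as on the page."""
    return KILL_CHAIN_LENGTH - stage


def build_directed_alert_graph(records: List[Record]) -> Dict:
    """Provenance graph -> preprocessing -> directed alert graph G_warning = N' + E'."""
    # Alarm edges are the records a rule matched; their index w identifies the alarm.
    alarm_ids = [w for w, r in enumerate(records) if r[4] is not None]

    # Preprocessing: N_delete = nodes not incident to any alarm edge; E_delete = edges
    # touching a deleted node. What remains is G_pre-processing.
    kept_nodes: Set[str] = set()
    for w in alarm_ids:
        kept_nodes.update((records[w][0], records[w][1]))
    kept_edges = [w for w, r in enumerate(records) if r[0] in kept_nodes and r[1] in kept_nodes]

    # Edge neighbours: the other edges sharing the start or end node of an edge.
    edges_at: Dict[str, Set[int]] = defaultdict(set)
    for w in kept_edges:
        edges_at[records[w][0]].add(w)
        edges_at[records[w][1]].add(w)

    def neighbours(w: int) -> Set[int]:
        return (edges_at[records[w][0]] | edges_at[records[w][1]]) - {w}

    # Alert graph nodes N': one node per alarm, tagged with its kill-chain stage and
    # the receptive field derived from it.
    nodes = {}
    for w in alarm_ids:
        stage = TACTIC_TO_STAGE[records[w][4]]
        nodes[w] = {"stage": stage, "receptive_field": receptive_field(stage),
                    "time": records[w][3]}

    # Alert graph edges E': n'_i -> n'_j when alarm j is a 1st- or 2nd-order neighbour
    # of alarm i in the preprocessed graph, directed from the earlier to the later alarm.
    edges: List[Tuple[int, int]] = []
    for i in alarm_ids:
        first = neighbours(i)
        second = set().union(*(neighbours(x) for x in first)) - first - {i}
        for j in sorted(first | second):
            if j in nodes and records[i][3] < records[j][3]:
                edges.append((i, j))
    return {"kept_nodes": kept_nodes, "nodes": nodes, "edges": edges}
```

On the sample log the three alarms form the chain 0 -> 2 -> 3 (stages 3, 4, 5), and the two unrelated processes disappear from the stored graph, which is the storage saving the page claims.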
In another aspect, as shown in FIG. 2, the invention provides a real threat alert method based on ATT_CK and a directed alert graph, comprising the following steps:
S101: parsing the system log to generate a system traceability graph;
S102: formulating and setting system alarm rules according to the ATT_CK attack tactics knowledge base, identifying threat events and marking them in the system traceability graph;
S103: preprocessing the system traceability graph and deleting the nodes not directly related to an alarm;
S104: further reducing the system traceability graph to obtain a directed alarm graph;
S105: assigning a kill chain sequence number and a receptive field size to the nodes of the directed alarm graph;
S106: training a GAT model;
S107: obtaining the node embeddings in a new directed alarm graph using the trained GAT model;
S108: classifying the nodes using the trained GAT model;
S109: feeding back the result of the classification prediction, namely the alarm nodes classified as real alarms, to the relevant operators.
As shown in FIG. 3, a specific embodiment of the real threat alert method based on ATT_CK and a directed alert graph assumes by default that the audit records extracted from the host are structured data and can be converted directly into a system traceability graph using existing tools. The attack detection rules based on the ATT_CK knowledge base have already been extracted. The GAT model has been trained, and the embeddings of kill chains of different lengths predicted by the GAT model have been obtained. The specific flow of the invention applied in this case is as follows:
1) extracting structured audit records from the host;
2) converting the audit records into a system traceability graph and marking part of the system interactions as alarms using the existing attack detection rules, with the alarm interactions drawn as thick arrows and normal interactions as thin arrows;
3) preprocessing the system traceability graph, deleting the nodes unrelated to alarms, and marking each alarm with the sequence number of the corresponding tactic in the kill chain;
4) connecting the connected alarms to generate a directed alarm graph;
5) predicting the categories of the nodes in the directed alarm graph using the trained GAT;
6) feeding back the alarm nodes classified as real alarms to the relevant operators for subsequent processing.
The output real alarm corresponds to an alarm graph composed of multiple alarm nodes rather than a single alarm node. Similarly, the objects compared by the similarity comparison module are the embeddings of the alarm graph and of the kill chain.
The invention can handle the large number of false alarms produced by existing methods: in existing threat alert methods, computer activity is continuously monitored and threat detection rules set according to the TTP knowledge base are matched against it, which produces a large number of false alarms. The invention first preprocesses the large number of alarms emitted by the existing method, captures alarm sequences, embeds and represents the alarm nodes based on the 7 attack stages of the cyberspace kill chain (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives), predicts the real alarms and reports them to the relevant operators, thereby greatly reducing the number of false alarms of the system.
The invention also improves the prediction accuracy of real alarms. Existing methods rely on manual analysis of alarm data to obtain real alarms, which consumes huge labor cost and has low accuracy. The invention analyzes the alarm data with a graph attention neural network, obtains more accurate graph embeddings through a carefully designed weight distribution scheme and an adaptive node receptive field, and obtains the real alarms from these embeddings. The analysis process needs no manual participation, and the prediction accuracy of real alarms is improved.
The invention also reduces the amount of data that must be stored for long-term threat analysis. Existing methods must retain long-term audit records for continuous APT attack detection, which brings huge data storage cost. The invention extracts the alarm data, combines it into a directed alarm graph for storage and analysis, and does not need to keep a large number of original audit records for a long time, which greatly reduces the storage cost of threat analysis.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the scope of the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (9)

1. A real threat alert system based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph, characterized by comprising a log processing module, an alarm generation module, an alarm processing module and a real alarm generation module, wherein the log processing module is connected to the alarm generation module, the alarm generation module is connected to the alarm processing module, and the alarm processing module is connected to the real alarm generation module;
the log processing module is used for analyzing the system log and generating a system traceability graph;
the alarm generation module is used for formulating and setting system alarm rules according to the ATT_CK attack tactics and techniques knowledge base and identifying threat events;
the alarm processing module is used for marking alarms in the system traceability graph; preprocessing the system traceability graph and deleting nodes not directly related to an alarm; reducing the system traceability graph to obtain a directed alarm graph; marking a kill chain sequence number and a receptive field size for each node of the directed alarm graph, and training a graph attention neural network (GAT) model; and obtaining node embeddings in a new directed alarm graph with the trained model and classifying the nodes with it;
the real alarm generation module is used for feeding back alarm nodes whose predicted category is real alarm to the relevant operators.
2. The real threat alert system based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph according to claim 1, wherein the log processing module comprises an audit record acquisition module and a traceability graph generation module; the audit record acquisition module is used for acquiring audit records in the system and converting the unstructured audit records among them into structured data; the traceability graph generation module is used for extracting system interactions and the interacting entities from the audit records, taking the entities of the interacting parties as graph nodes and the interactions as graph edges, and assembling them into a system traceability graph that reflects the system's information.
3. The real threat alert system based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph according to claim 1, wherein the alarm generation module comprises an ATT_CK library maintenance module, a threat detection rule generation module, a threat detection rule library and a threat rule matching module; the ATT_CK library maintenance module is configured to store and update the ATT_CK knowledge base; the threat detection rule generation module is used for extracting information from the ATT_CK knowledge base to obtain detection rules corresponding to attack patterns, and supports both automatic rule extraction and manually set threat detection rules; the threat detection rule library is used for storing and maintaining the attack detection rules; the threat rule matching module is used for searching the system traceability graph according to the attack detection rules and obtaining the system interactions that match a threat detection rule.
4. The real threat alert system based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph according to claim 1, wherein the alarm processing module comprises a threat alarm acquisition module, a directed alarm graph generation module, a directed alarm graph storage module and a GAT training module; the threat alarm acquisition module is used for acquiring all matched threat alarms and labeling the threat interactions in the traceability graph; the directed alarm graph generation module generates the directed alarm graph from the traceability graph and the alarm positions; the directed alarm graph storage module is used for storing the generated directed alarm graph, and since system alarms keep being raised as system interactions keep occurring, the stored directed alarm graph keeps growing and serves as a data source for forensic analysis of system behavior; the GAT training module is used for training the GAT model.
5. The real threat alert system based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph according to claim 1, wherein the real alarm generation module comprises a node type prediction module and a real threat alarm module; the node type prediction module is used for obtaining, whenever the system interactions are updated, the embedding of each alarm node in the updated directed alarm graph with the trained GAT model and predicting the category of each node; the real threat alarm module is used for outputting the alarm nodes whose predicted category is real to the relevant operators as real threat alarms.
6. The real threat alert system based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph of claim 4, wherein the GAT training module first calculates the attribute similarity $e_{ij}$ of node i and node j:
$$e_{ij} = \alpha^{T}\left(\left[W_1 h_i \,\|\, W_1 h_j\right]\right)$$
where $W_1$ is a trainable transformation matrix, $h_i$ is the attribute vector of node i, $h_j$ is the attribute vector of node j, $\alpha$ is the shared trainable attention vector, and $T$ denotes the transpose; the concatenated high-dimensional features of nodes i and j are thereby mapped onto the real number $e_{ij}$.
7. The real threat alert system based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph of claim 5, wherein the rules for generating the directed alarm graph are as follows:
all alarms are found by searching according to the position and time at which each alarm occurred, nodes irrelevant to the alarms are deleted and the alarms are connected directly, which completes the preprocessing of the traceability graph; the connected alarms are combined into an alarm graph and each edge is given a direction according to the time order, which forms the directed alarm graph and completes its generation; each directed alarm graph represents one possible APT attack event.
8. A real threat alert method based on the public network threat-oriented knowledge base ATT_CK and the directed alert graph, characterized by comprising the following steps:
S101: analyzing the system log through the log processing module to generate a system traceability graph;
S102: formulating and setting system alarm rules according to the ATT_CK attack tactics and techniques knowledge base through the alarm generation module, and identifying threat events;
S103: marking alarms in the system traceability graph through the alarm processing module; preprocessing the system traceability graph and deleting nodes not directly related to an alarm; reducing the system traceability graph to obtain a directed alarm graph; marking a kill chain sequence number and a receptive field size for the nodes of the directed alarm graph and training a GAT model; obtaining node embeddings in a new directed alarm graph with the trained model and classifying the nodes with it;
S104: feeding back, through the real alarm generation module, the alarm nodes whose predicted category is real alarm to the relevant operators.
9. A computer-readable storage medium, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the real threat alert method based on ATT_CK and the directed alert graph as recited in claim 8 when executing the computer program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311015511.6A CN117081798A (en) 2023-08-11 2023-08-11 Real threat alert system, method and computer readable storage medium based on ATT_CK and directed alert graph


Publications (1)

Publication Number Publication Date
CN117081798A true CN117081798A (en) 2023-11-17

Family

ID=88714561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311015511.6A Pending CN117081798A (en) 2023-08-11 2023-08-11 Real threat alert system, method and computer readable storage medium based on ATT_CK and directed alert graph

Country Status (1)

Country Link
CN (1) CN117081798A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117544421A (en) * 2024-01-08 2024-02-09 Guangzhou University Network threat detection method, device, medium and electronic equipment
CN117544421B (en) * 2024-01-08 2024-03-26 Guangzhou University Network threat detection method, device, medium and electronic equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination