CN117240572A - Intention prediction method, device and medium based on network threat knowledge graph - Google Patents
- Publication number: CN117240572A (application CN202311283687.XA)
- Authority: CN (China)
- Prior art keywords: attack, intention, event, knowledge graph, graph
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention provides an intention prediction method, device, equipment and medium based on a network threat knowledge graph, wherein the method comprises the steps of collecting heterogeneous information related to attack activities in an attack event based on an ATT & CK framework knowledge ontology, and constructing the network threat knowledge graph ontology; extracting a specific event in a preset time range in the network threat knowledge graph, de-duplicating the specific event, and extracting the main body intention of an attack main body in the specific event; based on the body structure of the network threat knowledge graph, generating a sequence consisting of event, key and value by the main intention, and constructing a corresponding feature vector; calculating a feature vector of the main body intention of the attack main body by utilizing the heterogeneous graph neural network coding, obtaining a heterogeneous graph aggregation calculation result, and generating an intention ordering vector; according to the intention ordering vector, the attack direction of the next stage is predicted, and the problem of link tracing, attack intention and attack direction prediction of an attacker is solved.
Description
Technical Field
The invention relates to the technical field of network threats, in particular to an intention prediction method, device, equipment and medium based on a network threat knowledge graph.
Background
Since Google introduced knowledge-based search engine services, the data-graph system has become a brand new infrastructure of information systems. Driven by the linked data concept, the knowledge graph can extract high-quality knowledge with structural properties and high relevance from a large amount of unstructured and unconnected coarse data.
The large-scale popularization of the Internet is greatly convenient for people to live, however, the network threat problem accompanying the Internet is also more serious. An attacker in the network can utilize the loopholes existing in the target network to launch a series of ordered attack behaviors, and finally the attack targets are realized. The threat knowledge graph is taken as a special knowledge graph in the threat field, is a key for realizing the cognitive intelligence of the network threat, and is also a technical basis for coping with advanced, continuous and complex threats and risks of the network space, so that the application of the threat knowledge graph is more and more extensive and is focused and valued by people.
In terms of construction methods: methods of constructing the network knowledge graph include rule-based methods, machine learning-based methods, and hybrid methods. Current research focuses on how to automatically construct a network threat knowledge graph using these methods, and on improving the efficiency and accuracy of the construction. In terms of knowledge representation: the knowledge representation of the network threat knowledge graph includes entities, relationships, and attributes. Current research focuses mainly on how to select an appropriate knowledge representation and how to map threat intelligence data into a knowledge graph. In terms of application scenarios: the network threat knowledge graph can be applied to the fields of threat information sharing, attack detection and response, threat vulnerability management and the like. Current research mainly focuses on how to apply the network threat knowledge graph to actual scenes and improve its practicability and benefit. Beyond how to construct a network threat knowledge graph, the problems of tracing an attacker's attack link and knowing the attacker's attack intention and attack direction have not been deeply studied.
Disclosure of Invention
In order to overcome the problems in the related art, the present disclosure provides an intention prediction method, device, equipment and medium based on a network threat knowledge graph, so as to solve the technical problems of strong timeliness required by event analysis and behavior prediction in the threat field in the related art, and the problems of large object hiding performance, difficult discovery, uncertain behavior and the like, which cause difficult description of object intention and the like.
In a first aspect, one or more embodiments of the present disclosure provide a method for predicting intent based on a network threat knowledge graph, including the steps of:
step S1: based on an ATT & CK framework knowledge body, acquiring information related to attack activities in the occurred attack event, and constructing a network threat knowledge graph body;
step S2: extracting a specific event in a preset time range from the network threat knowledge graph, de-duplicating the specific event, and extracting main body intention characteristics of an attack main body in the specific event;
step S3: generating a sequence consisting of event, key and value according to the main intention characteristics based on the network threat knowledge graph body, and constructing a characteristic vector for each sequence, wherein the event is an event main ID, the key is an attack main ID, and the value is a characteristic list corresponding to the attack main intention;
step S4: calculating a feature vector corresponding to the attack subject by utilizing heterogeneous graph neural network coding to obtain a heterogeneous graph aggregation calculation result, and generating an intention ordering vector from the heterogeneous graph aggregation calculation result;
step S5: and predicting the attack direction of the next stage according to the intention ordering vector.
Further, in step S2, extracting the specific events within the preset time range from the network threat knowledge graph is implemented by the following formula:
E′ = {e | e ∈ E and start_date ≤ d(e) ≤ end_date};
where E is the set of events contained in the knowledge graph, each event e has a corresponding occurrence date d(e), and E′ represents the set of specific events within the preset time range.
Further, in step S2, de-duplicating the specific events includes setting a metric function sim(e1, e2) that returns the similarity between the specific events e1 and e2; the de-duplication is implemented by the following formula:
where E″ represents the resulting set of specific events for the attack subject, and thres represents a preset threshold.
Further, in step S2, feature extraction is performed on the attack subject in the specific events, including extracting the main intentions and semantic features within the same specific event set of the attack subject, and setting a function f(a) that returns the feature list of attack subject a, expressed as:
F = {e : {a : f(a) | a ∈ A(e)} | e ∈ E″}
where F represents a dictionary of all attack subjects and their features in the specific event set.
Further, in step S4, the feature vector is calculated through heterogeneous graph neural network coding, a corresponding graph structure is generated, the graph structure is coded to include node features, edge features and hidden states of the relationships between nodes and edges, and aggregation functions including summation, average and maximum are adopted to aggregate the hidden states, so that the aggregation of the hidden states of all nodes is obtained;
obtaining an intention ordering vector according to aggregation of the hidden states through a softmax function;
and predicting the attack direction of the next stage according to the intent sequence vector by using an argmax function.
In a second aspect, the present invention provides an intention prediction apparatus based on a network threat knowledge graph, including:
the network threat knowledge graph construction module is used for acquiring heterogeneous information related to attack activities in the occurred attack event based on the ATT & CK framework knowledge graph body and constructing the network threat knowledge graph body;
the main body intention extracting module is used for extracting specific events in a preset time range in the network threat knowledge graph, de-duplicating the specific events and extracting main body intention characteristics of an attack main body in the specific events;
the feature vector construction module is used for generating sequences consisting of event, key and value according to the main intention features based on the network threat knowledge graph body, and constructing feature vectors for each sequence; the event is an event main body ID, the key is an attack main body ID, and the value is a feature list corresponding to the intention of the attack main body;
the intention ordering module is used for calculating the feature vector corresponding to the attack subject by utilizing the heterogeneous graph neural network coding to obtain a heterogeneous graph aggregation calculation result, and generating an intention ordering vector from the heterogeneous graph aggregation calculation result;
and the prediction module is used for predicting the attack direction of the next stage according to the intention ordering vector.
Further, the main body intention extraction module is configured to extract the specific events within a preset time range from the network threat knowledge graph, specifically implementing the following formula:
E′ = {e | e ∈ E and start_date ≤ d(e) ≤ end_date};
where E is the set of events contained in the knowledge graph, each event e has a corresponding occurrence date d(e), and E′ represents the set of specific events within the preset time range.
Further, the de-duplication of the specific events in the main body intention extraction module is specifically as follows:
a metric function sim(e1, e2) is set that returns the similarity of the specific events e1 and e2, and the de-duplication of the specific events is achieved by the following formula:
where E″ represents the resulting set of specific events for the attack subject, and thres represents a preset threshold.
In a third aspect, the present invention provides a computer device comprising: the system comprises a memory and a processor, wherein the memory is used for storing one or more computer instructions, and the intention prediction method based on the network threat knowledge graph is realized when the one or more computer instructions are executed by the processor.
In a fourth aspect, the present invention provides a storage medium comprising: a readable storage medium and a computer program for implementing the above-described intention prediction method based on a network threat knowledge graph.
The invention discloses an intention prediction method, a device, equipment and a medium based on a network threat knowledge graph, which are used for acquiring heterogeneous information related to attack activities in an attack event based on an ATT & CK framework knowledge ontology, constructing the network threat knowledge graph ontology, analyzing and matching each stage of a network attack life cycle model aiming at the event of the same target asset by analyzing a plurality of security events in a certain period, and generating an attack chain aiming at the attack event; extracting a specific event with a preset time range from the network threat knowledge graph, de-duplicating the specific event, and extracting characteristics of an attack subject in the specific event, thereby overcoming the problems of high threat subject hiding performance, limited observable state resources and the like in a complex network security event and providing accurate data support for target intention depiction; generating event-key-value sequences based on the network threat knowledge graph body, constructing a feature vector for each sequence, and obtaining an intention sequence of a threat subject through association calculation; and coding the feature vector corresponding to the attack subject by using the graph neural network to obtain a heterogeneous graph aggregation calculation result, generating an intention ordering vector, associating the attack chain with the knowledge of the network threat knowledge graph to obtain attack scene information, and ordering the intention of the coded attack subject based on the graph neural network so as to predict the attack intention of the threat subject.
Drawings
For a clearer description of one or more embodiments of the present description or of the solutions of the prior art, the drawings that are necessary for the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description that follow are only some of the embodiments described in the description, from which, for a person skilled in the art, other drawings can be obtained without inventive faculty.
FIG. 1 is a flow diagram of a method for intent prediction based on network threat knowledge-graph provided in one or more embodiments of the present disclosure;
FIG. 2 is a schematic diagram of attack target intent encoding and prediction of an intent prediction method based on network threat knowledge graph according to one or more embodiments of the present disclosure;
FIG. 3 is a schematic diagram of intent prediction of an attack organization APT28 according to one or more embodiments of the present disclosure;
FIG. 4 is a schematic structural diagram of an intent prediction device based on a network threat knowledge graph according to one or more embodiments of the present disclosure;
fig. 5 is a schematic structural diagram of a computer according to one or more embodiments of the present disclosure.
Detailed Description
In order to enable a person skilled in the art to better understand the technical solutions in one or more embodiments of the present specification, the technical solutions in one or more embodiments of the present specification will be clearly and completely described below with reference to the drawings in one or more embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one or more embodiments of the present disclosure without inventive faculty, are intended to be within the scope of the present disclosure.
The invention is described in detail below with reference to the detailed description and the accompanying drawings.
Method embodiment
According to an embodiment of the present invention, as shown in fig. 1, a method for predicting intent based on a network threat knowledge graph is provided, which is a flowchart of the method for predicting intent based on a network threat knowledge graph according to one or more embodiments of the present disclosure, and includes the following steps:
step S1: based on an ATT & CK framework knowledge body, acquiring information related to attack activities in the occurred attack event, and constructing a network threat knowledge graph body;
step S2: extracting a specific event in a preset time range from the network threat knowledge graph, de-duplicating the specific event, and extracting the main body intention of an attack main body in the specific event;
step S3: based on the network threat knowledge graph body, generating sequences formed by event, key and value by the main intention, and constructing a feature vector for each sequence; the event is an event main body ID, the key is an attack main body ID, and the value is a feature list corresponding to the intention of the attack main body;
step S4: calculating the feature vector of the main body intention of the attack main body by utilizing the heterogeneous graph neural network coding to obtain a heterogeneous graph aggregation calculation result, and generating an intention ordering vector from the heterogeneous graph aggregation calculation result;
step S5: and predicting the attack direction of the next stage according to the intention ordering vector.
In the embodiment of the invention, the network threat knowledge graph is constructed through the attack scene and the attack direction, the accurate data support is provided for the target intention depiction, the attack chain of the attack event is generated, the attack chain is associated with the knowledge of the network threat knowledge graph, the attack scene information is obtained, and the intention ordering of the coding attack main body based on the graph neural network is used for predicting the intention of the threat main body.
Fig. 2 is a schematic diagram of attack target intent coding and prediction provided in the present embodiment.
In step S1 of the present embodiment, knowledge bodies and information of different patterns in an attack event are collected, and an attack scene and an attack direction in the attack event are constructed according to the essence of an attack technique, so as to construct a network threat knowledge graph.
Specifically, knowledge and information in a large number of heterogeneous data sources in an attack event are fully mined based on ATT & CK framework knowledge by utilizing information which is summarized into the knowledge graph, an attack scene and a target trend in the attack event are built according to the essence of an attack technology, network threat knowledge graph data are modeled, high-level progressive knowledge centering on an attack organization is generated, and accurate data support is provided for upper-layer application of the knowledge graph.
In step S2 of this embodiment, the specific events within the preset time range in the network threat knowledge graph are extracted; specifically, the contextual semantics of the related events within the specific period are extracted from the network threat knowledge graph, duplicates are removed at event granularity, and the extracted main intention of the attack subject and its semantic features are cached in the form of event-key-value, where event is an event subject ID, key is an attack subject ID, and value is the feature list corresponding to the intention of the attack subject.
In this embodiment, a specific event is selected from the knowledge graph according to a time range. Let E denote the series of events contained in the knowledge graph, where each event e has a corresponding occurrence date d(e); the step of extracting the specific events may be expressed as:
E′ = {e | e ∈ E and start_date ≤ d(e) ≤ end_date};
where E′ represents the set of specific events for the preset time range.
In step S2 of the present embodiment, the specific events are de-duplicated, where the de-duplication process determines whether two events are the same event according to Jaccard similarity, including setting a metric function sim(e1, e2) that returns the similarity of the specific events e1 and e2; the de-duplication of the specific events can be expressed as:
where E″ represents the resulting set of specific events for the attack subject, and thres represents a preset threshold.
In step S2 of this embodiment, feature extraction is performed on the attack subject in the specific events, where feature extraction means extracting the main intention and semantic features of the attack subject in the event, including extracting the main intention and semantic features within the same specific event set of the attack subject; a function f(a) is set that returns the feature list of attack subject a, and feature extraction over the specific events can be expressed as:
F = {e : {a : f(a) | a ∈ A(e)} | e ∈ E″};
where F represents a dictionary of all attack subjects and their features in the specific event set.
In step S3 of the present invention, the ontology structure of the cyber-threat knowledge graph is provided with i concept entity classes, and the ontology structure is expressed as a vector O:
O = [O₁, O₂, ..., Oᵢ];
where Oᵢ is the i-th conceptual entity class.
In one embodiment, each sequence S is a tuple consisting of event, key and value, expressed as S = (event, key, value), and a feature vector V is constructed for each sequence S. The length of the feature vector V equals the length of the ontology structure, and each dimension corresponds to one conceptual entity class of the graph ontology. If a conceptual entity class appears in the sequence S, the corresponding position of the feature vector V is 1, otherwise 0. For example, in one specific embodiment, 11 concept entity classes are set in the ontology structure of the network threat knowledge graph, and 4 classes appear in the event-key-value sequence of one attack event, so the feature vector may be as follows: [1,1,1,0,0,1,0,0,0,0,0].
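The following is an added example, not code from the patent, showing steps S2 and S3 end to end as they are described here (and restated in the first aspect and the device embodiment): the time-range filter E′, Jaccard-similarity de-duplication against a threshold thres, the feature dictionary F = {e : {a : f(a)}}, and the one-hot feature vector V over the ontology classes O. The ontology class names, the events, the subject feature lists and the threshold value are all constructed for illustration; sim(e1, e2) is taken to be the Jaccard similarity of each event's token set (subjects plus feature terms), which is one reasonable reading of the text, not the patent's stated definition.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed ontology O = [O_1, ..., O_i]: eleven concept entity classes, matching the
# count in the worked example above. The class names are placeholders, not the patent's.
ONTOLOGY = ["AttackOrganization", "Campaign", "Malware", "Tool", "Technique",
            "Tactic", "Vulnerability", "Asset", "Indicator", "Infrastructure", "Victim"]


@dataclass
class Event:
    event_id: str                    # "event": the event subject ID
    occurred: date                   # d(e): occurrence date
    subjects: Set[str]               # A(e): attack subjects appearing in the event
    features: Dict[str, List[str]]   # f(a) per subject; each term is "OntologyClass:value"


def filter_by_range(events: List[Event], start_date: date, end_date: date) -> List[Event]:
    """E' = {e | e in E and start_date <= d(e) <= end_date}"""
    return [e for e in events if start_date <= e.occurred <= end_date]


def event_tokens(e: Event) -> Set[str]:
    """Token set used by sim(e1, e2): the subjects plus every feature term (an assumption)."""
    toks = set(e.subjects)
    for flist in e.features.values():
        toks.update(flist)
    return toks


def sim(e1: Event, e2: Event) -> float:
    """Jaccard similarity of the two events' token sets."""
    a, b = event_tokens(e1), event_tokens(e2)
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def deduplicate(events: List[Event], thres: float = 0.8) -> List[Event]:
    """E'': keep an event only if it is below the threshold against every event already kept."""
    kept: List[Event] = []
    for e in events:
        if all(sim(e, k) < thres for k in kept):
            kept.append(e)
    return kept


def extract_features(events: List[Event]) -> Dict[str, Dict[str, List[str]]]:
    """F = {e : {a : f(a) | a in A(e)} | e in E''}"""
    return {e.event_id: {a: list(e.features.get(a, [])) for a in sorted(e.subjects)}
            for e in events}


def feature_vector(feature_list: List[str], ontology: List[str] = ONTOLOGY) -> List[int]:
    """V: 1 where an ontology class appears in the sequence's feature list, else 0."""
    classes = {term.split(":", 1)[0] for term in feature_list}
    return [1 if c in classes else 0 for c in ontology]


def build_sequences(F: Dict[str, Dict[str, List[str]]]):
    """(event, key, value) tuples paired with their feature vectors."""
    return [((event_id, subject, flist), feature_vector(flist))
            for event_id, per_subject in F.items()
            for subject, flist in per_subject.items()]


# Constructed sample events: e1 and e2 are near-duplicates of the same activity,
# e3 is unrelated, e4 falls outside the analysis window.
APT28_FEATURES = ["AttackOrganization:APT28", "Campaign:constructed-campaign-1",
                  "Malware:constructed-loader", "Tactic:Execution"]
SAMPLE_EVENTS = [
    Event("e1", date(2023, 3, 1), {"APT28"}, {"APT28": APT28_FEATURES}),
    Event("e2", date(2023, 3, 2), {"APT28"}, {"APT28": APT28_FEATURES + ["Indicator:constructed-hash"]}),
    Event("e3", date(2023, 6, 15), {"constructed-actor-B"},
          {"constructed-actor-B": ["Tool:constructed-scanner", "Vulnerability:constructed-weakness"]}),
    Event("e4", date(2022, 12, 31), {"APT28"}, {"APT28": APT28_FEATURES}),
]


def run_pipeline(events=SAMPLE_EVENTS, start=date(2023, 1, 1), end=date(2023, 12, 31), thres=0.8):
    """Steps S2 and S3 over the sample: filter -> de-duplicate -> F -> sequences with vectors."""
    e_prime = filter_by_range(events, start, end)
    e_double = deduplicate(e_prime, thres)
    F = extract_features(e_double)
    return {"E_prime": [e.event_id for e in e_prime],
            "E_double": [e.event_id for e in e_double],
            "F": F,
            "sequences": build_sequences(F)}


if __name__ == "__main__":
    for seq, vec in run_pipeline()["sequences"]:
        print(seq[0], seq[1], vec)
```

With the constructed data, e1 and e2 share five of six tokens (Jaccard 0.83, above thres), so only e1 survives, and the APT28 sequence yields exactly the vector [1,1,1,0,0,1,0,0,0,0,0] used in the example above, because its features touch the AttackOrganization, Campaign, Malware and Tactic classes at positions 0, 1, 2 and 5.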
In step S4 of the present embodiment, the feature vector is calculated through heterogeneous graph neural network encoding, a corresponding graph structure is generated, the graph structure is encoded to include node features, edge features and the hidden states of the relationships between nodes and edges, and aggregation functions including summation, average and maximum are adopted to aggregate the hidden states, so as to obtain the aggregation of the hidden states of all nodes;
obtaining an intention ordering vector according to aggregation of the hidden states through a softmax function;
and predicting the attack direction of the next stage according to the intent sequence vector by using an argmax function.
Specifically, the feature vector corresponding to the attack subject is encoded by using a heterogeneous graph neural network, where the heterogeneous graph neural network is defined as follows: let G be the input graph, V the node set in the graph and E the edge set in the graph; in the graph neural network, the hidden state of node i at step t can be expressed as:
where Xᵢ represents the features of node i and Eᵢⱼ represents the features of the edge between node i and node j.
Preferably, the heterogeneous graph neural network may include R-GCN, HAN or GAT.
And S3, obtaining an abstract representation which reflects the information of the whole graph, wherein the information comprises the type of the node, the type of the edge, the characteristics of the node, the characteristics of the edge and the relation between the node and the edge, and the obtained abstract heterogeneous graph aggregate calculation result can break through the information loss caused by single dependency information.
In step S4 of the present embodiment, the heterogeneous graph aggregation calculation result is expressed as the aggregation of the final hidden states of all nodes, where AGG is an aggregation function including summation, averaging and maximum.
Step S4 outputs a ranking vector reflecting the priorities of the different graphs, and step S5 generates an intention ordering vector P reflecting the priorities of the different intentions from the output G′ of the graph neural network:
P = softmax(W_p G′ + b_p);
where W_p and b_p are learned parameters, and softmax is a function that converts a real vector into a probability distribution, as shown in fig. 2.
In one embodiment of the present invention, the attack direction of the next stage is predicted according to the intention order vector P in step S5:
next_attack=argmax(P);
wherein argmax represents the aggregate set of attack directions.
The invention is illustrated below by way of specific examples;
Referring to fig. 3, fig. 3 is a schematic diagram of the intent prediction of the attack organization APT28 provided in this embodiment. In the process of an APT attack, the attack target is first determined (target reconnaissance): the APT organization probes the target before the attack and acquires information about the target system in order to find potential vulnerabilities or weaknesses. Next, the APT organization begins weaponization, creating a specialized attack payload for delivery to the target system. Exploitation may rely on known vulnerabilities, such as buffer overflow techniques. The APT organization delivers the payload to the target system through a specific delivery means (delivery); this may involve the use of malicious IP addresses (malicious IP features) for malware distribution or the use of remote control servers (remote servers, Sofacy) or the like. Once the payload has been delivered to the target system, the malware begins executing (task execution), and malware activity such as process injection (Process Injection), registry run keys and startup folder items, and startup file deletion (Registry Run Keys/Startup Folder, File Deletion) may occur. Based on the information provided, this APT attack is associated with APT28 with a correlation probability of 90%. APT28 is a known APT organization, also known as Sofacy, which uses remote servers to deliver malware. The attack target may be a suspected compromise (suspected compromise), which requires further investigation and attack tracing. Finally, the sample is analyzed for static and dynamic features (sample static features and sample dynamic features), the attack mode (attack mode) is inferred through semantic reasoning (semantic reasoning), and the type of the malware, such as Trojan or backdoor, is determined. At the same time, correlation analysis with APT organizations is also required to confirm whether it is related to APT28 (Sofacy).
Combining the above information, we first construct a network threat knowledge graph from the information related to the attack activities in the attack event, then extract the specific events within the preset time range from the network threat knowledge graph, de-duplicate the specific events, perform feature extraction on the attack subject in the specific events, generate event-subject-intention sequences, construct a feature vector for each sequence, encode the feature vector corresponding to the attack subject with the heterogeneous graph neural network, obtain the heterogeneous graph aggregation calculation result, and generate the intention ordering vector; from this we infer that the attack may involve the techniques of process injection, registry run keys, startup file deletion and the like, then infer from the static features, dynamic features and semantic reasoning of the sample that the attack mode is Trojan and backdoor, and further calculate a 90% probability of correlation between the attack and APT28 (Sofacy).
The invention provides an attack target intention coding and predicting method for a large-scale complex heterogeneous network threat knowledge graph, which relies on a unified knowledge migration system and a multi-channel and multi-layer semantic analysis mechanism, fully considers the uncertain behavior of a target, reserves the possibility of switching between different states and the uncertainty of final decision, and overcomes the bottleneck problems of high threat main body hiding performance, limited observable state resources, difficult target intention depiction and the like in a complex network threat event.
Device embodiment
According to an embodiment of the present invention, an intention prediction device based on a network threat knowledge graph is provided; its schematic structural diagram is shown in fig. 4. The device includes:
the network threat knowledge graph construction module 41, configured to collect heterogeneous information related to attack activities in attack events that have occurred, based on the ATT&CK framework knowledge graph ontology, and to construct a network threat knowledge graph ontology;
the subject intention extraction module 42, configured to extract the specific events within a preset time range from the network threat knowledge graph, de-duplicate them, and extract the subject intention of the attack subject in each specific event;
the feature vector construction module 43, configured to generate, from the subject intentions and based on the network threat knowledge graph ontology, sequences composed of event, key and value, and to construct a feature vector for each sequence; the event is the event subject ID, the key is the attack subject ID, and the value is the feature list corresponding to the intention of the attack subject;
the intention ordering module 44, configured to encode the feature vector of the attack subject's intention with a heterogeneous graph neural network to obtain a heterogeneous graph aggregation result, and to generate an intention ordering vector from that result;
and the prediction module 45, used to predict the attack direction of the next stage from the intention ordering vector.
In one embodiment, the subject intention extraction module 42 is configured to extract the specific events within a preset time range from the network threat knowledge graph. Specifically, the events in the knowledge graph are represented by the set E, where each event e has an occurrence date d(e), and the specific events are extracted as:
E' = {e | e ∈ E and start_date ≤ d(e) ≤ end_date};
wherein E' represents the set of specific events within the preset time range.
In one embodiment, the de-duplication of the specific events in the subject intention extraction module 42 is specifically:
a metric function sim(e1, e2) is set that returns the similarity of the specific events e1 and e2, and event de-duplication is implemented by the following formula:
wherein E″ represents the resulting set of specific events of the same attack subject, and thres represents a preset threshold.
As shown in fig. 5, the present invention further provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the intention prediction method based on a network threat knowledge graph of the above embodiment; that is, the computer program, when executed by the processor, implements the following method steps:
step S1: based on the ATT&CK framework knowledge ontology, collecting information related to attack activities in attack events that have occurred, and constructing a network threat knowledge graph ontology;
step S2: extracting the specific events within a preset time range from the network threat knowledge graph, de-duplicating them, and extracting the subject intention features of the attack subject in each specific event;
step S3: based on the network threat knowledge graph ontology, generating from the subject intention features sequences consisting of event, key and value, and constructing a feature vector for each sequence; the event is the event subject ID, the key is the attack subject ID, and the value is the feature list corresponding to the intention of the attack subject;
step S4: encoding the feature vector of the attack subject's intention with the heterogeneous graph neural network to obtain a heterogeneous graph aggregation result, and generating an intention ordering vector from that result;
step S5: predicting the attack direction of the next stage from the intention ordering vector.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments refer to one another, and each embodiment mainly describes its differences from the others. In particular, since the apparatus and system embodiments are substantially similar to the method embodiments, their description is relatively brief and refers in part to the description of the method embodiments. The apparatus and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue effort.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may be modified, or some or all of their technical features replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention, and details not specifically described in this specification will be apparent to those skilled in the art within the scope of the present invention.
Claims (10)
1. An intention prediction method based on a network threat knowledge graph, characterized by comprising the following steps:
step S1: based on the ATT&CK framework knowledge ontology, collecting heterogeneous information related to attack activities in attack events that have occurred, and constructing a network threat knowledge graph ontology;
step S2: extracting the specific events within a preset time range from the network threat knowledge graph, de-duplicating them, and extracting the subject intention features of the attack subject in each specific event;
step S3: based on the network threat knowledge graph ontology, generating from the subject intention features sequences consisting of event, key and value, and constructing a feature vector for each sequence, wherein the event is the event subject ID, the key is the attack subject ID, and the value is the feature list corresponding to the intention of the attack subject;
step S4: encoding the feature vector corresponding to the attack subject with a heterogeneous graph neural network to obtain a heterogeneous graph aggregation result, and generating an intention ordering vector from that result;
step S5: predicting the attack direction of the next stage from the intention ordering vector.
2. The method for predicting intention based on a network threat knowledge graph according to claim 1, wherein in step S2 the extraction of the specific events within the preset time range from the network threat knowledge graph is implemented by the following formula:
E' = {e | e ∈ E and start_date ≤ d(e) ≤ end_date};
wherein E is the set of events contained in the knowledge graph, each event e has an occurrence date d(e), and E' represents the set of specific events within the preset time range.
3. The method for predicting intention based on a network threat knowledge graph according to claim 2, wherein the de-duplication of the specific events in step S2 specifically comprises:
setting a metric function sim(e1, e2) that returns the similarity of the specific events e1 and e2, and implementing the de-duplication of the specific events by the following formula:
wherein E″ represents the resulting set of specific events of the same attack subject, and thres represents a preset threshold.
4. The method for predicting intention based on a network threat knowledge graph as claimed in claim 3, wherein in step S2 feature extraction is performed on the attack subject in the specific event, specifically:
extracting the subject intentions and semantic features within the set of specific events of the same attack subject, and setting a function f(a) that returns the feature list of attack subject a, the feature list being expressed as:
F = {e : a : f(a) | a ∈ A(e), e ∈ E″};
wherein F represents a dictionary of all attack subjects and their features within the set of specific events.
5. The method for predicting intention based on a network threat knowledge graph according to claim 1, wherein step S4 comprises:
encoding the feature vectors with the heterogeneous graph neural network to generate the corresponding graph structure, encoding the graph structure into hidden states containing node features, edge features and the relations between nodes and edges, and aggregating the hidden states with an aggregation function comprising summation, average and maximum to obtain the aggregation of the hidden states of all nodes;
obtaining the intention ordering vector from the aggregated hidden states through a softmax function;
and predicting the attack direction of the next stage from the intention ordering vector using an argmax function.
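The pipeline of steps S2 to S5 as set out in claims 2 to 5 (time-window extraction E', similarity-threshold de-duplication, the feature dictionary F, node-state aggregation by sum, mean or max, softmax and argmax), carried through on constructed data as an added example; this is not code from the patent. The event record layout, the choice of Jaccard similarity for sim(), the technique-to-intention mapping and the fixed, untrained message-passing step that stands in for a trained heterogeneous graph neural network are all assumptions made here.

```python
"""Steps S2-S5 (claims 2-5) on constructed data. Assumed here, not specified by the patent:
the event record layout, Jaccard as sim(), the technique->intention map, and an untrained
histogram encoding standing in for the heterogeneous graph neural network."""
from datetime import date
from math import exp

# Constructed sample events: id, date, attack subject, observed technique IDs (placeholder IDs)
EVENTS = [
    {"id": "e1", "date": date(2023, 3, 1), "subject": "a1", "techniques": {"T1", "T2"}},
    {"id": "e2", "date": date(2023, 3, 2), "subject": "a1", "techniques": {"T1", "T2", "T3"}},  # near-duplicate of e1
    {"id": "e3", "date": date(2023, 4, 9), "subject": "a2", "techniques": {"T4"}},
    {"id": "e4", "date": date(2022, 12, 1), "subject": "a1", "techniques": {"T5"}},  # outside the window
]
WINDOW = (date(2023, 1, 1), date(2023, 12, 31))  # preset time range [start_date, end_date]
# Constructed technique -> intention class map (stand-in for ATT&CK tactic membership)
INTENT_OF = {"T1": "persistence", "T2": "persistence", "T3": "defense_evasion",
             "T4": "exfiltration", "T5": "impact"}
INTENTS = ["persistence", "defense_evasion", "exfiltration", "impact"]

def extract_window(events, start_date, end_date):
    """E' = {e | e in E and start_date <= d(e) <= end_date}   (claim 2)."""
    return [e for e in events if start_date <= e["date"] <= end_date]

def sim(e1, e2):
    """Similarity metric; Jaccard over technique sets is an assumption, the patent leaves sim() abstract."""
    a, b = e1["techniques"], e2["techniques"]
    return len(a & b) / len(a | b) if a | b else 0.0

def deduplicate(events, thres):
    """Drop an event when an already-kept event of the same subject is at least thres similar (claim 3)."""
    kept = []
    for e in events:
        if not any(k["subject"] == e["subject"] and sim(k, e) >= thres for k in kept):
            kept.append(e)
    return kept

def feature_dict(events):
    """F = {e: a: f(a)}: event ID -> attack subject ID -> feature list (claim 4)."""
    return {e["id"]: {e["subject"]: sorted(e["techniques"])} for e in events}

def encode_and_aggregate(F, agg="mean"):
    """Hidden state per subject node = histogram of its features over INTENTS; aggregate all nodes (claim 5)."""
    states = {}
    for by_subject in F.values():
        for a, feats in by_subject.items():
            h = states.setdefault(a, [0.0] * len(INTENTS))
            for t in feats:
                h[INTENTS.index(INTENT_OF[t])] += 1.0
    if not states:  # empty window: nothing to rank
        return [0.0] * len(INTENTS)
    fn = {"sum": sum, "mean": lambda c: sum(c) / len(c), "max": max}[agg]
    return [fn(col) for col in zip(*states.values())]

def softmax(v):
    ex = [exp(x - max(v)) for x in v]  # shift by the max for numerical stability
    return [x / sum(ex) for x in ex]

def predict(events, start_date, end_date, thres=0.6, agg="mean"):
    """S2-S5 end to end: returns (intention ordering vector, predicted next-stage attack direction)."""
    F = feature_dict(deduplicate(extract_window(events, start_date, end_date), thres))
    ranking = softmax(encode_and_aggregate(F, agg))
    return ranking, INTENTS[max(range(len(ranking)), key=ranking.__getitem__)]
```

With the constructed data, e4 falls outside the window, e2 is removed as a near-duplicate of e1 at thres=0.6 (Jaccard 2/3) but kept at thres=0.7, and the ranking vector places "persistence" first.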
6. An intention prediction device based on a network threat knowledge graph, characterized by comprising:
the network threat knowledge graph construction module, used to collect heterogeneous information related to attack activities in attack events that have occurred, based on the ATT&CK framework knowledge graph ontology, and to construct the network threat knowledge graph ontology;
the subject intention extraction module, used to extract the specific events within a preset time range from the network threat knowledge graph, de-duplicate them, and extract the subject intention features of the attack subject in each specific event;
the feature vector construction module, used to generate, from the subject intention features and based on the network threat knowledge graph ontology, sequences consisting of event, key and value, and to construct a feature vector for each sequence; the event is the event subject ID, the key is the attack subject ID, and the value is the feature list corresponding to the intention of the attack subject;
the intention ordering module, used to encode the feature vector corresponding to the attack subject with the heterogeneous graph neural network to obtain a heterogeneous graph aggregation result, and to generate an intention ordering vector from that result;
and the prediction module, used to predict the attack direction of the next stage from the intention ordering vector.
7. The network threat knowledge graph-based intention prediction device of claim 6, wherein the subject intention extraction module is configured to extract the specific events within a preset time range from the network threat knowledge graph, specifically by:
E' = {e | e ∈ E and start_date ≤ d(e) ≤ end_date};
wherein E is the set of events contained in the knowledge graph, each event e has an occurrence date d(e), and E' represents the set of specific events within the preset time range.
8. The network threat knowledge graph-based intention prediction device of claim 6, wherein the de-duplication of the specific events in the subject intention extraction module is specifically:
setting a metric function sim(e1, e2) that returns the similarity of the specific events e1 and e2, and implementing the de-duplication of the specific events by the following formula:
wherein E″ represents the resulting set of specific events of the same attack subject, and thres represents a preset threshold.
9. A computer device, comprising: a memory and a processor, the memory storing one or more computer instructions which, when executed by the processor, implement the network threat knowledge graph-based intention prediction method as claimed in any one of claims 1 to 5.
10. A storage medium, comprising: a readable storage medium and a computer program for implementing the network threat knowledge graph-based intention prediction method of any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311283687.XA CN117240572A (en) | 2023-09-28 | 2023-09-28 | Intention prediction method, device and medium based on network threat knowledge graph |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117240572A true CN117240572A (en) | 2023-12-15 |
Family
ID=89089301
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311283687.XA Pending CN117240572A (en) | 2023-09-28 | 2023-09-28 | Intention prediction method, device and medium based on network threat knowledge graph |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117240572A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117560223A (en) * | 2024-01-08 | 2024-02-13 | 广州大学 | Threat attribution prediction method, threat attribution prediction device, threat attribution prediction medium and electronic equipment |
CN117560223B (en) * | 2024-01-08 | 2024-04-16 | 广州大学 | Threat attribution prediction method, threat attribution prediction device, threat attribution prediction medium and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||