CN117834169A - Method and system for constructing attack graph of novel power system based on ATT&CK - Google Patents

Method and system for constructing attack graph of novel power system based on ATT&CK

Info

Publication number: CN117834169A
Authority: CN (China)
Prior art keywords: attack, sequence, observation, block, att
Legal status: Pending
Application number: CN202311337827.7A
Other languages: Chinese (zh)
Inventors: 朱亚运, 蔺子卿, 汪旭, 张大华, 张晓娟, 胡柏吉, 曹靖怡, 王海翔, 姜琳, 李梦琳
Current and original assignees: State Grid Jiangxi Electric Power Co ltd; China Electric Power Research Institute Co Ltd CEPRI
Priority: CN202311337827.7A
Publication: CN117834169A

Abstract

The invention discloses a method and a system for constructing an attack graph of a novel power system based on ATT&CK. The method comprises: collecting security data related to the novel power system and obtaining an observation sequence; mapping each observation event in the observation sequence to the corresponding ATT&CK technique or tactic through feature functions, and establishing a conditional random field (CRF) model; training the conditional random field model in parallel and updating the model parameters; dividing the observation sequence into several blocks and solving for the optimal attack tactic sequence; mapping the solved optimal attack tactic sequence, according to the feature functions and the conditional random field model, onto the position of each attack tactic in the ATT&CK model; and constructing the attack graph from the position of each attack tactic in the ATT&CK model and the optimal attack tactic sequence. This helps in understanding the potential security threats and possible losses in a novel power system, so that effective protection and countermeasures can be provided.

Description

Method and system for constructing attack graph of novel power system based on ATT&CK
Technical Field
The invention relates to the technical field of network attacks, and in particular to a method and a system for constructing an attack graph of a novel power system based on ATT&CK.
Background
The power system is one of the most important infrastructures of modern society, supplying the electrical energy people need in daily life. With the rapid development of information technology and the construction of smart grids, power systems have evolved from traditional centralized systems into distributed, networked systems. The complexity and importance of novel power systems make them a potential target of attack, and traditional security analysis methods often cannot fully address the diverse threats they face.
In network security defense practice, attack graphs are widely recognized as an effective method and tool for understanding network attacks, in particular advanced persistent threats (APTs). To generate an attack graph that fits the real situation, however, the attack patterns and the attack paths must be described accurately and formally. At present the following specific problems are faced:
(1) Use of large volumes of threat intelligence: threat intelligence is an important source of information for identifying and understanding potential attacks. It is, however, a vast and constantly changing field that requires large amounts of data to be analyzed, interpreted and linked to the specific environment and threat situation of the power system. Knowledge bases such as ATT&CK provide a comprehensive reference that helps security professionals understand and deal with a wide range of attacks, but how to combine such knowledge bases with the novel power system domain remains an open problem.
(2) Description of attack behavior patterns: to generate an accurate attack graph, the attacker's behavior patterns must be described accurately. Because attacker behavior is complex and diverse, it is difficult to give a complete and accurate description of attack patterns. Doing so relies on the experience and knowledge of domain experts and security analysts, which is often a tedious and difficult task.
(3) Formalization of attack paths: an attack path is the sequence of techniques and methods that an attacker adopts in turn during an attack. To generate an accurate attack graph, the attack path must be represented formally, which raises problems such as how to identify and distinguish different attack paths and how to represent the dependencies within a path accurately.
(4) Attack techniques evolve without limit: with the rapid development of information technology, attackers continuously innovate and evolve their attack techniques and means. They may use advanced penetration-testing tools, malware or social engineering to attack vulnerabilities in the power system in order to obtain sensitive information, interfere with the system or disrupt its proper operation. Advanced persistent attacks in particular, being long-lasting and concealed, are even harder to defend against.
Disclosure of Invention
The invention provides a method and a system for constructing an attack graph of a novel power system based on ATT&CK, so as to address the technical problem of potential security threats and possible losses in the power system.
According to a first aspect of the invention, there is provided a method for constructing an attack graph of a novel power system based on ATT&CK, comprising:
collecting security data related to the novel power system and obtaining an observation sequence;
mapping each observation event in the observation sequence to the corresponding ATT&CK technique or tactic through feature functions, and establishing a conditional random field model;
training the conditional random field model in parallel and updating the model parameters;
dividing the observation sequence into several blocks and solving for the optimal attack tactic sequence;
mapping the solved optimal attack tactic sequence according to the feature functions and the conditional random field model, and determining the position of each attack tactic in the ATT&CK model;
constructing an attack graph based on the position of each attack tactic in the ATT&CK model and the optimal attack tactic sequence.
Optionally, collecting security data related to the novel power system and obtaining an observation sequence comprises:
collecting and organizing security data related to the security of the novel power system, including attack events, behavior events and log records;
obtaining an observation sequence from the security data, $O=\{o_1,o_2,\dots,o_T\}$, where each observation event $o_i$ corresponds to a feature vector.
Optionally, mapping each observation event $o_i$ in the observation sequence to the corresponding ATT&CK technique or tactic through feature functions and establishing a conditional random field model comprises:
according to the ATT&CK model and the characteristics of the power system, mapping each observation event $o_i$ to the corresponding ATT&CK technique or tactic, implemented by defining a feature function $f(y_{t-1},y_t,o_t)$, where $y_t$ is the attack tactic label at time $t$ and $y_{t-1}$ is the label at the previous time;
each observation event has a number of feature values, and the feature function considers several aspects, including source IP address, destination IP address, operation type, timestamp and protocol; by defining the feature function, each observation event is mapped to one or more ATT&CK techniques or tactics;
establishing the conditional random field model, an undirected graphical model expressed as
$$P(Y\mid X)=\frac{1}{Z(X)}\exp\Big(\sum_{t=1}^{T}\sum_{k}\lambda_k\,t_k(y_{t-1},y_t,o_t)\Big),$$
where $Y$ is the attack tactic sequence, $X$ is the observation sequence, $\lambda_k$ are the weight parameters of the model, $t_k$ are the corresponding feature functions and $Z(X)$ is the normalization factor.
Optionally, training the conditional random field model in parallel and updating the model parameters comprises:
estimating the weight parameters $\lambda_k$ of the conditional random field model by maximizing a log-likelihood function on the training data; for a given observation sequence $O$ and true attack tactic sequence $Y$, the log-likelihood is
$$L(\lambda)=\sum_{t=1}^{T}\sum_{k}\lambda_k\,t_k(y_{t-1},y_t,o_t)-\log Z(X;\lambda),$$
where $\lambda_k\,t_k(y_{t-1},y_t,o_t)$ is the feature function $t_k$ weighted by its parameter $\lambda_k$, describing the feature weight of the attack tactic sequence given the observation sequence, and the logarithm $\log Z(X;\lambda)$ of the normalization factor is used to compute the probability distribution of the conditional random field;
dividing the training data into several batches, each processed by a different computing unit; the log-likelihood of batch $b$ is denoted $L_b(\lambda)$, and the overall log-likelihood is the sum of all batch log-likelihoods,
$$L(\lambda)=\sum_{b=1}^{N}L_b(\lambda),$$
where $N$ is the number of batches; with $M$ the number of samples in each batch, the batch log-likelihood expands to
$$L_b(\lambda)=\sum_{i=1}^{M}\log P(Y_i\mid X_i;\lambda),$$
where $Y_i$ and $X_i$ are the true attack tactic sequence and the observation sequence of the $i$-th sample;
in the parallel training process, the log-likelihood of each batch is assigned independently to a different computing unit, the gradient of the batch log-likelihood is computed on each unit, and the results of all units are aggregated to update the model parameters.
Optionally, dividing the observation sequence into several blocks and solving for the optimal attack tactic sequence comprises:
dividing the observation sequence $O$ into $K$ blocks, each containing consecutive observations, $O=\{O_1,O_2,\dots,O_K\}$, where the number and size of the blocks are adjusted according to system requirements and computing resources;
assigning each block to a different processing unit or thread for parallel processing, and applying the sequential Viterbi algorithm within each block to compute the maximum-probability path and the optimal attack tactic sequence; the dynamic programming variables and feature functions are initialized for the first block $O_1$: $\delta_{1,t}(j)$ denotes the log probability of the most probable path ending in attack tactic $j$ at time $t$ of the first block, and $\psi_{1,t}(j)$ denotes the index of the previous tactic on that path; for $t=1$, the initial time of the first block, set
$$\delta_{1,1}(j)=\lambda_j\,i_1(j,o_{1,1}),\qquad \psi_{1,1}(j)=0,$$
where $o_{1,1}$ is the first observation of the first block and $i_1$ is the feature function of the attack tactic at the initial time;
recursively computing the dynamic programming variables: for $t>1$, the variables are updated by
$$\delta_{1,t}(j)=\max_i\big(\delta_{1,t-1}(i)+\lambda_j\,i_t(i,j,o_{1,t})\big),$$
$$\psi_{1,t}(j)=\arg\max_i\big(\delta_{1,t-1}(i)+\lambda_j\,i_t(i,j,o_{1,t})\big),$$
where $i$ indexes the attack tactics and $i_t$ is the feature function at time $t$;
merging the maximum-probability path and the optimal tactic sequence of each block according to the state transition relation between adjacent blocks, from the second block through the last block;
updating the dynamic programming variables and feature functions according to the state transition relation of adjacent blocks: the last tactic (at time $T_{k-1}$) of the optimal tactic sequence of the preceding block is prepended to the observation sequence of the current block $k$, and the dynamic programming variables are updated by
$$\delta_{k,t}(j)=\max_i\big(\delta_{k,t-1}(i)+\lambda_j\,i_t(i,j,o_{k,t})\big),$$
$$\psi_{k,t}(j)=\arg\max_i\big(\delta_{k,t-1}(i)+\lambda_j\,i_t(i,j,o_{k,t})\big),$$
where $o_{k,t}$ is the $t$-th observation in block $k$ and $T_{k-1}$ is the last time of the preceding block;
finding the end point of the overall maximum-probability path from the result of the last block, namely the tactic $j$ that maximizes $\delta_{K,T_K}(j)$;
for the times $t<T_K$ covered by the other blocks and the last block, iteratively following the back-pointer $\psi$ from the label chosen at time $t+1$ to obtain each tactic label of the overall maximum-probability path.
Optionally, mapping the solved optimal attack tactic sequence according to the feature functions and the conditional random field model and determining the position of each attack tactic in the ATT&CK model comprises:
mapping the solved optimal attack tactic sequence according to the feature functions and the conditional random field model, and determining the position of each attack tactic in the ATT&CK model through this mapping;
when the conditional random field model identifies a series of attack tactics, examining the entries of the ATT&CK model, finding the techniques associated with those tactics, and marking the tactics and techniques at the appropriate positions in the ATT&CK model to indicate their presence and relationships throughout the model.
According to another aspect of the invention, there is also provided a system for constructing an attack graph of a novel power system based on ATT&CK, comprising:
an observation sequence acquisition module, for collecting security data related to the novel power system and obtaining an observation sequence;
a conditional random field model building module, for mapping each observation event in the observation sequence to the corresponding ATT&CK technique or tactic through feature functions and establishing a conditional random field model;
a model parameter updating module, for training the conditional random field model in parallel and updating the model parameters;
an optimal attack tactic sequence solving module, for dividing the observation sequence into several blocks and solving for the optimal attack tactic sequence;
an ATT&CK position mapping module, for mapping the optimal attack tactic sequence obtained by the solving module according to the feature functions and the conditional random field model, and determining the position of each attack tactic in the ATT&CK model;
an attack graph construction module, for constructing an attack graph from the position of each attack tactic in the ATT&CK model and the optimal attack tactic sequence.
Optionally, the observation sequence acquisition module comprises:
a security data collection sub-module, for collecting and organizing security data related to the security of the novel power system, including attack events, behavior events and log records;
an observation sequence acquisition sub-module, for obtaining an observation sequence from the security data, $O=\{o_1,o_2,\dots,o_T\}$, where each observation event $o_i$ corresponds to a feature vector.
Optionally, the conditional random field model building module comprises:
an observation event mapping sub-module, for mapping each observation event $o_i$ to the corresponding ATT&CK technique or tactic according to the ATT&CK model and the characteristics of the power system, implemented by defining a feature function $f(y_{t-1},y_t,o_t)$, where $y_t$ is the attack tactic label at time $t$ and $y_{t-1}$ is the label at the previous time; each observation event has a number of feature values, and the feature function considers several aspects, including source IP address, destination IP address, operation type, timestamp and protocol, so that by defining the feature function each observation event is mapped to one or more ATT&CK techniques or tactics;
a conditional random field model building sub-module, for establishing the conditional random field model, an undirected graphical model expressed as
$$P(Y\mid X)=\frac{1}{Z(X)}\exp\Big(\sum_{t=1}^{T}\sum_{k}\lambda_k\,t_k(y_{t-1},y_t,o_t)\Big),$$
where $Y$ is the attack tactic sequence, $X$ is the observation sequence, $\lambda_k$ are the weight parameters of the model, $t_k$ are the corresponding feature functions and $Z(X)$ is the normalization factor.
Optionally, the model parameter updating module comprises:
a weight parameter estimation sub-module, for estimating the weight parameters $\lambda_k$ of the conditional random field model by maximizing a log-likelihood function on the training data; for a given observation sequence $O$ and true attack tactic sequence $Y$, the log-likelihood is
$$L(\lambda)=\sum_{t=1}^{T}\sum_{k}\lambda_k\,t_k(y_{t-1},y_t,o_t)-\log Z(X;\lambda),$$
where $\lambda_k\,t_k(y_{t-1},y_t,o_t)$ is the feature function $t_k$ weighted by its parameter $\lambda_k$, describing the feature weight of the attack tactic sequence given the observation sequence, and the logarithm $\log Z(X;\lambda)$ of the normalization factor is used to compute the probability distribution of the conditional random field;
a training data batching sub-module, for dividing the training data into several batches, each processed by a different computing unit; the log-likelihood of batch $b$ is denoted $L_b(\lambda)$, and the overall log-likelihood is the sum of all batch log-likelihoods,
$$L(\lambda)=\sum_{b=1}^{N}L_b(\lambda),$$
where $N$ is the number of batches; with $M$ the number of samples in each batch, the batch log-likelihood expands to
$$L_b(\lambda)=\sum_{i=1}^{M}\log P(Y_i\mid X_i;\lambda),$$
where $Y_i$ and $X_i$ are the true attack tactic sequence and the observation sequence of the $i$-th sample;
a model parameter updating sub-module, for assigning the log-likelihood of each batch independently to a different computing unit during parallel training, computing the gradient of the batch log-likelihood on each unit, and aggregating the results of all units to update the model parameters.
Optionally, the optimal attack tactic sequence solving module comprises:
an observation sequence partitioning sub-module, for dividing the observation sequence $O$ into $K$ blocks, each containing consecutive observations, $O=\{O_1,O_2,\dots,O_K\}$, where the number and size of the blocks are adjusted according to system requirements and computing resources;
a block parallel processing sub-module, for assigning each block to a different processing unit or thread for parallel processing and applying the sequential Viterbi algorithm within each block to compute the maximum-probability path and the optimal attack tactic sequence; the dynamic programming variables and feature functions are initialized for the first block $O_1$: $\delta_{1,t}(j)$ denotes the log probability of the most probable path ending in attack tactic $j$ at time $t$ of the first block, and $\psi_{1,t}(j)$ denotes the index of the previous tactic on that path; for $t=1$, the initial time of the first block, set
$$\delta_{1,1}(j)=\lambda_j\,i_1(j,o_{1,1}),\qquad \psi_{1,1}(j)=0,$$
where $o_{1,1}$ is the first observation of the first block and $i_1$ is the feature function of the attack tactic at the initial time;
a variable updating sub-module, for recursively computing the dynamic programming variables: for $t>1$, the variables are updated by
$$\delta_{1,t}(j)=\max_i\big(\delta_{1,t-1}(i)+\lambda_j\,i_t(i,j,o_{1,t})\big),$$
$$\psi_{1,t}(j)=\arg\max_i\big(\delta_{1,t-1}(i)+\lambda_j\,i_t(i,j,o_{1,t})\big),$$
where $i$ indexes the attack tactics and $i_t$ is the feature function at time $t$;
an adjacent block merging sub-module, for merging the maximum-probability path and the optimal tactic sequence of each block according to the state transition relation between adjacent blocks, from the second block through the last block;
a dynamic programming variable updating sub-module, for updating the dynamic programming variables and feature functions according to the state transition relation of adjacent blocks: the last tactic (at time $T_{k-1}$) of the optimal tactic sequence of the preceding block is prepended to the observation sequence of the current block $k$, and the dynamic programming variables are updated by
$$\delta_{k,t}(j)=\max_i\big(\delta_{k,t-1}(i)+\lambda_j\,i_t(i,j,o_{k,t})\big),$$
$$\psi_{k,t}(j)=\arg\max_i\big(\delta_{k,t-1}(i)+\lambda_j\,i_t(i,j,o_{k,t})\big),$$
where $o_{k,t}$ is the $t$-th observation in block $k$ and $T_{k-1}$ is the last time of the preceding block;
an end point sub-module, for finding the end point of the overall maximum-probability path from the result of the last block, namely the tactic $j$ that maximizes $\delta_{K,T_K}(j)$;
a tactic label sub-module, for the times $t<T_K$ covered by the other blocks and the last block, iteratively following the back-pointer $\psi$ from the label chosen at time $t+1$ to obtain each tactic label of the overall maximum-probability path.
Optionally, the ATT&CK position mapping module comprises:
a position mapping sub-module, for mapping the solved optimal attack tactic sequence according to the feature functions and the conditional random field model, and determining the position of each attack tactic in the ATT&CK model through this mapping;
a tactic and technique labeling sub-module, for examining the entries of the ATT&CK model when the conditional random field model identifies a series of attack tactics, finding the techniques associated with those tactics, and marking the tactics and techniques at the appropriate positions in the ATT&CK model to indicate their presence and relationships throughout the model.
Thus, by collecting and organizing data related to the security of the power system, an observation sequence is established. Each observation event is then mapped to the corresponding attack tactic according to the ATT&CK model, and feature functions are defined to represent the attack tactics that may occur. Next, a conditional random field model is constructed to describe the relationship between the observation sequence and the attack tactic sequence. The model parameters are estimated by parallel training with an improved maximum-likelihood procedure, and the attack tactic sequence with the highest probability is obtained by block-parallel decoding. The attack tactic sequence is then mapped onto the ATT&CK model, and an attack graph for the power system is constructed. The method helps in understanding the potential security threats and possible losses in the novel power system, thereby providing effective security protection and response strategies.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
fig. 1 is a schematic flow chart of a method for constructing an attack graph of a novel power system based on ATT&CK according to the present embodiment;
fig. 2 is a schematic diagram of the ATT&CK tactic matrix for industrial control environments according to the present embodiment;
fig. 3 is a schematic diagram of a system for constructing an attack graph of a novel power system based on ATT&CK according to the present embodiment.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
According to a first aspect of the invention, there is provided a method 100 for constructing an attack graph of a novel power system based on ATT&CK; referring to fig. 1, the method 100 comprises:
S101, collecting security data related to the novel power system and obtaining an observation sequence;
S102, mapping each observation event in the observation sequence to the corresponding ATT&CK technique or tactic through feature functions, and establishing a conditional random field model;
S103, training the conditional random field model in parallel and updating the model parameters;
S104, dividing the observation sequence into several blocks and solving for the optimal attack tactic sequence;
S105, mapping the solved optimal attack tactic sequence according to the feature functions and the conditional random field model, and determining the position of each attack tactic in the ATT&CK model;
S106, constructing an attack graph from the position of each attack tactic in the ATT&CK model and the optimal attack tactic sequence.
Specifically, fig. 2 shows the ATT&CK tactic matrix for industrial control environments.
Step S101: various data related to the security of the novel power system are collected and organized, including attack events, behavior events, log records and the like. Such data may come from network security devices, intrusion detection systems, firewall logs, access control lists, system logs and so on. An observation sequence is obtained from the collected data, $O=\{o_1,o_2,\dots,o_T\}$, where each observation event $o_i$ corresponds to a feature vector.
Step S102: the observation events of the novel power system are considered. The observation time series may consist of the system's packet traffic and protocols, authorized-access logs, status monitoring of critical devices, security event logs, threat intelligence data and the like. Packet traffic and protocols are chosen so that the size, source and destination of network traffic and the type of protocol used can be monitored; abnormal packet traffic and unusual protocol usage may indicate attack behavior, such as a large-scale DDoS attack or the use of an unknown malicious protocol. By monitoring the authorized-access log, unauthorized access or abuse of privilege can be detected in time, strengthening the protection of sensitive resources. Status monitoring of critical devices is chosen because an abnormal device state may indicate that the device is under attack or has a hardware fault, and timely detection and response can avoid further damage. The security event log provides clues to potential attack activity, helping to discover and handle security incidents in time. On the basis of threat intelligence data, corresponding defensive measures can be taken in advance, reducing the impact of potential attacks on the novel power system.
Step S103: the weight parameters $\lambda_k$ of the model are estimated by maximizing a log-likelihood function on the training data. For a given observation sequence $O$ and true attack tactic sequence $Y$, the log-likelihood is
$$L(\lambda)=\sum_{t=1}^{T}\sum_{k}\lambda_k\,t_k(y_{t-1},y_t,o_t)-\log Z(X;\lambda),$$
where $\lambda_k\,t_k(y_{t-1},y_t,o_t)$ is the feature function $t_k$ weighted by its parameter $\lambda_k$, describing the feature weight of the attack tactic sequence given the observation sequence; the logarithm $\log Z(X;\lambda)$ of the normalization factor is then used to compute the probability distribution of the conditional random field.
Specifically, the training data are divided into several batches, each processed by a different computing unit. The log-likelihood of batch $b$ is denoted $L_b(\lambda)$, and the overall log-likelihood is the sum of all batch log-likelihoods,
$$L(\lambda)=\sum_{b=1}^{N}L_b(\lambda),$$
where $N$ is the number of batches. With $M$ the number of samples in each batch, the batch log-likelihood expands to
$$L_b(\lambda)=\sum_{i=1}^{M}\log P(Y_i\mid X_i;\lambda),$$
where $Y_i$ and $X_i$ are the true attack tactic sequence and the observation sequence of the $i$-th sample. In the parallel training process, the log-likelihood of each batch is assigned independently to a different computing unit. The gradient of each batch log-likelihood is computed on its unit, and the gradients are summed to update the model parameters.
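As an added example (not code from the patent), the following Python implements the training step above for a linear-chain CRF: $\log P(Y\mid X;\lambda)$ and its gradient are computed per sample by forward-backward, the batch terms $L_b(\lambda)$ are evaluated on separate workers and summed, and one gradient-ascent step updates $\lambda$. The tactic labels, the indicator feature templates (one transition feature and one emission feature per observed attribute), the two labelled samples and the batching are assumptions made for this example.

```python
"""Added example, not code from the patent: maximum-likelihood training of a
linear-chain CRF (step S103). Per-sample log-likelihood and gradient come from
forward-backward; the batch terms L_b are evaluated on separate workers and
summed. Labels, feature templates, samples and batching are constructed."""
import math
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

START = "START"
TACTICS = ["Initial Access", "Execution", "Lateral Movement"]
Feature = Tuple  # feature key; t_k(y_{t-1}, y_t, o_t) = 1 when the key is active


def features(prev: str, cur: str, o: Dict[str, str]) -> List[Feature]:
    """Active indicator features at one position: the tactic transition plus
    one emission feature per observed attribute (op type, protocol, ...)."""
    return [("trans", prev, cur)] + [("emit", cur, a, v) for a, v in o.items()]


def score(w: Dict[Feature, float], prev: str, cur: str, o: Dict[str, str]) -> float:
    """sum_k lambda_k t_k(y_{t-1}, y_t, o_t) at one position."""
    return sum(w.get(f, 0.0) for f in features(prev, cur, o))


def logsumexp(xs: List[float]) -> float:
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def log_likelihood_and_grad(w, X: List[Dict[str, str]], Y: List[str]):
    """log P(Y|X; w) and its gradient for one sample: empirical feature counts
    minus expected counts under the model (from edge marginals)."""
    T = len(X)
    alpha = [{j: score(w, START, j, X[0]) for j in TACTICS}]          # forward pass
    for t in range(1, T):
        alpha.append({j: logsumexp([alpha[t - 1][i] + score(w, i, j, X[t])
                                    for i in TACTICS]) for j in TACTICS})
    log_z = logsumexp(list(alpha[T - 1].values()))                    # log Z(X; w)
    beta = [dict.fromkeys(TACTICS, 0.0) for _ in range(T)]            # backward pass
    for t in range(T - 2, -1, -1):
        beta[t] = {i: logsumexp([score(w, i, j, X[t + 1]) + beta[t + 1][j]
                                 for j in TACTICS]) for i in TACTICS}
    grad: Dict[Feature, float] = {}
    prev = START
    for t in range(T):                                                # empirical counts
        for f in features(prev, Y[t], X[t]):
            grad[f] = grad.get(f, 0.0) + 1.0
        prev = Y[t]
    for t in range(T):                                                # expected counts
        for j in TACTICS:
            for i in ([START] if t == 0 else TACTICS):
                lp = (alpha[t - 1][i] if t else 0.0) + score(w, i, j, X[t]) + beta[t][j] - log_z
                for f in features(i, j, X[t]):
                    grad[f] = grad.get(f, 0.0) - math.exp(lp)
    ll = sum(score(w, p, c, x) for p, c, x in zip([START] + Y[:-1], Y, X)) - log_z
    return ll, grad


def batch_objective(w, batch):
    """L_b(lambda) and its gradient: sum over the M labelled samples of one batch."""
    ll, grad = 0.0, {}
    for X, Y in batch:
        l_i, g_i = log_likelihood_and_grad(w, X, Y)
        ll += l_i
        for f, v in g_i.items():
            grad[f] = grad.get(f, 0.0) + v
    return ll, grad


def parallel_step(w, batches, lr: float = 0.05):
    """One gradient-ascent step on L = sum_b L_b. The batch terms are independent,
    so each is computed on its own worker and the gradients are summed."""
    with ThreadPoolExecutor() as pool:
        results = list(pool.map(lambda b: batch_objective(w, b), batches))
    total_ll, total_grad = sum(r[0] for r in results), {}
    for _, g in results:
        for f, v in g.items():
            total_grad[f] = total_grad.get(f, 0.0) + v
    new_w = dict(w)
    for f, v in total_grad.items():
        new_w[f] = new_w.get(f, 0.0) + lr * v
    return total_ll, new_w


# Constructed labelled samples (observation sequence X_i, tactic sequence Y_i).
SAMPLES = [
    ([{"op": "mail_attachment_open", "proto": "SMTP"},
      {"op": "process_create", "proto": "local"},
      {"op": "remote_logon", "proto": "SMB"}],
     ["Initial Access", "Execution", "Lateral Movement"]),
    ([{"op": "vpn_logon", "proto": "IPsec"},
      {"op": "remote_logon", "proto": "SMB"}],
     ["Initial Access", "Lateral Movement"]),
]
BATCHES = [[SAMPLES[0]], [SAMPLES[1]]]   # N = 2 batches of M = 1 sample each


def train(steps: int = 20):
    """Returns the learned weights and the log-likelihood before each step."""
    w, history = {}, []
    for _ in range(steps):
        ll, w = parallel_step(w, BATCHES)
        history.append(ll)
    return w, history


if __name__ == "__main__":
    w, hist = train()
    print("log-likelihood per step:", [round(h, 3) for h in hist])
```

Before trusting any CRF trainer, compare the analytic gradient of `log_likelihood_and_grad` against a central finite difference at a few weights; the summed-batch form is exact because the samples are independent, so data parallelism changes the wall-clock time and nothing about the optimum. Note that without a regularizer the maximum-likelihood weights of features that only ever occur with one tactic grow without bound, which is why a real deployment adds an L2 penalty to $L(\lambda)$ and why the learning rate here is kept small.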
Step S104: the observation sequence O is divided into K blocks, each block containing successive observation data: o= { O 1 ,O 2 ,...,O K }. The number and size of the blocks are adjusted according to the system requirements and computing resources. Each block is assigned to a different processing unit or thread, and the blocks are processed in parallel. A sequence Viterbi algorithm is applied inside each block to compute the most probable path and the optimal attack tactical sequence. First, the dynamic programming variables and feature functions are initialized for the first block O 1 Definition of dynamic programming variable delta 1,t (j) Which represents the logarithmic probability of the most probable path ending in the attack tactic j at time t of the first block. Definition psi 1,t (j) Which represents the index of the previous tactic in the most probable path ending with the attack tactic j at time t of the first block. For t=1, i.e. the initial time of the first block, δ is set 1,1 (j)=λ j i 1 (j,o 1,t ) Wherein o 1,t Is the first observation in the first block, i 1 Is a characteristic function of the attack tactics at the initial moment. Similarly, set ψ 1,1 (j) =0. Recursively calculating dynamic programming variables: for t > 1, the variables are updated using the following:
δ 1,t (j)=max i1,t-1 (i)+λ j i t (i,j,o 1,t ))
ψ 1,t (j)=argmax i1,t-1 (i)+λ j i t (i,j,o 1,t ))
where i is the index of the attack tactical sequence, i t Is a characteristic function of time t.
The maximum probability path and the optimal tactical sequence for each block are merged according to the state transition relationship between neighboring blocks.
Updating the dynamic programming variable and the characteristic function according to the state transition relation of the adjacent blocks:
(1) The last tactic of the optimal tactic sequence of adjacent blocksObservation sequence header added to current block +.>
(2) Updating the dynamic programming variables:
δ k,t (j)=max ik,t-1 (i)+λ j i t (i,j,o k,t ))
ψ k,t (j)=arg max ik,t-1 (i)+λ j i t (i,j,o k,t ))
wherein o is k,t Is the T observation data in the k block, T k-1 Is the last time of the previous block.
This updating step is repeatedly performed for the second block to the last block.
The end point of the overall most probable path is then found from the result of the last block:for the time T < T between the other block and the last block K By iteratively usingEach tactical tag that gets the overall maximum probability path +.>
Step S105: the solved most probable attack tactic sequence is mapped according to the previously defined feature function and conditional random field model, and the location of each attack tactic in the ATT and CK models is determined by this mapping. When the conditional random field model identifies a series of attack tactics, such as "code execution", "lateral movement" and "privilege escalation", the entries in the ATT and CK models are examined and the techniques related to these tactics are found. These tactics and techniques are then marked in place in the ATT and CK models to indicate their existence and relationship throughout the model.
Step S106: finally, the different attack steps and techniques are connected according to the ATT and CK models and the solved attack tactic sequence, and an attack graph for the power system is constructed.
Step 1: determination of attack steps and techniques:
Attack step 1: obtaining login credentials
Technique 1: phishing mail
Technique 2: malware infection
Attack step 2: side channel attack
Technique 3: eavesdropping
Technique 4: side channel analysis
Attack step 3: controlling industrial control equipment
Technique 5: remote command execution
Technique 6: vulnerability exploitation
Step 2: determination of the relationships between attack steps:
Attack step 1: obtaining login credentials -> attack step 2: side channel attack -> attack step 3: controlling industrial control equipment
Step 3: connecting attack steps and techniques:
Attack step 1 is connected to techniques 1 and 2 using arrows
Attack step 2 is connected to techniques 3 and 4 using arrows
Attack step 3 is connected to techniques 5 and 6 using arrows
Step 4: adding other information:
Description of attack step 1: the login credentials are obtained by sending phishing mail or infecting the target with malware.
Description of technique 1: an attacker sends phishing mail disguised as legitimate mail to entice users to click malicious links or download malicious attachments.
Description of technique 2: an attacker obtains login credentials by infecting a computer or server in the power system.
Step 5: constructing the attack graph:
In fig. 2, three nodes represent the attack steps: obtaining login credentials, side channel attack and controlling industrial control equipment.
The nodes are connected using arrows, and the corresponding technique is indicated on each arrow.
Labels are added to the nodes and arrows, describing the details of the attack steps and techniques.
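Steps S105 and S106 as a data structure, as an added example that is not the patent's code: a decoded tactic sequence is collapsed into attack-step nodes, steps are joined by arrows, each step is connected to the techniques it maps to, and the graph is emitted as Graphviz DOT. The step and technique names are the page's worked example; the mapping table, the decoded sequence and the DOT styling are constructed here, and no ATT&CK identifiers are included because the page gives none.

```python
"""Attack-graph construction from a decoded tactic sequence (added example, not patent code)."""

# Attack step -> techniques, from the page's worked example (step 1 of S106); the table
# form is constructed here.
TECHNIQUES = {
    "obtain login credentials": ["phishing mail", "malware infection"],
    "side channel attack": ["eavesdropping", "side channel analysis"],
    "control industrial control equipment": ["remote command execution",
                                             "vulnerability exploitation"],
}
# Step descriptions (step 4 of S106); only the page's own description is filled in.
DESCRIPTIONS = {
    "obtain login credentials": "login credentials obtained via phishing mail or malware",
}
# Constructed decoded sequence, as the blocked Viterbi step would return it.
DECODED = ["obtain login credentials", "obtain login credentials",
           "side channel attack", "control industrial control equipment",
           "control industrial control equipment"]


def build_attack_graph(tactic_sequence):
    """Return (steps, edges). steps are the attack steps in order, with repeated labels
    collapsed into one step; edges are (source, target, kind) with kind 'next' for
    step->step arrows (step 2 of S106) and 'uses' for step->technique arrows (step 3)."""
    steps = []
    for tactic in tactic_sequence:
        if not steps or steps[-1] != tactic:     # a run of one tactic is one attack step
            steps.append(tactic)
    edges = [(a, b, "next") for a, b in zip(steps, steps[1:])]
    for s in dict.fromkeys(steps):               # each distinct step's techniques once
        edges += [(s, tech, "uses") for tech in TECHNIQUES.get(s, [])]
    return steps, edges


def to_dot(steps, edges):
    """Render the graph as Graphviz DOT; step descriptions become node tooltips and
    step->technique arrows are dashed so the tactic chain stays readable."""
    lines = ["digraph attack_graph {", "  rankdir=LR;"]
    for s in dict.fromkeys(steps):
        desc = DESCRIPTIONS.get(s, "")
        lines.append(f'  "{s}" [shape=box, tooltip="{desc}"];')
    for a, b, kind in edges:
        style = "" if kind == "next" else " [style=dashed]"
        lines.append(f'  "{a}" -> "{b}"{style};')
    lines.append("}")
    return "\n".join(lines)
```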
Thus, by collecting and collating data relating to the security of the power system, an observation sequence is established. Each observation event is then mapped to a corresponding attack tactic according to the ATT and CK models, and feature functions are defined to represent the attack tactics that may occur. Next, a conditional random field model is constructed to describe the relationship between the observation sequence and the attack tactic sequence. The model parameters are estimated by parallel training with an improved maximum likelihood method, and the attack tactic sequence with the highest probability is obtained through block-parallel decoding. Then, the attack tactic sequence is mapped to the ATT and CK models, and an attack graph for the power system is constructed. The method helps to understand potential security threats and possible losses in the novel power system, thereby providing effective security protection and coping strategies.
Optionally, collecting safety data related to the safety of the novel power system and acquiring an observation sequence comprises:
collecting and sorting security data related to the security of the novel power system, including attack events, behaviour events and log records;
obtaining an observation sequence according to the safety data: $O=\{o_1,o_2,\dots,o_T\}$, where each observation event $o_i$ corresponds to a feature vector.
Optionally, mapping each observation event $o_i$ in the observation sequence to the corresponding ATT and CK technique or tactic through a feature function, and establishing a conditional random field model, comprises:
according to the ATT and CK model and the characteristics of the power system, mapping each observation event $o_i$ to the corresponding ATT and CK technique or tactic, specifically by defining a feature function $f(y_{t-1},y_t,o_t)$, where $y_t$ represents the attack tactic label and $y_{t-1}$ is the label at the previous moment;
each observation event has certain feature values, and the feature function considers features of several aspects, including the source IP address, destination IP address, operation type, timestamp and protocol; by defining the feature function, each observation event is mapped to one or more ATT and CK techniques or tactics;
establishing a conditional random field model, which is an undirected graph model expressed in terms of the following quantities: $Y$ is the attack tactic sequence, $X$ is the observation sequence, $\lambda_k$ is a weight parameter of the model, $t_k$ is the corresponding feature function and $Z(X)$ is the normalization factor.
Optionally, parallelizing the conditional random field model training, updating model parameters, including:
estimating the weight parameters $\lambda_k$ of the conditional random field model by maximizing a log-likelihood function on the training data: for a given observation sequence $O$ and a real attack tactic sequence $Y$, the likelihood function is expressed in terms of the feature functions $t_k(y_{t-1},y_t,o_t)$ and the parameters $\lambda_k$, which describe the feature weights of the attack tactic sequence given the observation sequence, and the logarithm $\log Z(X;\lambda)$ of the normalization factor, which is used to calculate the probability distribution of the conditional random field;
dividing the training data into a plurality of batches, each batch being processed by a different computing unit, and defining the log-likelihood function of each batch as $L_b(\lambda)$, where $b$ is the index of the batch; the overall log-likelihood function is the sum of all batch log-likelihood functions, where $N$ is the number of batches and $M$ is the sample size of each batch; the batch log-likelihood function can be further expanded over its samples, where $Y_i$ and $X_i$ represent the actual attack tactic sequence and the observation sequence of the $i$-th sample, respectively;
In the parallelization training process, the log-likelihood function of each batch is independently distributed to different computing units for computation, the gradient of the batch log-likelihood function is computed on each computing unit, and each computing unit is summarized to update the model parameters.
Optionally, dividing the observation sequence into a plurality of blocks, solving an optimal attack tactical sequence, including:
dividing the observation sequence $O$ into $K$ blocks, each block containing consecutive observation data: $O=\{O_1,O_2,\dots,O_K\}$, the number and size of the blocks being adjusted according to the system requirements and computing resources;
assigning each block to a different processing unit or thread for parallel processing, and applying a sequence Viterbi algorithm within each block to calculate the maximum probability path and the optimal attack tactic sequence; initializing the dynamic programming variables and feature functions for the first block $O_1$: define the dynamic programming variable $\delta_{1,t}(j)$, which represents the log probability of the most probable path ending in attack tactic $j$ at time $t$ of the first block, and define $\psi_{1,t}(j)$, which represents the index of the previous tactic in the most probable path ending in attack tactic $j$ at time $t$ of the first block; for $t=1$, i.e. the initial time of the first block, set $\delta_{1,1}(j)=\lambda_j\, i_1(j,o_{1,t})$, where $o_{1,t}$ is the first observation in the first block and $i_1$ is the feature function of the attack tactics at the initial time, and likewise set $\psi_{1,1}(j)=0$;
recursively calculating the dynamic programming variables: for $t>1$, the variables are updated as follows:
$\delta_{1,t}(j)=\max_i\bigl(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\bigr)$
$\psi_{1,t}(j)=\arg\max_i\bigl(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\bigr)$
where $i$ is the index of the attack tactic sequence and $i_t$ is the feature function at time $t$;
merging the maximum probability path and the optimal tactic sequence of each block according to the state transition relation between adjacent blocks, from the second block to the last block;
updating the dynamic programming variables and the feature function according to the state transition relation of the adjacent blocks: the last tactic of the optimal tactic sequence of the adjacent block is added to the head of the observation sequence of the current block, and the dynamic programming variables are updated:
$\delta_{k,t}(j)=\max_i\bigl(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\bigr)$
$\psi_{k,t}(j)=\arg\max_i\bigl(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\bigr)$
where $o_{k,t}$ is the $t$-th observation in the $k$-th block and $T_{k-1}$ is the last moment of the previous block;
finding the end point of the overall maximum probability path according to the result of the last block;
for the times $t<T_K$ in the remaining blocks up to the last block, obtaining each tactic label of the overall maximum probability path by iteratively following the back-pointers $\psi$.
Optionally, mapping the solved optimal attack tactics sequence according to the feature function and the conditional random field model, and determining the position of each attack tactic in the ATT and CK models, including:
Mapping the solved optimal attack tactics according to the characteristic function and the conditional random field model, and determining the position of each attack tactic in the ATT and CK models through mapping;
when the conditional random field model identifies a series of attack tactics, the entries in the ATT and CK models are examined and the techniques associated with these tactics are found, marked in the ATT and CK models in the appropriate locations, indicating their existence and relationship throughout the model.
Thus, the inference and recognition capability for attack tactics in the power system is improved: by mapping observation events to ATT and CK techniques or tactics and using the conditional random field model for inference and identification, the possible attack tactics can be judged more accurately, which strengthens early warning and response to attacks on the novel power system. The parallelized training process improves efficiency: the training data is divided into batches distributed to different computing units, and the gradient is calculated on each unit before the model parameters are updated, which greatly improves the efficiency of training and accelerates convergence of the model. Processing the observation sequence in blocks improves computation speed: the observation sequence is segmented and processed in parallel, the sequence Viterbi algorithm being applied in each block to calculate the maximum probability path and the optimal attack tactic sequence, so the computation is more efficient and its complexity is reduced. Mapping the most probable attack tactic sequence determines positions: the solved maximum probability attack tactics are mapped according to the previously defined feature function and conditional random field model to determine the position of each tactic in the ATT and CK models, which helps further analysis and study of attack behaviour and the adoption of corresponding defensive measures and countermeasures.
According to another aspect of the present invention, there is also provided a system 300 for constructing an attack graph for a novel power system based on ATT and CK, referring to fig. 3, the system 300 includes:
the observation sequence acquisition module 310 is configured to collect safety data related to safety of a novel power system, and acquire an observation sequence;
a conditional random field model building block 320 for mapping each observation event in the observation sequence to a corresponding ATT and CK technique or tactic by a feature function, and building a conditional random field model;
an update model parameter module 330, configured to parallelize the conditional random field model training and update model parameters;
the optimal attack tactical sequence solving module 340 is configured to divide the observation sequence into a plurality of blocks and solve an optimal attack tactical sequence;
the mapping ATT and CK model location module 350 is configured to map the solved optimal attack tactic sequence according to the feature function and the conditional random field model, and to determine the location of each attack tactic in the ATT and CK models;
an attack graph module 360 is constructed for constructing an attack graph based on the location of each attack tactic in the ATT and CK models and the optimal attack tactic sequence.
Optionally, the obtaining an observation sequence module includes:
the safety data collecting sub-module is used for collecting and sorting safety data related to the safety of the novel power system, including attack events, behavior events and log records;
the observation sequence acquisition sub-module is used for acquiring an observation sequence according to the safety data: $O=\{o_1,o_2,\dots,o_T\}$, where each observation event $o_i$ corresponds to a feature vector.
Optionally, building a conditional random field model module, comprising:
a mapping observation event sub-module for mapping each observation event $o_i$ to the corresponding ATT and CK technique or tactic according to the ATT and CK models and the characteristics of the power system, specifically by defining a feature function $f(y_{t-1},y_t,o_t)$, where $y_t$ represents the attack tactic label and $y_{t-1}$ is the label at the previous moment;
each observation event has certain feature values, and the feature function considers features of several aspects, including the source IP address, destination IP address, operation type, timestamp and protocol; by defining the feature function, each observation event is mapped to one or more ATT and CK techniques or tactics;
a conditional random field model building sub-module for building a conditional random field model, which is an undirected graph model expressed in terms of the following quantities: $Y$ is the attack tactic sequence, $X$ is the observation sequence, $\lambda_k$ is a weight parameter of the model, $t_k$ is the corresponding feature function and $Z(X)$ is the normalization factor.
Optionally, updating the model parameter module includes:
a weight parameter estimating sub-module for estimating the weight parameters $\lambda_k$ of the conditional random field model by maximizing a log-likelihood function on the training data: for a given observation sequence $O$ and a real attack tactic sequence $Y$, the likelihood function is expressed in terms of the feature functions $t_k(y_{t-1},y_t,o_t)$ and the parameters $\lambda_k$, which describe the feature weights of the attack tactic sequence given the observation sequence, and the logarithm $\log Z(X;\lambda)$ of the normalization factor, which is used to calculate the probability distribution of the conditional random field;
a training data batching sub-module for dividing the training data into a plurality of batches, each batch being processed by a different computing unit, and defining the log-likelihood function of each batch as $L_b(\lambda)$, where $b$ is the index of the batch; the overall log-likelihood function is the sum of all batch log-likelihood functions, where $N$ is the number of batches and $M$ is the sample size of each batch; the batch log-likelihood function can be further expanded over its samples, where $Y_i$ and $X_i$ represent the actual attack tactic sequence and the observation sequence of the $i$-th sample, respectively;
And the model parameter updating sub-module is used for independently distributing the log-likelihood function of each batch to different computing units for computation in the parallelization training process, computing the gradient of the batch log-likelihood function on each computing unit, and summarizing each computing unit to update the model parameters.
Optionally, the solving optimal attack tactical sequence module comprises:
the observation sequence partitioning sub-module is used for dividing the observation sequence $O$ into $K$ blocks, each block containing consecutive observation data: $O=\{O_1,O_2,\dots,O_K\}$, the number and size of the blocks being adjusted according to the system requirements and computing resources;
the parallel block processing sub-module is used for assigning each block to a different processing unit or thread for parallel processing, and for applying a sequence Viterbi algorithm within each block to calculate the maximum probability path and the optimal attack tactic sequence; it initializes the dynamic programming variables and feature functions for the first block $O_1$: define the dynamic programming variable $\delta_{1,t}(j)$, which represents the log probability of the most probable path ending in attack tactic $j$ at time $t$ of the first block, and define $\psi_{1,t}(j)$, which represents the index of the previous tactic in the most probable path ending in attack tactic $j$ at time $t$ of the first block; for $t=1$, i.e. the initial time of the first block, set $\delta_{1,1}(j)=\lambda_j\, i_1(j,o_{1,t})$, where $o_{1,t}$ is the first observation in the first block and $i_1$ is the feature function of the attack tactics at the initial time, and likewise set $\psi_{1,1}(j)=0$;
the update variable sub-module is used for recursively calculating the dynamic programming variables: for $t>1$, the variables are updated as follows:
$\delta_{1,t}(j)=\max_i\bigl(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\bigr)$
$\psi_{1,t}(j)=\arg\max_i\bigl(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\bigr)$
where $i$ is the index of the attack tactic sequence and $i_t$ is the feature function at time $t$;
the adjacent block merging sub-module is used for merging the maximum probability path and the optimal tactic sequence of each block according to the state transition relation between adjacent blocks, from the second block to the last block;
the dynamic programming variable updating sub-module is used for updating the dynamic programming variables and the feature function according to the state transition relation of the adjacent blocks: the last tactic of the optimal tactic sequence of the adjacent block is added to the head of the observation sequence of the current block, and the dynamic programming variables are updated:
$\delta_{k,t}(j)=\max_i\bigl(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\bigr)$
$\psi_{k,t}(j)=\arg\max_i\bigl(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\bigr)$
where $o_{k,t}$ is the $t$-th observation in the $k$-th block and $T_{k-1}$ is the last moment of the previous block;
the maximum probability path end point sub-module is used for finding the end point of the overall maximum probability path according to the result of the last block;
the tactic label obtaining sub-module is used, for the times $t<T_K$ in the remaining blocks up to the last block, for obtaining each tactic label of the overall maximum probability path by iteratively following the back-pointers $\psi$.
Optionally, the mapping ATT and CK model location module comprises:
the mapping ATT and CK model position sub-module is used for mapping the optimal attack tactics obtained by solving according to the characteristic function and the conditional random field model, and determining the position of each attack tactic in the ATT and CK model through mapping;
a labeling tactics and techniques sub-module for, when the conditional random field model identifies a series of attack tactics, examining entries in the ATT and CK models and finding techniques associated with those tactics, labeling those tactics and techniques in the ATT and CK models in place, indicating their existence and relationship throughout the model.
The system 300 for constructing an attack graph of a novel power system based on ATT and CK according to this embodiment of the present invention corresponds to the method 100 for constructing an attack graph of a novel power system based on ATT and CK according to another embodiment of the present invention, and is therefore not described again here.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The solutions in the embodiments of the present application may be implemented in various computer languages, for example the object-oriented programming language Java and the interpreted scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (12)

1. A method for constructing an attack graph of a novel power system based on ATT and CK, comprising:
Collecting safety data related to the safety of a novel power system, and acquiring an observation sequence;
mapping each observation event in the observation sequence to a corresponding ATT and CK technique or tactic through a feature function, and establishing a conditional random field model;
parallelizing the conditional random field model training, and updating model parameters;
dividing the observation sequence into a plurality of blocks, and solving an optimal attack tactical sequence;
mapping the solved optimal attack tactics according to the characteristic function and the conditional random field model, and determining the position of each attack tactic in the ATT and CK models;
an attack graph is constructed based on the location of each attack tactic in the ATT and CK models and the optimal attack tactic sequence.
2. The method of claim 1, wherein safety data relating to safety of the novel power system is collected, an observation sequence is obtained,
collecting and sorting security data related to the security of the novel power system, including attack events, behavior events and log records;
obtaining an observation sequence according to the safety data: $O=\{o_1,o_2,\dots,o_T\}$, where each observation event $o_i$ corresponds to a feature vector.
3. The method according to claim 1, characterized in that mapping each observation event $o_i$ in the observation sequence to the corresponding ATT and CK technique or tactic through a feature function, and establishing a conditional random field model, comprises:
according to the ATT and CK model and the characteristics of the power system, mapping each observation event $o_i$ to the corresponding ATT and CK technique or tactic, specifically by defining a feature function $f(y_{t-1},y_t,o_t)$, where $y_t$ represents the attack tactic label and $y_{t-1}$ is the label at the previous moment;
each observation event has certain feature values, and the feature function considers features of several aspects, including the source IP address, destination IP address, operation type, timestamp and protocol; by defining the feature function, each observation event is mapped to one or more ATT and CK techniques or tactics;
establishing a conditional random field model, which is an undirected graph model expressed in terms of the following quantities: $Y$ is the attack tactic sequence, $X$ is the observation sequence, $\lambda_k$ is a weight parameter of the model, $t_k$ is the corresponding feature function and $Z(X)$ is the normalization factor.
4. The method according to claim 1, wherein parallelizing the conditional random field model training, updating model parameters, comprises:
estimating the weight parameters $\lambda_k$ of the conditional random field model by maximizing a log-likelihood function on the training data: for a given observation sequence $O$ and a real attack tactic sequence $Y$, the likelihood function is expressed in terms of the feature functions $t_k(y_{t-1},y_t,o_t)$ and the parameters $\lambda_k$, which describe the feature weights of the attack tactic sequence given the observation sequence, and the logarithm $\log Z(X;\lambda)$ of the normalization factor, which is used to calculate the probability distribution of the conditional random field;
dividing the training data into a plurality of batches, each batch being processed by a different computing unit, and defining the log-likelihood function of each batch as $L_b(\lambda)$, where $b$ is the index of the batch; the overall log-likelihood function is the sum of all batch log-likelihood functions, where $N$ is the number of batches and $M$ is the sample size of each batch; the batch log-likelihood function can be further expanded over its samples, where $Y_i$ and $X_i$ represent the actual attack tactic sequence and the observation sequence of the $i$-th sample, respectively;
in the parallelization training process, the log-likelihood function of each batch is independently distributed to different computing units for computation, the gradient of the batch log-likelihood function is computed on each computing unit, and each computing unit is summarized to update the model parameters.
5. The method of claim 1, wherein dividing the observation sequence into a plurality of blocks, solving an optimal attack tactical sequence, comprises:
dividing the observation sequence $O$ into $K$ blocks, each block containing consecutive observation data: $O=\{O_1,O_2,\dots,O_K\}$, the number and size of the blocks being adjusted according to the system requirements and computing resources;
assigning each block to a different processing unit or thread for parallel processing, and applying a sequence Viterbi algorithm within each block to calculate the maximum probability path and the optimal attack tactic sequence; initializing the dynamic programming variables and feature functions for the first block $O_1$: define the dynamic programming variable $\delta_{1,t}(j)$, which represents the log probability of the most probable path ending in attack tactic $j$ at time $t$ of the first block, and define $\psi_{1,t}(j)$, which represents the index of the previous tactic in the most probable path ending in attack tactic $j$ at time $t$ of the first block; for $t=1$, i.e. the initial time of the first block, set $\delta_{1,1}(j)=\lambda_j\, i_1(j,o_{1,t})$, where $o_{1,t}$ is the first observation in the first block and $i_1$ is the feature function of the attack tactics at the initial time, and likewise set $\psi_{1,1}(j)=0$;
recursively calculating the dynamic programming variables: for $t>1$, the variables are updated as follows:
$\delta_{1,t}(j)=\max_i\bigl(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\bigr)$
$\psi_{1,t}(j)=\arg\max_i\bigl(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\bigr)$
where $i$ is the index of the attack tactic sequence and $i_t$ is the feature function at time $t$;
merging the maximum probability path and the optimal tactic sequence of each block according to the state transition relation between adjacent blocks, from the second block to the last block;
updating the dynamic programming variables and the feature function according to the state transition relation of the adjacent blocks: the last tactic of the optimal tactic sequence of the adjacent block is added to the head of the observation sequence of the current block, and the dynamic programming variables are updated:
$\delta_{k,t}(j)=\max_i\bigl(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\bigr)$
$\psi_{k,t}(j)=\arg\max_i\bigl(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\bigr)$
where $o_{k,t}$ is the $t$-th observation in the $k$-th block and $T_{k-1}$ is the last moment of the previous block;
finding the end point of the overall maximum probability path according to the result of the last block;
for the times $t<T_K$ in the remaining blocks up to the last block, obtaining each tactic label of the overall maximum probability path by iteratively following the back-pointers $\psi$.
6. The method of claim 1, wherein mapping the solved optimal attack tactics sequence based on the eigenfunctions and the conditional random field model to determine the location of each attack tactic in the ATT and CK models comprises:
mapping the solved optimal attack tactics according to the characteristic function and the conditional random field model, and determining the position of each attack tactic in the ATT and CK models through mapping;
when the conditional random field model identifies a series of attack tactics, the entries in the ATT and CK models are examined and the techniques associated with these tactics are found, marked in the ATT and CK models in the appropriate locations, indicating their existence and relationship throughout the model.
7. A system for constructing an attack graph for a novel power system based on ATT and CK, comprising:
the observation sequence acquisition module is used for collecting safety data related to the safety of the novel power system and acquiring an observation sequence;
a conditional random field model module is established for mapping each observation event in the observation sequence to a corresponding ATT and CK technology or tactic through a characteristic function, and a conditional random field model is established;
the model parameter updating module is used for parallelizing the conditional random field model training and updating model parameters;
the optimal attack tactical sequence solving module is used for dividing the observation sequence into a plurality of blocks and solving the optimal attack tactical sequence;
the ATT and CK model position mapping module is used for mapping the optimal attack tactical sequence solved by the optimal attack tactical sequence solving module according to the characteristic function and the conditional random field model, so as to determine the position of each attack tactic in the ATT and CK models;
and the attack graph constructing module is used for constructing an attack graph according to the position of each attack tactic in the ATT and CK models and the optimal attack tactic sequence.
8. The system of claim 7, wherein the means for obtaining the observation sequence comprises:
The safety data collecting sub-module is used for collecting and sorting safety data related to the safety of the novel power system, including attack events, behavior events and log records;
the observation sequence acquisition sub-module is used for acquiring an observation sequence from the safety data: $O=\{o_1,o_2,\dots,o_T\}$, where each observation event $o_i$ corresponds to a feature vector.
9. The system of claim 7, wherein establishing the conditional random field model module comprises:
a mapping observation event sub-module for mapping each observation event $o_i$ to the corresponding ATT and CK technique or tactic according to the ATT and CK models and the characteristics of the power system, in particular by defining a characteristic function $f(y_{t-1},y_t,o_t)$, where $y_t$ represents the attack tactical label at time $t$ and $y_{t-1}$ is the label at the previous moment;
each observation event has certain characteristic values, and the characteristic function considers characteristics of several aspects, including the source IP address, destination IP address, operation type, time stamp and protocol, and maps each observation event to one or more ATT and CK techniques or tactics through the defined characteristic function;
a conditional random field model building sub-module for building the conditional random field model, which is an undirected graph model, expressed as: where $Y$ is the attack tactical sequence, $X$ is the observation sequence, $\lambda_k$ is a weight parameter of the model, $t_k$ is the corresponding characteristic function and $Z(X)$ is the normalization factor.
10. The system of claim 7, wherein updating the model parameters module comprises:
a weight parameter estimating sub-module for estimating the weight parameters $\lambda_k$ of the conditional random field model by maximizing the log-likelihood function on the training data: for a given observation sequence $O$ and real attack tactical sequence $Y$, the likelihood function may be expressed as: where the characteristic function $t_k(y_{t-1},y_t,o_t)$ and the parameter $\lambda_k$ describe the feature weight of the attack tactical sequence given the observation sequence, and the logarithm $\log Z(X;\lambda)$ of the normalization factor is used to compute the probability distribution of the conditional random field;
a training data batching sub-module for dividing the training data into a plurality of batches, each processed by a different computing unit, defining the log-likelihood function of each batch as $L_b(\lambda)$, where $b$ is the index of the batch, and representing the overall log-likelihood function as the sum of all batch log-likelihood functions, $\sum_{b=1}^{N} L_b(\lambda)$, where $N$ is the number of batches and $M$ is the sample size of each batch; within a batch the log-likelihood function can be further expanded over its samples, where $Y_i$ and $X_i$ represent the real attack tactical sequence and the observation sequence of the $i$-th sample, respectively;
and the model parameter updating sub-module is used, in the parallelized training process, for independently distributing the log-likelihood function of each batch to a different computing unit, computing the gradient of the batch log-likelihood function on each computing unit, and aggregating the gradients from all computing units to update the model parameters.
11. The system of claim 7, wherein solving the optimal attack tactical sequence module comprises:
the observation sequence partitioning sub-module is used for dividing the observation sequence $O$ into $K$ blocks, each containing consecutive observation data: $O=\{O_1,O_2,\dots,O_K\}$, where the number and size of the blocks are adjusted according to the system requirements and the available computing resources;
the parallel block processing sub-module is used for distributing each block to a different processing unit or thread for parallel processing and applying the sequential Viterbi algorithm within each block to compute the maximum probability path and the optimal attack tactical sequence; initializing the dynamic programming variables and characteristic functions: for the first block $O_1$, the dynamic programming variable $\delta_{1,t}(j)$ is defined as the logarithmic probability of the most probable path ending with attack tactic $j$ at time $t$ of the first block, and $\psi_{1,t}(j)$ is defined as the index of the previous tactic in the most probable path ending with attack tactic $j$ at time $t$ of the first block; for $t=1$, i.e. the initial time of the first block, $\delta_{1,1}(j)=\lambda_j\, i_1(j,o_{1,t})$ is set, where $o_{1,t}$ is the first observation in the first block and $i_1$ is the characteristic function of the attack tactic at the initial time, and likewise $\psi_{1,1}(j)=0$;
the update variable sub-module is used for recursively calculating the dynamic programming variables: for $t>1$, the variables are updated as follows:
$$\delta_{1,t}(j)=\max_i\left(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\right)$$
$$\psi_{1,t}(j)=\arg\max_i\left(\delta_{1,t-1}(i)+\lambda_j\, i_t(i,j,o_{1,t})\right)$$
where $i$ is the index of the attack tactic and $i_t$ is the characteristic function at time $t$;
the adjacent block merging sub-module is used for merging the maximum probability path and the optimal tactical sequence of each block according to the state transition relation between adjacent blocks, merging from the second block through the last block;
the update dynamic programming variable sub-module is used for updating the dynamic programming variables and the characteristic function according to the state transition relation between adjacent blocks: the last tactic of the optimal tactical sequence of the previous block is added at the head of the observation sequence of the current block, and the dynamic programming variables are updated:
$$\delta_{k,t}(j)=\max_i\left(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\right)$$
$$\psi_{k,t}(j)=\arg\max_i\left(\delta_{k,t-1}(i)+\lambda_j\, i_t(i,j,o_{k,t})\right)$$
where $o_{k,t}$ is the $t$-th observation in the $k$-th block and $T_{k-1}$ is the last moment of the previous block;
the maximum probability path end point sub-module is used for finding the end point of the overall maximum probability path according to the result of the last block:
the tactical label obtaining sub-module is used, for the times $t<T_K$ in the blocks before the last block, for obtaining each tactical label of the overall maximum probability path by iteratively using $\psi$.
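The block-partitioned Viterbi decoding of claims 5 and 11, as an added worked example in Python; this is not the patent's code. The tactic labels, the weights standing in for $\lambda_j\, i_t(i,j,o)$ and the observation events are constructed for illustration, and each block is seeded with the final variables of the previous block, so the blocks are decoded in order here.

```python
from collections import namedtuple
# One observation event o_t with the feature fields named in claim 9 (constructed).
Observation = namedtuple("Observation", "src_ip dst_ip op_type protocol timestamp")
TACTICS = ["Initial Access", "Execution", "Persistence", "Lateral Movement"]
START = "<start>"  # virtual label preceding the first observation of block 1
# Constructed weights standing in for lambda_j * i_t(i, j, o): an emission part keyed
# by op_type and a transition part keyed by (previous tactic, tactic). Not trained.
EMISSION = {"phishing_mail": {"Initial Access": 3.0},
            "process_create": {"Execution": 3.0, "Persistence": 1.0},
            "registry_write": {"Persistence": 3.0},
            "smb_login": {"Lateral Movement": 3.0, "Initial Access": 0.5}}
TRANSITION = {(START, "Initial Access"): 1.0, ("Initial Access", "Execution"): 2.0,
              ("Execution", "Persistence"): 2.0, ("Execution", "Lateral Movement"): 1.0,
              ("Persistence", "Lateral Movement"): 2.0}

def feature_score(prev, tactic, obs):
    """Weighted characteristic function for the edge prev -> tactic at observation obs."""
    return EMISSION.get(obs.op_type, {}).get(tactic, 0.0) + TRANSITION.get((prev, tactic), 0.0)

def decode_block(block, delta, psi):
    """Viterbi recursion over one block, seeded with delta_{k-1,T_{k-1}} of the previous
    block (the START state for block 1). Backpointers psi_{k,t} are appended to psi."""
    for obs in block:
        new_delta, back = {}, {}
        for j in TACTICS:
            i_best = max(delta, key=lambda i: delta[i] + feature_score(i, j, obs))
            new_delta[j], back[j] = delta[i_best] + feature_score(i_best, j, obs), i_best
        psi.append(back)
        delta = new_delta
    return delta

def decode_blocks(observations, num_blocks):
    """Partition O into num_blocks consecutive blocks, decode them in order, then
    backtrack from the end point of the last block over all stored backpointers."""
    size = -(-len(observations) // num_blocks)  # ceiling division
    delta, psi = {START: 0.0}, []
    for start in range(0, len(observations), size):
        delta = decode_block(observations[start:start + size], delta, psi)
    best = max(delta, key=delta.get)  # end point of the overall maximum-probability path
    path, tag = [best], best
    for back in reversed(psi[1:]):  # psi[0] only points back at START
        tag = back[tag]
        path.append(tag)
    return path[::-1], delta[best]

# Constructed observation sequence O = {o_1, ..., o_5}; not real telemetry.
SAMPLE = [Observation("203.0.113.7", "10.0.0.5", "phishing_mail", "smtp", 1),
          Observation("10.0.0.5", "10.0.0.5", "process_create", "local", 2),
          Observation("10.0.0.5", "10.0.0.5", "registry_write", "local", 3),
          Observation("10.0.0.5", "10.0.0.20", "smb_login", "smb", 4),
          Observation("10.0.0.20", "10.0.0.20", "process_create", "local", 5)]
```

Because each block is seeded with the previous block's final $\delta$, decoding with any number of blocks yields the same path and score as decoding the whole sequence at once, which is the check worth running before trusting a partitioned decoder.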
12. The system of claim 7, wherein the map ATT and CK model location module comprises:
the mapping ATT and CK model position sub-module is used for mapping the optimal attack tactics obtained by solving according to the characteristic function and the conditional random field model, and determining the position of each attack tactic in the ATT and CK model through mapping;
a tactics and techniques labeling sub-module for, when the conditional random field model identifies a series of attack tactics, examining the entries in the ATT and CK models, finding the techniques associated with those tactics, and labeling those tactics and techniques at the appropriate locations in the ATT and CK models, indicating their existence and relationship throughout the model.
CN202311337827.7A 2023-10-16 2023-10-16 Method and system for constructing attack graph of novel power system based on ATT and CK Pending CN117834169A (en)

Publications (1)

Publication Number Publication Date
CN117834169A true CN117834169A (en) 2024-04-05

Family

ID=90517870

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311337827.7A Pending CN117834169A (en) 2023-10-16 2023-10-16 Method and system for constructing attack graph of novel power system based on ATT and CK

Country Status (1)

Country Link
CN (1) CN117834169A (en)


Legal Events

Date Code Title Description
PB01 Publication