WO2023151257A1 - Method and apparatus for simulating cyber kill chain, storage medium and electronic device - Google Patents


Info

Publication number
WO2023151257A1
Authority
WO
WIPO (PCT)
Prior art keywords
enterprise
kill chain
attack
learning model
information
Application number
PCT/CN2022/113829
Other languages
French (fr)
Chinese (zh)
Inventor
唐杰
吴龙平
莫建平
余凯
Original Assignee
三六零科技集团有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/901 Indexing; Data structures therefor; Storage structures
    • G06F 16/9024 Graphs; Linked lists
    • G06F 40/00 Handling natural language data
    • G06F 40/30 Semantic analysis
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 5/00 Computing arrangements using knowledge-based models
    • G06N 5/02 Knowledge representation; Symbolic representation
    • G06N 5/022 Knowledge engineering; Knowledge acquisition
    • G06N 5/04 Inference or reasoning models
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/30 Computing systems specially adapted for manufacturing

Definitions

  • the invention relates to the technical field of security detection, in particular to a method, device, storage medium and electronic device for simulating an attack kill chain.
  • enterprise environment security detection and security device capability assessment are broadly divided into two approaches: manual penetration testing, and automated breach and attack simulation (BAS).
  • although manual penetration testing can meet an enterprise's short-term detection needs, it has many deficiencies: limited familiarity with the enterprise environment, slow delivery, low efficiency, poor standardization, and limited controllability of tester behavior and data.
  • automated breach and attack simulation can perform full-coverage vulnerability detection on the target environment using a complete TTP content library and preset scenarios for automated simulated attacks. However, even when asset mapping has been done for the user environment, this approach has its own limitations and disadvantages: attacks on single-point assets cannot simulate an attack kill chain that matches the enterprise's real environment based on the degree of correlation between assets.
  • the purpose of the embodiments of the present invention is to provide a method, device, storage medium and electronic device for simulating attack kill chains, which compute the simulated attack kill chain in the enterprise environment through a knowledge graph and adapt to different enterprise environments, or to the ever-changing asset information of the same enterprise environment.
  • one aspect of the present invention provides a method for simulating an attack kill chain, including:
  • the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  • the historical attack events are represented in the form of graph data, and an initial graph representation learning model is constructed, including:
  • the historical attack events associated with the kill chain are represented in the form of graph data, and an initial graph representation learning model is constructed.
  • extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
  • performing training semantic analysis on the historical attack events to extract attack knowledge as a data set corpus includes:
  • sentence-level semantic dependency analysis is performed on the historical attack events after deep sentence segmentation of the text;
  • a data set corpus is prepared for the historical attack events after sentence semantic dependency analysis, and attack knowledge is extracted.
  • acquiring the enterprise target asset information and inputting it into the initial graph representation learning model for training to generate a kill chain path model includes:
  • the kill chain path model is generated by performing, during knowledge computation, time-series analysis on the entities representing TTP information in the initial graph representation learning model together with the kill chain scope in which each is located.
  • the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
  • acquiring the enterprise target asset information and mapping it to the entities representing enterprise target asset information in the initial graph representation learning model includes:
  • Another aspect of the present invention also provides a device for simulating the attack kill chain, including:
  • the knowledge graph construction module is used to obtain historical attack events and represent them in the form of graph data to construct an initial graph representation learning model;
  • the kill chain path generation module is used to obtain the target asset information of the enterprise, input it to the initial graph representation learning model for training, and generate the kill chain path model,
  • the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  • the historical attack events are represented in the form of graph data, and an initial graph representation learning model is constructed, including:
  • the historical attack events associated with the kill chain are represented in the form of graph data, and an initial graph representation learning model is constructed.
  • extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
  • performing training semantic analysis on the historical attack events to extract attack knowledge as a data set corpus includes:
  • sentence-level semantic dependency analysis is performed on the historical attack events after deep sentence segmentation of the text;
  • a data set corpus is prepared for the historical attack events after sentence semantic dependency analysis, and attack knowledge is extracted.
  • acquiring the enterprise target asset information and inputting it into the initial graph representation learning model for training to generate a kill chain path model includes:
  • the kill chain path model is generated by performing, during knowledge computation, time-series analysis on the entities representing TTP information in the initial graph representation learning model together with the kill chain scope in which each is located.
  • the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
  • acquiring the enterprise target asset information and mapping it to the entities representing enterprise target asset information in the initial graph representation learning model includes:
  • Another aspect of the present invention also provides a storage medium for storing a computer program for executing the above-mentioned intruder simulation attack detection method.
  • Another aspect of the present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and operable on the processor, wherein, when the processor executes the computer program, the above-mentioned intruder simulation attack detection method is realized.
  • an initial graph representation learning model is displayed in the form of a knowledge graph. Then, for different enterprise environments, enterprise target asset information is obtained and input into the initial graph representation learning model for training to generate a kill chain path model, and the kill chain path model is input into the intruder simulation system to evaluate enterprise security.
  • the method of the present invention computes the simulated attack kill chain in the enterprise environment through knowledge graphs. It can accurately infer the attack kill chain path that may occur, so as to make simulated intrusion and attack intelligent, improve the effectiveness of simulated attacks, adapt to different enterprise environments, and adapt to the ever-changing asset information in the same enterprise environment.
  • FIG. 1 is a schematic flow diagram of a method for simulating an attack kill chain provided by an embodiment of the present invention;
  • FIG. 2 is the specific flowchart of step S1;
  • FIG. 3 is the specific flowchart of step S2;
  • FIG. 4 is a schematic diagram of the structure of the device for simulating an attack kill chain of the present invention;
  • FIG. 5 is a schematic structural diagram of an electronic device.
  • Reference numerals: 500 - electronic device.
  • references in this specification to "one embodiment", "embodiment", "example embodiment" and the like mean that the described embodiment may include specific features, structures or characteristics, but not every embodiment must include those specific features, structures or characteristics. Furthermore, such expressions do not necessarily refer to the same embodiment. Further, when specific features, structures or characteristics are described in conjunction with an embodiment, whether or not explicitly described, it is within the knowledge of those skilled in the art to combine such features, structures or characteristics into other embodiments.
  • Embodiment 1 of the present invention provides a method for simulating an attack kill chain.
  • FIG. 1 shows a flow chart of the steps in this embodiment.
  • a method for simulating an attack kill chain may include the following steps:
  • Figure 2 is a specific flowchart corresponding to step S1, including:
  • extracting attack knowledge from the historical attack events and associating it with the kill chain includes: performing training semantic analysis on the historical attack events to extract attack knowledge as a data set corpus;
  • the TTP information in the attack knowledge and the enterprise target asset information are treated as entities, used as a training set corpus, and a relationship is established with the kill chain.
  • S12. Represent the historical attack events associated with the kill chain in the form of graph data, construct an initial graph representation learning model, and define each node of the graph data to represent TTP information and the enterprise target asset information.
  • the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  • FIG. 3 is a specific flowchart corresponding to step S2, including:
  • the generated kill chain path model can be sent to the BAS intruder simulation system to evaluate the security in the user environment according to the attack result.
  • the historical attack events associated with the kill chain are represented in the form of graph data, and an initial graph representation learning model is constructed, with the knowledge displayed in graph form. Then, for different enterprise environments, enterprise target asset information is obtained and input into the initial graph representation learning model for training to generate a kill chain path model, and the kill chain path model is input into the intruder simulation system to evaluate enterprise security.
  • the method of the present invention computes the simulated attack kill chain in the enterprise environment through knowledge graphs. It can accurately infer the attack kill chain path that may occur, so as to make simulated intrusion and attack intelligent, improve the effectiveness of simulated attacks, adapt to different enterprise environments, and adapt to the ever-changing asset information in the same enterprise environment.
  • because multiple assets are combined in the time-series analysis, the kill chain simulation method of the present invention can yield multiple combinations, and it is far more efficient than blind enumeration and invalid association. The kill chain is also based on constantly changing enterprise target asset information, such as new vulnerability information and new attack tactics, techniques and procedures (TTPs), which are constantly evolving and iterating.
  • Embodiment 2 of the present invention provides a method for simulating an attack kill chain, which may include the following steps:
  • Figure 2 is a specific flowchart corresponding to step S1, including:
  • extracting attack knowledge from the historical attack events and associating it with the kill chain includes: performing training semantic analysis on the historical attack events to extract attack knowledge as a data set corpus;
  • the TTP information in the attack knowledge and the enterprise target asset information are treated as entities, used as a training set corpus, and a relationship is established with the kill chain.
  • the historical attack events include structured, semi-structured and unstructured data.
  • training semantic analysis is performed on the historical attack events, involving data processing steps such as text preprocessing, deep hierarchical sentence segmentation, semantic dependency analysis of the target TTP language, vocabulary tokenization, synonym expansion, and model training and prediction, to extract attack knowledge from the historical attack events as a data set corpus;
  • the TTP information and the enterprise target asset information are used as entities, used as a training set corpus, and a relationship with the kill chain is established.
  • text preprocessing is performed on the historical attack events to reduce input randomness and the algorithm's input dimensionality, improving performance.
  • for example, the text of a historical attack event reads: "A Trojan horse program, after it runs, it will release the normal Tencent TP program TPHelper.exe and the malicious TPHelperBase.dll in the %TEMP% directory to constitute dll hijacking."
  • after preprocessing it is treated as: "A Trojan horse program, which will release normal Tencent TP program EXE files and malicious DLL files in a specific directory after running to constitute dll hijacking."
  • the TTP information in the data set corpus and the enterprise target asset information are treated as entities, used as the training set corpus, and a relationship is established with the kill chain.
  • S12. Represent the historical attack events associated with the kill chain in the form of graph data, construct an initial graph representation learning model, and define each node of the graph data to represent TTP information and the enterprise target asset information.
  • the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  • FIG. 3 is a specific flowchart corresponding to step S2, including:
  • the enterprise target asset information mainly includes enterprise hardware configuration information, enterprise software configuration information, and/or industry information to which the enterprise belongs.
  • the enterprise hardware configuration information mainly includes all hardware device information, such as servers, hosts, gateways, switches and routers in the DMZ and office areas, servers in the production area, industrial control equipment, etc.
  • the enterprise software configuration information mainly includes all software systems operated and used, such as business systems, OA systems, ERP systems, common tools for employees, etc., and all software systems and service systems installed on the above hardware to provide or support services.
  • the enterprise industry information identifies the industry to which the enterprise belongs, such as finance, tobacco, government and other industries; this information is easy to obtain.
  • by sorting out the version information, security patch information, vulnerability information, port information, protocols and enterprise industry information that exist in or are involved in the hardware and software services, the enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information is converted into the standard storage format of the knowledge graph, and enumerated and mapped to the entities representing the enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information in the initial graph representation learning model.
  • the generated kill chain path model can be sent to the BAS intruder simulation system to evaluate the security in the user environment according to the attack result.
  • the foregoing embodiments of the present invention can be applied to terminal equipment that simulates an attack kill chain; the terminal equipment can include palmtop computers, desktop computers, signature terminals that provide users with electronic signatures, mobile phones, PDAs (personal digital assistants) and so on, which are not limited in this embodiment of the present invention.
  • the terminal can support Windows, Android, iOS, Windows Phone and other operating systems.
  • Figure 4 shows a device 400 for simulating an attack kill chain, which can be applied to terminal equipment such as computers and can implement the above method for simulating an attack kill chain; it includes at least a knowledge graph construction module 401 and a kill chain path generation module 402, specifically:
  • a device 400 for simulating an attack kill chain comprising:
  • the knowledge graph construction module 401 is used to obtain historical attack events and represent them in the form of graph data to construct an initial graph representation learning model;
  • the kill chain path generation module 402 is used to obtain the target asset information of the enterprise, input it into the initial graph representation learning model for training, and generate a kill chain path model,
  • the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  • the historical attack events are represented in the form of graph data, and an initial graph representation learning model is constructed, including:
  • the historical attack events associated with the kill chain are represented in the form of graph data, and an initial graph representation learning model is constructed.
  • extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
  • performing training semantic analysis on the historical attack events to extract attack knowledge as a data set corpus includes:
  • sentence-level semantic dependency analysis is performed on the historical attack events after deep sentence segmentation of the text;
  • a data set corpus is prepared for the historical attack events after sentence semantic dependency analysis, and attack knowledge is extracted.
  • acquiring the enterprise target asset information and inputting it into the initial graph representation learning model for training to generate a kill chain path model includes:
  • the kill chain path model is generated by performing, during knowledge computation, time-series analysis on the entities representing TTP information in the initial graph representation learning model together with the kill chain scope in which each is located.
  • the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
  • acquiring the enterprise target asset information and mapping it to the entities representing enterprise target asset information in the initial graph representation learning model includes:
  • the present invention also provides a storage medium for storing a computer program for executing the method for simulating an attack kill chain as described in FIGS. 1-3 .
  • when executed by a computer, the computer program instructions can invoke or provide the method and/or technical solution according to the present invention through the operation of the computer.
  • the program instructions for invoking the method of the present invention may be stored in a fixed or removable storage medium, and/or transmitted through broadcast or other data streams in signal-bearing media, and/or stored in the storage medium of a running device.
  • an embodiment according to the present invention includes an electronic device 500 as shown in FIG. 5, which in some implementations includes a storage medium 501 for storing computer programs and a processor 502 for executing computer programs, wherein, when the computer program is executed by the processor, the electronic device is triggered to execute the methods and/or technical solutions of the foregoing embodiments; the electronic device 500 may be a terminal device such as a mobile phone or a computer.
  • the software program of the present invention can be executed by a processor to realize the above steps or functions.
  • the software program (including associated data structures) of the present invention can be stored in a computer-readable recording medium such as RAM memory, magnetic or optical drive or floppy disk and the like.
  • the schedule reminding method according to the present invention can be implemented on a computer as a computer-implemented method, and the executable code or part thereof for the method according to the present invention can be stored on the computer program product.
  • Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software, and the like.
  • a computer program product comprises non-transitory program code means stored on a computer readable medium for performing the method according to the invention when said program product is executed on a computer.
  • the method for simulating attack kill chains extracts attack knowledge from the historical attack events and associates it with the kill chain, represents the historical attack events associated with the kill chain in the form of graph data, constructs an initial graph representation learning model, and displays it in the form of a knowledge graph. Then, for different enterprise environments, enterprise target asset information is obtained and input into the initial graph representation learning model for training to generate a kill chain path model, and the kill chain path model is input into the intruder simulation system to evaluate enterprise security.
  • the method of the present invention computes the simulated attack kill chain in the enterprise environment through knowledge graphs. It can accurately infer the attack kill chain path that may occur, so as to make simulated intrusion and attack intelligent, improve the effectiveness of simulated attacks, adapt to different enterprise environments, and adapt to the ever-changing asset information in the same enterprise environment.
  • because multiple assets are combined in the time-series analysis, the kill chain simulation method of the present invention can yield multiple combinations, and it is far more efficient than blind enumeration and invalid association. The kill chain is also based on constantly changing enterprise target asset information, such as new vulnerability information and new attack tactics, techniques and procedures (TTPs), which are constantly evolving and iterating.
  • the present invention discloses A1, a method for simulating the attack kill chain, comprising:
  • the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  • the historical attack events are represented in the form of graph data, and an initial graph representation learning model is constructed, including:
  • the historical attack events associated with the kill chain are represented in the form of graph data, and an initial graph representation learning model is constructed.
  • the attack knowledge is extracted from the historical attack events and associated with the kill chain, including:
  • the training semantic analysis is performed on the historical attack event, and the attack knowledge is extracted as a data set corpus, including:
  • sentence-level semantic dependency analysis is performed on the historical attack events after deep sentence segmentation of the text;
  • a data set corpus is prepared for the historical attack events after sentence semantic dependency analysis, and attack knowledge is extracted.
  • the acquisition of enterprise target asset information is input to the initial graph representation learning model for training to generate a kill chain path model, including:
  • the kill chain path model is generated by performing, during knowledge computation, time-series analysis on the entities representing TTP information in the initial graph representation learning model together with the kill chain scope in which each is located.
  • the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
  • acquiring the enterprise target asset information and mapping it to the entities representing enterprise target asset information in the initial graph representation learning model includes:
  • the present invention also discloses B7, a device for simulating an attack kill chain, including:
  • the knowledge graph construction module is used to obtain historical attack events and represent them in the form of graph data to construct an initial graph representation learning model;
  • the kill chain path generation module is used to obtain the target asset information of the enterprise, input it to the initial graph representation learning model for training, and generate a kill chain path model,
  • the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  • the historical attack event is represented in the form of graph data, and an initial graph representation learning model is constructed, including:
  • the historical attack events associated with the kill chain are represented in the form of graph data, and an initial graph representation learning model is constructed.
  • the attack knowledge is extracted from the historical attack events and associated with the kill chain, including:
  • the training semantic analysis is performed on the historical attack events, and the attack knowledge is extracted as a data set corpus, including:
  • sentence-level semantic dependency analysis is performed on the historical attack events after deep sentence segmentation of the text;
  • a data set corpus is prepared for the historical attack events after sentence semantic dependency analysis, and attack knowledge is extracted.
  • acquiring enterprise target asset information and inputting it into the initial graph representation learning model for training to generate a kill chain path model includes:
  • the kill chain path model is generated by performing time series analysis on the entity representing the TTP information in the initial graph representation learning model and the kill chain scope where it is located in the knowledge calculation.
  • the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
  • acquiring the enterprise target asset information and mapping it to the entity representing the enterprise target asset information in the initial graph representation learning model includes:
  • the present invention also discloses C13, a storage medium for storing a computer program for executing the method for simulating an attack kill chain described in any one of A1 to A6.
  • the present invention also discloses D14, an electronic device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the method for simulating an attack kill chain described in any one of A1 to A6.

Abstract

A method and apparatus for simulating a cyber kill chain, a storage medium and an electronic device. The method comprises: acquiring historical cyberattack events, representing them in the form of graph data, and constructing an initial graph representation learning model; and acquiring enterprise target asset information and inputting it into the initial graph representation learning model for training, so as to generate a kill chain path model, the kill chain path model being used as input to an intruder simulation system to evaluate enterprise security. The method computes a simulated cyber kill chain in an enterprise environment by means of a knowledge graph, and adapts to different enterprise environments or to the constantly changing asset information within the same enterprise environment.

Description

Method, device, storage medium and electronic device for simulating an attack kill chain
Technical field
The present invention relates to the technical field of security detection, and in particular to a method, device, storage medium and electronic device for simulating an attack kill chain.
Background
At present, enterprise environment security testing and security device capability assessment are basically divided into two approaches: manual penetration testing, and automated breach and attack simulation (BAS). Manual penetration testing can meet an enterprise's short-term testing needs, but it has many shortcomings in familiarity with the enterprise environment, later delivery, work efficiency, degree of standardization, and controllability of behavior and data. BAS can run automated simulated attacks against the target environment using full vulnerability detection, a full TTP content library and preset scenarios, but even when asset mapping of the user environment has been done, the approach still has its own limitations and drawbacks: it is mainly based on single-point asset attack behavior and cannot derive, from the correlations between assets, an attack kill chain that matches the enterprise's real environment.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a method, device, storage medium and electronic device for simulating an attack kill chain, which compute a simulated attack kill chain in an enterprise environment through a knowledge graph and adapt to different enterprise environments, or to the constantly changing asset information within the same enterprise environment.
To achieve the above object, one aspect of the present invention provides a method for simulating an attack kill chain, including:
acquiring historical attack events, representing them in the form of graph data, and constructing an initial graph representation learning model;
acquiring enterprise target asset information and inputting it into the initial graph representation learning model for training, to generate a kill chain path model,
the kill chain path model being used as input to an intruder simulation system to evaluate enterprise security.
Optionally, representing the historical attack events in the form of graph data and constructing an initial graph representation learning model includes:
extracting attack knowledge from the historical attack events and associating it with the kill chain;
representing the historical attack events associated with the kill chain in the form of graph data, and constructing the initial graph representation learning model.
Optionally, extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus;
taking the TTP information and the enterprise target asset information in the attack knowledge as entities, using them as a training set corpus, and establishing relationships with the kill chain.
Optionally, performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus includes:
performing text preprocessing and deep sentence segmentation on the historical attack events;
performing sentence semantic dependency analysis, using natural language processing techniques, on the historical attack events after deep sentence segmentation;
preparing a dataset corpus from the historical attack events after sentence semantic dependency analysis, and extracting attack knowledge.
Optionally, acquiring enterprise target asset information and inputting it into the initial graph representation learning model for training to generate a kill chain path model includes:
acquiring the enterprise target asset information and mapping it to the entities that represent the enterprise target asset information in the initial graph representation learning model;
performing, in knowledge computing, time series analysis on the entities that represent the TTP information in the initial graph representation learning model and the kill chain scope in which they lie, to generate the kill chain path model.
Optionally, the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information;
acquiring the enterprise target asset information and mapping it to the entities that represent the enterprise target asset information in the initial graph representation learning model includes:
converting the enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information into the standard storage format of the knowledge graph, and performing an enumeration mapping against the entities that represent enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information in the initial graph representation learning model.
Another aspect of the present invention provides a device for simulating an attack kill chain, including:
a knowledge graph construction module, configured to acquire historical attack events, represent them in the form of graph data, and construct an initial graph representation learning model;
a kill chain path generation module, configured to acquire enterprise target asset information and input it into the initial graph representation learning model for training, to generate a kill chain path model,
the kill chain path model being used as input to an intruder simulation system to evaluate enterprise security.
Optionally, representing the historical attack events in the form of graph data and constructing an initial graph representation learning model includes:
extracting attack knowledge from the historical attack events and associating it with the kill chain;
representing the historical attack events associated with the kill chain in the form of graph data, and constructing the initial graph representation learning model.
Optionally, extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus;
taking the TTP information and the enterprise target asset information in the attack knowledge as entities, using them as a training set corpus, and establishing relationships with the kill chain.
Optionally, performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus includes:
performing text preprocessing and deep sentence segmentation on the historical attack events;
performing sentence semantic dependency analysis, using natural language processing techniques, on the historical attack events after deep sentence segmentation;
preparing a dataset corpus from the historical attack events after sentence semantic dependency analysis, and extracting attack knowledge.
Optionally, acquiring enterprise target asset information and inputting it into the initial graph representation learning model for training to generate a kill chain path model includes:
acquiring the enterprise target asset information and mapping it to the entities that represent the enterprise target asset information in the initial graph representation learning model;
performing, in knowledge computing, time series analysis on the entities that represent the TTP information in the initial graph representation learning model and the kill chain scope in which they lie, to generate the kill chain path model.
Optionally, the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information;
acquiring the enterprise target asset information and mapping it to the entities that represent the enterprise target asset information in the initial graph representation learning model includes:
converting the enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information into the standard storage format of the knowledge graph, and performing an enumeration mapping against the entities that represent enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information in the initial graph representation learning model.
Another aspect of the present invention provides a storage medium for storing a computer program for executing the above-mentioned intruder simulation attack detection method.
Another aspect of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the above-mentioned intruder simulation attack detection method.
In the embodiments of the present invention, attack knowledge is extracted from the historical attack events and associated with the kill chain, and the historical attack events associated with the kill chain are represented in the form of graph data to construct an initial graph representation learning model, displayed in the form of a knowledge graph. Then, for each enterprise environment, enterprise target asset information is acquired and input into the initial graph representation learning model for training to generate a kill chain path model, which is used as input to an intruder simulation system to evaluate enterprise security. Unlike existing automated attack and intrusion simulation products, which can only simulate attacks through single-point assets or through inefficient correlation, the method of the present invention computes the simulated attack kill chain in the enterprise environment through a knowledge graph and can accurately infer the attack kill chain paths that may occur, thereby making simulated intrusion and attack intelligent, improving the effectiveness of simulated attacks, and adapting to different enterprise environments and to the constantly changing asset information within the same enterprise environment.
Brief description of the drawings
FIG. 1 is a schematic flowchart of the method for simulating an attack kill chain provided by an embodiment of the present invention;
FIG. 2 is a detailed flowchart of step S1;
FIG. 3 is a detailed flowchart of step S2;
FIG. 4 is a schematic structural diagram of the device for simulating an attack kill chain of the present invention;
in which: 400 - device for simulating an attack kill chain;
401 - knowledge graph construction module;
402 - kill chain path generation module;
FIG. 5 is a schematic structural diagram of the electronic device;
in which: 500 - electronic device;
501 - storage medium;
502 - processor.
Detailed description
In order to make the object, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
It should be noted that references in this specification to "one embodiment", "an embodiment", "an example embodiment" and the like mean that the described embodiment may include a particular feature, structure or characteristic, but not every embodiment necessarily includes that particular feature, structure or characteristic. Moreover, such phrases do not necessarily refer to the same embodiment. Further, when a particular feature, structure or characteristic is described in conjunction with an embodiment, whether or not explicitly described, it is within the knowledge of those skilled in the art to combine such a feature, structure or characteristic into other embodiments.
In addition, certain terms are used in the description and the following claims to refer to particular components or parts; those of ordinary skill in the art should understand that manufacturers may use different nouns or terms to refer to the same component or part. This description and the following claims do not distinguish components or parts by differences in name, but by differences in function. The terms "include" and "comprise" used throughout the specification and the following claims are open-ended terms and should therefore be interpreted as "including but not limited to".
Embodiment 1 of the present invention provides a method for simulating an attack kill chain. Referring to FIG. 1, which shows a flowchart of the steps of this embodiment:
a method for simulating an attack kill chain may include the following steps:
S1. Acquire historical attack events, represent them in the form of graph data, and construct an initial graph representation learning model.
In a specific implementation, as shown in FIG. 2, which is the detailed flowchart of step S1, this includes:
S11. Extract attack knowledge from the historical attack events and associate it with the kill chain.
In a specific implementation, extracting attack knowledge from the historical attack events and associating it with the kill chain includes: performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus; and taking the TTP information and the enterprise target asset information in the attack knowledge as entities, using them as a training set corpus, and establishing relationships with the kill chain.
S12. Represent the historical attack events associated with the kill chain in the form of graph data and construct an initial graph representation learning model, in which each node of the graph data is defined to represent TTP information or the enterprise target asset information.
S2. Acquire enterprise target asset information and input it into the initial graph representation learning model for training, to generate a kill chain path model,
the kill chain path model being used as input to an intruder simulation system to evaluate enterprise security.
In a specific implementation, as shown in FIG. 3, which is the detailed flowchart of step S2, this includes:
S21. Acquire enterprise target asset information and map it to the entities that represent enterprise target asset information in the initial graph representation learning model;
S22. Through knowledge computing, perform time series analysis on the entities that represent the TTP information in the initial graph representation learning model and the kill chain scope in which they lie, to generate the kill chain path model.
In this embodiment, the generated kill chain path model can subsequently be sent to the BAS intruder simulation system, and the security of the user environment is evaluated according to the attack results.
In this embodiment, attack knowledge is extracted from the historical attack events and associated with the kill chain; the historical attack events associated with the kill chain are represented in the form of graph data to construct an initial graph representation learning model, displayed in the form of a knowledge graph. Then, for each enterprise environment, enterprise target asset information is acquired and input into the initial graph representation learning model for training to generate a kill chain path model, which is used as input to an intruder simulation system to evaluate enterprise security. Unlike existing automated attack and intrusion simulation products, which can only simulate attacks through single-point assets or through inefficient correlation, the method of the present invention computes the simulated attack kill chain in the enterprise environment through a knowledge graph and can accurately infer the attack kill chain paths that may occur, thereby making simulated intrusion and attack intelligent, improving the effectiveness of simulated attacks, and adapting to different enterprise environments and to the constantly changing asset information within the same enterprise environment. It should be noted that although the kill chain simulation method of the present invention may yield multiple kill chains because of the combinations of multiple assets in the time series analysis, it is far more efficient than blind enumeration and invalid correlation, and the kill chains evolve and iterate continuously based on changing enterprise target asset information, such as new vulnerability information and new attack tactics, techniques and procedures (TTPs).
Embodiment 2 of the present invention provides a method for simulating an attack kill chain, which may include the following steps:
S1. Acquire historical attack events, represent them in the form of graph data, and construct an initial graph representation learning model.
In a specific implementation, as shown in FIG. 2, which is the detailed flowchart of step S1, this includes:
S11. Extract attack knowledge from the historical attack events and associate it with the kill chain.
In a specific implementation, extracting attack knowledge from the historical attack events and associating it with the kill chain includes: performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus; and taking the TTP information and the enterprise target asset information in the attack knowledge as entities, using them as a training set corpus, and establishing relationships with the kill chain.
In a specific implementation, the historical attack events come from structured, semi-structured and unstructured data. In this embodiment, training semantic analysis is performed on the historical attack events, specifically including text preprocessing, deep sentence segmentation, semantic dependency analysis of the target TTP statements, lexical tokenization, synonym expansion, and model training and prediction, among other data processing steps, to extract attack knowledge from the historical attack events as a dataset corpus; the TTP information and the enterprise target asset information in the attack knowledge are taken as entities, used as a training set corpus, and relationships are established with the kill chain.
In this embodiment, text preprocessing is performed on the historical attack events to reduce the randomness of the input and thereby the input dimensionality of the algorithm, improving performance. For example, the text of a historical attack event reading "A Trojan program which, after running, drops the legitimate Tencent TP program TPHelper.exe and the malicious TPHelperBase.dll into the %TEMP% directory to form a DLL hijack." is preprocessed into "A Trojan program which, after running, drops a legitimate Tencent TP program EXE file and a malicious DLL file into a specific directory to form a DLL hijack.". Then deep sentence segmentation is applied to the preprocessed historical attack events, so that each sentence to be analyzed expresses TTP information independently; specifically, sentences may be split at the punctuation marks that end a Chinese sentence or at the coordinating conjunctions appearing in the text. Then, using natural language processing techniques, sentence semantic dependency analysis is performed on the segmented historical attack events: the complex and variable ways of describing an attack are standardized and unified, and the tools used by the attacker, the approach or method, the spatial location, the scope of execution and the effect achieved are normalized into standard slots for output. A dataset corpus is built from the historical attack events after semantic dependency analysis and attack knowledge is extracted; high-frequency keywords in the corpus are expanded with synonyms to improve the recall of subsequent model prediction. For example, "The Trojan collects account names in the domain." is expanded into "The Trojan collects user names in the domain.", "The Trojan collects user accounts in the domain.", "The Trojan harvests user login names in the domain.", and so on. Finally, the TTP information and the enterprise target asset information in the dataset corpus are taken as entities, used as the training set corpus, and relationships are established with the kill chain.
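The preprocessing, segmentation, slot extraction and synonym expansion steps described above, as an added Python example that is not part of the patent; the regexes, the slot names (tool/action/object/location), the synonym table and the sample reports are constructed assumptions, the sample sentences paraphrase the two examples in the text, and the regex slot filler stands in for a real dependency parser.

```python
"""Toy version of the report-normalisation pipeline described above.

Added example, not code from the patent. Regexes, slot names, synonym
table and sample reports are constructed assumptions standing in for the
NLP models the text refers to.
"""
from __future__ import annotations

import itertools
import re

# Step 1: text preprocessing. Concrete file names and environment-variable
# directories are replaced by generic tokens, so that reports describing the
# same TTP with different artefact names collapse onto the same input.
_EXE_RE = re.compile(r"\b[\w.-]+\.exe\b", re.I)
_DLL_RE = re.compile(r"\b[\w.-]+\.dll\b", re.I)
_ENVDIR_RE = re.compile(r"%[A-Za-z_]+%")


def preprocess(text: str) -> str:
    text = _EXE_RE.sub("EXE file", text)
    text = _DLL_RE.sub("DLL file", text)
    return _ENVDIR_RE.sub("specific", text)


# Step 2: deep sentence segmentation. Split at sentence-ending punctuation
# (Chinese or Western) and at coordinating conjunctions, so that each clause
# states one TTP on its own.
_SPLIT_RE = re.compile(r"\s*(?:[.;。；]|,\s*and then)\s*")


def segment(text: str) -> list[str]:
    return [c.strip() for c in _SPLIT_RE.split(text) if c.strip()]


# Step 3: stand-in for sentence semantic dependency analysis. A real system
# would use a dependency parser; this regex fills the same standard slots for
# simple "subject verb object [prep place]" clauses and returns None otherwise.
_CLAUSE_RE = re.compile(
    r"^(?:the|a|an)?\s*(?P<tool>[\w ]+?)\s+(?P<action>\w+s)\s+(?P<object>.+?)"
    r"(?:\s+(?:in|into|to|from)\s+(?P<location>.+?))?$",
    re.I,
)


def extract(clause: str) -> dict | None:
    m = _CLAUSE_RE.match(clause)
    if m is None:
        return None
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


# Step 4: synonym expansion of high-frequency keywords to raise the recall of
# the downstream model. Constructed table; in practice derived from the corpus.
SYNONYMS = {
    "collects": ["collects", "gathers", "harvests"],
    "account names": ["account names", "user names", "user accounts", "login names"],
}


def expand_synonyms(clause: str, synonyms: dict = SYNONYMS) -> list[str]:
    keys = [k for k in synonyms if k in clause]
    variants = []
    for choice in itertools.product(*(synonyms[k] for k in keys)):
        variant = clause
        for key, alt in zip(keys, choice):
            variant = variant.replace(key, alt)
        variants.append(variant)
    return variants  # the first variant is always the original clause


def build_corpus(reports: list[str]) -> list[tuple[str, dict | None]]:
    """Full pipeline: one (clause variant, extracted slots) record per variant."""
    corpus = []
    for report in reports:
        for clause in segment(preprocess(report)):
            slots = extract(clause)
            for variant in expand_synonyms(clause):
                corpus.append((variant, slots))
    return corpus


# Constructed sample reports paraphrasing the two examples in the text.
SAMPLE_REPORTS = [
    "A Trojan program which, after running, drops the legitimate Tencent TP "
    "program TPHelper.exe and the malicious TPHelperBase.dll into the %TEMP% "
    "directory to form a DLL hijack.",
    "The Trojan collects account names in the domain; the Trojan uploads the "
    "list to a remote server.",
]

if __name__ == "__main__":
    for variant, slots in build_corpus(SAMPLE_REPORTS):
        print(variant, "->", slots)
```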
S12. Represent the historical attack events associated with the kill chain in the form of graph data and construct an initial graph representation learning model, in which each node of the graph data is defined to represent TTP information or the enterprise target asset information.
S2. Acquire enterprise target asset information and input it into the initial graph representation learning model for training, to generate a kill chain path model,
the kill chain path model being used as input to an intruder simulation system to evaluate enterprise security.
In a specific implementation, as shown in FIG. 3, which is the detailed flowchart of step S2, this includes:
S21. Acquire enterprise target asset information and map it to the entities that represent enterprise target asset information in the initial graph representation learning model.
In a specific implementation, the enterprise target asset information mainly includes enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information. The enterprise hardware configuration information mainly covers all hardware device information, such as the servers, hosts, gateways, switches and routers in the DMZ and office areas, and the servers and industrial control equipment in the production area; the enterprise software configuration information mainly covers all software systems operated and used by the enterprise, such as business systems, OA systems, ERP systems and the tools employees commonly use, together with all software and service systems installed on the above hardware to provide or support services. The enterprise industry information identifies the industry the enterprise belongs to, such as finance, tobacco or government, and is easy to obtain. By compiling the version information, security patch information, vulnerability information, port information and protocols present in or involved with the hardware and software services, together with the enterprise industry information, the enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information are converted into the standard storage format of the knowledge graph and enumeration-mapped onto the entities that represent enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information in the initial graph representation learning model.
S22. Through knowledge computation, perform time-series analysis on the entities representing the TTP information in the initial graph representation learning model and on the kill chain scope in which they are located, to generate the kill chain path model.
In this embodiment, the generated kill chain path model can subsequently be sent to a BAS (breach and attack simulation) intruder simulation system, and the security of the user environment is evaluated according to the attack results.
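The asset mapping of S21 and the phase-ordered time-series analysis of S22, as one added toy example that is not the patent's code: constructed historical events become a TTP graph, an enterprise inventory is enumerated onto the graph's software entities, and walks that strictly advance through kill-chain phases yield ranked candidate paths for a BAS run. All TTP names, software versions, phases and events are constructed placeholders.

```python
"""Toy version of the patent's two stages (added example, not the patent's code).
Stage 1 turns historical attack events into graph data whose entities are TTPs,
kill-chain phases and the software each TTP was recorded against.  Stage 2 maps
enterprise asset records onto those entities and performs a phase-ordered
(time-series) walk to produce candidate kill-chain paths for a BAS system."""
from collections import defaultdict

# Kill-chain phases in time order; a path must advance through them.
PHASES = ["delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objectives"]

# Constructed attack knowledge: TTP -> (phase, software entity it was seen against).
# Software entities use the toy storage format "name:version".
TTP_INFO = {
    "ttp_phish_doc":       ("delivery",              "mail_gateway:2.1"),
    "ttp_office_macro":    ("exploitation",          "office_suite:2016"),
    "ttp_web_upload":      ("exploitation",          "web_app:3.4"),
    "ttp_service_persist": ("installation",          "host_os:win10"),
    "ttp_https_beacon":    ("command_and_control",   "host_os:win10"),
    "ttp_db_dump":         ("actions_on_objectives", "erp_db:12"),
}

# Constructed historical attack events: TTP sequences in the order observed.
HISTORICAL_EVENTS = [
    ["ttp_phish_doc", "ttp_office_macro", "ttp_service_persist", "ttp_https_beacon", "ttp_db_dump"],
    ["ttp_phish_doc", "ttp_office_macro", "ttp_https_beacon"],
    ["ttp_web_upload", "ttp_service_persist", "ttp_https_beacon", "ttp_db_dump"],
]


def build_graph(events):
    """Stage 1: attack knowledge as (subject, predicate, object) triples, plus a
    count of how often one TTP directly followed another in the events."""
    triples = set()
    follows = defaultdict(int)
    for ttp, (phase, software) in TTP_INFO.items():
        triples.add((ttp, "in_phase", phase))
        triples.add((ttp, "targets", software))
    for seq in events:
        for a, b in zip(seq, seq[1:]):
            follows[(a, b)] += 1
            triples.add((a, "followed_by", b))
    return triples, dict(follows)


def map_assets(asset_records):
    """Stage 2a: convert enterprise asset records into the graph's storage format
    and enumerate-map them onto known software entities.  Records with no
    matching entity are reported rather than silently dropped."""
    known = {software for _, software in TTP_INFO.values()}
    mapped, unmatched = set(), []
    for rec in asset_records:
        key = f"{rec['software']}:{rec['version']}"
        if key in known:
            mapped.add(key)
        else:
            unmatched.append(key)
    return mapped, unmatched


def kill_chain_paths(follows, mapped_assets, min_len=2):
    """Stage 2b: time-series analysis.  Keep only TTPs that target a mapped asset,
    keep only followed_by edges whose kill-chain phase strictly advances, and
    score each maximal path by the product of its edge counts."""
    applicable = {t for t, (_, sw) in TTP_INFO.items() if sw in mapped_assets}
    phase_idx = {t: PHASES.index(p) for t, (p, _) in TTP_INFO.items()}
    succ, has_pred = defaultdict(list), set()
    for (a, b), n in follows.items():
        if a in applicable and b in applicable and phase_idx[b] > phase_idx[a]:
            succ[a].append((b, n))
            has_pred.add(b)
    paths = []

    def walk(path, weight):
        if not succ[path[-1]]:           # maximal path reached
            if len(path) >= min_len:
                paths.append((path, weight))
            return
        for nxt, n in succ[path[-1]]:
            walk(path + [nxt], weight * n)

    for start in sorted(applicable - has_pred):   # TTPs with no applicable predecessor
        walk([start], 1)
    return sorted(paths, key=lambda p: (-p[1], p[0]))


def generate_for_enterprise(asset_records):
    """End to end: ranked paths to hand to the BAS system, plus the asset entries
    the graph could not map (a coverage gap the defender should know about)."""
    _, follows = build_graph(HISTORICAL_EVENTS)
    mapped, unmatched = map_assets(asset_records)
    return kill_chain_paths(follows, mapped), unmatched


if __name__ == "__main__":
    # Constructed enterprise inventory; web_app 2.0 has no matching graph entity.
    inventory = [{"software": "mail_gateway", "version": "2.1"},
                 {"software": "office_suite", "version": "2016"},
                 {"software": "host_os", "version": "win10"},
                 {"software": "erp_db", "version": "12"},
                 {"software": "web_app", "version": "2.0"}]
    ranked, gaps = generate_for_enterprise(inventory)
    for path, score in ranked:
        print(score, " -> ".join(path))
    print("unmapped assets:", gaps)
```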
It should be noted that, for simplicity of description, the method embodiments are all expressed as a series of action combinations, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
The foregoing embodiments of the present invention can be applied to terminal devices that simulate an attack kill chain. Such a terminal device may include a palmtop computer, a desktop computer, a signature terminal that lets users produce electronic signatures, a mobile phone, a PDA (Personal Digital Assistant) and so on, which is not limited in the embodiments of the present invention. The terminal may support operating systems such as Windows, Android, iOS and Windows Phone.
Referring to FIG. 4, FIG. 4 shows an apparatus 400 for simulating an attack kill chain. The apparatus 400 can be applied to terminal devices such as computers and can implement the method for simulating an attack kill chain shown in FIGS. 1 to 3. It includes at least a knowledge graph construction module 401 and a kill chain path generation module 402, specifically:
An apparatus 400 for simulating an attack kill chain, comprising:
a knowledge graph construction module 401, configured to obtain historical attack events, represent them in the form of graph data, and construct an initial graph representation learning model;
a kill chain path generation module 402, configured to obtain enterprise target asset information, input it into the initial graph representation learning model for training, and generate a kill chain path model,
where the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
Optionally, representing the historical attack events in the form of graph data and constructing the initial graph representation learning model includes:
extracting attack knowledge from the historical attack events and associating it with the kill chain;
representing the historical attack events associated with the kill chain in the form of graph data, and constructing the initial graph representation learning model.
Optionally, extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus;
taking the TTP information in the attack knowledge and the enterprise target asset information as entities, using them as a training set corpus, and establishing relationships with the kill chain.
Optionally, performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus includes:
performing text preprocessing and deep sentence segmentation on the historical attack events;
performing sentence-level semantic dependency analysis, using natural language processing techniques, on the historical attack events after deep sentence segmentation;
building a dataset corpus from the historical attack events after semantic dependency analysis, and extracting attack knowledge.
Optionally, obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating the kill chain path model includes:
obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information;
generating the kill chain path model by performing, in knowledge computation, time-series analysis on the entities representing the TTP information in the initial graph representation learning model and on the kill chain scope in which they are located.
Optionally, the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
and obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information includes:
converting the enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information into the standard storage format of the knowledge graph, and enumerating and mapping them onto the entities in the initial graph representation learning model that represent enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information.
The present invention also provides a storage medium for storing a computer program that executes the method for simulating an attack kill chain described with reference to FIGS. 1 to 3. For example, computer program instructions, when executed by a computer, may invoke or provide the method and/or technical solution according to the present invention through the operation of that computer. The program instructions that invoke the method of the present invention may be stored in a fixed or removable storage medium, and/or transmitted as a data stream over broadcast or other signal-bearing media, and/or stored in the storage medium of a device that runs according to the program instructions.
Here, an embodiment according to the present invention includes an electronic device 500 as shown in FIG. 5, which in some implementations includes a storage medium 501 for storing a computer program and a processor 502 for executing the computer program; when the computer program is executed by the processor, the electronic device is triggered to execute the methods and/or technical solutions of the foregoing embodiments. The electronic device 500 may be a terminal device such as a mobile phone or a computer.
It should be noted that the software program of the present invention can be executed by a processor to implement the above steps or functions. Likewise, the software program of the present invention (including related data structures) can be stored in a computer-readable recording medium, for example RAM memory, a magnetic or optical drive, a floppy disk or a similar device. The schedule reminder method according to the present invention can be implemented on a computer as a computer-implemented method, and the executable code, or part of it, for the method according to the present invention can be stored in a computer program product. Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software and the like. In some embodiments, a computer program product comprises non-transitory program code means stored on a computer-readable medium for performing the method according to the present invention when the program product is executed on a computer.
In summary, the method for simulating an attack kill chain provided by the present invention extracts attack knowledge from the historical attack events, associates it with the kill chain, represents the historical attack events associated with the kill chain in the form of graph data, and constructs an initial graph representation learning model displayed in the form of a knowledge graph. Then, for each enterprise environment, enterprise target asset information is obtained and input into the initial graph representation learning model for training to generate a kill chain path model, which is used as input to an intruder simulation system to evaluate enterprise security. Unlike existing automated attack and simulated intrusion products, which can only simulate attacks against single-point assets or through inefficient association, the method of the present invention computes the simulated attack kill chain in the enterprise environment through a knowledge graph and can accurately infer the attack kill chain paths that may occur. This makes simulated intrusions and attacks intelligent, improves the effectiveness of simulated attacks, and adapts both to different enterprise environments and to the constantly changing asset information within the same enterprise environment.
It should be noted that although the kill chain simulation method of the present invention may produce multiple kill chains because of the combinations of multiple assets in the time-series analysis, it is far more efficient than blind enumeration and invalid association, and the kill chain evolves and iterates continuously with the constantly changing enterprise target asset information, such as new vulnerability information and new attack tactics, techniques and procedures (TTPs).
Of course, the present invention may also have many other embodiments. Without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and modifications according to the present invention, and all such changes and modifications shall fall within the scope of protection of the appended claims of the present invention.
The present invention discloses A1, a method for simulating an attack kill chain, comprising:
obtaining historical attack events, representing them in the form of graph data, and constructing an initial graph representation learning model;
obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating a kill chain path model,
where the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
A2. The method according to A1, where representing the historical attack events in the form of graph data and constructing the initial graph representation learning model includes:
extracting attack knowledge from the historical attack events and associating it with the kill chain;
representing the historical attack events associated with the kill chain in the form of graph data, and constructing the initial graph representation learning model.
A3. The method according to A2, where extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus;
taking the TTP information in the attack knowledge and the enterprise target asset information as entities, using them as a training set corpus, and establishing relationships with the kill chain.
A4. The method according to A3, where performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus includes:
performing text preprocessing and deep sentence segmentation on the historical attack events;
performing sentence-level semantic dependency analysis, using natural language processing techniques, on the historical attack events after deep sentence segmentation;
building a dataset corpus from the historical attack events after semantic dependency analysis, and extracting attack knowledge.
A5. The method according to A3, where obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating the kill chain path model includes:
obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating the kill chain path model, including:
obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information;
generating the kill chain path model by performing, in knowledge computation, time-series analysis on the entities representing the TTP information in the initial graph representation learning model and on the kill chain scope in which they are located.
A6. The method according to A5, where
the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
and obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information includes:
converting the enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information into the standard storage format of the knowledge graph, and enumerating and mapping them onto the entities in the initial graph representation learning model that represent enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information.
The present invention also discloses B7, an apparatus for simulating an attack kill chain, comprising:
a knowledge graph construction module, configured to obtain historical attack events, represent them in the form of graph data, and construct an initial graph representation learning model;
a kill chain path generation module, configured to obtain enterprise target asset information, input it into the initial graph representation learning model for training, and generate a kill chain path model,
where the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
B8. The apparatus according to B7, where representing the historical attack events in the form of graph data and constructing the initial graph representation learning model includes:
extracting attack knowledge from the historical attack events and associating it with the kill chain;
representing the historical attack events associated with the kill chain in the form of graph data, and constructing the initial graph representation learning model.
B9. The apparatus according to B8, where extracting attack knowledge from the historical attack events and associating it with the kill chain includes:
performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus;
taking the TTP information in the attack knowledge and the enterprise target asset information as entities, using them as a training set corpus, and establishing relationships with the kill chain.
B10. The apparatus according to B9, where performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus includes:
performing text preprocessing and deep sentence segmentation on the historical attack events;
performing sentence-level semantic dependency analysis, using natural language processing techniques, on the historical attack events after deep sentence segmentation;
building a dataset corpus from the historical attack events after semantic dependency analysis, and extracting attack knowledge.
B11. The apparatus according to B9, where obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating the kill chain path model includes:
obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information;
generating the kill chain path model by performing, in knowledge computation, time-series analysis on the entities representing the TTP information in the initial graph representation learning model and on the kill chain scope in which they are located.
B12. The apparatus according to B7, where
the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information;
and obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information includes:
converting the enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information into the standard storage format of the knowledge graph, and enumerating and mapping them onto the entities in the initial graph representation learning model that represent enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information.
The present invention also discloses C13, a storage medium for storing a computer program for executing the method for simulating an attack kill chain according to any one of A1 to A6.
The present invention also discloses D14, an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the method for simulating an attack kill chain according to any one of A1 to A6.

Claims (10)

  1. A method for simulating an attack kill chain, characterized by comprising:
    obtaining historical attack events, representing them in the form of graph data, and constructing an initial graph representation learning model;
    obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating a kill chain path model,
    where the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  2. The method according to claim 1, characterized in that representing the historical attack events in the form of graph data and constructing the initial graph representation learning model comprises:
    extracting attack knowledge from the historical attack events and associating it with the kill chain;
    representing the historical attack events associated with the kill chain in the form of graph data, and constructing the initial graph representation learning model.
  3. The method according to claim 2, characterized in that extracting attack knowledge from the historical attack events and associating it with the kill chain further comprises:
    performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus;
    taking the TTP information in the attack knowledge and the enterprise target asset information as entities, using them as a training set corpus, and establishing relationships with the kill chain.
  4. The method according to claim 3, characterized in that performing training semantic analysis on the historical attack events and extracting attack knowledge as a dataset corpus further comprises:
    performing text preprocessing and deep sentence segmentation on the historical attack events;
    performing sentence-level semantic dependency analysis, using natural language processing techniques, on the historical attack events after deep sentence segmentation;
    building a dataset corpus from the historical attack events after semantic dependency analysis, and extracting attack knowledge.
  5. The method according to claim 3, characterized in that obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating the kill chain path model further comprises:
    obtaining enterprise target asset information, inputting it into the initial graph representation learning model for training, and generating the kill chain path model, including:
    obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information;
    generating the kill chain path model by performing, in knowledge computation, time-series analysis on the entities representing the TTP information in the initial graph representation learning model and on the kill chain scope in which they are located.
  6. The method according to claim 5, characterized in that
    the enterprise target asset information includes enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information;
    and obtaining the enterprise target asset information and mapping it onto the entities in the initial graph representation learning model that represent the enterprise target asset information comprises:
    converting the enterprise hardware configuration information, enterprise software configuration information, and/or enterprise industry information into the standard storage format of the knowledge graph, and enumerating and mapping them onto the entities in the initial graph representation learning model that represent enterprise hardware configuration information, enterprise software configuration information and/or enterprise industry information.
  7. An apparatus for simulating an attack kill chain, characterized by comprising:
    a knowledge graph construction module, configured to obtain historical attack events, represent them in the form of graph data, and construct an initial graph representation learning model;
    a kill chain path generation module, configured to obtain enterprise target asset information, input it into the initial graph representation learning model for training, and generate a kill chain path model,
    where the kill chain path model is used as input to an intruder simulation system to evaluate enterprise security.
  8. The apparatus according to claim 7, characterized in that representing the historical attack events in the form of graph data and constructing the initial graph representation learning model comprises:
    extracting attack knowledge from the historical attack events and associating it with the kill chain;
    representing the historical attack events associated with the kill chain in the form of graph data, and constructing the initial graph representation learning model.
  9. A storage medium, characterized in that it stores a computer program for executing the method for simulating an attack kill chain according to any one of claims 1 to 6.
  10. An electronic device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the method for simulating an attack kill chain according to any one of claims 1 to 6.
PCT/CN2022/113829 2022-02-11 2022-08-22 Method and apparatus for simulating cyber kill chain, storage medium and electronic device WO2023151257A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210127808.0 2022-02-11
CN202210127808.0A CN116633567A (en) 2022-02-11 2022-02-11 Method and device for simulating attack killing chain, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
WO2023151257A1 true WO2023151257A1 (en) 2023-08-17

Family

ID=87563504

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/113829 WO2023151257A1 (en) 2022-02-11 2022-08-22 Method and apparatus for simulating cyber kill chain, storage medium and electronic device

Country Status (2)

Country Link
CN (1) CN116633567A (en)
WO (1) WO2023151257A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117670264A (en) * 2024-02-01 2024-03-08 武汉软件工程职业学院(武汉开放大学) Automatic flow processing system and method for accounting data

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018071356A1 (en) * 2016-10-13 2018-04-19 Nec Laboratories America, Inc. Graph-based attack chain discovery in enterprise security systems
CN111049680A (en) * 2019-12-05 2020-04-21 中国科学院信息工程研究所 Intranet transverse movement detection system and method based on graph representation learning
US20200143052A1 (en) * 2018-11-02 2020-05-07 Microsoft Technology Licensing, Llc Intelligent system for detecting multistage attacks
CN111177417A (en) * 2020-04-13 2020-05-19 中国人民解放军国防科技大学 Security event correlation method, system and medium based on network security knowledge graph
CN111552973A (en) * 2020-06-02 2020-08-18 奇安信科技集团股份有限公司 Method and device for risk assessment of equipment, electronic equipment and medium
CN113961759A (en) * 2021-10-22 2022-01-21 北京工业大学 Anomaly detection method based on attribute map representation learning

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117670264A (en) * 2024-02-01 2024-03-08 武汉软件工程职业学院(武汉开放大学) Automatic flow processing system and method for accounting data
CN117670264B (en) * 2024-02-01 2024-04-19 武汉软件工程职业学院(武汉开放大学) Automatic flow processing system and method for accounting data

Also Published As

Publication number Publication date
CN116633567A (en) 2023-08-22

Similar Documents

Publication Publication Date Title
US11961021B2 (en) Complex application attack quantification, testing, detection and prevention
US10873596B1 (en) Cybersecurity alert, assessment, and remediation engine
US11188650B2 (en) Detection of malware using feature hashing
US20140337974A1 (en) System and method for semantic integration of heterogeneous data sources for context aware intrusion detection
CN108090351B (en) Method and apparatus for processing request message
CN108228875B (en) Log analysis method and device based on perfect hash
CN111813960B (en) Knowledge graph-based data security audit model device, method and terminal equipment
US11886818B2 (en) Method and apparatus for detecting anomalies in mission critical environments
Yao et al. Analysis of a delayed Internet worm propagation model with impulsive quarantine strategy
WO2023151257A1 (en) Method and apparatus for simulating cyber kill chain, storage medium and electronic device
Wang et al. Performance analysis of email systems under three types of attacks
US20190372998A1 (en) Exchange-type attack simulation device, exchange-type attack simulation method, and computer readable medium
CN105468975A (en) Method, device and system for tracking malicious code misinformation
Abaimov et al. A survey on the application of deep learning for code injection detection
CN115860117B (en) MDTA knowledge extraction method and system based on attack and defense behaviors
US20240054210A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Krstić et al. Machine learning applications in computer emergency response team operations
US11936686B2 (en) System, device and method for detecting social engineering attacks in digital communications
Purba et al. Extracting Actionable Cyber Threat Intelligence from Twitter Stream
Park Text-based phishing detection using a simulation model
US10121008B1 (en) Method and process for automatic discovery of zero-day vulnerabilities and exploits without source code access
Meyers et al. An automated post-mortem analysis of vulnerability relationships using natural language word embeddings
Luh et al. Advanced threat intelligence: detection and classification of anomalous behavior in system processes
Bhavitha et al. Continuous Digital System Analysis in different System Softwares Using Keyloggers to Validate the need of Security
Hance et al. Use of bash history novelty detection for identification of similar source attack generation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22925616

Country of ref document: EP

Kind code of ref document: A1