
CN119324817A - Network security threat tracing method and system based on association analysis - Google Patents


Info

Publication number: CN119324817A
Authority: CN (China)
Prior art keywords: attack, network security, threat, path, association analysis
Legal status: Pending (as listed by Google Patents; stated there as an assumption, not a legal conclusion)
Application number: CN202411446315.9A
Other languages: Chinese (zh)
Inventors: 赖成宾, 罗圣美, 刘志远, 彭远吉, 张少校
Current assignee: BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD; Nanjing Zhongfu Information Technology Co Ltd; Zhongfu Information Co Ltd; Zhongfu Safety Technology Co Ltd (Google Patents notes the assignee list may be inaccurate)
Original assignee: BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD; Nanjing Zhongfu Information Technology Co Ltd; Zhongfu Information Co Ltd; Zhongfu Safety Technology Co Ltd
Application filed by: BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD, Nanjing Zhongfu Information Technology Co Ltd, Zhongfu Information Co Ltd, Zhongfu Safety Technology Co Ltd
Priority to: CN202411446315.9A
Publication of: CN119324817A (legal status: pending)


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/12 Applying verification of the received information > H04L 63/126 Applying verification of the received information the source of the received data
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 18/00 Pattern recognition > G06F 18/10 Pre-processing; Data cleansing > G06F 18/15 Statistical pre-processing, e.g. techniques for normalisation or restoring missing data
    • G > G06 > G06F > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation > G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G > G06 > G06F > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/24 Classification techniques > G06F 18/243 Classification techniques relating to the number of classes > G06F 18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G > G06 > G06F > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/25 Fusion techniques > G06F 18/253 Fusion techniques of extracted features
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N 20/00 Machine learning > G06N 20/20 Ensemble learning
    • G > G06 > G06N > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/04 Architecture, e.g. interconnection topology > G06N 3/042 Knowledge-based neural networks; Logical representations of neural networks
    • G > G06 > G06N > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/04 Architecture, e.g. interconnection topology > G06N 3/0464 Convolutional networks [CNN, ConvNet]
    • G > G06 > G06N > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/08 Learning methods > G06N 3/098 Distributed learning, e.g. federated learning
    • H > H04 > H04L > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/04 Processing captured monitoring data, e.g. for logfile generation > H04L 43/045 Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
    • H > H04 > H04L > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H > H04 > H04L > H04L 63/00 > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic
    • H > H04 > H04L > H04L 63/00 > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service
    • H > H04 > H04L > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information


Abstract

The present invention belongs to the field of network security technology and provides a network security threat tracing method and system based on association analysis. The technical scheme is as follows: a network security situation map is constructed from multi-source network security data; based on the situation map, a graph mining algorithm performs association analysis on the attack elements to obtain association analysis results; based on those results, a multi-path tracing strategy traces the attack and determines the attack source and propagation path. The method can automatically identify potential threats, assess risks and find the optimal attack path, thereby improving the accuracy of threat identification and the efficiency of tracing, and providing a basis for subsequent defense and response measures.

Description

Network security threat tracing method and system based on association analysis
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network security threat tracing method and system based on association analysis.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the rapid development of network technology, network security threats have become increasingly complex and varied, and traditional security defense means can no longer meet actual demands. Situation awareness, an important branch of network security, helps users discover and handle security threats in time by monitoring and analyzing the security data of the network environment in real time: it collects massive amounts of information from the network, including log data, traffic information and alarm information, and uses techniques such as data analysis and graph mining to identify abnormal behavior and potential security threats, such as intrusion attempts and malware propagation. Deep analysis of the data with these techniques reveals the attacker's behavioral patterns and attack strategies.
Existing situation awareness schemes find it hard to keep pace with the rate at which real-time data changes, and the algorithms they adopt are inefficient on complex data. As a result, the system may lag when handling large-scale, high-speed network traffic and fail to reflect the latest network security situation in time. In addition, association analysis relies too heavily on expert knowledge bases and predefined rule sets, so the association between attack behaviors cannot be identified accurately when faced with novel or variant attacks. Traceability is generally weak: most systems can only sense that an attack exists, and cannot accurately trace information such as the specific source of the attack, the attack path or the attacker's identity.
Disclosure of Invention
In order to solve at least one technical problem in the background art, the invention provides a network security threat tracing method and system based on association analysis, which are used for realizing efficient identification, association analysis and attack tracing of network security threats by integrating various data sources and applying a graph mining algorithm, thereby effectively improving network defense capacity and security management level.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
the first aspect of the invention provides a network security threat tracing method based on association analysis, which comprises the following steps:
acquiring multi-source network security data;
Constructing a network security situation map based on the multi-source network security data;
Based on the network security situation map, performing association analysis on the attack elements with a graph mining algorithm to obtain association analysis results, which specifically comprises:
for the detection of known threats, matching network security data with the known threat modes in the established threat mode library to find potential threats and attack behaviors; for the detection of unknown threats, classifying and identifying nodes and edges in a network security situation map through a trained threat identification model, and finding potential threats and attack behaviors;
Performing risk assessment on potential threats and attack behaviors to obtain a risk assessment value;
analyzing the attack path by adopting depth-first search DFS to find an optimal attack path;
And tracing the attack by utilizing a multipath tracing strategy based on the correlation analysis result, and determining the attack source and the propagation path.
Further, the construction of the network security situation map based on the multi-source network security data comprises the steps of adopting a map model to extract the relation between entities in a network, constructing the network security situation map based on the relation between the entities, wherein nodes in the map represent hosts, servers and applications, edges represent communication and access control, and the weights of the edges are set according to the communication frequency and the access authority.
Further, for the detection of the known threat, a similarity calculation formula is adopted to calculate the similarity degree of the data to be evaluated and the threat mode so as to match the network security data with the known threat mode in an established threat mode library, and the threat mode library comprises an IP address black-and-white list, a traffic anomaly detection rule and a DDoS attack detection mode.
Further, for detection of unknown threats, the training process of the threat identification model includes:
Constructing a training dataset D = {(x_1, y_1), (x_2, y_2), ..., (x_n, y_n)}, where x_i is the feature vector of a node or edge and y_i is the corresponding label;
Training a machine learning model to obtain a classification function f(x) used to classify and identify newly input nodes or edges: when f(x) > 0 the node or edge is judged abnormal and possibly threatening, and when f(x) ≤ 0 it is judged normal and free of threat.
Further, the calculation formula of the risk evaluation value is:
where R(t_i) is the risk value of each threat t_i, w_j is the weight of the j-th indicator, i.e. the extent to which that indicator affects the final risk assessment, and A_ij is the score of the i-th threat on the j-th factor.
Further, the analyzing the attack path by using the depth-first search DFS to find an optimal attack path includes:
Traversing the network situation map to obtain all possible attack path sets;
And comparing the weights of different attack paths with the attribute labels, and finding the optimal attack path from the attack path set according to the set target including the shortest path and the minimum weight path.
Further, the tracing the attack by using the multi-path tracing strategy based on the correlation analysis result, and determining the attack source and the propagation path includes:
constructing a time line analysis, arranging network security data according to time sequence to form a time line, and analyzing key events in the time line;
Constructing a behavior chain according to the attack behaviors in the time line, analyzing modes in the behavior chain, designing heuristic functions, and evaluating the possible distance or cost from the current node to the attack source;
Starting from an attack target node, using a heuristic search algorithm to reversely traverse the graph, selecting an optimal next node to access according to the value of a heuristic function in the traversing process, comprehensively judging according to the heuristic function, a time line and behavior chain information when encountering a branch node, selecting the most probable attack path to trace back, and recording path information until the attack source is traced back or a feasible path can not be found any more, thereby determining the source.
A second aspect of the present invention provides a cyber security threat traceability system based on association analysis, comprising:
The data acquisition module is used for acquiring multi-source network security data;
the diagram construction module is used for constructing a network security situation diagram based on the multi-source network security data;
the association analysis module is used for carrying out association analysis on the attack elements by adopting a graph mining algorithm based on the network security situation graph to obtain association analysis results, and specifically comprises the following steps:
For the detection of known threats, matching network security data with the known threat modes in the established threat mode library to find potential threats and attack behaviors; for the detection of unknown threats, classifying and identifying nodes and edges in a network security situation map through a trained threat identification model, and finding potential threats and attack behaviors; performing risk assessment on potential threats and attack behaviors to obtain a risk assessment value, analyzing the attack path by adopting depth-first search DFS, and finding an optimal attack path;
And the tracing module is used for tracing the attack by utilizing a multi-path tracing strategy based on the correlation analysis result and determining the attack source and the propagation path.
A third aspect of the present invention provides a computer-readable storage medium.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of a cyber security threat tracing method based on correlation analysis as described above.
A fourth aspect of the invention provides a computer device.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps in a cyber security threat tracing method based on association analysis as described above when the program is executed by the processor.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention provides a correlation analysis algorithm based on machine learning and graph theory evaluation methods, a network security situation map is constructed based on multi-source network security data, and a graph mining algorithm is adopted to perform correlation analysis on attack elements to obtain a correlation analysis result based on the network security situation map, so that potential threats can be automatically identified, risks can be evaluated, optimal attack paths can be found, and threat identification accuracy and tracing efficiency are remarkably improved.
2. The invention introduces the graph mining technology into the field of network security situation awareness and attack traceability, and realizes comprehensive monitoring and deep analysis of network security threat by constructing a network situation graph and applying the efficient graph mining technology.
3. The invention provides a tracing mathematical model of a multipath tracing strategy determination algorithm, which can accurately determine the source and the propagation path of the attack, and the innovation point provides powerful support for tracing and defending network attacks.
4. According to the invention, the complex analysis result is presented in an intuitive and understandable form through a visualization technology, so that the innovation point is that the perception capability of a user on the network security situation and the understanding degree of attack tracing are improved, and the user experience and decision making efficiency are improved.
Additional aspects of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention.
FIG. 1 is a flowchart of a network security threat identification method based on association analysis and tracing provided by an embodiment of the invention;
FIG. 2 is a flowchart of a correlation analysis provided by an embodiment of the present invention;
Fig. 3 is a flowchart of tracing an attack by using a multi-path tracing policy according to an embodiment of the present invention.
Detailed Description
The invention will be further described with reference to the drawings and examples.
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the invention. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present invention. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
Example 1
As shown in fig. 1, the present embodiment provides a network security threat identification method based on association analysis and tracing, which includes the following steps:
step 1, acquiring multi-source network security data;
In this embodiment, the multi-source network data includes network traffic data, a system log, an application log, a security event log, and the like. Specifically, a packet capturing tool is used for collecting network traffic data, logs generated by a server, an operating system, an application program and the like are collected through a system log collector, and a security event log is obtained from security equipment and software.
Step 2, preprocessing the acquired multi-source network security data;
The collected data is preprocessed, cleaned and normalized to improve its accuracy and usability. Data cleaning removes duplicate, invalid and erroneous entries; data normalization standardizes information such as timestamps, IP addresses and port numbers.
Step 3, constructing a network security situation map based on the preprocessed multi-source network data;
In this embodiment, in the network security situation map, nodes in the map represent entities (such as hosts, servers, applications, etc.), edges represent relationships between the entities (such as communications, access control, etc.), and the weights of the edges may be set according to factors such as communications frequency, access rights, etc. To more intuitively represent the security state of the network, attribute tags such as security level, vulnerability information and the like can also be added to the nodes and edges.
In the embodiment, a graph model is adopted to extract the relation between entities in the network, a network security situation graph is constructed based on the relation between the entities, a subgraph mining algorithm in a graph mining technology is used to mine potential attack paths and modes, and the constructed graph reflects the actual structure and the security state of the network.
In this embodiment, the graph model selected is a graph convolutional network (GCN). A GCN is a deep learning model for processing graph data that extends the convolution operation to graph structures and can effectively capture both local and global features of the graph. Whereas a conventional convolutional neural network (CNN) is mainly used for regular data (such as the pixel grid of an image), a GCN can process irregular graph data (such as the entities in a network and the relationships between them).
In the GCN, the feature vector of a node is combined with the features of neighboring nodes through the adjacency matrix of the graph to update the node representation. This process is performed by a multi-layer convolution operation so that each node can gradually aggregate the characteristic information of its neighbors to form a richer representation.
The forward propagation formula of the GCN model is as follows:
where H^(l) is the node feature matrix of the l-th layer, the adjacency matrix of the graph has the identity matrix I added to represent self-connections, the degree matrix is that of this self-connected adjacency matrix, W^(l) is the weight matrix of the l-th layer, and σ is an activation function (ReLU);
the GCN enables each node to learn information from the whole graph through layer-by-layer convolution operation.
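To make the neighbor aggregation concrete, here is one graph-convolution layer in plain Python; this is an added illustration, not code from the patent. It assumes the standard symmetrically normalized GCN form, in which the self-connected adjacency matrix is scaled on both sides by the inverse square root of its degree matrix before being multiplied by H^(l) and W^(l); the three-node graph, its features and the weight matrices are constructed values.

```python
"""One GCN layer in pure Python: a node's features are mixed with its
neighbours' through the self-connected, degree-normalised adjacency matrix,
then projected by the layer weights and passed through ReLU (added example;
assumes the standard symmetric-normalised form)."""
import math


def normalized_adjacency(adj):
    """D^-1/2 (A + I) D^-1/2 for a 0/1 adjacency matrix given as a list of lists.
    Adding I gives every node a self-connection, so no degree is ever zero."""
    n = len(adj)
    a_tilde = [[adj[i][j] + (1 if i == j else 0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in a_tilde]          # degrees of A + I
    return [[a_tilde[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)]
            for i in range(n)]


def matmul(x, y):
    """Plain matrix product of two lists of lists."""
    return [[sum(x[i][k] * y[k][j] for k in range(len(y))) for j in range(len(y[0]))]
            for i in range(len(x))]


def relu(m):
    return [[max(0.0, v) for v in row] for row in m]


def gcn_layer(a_hat, h, w):
    """H(l+1) = ReLU(A_hat H(l) W(l))."""
    return relu(matmul(matmul(a_hat, h), w))


def propagate(adj, h, weights):
    """Apply one GCN layer per weight matrix; each layer lets a node absorb
    information from one more hop of the graph."""
    a_hat = normalized_adjacency(adj)
    for w in weights:
        h = gcn_layer(a_hat, h, w)
    return h


# constructed example: three entities in a line, node 0 - node 1 - node 2
ADJ = [[0, 1, 0],
       [1, 0, 1],
       [0, 1, 0]]
H0 = [[1.0, 0.0],      # two input features per node (constructed)
      [0.0, 1.0],
      [1.0, 1.0]]
W0 = [[1.0],           # first layer: 2 features -> 1 (weights would be learned)
      [-1.0]]
W1 = [[1.0]]           # second layer: 1 -> 1

if __name__ == "__main__":
    print("after 1 layer:", propagate(ADJ, H0, [W0]))
    print("after 2 layers:", propagate(ADJ, H0, [W0, W1]))
```

After one layer node 2 is zeroed by ReLU; after a second layer it is non-zero again because node 0's features have reached it through node 1, which is the "learn information from the whole graph" effect described above.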
And 4, carrying out deep analysis on the situation map by using a map mining algorithm, and carrying out association analysis on hidden security threat and attack behavior elements, wherein the method specifically comprises the following steps of:
Step 401, matching the acquired data with the known threat modes in the database by establishing a threat mode database, and finding out potential threats and attack behaviors;
The threat mode library includes an IP address blacklist and whitelist, traffic anomaly detection rules, DDoS attack detection modes and the like. During matching, similarity calculation algorithms (such as cosine similarity or Euclidean distance) evaluate how closely the data matches a threat mode.
Threat assessment analysis uses machine learning algorithms such as support vector machines (SVM) and random forests to classify and identify the nodes and edges of the network situation map.
Let the training dataset be D = {(x_1, y_1), (x_2, y_2), ..., (x_n, y_n)},
where x_i is the feature vector of a node or edge and y_i the corresponding label (normal or abnormal). Training the machine learning model yields a classification function f(x) for classifying and identifying newly entered nodes or edges: when f(x) > 0 the node or edge is judged abnormal and possibly threatening, and when f(x) < 0 it is judged normal and free of threat.
By combining similarity calculation and machine learning classification, the threat assessment algorithm can comprehensively utilize the detection capability of the known threat mode and the unknown threat, quickly identify the known threat mode by using a threat mode library and similarity calculation, and automatically learn and identify a new threat mode by a machine learning model (such as an SVM or random forest) for detecting the unknown threat. The combination mode can remarkably improve the comprehensiveness and accuracy of network security situation analysis, and realize more efficient and automatic threat detection and response.
Step 402, performing risk assessment on potential threats and attack behaviors;
After the threat is found, its potential impact on the user is evaluated. The risk assessment considers a plurality of factors such as the severity of the threat, the success rate of the attack, the possibility of being attacked and the like, adopts multi-attribute decision analysis to calculate the risk value of each threat, and generates a corresponding response scheme according to the risk value of the threat;
in this embodiment, risk assessment analysis adopts methods such as fuzzy comprehensive assessment or analytic hierarchy process, and the like, to perform risk assessment on the identified threat.
Let the risk set be T = {t_1, t_2, ..., t_m}, with R(t_i) the risk value of each threat t_i. Each threat may be a different type of attack behavior, such as a DDoS attack, malware infection or data leakage. Considering factors such as the severity, occurrence probability and scope of impact of each threat yields a risk assessment matrix A, where A_ij is the score of the i-th threat on the j-th factor. The comprehensive score of each threat is then computed to obtain its risk value R(t_i), providing a scientific basis for network security defense; the risk value R(t_i) of each threat is calculated as follows:
where w_j is the weight of the j-th indicator, i.e. the extent to which that indicator affects the final risk assessment, and A_ij is the score of threat t_i on that indicator;
Threats can be ranked and graded by the calculated risk value R(t_i): the higher the risk value, the greater the threat's potential impact on network security and the higher its handling priority.
Generating a corresponding response scheme according to the risk value of the danger, wherein the response scheme specifically comprises the following steps:
When the risk value R(t_i) is greater than the set first threshold, the threat is a high-risk threat, and the corresponding defense scheme is to isolate the infected system, close suspicious ports, and so on;
When the risk value R(t_i) is greater than the set second threshold, the threat is monitored and analyzed further and an emergency plan is prepared;
When the risk value R(t_i) is greater than the set third threshold, the threat is a low-risk threat and is checked periodically to ensure it does not evolve into a high risk.
In this embodiment, the first threshold value > the second threshold value > the third threshold value, and the specific value may be selected according to the actual situation.
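As an added example (not the patent's own code), the risk scoring and three-threshold triage of step 402 in Python. It assumes the comprehensive score is the weighted sum R(t_i) = Σ_j w_j A_ij over the indicators, which the text implies but does not print; the indicator names, weights, thresholds and threat scores are constructed.

```python
"""Multi-attribute risk scoring and triage for identified threats
(added example; assumes R(t_i) = sum_j w_j * A_ij with scores in [0, 1])."""

# w_j: weight of each indicator (constructed values; must sum to 1)
WEIGHTS = {"severity": 0.4, "success_rate": 0.2, "likelihood": 0.2, "impact_scope": 0.2}
# first > second > third, as the text requires (constructed values)
THRESHOLDS = (0.75, 0.5, 0.25)


def risk_value(scores, weights=WEIGHTS):
    """R(t_i) = sum_j w_j * A_ij for one threat's row of the assessment matrix A."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("indicator weights must sum to 1")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing indicator scores: {sorted(missing)}")
    for name, a in scores.items():
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"score for {name} out of range: {a}")
    return sum(weights[j] * scores[j] for j in weights)


def tier(r, thresholds=THRESHOLDS):
    """Map a risk value to the response scheme described in the text."""
    first, second, third = thresholds
    if not first > second > third:
        raise ValueError("thresholds must satisfy first > second > third")
    if r > first:
        return "high"        # isolate the infected system, close suspicious ports
    if r > second:
        return "medium"      # keep monitoring and analysing, prepare an emergency plan
    if r > third:
        return "low"         # re-check periodically so it does not escalate
    return "negligible"      # below every threshold; the text defines no scheme here


def rank_threats(matrix):
    """matrix A as {threat_id: {indicator: A_ij}} -> [(threat_id, R, tier)],
    sorted by risk value descending so the highest-priority threat comes first."""
    rows = []
    for threat, scores in matrix.items():
        r = risk_value(scores)
        rows.append((threat, r, tier(r)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# constructed risk assessment matrix A for three threats
THREATS = {
    "ddos-on-gateway": {"severity": 0.9, "success_rate": 0.8, "likelihood": 0.7, "impact_scope": 0.9},
    "malware-on-ws17": {"severity": 0.6, "success_rate": 0.5, "likelihood": 0.6, "impact_scope": 0.4},
    "leak-suspect-db": {"severity": 0.3, "success_rate": 0.4, "likelihood": 0.3, "impact_scope": 0.3},
}

if __name__ == "__main__":
    for threat, r, level in rank_threats(THREATS):
        print(f"{threat:18s} R={r:.2f} tier={level}")
```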
Step 403, analyzing the attack path by using depth-first search DFS based on graph traversal algorithm;
By analyzing data such as system logs, application logs, security event logs and the like, the mode and the way of an attacker entering the network are discovered. Analysis of the attack path helps the user to learn the general aspects of the attack and thus take more effective defensive measures.
The specific analysis process is as follows. Let the starting node be s and the target node t; the goal of the attack path analysis algorithm is to find the shortest path from s to t. By traversing the network security situation graph, the set of all possible paths P = {p_1, p_2, ..., p_k} is obtained. The optimal attack path is then found by comparing the weights and attribute labels of the different paths, providing a basis for formulating the defense strategy.
The process of finding out the optimal attack path by comparing the weights of different paths with the attribute labels is as follows:
Firstly, calculating path weights and attributes, and calculating the total weight and other attributes (such as path length, passing node types and the like) of the paths for each path P i epsilon P, wherein the path weights can be calculated by accumulating the weights of all edges in the paths:
Then, an optimal path is selected, and according to a set target (such as a shortest path, a minimum weighted path, or a path meeting certain specific properties), an optimal path is selected from the path set P, and the optimal path P * can be selected by the following formula:
And analyzing the selected optimal attack path p * to know the specific steps and actions possibly taken by an attacker, and formulating a corresponding defense strategy according to the analysis result of the attack path. For example, the defense of critical nodes may be reinforced, the monitoring effort increased, or potential vulnerabilities repaired.
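The following Python is an added example of step 403 (not the patent's own code): it enumerates all simple paths from $s$ to $t$ on a small constructed posture graph by iterative DFS, computes each path's accumulated edge weight, hop count and node types, and selects $p^*$ under the shortest-path, minimum-weight or "must pass through a node of type X" objective. The graph, its weights and the node types are assumptions; following claim 2 the nodes are hosts, servers and applications and the weights stand in for communication frequency and access rights, with a lower weight taken to mean an easier hop for the attacker.

```python
"""Attack-path analysis on a network security posture graph with depth-first search.

Added example, not the patent's own code. The posture graph, edge weights and
node types are constructed (assumed: lower edge weight = easier to traverse).
"""
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, List[Tuple[str, float]]]   # node -> [(neighbour, edge weight)]
Path = List[str]

# Constructed posture graph.
GRAPH: Graph = {
    "internet": [("web01", 1.0), ("vpn01", 2.0)],
    "web01":    [("app01", 1.5), ("db01", 4.0)],
    "vpn01":    [("jump01", 1.0)],
    "jump01":   [("app01", 1.0), ("db01", 1.5)],
    "app01":    [("db01", 1.0)],
    "db01":     [],
}
NODE_TYPE: Dict[str, str] = {
    "internet": "external", "web01": "server", "vpn01": "server",
    "jump01": "host", "app01": "application", "db01": "server",
}


def enumerate_paths(graph: Graph, s: str, t: str, max_depth: int = 8) -> List[Path]:
    """All simple paths s -> t by iterative DFS (explicit stack, no recursion limit).

    The number of simple paths is exponential on dense graphs, so `max_depth`
    (in hops) bounds the search; raise it deliberately, not by default.
    """
    paths: List[Path] = []
    stack: List[Tuple[str, Path]] = [(s, [s])]
    while stack:
        node, path = stack.pop()
        if node == t:
            paths.append(path)
            continue
        if len(path) - 1 >= max_depth:
            continue
        for nxt, _w in graph.get(node, []):
            if nxt not in path:            # simple paths only: never revisit a node
                stack.append((nxt, path + [nxt]))
    return paths


def path_weight(graph: Graph, path: Path) -> float:
    """Total weight = sum of the weights of the edges along the path."""
    total = 0.0
    for a, b in zip(path, path[1:]):
        total += next(w for n, w in graph[a] if n == b)
    return total


def path_attributes(graph: Graph, path: Path) -> Dict[str, object]:
    return {
        "weight": path_weight(graph, path),
        "length": len(path) - 1,
        "node_types": [NODE_TYPE[n] for n in path],
    }


def select_optimal(graph: Graph, paths: List[Path], objective: str = "min_weight",
                   via_type: Optional[str] = None) -> Optional[Path]:
    """Choose p* from the candidate set P.

    objective = "shortest": fewest hops (ties broken by weight);
    objective = "min_weight": lowest accumulated edge weight (ties broken by hops);
    via_type: keep only paths whose intermediate nodes include a node of that type.
    """
    candidates = paths
    if via_type is not None:
        candidates = [p for p in paths if any(NODE_TYPE[n] == via_type for n in p[1:-1])]
    if not candidates:
        return None
    if objective == "shortest":
        return min(candidates, key=lambda p: (len(p), path_weight(graph, p)))
    if objective == "min_weight":
        return min(candidates, key=lambda p: (path_weight(graph, p), len(p)))
    raise ValueError(f"unknown objective: {objective}")


if __name__ == "__main__":
    P = enumerate_paths(GRAPH, "internet", "db01")
    for p in P:
        print(" -> ".join(p), path_attributes(GRAPH, p))
    print("shortest  :", select_optimal(GRAPH, P, "shortest"))
    print("min_weight:", select_optimal(GRAPH, P, "min_weight"))
    print("via host  :", select_optimal(GRAPH, P, "min_weight", via_type="host"))
```

Exhaustive enumeration is what makes the attribute-constrained objectives possible, but it does not scale to a large, well-connected posture graph; when only the minimum-weight path is wanted, Dijkstra's algorithm gives it without enumerating $P$, and the depth bound above is the safeguard when enumeration is genuinely needed.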
Step 5: tracing the attack with a multi-path traceback strategy based on the association analysis result, and determining the attack source and propagation path;
To trace back the attack path comprehensively and improve tracing speed and accuracy, a multi-path traceback strategy is designed. The strategy combines timeline and behavior chain information and optimizes the traceback process with a heuristic search algorithm. As shown in Fig. 3, the specific steps are as follows:
Step 501: timeline construction and analysis. The collected logs, traffic data and the like are arranged in time order to form a timeline; key events in the timeline, such as abnormal logins, data leakage and malware installation, are analyzed to determine the time points and sequence of the attack behaviors;
Step 502: behavior chain construction. A behavior chain is built from the attack behaviors in the timeline, showing the ordered series of operations taken by the attacker. Patterns in the behavior chain are analyzed to identify the attacker's common methods and tools and possible variants of the attack pattern. A heuristic function is designed to estimate the likely distance or cost from the current node to the attack source, taking into account factors such as node degree, edge weight and attack behavior frequency;
Step 503: multi-path backtracking. Starting from the attack target node, the graph is traversed in reverse using a heuristic search algorithm. During traversal the next node to visit is chosen by the value of the heuristic function; at a branch node, the heuristic function, the timeline and the behavior chain information are weighed together to select the most probable attack path to follow, and the path information is recorded. This is repeated until the attack source is reached or no feasible path remains. The several paths obtained by backtracking are then analyzed, and the most probable attack path is determined in combination with the timeline and behavior chain information, thereby determining the source.
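The following Python is an added example of steps 501 to 503 together (not the patent's own code). It walks a constructed posture graph backwards from the target with a best-first search whose heuristic combines the three factors named in step 502 (node in-degree, edge weight, attack-event frequency); the timeline rules out any predecessor whose first attack event is not earlier than the current node's, which is how the behavior chain ordering enters the search. It records every complete path it finds and ranks them, rather than stopping at the first. The graph, the event timeline and the particular weighting inside the heuristic are assumptions.

```python
"""Multi-path traceback from the attack target to the most probable source.

Added example, not the patent's own code. The graph, the timeline and the
heuristic's weighting are constructed; the factors the heuristic combines
(in-degree, edge weight, attack-event frequency) are the ones step 502 names.
"""
import heapq
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Graph = Dict[str, List[Tuple[str, float]]]   # src -> [(dst, weight)], forward direction
Event = Tuple[int, str, str]                  # (epoch seconds, node, event type)

# Constructed posture graph; weight = observed communication frequency (assumed).
GRAPH: Graph = {
    "attacker_ext": [("vpn01", 3.0)],
    "partner_ext":  [("web01", 1.0)],
    "vpn01":        [("jump01", 2.0)],
    "web01":        [("app01", 5.0), ("jump01", 0.5)],
    "jump01":       [("fileserver", 4.0)],
    "app01":        [("fileserver", 1.0)],
    "fileserver":   [],
}
EXTERNAL: Set[str] = {"attacker_ext", "partner_ext"}

# Constructed timeline (step 501) of key events, in time order.
TIMELINE: List[Event] = [
    (1000, "vpn01",      "abnormal_login"),
    (1060, "jump01",     "malware_install"),
    (1100, "jump01",     "lateral_smb"),
    (1200, "fileserver", "data_exfil"),
    (1900, "web01",      "scan"),   # after the exfiltration: cannot be upstream of it
]


def build_reverse(graph: Graph) -> Dict[str, List[Tuple[str, float]]]:
    """dst -> [(src, weight)], so the search can step against the edge direction."""
    rev: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for src, edges in graph.items():
        for dst, w in edges:
            rev[dst].append((src, w))
    return rev


def first_event_time(timeline: List[Event]) -> Dict[str, int]:
    """Earliest attack event per node: the behaviour chain's ordering constraint."""
    first: Dict[str, int] = {}
    for ts, node, _ in sorted(timeline):
        first.setdefault(node, ts)
    return first


def event_frequency(timeline: List[Event]) -> Dict[str, int]:
    freq: Dict[str, int] = defaultdict(int)
    for _, node, _ in timeline:
        freq[node] += 1
    return freq


def heuristic(node: str, edge_w: float, rev, freq: Dict[str, int], max_w: float) -> float:
    """Estimated cost of stepping back onto `node` (lower = more probable source direction).

    Each term lies in [0, 1]: high in-degree (many equally plausible predecessors),
    a weak edge, and no observed attack activity on the node all raise the cost.
    """
    fan_in = len(rev.get(node, []))
    return fan_in / (1 + fan_in) + (1 - edge_w / max_w) + 1 / (1 + freq.get(node, 0))


def trace_back(graph: Graph, target: str, timeline: List[Event],
               externals: Set[str], max_paths: int = 10) -> List[Tuple[float, List[str]]]:
    """Best-first reverse traversal from `target`; returns (cost, path) pairs, cheapest first.

    A path ends at an external node (source reached) or at a node with no admissible
    predecessor (no feasible path remains). Paths are listed target-first.
    """
    rev = build_reverse(graph)
    first = first_event_time(timeline)
    freq = event_frequency(timeline)
    max_w = max(w for edges in graph.values() for _, w in edges)
    frontier: List[Tuple[float, List[str]]] = [(0.0, [target])]
    paths: List[Tuple[float, List[str]]] = []
    while frontier and len(paths) < max_paths:
        cost, path = heapq.heappop(frontier)
        node = path[-1]
        if node in externals or not rev.get(node):
            paths.append((cost, path))
            continue
        for pred, w in rev[node]:
            if pred in path:
                continue
            # Timeline constraint: a predecessor with observed attack activity must
            # have acted before the current node; unobserved hops stay admissible.
            if pred in first and node in first and first[pred] >= first[node]:
                continue
            heapq.heappush(frontier, (cost + heuristic(pred, w, rev, freq, max_w), path + [pred]))
    paths.sort(key=lambda cp: cp[0])
    return paths


def most_probable_source(graph: Graph, target: str, timeline: List[Event],
                         externals: Set[str]) -> Tuple[str, List[str], float]:
    """Source node, attack path in forward (source -> target) order, and its cost."""
    cost, path = trace_back(graph, target, timeline, externals)[0]
    return path[-1], list(reversed(path)), cost


if __name__ == "__main__":
    for cost, path in trace_back(GRAPH, "fileserver", TIMELINE, EXTERNAL):
        print(f"{cost:.2f}  " + " <- ".join(path))
    print("most probable:", most_probable_source(GRAPH, "fileserver", TIMELINE, EXTERNAL))
```

On the constructed data the branch at jump01 has two predecessors, vpn01 and web01; the edge from web01 is the strongest in the graph, but web01's only recorded event is a scan after the exfiltration, so the timeline check discards it and the search continues through vpn01 to attacker_ext. Keeping every completed path, not just the cheapest, is what lets an analyst see the runner-up (the partner_ext route via app01) and judge whether the heuristic's choice is defensible.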
Step 6: presenting the analysis results to the user in the form of charts, images and the like;
The analysis results are presented to the user as charts, images and the like to help the user intuitively understand the security posture and attack situation of the network. The visualized content includes the network traffic, system state, application state and security events monitored in real time, the results of historical data analysis, attack path diagrams and so on. Through these visual means the user can grasp the security condition of the network more comprehensively and make correct security decisions in time.
Example Two
This embodiment provides a network security threat tracing system based on association analysis, comprising:
a data acquisition module, for acquiring multi-source network security data;
a graph construction module, for constructing a network security posture graph based on the multi-source network security data;
an association analysis module, for performing association analysis on the attack elements with a graph mining algorithm based on the network security posture graph to obtain an association analysis result, which specifically comprises:
for the detection of known threats, matching the network security data against the known threat patterns in an established threat pattern library to find potential threats and attack behaviors; for the detection of unknown threats, classifying and identifying the nodes and edges in the network security posture graph with a trained threat identification model to find potential threats and attack behaviors; performing risk assessment on the potential threats and attack behaviors to obtain a risk assessment value; and analyzing the attack path with depth-first search (DFS) to find an optimal attack path;
and a tracing module, for tracing the attack with a multi-path traceback strategy based on the association analysis result and determining the attack source and propagation path.
Example Three
This embodiment provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the network security threat tracing method based on association analysis described above.
Example Four
This embodiment provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the network security threat tracing method based on association analysis described above.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Those skilled in the art will appreciate that implementing all or part of the methods of the above embodiments may be accomplished by a computer program stored on a computer-readable storage medium which, when executed, may perform the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A network security threat tracing method based on association analysis, characterized by comprising the following steps:
acquiring multi-source network security data;
constructing a network security posture graph based on the multi-source network security data;
based on the network security posture graph, performing association analysis on the attack elements with a graph mining algorithm to obtain an association analysis result, which specifically comprises:
for the detection of known threats, matching the network security data against the known threat patterns in an established threat pattern library to find potential threats and attack behaviors; for the detection of unknown threats, classifying and identifying the nodes and edges in the network security posture graph with a trained threat identification model to find potential threats and attack behaviors;
performing risk assessment on the potential threats and attack behaviors to obtain a risk assessment value;
analyzing the attack path with depth-first search (DFS) to find an optimal attack path;
and tracing the attack with a multi-path traceback strategy based on the association analysis result, and determining the attack source and propagation path.
2. The network security threat traceability method based on association analysis of claim 1, wherein the constructing a network security posture graph based on multi-source network security data comprises extracting relationships between entities in a network by using a graph model, and constructing the network security posture graph based on the relationships between the entities, wherein nodes in the graph represent hosts, servers and applications, edges represent communication and access control, and weights of the edges are set according to communication frequency and access rights.
3. The network security threat tracing method based on association analysis according to claim 1, wherein for the detection of known threats, a similarity calculation formula is used to compute the degree of similarity between the data to be evaluated and a threat pattern so as to match the network security data against the known threat patterns in the established threat pattern library, and the threat pattern library comprises an IP address blacklist and whitelist, traffic anomaly detection rules and DDoS attack detection patterns.
4. The network security threat tracing method based on association analysis according to claim 1, wherein for the detection of unknown threats, the training process of the threat identification model comprises:
constructing a training dataset $D = \{(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)\}$, where $x_i$ represents the feature vector of a node or edge and $y_i$ represents the corresponding label;
training a machine learning model to obtain a classification function $f(x)$ used to classify and identify newly input nodes or edges: when $f(x) > 0$ the node or edge is judged abnormal and a possible threat, and when $f(x) \le 0$ the node or edge is judged normal and not a threat.
5. The network security threat tracing method based on association analysis according to claim 1, wherein the risk assessment value is calculated by the formula:
Where $R(t_i)$ is the risk value of each threat $t_i$, $w_j$ is the weight of the $j$-th indicator, i.e., the extent to which each indicator affects the final risk assessment, and $A_{ij}$ represents the score of the $i$-th threat on the $j$-th factor.
6. The network security threat tracing method based on association analysis according to claim 1, wherein analyzing the attack path with depth-first search (DFS) to find the optimal attack path comprises:
traversing the network security posture graph to obtain the set of all possible attack paths;
and comparing the weights and attribute labels of the different attack paths, and finding the optimal attack path in the attack path set according to a set objective, including the shortest path and the minimum-weight path.
7. The network security threat tracing method based on association analysis according to claim 1, wherein tracing the attack with the multi-path traceback strategy based on the association analysis result and determining the attack source and propagation path comprises:
constructing and analyzing a timeline, arranging the network security data in time order to form the timeline and analyzing the key events in it;
constructing a behavior chain from the attack behaviors in the timeline, analyzing the patterns in the behavior chain, and designing a heuristic function to estimate the likely distance or cost from the current node to the attack source;
and starting from the attack target node, traversing the graph in reverse with a heuristic search algorithm, choosing the next node to visit by the value of the heuristic function during traversal, weighing the heuristic function, the timeline and the behavior chain information together at a branch node to select the most probable attack path to follow, and recording the path information until the attack source is reached or no feasible path remains, thereby determining the source.
8. A network security threat tracing system based on association analysis, characterized by comprising:
a data acquisition module, for acquiring multi-source network security data;
a graph construction module, for constructing a network security posture graph based on the multi-source network security data;
an association analysis module, for performing association analysis on the attack elements with a graph mining algorithm based on the network security posture graph to obtain an association analysis result, which specifically comprises:
for the detection of known threats, matching the network security data against the known threat patterns in an established threat pattern library to find potential threats and attack behaviors; for the detection of unknown threats, classifying and identifying the nodes and edges in the network security posture graph with a trained threat identification model to find potential threats and attack behaviors; performing risk assessment on the potential threats and attack behaviors to obtain a risk assessment value; and analyzing the attack path with depth-first search (DFS) to find an optimal attack path;
and a tracing module, for tracing the attack with a multi-path traceback strategy based on the association analysis result and determining the attack source and propagation path.
9. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the network security threat tracing method based on association analysis according to any one of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the network security threat tracing method based on association analysis according to any one of claims 1 to 7.
CN202411446315.9A 2024-10-16 2024-10-16 Network security threat tracing method and system based on association analysis Pending CN119324817A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411446315.9A CN119324817A (en) 2024-10-16 2024-10-16 Network security threat tracing method and system based on association analysis

Publications (1)

Publication Number Publication Date
CN119324817A true CN119324817A (en) 2025-01-17

Family

ID=94229876

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411446315.9A Pending CN119324817A (en) 2024-10-16 2024-10-16 Network security threat tracing method and system based on association analysis

Country Status (1)

Country Link
CN (1) CN119324817A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20240205259A1 (en) * 2022-12-20 2024-06-20 Operant AI, Inc. Multi-layer application security graph for cloud-native applications using runtime application telemetry collected in real-time
US12495063B2 (en) * 2022-12-20 2025-12-09 Operant AI, Inc. Multi-layer application security graph for cloud-native applications using runtime application telemetry collected in real-time
CN119996004A (en) * 2025-02-13 2025-05-13 北京赋乐科技有限公司 Network attack tracing method and device based on internal and external network topology node analysis
CN119996004B (en) * 2025-02-13 2025-10-24 北京赋乐科技有限公司 Network attack tracing method, device and storage medium based on internal and external network topology node analysis
CN119892516A (en) * 2025-03-27 2025-04-25 北京圣芯诺科技有限公司 Security situation awareness response platform and method in information creation environment
CN120050123A (en) * 2025-04-25 2025-05-27 江西省科技基础条件平台中心(江西省计算中心) Network security dynamic early warning method and device and electronic equipment
CN120337247A (en) * 2025-05-08 2025-07-18 江苏西里西科技有限公司 A data security management method and system based on cloud computing platform
CN120337247B (en) * 2025-05-08 2025-11-18 江苏西里西科技有限公司 Data security management method and system based on cloud computing platform
CN120455117A (en) * 2025-05-28 2025-08-08 大道云科技发展(东莞市)有限公司 A communication security management method and system based on big data
CN120675823A (en) * 2025-08-22 2025-09-19 国网陕西省电力有限公司信息通信公司 Intelligent association and global situation risk monitoring method based on multi-source data

Similar Documents

Publication Publication Date Title
CN113965404B (en) Network security situation self-adaptive active defense system and method
CN119324817A (en) Network security threat tracing method and system based on association analysis
CN117220978B (en) Quantitative evaluation system and evaluation method for network security operation model
Danish Enhancing cyber security through predictive analytics: Real-time threat detection and response
CN118784360B (en) Network security detection individual soldier system based on Bert
KR102592624B1 (en) Threat hunting system and method for against social issue-based advanced persistent threat using artificial intelligence
Kim et al. Cost-effective valuable data detection based on the reliability of artificial intelligence
CN111641634A (en) A honeynet-based active defense system and method for industrial control network
Meddeb et al. Anomaly-based behavioral detection in mobile Ad-Hoc networks
CN118138361A (en) Security policy making method and system based on autonomously evolutionary agent
CN118300889A (en) Network security defense method and system for autonomous recognition attack monitoring
CN115795330A (en) Medical information anomaly detection method and system based on AI algorithm
CN119254507B (en) Cyberspace counter-mapping method, device, computer equipment and storage medium
CN119921976A (en) A method for intelligent identification of network security threats based on generative large models
KR102562671B1 (en) Threat hunting system and method for against social issue-based advanced persistent threat using genetic algorithm
Bateni et al. Using Artificial Immune System and Fuzzy Logic for Alert Correlation.
CN120415882A (en) An active defense system for security management of distribution network of power monitoring system
Arbex et al. Iot ddos detection based on stream learning
CN118784281A (en) A multi-source heterogeneous log comprehensive analysis method, system, medium and processor
CN118890213B (en) A data asset security monitoring method
CN120850291A (en) A computer security protection system based on artificial intelligence
Li et al. An automated alert cross-verification system with graph neural networks for ids events
CN115085948A (en) Network security situation assessment method based on improved D-S evidence theory
CN118585656A (en) A knowledge base construction method for network security
CN118694575A (en) Intelligent identification system for SSL encrypted traffic attack behavior based on deep packet inspection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination