Interactive automatic restoration method for network threat event attack scene
Technical Field
The invention relates to the technical field of network security, in particular to an interactive automatic restoration method for the attack scene of a network threat event.
Background
Network attack and network defense are together called network countermeasures; the two are inseparable. A network attack exploits the vulnerabilities and security defects of a target network against the hardware, software and data of that system, and typically comprises reconnaissance, scanning, obtaining access, privilege escalation, obtaining control, covering tracks, creating backdoors and the like. Network protection comprehensively uses the functions and technical means of one's own network system to protect that network and its equipment, so that information and data are not intercepted, forged, stolen, tampered with or destroyed during storage and transmission; it comprises encryption, access control, detection, monitoring, auditing and similar technologies. Network attack and network protection are a pair of "spear" and "shield", with attack generally leading protection.
In recent years the confrontation between network attack and defense has become increasingly fierce: attack events are more frequent, attack techniques keep evolving, and as techniques diversify, attack teams have become specialized and organized. Attack scene restoration, as an important component of an industrial information security protection system, can provide strong information support for security reinforcement and has gradually become a research focus. The attack-defense imbalance is worsening; the large numbers of traditional security devices deployed by enterprise users still struggle to cope with the increasingly severe threat situation, and tracing a given attack event back to its source is very difficult. It requires many professional security analysts and operations personnel to search and compare manually, and both tracing efficiency and accuracy are low.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide an interactive automatic restoration method for the attack scene of a network threat event, which can accurately and comprehensively present the attack life cycle of the event, can automatically restore the attack scene from the three dimensions of object, phase and behavior, and can improve the efficiency with which network threat analysts analyze attack events. The technical scheme is as follows:
An interactive automatic restoration method for a network threat event attack scene comprises the following steps:
S1: extracting key information points from various types of structured and unstructured data, and constructing a unified description framework for a multi-dimensional threat information attack scene;
S2: increasing the data mining depth of the description framework, automatically extracting key entities and entity relations from the key information points to form key information sequences, classifying them in a hierarchical and structured manner, and constructing an entity classification association network;
S3: using the hierarchical structure of the entity classification association network, constructing a logically consistent spatio-temporal sequence attack scene description model for the whole attack life cycle of the threat event;
S4: restoring the spatio-temporal sequence threat event description model to a threat event attack scene in an interactive visualization mode;
S5: counting and evaluating the attack scene restoration process of various network threat events, so that similar events can be conveniently predicted and traced.
Further, constructing the unified description framework of the multi-dimensional threat information attack scene in S1 specifically includes: giving the complex attack context a unified structured description in terms of the target objects of the threat event, the attack steps of the event and the attack behavior characteristics they reflect, integrating the attack chain into the whole threat event, and thereby constructing a unified multi-dimensional threat information attack scene description framework capable of effectively describing a complete attack cycle.
Further, in S2, automatically extracting key entities and entity relations from the key information points to form a key information sequence, classifying them in a hierarchical and structured manner, and constructing the entity classification association network specifically includes:
S21: cleaning the various data, extracting entities and entity relations, and determining the hierarchical classification entities of the threat event: its core attack steps, key techniques and implementation details;
S22: using an entity analysis system to automatically extract key entities and entity relations, form key information sequences, and construct the entity classification association network;
S23: using an expert system to assist in adjusting and optimizing the key information sequence so that it has hierarchical characteristics;
S24: improving the entity analysis system with the optimization result to achieve a better classification effect.
Further, constructing the logical spatio-temporal sequence threat event attack scene description model in S3 specifically includes:
S31: constructing an attack life cycle framework of the threat event according to its attack steps and attack mode, with the spatio-temporal sequence relation as the main body;
S32: inputting entity and relation attribute data according to the attack life cycle model architecture, and constructing a threat event attack scene description model that satisfies the spatio-temporal sequence;
S33: forming, according to the entity classification association network, a threat event attack scene description model that has both a spatio-temporal sequence and affiliation relations.
Further, restoring the attack scene of the threat event in an interactive visualization mode in S4 specifically includes:
S41: displaying the spatio-temporal sequence threat event attack scene description model by visualization means, supporting interaction between the user and the model to obtain deeper understanding, and at the same time supplementing more detailed information;
S42: providing statistics and process analysis evaluation of event-related information, using different visual data analysis modes according to requirements;
S43: optimizing the attack scene description model according to the analysis and evaluation opinions on the restoration process.
Furthermore, the counting and evaluation of the attack scene restoration process of various network threat events includes: evaluating the rationality of the description framework, performing statistical analysis on the use frequency of entities and key information sequences to adjust the score, and evaluating and analyzing the applicability of the threat event attack scene, thereby facilitating the prediction and tracing of similar events.
The beneficial effects of the invention are as follows: the method can automatically restore the attack scene of a network threat event from the three dimensions of object, behavior and stage, accurately and comprehensively present the attack life cycle of the event, and above all provide key clues for tracing so as to improve analysis efficiency, thereby solving the technical problems of the current traditional tracing mode: high manual analysis cost, low tracing efficiency and no guarantee of tracing accuracy. The method helps users find attackers with malicious attack behavior in time and improves the efficiency with which network threat analysts analyze attack events; by automatically restoring the network attack into an interactive attack scene, it helps users find attack clues and improves the accuracy of tracing.
Drawings
Fig. 1 is a flow diagram of the interactive automatic restoration method for a network threat event attack scene according to the present invention.
Fig. 2 is a detailed flowchart of the interactive automatic restoration method for the attack scene of a network threat event according to the present invention.
Fig. 3 is a result diagram of the interactive automatic restoration method for the attack scene of a network threat event according to the present invention.
Fig. 4 is a diagram of the restoration effect for the attack phases of a threat event in the interactive automatic restoration method for the attack scene of a network threat event.
Fig. 5 is a diagram of the restoration effect for the attack behaviors of a network threat event in the interactive automatic restoration method for the attack scene of a network threat event.
Detailed Description
The invention is described in further detail below with reference to the figures and specific embodiments. The method addresses the technical problems of the traditional tracing mode: high labor cost, low tracing efficiency and no guarantee of tracing accuracy. The invention provides an interactive automatic restoration method for a network threat event attack scene, which comprises the following steps: extracting key information points from various types of structured and unstructured data and constructing a unified multi-dimensional threat information attack scene description framework; increasing the data mining depth of the description framework, extracting entities and entity relations, and classifying them in a hierarchical and structured manner; using the hierarchical structure to construct a logically consistent spatio-temporal sequence threat event description model for the whole attack life cycle of the threat event; and restoring the scene from the spatio-temporal sequence threat event description model in an interactive visualization mode.
The flow of the attack event tracing method of the invention is shown in Fig. 1 and Fig. 2; the specific steps are as follows:
101. Constructing a unified description framework of a multi-dimensional threat information attack scene: extracting key information from multiple types of structured and unstructured data and constructing a unified threat information attack scene description framework.
The complex attack context is given a unified structured description from multiple dimensions of the network threat event, such as object, behavior and stage (event attack step); the attack chain is integrated into the whole threat event, and a unified threat information attack scene description framework capable of effectively depicting a complete attack sequence is thereby constructed.
As shown in Fig. 3, in this embodiment the attack scene description framework is built mainly from multiple types of structured and unstructured data, such as open source intelligence data, network traffic data, malicious sample data, covert channel data and system log data; it is used to extract information points from the multi-dimensional data and to extract the key fields describing the various network threat events.
102. Forming an entity classification association network according to the threat information attack scene description framework: increasing the data mining depth of the description framework, extracting entities and entity relations to form a key information sequence, and classifying them in a hierarchical and structured manner to form an entity classification association network.
In this embodiment the data mining depth of the description framework is increased: the various data are cleaned, entities and entity relations are extracted, and the hierarchical classification entities of each event (core attack steps, key techniques, implementation details and the like) are determined; an independently developed entity analysis system automatically extracts entities and entity relations to form the entity classification association network; an expert system assists in optimizing and adjusting the key information sequence so that it has a hierarchical entity classification effect; and the improved analysis result is fed back into the automatic entity analysis system so that subsequent analysis achieves a better entity classification effect, for example improved accuracy in identifying attack techniques in open source intelligence data.
103. Constructing a spatio-temporal sequence threat event attack scene description model: using the hierarchical structure of the entity classification association network, constructing a logically consistent spatio-temporal sequence threat event description model for the whole attack life cycle of the threat event.
Because the attack mode of a network threat event has a spatio-temporal sequence relation, in this embodiment an attack life cycle framework of the threat event is constructed according to its attack steps and attack mode, with the spatio-temporal sequence relation as the main body; entity and relation data are input according to the attack life cycle model architecture to construct a threat event attack scene description model that satisfies the spatio-temporal sequence; and a threat event description model that simultaneously satisfies the spatio-temporal sequence and the dependency relations is formed according to the entity classification association network.
For example, as shown in Fig. 3, the object layer of the network threat event is the L0 level, which generally forms a key information sequence from the attacker or attack organization, the network threat event, and the attack target or target industry; the L1 level is the attack tactics layer, whose attack phases generally form the attack life cycle of the threat event; and the L2 level is the attack behavior layer, in which each entity constitutes a corresponding attack behavior within the threat event.
104. Constructing an interactive visual restoration of the threat event scene: based on the spatio-temporal sequence threat event description model, restoring the threat event scene in an interactive visualization mode.
As shown in Fig. 4, based on the attack phases corresponding to the attack chain, the attack life cycle of the threat event is restored in time-sequence form, and each phase is identified by a number and a name, so that the purpose achieved by each phase can be accurately described. In Fig. 4, (a) shows the phases by number and (b) by name.
Fig. 5 is an effect diagram of restoring the attack behaviors contained in the attack phases of the threat event by the interactive automatic restoration method of the invention. The time-sequence relation of the threat event's attack behaviors is restored by visualization means; interaction between the user and the model is supported to obtain deeper understanding, and more detailed information can be supplemented; statistical display and process analysis evaluation of the relevant information of the network threat event are provided using visual analysis modes chosen according to different requirements; and the scene restoration mode is adjusted according to the process analysis evaluation opinions. For example, the whole network attack event is used as template data to construct the spatio-temporal sequence relation between nodes.
105. Counting and evaluating the restoration process of the threat event: the restoration process of various network threat events is counted and evaluated, so that similar events can be conveniently predicted and traced.
The restoration process of each network threat event is counted and evaluated in four aspects: rationality of the description framework, effectiveness of entities, completeness of attributes and applicability of the attack scene; entities are counted and analyzed within the same event and across events; the entity use frequency and key information sequences are statistically analyzed to adjust the score; and the applicability of the network threat event attack scene is evaluated and analyzed, facilitating the prediction and tracing of similar events.
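As an added illustration, not part of the patent or of any implementation of it, the following Python sketch applies steps 103 to 105 to constructed sample records: the L0/L1/L2 hierarchy of Fig. 3, behaviors ordered by time within numbered phases as in Fig. 4, a check that behaviors respect the phase order (the dependency relation of step 103), and a simple restoration score covering phase coverage and attribute completeness as in step 105. All entity names, phases, hosts and timestamps are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (hypothetical values, not from any real event).
# L0: object layer; L1: attack phases in life-cycle order; L2: attack behaviors
# with time (when) and host (where) attributes, as an extraction step would yield.
L0 = {"attacker": "EXAMPLE-ORG", "event": "EXAMPLE-EVENT-1", "target": "example-industry"}
L1 = ["reconnaissance", "scanning", "initial access", "privilege escalation", "persistence"]
L2 = [
    {"phase": "scanning", "technique": "port scan", "time": "2023-01-02T09:10", "host": "10.0.0.5"},
    {"phase": "reconnaissance", "technique": "open-source lookup", "time": "2023-01-01T14:00", "host": None},
    {"phase": "initial access", "technique": "phishing attachment", "time": "2023-01-03T08:30", "host": "10.0.0.7"},
    {"phase": "persistence", "technique": "scheduled task", "time": "2023-01-03T11:00", "host": "10.0.0.7"},
]
REQUIRED = ("phase", "technique", "time", "host")  # attributes a complete behavior must carry


def build_scene(l0, l1, l2):
    """Build the three-layer scene model: phases keep life-cycle order and are
    numbered as in Fig. 4 (a); behaviors are sorted by timestamp inside each phase."""
    by_phase = defaultdict(list)
    for b in l2:
        if b["phase"] not in l1:
            raise ValueError(f"behavior outside the life-cycle framework: {b['phase']}")
        by_phase[b["phase"]].append(b)
    phases = []
    for idx, name in enumerate(l1, start=1):
        acts = sorted(by_phase[name], key=lambda b: datetime.fromisoformat(b["time"]))
        phases.append({"no": idx, "name": name, "behaviors": acts})
    return {"object": l0, "phases": phases}


def time_order_violations(scene):
    """Dependency check: a behavior in a later phase must not precede a behavior of
    an earlier phase. Returns (earlier technique, offending technique) pairs."""
    out, last = [], None
    for ph in scene["phases"]:
        for b in ph["behaviors"]:
            t = datetime.fromisoformat(b["time"])
            if last is not None and t < last[1]:
                out.append((last[0], b["technique"]))
            last = (b["technique"], t)
    return out


def score_scene(scene):
    """Restoration score: share of life-cycle phases with at least one behavior, and
    share of behaviors carrying every required attribute (both in [0, 1])."""
    phases = scene["phases"]
    covered = sum(1 for p in phases if p["behaviors"]) / len(phases)
    acts = [b for p in phases for b in p["behaviors"]]
    complete = sum(all(b.get(k) for k in REQUIRED) for b in acts) / len(acts) if acts else 0.0
    return {"phase_coverage": round(covered, 2), "attribute_completeness": round(complete, 2)}


if __name__ == "__main__":
    scene = build_scene(L0, L1, L2)
    for p in scene["phases"]:
        print(p["no"], p["name"], [b["technique"] for b in p["behaviors"]])
    print(time_order_violations(scene), score_scene(scene))
```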
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented in software. With the technical scheme of the application, the threat event is hierarchically associated with the various feature information of the same or different dimensions extracted according to the attack life cycle, a visual attack scene is constructed according to these association relations, the degree of attack scene restoration of the threat event is scored, the scene restoration of the same event is effectively improved according to the score, the attacker's next attack mode is effectively predicted, and finally the same attacker or attack organization can be traced according to the attack scene. Compared with the prior art, the method saves manual analysis cost, improves tracing efficiency and accuracy, and helps to identify attackers or attack organizations with malicious attack behavior in time.
By means of this technical scheme, the attack scene of a network threat event is automatically restored, an efficient analytical basis for tracing is provided, the technical problems of the current traditional tracing mode (high labor cost, low tracing efficiency, tracing accuracy that cannot be guaranteed, and the like) are solved, and users are helped to find attackers with malicious attack behavior in time.
Finally, it should be noted that the accompanying drawings are included to provide a further understanding of the invention, are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the invention without limiting it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that various changes, modifications, equivalents and substitutions may be made to the technical solutions described in the foregoing embodiments, and that such modifications or substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.