Malicious behavior recognition method, system and storage medium for weighted heterogeneous graph

Abstract

The present invention discloses a malicious behavior identification method, system and storage medium oriented to weighted heterogeneous graphs. The method includes the following steps: constructing an inductive graph neural network model, and the inductive graph neural network model includes a subgraph extraction module, Multiple feature vector generation fusion module and classification learning module; train and learn the inductive graph neural network model, extract subgraphs, learn potential vector representations of nodes in subgraphs, obtain multiple subgraph feature vectors corresponding to subgraphs, and multiple subgraphs Graph feature vector fusion, the node feature vectors obtained by fusion are classified and learned in the classification learning module; the trained inductive graph neural network model is used to identify malicious behaviors. The present invention fully combines and utilizes rich topological feature information and attribute information contained in heterogeneous graphs, and on this basis, designs an inductive learning graph neural network model to complete feature extraction and representation learning in heterogeneous graphs, and finally realize malicious behavior recognition.

Description

technical field [0001] The invention belongs to the technical field of network security, and in particular relates to a malicious behavior identification method, system and storage medium oriented to weighted heterogeneous graphs. Background technique [0002] With the rapid development of the Internet, the technology of malicious software is constantly updated and iterated. The number of malicious software is increasing day by day, and the types and transmission methods are changing day by day. The threat to personal, enterprise and national security is increasing day by day. With the continuous confrontation and upgrading of malware attack and defense technologies, malware gradually tends to be multi-variant, high-concealment, large in number, and fast-updating. Facing this network security situation, both academia and industry are constantly looking for traditional malware The combination of detection technology and machine learning aims to prevent and detect a large numb...

AI Technical Summary

Problems solved by technology

[0006] The existing malicious behavior recognition technology based on NLP or image processing is mainly based on the self-attribute characteristics of a single sample for learning and recognition, ignoring the potential relationship between samples due to the same type or homology; although some studies have begun to use Relevant technologies in the graph field mine the feature information of these potential associations, but the graph structure they construct does not make full use of the relational properties of the graph structure, which may reduce the accuracy of malicious behavior recognition tasks; in addition, most of the existing technologies and system models belong to direct inference For new samples, it is often necessary to retrain the model parameters, which may lead to slow update speed and poor generalization ability of the model.

Images