An APT traffic detection method based on a knowledge graph
By constructing a network traffic knowledge graph and utilizing a graph neural network model, the problem of detecting unknown APT attacks was solved, enabling flexible and accurate detection of network data streams and adapting to the diversity and changes of APT attacks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ZHEJIANG UNIV
- Filing Date
- 2022-10-18
- Publication Date
- 2026-07-10
AI Technical Summary
Existing technologies are insufficient to effectively detect network traffic from unknown Advanced Persistent Threat (APT) attacks. Traditional methods cannot adapt to the changes in APT attacks and are difficult to flexibly detect their characteristics.
By constructing a network traffic knowledge graph and using graph neural networks to analyze network data flows, an APT attack behavior data flow knowledge graph classifier model is generated. This allows for in-depth analysis of network data flow characteristics and determination of whether the behavior constitutes an APT attack.
It enables flexible and accurate detection of network data traffic under unknown APT attacks, and can identify attack behavior at the network level, adapting to the diversity and changes of APT attacks.
Smart Images

Figure CN115694933B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network security technology, specifically the field of knowledge graphs, and specifically relates to an APT traffic detection method based on knowledge graphs. Background Technology
[0002] With the continuous development of network technology, network systems are being applied to various important facilities and systems. This has also attracted the attention of attackers. To carry out Advanced Persistent Threat (APT) attacks, or to achieve certain specific purposes, attackers have established specialized organizations to launch APT attacks. APT attacks are characterized by high stealth, long duration, and strong targeting. Compared to traditional attacks, APT attacks are more difficult to defend against and detect.
[0003] Unlike traditional network defense methods, the knowledge graph generation and detection method based on APT traffic constructs a more flexible network data flow knowledge graph, which can flexibly and clearly represent the relationships between network data flow features. It can adapt to various forms of network traffic data and reduce the loss of data information during the data normalization process.
[0004] As APT attack techniques and tools are constantly evolving, detecting unknown APT attack network traffic remains a challenge in APT attack defense. Therefore, simply using blacklists for network traffic matching is insufficient. It is necessary to deeply analyze the internal relationships and characteristics between APT attack network traffic features and construct a new APT traffic detection method that can detect unknown APT attack network traffic to a certain extent. Summary of the Invention
[0005] The purpose of this invention is to address the shortcomings of existing technologies by providing an APT traffic detection method based on knowledge graphs.
[0006] The objective of this invention is achieved through the following technical solution: an APT traffic detection method based on knowledge graphs, characterized by comprising the following steps:
[0007] (1) Analyze the network data packets, obtain multiple network data streams based on the identifiers of the network data packets, generate multiple NetFlow data, and determine whether the NetFlow data is APT attack behavior data;
[0008] (2) Construct a network traffic knowledge graph based on the characteristics of the NetFlow data;
[0009] (3) Using the network traffic knowledge graph as the input of the graph neural network, and using whether the knowledge graph is an APT attack behavior data flow knowledge graph as the output of the graph neural network, the graph neural network is trained together based on the input and output to obtain the APT attack behavior data flow knowledge graph classifier model;
[0010] (4) Run the APT attack behavior data flow knowledge graph classifier model to analyze the unknown network data flow in order to determine whether the unknown network data flow is an APT attack behavior data flow.
[0011] Furthermore, the identifier includes the source IP address, source port number, destination IP address, destination port number, connection establishment, and connection termination.
[0012] Further, step (1) includes the following sub-steps:
[0013] (1.1) Perform preliminary analysis on network data packets, obtain multiple network data streams based on the identifiers of the network data packets, and use network devices to generate multiple NetFlow data of multiple network data streams in the network to obtain the feature values of the NetFlow data;
[0014] (1.2) Convert the non-decimal numeric feature values that appear in the feature values of the NetFlow data into decimal numeric feature values; encode the non-numeric feature values in the feature values of the NetFlow data starting from 0 and convert them into integers; convert all feature values of the NetFlow data into floating-point numbers and generate a list of floating-point numbers;
[0015] (1.3) Based on the known information, classify the NetFlow data in the form of a floating-point number list to determine whether the NetFlow data is APT attack behavior data; the types of NetFlow data include APT attack behavior NetFlow data and non-APT attack behavior NetFlow data.
[0016] Furthermore, the characteristic values of the NetFlow data include at least one of the following: data flow duration, protocol type, source port number, data flow direction, destination port number, status, source service bytes, destination service bytes, total number of data packets, total number of transmitted bytes, and number of transmitted bytes at the source address.
[0017] Furthermore, step (2) includes the following sub-steps:
[0018] (2.1) Construct a blank knowledge graph for the NetFlow data, and establish a central node in the blank knowledge graph to assist in the establishment of edges between nodes in the NetFlow knowledge graph. The central node is represented as X0.
[0019] (2.2) The NetFlow data has N feature values. In the NetFlow knowledge graph, N nodes are established that correspond one-to-one with the N feature values. The N nodes are represented as X1, X2, ..., XN, and the value of the node is the value of its corresponding feature value.
[0020] (2.3) Establish N edges from the central node X0 to the N nodes to construct the NetFlow knowledge graph;
[0021] (2.4) Repeat steps (2.1) to (2.3) to construct a NetFlow knowledge graph for all NetFlow data to obtain a network traffic knowledge graph.
[0022] Furthermore, step (4) includes the following sub-steps:
[0023] (4.1) Construct a network traffic knowledge graph for network data packets of unknown network data streams based on steps (1.1), (1.2), and (2);
[0024] (4.2) Input the network traffic knowledge graph obtained in step (4.1) into the APT attack behavior data flow knowledge graph classifier model obtained in step (3) for analysis, and output whether the current knowledge graph is an APT attack behavior data flow knowledge graph, so as to determine whether the unknown network data flow is an APT attack behavior network data flow.
[0025] The beneficial effects of this invention are that it integrates network data into a data stream form and transforms it into a knowledge graph. Unlike existing methods, this invention deeply analyzes the characteristics of different network data streams and uses knowledge graph technology to represent them. By employing and training a graph neural network model, it establishes the relationship between each node in the network data stream knowledge graph and whether the network data stream is an APT attack network data stream. This enables the detection of unknown APT attack network data traffic, facilitating flexible and accurate detection of APT attack traffic in the network and detecting the attack behavior of APT organizations at the network level. Attached Figure Description
[0026] Figure 1 This is a flowchart of the APT traffic knowledge graph generation and detection method;
[0027] Figure 2 It is a NetFlow knowledge graph of a network data stream with only 7 features. Detailed Implementation
[0028] The following is based on Figures 1-2 This invention will be described in detail.
[0029] This invention provides a knowledge graph-based APT traffic detection method. It involves segmenting network data streams into NetFlow, converting NetFlow into a knowledge graph using knowledge graph generation technology, and then using graph neural network technology to detect APT attack behavior network traffic within the knowledge graph.
[0030] like Figure 1 As shown, the specific steps include:
[0031] (1) Analyze network packets, obtain multiple network data streams based on the identifiers of the network packets, generate multiple NetFlow data, and determine whether the NetFlow data is APT attack data. The identifiers include source IP address, source port number, destination IP address, destination port number, connection establishment and termination.
[0032] (1.1) Perform preliminary analysis on network data packets, obtain multiple network data streams based on the identifiers of the network data packets, and use network devices to generate multiple NetFlow data of multiple network data streams in the network to obtain the feature values of the NetFlow data.
[0033] It should be understood that network devices include, but are not limited to: routers, switches, firewalls, and virtual network devices.
[0034] In this embodiment, network devices such as routers, switches, and virtual network devices can be used to collect some network data packets from virtual networks, subnets, test ranges, or real networks containing APT attacks. The collected network data packets should include data packets generated by APT attacks in the network, and then these network data packets are preliminarily analyzed.
[0035] The characteristics of NetFlow data include at least one of the following: data flow duration, protocol type, source port number, data flow direction, destination port number, status, source service bytes, destination service bytes, total number of data packets, total number of bytes transmitted, and number of bytes transmitted to the source address.
[0036] (1.2) Convert the non-decimal numeric feature values in the NetFlow data into decimal numeric feature values; encode the non-numeric feature values in the NetFlow data starting from 0 and convert them into integers; convert all feature values in the NetFlow data into floating-point numbers and generate a list of floating-point numbers.
[0037] Specifically, for example, the feature value of the source port number is 0x0303, which is converted to decimal, i.e., 771. Another example is the feature value of the protocol type, which might be: "ARP", "ESP", "ICMP", "IGMP", "IPv6", "IPv6-ICMP", "IPX / SPX", "PIM", "RTCP", "RTP", "TCP", "UDP", "UDT". These 13 feature values are encoded starting from 0 and converted to integers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12. Then, all feature values of the NetFlow data are converted to floating-point numbers, and a list of floating-point numbers is generated accordingly.
[0038] (1.3) Based on the known information, classify the NetFlow data in the form of floating-point number lists to determine whether the NetFlow data is APT attack data. The types of NetFlow data include APT attack NetFlow data and non-APT attack NetFlow data.
[0039] It should be understood that the purpose of this step is mainly to manually classify the network data streams collected in various ways. The data can be collected by manually simulating APT attacks and then generating network data traffic, which will facilitate the training of the model in subsequent steps.
[0040] The known information includes the identifier of the network data packet, the method of generating the data packet, the purpose of the network data flow, whether the network data flow is a network data flow generated by simulating an APT attack, and APT network traffic tracing reports. Based on this known information, all NetFlow data in the form of floating-point number lists can be classified into APT attack behavior NetFlow data or non-APT attack behavior NetFlow data.
[0041] (2) Construct a network traffic knowledge graph based on the characteristics of NetFlow data.
[0042] (2.1) Construct a blank knowledge graph for NetFlow data and establish a central node in the blank knowledge graph to assist in the establishment of edges between nodes in the NetFlow knowledge graph. The central node is represented as X0.
[0043] (2.2) The NetFlow data has N feature values. In the NetFlow knowledge graph, N nodes are established that correspond one-to-one with the N feature values. The N nodes are represented as X1, X2, ..., XN, and the value of the node is the value of its corresponding feature value.
[0044] It should be understood that the N feature values are limited to some or all of the feature values listed in step (1.1). For example, if the protocol type of a network data stream is "ARP", this network data stream does not have the four features of source port number, destination port number, source service bytes, and destination service bytes. It only contains seven features: data stream duration, protocol type, data flow direction, status, total number of data packets, total number of transmitted bytes, and number of bytes transmitted at the source address. Therefore, N is 7.
[0045] (2.3) Establish N edges from the central node X0 to the N nodes to construct the NetFlow knowledge graph. For example... Figure 2 As shown, this is a NetFlow knowledge graph for a network data stream with only 7 features.
[0046] (2.4) Repeat steps (2.1)-(2.3) to construct a NetFlow knowledge graph for all NetFlow data to obtain a network traffic knowledge graph.
[0047] It should be understood that step (1) generates multiple NetFlow data, which can be a single NetFlow data or multiple NetFlow data. If it is a single NetFlow data, then step (2.4) is not needed, and the NetFlow knowledge graph obtained in step (2.3) is the network traffic knowledge graph. If it is multiple NetFlow data, then step (2.4) is needed to construct a NetFlow knowledge graph for all NetFlow data, and all NetFlow knowledge graphs are the network traffic knowledge graph.
[0048] (3) Using the network traffic knowledge graph as the input of the graph neural network and whether the knowledge graph is an APT attack behavior data flow knowledge graph as the output of the graph neural network, the graph neural network is trained together with the input and output to obtain the APT attack behavior data flow knowledge graph classifier model.
[0049] (4) Run the APT attack behavior data flow knowledge graph classifier model obtained in step (3) to analyze the unknown network data flow and determine whether the unknown network data flow is an APT attack behavior data flow.
[0050] (4.1) Construct a network traffic knowledge graph for network data packets of unknown network data streams based on steps (1.1)-(1.2) and steps (2.1)-(2.4).
[0051] (4.2) Input the network traffic knowledge graph obtained in step (4.1) into the APT attack behavior data flow knowledge graph classifier model obtained in step (3) for analysis, and output whether the current knowledge graph is an APT attack behavior data flow knowledge graph, so as to determine whether the unknown network data flow is an APT attack behavior network data flow.
[0052] Specifically, if the knowledge graph is classified by the graph neural network as a knowledge graph of APT attack behavior network data flow, then the network data flow is an APT attack data flow; if the knowledge graph is classified by the graph neural network as a knowledge graph of non-APT attack behavior network data flow, then the network data flow is a non-APT attack data flow.
[0053] In addition, step (4.2) needs to be repeated as needed until all NetFlow knowledge graphs have been evaluated.
[0054] The above embodiments are only used to illustrate the technical solutions of the present invention, and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not deviate from the scope of the technical solutions of the embodiments of the present invention in essence.
Claims
1. A knowledge graph-based APT traffic detection method, characterized in that, Includes the following steps: (1) Analyze the network data packets, obtain multiple network data streams based on the identifier of the network data packets, generate multiple NetFlow data, and determine whether the NetFlow data is APT attack behavior data; (2) Construct a network traffic knowledge graph based on the characteristics of the NetFlow data; step (2) includes the following sub-steps: (2.1) Construct a blank knowledge graph for the NetFlow data, and establish a central node in the blank knowledge graph to assist in the establishment of edges between nodes in the NetFlow knowledge graph. The central node is represented as X0. (2.2) The NetFlow data has N feature values. In the NetFlow knowledge graph, N nodes are established that correspond one-to-one with the N feature values. The N nodes are represented as X1, X2, ..., XN respectively. The value of the node is the value of its corresponding feature value. (2.3) Establish N edges from the central node X0 to the N nodes to construct the NetFlow knowledge graph; (2.4) Repeat steps (2.1) to (2.3) to construct a NetFlow knowledge graph for all NetFlow data to obtain a network traffic knowledge graph; (3) Using the network traffic knowledge graph as the input of the graph neural network, and using whether the knowledge graph is an APT attack behavior data flow knowledge graph as the output of the graph neural network, the graph neural network is trained together based on the input and output to obtain an APT attack behavior data flow knowledge graph classifier model; (4) Run the APT attack behavior data flow knowledge graph classifier model to analyze the unknown network data flow in order to determine whether the unknown network data flow is an APT attack behavior data flow.
2. The APT traffic detection method based on knowledge graphs according to claim 1, characterized in that, The identifier includes the source IP address, source port number, destination IP address, destination port number, connection establishment, and connection termination.
3. The APT traffic detection method based on knowledge graphs according to claim 1, characterized in that, Step (1) includes the following sub-steps: (1.1) Perform preliminary analysis on network data packets, obtain multiple network data streams based on the identifiers of the network data packets, and use network devices to generate multiple NetFlow data of multiple network data streams in the network to obtain the feature values of the NetFlow data; (1.2) Convert the non-decimal numeric feature values that appear in the feature values of the NetFlow data into decimal numeric feature values; encode the non-numeric feature values in the feature values of the NetFlow data starting from 0 and convert them into integers; convert all feature values of the NetFlow data into floating-point numbers and generate a list of floating-point numbers; (1.3) Based on the known information, classify the NetFlow data in the form of a floating-point number list to determine whether the NetFlow data is APT attack behavior data; the types of NetFlow data include APT attack behavior NetFlow data and non-APT attack behavior NetFlow data; the known information includes the identifier of the network data packet, the generation method of the data packet, the purpose of the network data stream, whether the network data stream is a network data stream generated by simulating an APT attack, and the APT network traffic tracing report.
4. The APT traffic detection method based on knowledge graphs according to claim 3, characterized in that, The NetFlow data features include at least one of the following: data flow duration, protocol type, source port number, data flow direction, destination port number, status, source service bytes, destination service bytes, total number of data packets, total number of transmitted bytes, and number of bytes transmitted at the source address.
5. The APT traffic detection method based on knowledge graphs according to claim 4, characterized in that, Step (4) includes the following sub-steps: (4.1) Construct a network traffic knowledge graph for network data packets of unknown network data streams based on steps (1.1), (1.2), and (2); (4.2) Input the network traffic knowledge graph obtained in step (4.1) into the APT attack behavior data flow knowledge graph classifier model obtained in step (3) for analysis, and output whether the current knowledge graph is an APT attack behavior data flow knowledge graph, so as to determine whether the unknown network data flow is an APT attack behavior network data flow.