Metaverse threat tracing method, device and system based on association traces

By receiving and analyzing trace information in the metaverse network, the problem of trace information being tampered with is solved, the security of the metaverse network is improved, and the leakage of user privacy information is prevented.

CN116260624BActive Publication Date: 2026-07-07SHANGHAI NEWDON TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHANGHAI NEWDON TECH CO LTD
Filing Date
2022-12-30
Publication Date
2026-07-07

Smart Images

  • Figure CN116260624B_ABST
    Figure CN116260624B_ABST
Patent Text Reader

Abstract

The application provides a meta-universe threat tracing method, device and system based on associated traces, and relates to the technical field of meta-universe security. The processing method comprises the following steps: receiving trace information in a meta-universe network; determining an object subject that interacts with the user according to the trace information; obtaining trace information that is determined to be abnormal, and setting it as abnormal associated trace information; tracing the threat source information of the user and / or the object subject in the meta-universe network based on the trace information and the abnormal associated trace information. The application finds the abnormal associated trace information of the user and / or the object subject through the trace information of the user in the meta-universe network, thereby determining the threat source information of the user and / or the object subject in the meta-universe network, and improving the security tracing capability of the meta-universe network.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of metaverse security technology, and in particular to a metaverse threat tracing method based on correlation traces. Background Technology

[0002] The behavioral records left by users after they have been active in the metaverse network space are also known as trace information. Trace information can be used to record users' historical behavior in the metaverse network and record it in the form of trace information.

[0003] The standard procedure for cleaning up historical traces typically involves the following steps: First, determining the necessity of cleaning; second, identifying the traces that need cleaning; and third, cleaning the traces. During this process, new trace information is generated to record the actions taken to clean up historical traces.

[0004] However, the current problem is that much of the processing of trace information is due to cyberattacks from hackers or cyber threats from insiders. For example, after hackers steal a user's identity, they steal the user's private information, intimate photos, company documents, and other private data. Furthermore, hackers or insiders may delete, modify, or tamper with the trace information they have recorded under the user's account, using the control of the trace information to cover up the effects of their actions by controlling the user's account.

[0005] Another possibility is that when a user's device is used by their family members or colleagues in the real world, it may be subjected to a cyberattack by a hacker or a cyber threat from an insider, resulting in the deletion, modification, or tampering of the corresponding information recording the user's behavior.

[0006] Furthermore, some users driven by curiosity enjoy browsing illegal content on metaverse web pages, such as pornographic advertisements and gambling information. This browsing preference can lead to the theft of users' personal information by hackers, or the hacking or threat to users' devices, further resulting in the theft of more users' personal privacy information, such as photos, documents, and chat logs with friends.

[0007] It is important to emphasize that any operation leaves a trace. Therefore, even if a user is attacked and clears previous traces, the record of clearing the previous traces will still be retained in the new traces.

[0008] Therefore, it is necessary to analyze and trace the aforementioned trace information in order to prevent hackers from further harming users' personal interests through threats, extortion, photos, or other means.

[0009] To address this, the present invention proposes a metaverse threat tracing method, device, and system based on correlation traces. By using trace information, it finds abnormal correlation trace information between users and objects, and further finds the threat source information of users and administrators being threatened in the metaverse network. This is a technical problem that urgently needs to be solved. Summary of the Invention

[0010] The purpose of this invention is to overcome the shortcomings of the prior art and provide a method, device and system for tracing threats in the metaverse based on correlation traces. This invention can find abnormal correlation traces of users and / or objects through the trace information of users in the metaverse network, thereby determining the threat source information of users and / or objects in the metaverse network and improving the security tracing capability of the metaverse network.

[0011] To address the existing technical problems, the present invention provides the following technical solution:

[0012] A metaverse threat tracing method based on correlation traces, the method comprising the following steps:

[0013] Receive trace information from the metaverse network; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information is obtained by the user after browsing the aforementioned data information and / or log information;

[0014] Based on the aforementioned trace information, the objects that interacted with the aforementioned user were identified, including other users, the aforementioned data information, and the aforementioned log information;

[0015] Obtain trace information that is judged to be abnormal from the trace information and set it as abnormal associated trace information; based on the aforementioned trace information and abnormal associated trace information, trace the threat source information of the user and / or object in the metaverse network, wherein the threat source information includes the attack source information of the user being attacked in the metaverse network.

[0016] Furthermore, the data information includes at least one or more of the following: user ID, user security level, device ID and access permissions, user chat history, file information, and personal privacy information obtainable in the metaverse network; wherein, the file information includes at least one or more of the following: file name, file size, file type, file location, creation time, number of modifications, access path, access permissions, file security level, and file modification details; the log information includes user log information, application and service log information, security logs, and system log information.

[0017] Furthermore, the trace information also includes log information recording that previous logs were deleted and / or tampered with.

[0018] Furthermore, the interaction includes an access operation, which includes access and operation, wherein the operation includes at least one of modification, alteration, replacement, overwrite, deletion, and editing.

[0019] Furthermore, the steps for determining abnormal trace information are as follows:

[0020] The system identifies trace information that can be judged as normal when the target object interacts with the aforementioned user; and sets a fault tolerance threshold range for the aforementioned trace information that can be judged as normal.

[0021] Based on the chronological order, the browsing paths and / or access operation paths of users to the aforementioned objects are filtered out, and the trace information recorded on the aforementioned browsing paths and / or access operation paths is matched with the fault tolerance threshold range set for normal trace information.

[0022] When a mismatch is determined, the trace information recorded by the interaction between the aforementioned object and the aforementioned user is judged as abnormal trace information;

[0023] The matching includes matching the trace information recorded on the aforementioned browsing path and / or access operation path with the fault tolerance threshold range set for normal trace information one by one, random matching, matching based on a preset time period, and / or matching based on a preset access operation node.

[0024] Furthermore, the tracing process includes the following steps:

[0025] Corresponding to the various attack stages of the attacker in the metaverse network, the trace information of the user on the attacked node in the previous attack stage of the current attack stage is obtained, and the trace information of the user in the attack stage before the aforementioned previous attack stage is determined based on the trace information. The trace information in the attack stage before the aforementioned previous attack stage includes trace information other than the aforementioned attack node. The previous step is repeatedly executed until the threat source information is determined.

[0026] Furthermore, the threat source information includes initial threat information issued by the attacker in the metaverse network at each stage of the attack.

[0027] A metaverse threat tracing device based on correlation traces includes a trace management device, which has the following structure:

[0028] An information receiving unit is used to receive trace information in the metaverse network; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information being obtained by the user after browsing the aforementioned data information and / or log information;

[0029] The information determination unit is used to determine the object that interacts with the aforementioned user based on the aforementioned trace information, wherein the object includes other users, the aforementioned data information, and the aforementioned log information;

[0030] The information processing unit is used to acquire trace information that is judged to be abnormal from the trace information and set it as abnormal associated trace information; based on the aforementioned trace information and abnormal associated trace information, it traces the threat source information of the user and / or object in the metaverse network, wherein the threat source information includes the attack source information of the user being attacked in the metaverse network.

[0031] A metaverse threat tracing system based on correlation traces includes:

[0032] Metaverse nodes are used for sending and receiving data;

[0033] The Metaverse Secure Interaction Module is used to enable secure information interaction for users.

[0034] System server, which connects the metaverse node and the metaverse secure interaction module;

[0035] The system server is configured to: receive trace information from the metaverse network via a trace management device; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information being obtained by the user after browsing the aforementioned data information and / or log information; the trace management device, based on the aforementioned trace information, determines the object interacting with the aforementioned user, the object including other users, the aforementioned data information, and the aforementioned log information; the trace management device acquires trace information judged as abnormal from the trace information and sets it as abnormal associated trace information; based on the aforementioned trace information and abnormal associated trace information, traces the threat source information of the user and / or object in the metaverse network, the threat source information including attack source information of the user being attacked in the metaverse network.

[0036] A computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the metaverse threat tracing method based on correlation traces described above.

[0037] Based on the above advantages and positive effects, the advantages of this invention are: by tracing the trace information, it is possible to find abnormal correlation trace information between the object and the user's interaction, and further find the threat source information at each stage of the user being threatened by the attacker, thereby tracing the security threats in the metaverse. Attached Figure Description

[0038] Figure 1This is a flowchart provided for an embodiment of the present invention.

[0039] Figure 2 This is a schematic diagram of the device provided in an embodiment of the present invention.

[0040] Figure 3 This is a schematic diagram of the system provided in an embodiment of the present invention.

[0041] Explanation of reference numerals in the attached figures:

[0042] Device 200, information receiving unit 201, information determining unit 202, information processing unit 203;

[0043] System 300, Metaverse Node 301, Metaverse Security Interaction Module 302, System Server 303. Detailed Implementation

[0044] The following detailed description, in conjunction with the accompanying drawings and specific embodiments, provides a method, apparatus, and system for tracing metaverse threats based on correlation traces disclosed in this invention. It should be noted that the technical features or combinations of technical features described in the following embodiments should not be considered isolated; they can be combined to achieve better technical effects. In the accompanying drawings of the following embodiments, the same reference numerals in each drawing represent the same features or components, which can be applied to different embodiments. Therefore, once an item is defined in one drawing, it does not need to be further discussed in subsequent drawings.

[0045] It should be noted that the structures, proportions, sizes, etc., illustrated in the accompanying drawings are merely for illustrative purposes and to aid those skilled in the art in understanding and reading the invention. They are not intended to limit the conditions under which the invention can be implemented. Any modifications to the structure, changes in proportions, or adjustments to size, provided they do not affect the effectiveness or purpose of the invention, should fall within the scope of the technical content disclosed in the invention. The scope of the preferred embodiments of the present invention includes other implementations, wherein functions may be performed not in the order stated or discussed, including substantially simultaneously or in reverse order, depending on the functions involved. This should be understood by those skilled in the art to which the embodiments of the present invention pertain.

[0046] Techniques, methods, and apparatus known to those skilled in the art may not be discussed in detail, but where appropriate, such techniques, methods, and apparatus should be considered part of the specification. In all examples shown and discussed herein, any specific values ​​should be interpreted as merely exemplary and not as limitations. Therefore, other examples of exemplary embodiments may have different values. Example

[0047] In the existing metaverse network, user and administrator actions are stored in a trace management system as log information. Similarly, attacker actions are also stored as log information. When an attacker threatens a target user, the operation information on the target user's device is also recorded as log information and stored in a log management system. However, cunning and sophisticated attackers usually erase the trace information they leave behind after the intrusion to prevent it from being discovered by users and administrators.

[0048] In this embodiment, the metaverse network includes, but is not limited to, at least one of the following: metaverse game environment, metaverse conference environment, metaverse social environment, metaverse teaching environment, and metaverse entertainment environment.

[0049] Based on this, see Figure 1 The diagram shown is a flowchart provided by the present invention. The implementation steps S100 of the method are as follows:

[0050] S101, receive trace information from the metaverse network; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information is obtained by the user after browsing the aforementioned data information and / or log information.

[0051] The trace information can be divided into different types based on the user's operation type.

[0052] As an example and not a limitation, the trace information can be categorized into different types based on the type of data information browsed by the user in the metaverse network. When the type of data information is categorized into tabular data, HTML web page files, XML files, RDF (Resource Description Framework) data, text data, graph data, multimedia data (audio / video / images), etc., the trace information can be categorized accordingly into tabular trace information, HTML web page file trace information, XML file trace information, RDF data trace information, text data trace information, graph data trace information, multimedia data (audio / video / images) trace information, etc.

[0053] In addition, the trace information can also be divided into different types of trace information based on the different types of log information generated after browsing the aforementioned data information.

[0054] The types of log information include, but are not limited to, user log information, application and service log information, security logs, and system log information.

[0055] The user log information is used to record business-related processes and events of business terminal users.

[0056] The application and service log information contains events recorded by the application or program. For example, a database program may log file errors in the application log, and the program developers decide which events to log.

[0057] The security log information includes events such as valid and invalid login attempts, as well as resource usage-related events such as creating, opening, or deleting files or other objects. Administrators can specify which events are logged in the security log. For example, if login auditing is enabled, login attempts to the system will be logged in the security log.

[0058] The system log information includes events recorded by system components. For example, a failure to load a driver or other system component during startup will be logged in the system log. The types of events logged in the system log can be preset.

[0059] Corresponding to the above types of log information, the trace information can be divided into user trace information, application and service trace information, security trace information, and system trace information, etc.

[0060] In this embodiment, browsing refers to the user's operation of viewing on the Metaverse website page. Each time a user views a webpage, one page view is recorded. For example, if there are two images on the Metaverse website page, and the user clicks on the website page once, the server will display three clicks: one for the website page and the other two for the two images on the website page. Each image here is an independent file on the webpage.

[0061] It should be emphasized that, in this embodiment, browsing is different from accessing. When accessing, the user needs to send an access request to the object to be accessed and obtain the consent of the object before the user can access it. After accessing, the user can perform corresponding operations on the object according to their own operation permissions.

[0062] Browsing, on the other hand, can simply involve viewing the aforementioned objects. During browsing, users can view only the index information of the objects, or the objects can be pre-defined areas that users are allowed to view. In this case, the object can be a page for users to preview, and the screen displaying this page when it is loaded and rendered by the browser can be recorded as trace information.

[0063] S102, based on the aforementioned trace information, determine the object that interacted with the aforementioned user, the object including other users, the aforementioned data information and the aforementioned log information.

[0064] The data information includes, but is not limited to, at least one or more of the following: user ID, user security level, device ID and access permissions, user chat history, file information, personal privacy information, web pages to be browsed, and links to be accessed, all obtainable in the metaverse network; the file information includes, but is not limited to, at least one or more of the following: file name, file size, file type, file location, creation time, number of modifications, access path, access permissions, file security level, and file modification details.

[0065] In this embodiment, it should be emphasized that the other users include, but are not limited to, all users who have registered accounts in the metaverse network other than the user. The other users can also be administrators of registered accounts in the metaverse network, attackers who impersonate or steal user accounts.

[0066] As an example rather than a limitation, in the metaverse network, a user may have multiple accounts and manage each account to varying degrees. This results in different activity levels for the user's clones using different accounts in the metaverse network.

[0067] Similarly, attackers in the metaverse network will also, based on the above considerations, preferentially select the weakest managed accounts from the aforementioned accounts as a breakthrough point, thereby impersonating or stealing one or more of the user's accounts. Through the user's clone, they can obtain data and personal privacy information from the user's devices or even stored in the cloud within the metaverse network. This allows attackers to use the obtained information to carry out cyber threats against the user, extort money, or carry out more malicious operations.

[0068] S103, acquire trace information that is judged to be abnormal from the trace information and set it as abnormal associated trace information; based on the aforementioned trace information and abnormal associated trace information, trace the threat source information of the user and / or object in the metaverse network, the threat source information including the attack source information of the user being attacked in the metaverse network.

[0069] Based on the preset trace management database, trace information that is judged to be abnormal when the object interacts with the aforementioned user can be obtained.

[0070] These traces that are judged as abnormal, namely abnormal associated traces, may be due to user misoperation in the metaverse network, such as due to low webpage refresh rate, or low sensitivity settings of the hardware configuration of the user's device, or the possibility that the user misoperated due to unfamiliarity with the operation.

[0071] However, the aforementioned abnormal correlation traces are more likely related to security threats users face within the metaverse network during interaction, such as Trojans, botnets, and phishing websites. These threats make users easily vulnerable to Trojans, botnets, and / or phishing websites during interaction, allowing them to be exploited by attackers who design such programs. The most common method is for attackers (also called threat actors) to steal users' personal information for extortion.

[0072] Once an attacker gains control of the aforementioned user, they can freely browse the user's personal privacy information and data. Furthermore, after obtaining the user's personal privacy information and data, the attacker can delete or tamper with the log information generated from their browsing and acquisition, thereby concealing their past actions.

[0073] Considering that when the object interacts with the aforementioned user, the trace information corresponding to the corresponding operations in the above situations will often be identified as abnormal trace information by the trace management device, the trace information generated based on the above situations when the object interacts with the aforementioned user is judged as abnormal trace information and set as abnormal associated trace information, so as to facilitate the acquisition of trace information that is associated due to abnormality in the trace information.

[0074] Based on this, and based on the aforementioned trace information and abnormal correlation trace information, it is possible to trace the threat source information of users and / or objects in the metaverse network.

[0075] Considering that trace information and anomaly-related trace information both include, but are not limited to, log information, especially log information that records previous logs being deleted and / or tampered with.

[0076] Each log entry specifies the transaction execution time, executor information, execution reason, and executed object. Therefore, by tracing the source, we can find the trace information of the user's interaction at the very beginning. Corresponding to the aforementioned trace information, we can determine the threat source information of the user and / or object in the metaverse network.

[0077] The threat source information includes, but is not limited to, threat type information, threat time information, threat object information, and threat level information. The object in the threat object information can be the threatened user and / or the target object.

[0078] It is important to emphasize that the threat source information also includes attack source information indicating that the user was attacked within the metaverse network. This attack source information includes, but is not limited to, attack type information, attack time information, attack target information, and attack level information. The target information can include the attacked user and / or the target object.

[0079] In this embodiment, it should also be noted that, because in the metaverse network, a certain proportion of threatened users and / or objects are attacked while being threatened, and conversely, threatened users and / or objects may not necessarily be attacked, the threat source information may also include attack source information indicating that a user was attacked in the metaverse network.

[0080] Preferably, the data information includes at least one or more of the following: user ID, user security level, device ID and access permissions, user chat history, file information, and personal privacy information obtainable in the metaverse network; wherein, the file information includes at least one or more of the following: file name, file size, file type, file location, creation time, number of modifications, access path, access permissions, file security level, and file modification details; and the log information includes user log information, application and service log information, security logs, and system log information.

[0081] Preferably, the trace information also includes log information recording that previous logs were deleted and / or tampered with.

[0082] In a preferred embodiment of this example, when determining the object interacting with the aforementioned user based on the aforementioned trace information, log information showing previous deletions and / or alterations is preferentially selected as the aforementioned trace information. The advantage is that when the user and / or object are under security threats in the metaverse network, especially when controlled by an attacker, log information showing the corresponding operations performed by the user and / or object will be preferentially deleted and / or altered by the attacker. Therefore, this operation needs to be given priority and analyzed to quickly find the source of the threat to the user and / or object.

[0083] Preferably, the interaction includes an access operation, which includes access and operation, wherein the operation includes at least one of modification, alteration, replacement, overwrite, deletion, and editing.

[0084] Preferably, the steps for determining abnormal trace information are as follows:

[0085] S111, a preset object is identified as normal trace information when interacting with the aforementioned user; and a fault tolerance threshold range is set for the aforementioned trace information that can be identified as normal.

[0086] The fault tolerance threshold range refers to the maximum range within which the trace information judged as normal is allowed to have errors without being evaluated as abnormal. The fault tolerance threshold range can be customized, especially by the administrator based on experience.

[0087] S112, according to the chronological order, filter out the user's browsing path and / or access operation path of the aforementioned object, and match the trace information recorded on the aforementioned browsing path and / or access operation path with the fault tolerance threshold range set for normal trace information.

[0088] The matching includes matching the trace information recorded on the aforementioned browsing path and / or access operation path with the fault tolerance threshold range set for normal trace information one by one, random matching, matching based on a preset time period, and / or matching based on a preset access operation node.

[0089] S113, when a mismatch is determined, the trace information recorded by the interaction between the aforementioned object and the aforementioned user is determined to be abnormal trace information.

[0090] The advantage of the judgment operation is that it can select the trace information that is closest to the aforementioned fault tolerance threshold range from the aforementioned trace information for matching.

[0091] Preferably, the tracing includes the following steps:

[0092] S121 corresponds to each attack stage of the attacker in the metaverse network. It obtains the user's trace information on the attacked node in the previous attack stage of the current attack stage, and determines the user's trace information in the attack stage before the aforementioned previous attack stage based on the trace information. The trace information in the attack stage before the aforementioned previous attack stage includes trace information other than that on the attacked node.

[0093] S122, repeat the previous step until the threat source information is determined.

[0094] Considering that sophisticated and cunning attackers will lay out a lot of plans in the early stages of an attack or threat, and then launch a large number of frequent attacks when the time is right, such as APT attacks and botnets.

[0095] Furthermore, the attacker's operation can involve multiple stages, such as dividing the stages into the attack initiation stage, the attack effect stage, and the attack result stage as needed.

[0096] The attack initiation phase refers to the preparation phase for an attack. During the attack initiation phase, attackers prepare for the attack, such as determining the type of operating system and application platform to be targeted, and identifying exploitable vulnerabilities in these systems and applications.

[0097] The attack execution phase refers to the stage in which the attack is carried out. After the attack initiation phase determines the metaverse network platform and the vulnerabilities to be exploited, the attack enters the execution phase. In this phase, the attacker selects target objects as attack targets, and the attacker can attack multiple target objects simultaneously.

[0098] The attack result phase refers to the stage where the attack causes consequences to the target object. The attack result phase is mainly manifested in the impact on the normal operation of the target object within the metaverse network. For example, the attacker may have adversely affected the software and hardware resources, information, and services provided by the target object's device, such as illegal collection, destruction, malicious occupation, or unauthorized use.

[0099] In the process of tracing the source, as an example rather than a limitation, we assume that the user encountered an attack in three stages: attack initiation stage 1, attack effect stage 2, and attack result stage 3.

[0100] When the current attack phase is attack result phase 3, the previous attack phase is attack action phase 2, and the previous attack phase before that is attack initiation phase 1.

[0101] Further, through the attack result stage 3, the user's trace information on the attacked node in the previous attack stage (i.e., attack action stage 2) of the current attack stage (i.e., attack result stage 3) is obtained, and the user's trace information in the previous attack stage (i.e., attack initiation stage 1) is determined based on the trace information.

[0102] Since attack initiation phase 1 is already the initial attack phase, the threat source information can be determined through the chronological order and abnormal correlation trace information during this phase.

[0103] Preferably, the threat source information includes initial threat information issued by the attacker in the metaverse network at each stage of the attack.

[0104] Other technical features are described in the previous embodiments and will not be repeated here.

[0105] See Figure 2 As shown, the present invention also provides an embodiment of a metaverse threat tracing device 200 based on correlation traces, including a trace management device.

[0106] In this embodiment, the trace management device is able to receive trace information from the metaverse network and store the aforementioned trace information in a specified path.

[0107] The trace management device has a trace management system that can store trace information generated by interactions in the metaverse network in real time and perform real-time analysis on this trace information.

[0108] The trace management device includes the following structure:

[0109] The information receiving unit 201 is used to receive trace information in the metaverse network; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information being obtained by the user after browsing the aforementioned data information and / or log information.

[0110] Information determination unit 202 is used to determine the object that interacts with the aforementioned user based on the aforementioned trace information, wherein the object includes other users, the aforementioned data information and the aforementioned log information.

[0111] Information processing unit 203 is used to acquire trace information that is judged to be abnormal from the trace information and set it as abnormal associated trace information; based on the aforementioned trace information and abnormal associated trace information, it traces the threat source information of users and / or objects in the metaverse network, wherein the threat source information includes attack source information of users being attacked in the metaverse network.

[0112] In addition, see Figure 3 As shown, the present invention also provides an embodiment of a metaverse threat tracing system 300 based on correlation traces, comprising:

[0113] Metaverse node 301 is used for sending and receiving data;

[0114] The Metaverse Security Interaction Module 302 is used to enable secure information interaction for users.

[0115] System server 303, which is connected to metaverse node 301 and metaverse security interaction module 302.

[0116] The system server 303 is configured to: receive trace information from the metaverse network via a trace management device; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information being obtained by the user after browsing the aforementioned data information and / or log information; the trace management device, based on the aforementioned trace information, determines the object interacting with the aforementioned user, the object including other users, the aforementioned data information, and the aforementioned log information; the trace management device acquires trace information judged as abnormal from the trace information and sets it as abnormal associated trace information; based on the aforementioned trace information and abnormal associated trace information, traces the threat source information of the user and / or object in the metaverse network, the threat source information including attack source information of the user being attacked in the metaverse network.

[0117] Other technical features are described in the previous embodiments and will not be repeated here.

[0118] Furthermore, embodiments of the present invention also provide a computer-readable storage medium storing a computer program for use in the aforementioned metaverse threat tracing device based on correlation traces. When the computer program is executed by a processor, it implements the steps of any of the aforementioned metaverse threat tracing methods based on correlation traces.

[0119] Other technical features are described in the previous embodiments and will not be repeated here.

[0120] In the foregoing description, within the scope of this disclosure, components may be selectively and operationally incorporated in any number. Furthermore, terms such as “comprising,” “encompassing,” and “having” should be interpreted by default as inclusive or open-ended, rather than exclusive or closed, unless explicitly defined as such. All technical, scientific, or other terms shall be interpreted as understood by one of those skilled in the art, unless explicitly defined as such. Public terms found in dictionaries should not be interpreted in a too idealistic or impractical manner in the context of the relevant technical documentation, unless explicitly defined as such in this disclosure.

[0121] While exemplary aspects of this disclosure have been described for illustrative purposes, those skilled in the art will recognize that the foregoing description is merely a description of preferred embodiments of the invention and is not intended to limit the scope of the invention in any way. The scope of the preferred embodiments of the invention includes other implementations in which functions may be performed in a different order than those described or discussed. Any modifications or alterations made by those skilled in the art based on the foregoing disclosure are within the scope of the claims.

Claims

1. A method for tracing the origins of metaverse threats based on correlation traces, the method comprising the following steps: Receive trace information from the metaverse network; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information is obtained by the user after browsing the aforementioned data information and / or log information; Based on the aforementioned trace information, the objects that interacted with the aforementioned user were identified, including other users, the aforementioned data information, and the aforementioned log information; The process involves acquiring trace information identified as abnormal and setting it as abnormal associated trace information. The steps for identifying abnormal trace information are as follows: First, pre-defined trace information that can be judged as normal when an object interacts with the aforementioned user. Then, a tolerance threshold range is set for this normal trace information. Next, the user's browsing path and / or access operation path to the aforementioned object is filtered out in chronological order. The trace information recorded on these browsing and / or access operation paths is matched against the tolerance threshold range set for normal trace information. If a mismatch is found, the trace information recorded during the interaction between the aforementioned object and the aforementioned user is identified as abnormal trace information. This matching includes matching the trace information recorded on the aforementioned browsing and / or access operation paths against the tolerance threshold range set for normal trace information one-to-one, random, based on a preset time period, and / or based on a preset access operation node. Based on the aforementioned trace information and abnormal associated trace information, the threat source information of the user and / or object in the metaverse network is traced. This threat source information includes attack source information indicating that the user has been attacked in the metaverse network.

2. The method according to claim 1, characterized in that, The data information includes at least one or more of the following: user ID, user security level, device ID and access permissions, user chat history, file information and personal privacy information obtainable in the metaverse network; wherein, the file information includes at least one or more of the following: file name, file size, file type, file location, creation time, number of modifications, access path, access permissions, file security level and file modification details; The types of log information include user log information, application and service log information, security log information, and system log information.

3. The method according to claim 1, characterized in that, The trace information also includes log information recording that previous logs were deleted and / or tampered with.

4. The method according to claim 1, characterized in that, The interaction includes access operations, which include access and operations, wherein the operations include at least one of modification, tampering, replacement, overwrite, deletion and editing.

5. The method according to claim 1, characterized in that, The source tracing includes the following steps: Corresponding to each attack stage of the attacker in the metaverse network, the trace information of the user on the attacked node in the previous attack stage of the current attack stage is obtained, and the trace information of the user in the attack stage before the aforementioned previous attack stage is determined based on the trace information. The trace information in the attack stage before the aforementioned previous attack stage includes the trace information on the attacked node other than the aforementioned trace information. Repeat the previous step until the source of the threat is identified.

6. The method according to claim 1, characterized in that, The threat source information includes the initial threat information issued by the attacker in each stage of the attack within the metaverse network.

7. A metaverse threat tracing device based on correlation traces, used to implement the method as described in any one of claims 1-6, characterized in that, The device includes a trace management system, which has the following structure: An information receiving unit is used to receive trace information in the metaverse network; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, the trace information being obtained by the user after browsing the aforementioned data information and / or log information; The information determination unit is used to determine the object that interacts with the aforementioned user based on the aforementioned trace information, wherein the object includes other users, the aforementioned data information, and the aforementioned log information; An information processing unit is used to acquire trace information identified as abnormal from the trace information and set it as abnormal associated trace information. The steps for identifying abnormal trace information are as follows: Pre-defined trace information that can be identified as normal when an object interacts with the aforementioned user; and setting a tolerance threshold range for the aforementioned trace information that can be identified as normal; filtering out the user's browsing path and / or access operation path for the aforementioned object in chronological order, and matching the trace information recorded on the aforementioned browsing path and / or access operation path with the tolerance threshold range set for normal trace information; if a mismatch is determined... The trace information recorded during the interaction between the aforementioned object and the aforementioned user is judged as abnormal trace information; wherein, the matching includes matching the trace information recorded on the aforementioned browsing path and / or access operation path with the fault tolerance threshold range set for normal trace information one by one, random matching, matching based on a preset time period, and / or matching based on a preset access operation node; based on the aforementioned trace information and abnormal associated trace information, the threat source information of the user and / or object in the metaverse network is traced, and the threat source information includes the attack source information of the user being attacked in the metaverse network.

8. A metaverse threat tracing system based on correlation traces, characterized in that... include: Metaverse nodes are used for sending and receiving data; The Metaverse Secure Interaction Module is used to enable secure information interaction for users. System server, which connects the metaverse node and the metaverse secure interaction module; The system server is configured to receive trace information from the metaverse network via a trace management device; the trace information includes data information browsed by the user in the metaverse network, and log information generated after browsing the aforementioned data information, wherein the trace information is obtained by the user after browsing the aforementioned data information and / or log information; The trace management device determines the object that interacted with the aforementioned user based on the aforementioned trace information. The object includes other users, the aforementioned data information, and the aforementioned log information. The trace management device acquires trace information that is judged to be abnormal from the trace information and sets it as abnormal associated trace information. The steps for judging abnormal trace information are as follows: Pre-set trace information that can be judged as normal when the object interacts with the aforementioned user; and set a fault tolerance threshold range for the aforementioned trace information that can be judged as normal; and filter out the user's browsing path and / or access operation path for the aforementioned object in chronological order, corresponding to the trace information recorded on the aforementioned browsing path and / or access operation path. The system matches the data against the tolerance threshold range set for normal trace information. If a mismatch is found, the trace information recorded during the interaction between the aforementioned object and the aforementioned user is judged as abnormal trace information. The matching includes matching the trace information recorded on the aforementioned browsing path and / or access operation path against the tolerance threshold range set for normal trace information one-to-one, random, based on a preset time period, and / or based on a preset access operation node. Based on the aforementioned trace information and abnormal associated trace information, the system traces the threat source information of the user and / or object in the metaverse network, including attack source information indicating that the user has been attacked in the metaverse network.

9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the method described in any one of claims 1-6.