A method for identifying a cyber attack chain, a computer device and a storage medium
By collecting and analyzing security event logs generated by various devices, a directed acyclic anomaly graph is constructed to identify network attack chains. This solves the problems of single data and incomplete paths in traditional methods, and achieves accurate attack chain identification and risk assessment.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHENZHEN METRO GROUP
- Filing Date
- 2022-12-26
- Publication Date
- 2026-07-03
AI Technical Summary
Traditional attack chain identification methods, when describing network attacks, analyze only single data elements, have incomplete paths, cannot combine link-layer security event data for comprehensive analysis, cannot identify long-term latent threats, ignore discrete attack behaviors, and cannot effectively identify the reconnaissance and penetration stages of multi-stage network attack behaviors.
By collecting security event logs generated by various devices, performing normalization processing and correlation analysis, constructing a directed acyclic anomaly graph, selecting the optimal security event chain sequence, mapping it to the attack stage, and constructing a complete attack chain.
It enables the construction of a relatively complete and accurate attack chain when a network security incident is alerted, supporting managers to effectively handle network attacks and providing attack paths and risk assessments.
Smart Images

Figure CN116318806B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a method for identifying network attack chains, a computer device, and a storage medium. Background Technology
[0002] With the rapid development of the internet, the types and number of cybersecurity incidents have also increased dramatically, attacks have become more diversified, and their true purposes have become more covert. Among these, the attack chain is a phase-based model used to describe the various stages of a cyberattack, which also helps to provide methods for preventing such attacks. The closer a cyberattack is to the starting point of the kill chain, the more likely it is to be stopped.
[0003] Traditional attack chains have the following shortcomings in describing network attacks: 1) Attack chain analysis based on network traffic results in limited data elements and incomplete attack chain paths; 2) Attack chains are constructed based on IP addresses, failing to integrate with link-layer security event data for comprehensive analysis; 3) Attack chains can only be constructed based on data from a period before and after an attack event, rendering them ineffective against long-term, slow-penetrating threats; 4) They neglect discrete attack behaviors and the reconnaissance and penetration phases of multi-stage network attack behaviors. Summary of the Invention
[0004] To address the aforementioned technical problems, this invention provides a method for identifying network attack chains, a computer device, and a storage medium. It analyzes security event logs generated by various devices based on different principles, taking assets as the object of analysis, and simultaneously analyzing long-term network security-related logs to solve the technical problems of current methods.
[0005] To achieve the above objectives, the embodiments of the present invention provide the following technical solutions:
[0006] In a first aspect, in one embodiment of the present invention, a method for identifying network attack chains is provided, comprising the following steps:
[0007] Collect log data of network security incidents and normalize the collected log data;
[0008] The security analysis engine detects whether real-time network security events match the correlation analysis rules.
[0009] If a correlation analysis rule is found, the security information will be completed by asset supplementation, event classification, and attack phase supplementation. The corresponding asset information set will be extracted based on the security event set, and network security behavior events related to the asset set within a certain period of time will be traced back.
[0010] All eligible cybersecurity incidents are categorized by source asset, affected asset, and earliest occurrence time to construct a directed acyclic anomaly graph. The optimal security incident chain sequence is selected as the attack phase chain, and the remaining security incidents are mapped to each attack phase.
[0011] As a further aspect of the present invention, the log data of the network security event is network security event log data generated by network security devices, wherein the network security devices include security devices, network devices, and terminal devices.
[0012] As a further aspect of the present invention, if a match is found to be found in the correlation analysis rule, it is determined that a network attack has been detected.
[0013] As a further aspect of the present invention, all eligible network security behavior events also include:
[0014] The attack sequence is constructed based on the earliest occurrence time of the abnormal event, and the matching degree of each attack sequence is calculated. The optimal security event link sequence is selected as the attack stage link, and the remaining security events are mapped to each attack stage.
[0015] As a further aspect of the present invention, the method for identifying network attack chains further includes converting abnormal events into attack chains during the attack chain identification process. The conversion of abnormal events into attack chains includes the following steps:
[0016] Construct an event classification-attack phase mapping table to convert security events into attack phases;
[0017] Construct an event precursor hazard table to calculate the hazard of events in the attack chain;
[0018] Based on the collected set of abnormal events, the data is aggregated according to source assets, affected assets, and event categories. The aggregated data is then used to construct a directed acyclic abnormal event graph in reverse order of the earliest occurrence time.
[0019] Using assets as points, attack events as lines, and the degree of harm as a weight, calculate the abnormal event link matching degree;
[0020] The matching degree of the event links is compared to see if it exceeds a threshold. If the matching degree exceeds the threshold, the link is taken as an attack sequence. If none of the links meet the threshold, the event link with the highest matching degree is selected. After finding a suitable attack sequence, the attack event is converted into an attack stage through the built-in event classification-attack stage mapping table. The remaining aggregated events that are not in this link are converted into attack stages and added to the attack link to obtain a complete attack link.
[0021] As a further aspect of the present invention, the hazard level is obtained by querying the event precursor hazard level table through the current event classification and the precursor event classification. When there is no precursor event, the hazard level is 1 by default.
[0022] As a further aspect of the present invention, the abnormal event link matching degree ω is calculated. Among them, v i To calculate the degree of harm, min(t) i ΔT represents the minimum time interval between the current event and the next event in the current link hierarchy. i Let m be the interval between the current event and the next event, and m be the maximum level in the directed graph.
[0023] As a further aspect of the present invention, the attack phase is divided into target reconnaissance, attack intrusion, vulnerability exploitation, privilege escalation, lateral movement, action phase, and withdrawal phase.
[0024] In a second aspect, in yet another embodiment of the present invention, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor loads and executes the computer program to implement the steps of a method for identifying network attack chains.
[0025] Thirdly, in another embodiment of the present invention, a storage medium is provided storing a computer program, which, when loaded and executed by a processor, implements the steps of the network attack chain identification method.
[0026] The technical solution provided by this invention has the following beneficial effects:
[0027] The network attack chain identification method, computer equipment, and storage medium provided by this invention analyze security event logs generated by various devices based on different principles, taking assets as the object of analysis. At the same time, it analyzes long-term network security-related logs. When a network security incident alarm occurs, a relatively complete and accurate attack chain can be constructed to support management personnel in their handling work.
[0028] These or other aspects of the invention will become more apparent from the following description of embodiments. It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only, and are not intended to limit the invention. Attached Figure Description
[0029] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. In the drawings:
[0030] Figure 1 This is a flowchart illustrating a method for identifying network attack chains according to an embodiment of the present invention.
[0031] Figure 2 This is a flowchart illustrating the attack chain identification method in one embodiment of the present invention.
[0032] Figure 3 This is a flowchart illustrating the conversion of abnormal events into attack chains in a network attack chain identification method according to an embodiment of the present invention.
[0033] Figure 4 This is a schematic diagram illustrating the specific operation of converting abnormal events into attack chains in a network attack chain identification method according to an embodiment of the present invention.
[0034] Figure 5 This is a flowchart of the main attack chain in a network attack chain identification method according to an embodiment of the present invention.
[0035] Figure 6 This is a schematic representation of the severity of precursor events in an attack chain, as described in an embodiment of the present invention, for identifying network attack chains. Detailed Implementation
[0036] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.
[0037] In some of the processes described in the specification, claims, and accompanying drawings of this invention, multiple operations appearing in a specific order are included. However, it should be clearly understood that these operations may not be executed in the order they appear herein, or may be executed in parallel. The operation numbers, such as 101, 102, etc., are merely used to distinguish different operations and do not represent any execution order. Furthermore, these processes may include more or fewer operations, and these operations may be executed sequentially or in parallel. It should be noted that the descriptions such as "first," "second," etc., in this document are used to distinguish different messages, devices, modules, etc., and do not represent a sequential order, nor do they limit "first" and "second" to different types.
[0038] The technical solutions in the exemplary embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described exemplary embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0039] Traditional attack chains, when describing network attacks, analyze network traffic, resulting in limited data elements and incomplete attack chain paths. They are constructed based on IP addresses, failing to integrate link-layer security event data for comprehensive analysis. They can only construct attack chains based on data from a period before and after an attack event, rendering them ineffective against long-term, slow-penetrating threats. Furthermore, they neglect discrete attack behaviors and the reconnaissance and penetration phases of multi-stage network attacks.
[0040] Current technical solutions are based on analyzing network traffic to detect whether it contains attack events. If an attack event is found, the active window data associated with the attack event is acquired and saved at the attacking or victim end for a period of time before and after the attack event, and the attack chain is obtained based on the active window data.
[0041] In view of this, the present invention provides a method, computer device and storage medium for identifying network attack chains. It analyzes security event logs generated by various devices based on different principles, takes assets as the object of analysis, and analyzes long-term network security-related logs to solve the technical problems of current technical means.
[0042] The network security attack chain identification method of this invention is based on network security event log data generated from devices such as security devices, network devices, and terminal devices. The collected log data is normalized and detected by security analysis engines such as correlation analysis. If network attack behavior is detected, the security information is supplemented with asset information and event classification information. Based on the asset information related to the security event, all network security behavior events related to that asset set are traced back. Then, all eligible network security behavior events are used to construct a directed acyclic anomaly event graph according to the source asset, affected asset, and earliest occurrence time. The optimal security event chain sequence is selected as the attack stage chain, and the remaining security events are mapped to each attack stage.
[0043] Specifically, the embodiments of this application will be further described below with reference to the accompanying drawings.
[0044] See Figure 1 As shown, one embodiment of the present invention provides a method for identifying network attack chains, which specifically includes the following steps:
[0045] S10. Collect log data of network security incidents and standardize the collected log data.
[0046] In this embodiment, the log data of the network security event is network security event log data generated by network security devices, which include security devices, network devices, and terminal devices. That is, the collected log data is normalized based on the network security event log data generated from devices such as security devices, network devices, and terminal devices.
[0047] In this embodiment, normalization processing involves cleaning operations such as data de-privatization, standardization, filtering, and merging. Normalization processing is an existing processing technology and will not be described in detail here.
[0048] S20. The security analysis engine detects whether real-time network security events match the correlation analysis rules.
[0049] S30. If a correlation analysis rule is found, the security information will be completed by asset supplementation, event classification, and attack phase supplementation. The corresponding asset information set will be extracted based on the security event set, and network security behavior events related to the asset set within a certain period of time will be traced back.
[0050] If a rule for correlation analysis is found to be matched, it is determined that a network attack has been detected. Correlation analysis involves multi-dimensional and in-depth mining of related security events for model matching. If a match is found, an alarm event is generated.
[0051] S40. Construct a directed acyclic anomaly graph for all eligible cybersecurity behavior events by source asset, affected asset, and earliest occurrence time. Select the optimal security event chain sequence as the attack phase chain and map the remaining security events to each attack phase.
[0052] In this embodiment, the network attack chain identification method of the present invention analyzes security event logs generated by various devices based on different principles, takes assets as the object of analysis, and analyzes long-term network security-related logs. When a network security event alarm occurs, a relatively complete and accurate attack chain can be constructed to support the management personnel in their handling work.
[0053] In some embodiments of the present invention, all eligible network security behavior events further include: constructing an attack sequence based on the earliest occurrence time of the abnormal event, calculating the matching degree of each attack sequence, selecting the optimal security event link sequence as the attack stage link, and mapping the remaining security events to each attack stage.
[0054] See Figure 2As shown, the attack chain identification process is as follows: First, based on network security event log data generated from security devices, network devices, and terminal devices, the collected log data is normalized. For real-time events, security analysis engines such as correlation analysis are used to detect whether correlation analysis rules are met. If so, the security information is further supplemented with asset completion, event classification, and attack stage completion. Specifically, an event classification-attack stage mapping table is constructed. This mapping table, along with various cached data, corresponds to a set of asset information. Based on the security event set, the corresponding asset information set is extracted. Other network security behavior events related to this asset set are traced back over a period of time. Backtracking analysis is performed based on offline data to determine if historical data meets the criteria for abnormal behavior. If it does, it is added to the abnormal event set; otherwise, an attack sequence is constructed based on the abnormal behavior. The matching degree of each attack sequence is calculated based on the attack sequence set. The optimal security event chain sequence is selected as the attack stage chain, and the remaining security events are mapped to each attack stage.
[0055] In some embodiments, see Figure 3 As shown, the attack chain identification process also includes converting abnormal events into attack chains, which includes the following steps S101-S105:
[0056] Step S101: Construct an event classification-attack phase mapping table to convert security events into attack phases.
[0057] Step S102: Construct an event precursor hazard table to calculate the hazard of events in the attack chain.
[0058] In this embodiment, the hazard level is obtained by querying the event precursor hazard level table through the current event classification and the precursor event classification. When there is no precursor event, the hazard level is 1 by default.
[0059] Step S103: Based on the collected set of abnormal events, aggregate them by source asset, affected asset, and event category, and construct a directed acyclic abnormal event graph by reversing the order of the aggregated data according to the earliest occurrence time.
[0060] Step S104: Using assets as points, attack events as lines, and hazard level as weight, calculate the abnormal event link matching degree.
[0061] In this embodiment, the abnormal event link matching degree ω is calculated. Among them, v i To calculate the degree of harm, min(t) i ΔT represents the minimum time interval between the current event and the next event in the current link hierarchy. iLet m be the interval between the current event and the next event, and m be the maximum level in the directed graph.
[0062] Step S105: Compare whether the matching degree of the event link exceeds the threshold. When the matching degree exceeds the threshold, the link is taken as an attack sequence. When all links do not meet the threshold, select the event link with the highest matching degree. After finding a suitable attack sequence, convert the attack event into an attack stage through the built-in event classification-attack stage mapping table. After converting the remaining aggregated events that are not in this link into attack stages, they are added to the attack link to obtain a complete attack link.
[0063] In this embodiment, when the matching degree exceeds 0.5, the link is used as an attack sequence.
[0064] The attack phase is divided into target reconnaissance, attack intrusion, vulnerability exploitation, privilege escalation, lateral movement, action phase, and withdrawal phase.
[0065] See Figure 4 The diagram illustrates the process of converting anomalous events into attack chains during attack chain identification. First, an event classification-attack stage mapping table is constructed to convert security events into attack stages. Then, an event precursor hazard table is constructed to calculate the hazard level of events in the attack chain. Next, based on the collected set of anomalous events, they are aggregated according to source asset, affected asset, and event classification. Finally, the aggregated data is used to construct a directed acyclic anomalous event graph in reverse order of its earliest occurrence time.
[0066] In this model, assets are represented as points, attack events as lines, and severity is the weight. The severity is determined by querying the preceding event severity table based on the current event category and the preceding event category; if no preceding event exists, the severity defaults to 1. Then, the abnormal event link matching degree is calculated. Among them, v i To calculate the degree of harm, min(t) i ΔT represents the minimum time interval between the current event and the next event in the current link hierarchy. i is the time interval between the current event and the next event, and m is the maximum level in the directed graph.
[0067] Next, the matching degree of the event chain is compared to see if it exceeds a threshold. If the matching degree exceeds 0.5, the chain can be considered an attack sequence. If none of the chains meet the threshold, the event chain with the highest matching degree is selected. After finding a suitable attack sequence, the attack event is converted into an attack stage using the built-in event classification-attack stage mapping table. The attack stages are divided into target reconnaissance, attack intrusion, vulnerability exploitation, privilege escalation, lateral movement, action stage, and withdrawal stage. Then, other aggregated events not in this chain are also converted into attack stages and added to the attack chain. Finally, a complete attack chain is obtained.
[0068] In embodiments of the present invention, the network attack chain identification method is mainly used to analyze network security incidents. It can identify the current attack stage to help administrators assess the risk of the security incident; it can provide attack path information to help administrators understand the threat path of the security incident and take effective protective measures; it can also provide associated attack paths to help administrators discover other potentially affected assets.
[0069] It should be understood that although the above description follows a certain order, these steps are not necessarily executed in that order. Unless otherwise expressly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, some steps in this embodiment may include multiple steps or multiple stages, which are not necessarily completed at the same time, but may be executed at different times. The execution order of these steps or stages is not necessarily sequential, but may be performed alternately or in turn with other steps or at least a portion of the steps or stages in other steps.
[0070] For example, such as Figure 5 and Figure 6 As shown, the sample data has already undergone aggregation and other operations. Initially, the starting point is found from the abnormal data set, representing the last asset affected in the chain—the two assets in the diagram subjected to information compromise and distributed denial-of-service (DDoS) attacks. Next, the preceding events are searched in reverse order from the information compromised chain. According to the event precursor hazard table, when the preceding event of the information compromise event is an unauthorized attack, the hazard level is 0.8. This process of searching for precursors continues until a point without a precursor is found. The hazard level on the chain is then calculated using the formula, yielding a matching degree of 0.72. Similarly, the matching degree corresponding to the DDoS attack chain is calculated to be 0.675. Therefore, the chain corresponding to the information compromise is taken as the primary attack sequence, and the event classification is converted into the corresponding attack stage by querying the event classification-attack stage mapping table. This attack sequence is then used as the primary attack chain.
[0071] The network attack chain identification method of this invention can analyze log data generated by multiple devices, solving the problem of incomplete information from a single device. When tracing back related security events based on security incidents, filtering by asset ensures information integrity. Multiple attack sequences are constructed, and based on the matching degree of attack stages, the last attack sequence is selected as the primary attack chain, while the other attack sequences are designated as secondary attack paths.
[0072] An embodiment of the present invention provides a computer device including a memory and a processor. The memory stores a computer program, and the processor is configured to execute the computer program stored in the memory. The memory stores one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the attack chain identification flow step in the network attack chain identification method described in the above embodiment:
[0073] Based on network security event log data generated from security devices, network devices, and terminal devices, the collected log data is normalized and detected by security analysis engines such as correlation analysis. If a correlation analysis rule is found to be matched, the security information is supplemented with asset information, event classification, and attack phase completion. The corresponding asset information set is extracted from the security event set, and other network security behavior events related to this asset set within a certain period are traced back. Then, for all network security behavior events that meet the conditions, attack sequences are constructed based on the earliest occurrence time of the abnormal event, and the matching degree of each attack sequence is calculated. The optimal security event link sequence is selected as the attack phase link, and the remaining security events are mapped to each attack phase.
[0074] The process of converting anomalous events into attack chains during attack chain identification includes:
[0075] First, a mapping table for event classification and attack phase is constructed to convert security events into attack phases. Then, an event precursor hazard table is constructed to calculate the hazard of events in the attack chain.
[0076] Next, based on the collected set of abnormal events, the data is aggregated according to source assets, affected assets, and event categories, and the aggregated data is used to construct a directed acyclic abnormal event graph in reverse order of the earliest occurrence time.
[0077] In this system, assets are represented as points, attack events as lines, and severity is the weight. The severity is determined by querying the preceding event severity table based on the current event category and the preceding event category. If no preceding event exists, the severity defaults to 1.
[0078] Then we begin calculating the abnormal event link matching degree. Among them, v i To calculate the degree of harm, min(t) i ΔT represents the minimum time interval between the current event and the next event in the current link hierarchy. i is the time interval between the current event and the next event, and m is the maximum level in the directed graph.
[0079] Next, the matching degree of the event link is compared to see if it exceeds a threshold. When the matching degree exceeds 0.5, the link can be used as an attack sequence. If none of the links meet the threshold, the event link with the highest matching degree is selected. After finding a suitable attack sequence, the attack event is converted into an attack stage through the built-in event classification-attack stage mapping table. The attack stages are divided into target reconnaissance, attack intrusion, vulnerability exploitation, privilege escalation, lateral movement, action stage, and withdrawal stage.
[0080] Next, other aggregated events not in this chain are also converted into attack phases and added to the attack chain. Finally, a complete attack chain is obtained.
[0081] In one embodiment of the present invention, a storage medium is also provided, on which a computer program is stored, which, when executed by a processor, implements the steps in the above-described method embodiments:
[0082] Based on network security event log data generated from security devices, network devices, and terminal devices, the collected log data is normalized and detected by security analysis engines such as correlation analysis. If a correlation analysis rule is found to be matched, the security information is supplemented with asset information, event classification, and attack phase completion. The corresponding asset information set is extracted from the security event set, and other network security behavior events related to this asset set within a certain period are traced back. Then, for all network security behavior events that meet the conditions, attack sequences are constructed based on the earliest occurrence time of the abnormal event, and the matching degree of each attack sequence is calculated. The optimal security event link sequence is selected as the attack phase link, and the remaining security events are mapped to each attack phase.
[0083] The process of converting anomalous events into attack chains during attack chain identification includes:
[0084] First, a mapping table for event classification and attack phase is constructed to convert security events into attack phases. Then, an event precursor hazard table is constructed to calculate the hazard of events in the attack chain.
[0085] Next, based on the collected set of abnormal events, the data is aggregated according to source assets, affected assets, and event categories, and the aggregated data is used to construct a directed acyclic abnormal event graph in reverse order of the earliest occurrence time.
[0086] In this system, assets are represented as points, attack events as lines, and severity is the weight. The severity is determined by querying the preceding event severity table based on the current event category and the preceding event category. If no preceding event exists, the severity defaults to 1.
[0087] Then we begin calculating the abnormal event link matching degree. Among them, v i To calculate the degree of harm, min(t)i ΔT represents the minimum time interval between the current event and the next event in the current link hierarchy. i is the time interval between the current event and the next event, and m is the maximum level in the directed graph.
[0088] Next, the matching degree of the event link is compared to see if it exceeds a threshold. When the matching degree exceeds 0.5, the link can be used as an attack sequence. If none of the links meet the threshold, the event link with the highest matching degree is selected. After finding a suitable attack sequence, the attack event is converted into an attack stage through the built-in event classification-attack stage mapping table. The attack stages are divided into target reconnaissance, attack intrusion, vulnerability exploitation, privilege escalation, lateral movement, action stage, and withdrawal stage.
[0089] Next, other aggregated events not in this chain are also converted into attack phases and added to the attack chain. Finally, a complete attack chain is obtained.
[0090] The processor further executes one or more computer instructions to implement the steps in the above method embodiments:
[0091] Based on network security event log data generated from security devices, network devices, and terminal devices, the collected log data is normalized and detected by security analysis engines such as correlation analysis. If a correlation analysis rule is found to be matched, the security information is supplemented with asset information, event classification, and attack phase completion. The corresponding asset information set is extracted from the security event set, and other network security behavior events related to this asset set within a certain period are traced back. Then, for all network security behavior events that meet the conditions, attack sequences are constructed based on the earliest occurrence time of the abnormal event, and the matching degree of each attack sequence is calculated. The optimal security event link sequence is selected as the attack phase link, and the remaining security events are mapped to each attack phase.
[0092] The process of converting anomalous events into attack chains during attack chain identification includes:
[0093] First, a mapping table for event classification and attack phase is constructed to convert security events into attack phases. Then, an event precursor hazard table is constructed to calculate the hazard of events in the attack chain.
[0094] Next, based on the collected set of abnormal events, the data is aggregated according to source assets, affected assets, and event categories, and the aggregated data is used to construct a directed acyclic abnormal event graph in reverse order of the earliest occurrence time.
[0095] In this system, assets are represented as points, attack events as lines, and severity is the weight. The severity is determined by querying the preceding event severity table based on the current event category and the preceding event category. If no preceding event exists, the severity defaults to 1.
[0096] Then we begin calculating the abnormal event link matching degree. Among them, v i To calculate the degree of harm, min(t) i ΔT represents the minimum time interval between the current event and the next event in the current link hierarchy. i is the time interval between the current event and the next event, and m is the maximum level in the directed graph.
[0097] Next, the matching degree of the event link is compared to see if it exceeds a threshold. When the matching degree exceeds 0.5, the link can be used as an attack sequence. If none of the links meet the threshold, the event link with the highest matching degree is selected. After finding a suitable attack sequence, the attack event is converted into an attack stage through the built-in event classification-attack stage mapping table. The attack stages are divided into target reconnaissance, attack intrusion, vulnerability exploitation, privilege escalation, lateral movement, action stage, and withdrawal stage.
[0098] Next, other aggregated events not in this chain are also converted into attack phases and added to the attack chain. Finally, a complete attack chain is obtained.
[0099] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium. When executed, the computer program can include the processes of the embodiments of the above methods. Furthermore, any references to memory, storage, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory.
[0100] In summary, the network attack chain identification method, computer equipment, and storage medium provided by this invention analyze security event logs generated by various devices based on different principles, taking assets as the object of analysis, and simultaneously analyzing long-term network security-related logs. When a network security incident alarm occurs, a relatively complete and accurate attack chain can be constructed to support management personnel in their handling work.
[0101] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A method for identifying network attack chains, characterized in that, The method for identifying the network attack chain includes the following steps: S10: Collect log data of network security incidents and normalize the collected log data; S20: Detect whether real-time network security events match the correlation analysis rules through the security analysis engine; S30: If a correlation analysis rule is found to be matched, the security information will be completed by asset supplementation, event classification, and attack phase supplementation. The corresponding asset set will be extracted based on the security event set, and network security behavior events related to the asset set within a certain period of time will be traced back. S40: Construct a directed acyclic anomaly graph for all eligible cybersecurity behavior events by source asset, affected asset, and earliest occurrence time; select the optimal security event chain sequence as the attack phase chain; and map the remaining security events to each attack phase. The attack chain identification method further includes converting abnormal events into attack chains, specifically including the following steps: S101: Construct an event classification-attack phase mapping table to convert security events into attack phases; S102: Construct an event precursor hazard table to calculate the hazard of events in the attack chain; The severity level is obtained by querying the event precursor severity level table based on the current event category and the precursor event category. If there is no precursor event, the severity level is 1 by default. S103: Based on the collected set of abnormal events, aggregate them by source asset, affected asset, and event category, and construct a directed acyclic abnormal event graph by reversing the order of the aggregated data according to the earliest occurrence time. S104: Using assets as points, attack events as lines, and severity as weights, calculate the abnormal event link matching degree; Calculate the link matching degree of abnormal events ; Abnormal event link matching degree, where v i To calculate the degree of harm, min(t) i ΔT represents the minimum time interval between the current event and the next event in the current link hierarchy. i The interval between the current event and the next event is denoted as m, where m is the maximum level in the directed graph. S105: Compare whether the matching degree of the event link exceeds the threshold. If the matching degree exceeds the threshold, the link is regarded as an attack sequence. When none of the links meet the requirements, the event link with the highest matching degree is selected. After finding a suitable attack sequence, the attack event is converted into an attack stage through the built-in event classification-attack stage mapping table. After converting the remaining aggregated events that are not in this chain into the attack phase, they are added to the attack chain to obtain a complete attack chain.
2. The method for identifying network attack chains as described in claim 1, characterized in that, The log data of the network security incidents are network security incident log data generated by network security devices, which include security devices, network devices, and terminal devices.
3. The method for identifying network attack chains as described in claim 2, characterized in that, If a rule matching the correlation analysis is found, then a network attack is detected.
4. The method for identifying network attack chains as described in claim 3, characterized in that, All eligible cybersecurity incidents also include: The attack sequence is constructed based on the earliest occurrence time of the abnormal event, and the matching degree of each attack sequence is calculated. The optimal security event link sequence is selected as the attack stage link, and the remaining security events are mapped to each attack stage.
5. The method for identifying network attack chains as described in claim 1 or 4, characterized in that, The severity level is obtained by querying the event precursor severity level table based on the current event category and the precursor event category. If there is no precursor event, the severity level is 1 by default.
6. The method for identifying network attack chains as described in claim 5, characterized in that, The attack phase is divided into target reconnaissance, attack intrusion, vulnerability exploitation, privilege escalation, lateral movement, action phase, and withdrawal phase.
7. A computer device, characterized in that, The computer device includes multiple computer devices, each computer device including a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processors of the multiple computer devices execute the computer program, they jointly implement the steps of the network attack chain identification method according to any one of claims 1 to 6.
8. A storage medium, characterized in that, The device contains a computer program that, when loaded and executed by a processor, implements the steps of the method for identifying network attack chains according to any one of claims 1 to 6.