Threat behavior spectrum representation method and apparatus
By combining clustering and graph embedding spectral representation algorithms with GNN models and unsupervised learning, the problems of low efficiency in identifying malicious network behaviors and fragmented data management are solved, achieving efficient and unified representation of threat behaviors.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING UNIV OF POSTS & TELECOMM
- Filing Date
- 2023-03-09
- Publication Date
- 2026-06-05
AI Technical Summary
In existing technologies, the identification efficiency of malicious network behaviors is low, the model structure is huge and the robustness is poor, making it difficult to apply to terminal devices with limited computing resources. Furthermore, threat data analysis is scattered and cannot be managed in a unified manner, lacking an effective threat behavior representation system.
Clustering algorithms are used to cluster network attack and vulnerability sample datasets. The network element information of the overall feature space is extracted using the GNN model and mapped to threat behavior spectrum through graph embedding spectrum representation algorithm. Unsupervised learning and long short-term memory networks are then used for unified management.
It improves the efficiency of identifying malicious network behaviors, simplifies the model structure, enhances the model's practicality, and enables unified management and comprehensive representation of malicious network behaviors.
Smart Images

Figure CN116506149B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of cybersecurity, and in particular to a method and apparatus for representing threat behavior spectrum. Background Technology
[0002] Threat behavior spectrum representation is designed for complex enterprise environments. It utilizes collected logs or device alerts to construct a relevant threat graph, characterizing attacks and attack sources in a spectral format. Then, methods based on this spectral representation are used to assess the risk and threat to the attack sources and the enterprise's operating environment. To combat cyber threats, enterprises typically deploy multiple detection devices. Due to the sensitivity of detection device rules, enterprise security operations face a massive volume of threat alert correlation analysis daily, far exceeding the event investigation capabilities of operations personnel. Current attack detection devices lack the ability to analyze such event correlations, leading to high false positive rates. Alert logs generated by detection devices are often low-level and isolated, requiring security operations personnel to possess extensive security knowledge and experience to make relevant judgments, further increasing the challenges of enterprise security operations. Therefore, in the context of the emergence of security big data and the fight against advanced threats, applying threat behavior spectrum representation to enterprise intelligent security operations plays a crucial role in improving the automation level of security operations and reducing the time required for threat analysis and response.
[0003] The drawbacks of existing technologies are twofold. First, the model structures are typically very large, leading to low efficiency and poor robustness in identifying malicious network behaviors, making them difficult to apply to scenarios requiring high identification speed or to deploy on handheld devices with limited computing resources. Second, the analysis of malicious network behaviors is isolated, resulting in fragmented threat data with inconsistent formats, making unified management impossible and hindering the formation of an effective and standardized threat behavior representation system for malicious network behaviors. Summary of the Invention
[0004] In view of this, embodiments of this application provide a method and apparatus for representing a threat behavior spectrum, so as to eliminate or improve one or more defects existing in the prior art.
[0005] One aspect of this application provides a method for representing a threat behavior spectrum, the method comprising:
[0006] The network attack and vulnerability sample dataset is clustered according to the clustering algorithm to obtain multiple unknown threat clusters. The network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross relationships and multiple network attack and vulnerability sample data without cross relationships.
[0007] Each of the unknown threat clusters is input into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model can extract the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters.
[0008] The network element information of each element in the overall feature space is mapped to a threat behavior spectrum based on the graph embedding spectral representation algorithm.
[0009] In some embodiments of this application, the step of clustering the network attack and vulnerability sample dataset according to a clustering algorithm to obtain multiple unknown threat clusters includes:
[0010] The network attack and vulnerability sample dataset is clustered into attack class clusters corresponding to each of the unknown threat clusters;
[0011] Each of the aforementioned attack clusters is subjected to a corresponding preset round of aggregation steps to obtain each of the aforementioned unknown threat clusters.
[0012] In some embodiments of this application, before inputting each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model extracts the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters, the method further includes:
[0013] Obtain a dataset of historical network attack and vulnerability samples;
[0014] The historical network attack and vulnerability sample dataset is clustered according to the clustering algorithm to obtain various historical unknown threat clusters. The historical network attack and vulnerability sample dataset includes multiple historical network attack and vulnerability sample datasets with overlapping relationships and multiple historical network attack and vulnerability sample datasets without overlapping relationships.
[0015] Each of the historical unknown threat clusters is input into a multilayer sensing network, and the overall feature space corresponding to each historical unknown threat cluster is transformed according to the linear function in the multilayer sensing network to obtain numerical data of multiple points and multiple edges.
[0016] The negative values of each point and each edge are removed by the activation function to obtain the positive values of each point and each edge, thereby training a multi-layer perception layer.
[0017] A fully connected layer is constructed based on the positive values of each point and each edge, thereby training the GNN model based on the multi-layer perceptual layer and the fully connected layer.
[0018] In some embodiments of this application, mapping the network element information of each of the overall feature spaces to a threat behavior spectrum according to the graph embedding spectral representation algorithm includes:
[0019] An unsupervised representation learning algorithm is used to convert the network element information of each element in the overall feature space into corresponding multidimensional vectors.
[0020] Each of the multidimensional vectors is trained using a long short-term memory network to obtain the corresponding global information;
[0021] The threat behavior spectrum is mapped based on the various global information.
[0022] In some embodiments of this application, the aggregation step includes:
[0023] The feature spaces uniquely corresponding to all samples of each attack cluster in each attack cluster set are merged into an overall feature space to obtain the overall feature space set corresponding to each attack cluster set;
[0024] Calculate the distance between any two attack clusters in the attack cluster set that are uniquely corresponding to each of the overall feature space sets, and merge the two corresponding attack clusters into an aggregate cluster when the distance reaches the minimum value;
[0025] Each of the aforementioned aggregated clusters is updated with its unique corresponding attack cluster set to obtain a new attack cluster set.
[0026] In some embodiments of this application, constructing a fully connected layer based on the positive values of each of the points and the positive values of each of the edges includes:
[0027] The positive data of each point and the positive data of each edge are reduced in dimensionality using a pooling layer and a dropout function to obtain the fully connected layer.
[0028] In some embodiments of this application, mapping the threat behavior spectrum based on the various global information includes:
[0029] The first-order approximation is obtained by performing a first-order approximation calculation on the multi-dimensional vector that uniquely corresponds to each of the global information.
[0030] The corresponding second-order approximation is obtained by performing second-order approximation calculations on each of the first-order approximations;
[0031] Based on the respective second-order approximations, the vertices in the corresponding network element information are mapped to a threat behavior spectrum.
[0032] Another aspect of this application provides a threat behavior spectrum representation apparatus, the apparatus comprising:
[0033] The clustering module is used to cluster the network attack and vulnerability sample dataset according to the clustering algorithm to obtain multiple unknown threat clusters. The network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross relationships and multiple network attack and vulnerability sample data without cross relationships.
[0034] The model building module is used to input each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model can extract the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters.
[0035] The mapping module is used to map the network element information of each of the overall feature spaces into a threat behavior spectrum according to the graph embedding spectrum representation algorithm.
[0036] A third aspect of this application provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the threat behavior spectrum representation method described in the first aspect above.
[0037] A fourth aspect of this application provides a computer-readable storage medium having a computer program stored thereon that, when executed by a processor, implements the threat behavior spectrum representation method described in the first aspect above.
[0038] This application provides a method and apparatus for representing threat behavior spectra. The method includes: clustering a network attack and vulnerability sample dataset using a clustering algorithm to obtain multiple unknown threat clusters, wherein the network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross-relationships and multiple network attack and vulnerability sample data without cross-relationships; inputting each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model extracts network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters; and mapping the network element information of each of the overall feature spaces into a threat behavior spectrum using a graph embedding spectral representation algorithm. This application can improve the efficiency of network malicious behavior identification, simplify the model structure, and improve the practicality of the model, while also enabling unified management of network malicious behavior to improve the comprehensiveness of network malicious behavior representation.
[0039] Additional advantages, objectives, and features of this application will be set forth in part in the description which follows, and will in part become apparent to those skilled in the art upon review of the following description, or may be learned by practice of the application. The objectives and other advantages of this application can be realized and obtained by means of the structures specifically pointed out in the specification and drawings.
[0040] Those skilled in the art will understand that the purposes and advantages that can be achieved with this application are not limited to those specifically described above, and that the above and other purposes that this application can achieve will be more clearly understood from the following detailed description. Attached Figure Description
[0041] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, do not constitute a limitation thereof. The components in the drawings are not drawn to scale but are merely for illustrating the principles of this application. For ease of illustration and description of certain parts of this application, corresponding portions in the drawings may be enlarged, i.e., may appear larger relative to other components in an exemplary device actually manufactured according to this application. In the drawings:
[0042] Figure 1 This is a flowchart illustrating a threat behavior spectrum representation method in one embodiment of this application.
[0043] Figure 2 This is a schematic diagram of the threat behavior spectrum representation device in another embodiment of this application.
[0044] Figure 3 This is a diagram illustrating the overall system architecture of the threat behavior spectrum in this application.
[0045] Figure 4 This is a general framework diagram representing the threat behavior spectrum of this application. Detailed Implementation
[0046] To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the embodiments and accompanying drawings. Here, the illustrative embodiments and their descriptions are used to explain this application, but are not intended to limit it.
[0047] It should also be noted that, in order to avoid obscuring this application with unnecessary details, only the structures and / or processing steps closely related to the solution according to this application are shown in the accompanying drawings, while other details that are not closely related to this application are omitted.
[0048] It should be emphasized that the term "including / comprises" as used herein refers to the presence of a feature, element, step, or component, but does not exclude the presence or addition of one or more other features, elements, steps, or components.
[0049] It should also be noted that, unless otherwise specified, the term "connection" in this article can refer not only to a direct connection, but also to an indirect connection involving an intermediary.
[0050] In the following description, embodiments of the present application will be illustrated with reference to the accompanying drawings. In the drawings, the same reference numerals represent the same or similar parts, or the same or similar steps.
[0051] The following examples will provide a detailed description.
[0052] This application provides a threat behavior spectrum representation method that can be executed by a threat behavior spectrum representation device. See [link to relevant documentation]. Figure 1 The threat behavior spectrum representation method specifically includes the following:
[0053] Step 110: Cluster the network attack and vulnerability sample dataset according to the clustering algorithm to obtain multiple unknown threat clusters, wherein the network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross relationships and multiple network attack and vulnerability sample data without cross relationships;
[0054] Step 120: Input each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model can extract the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters;
[0055] Step 130: Map the network element information of each of the overall feature spaces into a threat behavior spectrum according to the graph embedding spectrum representation algorithm.
[0056] Specifically, see Figure 3 The client first clusters the network attack and vulnerability sample dataset using a clustering algorithm to obtain multiple unknown threat clusters. Then, each unknown threat cluster is input into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model can extract the network element information of the overall feature space uniquely corresponding to each unknown threat cluster. Finally, the network element information of each overall feature space is mapped to a threat behavior spectrum using a graph embedding spectral representation algorithm. This can improve the efficiency of network malicious behavior identification, simplify the model structure, and improve the model's practicality. At the same time, it can uniformly manage network malicious behavior to improve the comprehensiveness of network malicious behavior representation.
[0057] The network attack and vulnerability sample dataset (i.e., network attack and vulnerability samples from different data sources) includes multiple network attack and vulnerability sample datasets with overlapping relationships (i.e., extended datasets, which can be regarded as descriptions of the same problem from different perspectives) and multiple network attack and vulnerability sample datasets without overlapping relationships; the unknown threat cluster includes categories such as self-deformation, parasitic camouflage, external object occlusion, and spatiotemporal mitigation. The clustering algorithm can be k-means, FCM, or DBSCAN clustering algorithm.
[0058] To further improve the efficiency of identifying malicious network behavior, simplify the model structure, and enhance the model's practicality, step 110 includes:
[0059] Step 111: Cluster the network attack and vulnerability sample dataset into attack class clusters corresponding to each of the unknown threat clusters;
[0060] Step 112: Perform the corresponding preset rounds of aggregation steps on each of the attack type clusters to obtain each of the unknown threat clusters.
[0061] Specifically, the client clusters the network attack and vulnerability sample dataset into attack class clusters corresponding to each unknown threat cluster; and performs a preset number of aggregation steps on each attack class cluster to obtain each unknown threat cluster, thereby further improving the efficiency of network malicious behavior identification and simplifying the model.
[0062] To simplify the model structure, the following is included before step 120:
[0063] Step 121: Obtain a dataset of historical network attack and vulnerability samples;
[0064] Step 122: Cluster the historical network attack and vulnerability sample dataset according to the clustering algorithm to obtain each historical unknown threat cluster, wherein the historical network attack and vulnerability sample dataset includes multiple historical network attack and vulnerability sample datasets with overlapping relationships and multiple historical network attack and vulnerability sample datasets without overlapping relationships.
[0065] Step 123: Input each of the historical unknown threat clusters into the multilayer sensing network, and transform the overall feature space corresponding to each of the historical unknown threat clusters according to the linear function in the multilayer sensing network to obtain numerical data of multiple points and multiple edges;
[0066] Step 124: Remove the negative data from each point and each edge according to the activation function to obtain the positive data of each point and each edge, thereby training a multilayer perceptron layer;
[0067] Step 125: Construct a fully connected layer based on the positive values of each point and each edge, thereby training the GNN model based on the multi-layer perceptual layer and the fully connected layer.
[0068] Specifically, the client acquires a dataset of historical network attacks and vulnerabilities; clusters the dataset using a clustering algorithm to obtain clusters of historical unknown threats; inputs each cluster into a multilayer perceptron (MLP), transforms the overall feature space of each cluster using a linear function to obtain numerical data for multiple points and edges; removes negative values from each point and edge using an activation function to obtain positive values for each point and edge, thereby training the multilayer perceptron layer; constructs a fully connected layer based on the positive values of each point and edge, and trains a GNN model based on the multilayer perceptron layer and the fully connected layer, thus effectively simplifying the model structure.
[0069] The historical network attack and vulnerability sample dataset includes multiple historical network attack and vulnerability sample datasets with cross-relationships and multiple historical network attack and vulnerability sample datasets without cross-relationships. In the multilayer perceptron network, each layer (composed of a linear function and a BatchNorm function) is a recursive neighborhood aggregation scheme, where the feature vector of each node v∈G is calculated by aggregating the features of its neighbors. The feature vector hv can store the feature information of neighboring nodes in the graph. The linear function in each layer performs a linear transformation on the unknown threat cluster, and learns the weights and biases during the learning process (the weights and biases are the preset parameters during the training of the GNN model). The BatchNorm function in each layer is used to ensure that the input of each layer of the MLP has the same distribution during the training process. At the same time, the dropout function is used to avoid overfitting when each layer propagates forward to the next layer. Specifically, the dropout function avoids overfitting by ignoring a certain number of neurons. Meanwhile, in the GNN model, the cross-entropy function is used as the loss function as shown in Equation (1), where p represents the distribution of the true labels and q is the distribution of the predicted labels of the trained model. The loss function is used to estimate the degree of inconsistency between the model's predictions and the true values, and the model is trained through backpropagation. In the multi-class classification scenario of this invention, it exhibits better convergence characteristics than the mean squared error (MSE) loss function. The Adam optimizer is employed; Adam is a stepwise optimization algorithm based on adaptive low-order moment estimation of a stochastic objective function. It is an efficient stochastic optimization method requiring only first-order gradients and a small amount of memory. The Adam optimizer calculates the exponential moving average of the squared gradient and updates the correction parameters, while also calculating the adaptive learning rate for each parameter.
[0070]
[0071] In order to further unify the management of malicious online behavior and improve the comprehensiveness of its representation, step 130 includes:
[0072] Step 131: Use an unsupervised representation learning algorithm to convert the network element information of each of the overall feature spaces into corresponding multidimensional vectors;
[0073] Step 132: Train each of the multidimensional vectors according to the Long Short-Term Memory network to obtain the corresponding global information;
[0074] Step 133: Map the threat behavior spectrum based on the various global information.
[0075] Specifically, see Figure 4 The client employs an unsupervised representation learning algorithm to convert the network element information of each overall feature space into corresponding multi-dimensional vectors; it trains each multi-dimensional vector according to the Long Short-Term Memory network to obtain the corresponding global information; and it maps the threat behavior spectrum according to each global information, thereby enabling more unified management of network malicious behavior and improving the comprehensiveness of network malicious behavior representation.
[0076] Network element information includes node information and edge information in the overall feature space.
[0077] To further obtain unknown threat clusters, the aggregation step in step 112 includes:
[0078] The feature spaces uniquely corresponding to all samples of each attack cluster in each attack cluster set are merged into an overall feature space to obtain the overall feature space set corresponding to each attack cluster set;
[0079] Calculate the distance between any two attack clusters in the attack cluster set that are uniquely corresponding to each of the overall feature space sets, and merge the two corresponding attack clusters into an aggregate cluster when the distance reaches the minimum value;
[0080] Each of the aforementioned aggregated clusters is updated with its unique corresponding attack cluster set to obtain a new attack cluster set.
[0081] Specifically, the client merges the unique feature spaces of all samples in each attack cluster set into a unified feature space to obtain the unified feature space set corresponding to each attack cluster set; calculates the distance between any two attack clusters in each unique attack cluster set based on each unified feature space set, and merges the corresponding two attack clusters into an aggregated cluster when the distance reaches the minimum value; updates the unique attack cluster set of each aggregated cluster to obtain the corresponding new attack cluster set, thereby further obtaining unknown threat clusters.
[0082] To further obtain a fully connected layer, step 125 includes:
[0083] The positive data of each point and the positive data of each edge are reduced in dimensionality using a pooling layer and a dropout function to obtain the fully connected layer.
[0084] Specifically, the client uses a pooling layer and a dropout function to reduce the dimensionality of the positive data of each point and each edge to obtain the fully connected layer, thereby further obtaining the fully connected layer.
[0085] To further obtain the spectrum of threat behaviors, step 133 includes:
[0086] The first-order approximation is obtained by performing a first-order approximation calculation on the multi-dimensional vector that uniquely corresponds to each of the global information.
[0087] The corresponding second-order approximation is obtained by performing second-order approximation calculations on each of the first-order approximations;
[0088] Based on the respective second-order approximations, the vertices in the corresponding network element information are mapped to a threat behavior spectrum.
[0089] Specifically, the client performs first-order approximation calculations on the uniquely corresponding multi-dimensional vectors of each global information to obtain the corresponding first-order approximation; performs second-order approximation calculations on each first-order approximation to obtain the corresponding second-order approximation; and maps the vertices in each network element information to a threat behavior spectrum based on each second-order approximation, thereby further obtaining the threat behavior spectrum.
[0090] From a software perspective, this application also provides a threat behavior spectrum representation apparatus for performing all or part of the aforementioned threat behavior spectrum representation method, see [link to relevant documentation]. Figure 4 The threat behavior spectrum representation device specifically includes the following components:
[0091] Clustering module 10 is used to cluster the network attack and vulnerability sample dataset according to the clustering algorithm to obtain multiple unknown threat clusters, wherein the network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross relationships and multiple network attack and vulnerability sample data without cross relationships.
[0092] The model building module 20 is used to input each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model can extract the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters.
[0093] The mapping module 30 is used to map the network element information of each of the overall feature spaces into a threat behavior spectrum according to the graph embedding spectrum representation algorithm.
[0094] The embodiments of the threat behavior spectrum representation device provided in this application can be used to execute the processing flow of the embodiment of the threat behavior spectrum representation method in the above embodiments. Its functions will not be repeated here, but can be referred to the detailed description of the embodiment of the threat behavior spectrum representation method in the above embodiments.
[0095] This application provides a method and apparatus for representing threat behavior spectra. The method includes: clustering a network attack and vulnerability sample dataset using a clustering algorithm to obtain multiple unknown threat clusters, wherein the network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross-relationships and multiple network attack and vulnerability sample data without cross-relationships; inputting each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model extracts network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters; and mapping the network element information of each of the overall feature spaces into a threat behavior spectrum using a graph embedding spectral representation algorithm. This application can improve the efficiency of network malicious behavior identification, simplify the model structure, and improve the practicality of the model, while also enabling unified management of network malicious behavior to improve the comprehensiveness of network malicious behavior representation.
[0096] This application also provides an electronic device, such as a central server, which may include a processor, a memory, a receiver, and a transmitter. The processor is used to execute the threat behavior spectrum representation method mentioned in the above embodiments. The processor and memory can be connected via a bus or other means, taking a bus connection as an example. The receiver can be connected to the processor and memory via wired or wireless means.
[0097] The processor can be a central processing unit (CPU). The processor can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations of the above types of chips.
[0098] Memory, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as the program instructions / modules corresponding to the threat behavior spectrum representation method in the embodiments of this application. The processor executes various functional applications and data processing by running the non-transitory software programs, instructions, and modules stored in the memory, thereby implementing the threat behavior spectrum representation method in the above method embodiments.
[0099] The memory may include a program storage area and a data storage area. The program storage area may store the operating system and applications required for at least one function; the data storage area may store data created by the processor, etc. Furthermore, the memory may include high-speed random access memory and non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory remotely located relative to the processor, which can be connected to the processor via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0100] The one or more modules are stored in the memory, and when executed by the processor, the threat behavior spectrum representation method in the embodiment is executed.
[0101] In some embodiments of this application, the user equipment may include a processor, a memory, and a transceiver unit. The transceiver unit may include a receiver and a transmitter. The processor, memory, receiver, and transmitter may be connected via a bus system. The memory is used to store computer instructions, and the processor is used to execute the computer instructions stored in the memory to control the transceiver unit to send and receive signals.
[0102] As one implementation method, the functions of the receiver and transmitter in this application can be implemented by transceiver circuits or dedicated transceiver chips, and the processor can be implemented by dedicated processing chips, processing circuits or general-purpose chips.
[0103] As another implementation approach, the server provided in this application embodiment can be implemented using a general-purpose computer. That is, the program code implementing the processor, receiver, and transmitter functions is stored in memory, and the general-purpose processor implements the processor, receiver, and transmitter functions by executing the code in memory.
[0104] This application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the steps of the aforementioned threat behavior spectrum representation method. The computer-readable storage medium may be a tangible storage medium, such as random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, register, floppy disk, hard disk, removable storage disk, CD-ROM, or any other form of storage medium known in the art.
[0105] Those skilled in the art will understand that the exemplary components, systems, and methods described in conjunction with the embodiments disclosed herein can be implemented in hardware, software, or a combination of both. Whether implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application. When implemented in hardware, it can be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards, etc. When implemented in software, the elements of this application are programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium or transmitted over a transmission medium or communication link via data signals carried on a carrier wave.
[0106] It should be clarified that this application is not limited to the specific configurations and processes described above and shown in the figures. For the sake of brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method process of this application is not limited to the specific steps described and shown. Those skilled in the art can make various changes, modifications, and additions, or change the order of steps, after understanding the spirit of this application.
[0107] In this application, features described and / or illustrated for one embodiment may be used in the same or similar manner in one or more other embodiments, and / or combined with or in place of features of other embodiments.
[0108] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Various modifications and variations can be made to the embodiments of this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.
Claims
1. A method for representing a threat behavior spectrum, characterized in that, The method includes: The network attack and vulnerability sample dataset is clustered according to the clustering algorithm to obtain multiple unknown threat clusters. The network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross relationships and multiple network attack and vulnerability sample data without cross relationships. Each of the unknown threat clusters is input into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model can extract the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters. The network element information of each of the overall feature spaces is mapped to a threat behavior spectrum according to the graph embedding spectral representation algorithm; wherein, the mapping of the network element information of each of the overall feature spaces to a threat behavior spectrum according to the graph embedding spectral representation algorithm includes: using an unsupervised representation learning algorithm to convert the network element information of each of the overall feature spaces into corresponding multi-dimensional vectors; training each of the multi-dimensional vectors according to a long short-term memory network to obtain corresponding global information; and mapping the threat behavior spectrum according to each of the global information.
2. The threat behavior spectrum representation method according to claim 1, characterized in that, The clustering algorithm is used to cluster the network attack and vulnerability sample dataset to obtain multiple unknown threat clusters, including: The network attack and vulnerability sample dataset is clustered into attack class clusters corresponding to each of the unknown threat clusters; Each of the aforementioned attack clusters is subjected to a corresponding preset round of aggregation steps to obtain each of the aforementioned unknown threat clusters.
3. The threat behavior spectrum representation method according to claim 1, characterized in that, Before inputting each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model extracts the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters, the method further includes: Obtain a dataset of historical network attack and vulnerability samples; The historical network attack and vulnerability sample dataset is clustered according to the clustering algorithm to obtain various historical unknown threat clusters. The historical network attack and vulnerability sample dataset includes multiple historical network attack and vulnerability sample datasets with overlapping relationships and multiple historical network attack and vulnerability sample datasets without overlapping relationships. Each of the historical unknown threat clusters is input into a multilayer sensing network, and the overall feature space corresponding to each historical unknown threat cluster is transformed according to the linear function in the multilayer sensing network to obtain numerical data of multiple points and multiple edges. The negative values of each point and each edge are removed by the activation function to obtain the positive values of each point and each edge, thereby training a multi-layer perception layer. A fully connected layer is constructed based on the positive values of each point and each edge, thereby training the GNN model based on the multi-layer perceptual layer and the fully connected layer.
4. The threat behavior spectrum representation method according to claim 2, characterized in that, The polymerization step includes: The feature spaces uniquely corresponding to all samples of each attack cluster in each attack cluster set are merged into an overall feature space to obtain the overall feature space set corresponding to each attack cluster set; Calculate the distance between any two attack clusters in the attack cluster set that are uniquely corresponding to each of the overall feature space sets, and merge the two corresponding attack clusters into an aggregate cluster when the distance reaches the minimum value; Each of the aforementioned aggregated clusters is updated with its unique corresponding attack cluster set to obtain a new attack cluster set.
5. The threat behavior spectrum representation method according to claim 3, characterized in that, The step of constructing a fully connected layer based on the positive values of each of the points and each of the edges includes: The positive data of each point and the positive data of each edge are reduced in dimensionality using a pooling layer and a dropout function to obtain the fully connected layer.
6. The threat behavior spectrum representation method according to claim 1, characterized in that, The step of mapping the threat behavior spectrum based on the various global information includes: The first-order approximation is obtained by performing a first-order approximation calculation on the multi-dimensional vector that uniquely corresponds to each of the global information. The corresponding second-order approximation is obtained by performing second-order approximation calculations on each of the first-order approximations; Based on the respective second-order approximations, the vertices in the corresponding network element information are mapped to a threat behavior spectrum.
7. A threat behavior spectrum representation device, characterized in that, include: The clustering module is used to cluster the network attack and vulnerability sample dataset according to the clustering algorithm to obtain multiple unknown threat clusters. The network attack and vulnerability sample dataset includes multiple network attack and vulnerability sample data with cross relationships and multiple network attack and vulnerability sample data without cross relationships. The model building module is used to input each of the unknown threat clusters into a GNN model pre-trained based on multiple historical unknown threat clusters, so that the GNN model can extract the network element information of the overall feature space uniquely corresponding to each of the unknown threat clusters. The mapping module is used to map the network element information of each of the overall feature spaces into a threat behavior spectrum according to a graph embedding spectral representation algorithm; wherein, the step of mapping the network element information of each of the overall feature spaces into a threat behavior spectrum according to the graph embedding spectral representation algorithm includes: using an unsupervised representation learning algorithm to convert the network element information of each of the overall feature spaces into corresponding multi-dimensional vectors; training each of the multi-dimensional vectors according to a long short-term memory network to obtain corresponding global information; and mapping the threat behavior spectrum according to each of the global information.
8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it implements the threat behavior spectrum representation method as described in any one of claims 1 to 6.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the threat behavior spectrum representation method as described in any one of claims 1 to 6.