Map generation methods, attack testing methods, devices, equipment, and media

CN116610812B · Active · Publication Date: 2026-06-30 · PENG CHENG LAB +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
PENG CHENG LAB
Filing Date
2023-04-23
Publication Date
2026-06-30


Abstract

This invention provides a network attack rule graph generation method, attack testing method, apparatus, device, and medium, relating to the field of network security technology. The graph generation method acquires at least one network attack rule, parses it to obtain attack parameter entities and attack parameter relationships, and constructs a first representation graph representing spatial information based on these entities and relationships. Simultaneously, it extracts attack temporal entities and attack temporal relationships, constructs a second representation graph representing temporal information based on these entities and relationships, and combines the first and second representation graphs to obtain a network attack rule graph. By generating attack parameter entities and attack temporal entities for network attack rules, and representing attack parameters, spatial features, and temporal features in the same-level network attack rule graph, the knowledge representation process is more intuitive. The resulting network attack rule graph can be quickly queried or predicted during use, improving the application efficiency of the network attack rule graph.

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to network attack rule graph generation methods, attack testing methods, apparatus, devices, and media.

Background Technology

[0002] With the ever-expanding scale of network applications, cybersecurity vulnerabilities have emerged accordingly. In recent years, cyberattacks have occurred frequently in the internet industry, making cybersecurity a major concern. Addressing cybersecurity issues requires analyzing and predicting the current state and trends of cybersecurity based on cyberspace security data to determine the types of attacks. Among cyberattacks, Advanced Persistent Threats (APTs) are among the most complex and challenging. APTs refer to persistent and effective attack activities launched by an organization against a specific target. They are complex, targeted threat attacks with strong stealth and specificity, typically utilizing various infected media to deliver advanced, persistent, and effective threats and attacks.

[0003] To defend against cyberattacks, it is necessary to acquire the knowledge contained within complex cyberattacks, and then use this information to review, predict, and deduce attack behavior. Related technologies utilize knowledge graphs to represent complex cyberattacks. A knowledge graph is a graph database that uses the relationships between nodes to represent the knowledge information of complex cyberattacks. However, most knowledge graphs in related technologies can only represent static knowledge and cannot represent the temporal and spatial characteristics between entities. Even if some knowledge graphs contain spatiotemporal features, these features cannot be intuitively represented in the knowledge graph, resulting in the generated knowledge graph not being able to quickly match attack rules.

Summary of the Invention

[0004] The main objective of this application is to propose a network attack rule graph generation method, attack testing method, apparatus, device, and medium that can intuitively display time characteristics in the network attack rule graph and improve the application efficiency of the network attack rule graph.

[0005] To achieve the above objectives, a first aspect of this application proposes a method for generating a network attack rule graph, comprising:

[0006] Obtain at least one network attack rule; the network attack rule includes time and space information of the network attack.

[0007] The attack parameter entities and attack parameter relationships of the network attack rules are extracted by parsing the network attack rules, and a first representation graph is constructed based on the attack parameter entities and attack parameter relationships; the first representation graph represents the spatial information of the network attack.

[0008] The network attack rules are parsed to extract the attack timing entities and attack timing relationships of the network attack rules, and a second representation graph is constructed based on the attack timing entities and attack timing relationships; the second representation graph represents the time information of the network attack.

[0009] The network attack rule graph is obtained by combining the first representation graph and the second representation graph.

[0010] In some embodiments, the network attack rule includes: at least one attack step; parsing the network attack rule to extract the attack parameter entities and attack parameter relationships of the network attack rule includes:

[0011] Each attack step is parsed to obtain the attack address parameters of the attack step; the attack address parameters include the attack source address and the attack destination address of the attack step;

[0012] A step entity is generated based on the attack steps, a source address entity is generated based on the attack source address, and a destination address entity is generated based on the attack destination address; the attack parameter entity includes the step entity, the destination address entity, and the source address entity;

[0013] The attack parameter relationship is generated based on the attack address parameter.

[0014] In some embodiments, generating a step entity based on the attack steps includes:

[0015] Obtain the attack steps for each of the aforementioned network attack rules;

[0016] Obtain the attack tag for each of the attack steps;

[0017] The step entity is generated based on the deduplicated attack tags.

[0018] In some embodiments, constructing the first representation graph based on the attack parameter entities and the attack parameter relationships includes:

[0019] Entity information for constructing the first representation graph is built based on each of the attack parameter entities;

[0020] The relational information of the first representation graph is constructed using a first directed relational line characterizing the relationship between the attack parameters;

[0021] The first representation graph is constructed based on the entity information and the relationship information.

[0022] In some embodiments, the attack steps are divided into a first step and a second step, where the attack source address of the first step is a first source address, the attack destination address of the first step is a first destination address, and the attack source address of the second step is a second source address, and the attack destination address of the second step is a second destination address; generating the attack parameter relationship based on the attack address parameters includes:

[0023] If the first source address is the same as the second source address, then the attack parameter relationship is a first address relationship; if the first source address is the same as the second destination address, then the attack parameter relationship is a second address relationship; if the first destination address is the same as the second destination address, then the attack parameter relationship is a third address relationship; if the first destination address is the same as the second source address, then the attack parameter relationship is a fourth address relationship.

[0024] In some embodiments, constructing the relational information of the first representation graph using a first directed relational line characterizing the relationship between the attack parameters includes:

[0025] When the attack parameter relationship is a first address relationship, a first directed relationship line is constructed from the source address entity corresponding to the first source address to the source address entity corresponding to the second source address;

[0026] When the attack parameter relationship is the second address relationship, a first directed relationship line is constructed from the source address entity corresponding to the first source address to the destination address entity corresponding to the second destination address;

[0027] When the attack parameter relationship is the third address relationship, a first directed relationship line is constructed from the destination address entity corresponding to the first destination address to the destination address entity corresponding to the second destination address;

[0028] When the attack parameter relationship is the fourth address relationship, a first directed relationship line is constructed from the destination address entity corresponding to the first destination address to the source address entity corresponding to the second source address.

[0029] In some embodiments, the step of parsing the network attack rules to extract the attack timing entities and attack timing relationships of the network attack rules includes:

[0030] The attack time for each attack step is obtained by analyzing the attack steps.

[0031] The execution order of the attack steps in the network attack rule is generated based on the attack time, and the attack timing relationship is generated based on the execution order.

[0032] Construct the attack timing entity and store the attack timing relationship in the attack timing entity.

[0033] In some embodiments, constructing the second representation graph based on the attack temporal entities and the attack temporal relationships includes:

[0034] A second directed relation line is generated from the step entity to the attack timing entity;

[0035] The second directed relation line is used to represent the relational information of the second representation graph;

[0036] The second representation graph is constructed based on the attack time sequence entity and the relationship information.

[0037] In some embodiments, constructing the attack timing entity and storing the attack timing relationship in the attack timing entity includes:

[0038] For each of the network attack rules, an attack sequence entity is constructed, and the attack sequence relationship of the network attack rules is stored in the attack sequence entity;

[0039] Alternatively, N network attack rules can be grouped into a rule group; a shared attack timing entity is generated for the rule group, and the attack timing relationship of each network attack rule in the rule group is stored as an element value in the attack timing entity. The number of element values in the attack timing entity is N, where N is an integer greater than 1.

[0040] In some embodiments, if the attack source address is used as attribute information of the attack step, then the step entity and the source address entity are the same entity.

[0041] To achieve the above objectives, a second aspect of this application proposes an attack testing method based on a network attack rule graph, the method comprising:

[0042] Obtain the network data packets to be tested;

[0043] Extract the step information, time information, and spatial information from the network data packets;

[0044] A first entity node to be tested is constructed based on the step information, time information, and spatial information. The first entity node includes a step entity related to the step information, a first time entity related to the time information, and a first spatial entity related to the spatial information.

[0045] The first entity node is matched with entity nodes in the network attack rule graph; the network attack rule graph is generated using the network attack rule graph generation method as described in any of the first aspects. Based on the matching results, it is determined whether the network data packet is a network attack.

[0046] In some embodiments, the method further includes:

[0047] When the first entity node is successfully matched with an entity node in the network attack rule graph, the next entity node whose time relationship follows that entity node is found based on the successfully matched entity node in the network attack rule graph.

[0048] Based on the identified entity nodes, predict the next cyberattack behavior.
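As an added illustration (not the patent's own code), the following toy Python model builds the first and second representation graphs of paragraphs [0022] to [0039] for a constructed attack rule and then performs the matching and next-step prediction of paragraphs [0042] to [0048]. The entity naming scheme (step@tag, src@tag, dst@tag), the has_source/has_destination lines, and the choice to verify the recorded address relationships against the observed addresses are assumptions of this example; the rule and packet data are constructed using documentation IP ranges.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Step:
    tag: str   # attack tag of the step
    src: str   # attack source address
    dst: str   # attack destination address
    time: int  # attack time; only the order matters


# Paragraph [0023]: which address of the first step equals which address of the
# second step decides the attack parameter relationship.
ADDRESS_RELATIONS = {
    ("src", "src"): "first_address_relation",
    ("src", "dst"): "second_address_relation",
    ("dst", "dst"): "third_address_relation",
    ("dst", "src"): "fourth_address_relation",
}


@dataclass
class RuleGraph:
    entities: set = field(default_factory=set)      # step@tag, src@tag, dst@tag, timing ids
    first_lines: set = field(default_factory=set)   # spatial: (from_entity, relation, to_entity)
    second_lines: set = field(default_factory=set)  # temporal: (step@tag, "timing", timing id)
    timing: dict = field(default_factory=dict)      # timing id -> list of execution orders


def address_relations(first, second):
    """First directed relation lines between the address entities of two consecutive
    steps, as in [0025]-[0028]. Entity ids are an assumption of this example."""
    return [(f"{a}@{first.tag}", rel, f"{b}@{second.tag}")
            for (a, b), rel in ADDRESS_RELATIONS.items()
            if getattr(first, a) == getattr(second, b)]


def add_rule(graph, steps, timing_id):
    """Merge one rule into the graph. Rules that pass the same timing_id share a timing
    entity whose element values are their execution orders ([0039])."""
    ordered = sorted(steps, key=lambda s: s.time)  # [0031]: execution order from attack time
    for s in ordered:
        graph.entities |= {f"step@{s.tag}", f"src@{s.tag}", f"dst@{s.tag}", timing_id}
        graph.first_lines.add((f"step@{s.tag}", "has_source", f"src@{s.tag}"))       # assumed
        graph.first_lines.add((f"step@{s.tag}", "has_destination", f"dst@{s.tag}"))  # assumed
        graph.second_lines.add((f"step@{s.tag}", "timing", timing_id))              # [0034]
    for a, b in zip(ordered, ordered[1:]):
        graph.first_lines.update(address_relations(a, b))
    graph.timing.setdefault(timing_id, []).append([s.tag for s in ordered])
    return graph


def address_lines_between(graph, tag_a, tag_b):
    """Address relationship lines recorded from the entities of tag_a to those of tag_b."""
    rels = set(ADDRESS_RELATIONS.values())
    return [(x, r, y) for (x, r, y) in graph.first_lines
            if r in rels and x.endswith("@" + tag_a) and y.endswith("@" + tag_b)]


def _addr(obs, entity):
    # obs = (tag, src, dst, time); entity is "src@tag" or "dst@tag"
    return obs[1] if entity.startswith("src@") else obs[2]


def match_observations(graph, observed):
    """Second aspect ([0042]-[0048]) as a toy: observed is a list of (tag, src, dst, time)
    tuples extracted from packets. Returns whether they match a rule in the graph and,
    if so, the next step the timing entity predicts plus the addresses the relation
    lines imply for it."""
    obs = sorted(observed, key=lambda o: o[3])
    tags = [o[0] for o in obs]
    if any(f"step@{t}" not in graph.entities for t in tags):
        return {"attack": False, "reason": "unknown step"}
    # spatial check: every address relationship recorded between consecutive steps
    # must hold on the observed addresses
    for a, b in zip(obs, obs[1:]):
        for x, rel, y in address_lines_between(graph, a[0], b[0]):
            if _addr(a, x) != _addr(b, y):
                return {"attack": False, "reason": f"{rel} {a[0]}->{b[0]} violated"}
    # temporal check: follow the second directed line to the timing entity and look for
    # an execution order that contains the observed tags contiguously ([0047])
    timing_ids = {t for (s, _, t) in graph.second_lines if s == f"step@{tags[0]}"}
    for tid in timing_ids:
        for order in graph.timing[tid]:
            for i in range(len(order) - len(tags) + 1):
                if order[i:i + len(tags)] != tags:
                    continue
                result = {"attack": True, "timing_entity": tid, "next_step": None}
                if i + len(tags) < len(order):
                    nxt = order[i + len(tags)]
                    result["next_step"] = nxt
                    for x, rel, y in address_lines_between(graph, tags[-1], nxt):
                        result["expected_" + y.split("@")[0]] = _addr(obs[-1], x)
                return result
    return {"attack": False, "reason": "execution order not found"}


# Constructed sample rule (documentation IP ranges, not data from any real report).
SAMPLE_RULE = [
    Step("phishing_delivery", "203.0.113.7", "192.0.2.10", 1),
    Step("c2_beacon", "192.0.2.10", "203.0.113.7", 2),
    Step("lateral_move", "192.0.2.10", "192.0.2.20", 3),
    Step("exfiltration", "192.0.2.20", "203.0.113.7", 4),
]


def build_sample_graph():
    return add_rule(RuleGraph(), SAMPLE_RULE, "timing:group1")


if __name__ == "__main__":
    g = build_sample_graph()
    observed = [("phishing_delivery", "198.51.100.9", "10.1.1.5", 100),
                ("c2_beacon", "10.1.1.5", "198.51.100.9", 105)]
    print(match_observations(g, observed))
```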

[0049] To achieve the above objectives, a third aspect of this application provides a network attack rule graph generation apparatus, comprising:

[0050] Network attack rule acquisition module: used to acquire at least one network attack rule; the network attack rule includes time information and spatial information of the network attack;

[0051] The first representation graph generation module is used to parse the network attack rules to extract the attack parameter entities and attack parameter relationships of the network attack rules, and to construct a first representation graph based on the attack parameter entities and attack parameter relationships; the first representation graph represents the spatial information of the network attack.

[0052] The second representation graph generation module is used to parse the network attack rules to extract the attack time sequence entities and attack time sequence relationships of the network attack rules, and to construct a second representation graph based on the attack time sequence entities and attack time sequence relationships; the second representation graph represents the time information of the network attack.

[0053] Network attack rule graph generation module: used to combine the first representation graph and the second representation graph to obtain the network attack rule graph.

[0054] To achieve the above objectives, a fourth aspect of this application proposes an attack testing apparatus based on a network attack rule graph, comprising:

[0055] The acquisition module is used to acquire network data packets to be tested;

[0056] The information extraction module is used to extract step information, time information, and spatial information from the network data packets;

[0057] An entity node generation module is used to construct a first entity node to be tested based on the step information, time information and spatial information. The first entity node includes a step entity related to the step information, a first time entity related to the time information and a first spatial entity related to the spatial information.

[0058] The rule matching module is used to match the first entity node with entity nodes in the network attack rule graph; the network attack rule graph is generated using the network attack rule graph generation method as described in any of the first aspects.

[0059] The result judgment module is used to determine whether the network data packet is a network attack based on the matching result.

[0060] To achieve the above objectives, a fifth aspect of the present application provides an electronic device, the electronic device including a memory and a processor, the memory storing a computer program, and the processor executing the computer program to implement the method described in the first or second aspect above.

[0061] To achieve the above objectives, a sixth aspect of the present application provides a storage medium, which is a computer-readable storage medium storing a computer program that, when executed by a processor, implements the method described in the first or second aspect.

[0062] The network attack rule graph generation method, attack testing method, apparatus, device, and medium proposed in this application acquire at least one network attack rule containing temporal and spatial information of the network attack, parse it to obtain attack parameter entities and attack parameter relationships, and construct a first representation graph representing spatial information based on the attack parameter entities and attack parameter relationships; simultaneously, extract attack temporal entities and attack temporal relationships, and construct a second representation graph representing temporal information based on the attack temporal entities and attack temporal relationships; finally, combine the first and second representation graphs to obtain a network attack rule graph. This application generates attack parameter entities and attack temporal entities for network attack rules, representing attack parameters, spatial features, and temporal features in the same-level network attack rule graph. The knowledge representation process is more intuitive, and the obtained network attack rule graph can be quickly queried or predicted during use, improving the application efficiency of the network attack rule graph.

Attached Figure Description

[0063] Figure 1 is a flowchart of the network attack rule graph generation method provided in the embodiments of the present invention.

[0064] Figure 2 is a flowchart of step S120 in Figure 1.

[0065] Figure 3 is a flowchart of step S122 in Figure 2.

[0066] Figure 4 is a flowchart of step S123 in Figure 2.

[0067] Figures 5a-5d are schematic diagrams of the attack parameter relationships in the network attack rule graph generation method provided in this embodiment of the invention.

[0068] Figure 6 is another flowchart of step S120 in Figure 1.

[0069] Figure 7 is a flowchart of step S620 in Figure 6.

[0070] Figure 8 is a schematic diagram of network attack rules for the network attack rule graph generation method provided in this embodiment of the invention.

[0071] Figure 9 is a schematic diagram of the first representation graph of the network attack rule graph generation method provided in the embodiments of the present invention.

[0072] Figure 10 is a flowchart of step S130 in Figure 1.

[0073] Figure 11 is a flowchart of step S133 in Figure 9.

[0074] Figure 12 is another flowchart of step S130 in Figure 1.

[0075] Figure 13 is a schematic diagram of the second representation graph of the network attack rule graph generation method provided in the embodiments of the present invention.

[0076] Figure 14 is a schematic diagram of the network attack rule graph of the network attack rule graph generation method provided in the embodiments of the present invention.

[0077] Figure 15 is an overall flowchart of a network attack rule graph generation method provided in another embodiment of the present invention.

[0078] Figure 16 is a structural block diagram of a network attack rule graph generation device provided in another embodiment of the present invention.

[0079] Figure 17 is a schematic diagram of the hardware structure of the electronic device provided in an embodiment of the present invention.

Detailed Implementation

[0080] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.

[0081] It should be noted that although functional modules are divided in the device schematic diagram and the logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than the module division in the device or the order in the flowchart.

[0082] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to limit the invention.

[0083] First, let's clarify some of the terms used in this invention:

[0084] Knowledge Graph: A knowledge graph is essentially a semantic network, a graph-based data structure composed of nodes (Points) and edges (Edges). In a knowledge graph, each node represents an "entity" that exists in the real world, and each edge represents a "relationship" between entities. Binary relations in a knowledge graph are usually represented as triples, namely (head entity, relation, tail entity).

[0085] With the ever-expanding scale of network applications, cybersecurity vulnerabilities have emerged accordingly. In recent years, cyberattacks have occurred frequently in the internet industry, making cybersecurity a major concern. Addressing cybersecurity issues requires analyzing and predicting the current state and trends of cybersecurity based on cyberspace security data to determine the types of attacks. Among cyberattacks, Advanced Persistent Threats (APTs) are among the most complex and challenging. APTs refer to persistent and effective attack activities launched by an organization against a specific target. They are complex, targeted threat attacks with strong stealth and specificity, typically utilizing various infected media to deliver advanced, persistent, and effective threats and attacks.

[0086] To defend against cyberattacks, it is necessary to acquire the knowledge contained within complex cyberattacks, and then use this information to review, predict, and deduce attack behavior. Related technologies utilize knowledge graphs to represent complex cyberattacks. A knowledge graph is a graph database that uses the relationships between nodes to represent the knowledge information of complex cyberattacks. However, most knowledge graphs in related technologies can only represent static knowledge and cannot represent the temporal and spatial characteristics between entities. Even if some knowledge graphs contain spatiotemporal features, these features cannot be intuitively represented in the knowledge graph, resulting in the generated knowledge graph not being able to quickly match attack rules.

[0087] Based on this, embodiments of the present invention provide a network attack rule graph generation method, attack testing method, apparatus, device, and medium. By generating attack parameter entities and attack time sequence entities of network attack rules, attack parameters, spatial features, and temporal features are represented in the same level of network attack rule graph. The knowledge representation process is more intuitive, and the obtained network attack rule graph can be quickly queried or predicted when used, thereby improving the application efficiency of the network attack rule graph.

[0088] This invention provides a network attack rule graph generation method, an attack testing method, an apparatus, a device, and a medium, which are specifically described through the following embodiments. First, the network attack rule graph generation method in this invention is described.

[0089] The network attack rule graph generation method provided in this invention relates to the field of network security technology, and particularly to the field of network attack and defense technology. This method can be applied to a terminal, a server, or a computer program running on either the terminal or the server. For example, the computer program can be a native program or software module in an operating system; it can be a native application (APP), i.e., a program that needs to be installed in the operating system to run, such as a client that supports network attack rule graph generation; or it can be a program that only needs to be downloaded to a browser environment to run. In short, the above-mentioned computer program can be any form of application, module, or plugin. The terminal communicates with the server via a network. This network attack rule graph generation method can be executed by the terminal or the server, or by the terminal and the server working together.

[0090] In some embodiments, the terminal can be a smartphone, tablet, laptop, desktop computer, or smartwatch, etc. The server can be a standalone server, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDNs), and big data and artificial intelligence platforms; it can also be a service node in a blockchain system, where the service nodes form a peer-to-peer (P2P) network. The P2P protocol is an application layer protocol running on top of the Transmission Control Protocol (TCP). A server-side application for a network attack rule graph generation system can be installed on the server, allowing interaction with the terminal. This can be achieved by installing corresponding software on the server, such as an application implementing the network attack rule graph generation method, but not limited to these forms. The terminal and server can connect via Bluetooth, USB (Universal Serial Bus), or a network, etc., and this embodiment does not impose any limitations on these connections.

[0091] This invention can be used in a wide variety of general-purpose or special-purpose computer system environments or configurations. Examples include: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments including any of the above systems or devices. This invention can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform specific tasks or implement specific abstract data types. This invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.

[0092] The following describes the network attack rule graph generation method in an embodiment of the present invention.

[0093] Figure 1 is an optional flowchart of the network attack rule graph generation method provided in the embodiments of the present invention. The method in Figure 1 may include, but is not limited to, steps S110 to S140. It is also understood that this embodiment does not specifically limit the order of steps S110 to S140 in Figure 1; the order of steps can be adjusted, or some steps can be removed or added, according to actual needs.

[0094] Step S110: Obtain at least one network attack rule.

[0095] In one embodiment, a large amount of cybersecurity-related knowledge is actually published on the Internet every day, and various knowledge bases established by many organizations and institutions can effectively manage knowledge of attacks and vulnerabilities, such as Common Vulnerabilities & Exposures (CVE) and Common Weakness Enumeration (CWE) databases. Therefore, this embodiment obtains cyberattack information such as security reports, vulnerability databases, and security forum news by crawling websites or directly obtaining data from public databases using web crawling technology. Then, it parses this cyberattack information to obtain multiple cyberattack rules. Here, cyberattack rules refer to information such as APT attack events and the attack methods used in the corresponding attack events.

[0096] In this embodiment, the network attack rules include temporal and spatial information of the network attack. The temporal information refers to the execution order of each attack step in the attack event, and the spatial information is the IP address information of each attack step. In this embodiment, network attack rules can be retrieved by writing web crawler software from publicly available APT-related websites. These websites could include public databases of network security vendors. The crawler software can obtain structured or unstructured information, which can then be parsed to obtain the required network attack rules. Alternatively, publicly available APT reports from security vendors can be parsed. For example, Kaspersky and the Thai Computer Security Coordination Center (ThaiCERT) publish corresponding APT reports, and the required network attack rules can be obtained by parsing these reports.

[0097] In the above embodiments, the parsing process completes the information extraction function. The parsing process includes data cleaning and knowledge fusion. Data cleaning includes common data cleaning operations such as deleting duplicates, handling missing values, removing garbled characters and punctuation, and processing non-English text. Knowledge fusion includes common operations such as entity alignment and paragraph text similarity matching. It should be noted that the embodiments of this application do not specifically limit the method of obtaining network attack rules.

[0098] After obtaining network attack rules in the above embodiments, to facilitate the learning of these rules, they are represented using a knowledge graph, enabling better utilization of the rules for attack prediction and identification. However, traditional knowledge graph models in related technologies are mainly used to represent static knowledge. In network attack scenarios, entities and relationships between entities change over time, and traditional knowledge graphs struggle to represent dynamic knowledge, especially dynamic knowledge that changes with time and space factors. Therefore, they are not well-suited for the field of network security. Another related technology, temporal knowledge graphs that incorporate spatiotemporal attributes, adds time and space information as attributes to the original traditional knowledge graph. However, storing this time and space information as attribute information of relationships or entities is not intuitive for network attack rules. Since network attack rules consist of a series of logically related basic attack behaviors, meaning that complex attacks also have spatial characteristics, storing only time and space information as attributes in the knowledge graph can lead to excessively long matching times for subsequent network attack rules and unintuitive spatiotemporal information representation in the matching conclusions. Therefore, knowledge graphs in related technologies are not well-suited for network attack rules. This application proposes a novel method for generating network attack rule graphs to address the specific characteristics of network attack rules, thereby reducing time complexity and improving attack detection efficiency. The process of establishing the knowledge graph in this application is described below.

[0099] Step S120: Parse the network attack rules to extract the attack parameter entities and attack parameter relationships of the network attack rules, and construct a first representation graph based on the attack parameter entities and attack parameter relationships.

[0100] In one embodiment, since the network attack rule includes at least one attack step, and each attack step involves changes in IP address information, unlike related technologies where spatial information represents real physical space information, this embodiment extracts the source and destination addresses of each network attack step based on the network attack scenario. This facilitates the determination of the target address selection tendency of each attack step during attack prediction, thereby enabling targeted defense operations. It also facilitates the analysis of attack paths and causes during post-attack analysis, allowing for strengthened defenses against vulnerable hosts. Therefore, this embodiment uses the IP address information of the attack steps as the spatial information of the network attack, and utilizes a first representation graph to characterize the spatial information of the network attack.

[0101] In one embodiment, referring to Figure 2, parsing the network attack rules to extract attack parameter entities and attack parameter relationships involves the following steps:

[0102] Step S121: Parse each attack step to obtain the attack address parameters of the attack step.

[0103] In one embodiment, according to the network kill chain model, an APT attack mainly comprises two parts: a preparation phase and an attack phase. The preparation phase includes reconnaissance and tracking, and weapon construction. The attack phase includes the intrusion, residency, and harvesting phases. It is understood that this phase division is not unique: the number of phases may differ depending on the division method, and the execution steps contained in each phase may also be divided differently.

[0104] In the above embodiments, the preparation phase mainly refers to the process by which attackers, after selecting a target, collect information about the target's network system and personnel to prepare for entering the target's network system. At the same time, attackers comprehensively consider factors such as the target's defense and detection capabilities and target value, develop customized attack tools and malware, search for exploitable vulnerabilities, and select attack springboards and target servers, providing technical and tool support for the subsequent intrusion phase. The intelligence gathered here can cover comprehensive target information, employee information, network architecture information, and security defenses. Information gathering may be direct or indirect. Typical methods of direct information gathering include port scanning, vulnerability scanning, service scanning, host scanning, and path guessing; typical methods of indirect information gathering include using search engines and advanced web crawlers, or data leaks from third-party websites. Information gathering provides intelligence support for the subsequent attack phase. It is understandable that, because the preparation phase is relatively covert and difficult to trace, the attack steps of a network attack rule may consist only of steps in the attack phase.

[0105] In the above embodiments, the intrusion phase of the attack phase mainly involves attack injection, which can be categorized into spear-phishing attacks, watering hole attacks, or zero-day vulnerabilities. Spear-phishing attacks involve carefully crafting and delivering malicious emails containing malicious URLs or attachments; watering hole attacks involve attacking frequently visited websites, deploying malicious code on these sites, and automatically downloading malicious software when the target visits them; zero-day vulnerabilities directly attack the target server, forcing the download of malicious software. The execution tag for the attack steps in this phase can be something like "compromise the web server."

[0106] In the above embodiments, once an attacker successfully infiltrates the target network, the attack phase enters the residency phase. The attacker attempts to locate nodes residing in the network, including computer terminals, mobile phones, servers, routers, switches, etc. During the residency phase, the attacker needs to obtain detailed information about the target system and network, and therefore learns the target system's operating environment and configuration information through scanning and probes and through attack breakthroughs. Based on the scanning results, they identify vulnerable or sensitive hosts and deploy malicious programs and code to the weakest host. Then they establish tunnels to access other hosts within the target system, ensuring that the malicious programs and code can secretly reside in the target system and continuously migrate laterally within the target network, infiltrating surrounding hosts and systems. On the other hand, to gain free access to the target network and a detailed understanding of its topology and the distribution of high-value data, the attacker also uses attack methods such as privilege escalation and remote control: remote control tools are installed on the target system so that the remote control software can execute arbitrary code and instructions. Therefore, the execution labels for the attack steps during the residency phase can be "scanning and probes," "attack breakthroughs," "privilege escalation," "remote control," etc.

[0107] In the above embodiments, after the residency phase, the attacker needs to acquire data and thus enters the harvest phase. In this phase, the attacker sends back the required key information, then clears all attack traces and destroys attack evidence. Specifically, during the data return process, the attacker uses techniques such as encrypted communication, anonymous communication, and covert communication to hide their actions. Encrypted communication makes the communication content imperceptible; anonymous communication hides the communication relationship, so that the communicating parties are unaware of each other; and covert communication places the Trojan traffic within normal traffic, making the overall communication behavior imperceptible. After the data return is completed, the attacker needs to clean up the attack records to conceal themselves. Since operating system audit logs, application software logs, network security audit device logs, system monitoring data, and alarm logs may all reflect their attack records, the attacker clears the different types of log files from the operation period to conceal their tracks. Therefore, the execution tags for the attack steps in the harvest phase can be "data return," "encrypted communication," "anonymous communication," "covert communication," "log cleanup," etc.

[0108] It is understood that the attack steps at different stages in the above embodiments are merely illustrative and do not represent a limitation of the embodiments of this application. In one embodiment, for example, it is found that there are M types of attack steps in the intrusion stage, and each attack step is assigned a corresponding attack label to distinguish each attack step. The M attack labels are all different. For different network attack rules, although their attack steps are different, the attack steps of each network attack rule can be obtained by combining multiple different attack labels selected from the above M attack labels.

[0109] Since each attack step may contain IP address information, in one embodiment, the attack address parameter can be obtained by extracting the attack source address and attack destination address of each attack step from the network attack rules. It is understood that for each attack step, the IP address of its executor can be obtained as the attack source address, and the IP address of the target host can be obtained as the attack destination address. If some execution steps require spoofing IP addresses, then the obtained attack source address or attack destination address will be the spoofed IP address. It is understood that if the attack address parameter for a certain attack step cannot be obtained, its attack address parameter can be set to a default value or a virtual IP address can be generated for it.

[0110] Step S122: Generate a step entity based on the attack steps, a source address entity based on the attack source address, and a destination address entity based on the attack destination address.

[0111] In one embodiment, an entity refers to a distinguishable and independently existing node in a network attack rule graph. It is the most basic element in the network attack rule graph, and different entities have different relationships. The network attack rule graph can be characterized by utilizing entities and the relationships between entities. In this embodiment, attack parameter entities include step entities, destination address entities, and source address entities.

[0112] For the step entity, in one embodiment, referring to Figure 3, the process of generating step entities based on attack steps includes the following steps:

[0113] Step S310: Obtain the attack steps for each network attack rule.

[0114] Step S320: Obtain the attack tag for each attack step.

[0115] Step S330: Generate a step entity based on the deduplicated attack tags.

[0116] In one embodiment, each attack step of each network attack rule involved in the drawing is extracted, and then the corresponding attack step is represented by an attack tag, thus obtaining all attack tags corresponding to the network attack rule. It is understood that network attack rules can be represented by different attack tags, but different network attack rules may contain duplicate attack tags, such as all containing the attack tag "log cleanup." Therefore, this embodiment deduplicates all obtained attack tags to obtain distinct attack tags. Each deduplicated attack tag is treated as an entity, thus obtaining the step entity.

[0117] After obtaining the step entities as described above, for each step entity in the network attack rules, the attack address parameter is obtained based on the IP address association information between the attack steps. Then, the attack address parameter is represented as an entity at the same level as the step entity. Specifically, a source address entity is generated based on the attack source address, and a destination address entity is generated based on the attack destination address.

[0118] It is understandable that in the network attack rule graph, the above-mentioned step entity, destination address entity, and source address entity all exist in the form of nodes. The content of the node can represent the corresponding specific information. For example, the content of the node of the step entity can indicate the execution step, and the content of the nodes of the destination address entity and the source address entity can represent the corresponding IP address, respectively.

[0119] In one embodiment, since the focus of a network attack is on the target object of each attack step, and for the purpose of simplifying the network attack rule graph, the attack source address can be used as the attribute information of the attack step, and then the step entity and the source address entity can be merged into one entity.

[0120] Step S123: Generate attack parameter relationships based on attack address parameters.

[0121] In one embodiment, the attack steps are divided into two steps according to their temporal sequence: a first step and a second step. The attack source address in the first step is denoted as the first source address, and the attack destination address in the first step is denoted as the first destination address. The attack source address in the second step is denoted as the second source address, and the attack destination address in the second step is denoted as the second destination address. It should be understood that the terms "first step" and "second step" are used for ease of description only and do not represent a difference in the nature of the steps. Referring to Figure 4, step S123, generating the attack parameter relationship based on the attack address parameters, includes the following steps:

[0122] Step S1231: If the first source address and the second source address are the same, then the attack parameter relationship is the first address relationship.

[0123] Step S1232: If the first source address and the second destination address are the same, then the attack parameter relationship is the second address relationship.

[0124] Step S1233: If the first destination address is the same as the second destination address, then the attack parameter relationship is the third address relationship.

[0125] Step S1234: If the first destination address is the same as the second source address, then the attack parameter relationship is the fourth address relationship.

[0126] In one embodiment, referring to Figures 5a-5d, suppose there are two execution steps: step A and step B. In step A, the attack source address is y1A and the attack destination address is y2A. In step B, the attack source address is y1B and the attack destination address is y2B. If step A is taken as the first step and step B as the second step, then the first source address is y1A, the first destination address is y2A, the second source address is y1B, and the second destination address is y2B. Step A, step B, the first source address y1A, the first destination address y2A, the second source address y1B, and the second destination address y2B can each be represented as an entity node; these entity nodes comprise step entities, source address entities, and destination address entities. Each step entity is connected by directed lines to its corresponding source and destination address entities.

[0127] Figure 5a illustrates the case where the attack parameter relationship is the first address relationship: if the first source address y1A and the second source address y1B are the same, a directed connection line points from the first source address y1A to the second source address y1B. Figure 5b illustrates the case where the attack parameter relationship is the second address relationship: if the first source address y1A and the second destination address y2B are the same, the first source address y1A is connected to the second destination address y2B by a directed connection line. Figure 5c illustrates the case where the attack parameter relationship is the third address relationship: if the first destination address y2A is the same as the second source address y1B, a directed connection is made from the first destination address y2A to the second source address y1B. Figure 5d illustrates the case where the attack parameter relationship is the fourth address relationship: if the first destination address y2A and the second destination address y2B are the same, a directed connection is made from the first destination address y2A to the second destination address y2B.

[0128] In one embodiment, the above process yields attack parameter entities, including step entities, destination address entities, and source address entities, as well as the attack parameter relationships between these entities. Therefore, a first representation graph can be generated using the attack parameter entities and their corresponding attack parameter relationships. Referring to Figure 6, the process of constructing the first representation graph based on the attack parameter entities and attack parameter relationships includes the following steps:

[0129] Step S610: Construct entity information for the first representation graph based on each attack parameter entity.

[0130] Step S620: Construct relation information of the first representation graph using the first directed relation line representing the relationship between attack parameters.

[0131] In one embodiment, the first directed relation line is the line segment with an arrow in the figure. Referring to Figure 7, constructing the first representation graph using the first directed relation line representing the attack parameter relationship includes the following steps:

[0132] Step S6210: When the attack parameter relationship is the first address relationship, construct the first directed relationship line from the source address entity corresponding to the first source address to the source address entity corresponding to the second source address.

[0133] Step S6220: When the attack parameter relationship is the second address relationship, construct the first directed relationship line from the source address entity corresponding to the first source address to the destination address entity corresponding to the second destination address.

[0134] Step S6230: When the attack parameter relationship is the third address relationship, construct the first directed relationship line from the destination address entity corresponding to the first destination address to the destination address entity corresponding to the second destination address.

[0135] Step S6240: When the attack parameter relationship is the fourth address relationship, construct the first directed relationship line from the destination address entity corresponding to the first destination address to the source address entity corresponding to the second source address.

[0136] The first directed relationship line mentioned above can be understood in conjunction with the example in Figure 5.

[0137] Step S630: Construct the first representation graph based on entity information and relationship information.

[0138] In one embodiment, the nodes of the step entities, destination address entities, and source address entities are drawn in the first representation graph, and then, referring to Figure 5, the first directed relation lines representing the attack parameter relationships are drawn between the different entity nodes.

[0139] The process of drawing the first representation graph described above is illustrated below through a specific embodiment. Figure 8 shows a network attack rule for the "Night Dragon" APT. It involves three hosts: the attacker, the web server, and the sensitive host. The attack rule comprises five attack steps:

[0140] Step 1: Compromise the web server – using an SQL injection attack;

[0141] Step 2: Scan and probe – Scan sensitive hosts and servers;

[0142] Step 3: Attack and Breakthrough – Use weak passwords to launch an attack and crack the password;

[0143] Step 4: Install Control – Install remote control tools;

[0144] Step 5: Resource theft – sending back a large number of sensitive files.

[0145] The spatial information obtained by parsing network attack rules is as follows:

[0146] The attack source address IP11 in step 1 equals the attack source address IP21 in step 2; the attack destination address IP12 in step 1 equals the attack destination address IP22 in step 2; the attack destination address IP22 in step 2 equals the attack source address IP31 in step 3; the attack destination address IP32 in step 3 equals the attack source address IP41 in step 4; the attack source address IP41 in step 4 equals the attack destination address IP42 in step 4; the attack destination address IP42 in step 4 equals the attack source address IP51 in step 5; and the attack destination address IP52 in step 5 equals the attack source address IP11 in step 1. It is understandable that some of the above IP addresses may be spoofed.

[0147] Figure 9 shows the first representation graph for the embodiment of Figure 8 above. Each attack step and its associated IP addresses are represented by nodes. Five step entities are drawn for steps 1, 2, 3, 4, and 5, each representing a basic attack action. Then, for each attack step, a source address entity and a destination address entity are constructed for its attack source address and attack destination address, respectively. Attack parameter relationships are then generated according to the spatial information above, and each relationship is represented by a first directed relationship line drawn into the graph. For example, the attack source address IP11 in step 1 points to the attack source address IP21 in step 2, the attack destination address IP12 in step 1 points to the attack destination address IP22 in step 2, the attack destination address IP22 in step 2 points to the attack source address IP31 in step 3, and so on.
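The address relationship classification of steps S1231-S1234, the line construction of steps S6210-S6240, and the Figure 8 "Night Dragon" rule of [0139]-[0147] can be carried through in code. The following block is an added illustration written for this page, not code from the patent or its assignee. It assumes a small `AttackStep` record, node ids of the form `ID1/S3:src`, and placeholder documentation-range IP addresses chosen so that the seven equalities listed in [0146] hold; all of these are assumptions for the example. Because [0121] only requires the two steps to be in temporal order, the `adjacent_only=False` option generalises the page's consecutive-step examples to every earlier/later pair, which also captures the step 5 to step 1 equality the page lists.

```python
from dataclasses import dataclass
from itertools import combinations

# Relationship names follow steps S1231-S1234 of the description.
FIRST = "first_address_relationship"    # first source == second source
SECOND = "second_address_relationship"  # first source == second destination
THIRD = "third_address_relationship"    # first destination == second destination
FOURTH = "fourth_address_relationship"  # first destination == second source

# Which address entity of the earlier step points at which entity of the later step
# (steps S6210-S6240).
ENDPOINTS = {FIRST: ("src", "src"), SECOND: ("src", "dst"),
             THIRD: ("dst", "dst"), FOURTH: ("dst", "src")}


@dataclass(frozen=True)
class AttackStep:          # assumed record layout for the example
    rule_id: str   # network attack rule number, e.g. "ID1"
    step_no: int   # position in the rule's temporal order
    label: str     # attack tag of the step
    src: str       # attack source address (may be spoofed, see [0109])
    dst: str       # attack destination address


def address_relationships(first: AttackStep, second: AttackStep) -> list:
    """Classify the ordered pair (first, second) per S1231-S1234.
    More than one relationship can hold for the same pair, so a list is returned."""
    rels = []
    if first.src == second.src:
        rels.append(FIRST)
    if first.src == second.dst:
        rels.append(SECOND)
    if first.dst == second.dst:
        rels.append(THIRD)
    if first.dst == second.src:
        rels.append(FOURTH)
    return rels


def step_entities(steps) -> list:
    """S310-S330: one step entity per distinct (deduplicated) attack tag."""
    return sorted({s.label for s in steps})


def address_node(step: AttackStep, which: str) -> str:
    return f"{step.rule_id}/S{step.step_no}:{which}"   # assumed node id format


def build_first_graph(steps, adjacent_only: bool = True):
    """S610-S630: return (nodes, edges) of the first representation graph.
    nodes maps a node id to its content; edges are (from_node, to_node, relation)."""
    ordered = sorted(steps, key=lambda s: s.step_no)
    nodes = {f"step:{label}": {"type": "step"} for label in step_entities(ordered)}
    edges = []
    for s in ordered:
        src_n, dst_n = address_node(s, "src"), address_node(s, "dst")
        nodes[src_n] = {"type": "source_address", "ip": s.src}
        nodes[dst_n] = {"type": "destination_address", "ip": s.dst}
        # each step entity points to its own address entities ([0126])
        edges.append((f"step:{s.label}", src_n, "has_source"))
        edges.append((f"step:{s.label}", dst_n, "has_destination"))
    pairs = zip(ordered, ordered[1:]) if adjacent_only else combinations(ordered, 2)
    for earlier, later in pairs:
        for rel in address_relationships(earlier, later):
            from_side, to_side = ENDPOINTS[rel]
            edges.append((address_node(earlier, from_side), address_node(later, to_side), rel))
    return nodes, edges


def relation_edges(edges) -> list:
    """Only the first directed relation lines, without the step-to-address links."""
    return [e for e in edges if e[2] in ENDPOINTS]


# Constructed sample: the five-step "Night Dragon" rule of Figure 8, with placeholder
# addresses chosen so that the equalities of [0146] hold (attacker -> web server ->
# sensitive host; step 4 has the sensitive host as both source and destination).
ATTACKER, WEB_SERVER, SENSITIVE_HOST = "198.51.100.10", "192.0.2.20", "192.0.2.30"
NIGHT_DRAGON = [
    AttackStep("ID1", 1, "compromise the web server", ATTACKER, WEB_SERVER),
    AttackStep("ID1", 2, "scan and probe", ATTACKER, WEB_SERVER),
    AttackStep("ID1", 3, "attack and breakthrough", WEB_SERVER, SENSITIVE_HOST),
    AttackStep("ID1", 4, "install control", SENSITIVE_HOST, SENSITIVE_HOST),
    AttackStep("ID1", 5, "resource theft", SENSITIVE_HOST, ATTACKER),
]

if __name__ == "__main__":
    _, sample_edges = build_first_graph(NIGHT_DRAGON)
    for edge in relation_edges(sample_edges):
        print(*edge)
```

Running the block prints the seven first directed relation lines between consecutive steps, including the IP11 to IP21 and IP12 to IP22 lines named in [0147]; note that one pair of steps can satisfy two of the four conditions at once, which is why the classifier returns a list rather than a single relationship.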

[0148] This yields a first representation graph, which characterizes the spatial information of a network attack. Next, a second representation graph is drawn to characterize the temporal information of the network attack.

[0149] Step S130: Parse the network attack rules to extract the attack timing entities and attack timing relationships of the network attack rules, and construct a second representation graph based on the attack timing entities and attack timing relationships.

[0150] In one embodiment, referring to Figure 10, the process of parsing network attack rules to extract the attack timing entities and attack timing relationships of the network attack rules includes the following steps:

[0151] Step S131: Analyze the attack steps to obtain the attack time for each attack step.

[0152] Step S132: Generate the execution order between attack steps in the network attack rules based on the attack time, and generate the attack timing relationship based on the execution order.

[0153] Step S133: Construct an attack timing entity and store the attack timing relationship in the attack timing entity.

[0154] In one embodiment, referring to Figure 11, step S133, constructing an attack timing entity and storing the attack timing relationship in the attack timing entity, includes:

[0155] Step S1331: Construct an attack timing entity for each network attack rule and store the attack timing relationship of that network attack rule in the attack timing entity.

[0156] Alternatively, step S1332: Group the N network attack rules into a rule group, generate a shared attack timing entity for the rule group, and store the attack timing relationships of the network attack rules in the rule group as element values in the attack timing entity. The number of element values in the attack timing entity is N, where N is an integer greater than 1.

[0157] It is understandable that steps S1331 and S1332 are parallel (alternative) solutions. Step S1331 sets an attack timing entity for each network attack rule, which stores the attack timing information of the corresponding network attack rule. Step S1332 reduces the number of attack timing entities: multiple network attack rules are grouped into a rule group, and an attack timing entity is generated for each rule group, storing the attack timing information of every network attack rule in the corresponding rule group. The attack timing relationship of each network attack rule in the rule group is stored as an element value in the attack timing entity; the element values can be stored one by one in the attack timing entity in the form of an array.

[0158] It is important to note that the number of network attack rules in the rule group is N, where N is an integer greater than 1. Here, N can be the total number of network attack rules participating in the graph; in other words, the network attack rule graph can contain only one attack timing entity.

[0159] In one embodiment, each attack step of a network attack rule has sequential constraints; for example, data backhaul cannot occur before the intrusion phase. Therefore, this embodiment generates the execution order of the attack steps in the network attack rule based on the attack time of each attack step obtained from parsing, and then represents the execution order as a temporal relationship. For example, in Figure 8, step 1 executes earliest, followed by step 2, and so on up to step 5. The temporal order of these five attack steps is: Step 1 < Step 2 < Step 3 < Step 4 < Step 5. After obtaining the temporal order, an attack timing entity is constructed to store the attack temporal order of this network attack rule.

[0160] In one embodiment, after obtaining the attack timing entities and attack timing relationships, a second representation graph of the network attack rules can be generated. Referring to Figure 12, the process of constructing a second representation graph based on the attack timing entities and attack timing relationships includes the following steps:

[0161] Step S134: Generate a second directed relation line from each step entity to the attack timing entity.

[0162] Step S135: Use the second directed relation line to represent the relation information of the second representation graph.

[0163] Step S136: Construct the second representation graph based on the attack timing entity and the relation information.

[0164] In one embodiment, the second representation graph is constructed by pointing every step entity of a network attack rule to the attack timing entity through a second directed relation line, and forming the second representation graph from the second directed relation lines between all step entities and the attack timing entity.

[0165] In one embodiment, referring to Figure 13, the second representation graph corresponding to the network attack rule of Figure 8 is drawn as follows. First, a second directed relation line is drawn from each of the step entities of the five attack steps to the attack timing entity. Then, since the attack timing relationship of the five attack steps is step 1 < step 2 < step 3 < step 4 < step 5, it can be stored as the string array {step 1, step 2, step 3, step 4, step 5} in the attack timing entity. In one embodiment, the attack timing relationship can be stored as strings composed of the network attack rule number and the step number, for example {ID1 / S1, ID1 / S2, ID1 / S3, ID1 / S4, ID1 / S5}, where ID1 / S2 represents step 2 of the network attack rule numbered ID1, and so on.

[0166] After obtaining the first and second representation graphs through the above process, combining the two yields the network attack rule graph. This embodiment generates the first representation graph representing spatial information and the second representation graph representing temporal relationships separately. In special scenarios where only spatial or only temporal relationships need to be analyzed, this removes the need to generate a separate graph, thereby improving the efficiency of graph generation.

[0167] Step S140: Combine the first representation graph and the second representation graph to obtain the network attack rule graph.

[0168] In one embodiment, referring to Figure 14, combining Figure 9 and Figure 12 yields the network attack rule graph corresponding to the network attack rule of Figure 8. This network attack rule graph can represent complex network attack rules and can be used in application scenarios such as attack detection. At the same time, time and space information are taken into account when drawing the network attack rule graph, so the time and space characteristics of complex network attacks can be better utilized, improving the efficiency and accuracy of attack detection.

[0169] In one embodiment, Figure 15 is an overall flowchart of the network attack rule graph generation method according to an embodiment of this application. First, step entities of the attack steps are generated for the network attack rules. Then, destination address entities and source address entities of the attack steps are generated. The spatial information between different execution steps is obtained to derive the attack parameter relationships, and a first representation graph is drawn. A second representation graph is constructed based on the attack timing information of the different execution steps. Finally, a network attack rule graph is generated from the first and second representation graphs.

[0170] The technical solution provided by this invention involves acquiring at least one network attack rule containing temporal and spatial information of the network attack, parsing it to obtain attack parameter entities and attack parameter relationships, and constructing a first representation graph representing spatial information based on the attack parameter entities and attack parameter relationships. Simultaneously, attack temporal entities and attack temporal relationships are extracted, and a second representation graph representing temporal information is constructed based on the attack temporal entities and attack temporal relationships. Finally, the first and second representation graphs are combined to obtain a network attack rule graph. This embodiment generates attack parameter entities and attack temporal entities for network attack rules, representing attack parameters, spatial features, and temporal features in a network attack rule graph at the same level. This makes the knowledge representation process more intuitive, and the obtained network attack rule graph can be quickly queried or predicted during use, improving the application efficiency of the network attack rule graph.

[0171] This invention also provides a network attack rule graph generation device, which can implement the network attack rule graph generation method described above. Referring to Figure 16, the device includes:

[0172] Network attack rule acquisition module 1610: used to acquire at least one network attack rule; the network attack rule contains the time information and spatial information of the network attack.

[0173] The first representation graph generation module 1620 is used to parse network attack rules to extract attack parameter entities and attack parameter relationships of network attack rules, and construct a first representation graph based on attack parameter entities and attack parameter relationships; the first representation graph represents the spatial information of network attacks.

[0174] The second representation graph generation module 1630 is used to parse network attack rules to extract the attack timing entities and attack timing relationships of the network attack rules, and to construct a second representation graph based on the attack timing entities and attack timing relationships; the second representation graph represents the time information of the network attack.

[0175] Network attack rule graph generation module 1640: used to combine the first representation graph and the second representation graph to obtain the network attack rule graph.

[0176] The specific implementation of the network attack rule graph generation device in this embodiment is basically the same as the specific implementation of the network attack rule graph generation method described above, and will not be repeated here.

[0177] This invention also provides an attack testing method based on a network attack rule graph, which involves: acquiring network data packets to be tested; extracting step information, time information, and spatial information from the network data packets; constructing a first entity node to be tested based on the step information, time information, and spatial information, wherein the first entity node includes a step entity corresponding to the step information, a first time entity corresponding to the time information, and a first spatial entity corresponding to the spatial information; matching the first entity node with entity nodes in the network attack rule graph; and determining whether the network data packet constitutes a network attack based on the matching result. The network attack rule graph is generated using the network attack rule graph generation method described in any of the above embodiments.

[0178] In another embodiment, the attack testing method based on network attack rule graphs further includes:

[0179] When the first entity node successfully matches an entity node in the network attack rule graph, the next entity node that follows that entity node in terms of time relationship is found based on the matched entity node in the network attack rule graph. Based on the found entity node, the next network attack behavior is predicted. It can be understood that the next network attack behavior is derived from the topological information of the attack steps, time information, and spatial information corresponding to the next entity node.

[0180] Therefore, once the network attack rule graph is obtained, the corresponding network attack rules can be found or predicted in attack and defense scenarios through graph computing, thereby determining the next network attack behavior that is most likely to occur, which is conducive to targeted defense.
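Steps S131-S136 (the attack timing entity of [0155]-[0165]) and the attack testing method of [0177]-[0180] (matching a packet's entity node against the graph and following the timing relationship to the next step) can be shown together in one small program. The block below is an added example written for this page, not code from the patent or its assignee. It assumes an `AttackStep` record with a parsed attack time, element values formatted as `ID1/S1` in the style of [0165], a shared timing entity per step S1332 holding N = 2 constructed rules, and a packet record that already carries the extracted step tag, time, source and destination of [0177]; the second constructed rule (`ID2`) and all IP addresses are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackStep:          # assumed record layout for the example
    rule_id: str   # network attack rule number
    step_no: int
    label: str     # attack tag
    src: str       # attack source address
    dst: str       # attack destination address
    time: int      # attack time parsed from the rule (constructed relative value)


def step_key(step: AttackStep) -> str:
    """Element value format of [0165]: rule number / step number."""
    return f"{step.rule_id}/S{step.step_no}"


def attack_timing_relationship(rule_steps) -> list:
    """S131-S132: derive the execution order from the attack time of each step."""
    return [step_key(s) for s in sorted(rule_steps, key=lambda s: s.time)]


def build_shared_timing_entity(rules: dict) -> list:
    """S1332: one timing entity for the rule group, one element value per rule.
    For a single rule this degenerates to S1331 (one entity per rule)."""
    return [attack_timing_relationship(steps) for steps in rules.values()]


def second_graph_edges(rules: dict, timing_entity_id: str = "timing:group") -> list:
    """S134-S136: a second directed relation line from every step entity to the timing entity."""
    return [(f"step:{s.label}", timing_entity_id, "second_directed_relation")
            for steps in rules.values() for s in steps]


def build_rule_graph(rules: dict) -> dict:
    """S140: the combined graph keeps each step with its spatial entities plus the timing entity."""
    return {"steps": {step_key(s): s for steps in rules.values() for s in steps},
            "timing": build_shared_timing_entity(rules),
            "edges": second_graph_edges(rules)}


def match_and_predict(graph: dict, packet: dict) -> dict:
    """[0177]-[0179]: the entity node to be tested is built from the packet's step tag, time
    and addresses; it is matched on the step entity and the spatial entities, and on success
    the timing entity is followed to the next step of the same rule.
    packet = {"step": str, "time": int, "src": str, "dst": str}."""
    matches = [s for s in graph["steps"].values()
               if s.label == packet["step"] and s.src == packet["src"] and s.dst == packet["dst"]]
    if not matches:
        return {"attack": False, "matched": None, "next": None}
    matched = step_key(matches[0])
    for order in graph["timing"]:            # each element value is one rule's order
        if matched in order:
            i = order.index(matched)
            if i + 1 == len(order):          # last step of the rule: nothing left to predict
                return {"attack": True, "matched": matched, "next": None}
            nxt = graph["steps"][order[i + 1]]
            return {"attack": True, "matched": matched,
                    "next": {"step": nxt.label, "src": nxt.src, "dst": nxt.dst}}
    return {"attack": True, "matched": matched, "next": None}


# Constructed rule group: the Figure 8 rule (ID1) and a second two-step rule (ID2).
ATTACKER, WEB_SERVER, SENSITIVE_HOST = "198.51.100.10", "192.0.2.20", "192.0.2.30"
RULES = {
    "ID1": [
        AttackStep("ID1", 1, "compromise the web server", ATTACKER, WEB_SERVER, 10),
        AttackStep("ID1", 2, "scan and probe", ATTACKER, WEB_SERVER, 20),
        AttackStep("ID1", 3, "attack and breakthrough", WEB_SERVER, SENSITIVE_HOST, 30),
        AttackStep("ID1", 4, "install control", SENSITIVE_HOST, SENSITIVE_HOST, 40),
        AttackStep("ID1", 5, "resource theft", SENSITIVE_HOST, ATTACKER, 50),
    ],
    "ID2": [
        AttackStep("ID2", 1, "compromise the web server", "203.0.113.5", "192.0.2.40", 5),
        AttackStep("ID2", 2, "log cleanup", "192.0.2.40", "192.0.2.40", 15),
    ],
}
GRAPH = build_rule_graph(RULES)

if __name__ == "__main__":
    print(GRAPH["timing"])
    print(match_and_predict(GRAPH, {"step": "attack and breakthrough", "time": 31,
                                    "src": WEB_SERVER, "dst": SENSITIVE_HOST}))
```

The timing entity comes out as two element values, `['ID1/S1', ..., 'ID1/S5']` and `['ID2/S1', 'ID2/S2']`, and a packet matching step 3 of ID1 yields the prediction that the next behavior is "install control" on the sensitive host, which is the information a defender would use to prioritize that host. Matching here is exact on addresses; a deployment would normally match on the address relationships of the first representation graph rather than on literal IPs.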

[0181] This invention also provides an attack testing device based on a network attack rule graph, which can implement the above-mentioned attack testing method based on a network attack rule graph. The device includes:

[0182] The acquisition module is used to acquire network data packets to be tested;

[0183] The information extraction module is used to extract step information, time information, and spatial information from network data packets;

[0184] The entity node generation module is used to construct the first entity node to be tested based on the step information, time information, and spatial information. The first entity node includes a step entity corresponding to the step information, a first time entity corresponding to the time information, and a first spatial entity corresponding to the spatial information.

[0185] The rule matching module is used to match the first entity node with the entity nodes in the network attack rule graph; the network attack rule graph is generated using the network attack rule graph generation method as described in any of the above embodiments.

[0186] The result judgment module is used to determine whether a network data packet constitutes a network attack based on the matching results.

[0187] The specific implementation of the attack testing device based on network attack rule graphs in this embodiment is basically the same as the specific implementation of the attack testing method based on network attack rule graphs described above, and will not be repeated here.

[0188] This invention also provides an electronic device, comprising:

[0189] At least one memory;

[0190] At least one processor;

[0191] At least one program;

[0192] The program is stored in a memory, and the processor executes the at least one program to implement the network attack rule graph generation method described above. The electronic device can be any smart terminal, including mobile phones, tablets, personal digital assistants (PDAs), and in-vehicle computers.

[0193] Please refer to Figure 17, which illustrates the hardware structure of an electronic device according to another embodiment. The electronic device includes:

[0194] The processor 1701 can be implemented using a general-purpose CPU (Central Processing Unit), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement the technical solutions provided in the embodiments of the present invention.

[0195] The memory 1702 can be implemented in the form of ROM (Read-Only Memory), static storage device, dynamic storage device, or RAM (Random Access Memory). The memory 1702 can store the operating system and other application programs. When the technical solutions provided in the embodiments of this specification are implemented through software or firmware, the relevant program code is stored in the memory 1702 and is called and executed by the processor 1701 to execute the network attack rule graph generation method of the embodiments of this invention.

[0196] The input/output interface 1703 is used to implement information input and output;

[0197] Communication interface 1704 is used to enable communication and interaction between this device and other devices. Communication can be achieved via wired means (e.g., USB, Ethernet cable) or wireless means (e.g., mobile network, Wi-Fi, Bluetooth).

[0198] Bus 1705 transmits information between the various components of the device (e.g., processor 1701, memory 1702, input/output interface 1703, and communication interface 1704);

[0199] The processor 1701, memory 1702, input/output interface 1703, and communication interface 1704 are connected to each other within the device via bus 1705.

[0200] This application embodiment also provides a storage medium, which is a computer-readable storage medium, storing a computer program that, when executed by a processor, implements the above-described network attack rule graph generation method.

[0201] Memory, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs and non-transitory computer-executable programs. Furthermore, memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, memory may optionally include memory remotely located relative to the processor, and these remote memories can be connected to the processor via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.

[0202] The network attack rule graph generation method, device, electronic device, and storage medium proposed in this invention acquire at least one network attack rule containing temporal and spatial information of the network attack, parse it to obtain attack parameter entities and attack parameter relationships, and construct a first representation graph representing spatial information based on the attack parameter entities and attack parameter relationships; simultaneously, extract attack temporal entities and attack temporal relationships, and construct a second representation graph representing temporal information based on the attack temporal entities and attack temporal relationships; finally, combine the first and second representation graphs to obtain the network attack rule graph. This embodiment generates attack parameter entities and attack temporal entities for network attack rules, representing attack parameters, spatial features, and temporal features in the same level of the network attack rule graph. The knowledge representation process is more intuitive, and the obtained network attack rule graph can be quickly queried or predicted during use, improving the application efficiency of the network attack rule graph.

[0203] The embodiments described in this application are for the purpose of more clearly illustrating the technical solutions of the embodiments of this application, and do not constitute a limitation on the technical solutions provided by the embodiments of this application. As those skilled in the art will know, with the evolution of technology and the emergence of new application scenarios, the technical solutions provided by the embodiments of this application are also applicable to similar technical problems.

[0204] Those skilled in the art will understand that the technical solutions shown in the figures do not constitute a limitation on the embodiments of this application, and may include more or fewer steps than shown, or combine certain steps, or different steps.

[0205] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.

[0206] Those skilled in the art will understand that all or some of the steps in the methods disclosed above, as well as the functional modules / units in the systems and devices, can be implemented as software, firmware, hardware, or suitable combinations thereof.

[0207] The terms “first,” “second,” “third,” “fourth,” etc. (if present) in the specification and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0208] It should be understood that in this application, "at least one (item)" means one or more, and "more than" means two or more. "And / or" is used to describe the relationship between related objects, indicating that three relationships can exist. For example, "A and / or B" can represent three cases: only A exists, only B exists, and both A and B exist simultaneously, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one (item) of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one (item) of a, b, or c can represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can be single or multiple.

[0209] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of the units described above is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0210] The units described above as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0211] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0212] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes multiple instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this application. The aforementioned storage medium includes various media capable of storing programs, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0213] The preferred embodiments of the present application have been described above with reference to the accompanying drawings, but this does not limit the scope of the claims of the present application. Any modifications, equivalent substitutions, and improvements made by those skilled in the art without departing from the scope and substance of the embodiments of the present application shall be within the scope of the claims of the present application.

Claims

1. A method for generating a network attack rule graph, characterized in that it comprises: obtaining at least one network attack rule, wherein the network attack rule includes time information and spatial information of the network attack and includes at least one attack step, the attack steps being divided into a first step and a second step, the attack source address of the first step being a first source address, the attack destination address of the first step being a first destination address, the attack source address of the second step being a second source address, and the attack destination address of the second step being a second destination address; parsing each attack step to obtain the attack address parameters of that attack step, the attack address parameters including the attack source address and the attack destination address of that attack step; generating a step entity based on the attack step, a source address entity based on the attack source address, and a destination address entity based on the attack destination address, the attack parameter entities including the step entity, the destination address entity, and the source address entity; if the first source address and the second source address are the same, the attack parameter relationship is a first address relationship; if the first source address and the second destination address are the same, the attack parameter relationship is a second address relationship; if the first destination address and the second destination address are the same, the attack parameter relationship is a third address relationship; if the first destination address and the second source address are the same, the attack parameter relationship is a fourth address relationship; constructing a first representation graph based on the attack parameter entities and the attack parameter relationships, the first representation graph representing the spatial information of the network attack;
parsing the network attack rules to extract the attack timing entities and attack timing relationships of the network attack rules, and constructing a second representation graph based on the attack timing entities and attack timing relationships, the second representation graph representing the time information of the network attack; and combining the first representation graph and the second representation graph to obtain the network attack rule graph.

2. The network attack rule graph generation method according to claim 1, characterized in that generating the step entity based on the attack steps includes: obtaining the attack steps of each of the network attack rules; obtaining the attack tag of each of the attack steps; and generating the step entity based on the deduplicated attack tags.

3. The network attack rule graph generation method according to claim 2, characterized in that constructing the first representation graph based on the attack parameter entities and the attack parameter relationships includes: constructing the entity information of the first representation graph based on each of the attack parameter entities; constructing the relationship information of the first representation graph using a first directed relationship line characterizing the attack parameter relationship; and constructing the first representation graph based on the entity information and the relationship information.

4. The network attack rule graph generation method according to claim 1, characterized in that constructing the relationship information of the first representation graph using a first directed relationship line characterizing the attack parameter relationship includes: when the attack parameter relationship is the first address relationship, constructing a first directed relationship line from the source address entity corresponding to the first source address to the source address entity corresponding to the second source address; when the attack parameter relationship is the second address relationship, constructing a first directed relationship line from the source address entity corresponding to the first source address to the destination address entity corresponding to the second destination address; when the attack parameter relationship is the third address relationship, constructing a first directed relationship line from the destination address entity corresponding to the first destination address to the destination address entity corresponding to the second destination address; and when the attack parameter relationship is the fourth address relationship, constructing a first directed relationship line from the destination address entity corresponding to the first destination address to the source address entity corresponding to the second source address.

5. The method for generating network attack rule graphs according to claim 1, characterized in that parsing the network attack rules to extract the attack timing entities and attack timing relationships of the network attack rules includes: parsing the attack steps to obtain the attack time of each attack step; generating the execution order of the attack steps in the network attack rule based on the attack time, and generating the attack timing relationship based on the execution order; and constructing the attack timing entity and storing the attack timing relationship in the attack timing entity.

6. The network attack rule graph generation method according to claim 5, characterized in that constructing the second representation graph based on the attack timing entities and the attack timing relationships includes: generating a second directed relationship line pointing from the step entity to the attack timing entity, the second directed relationship line being used to represent the relationship information of the second representation graph; and constructing the second representation graph based on the attack timing entity and the relationship information.

7. The method for generating network attack rule graphs according to claim 6, characterized in that constructing the attack timing entity and storing the attack timing relationship in the attack timing entity includes: constructing an attack timing entity for each of the network attack rules and storing the attack timing relationship of that network attack rule in the attack timing entity; or grouping N network attack rules into a rule group, generating a shared attack timing entity for the rule group, and storing the attack timing relationship of each network attack rule in the rule group as an element value in the attack timing entity, the number of element values in the attack timing entity being N, where N is an integer greater than 1.

8. The method for generating network attack rule graphs according to claim 1, characterized in that, if the attack source address is used as attribute information of the attack step, the step entity and the source address entity are the same entity.

9. An attack testing method based on a network attack rule graph, characterized in that the method includes: obtaining the network data packets to be tested; extracting step information, time information, and spatial information from the network data packets; constructing a first entity node to be tested based on the step information, time information, and spatial information, the first entity node including a step entity related to the step information, a first time entity related to the time information, and a first spatial entity related to the spatial information; matching the first entity node with entity nodes in the network attack rule graph, the network attack rule graph being generated using the network attack rule graph generation method according to any one of claims 1 to 8; and determining, based on the matching result, whether the network data packet constitutes a network attack.

10. The attack testing method based on a network attack rule graph according to claim 9, characterized in that the method further includes: when the first entity node is successfully matched with an entity node in the network attack rule graph, finding, based on the successfully matched entity node in the network attack rule graph, the next entity node that follows that entity node in time relationship; and predicting the next network attack behavior based on the found entity node.

11. A network attack rule graph generation device, characterized in that it comprises: a network attack rule acquisition module, used to acquire at least one network attack rule, wherein the network attack rule includes time information and spatial information of the network attack and includes at least one attack step, the attack steps being divided into a first step and a second step, the attack source address of the first step being a first source address, the attack destination address of the first step being a first destination address, the attack source address of the second step being a second source address, and the attack destination address of the second step being a second destination address; a first representation graph generation module, used to parse each attack step to obtain the attack address parameters of that attack step, the attack address parameters including the attack source address and the attack destination address of that attack step, to generate a step entity based on the attack step, a source address entity based on the attack source address, and a destination address entity based on the attack destination address, the attack parameter entities including the step entity, the destination address entity, and the source address entity, wherein if the first source address and the second source address are the same, the attack parameter relationship is a first address relationship, if the first source address and the second destination address are the same, the attack parameter relationship is a second address relationship, if the first destination address and the second destination address are the same, the attack parameter relationship is a third address relationship, and if the first destination address and the second source address are the same, the attack parameter relationship is a fourth address relationship, and to construct a first representation graph based on the attack parameter entities and the attack parameter relationships, the first representation graph representing the spatial information of the network attack; a second representation graph generation module, used to parse the network attack rules to extract the attack timing entities and attack timing relationships of the network attack rules, and to construct a second representation graph based on the attack timing entities and attack timing relationships, the second representation graph representing the time information of the network attack; and a network attack rule graph generation module, used to combine the first representation graph and the second representation graph to obtain the network attack rule graph.

12. An attack testing device based on a network attack rule graph, characterized in that it comprises: an acquisition module, used to acquire the network data packets to be tested; an information extraction module, used to extract step information, time information, and spatial information from the network data packets; an entity node generation module, used to construct a first entity node to be tested based on the step information, time information, and spatial information, the first entity node including a step entity related to the step information, a first time entity related to the time information, and a first spatial entity related to the spatial information; a rule matching module, used to match the first entity node with entity nodes in the network attack rule graph, the network attack rule graph being generated using the network attack rule graph generation method according to any one of claims 1 to 8; and a result judgment module, used to determine whether the network data packet constitutes a network attack based on the matching result.

13. An electronic device, characterized in that the electronic device includes a memory and a processor, the memory storing a computer program, and the processor, when executing the computer program, implementing the network attack rule graph generation method according to any one of claims 1 to 8, or the attack testing method based on a network attack rule graph according to any one of claims 9 to 10.

14. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, it implements the network attack rule graph generation method according to any one of claims 1 to 8, or the attack testing method based on a network attack rule graph according to any one of claims 9 to 10.