An automatic attack tracing method, a terminal device and a storage medium

By using an automated attack attribution method and constructing a causal graph with synchronous federated learning and the BERT model, the problem of low efficiency in attack attribution in existing technologies is solved, achieving efficient attack detection and story reconstruction while protecting data privacy.

CN118764280BActive Publication Date: 2026-07-03XIAMEN UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
XIAMEN UNIV
Filing Date
2024-07-19
Publication Date
2026-07-03

Smart Images

  • Figure CN118764280B_ABST
    Figure CN118764280B_ABST
Patent Text Reader

Abstract

The application relates to an automatic attack tracing method, a terminal device and a storage medium, the method comprising the following steps: receiving logs of different sources and classifying and sorting the logs; after word-level splitting of log entries, obtaining tokenized log entries; constructing an abnormal log identification model, the model comprising an embedding extraction module and a classification module, all the tokenized log entries are taken as a training set, and the model is trained in a form of synchronous federated learning; when receiving a log to be traced, firstly tokenizing the log, then inputting the tokenized log entry into the trained model to obtain an abnormal log entry identification result; taking an event type corresponding to the abnormal log entry as a suspicious event; constructing an independent causal graph corresponding to each suspicious event, fusing the independent causal graphs of all the suspicious events, and reconstructing an attack story based on the fused causal graph. The application can detect attacks and track attack links, and efficiently reconstruct an attack story.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network communication security, and in particular to an automatic attack tracing method, terminal device, and storage medium. Background Technology

[0002] Existing attack attribution methods employ various graph optimization techniques, but these graphs remain very large, incurring significant overhead and being difficult to interpret in practice. Furthermore, they require substantial human intervention to label the data. Consequently, current work has not yet been able to efficiently reconstruct attack stories. Summary of the Invention

[0003] To address the aforementioned issues, this invention proposes an automatic attack tracing method, a terminal device, and a storage medium.

[0004] The specific plan is as follows:

[0005] An automated attack attribution method includes the following steps:

[0006] S1: Receive logs from different sources, classify all log entries in the logs according to event type, and sort all log entries corresponding to each event type according to time.

[0007] S2: After splitting the log entries into words, use the resulting words as tags to obtain tokenized log entries;

[0008] S3: Construct an abnormal log recognition model. The model includes an embedding extraction module and a classification module. All labeled log entries are used as the training set. The model is trained in the form of synchronous federated learning to obtain the trained abnormal log recognition model.

[0009] S4: When a log to be traced is received, first, all log entries included in the log to be traced are marked according to steps S1 and S2. Then, the marked log entries are input into the trained model to obtain the abnormal log entry identification results.

[0010] S5: Treat the event type corresponding to the identified abnormal log entries as a suspicious event;

[0011] S6: Construct an independent causal graph for each suspicious event, merge the independent causal graphs of all suspicious events, and reconstruct the attack story based on the merged causal graph.

[0012] Furthermore, after receiving logs from different sources, the process also includes preprocessing the received logs; the preprocessing includes removing non-language symbols and stop words, and splitting compound words into individual words.

[0013] Furthermore, the method for splitting log entries is as follows: first, the content of the log entries is split according to the field type, and then the split content is split into words at the corresponding domain level using the corresponding domain splitting algorithm.

[0014] Furthermore, the embedding extraction module adopts BERT based on bidirectional Transformer, and its input embedding consists of token embedding, segment embedding and position embedding. In the segment embedding, each event is regarded as a unit, and all tokens belonging to the same event are set to have the same segment embedding.

[0015] Furthermore, the classification module employs a single-class support vector machine.

[0016] Furthermore, the process of merging the independent causal graphs of all suspicious events includes: first, expanding each independent causal graph by identifying nodes adjacent to other independent causal graphs in the original log text to construct expanded nodes for the independent causal graphs; then, merging expanded nodes with the same content from two different independent causal graphs into a shared node.

[0017] An automated attack tracing terminal device includes a processor, a memory, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the steps of the method described above in the embodiments of the present invention.

[0018] A computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the method described above in the embodiments of the present invention.

[0019] The present invention employs the above technical solution, which can detect attacks and trace attack chains, and efficiently reconstruct the attack story. Attached Figure Description

[0020] Figure 1 The diagram shown is a flowchart of a method according to an embodiment of the present invention.

[0021] Figure 2 The diagram shown is a comparison of the existing markers in this embodiment with the method of this embodiment.

[0022] Figure 3 The figure shown is an example diagram of BERT embedding in this embodiment.

[0023] Figure 4 The diagram shows different training tasks in BERT in this embodiment.

[0024] Figure 5 The diagram shown illustrates the training and testing of the classification task in this embodiment.

[0025] Figure 6 The image shows a visual representation of the causal graph reconstruction process in this embodiment.

[0026] Figure 7 The diagram shown is a schematic representation of the experimental results in this embodiment.

[0027] Figure 8 The image shown is a case study of attack attribution in this embodiment. Detailed Implementation

[0028] To further illustrate the various embodiments, the present invention provides accompanying drawings. These drawings are part of the disclosure of the present invention, primarily used to illustrate the embodiments, and can be used in conjunction with the relevant descriptions in the specification to explain the operating principles of the embodiments. With reference to these drawings, those skilled in the art should be able to understand other possible implementations and the advantages of the present invention.

[0029] The present invention will now be further described in conjunction with the accompanying drawings and specific embodiments.

[0030] Example 1:

[0031] This invention provides an automatic attack tracing method, such as... Figure 1 As shown, the method includes the following steps:

[0032] S1: Receive logs from different sources, classify all log entries in the logs according to event type, and sort all log entries corresponding to each event type according to time.

[0033] In this embodiment, after receiving the log, it is further preprocessed, specifically including removing non-language symbols and stop words, and splitting compound words into individual words.

[0034] The received logs include multiple log entries, each with a corresponding timestamp. In this embodiment, the log entries are first categorized according to event type (such as upload, download, etc.). Categories like DNS, Firefox, and syslog can help capture causal relationships between log entries exhibiting the same behavior. Then, for each type of log entry, they are sorted chronologically to facilitate better tracing later.

[0035] S2: After splitting the log entries at the word level, the resulting words are used as tags to obtain tokenized log entries.

[0036] Tokenization is the process of dividing text data into smaller units called tokens. This embodiment designs a new tokenizer based on the specific semantics of log text. The tokenizer first uses a tokenizer to segment the text using predefined characters (such as ".", " / / "), specifically by scanning the content of each field in each log entry (e.g., searching for a URL). If a URL is found, it is segmented (e.g., extracting the URL from the log entry text). When a log entry contains multiple fields, multiple segmentations are required. After the tokenizer's segmentation, based on the segmented content, a segmentation algorithm corresponding to its domain (an existing algorithm is acceptable) is used for word-level splitting. The domains corresponding to the segmented content mainly include paths, URLs, IP addresses, and temporary filenames. Different domains correspond to different segmentation algorithms. Through this segmentation algorithm, the segmented content can be further divided into smaller units (i.e., word-level segmentation).

[0037] Figure 2 The comparison between the existing tokenizer and the tokenizer used in this embodiment is shown. Compared to traditional tokenizers that split all text at once, the tokenizer used in this embodiment can achieve more fine-grained word segmentation. For example, the path C:\host\abc is segmented into tokens [C:], [host], and [abc] by recognizing special slashes, while C:\host\ccd is segmented into tokens [C:], [host], and [ccd], which implies the directory structure. URLs can be viewed as a combination of network protocols, domain names, ports, and paths. For example, https: / / c.gov uses https, c, and gov as its domain name. For IP addresses, this embodiment directly uses dots to separate them, and the model can learn IPs within the same subnet. For temporary files like Firefox.xxx, they are segmented into Firefox and xxx, making it easier to associate files with the corresponding processes.

[0038] S3: Construct an anomaly log identification model, which includes an embedding extraction module and a classification module. Use all labeled log entries as the training set and train the model in the form of synchronous federated learning to obtain the trained anomaly log identification model.

[0039] (1) Embedded extraction module

[0040] The embedding extraction module uses the pre-trained BERT based on bidirectional Transformer provided by the official website as the initial network structure, and retrains it using the unlabeled (normal or abnormal) log entry data (training set) obtained through steps S1 and S2 above in the form of synchronous federated learning.

[0041] This embodiment uses synchronous federated learning to train the embeddings, constructing three key embedding layers. For example... Figure 3 As shown, the final input embedding is composed of token embedding, segment embedding, and position embedding. In BERT, each sentence is considered a segment, meaning that tokens within the same sentence have the same segment embedding, also known as sentence embedding. However, the application scenario in this embodiment differs from traditional sentences, so the concept of a sentence does not exist. Therefore, this embodiment treats each event as a unit, and all tokens belonging to the same event have the same segment embedding.

[0042] The embedding extraction module includes masked language units and next sentence prediction units (or next segment / event prediction units).

[0043] The core idea of ​​masked language units is to replace tags or segments in the log with special placeholder tags [MASK], and during training, to predict the specific value of [MASK] using contextual information, such as surrounding tags and segments. In this way, it is possible to learn the encoding of each word and segment from the context to reflect its semantics. Figure 4 This section presents illustrations of different training tasks in BERT. Figure 4 Taking the log example in the example, we label 192.abc in the request tag as [MASK], and then try to predict the exact content of [MASK] using 192.abc[MASK]152.abc. This masked language model prediction captures the relationship between 192.abc and 152.abc.

[0044] The next-sentence prediction unit is used to predict whether the second sentence in a given sentence pair is a follow-up sentence to the first sentence. For example... Figure 4 As shown, BERT takes the pairs of sentences A: 192.abc request 152.abc and B: 152.abc response 192.abc as input and predicts the result as True, indicating that sentence B is the next sentence after sentence A. In practical applications, the next sentence can be a combination of multiple log entries / sentences within a window, not just a single time-sequential log entry. Therefore, BERT is able to capture complex relationships between multiple contextual entries.

[0045] (2) Classification Module

[0046] Because the available dataset for the classification task in this embodiment is imbalanced, consisting mainly of or containing only benign patterns, training a classifier that effectively distinguishes different behavioral patterns is challenging. Therefore, this embodiment employs a single-class classification technique, namely, a single-class support vector machine (OC-SVM). The OC-SVM classifier aims to learn benign patterns and classify samples that are significantly different from benign patterns as suspicious samples. OC-SVM learns benign behavior from unlabeled log entries, i.e., benign training data, and strives to find a decision boundary suitable for the training data. During anomalous log identification, OC-SVM classifies input data falling outside the decision boundary as malicious input. In addition to training on benign data, OC-SVM can also be trained on datasets that are not completely clean, as long as most of the data is benign. Since OC-SVM learns the patterns of most activities, once the model converges, it will naturally filter out the very few malicious activities.

[0047] Figure 5 The diagram illustrates the training and testing of the classification task, with black nodes representing benign nodes and white nodes representing malicious nodes. After training, the model has learned to analyze causal relationships between different source log tags and can be used for various downstream tasks.

[0048] S4: When a log to be traced is received, first, all log entries included in the log to be traced are marked according to steps S1 and S2. Then, the marked log entries are input into the trained model to obtain the abnormal log entry identification results.

[0049] S5: Treat the event type corresponding to the identified abnormal log entries as suspicious events.

[0050] S6: Construct an independent causal graph for each suspicious event, merge the independent causal graphs of all suspicious events, and reconstruct the attack story based on the merged causal graph.

[0051] Because traditional causal graph construction only considers individual events rooted in log text, the initial causal graph may result in independent graph components with no connections between them. To construct a seamless and comprehensive causal graph encompassing all potential events, this embodiment first expands each independent causal graph by identifying nodes in the original log text that are adjacent to other independent causal graphs. Then, expanded nodes with identical content from two different independent causal graphs are merged into a single shared node. This embodiment expands the coverage of each independent causal graph through expanded nodes. Notably, during the merging of shared nodes, the focus is on identifying the first matching event between any two disjoint graph components. This approach simplifies the construction process, requiring only one initial graph creation and connecting each pair of disjoint components only once, eliminating the need to rebuild redundant graphs.

[0052] Figure 6 A visual representation of the causal graph reconstruction process is presented. Figure 6 The first image shows the independent cause-effect graphs corresponding to each event. The second image shows the generation of extended nodes and the merging of extended nodes into shared nodes, where the dotted nodes are shared nodes and the white nodes are extended nodes.

[0053] Figure 7 Experimental results comparing to the baseline are shown, where the baseline model's results are referenced from AirTag. Overall results of model comparisons on the same dataset are as follows. Figure 7 As shown, compared to the centralized model AirTag, the TPR and FPR of the method in this embodiment (hereinafter referred to as FedTa) are comparable to AirTag. Specifically, for single-host data S1-S6, the federated approach shows a decrease of less than 1%, with the TNR of S2 reaching 100%, higher than AirTag. For multi-host data M1-M6, the federated approach shows a decrease of only about 1%. However, compared to centralized anomaly detection, FedTag protects the privacy of each client's log data while detecting log anomalies, which is something that centralized learning cannot achieve.

[0054] Figure 8 This document demonstrates an attack attribution case implemented using the method described in this embodiment. Black represents the attack chain, and the added edges indicate that they were added by connecting disconnected components during graph reconstruction. During the construction of the causal graph, the original attack subgraph was manually simplified due to its large size, showing only the key attack steps and omitting many other false positives.

[0055] Case 1: This attack exploits CVE-2015-5122. The vulnerability allows a remote attacker to execute arbitrary code or cause a denial-of-service attack (memory corruption) via a crafted link. During the attack, the user runs a process and clicks a link that redirects to a malicious website resolved by 192.bcd. The attacker can execute arbitrary code or cause a denial-of-service attack (memory corruption). The attacker exploited the CVE-2015-5122 vulnerability through this link, corrupting browser plugins and writing a payload program, payload.exe, on the victim's computer. The process Payload1, spawned by this program, scans files on the victim's system, establishes a connection with the attacker, and uploads all PDF files.

[0056] Case 2: This attack exploits the CVE-2015-3105 vulnerability, which is similar to the vulnerability in Case 1 and allows attackers to execute arbitrary code or cause a denial-of-service attack (memory corruption) via an unspecified vector.

[0057] Case 3: This attack exploits the CVE-2017-11882 vulnerability. This vulnerability allows attackers to exploit objects in memory that cannot be properly processed. In this attack, a user opens a malicious email containing a link to a malicious website, which is resolved by 192.bcd. The user requests and downloads the malicious file msf.rtf, which is read using Winword 18. msf.rtf then constructs msf 1, which writes the payload program payload.exe and replaces the benign website page on the victim's host with the malicious index.html. The attacker executes payload.exe, initializes payload 1, scans for PDF files, and receives the PDF files.

[0058] Case 4: This attack exploits the CVE-2017-0199 vulnerability. When a user opens a document containing exploit code for this vulnerability, the malicious code downloads and executes a Visual Basic script containing PowerShell commands.

[0059] The embodiments of the present invention have the following beneficial effects:

[0060] (1) The analysis data integrates data from multiple sources, making the detection more accurate;

[0061] (2) Train the BERT model based on synchronous federated learning;

[0062] (3) It can detect attacks and trace attack chains, and efficiently reconstruct the attack story.

[0063] Example 2:

[0064] The present invention also provides an automatic attack tracing terminal device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the steps in the method embodiment described above in Embodiment 1 of the present invention.

[0065] Furthermore, as an executable solution, the automated attack tracing terminal device can be a computing device such as a desktop computer, laptop, handheld computer, or cloud server. The automated attack tracing terminal device may include, but is not limited to, a processor and memory. Those skilled in the art will understand that the above-described structure of the automated attack tracing terminal device is merely an example and does not constitute a limitation on the device. It may include more or fewer components, or combine certain components, or different components. For example, the automated attack tracing terminal device may also include input / output devices, network access devices, buses, etc., and this embodiment of the invention does not limit this.

[0066] Furthermore, as an executable solution, the processor can be a Central Processing Unit (CPU) or other general-purpose processors. The general-purpose processor can be a microprocessor or any conventional processor, etc. This processor is the control center of the automated attack tracing terminal device, connecting all parts of the device via various interfaces and lines.

[0067] The memory can be used to store the computer programs and / or modules. The processor implements various functions of the automatic attack tracing terminal device by running or executing the computer programs and / or modules stored in the memory and calling data stored in the memory. The memory may mainly include a program storage area and a data storage area. The program storage area may store the operating system and at least one application program required for a function; the data storage area may store data created based on the use of the mobile phone, etc. In addition, the memory may include high-speed random access memory and non-volatile memory, such as hard disk, memory, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.

[0068] The present invention also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the method described in the embodiments of the present invention.

[0069] If the modules / units integrated into the automated attack tracing terminal device are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by a processor, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable files, or certain intermediate forms. The computer-readable medium can include: any entity or device capable of carrying the computer program code, recording media, USB flash drives, portable hard drives, magnetic disks, optical disks, computer memory, read-only memory (ROM), random access memory (RAM), and software distribution media, etc.

[0070] Although the invention has been specifically shown and described in conjunction with preferred embodiments, those skilled in the art should understand that various changes in form and detail may be made to the invention without departing from the spirit and scope of the invention as defined in the appended claims, all of which shall be within the scope of protection of the invention.

Claims

1. An automatic attack tracing method, characterized in that, Includes the following steps: S1: Receive logs from different sources, classify all log entries in the logs according to event type, and sort all log entries corresponding to each event type according to time. S2: After word-level splitting of log entries, the resulting words are used as tags to obtain tokenized log entries. The method for splitting log entries is as follows: first, the content of the log entries is split according to field type; then, the split content is split into words using the corresponding domain-specific splitting algorithm. The domains corresponding to the split content include: path, URL, IP address, and temporary filename. Paths are split by recognizing special forward slashes; URLs are considered as a combination of network protocols, domain names, ports, and paths; IP addresses are split using periods. S3: Construct an abnormal log recognition model. The model includes an embedding extraction module and a classification module. All labeled log entries are used as the training set. The model is trained in the form of synchronous federated learning to obtain the trained abnormal log recognition model. S4: When a log to be traced is received, first, all log entries included in the log to be traced are marked according to steps S1 and S2. Then, the marked log entries are input into the trained model to obtain the abnormal log entry identification results. S5: Treat the event type corresponding to the identified abnormal log entries as suspicious events; S6: Construct an independent causal graph for each suspicious event, merge the independent causal graphs of all suspicious events, and reconstruct the attack story based on the merged causal graph; The process of merging the independent causal graphs of all suspicious events includes: first, expanding each independent causal graph by identifying nodes adjacent to other independent causal graphs in the original log text to construct extended nodes for the independent causal graphs; then, merging extended nodes with the same content from two different independent causal graphs into a shared node.

2. The automatic attack tracing method according to claim 1, characterized in that: After receiving logs from different sources, the process also includes preprocessing the received logs; the preprocessing includes removing non-language symbols and stop words, and splitting compound words into individual words.

3. The automatic attack tracing method according to claim 1, characterized in that: The embedding extraction module uses BERT based on bidirectional Transformer. Its input embedding consists of token embedding, segment embedding and position embedding. In the segment embedding, each event is treated as a unit, and all tokens belonging to the same event are set to have the same segment embedding.

4. The automatic attack tracing method according to claim 1, characterized in that: The classification module uses a single-class support vector machine.

5. An automatic attack tracing terminal device, characterized in that: It includes a processor, a memory, and a computer program stored in the memory and running on the processor, wherein the processor executes the computer program to implement the steps of the method as described in any one of claims 1 to 4.

6. A computer-readable storage medium storing a computer program, characterized in that: When the computer program is executed by a processor, it implements the steps of the method as described in any one of claims 1 to 4.