A complex multi-step network attack detection method based on space-time fusion features

By constructing a deep learning model based on spatiotemporal fusion features and combining graph neural networks and LSTM, the problem of detecting multi-step network attacks in spatiotemporal overlapping scenarios is solved. This enables accurate segmentation and step identification of complex multi-step attack chains, improving the accuracy and efficiency of detection.

CN120074929BActive Publication Date: 2026-07-14BEIJING UNIV OF TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING UNIV OF TECH
Filing Date
2025-02-28
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies struggle to effectively detect and differentiate complex, multi-step network attacks in spatiotemporal overlapping scenarios, especially multiple attack chains that execute in parallel within the same time period and IP environment. Traditional methods cannot accurately identify the steps and relationships of different attack chains and lack systematic support.

Method used

A deep learning model based on spatiotemporal fusion features is constructed. By combining graph neural networks and LSTM models with graph generation algorithms and time weights, the spatiotemporal features of multi-step attack chains are analyzed. A three-layer composite network structure is designed to divide the attack chains and identify the steps.

Benefits of technology

It achieves accurate detection of spatiotemporally overlapping multi-step attacks, effectively distinguishes and identifies complex multi-step attack chains and their steps, and improves the accuracy and efficiency of detection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120074929B_ABST
    Figure CN120074929B_ABST
Patent Text Reader

Abstract

The application discloses a kind of complex multi-step network attack detection methods based on space-time fusion features, including model training stage and multi-step attack detection stage, the method of the present application is combined with graph neural network, time weight and LSTM, the space-time characteristics of complex multi-step attack are comprehensively analyzed, the complex correlation between and inside multi-step attack chain is effectively captured.Through five-tuple fingerprint construction traffic graph structure, node attribute fusion protocol type, timestamp and load characteristics, the designed edge generation algorithm can effectively represent the space-time correlation characteristics of multi-step attack.Design the adjacent matrix updating algorithm with time decay characteristics, dynamically adjust the information propagation intensity between nodes through the configurable decay factor, effectively suppress the interference of time sequence confusion noise on attack chain division.Design a three-layer composite network structure, form a progressive feature learning path of "space-global-time", solve the division problem of space-time overlapping multi-step attack chain.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security technology, specifically relating to a method and system for detecting complex multi-step network attacks in spatiotemporal overlapping scenarios. Background Technology

[0002] With the rapid development of the internet and the advancement of digital transformation, the network environment is becoming increasingly complex, involving multiple organizations, systems, and network layers. Attackers use multi-stage attack strategies to gradually penetrate systems, reducing the risk of detection and prevention. These attacks, consisting of multiple stages, are called multi-step attacks. Due to their high degree of concealment and complexity, they have become one of the main methods of current cyberattacks. At the same time, attackers increasingly tend to launch multiple multi-step attacks simultaneously, and these attacks exhibit significant spatiotemporal overlap characteristics within the same network environment. Specifically, attackers use spatiotemporal overlap strategies to execute multiple attack chains in parallel within the same time period and IP segment, further increasing the difficulty of detection.

[0003] Such spatiotemporally overlapping multi-step attacks present three main challenges: First, the difficulty of event description and modeling. Spatiotemporally overlapping multi-step attacks not only require consideration of the contextual relationships and correlations between events, but also a comprehensive analysis of the temporal sequence, scope of impact, and interactions of events. The meaning and impact of each attack event may depend on the occurrence of preceding events. Second, the difficulty of distinguishing attack chains. When multiple attack chains overlap within the same time period and the same IP environment, distinguishing the independent steps of each attack chain becomes a challenge. For example, within the same IP and time window, if two different multi-step attack chains perform steps such as scanning, login attempts, and data theft, traditional IP address-based detection systems (such as community detection algorithms) struggle to accurately distinguish the steps of different attack chains because they cannot effectively utilize information other than IP addresses. Finally, the difficulty of detecting similar attack steps. During the step detection process of multi-step attacks, attackers may use the same techniques or protocols at different stages, even though the purposes of these steps differ, making it difficult for existing detection methods to accurately identify them. Existing technologies have the following limitations when dealing with such complex, multi-step attacks: Traditional intrusion detection systems (such as Snort and Suricata) rely on predefined rule bases to identify attack features, but cannot capture the correlations between multiple attack stages. Temporal modeling methods, such as Hidden Markov Models (HMMs) and Long Short-Term Memory (LSTMs), while able to model the stage sequence, face the problem of temporal confusion. When the time windows of multiple attack chains overlap, LSTMs cannot effectively distinguish the step order of different attack chains, leading to stage misjudgment. Furthermore, most existing solutions focus on detecting a single attack chain and lack systematic support for spatiotemporally overlapping scenarios. Summary of the Invention

[0004] To address the shortcomings of the existing technologies, this invention proposes a method for detecting complex multi-step network attacks based on spatiotemporal fusion features. This method constructs a deep learning model to effectively divide and accurately classify complex multi-step attacks containing multiple attack chains.

[0005] A complex multi-step network attack detection method based on spatiotemporal fusion features includes a model training phase and a multi-step attack detection phase, the specific process of which is as follows:

[0006] The model training phase described in this step includes the following steps:

[0007] Step 1) Take the set of multiple labeled multi-step attack network traffic packets as input, preprocess the packets, extract the header information and payload byte information of each packet in each flow, and thus obtain a set of multiple flow sequences containing header information and payload byte information.

[0008] Step 2) Using the set of multiple multi-step attack stream sequences obtained in Step 1) as input, synthesize a set of spatiotemporally overlapping multi-step attack stream sequences.

[0009] Step 3) Using the multiple multi-step attack flow sequence sets from Step 1) and the spatiotemporally overlapping flow sequence set synthesized in Step 2) as input, extract the load information of each flow sequence to form a node information set. Based on the associations between the quintuples, generate an edge set, ultimately obtaining multiple corresponding multi-step attack graph structures and a graph structure containing multiple multi-step attacks.

[0010] Step 4) Using the graph structure containing multiple multi-step attacks generated in Step 3) as input, train a model for dividing multi-step attack chains.

[0011] Step 5) Using the multiple corresponding multi-step attack graph structures generated in Step 3) as input, train a model for detecting specific multi-step attack stages.

[0012] The multi-step attack detection phase includes the following steps:

[0013] Step 6) Using the set of unlabeled raw network traffic packets as input, the Snort intrusion detection system processes the data to generate an alert set. Packet matching is performed on the alert set to obtain the attack network traffic packet set. Following the same method as in step 1) of the model training phase, the traffic packet set is processed into a flow set, and flow sequence information is further extracted to obtain an unlabeled flow sequence information set consisting of header information and payload byte information.

[0014] Step 7) Using the unlabeled flow sequence information set obtained in Step 6) as input, extract the load information of each flow sequence as the node information set, and generate the edge set according to the association between the quintuples, thereby obtaining a graph structure containing the node information set and the edge set.

[0015] Step 8) Using the graph structure obtained in Step 7) as input, input it into the model used to classify multi-step attacks in Step 4) of the training phase, calculate the multi-step attack type of each node, and generate a graph structure containing multi-step attack type labels.

[0016] Step 9) Using the graph structure containing multi-step attack type labels obtained in Step 8) as input, perform subgraph extraction and obtain subgraph structure information for each type of multi-step attack. Then, using the model for detecting specific multi-step attack stages in Step 5), calculate the stage value of each node belonging to a specific multi-step attack and assign it a different label.

[0017] A deep learning-based multi-step attack detection system based on spatiotemporal feature fusion includes a model training phase for constructing a spatiotemporal feature extraction model and a detection phase for multi-step attack chain segmentation and step identification, wherein:

[0018] The model training phase comprises three sequential modules: a data preprocessing module, a graph structure generation module, and two model training modules. First, labeled multi-step attack traffic data is received. The data preprocessing module performs stream sequence standardization, generates fixed-length stream sequences using 5-tuple matching and packet truncation, and constructs composite attack scenarios with spatiotemporal overlap through address substitution and timeline interleaving strategies. Next, the graph structure generation module constructs a baseline graph structure for a single attack chain and a composite graph structure for a hybrid attack chain based on node attributes (including protocol type, first packet timestamp, and payload characteristics) and an edge generation algorithm. Finally, the graph structures for each multi-step attack and the composite attack are input into the two models, respectively, yielding models for attack step identification and multi-step attack chain partitioning.

[0019] The detection stage of multi-step attack chain segmentation and step identification includes four sequential modules: data preprocessing module, graph structure generation module, multi-step attack chain segmentation module, and attack step identification module. First, an unlabeled set of raw network traffic packets is received. An intrusion detection system triggers an alarm. Based on the five-tuple features (source / destination IP, source / destination port, protocol) of the alarm information, flow matching is performed. The attack flow payload after matching is standardized using a predefined truncation length, generating a flow feature set containing a payload byte sequence and a payload length sequence. Then, the graph structure generation module constructs a time adjacency matrix based on the first packet timestamp. Node attributes include protocol type, TTL value, and truncation payload features. At the same time, a self-loop edge compensation mechanism is used to process isolated nodes, forming a graph structure containing spatiotemporal features. In the multi-step attack chain segmentation module, the graph structure containing spatiotemporal features is used as input. A time-weighted mechanism is used to strengthen the information aggregation of time-adjacent nodes, and the multi-step attack type label of each node in the graph is output. Finally, in the attack step identification module, subgraph structures belonging to the same attack chain are extracted using subgraph segmentation technology as input. The attack step identification model classifies the attack steps and outputs a graph structure containing step labels as the detection result.

[0020] The key technical point of this invention is:

[0021] 1. This invention proposes a novel method for detecting complex multi-step attacks. This method combines graph neural networks, temporal weights, and LSTM to comprehensively analyze the spatiotemporal characteristics of complex multi-step attacks, effectively capturing the complex relationships between and within multi-step attack chains.

[0022] 2. Design a graph generation algorithm. Construct a traffic graph structure using a 5-tuple fingerprint. Integrate node attributes with protocol type, timestamp, and load characteristics. The designed edge generation algorithm can effectively characterize the spatiotemporal correlation characteristics of multi-step attacks.

[0023] 3. Design an adjacency matrix update algorithm with time decay characteristics. By dynamically adjusting the information propagation intensity between nodes through a configurable decay factor, the interference of temporal confusion noise on attack chain partitioning can be effectively suppressed.

[0024] 4. Design a three-layer composite network structure. The first layer GCN extracts spatial features such as protocol type and load distribution through local neighborhood aggregation. The second layer GCN realizes global interaction feature extraction of multi-hop neighbors. The third layer LSTM unit models the temporal evolution law of attack steps, forming a progressive feature learning path of "space-global-time".

[0025] The method of this invention can achieve accurate detection of spatiotemporal overlapping multi-step attacks, and has the following significant advantages compared with existing detection technologies:

[0026] 1. This invention designs a graph neural network based on time-weighted aggregation, introduces a time decay function, dynamically adjusts the aggregation weight of nodes, makes the model pay more attention to the related traffic with similar time, and solves the problem of dividing multi-step attack chains with spatiotemporal overlap.

[0027] 2. This invention designs a neural network based on multi-layer spatiotemporal feature extraction, which integrates the spatial features of multi-layer graph convolutional neural network and the temporal features of LSTM in the step recognition stage, thus solving the problem of similar attack stage recognition in multi-step attacks. Attached Figure Description

[0028] Figure 1 This is a flowchart of the model training process for a complex multi-step network attack detection method based on spatiotemporal fusion features.

[0029] Figure 2 This is a flowchart of the detection phase for multi-step attack chain segmentation and step identification.

[0030] Figure 3 This is a graph showing the experimental results of the multi-step attack chain partitioning model under different decay rates.

[0031] Figure 4(a) shows the experimental results of the multi-step attack chain partitioning model under the DARPA2000 (L1+L2) hybrid attack scenario.

[0032] Figure 4(b) shows the experimental results of the multi-step attack chain partitioning model under the DARPA2000(L1+L2)+ISCX2012 hybrid attack scenario.

[0033] Figure 5(a) shows the experimental results of the multi-step attack step identification model on the DARPA2000 test set.

[0034] Figure 5(b) shows the experimental results of the multi-step attack step identification model on the ISCX2012 test set.

[0035] Figure 6(a) is the confusion matrix of the multi-step attack step identification model on the DARPA2000 test set.

[0036] Figure 6(b) is the confusion matrix of the multi-step attack step identification model on the ISCX2012 test set. Detailed Implementation

[0037] The workflow of this invention includes a model training phase and a detection phase for multi-step attack chain segmentation and step identification. In the model training phase, labeled network traffic is used as input to train learnable parameters in the neural network, thereby constructing a multi-step attack chain segmentation model and an attack step identification model. In the detection phase for multi-step attack chain segmentation and step identification, unlabeled traffic in a real network environment is used as input. An intrusion detection system triggers an alarm, and a graph structure with multi-step attack flows as nodes is obtained through flow matching and graph generation modules. Then, the multi-step attack chain segmentation model segments the multi-step attack chains in the graph structure and obtains the multi-step attack type label for each node. Finally, the sub-graph structure of a single multi-step attack is extracted and input into the attack step identification model to obtain a graph structure containing multi-step attack step labels.

[0038] During the model training phase, the key technical aspects of this invention lie in the construction of a multi-step attack partitioning model and a multi-step attack step identification model. The model construction process is as follows: Figure 1 As shown. The input to this stage is a set of labeled multi-step attack network traffic packets, and the output is a multi-step attack partitioning model and a multi-step attack step identification model.

[0039] The multi-step attack partitioning model and multi-step attack step recognition model of the present invention are constructed based on the training method of deep neural network models, and their specific implementation steps are as follows:

[0040] The data preprocessing step takes a set of labeled multi-step attack network traffic packets as input, preprocesses the packets in the set, and extracts the header and payload byte information of each packet in each flow, thereby obtaining a set of header and payload byte sequences. The specific implementation steps are as follows:

[0041] First, the set of labeled multi-step attack network traffic packets is processed into a flow set. Given the original labeled network traffic packets as input, they are assembled into a set according to the 5-tuple identifier. (y i ∈[1,N] represents a flow i Multi-step attack type labels, where N is the total number of known multi-step attack categories, y' i ∈[1,N] represents a flow i The multi-step attack steps are labeled, where M is the total number of flows. The 5-tuple refers to the source IP address (ip.src), destination IP address (ip.dst), source port (port.src), destination port (port.dst), and communication protocol (protocol) of the data packet.

[0042] Then, the convection set D raw Perform stream sequence information extraction operations to obtain a multi-step attack traffic set. Where H i for flow i The header information, H' i To extract the header information, P i for flow i The payload byte sequence. For ease of understanding, subsequent steps will use a single stream. i Taking an example, the stream sequence information extraction operation in this invention is introduced, and its specific steps are as follows:

[0043] First, header information is extracted by taking the first L data packets from each flow in the flow set. Then, the header information of each of the L data packets is extracted sequentially. Since each flow consists of an ordered sequence of data packets, for any flow... i We define its data packet sequence as in Represents flow i The j-th data packet, m represents the flow. i It contains m data packets. To prevent overfitting during model training, IP addresses and MAC addresses are removed from the header, while the transport layer protocol type (e.g., TCP=6, UDP=17) and other header information are retained to maintain traffic behavior characteristics. (flow) i For example, extracting flow i The first L data packets are denoted as After deleting the address, the header information H' i According to the header information in flow' i The order of appearance is used to obtain the header information sequence H'. i ={H' i1 ,...,H' i2 ,...,H' iL}

[0044] Then, payload byte sequence information is extracted, and the first L data packets of each stream in the stream set are extracted. Subsequently, the payload byte information of the L data packets is extracted sequentially. (This is done using the flow...) i For example, first, extract the payload byte information of each data packet. Then, the payload bytes of each data packet are arranged according to their appearance in the flow. i The bytes are arranged in the order listed above to obtain the payload byte sequence. in Represents flow i The payload bytes of the j-th data packet. Specifically, for the stream... i For the j-th data packet, this step extracts the first P bytes of the packet payload, thus obtaining the payload byte information. in This represents the e-th byte of the payload of the j-th data packet.

[0045] A set of multiple multi-step attack stream sequences D f As input, a set of spatiotemporally overlapping multi-step attack flow sequences is synthesized. Taking the preprocessed multi-step attack data flow sets D1 and D2 as inputs, the output is a synthesized spatiotemporally overlapping attack dataset D. merged The specific implementation steps are as follows:

[0046] First, timeline interleaving is performed, defining a time offset Δt, and then the timestamps of all attack steps in D2 are interleaved. Transpose the data to the time window of D1 and generate a new timestamp. Where T start and T end Let D1 be the start and end time. This represents the total duration of D2.

[0047] Then, perform IP address replacement and define address mapping rules. Replace the attack source / target IP in D2 with an address within the subnet of D1: Finally, the attack chains are merged by combining the traffic data from D1 and D2 in ascending order of timestamps to generate a mixed data traffic set. in This represents the i-th original attack traffic stream from dataset D1. This represents the j-th adjusted attack traffic flow from dataset D2.

[0048] The input is a mixed data traffic set D merge Or a multi-step attack data traffic set D that has undergone data preprocessing. f The output is a graph structure that can be used to train a graph neural network, including the generation of nodes and edges: nodes represent the various flows in a multi-step attack, while edges depict the spatial relationships between these flows. The specific implementation steps are as follows:

[0049] Node generation. Based on preprocessed multi-step attack data traffic sets. Taking the example as input, the output node set V = {v1, v2, ..., v...} M} and the node feature matrix take F∈R M×d Each stream i Corresponding unique node v i First, extract the header information H. i The quintuple in the table represents the node identifier ID (v i Then extract each stream s i Feature construction of node attribute vector f i∈R d :f i =[t i TTL i OneHot(proto i ),x i ], where timestamp t i ∈R is the stream s i First packet time, TTL value i ∈Z is the maximum packet lifetime, and the protocol type is OneHot(proto i )∈{0,1} k It is a K-dimensional one-hot encoding, with load feature x i ∈R n*m It is the header information H' of the preprocessed address deletion information. i and the extracted payload byte sequence P i .

[0050] Generation is performed on a pre-processed multi-step attack data traffic set. Taking an example as input, the output set of edges is E. The specific operations are as follows: Set the maximum number of edges per node, max_edges; and set the attack flow set D = {f1, f2, ..., f...}. M First, the generation of candidate edges depends on the quintuple correlation determination. For any two flows f i ,f j If an edge ∈D satisfies one of the following spatial association conditions, it is marked as a candidate edge:

[0051]

[0052] Then, edge count constraints are applied to each node v. i Maintain a priority queue Q i Store candidate edges in ascending order of time difference. Iterate through all candidate edges e. ij and e ji Insert into queue Q in sequence i and Q j When queue Q i Current size | Q i If |≥max_edges, then perform the following operation: If Δt ij <Δt max_current , where Δt max_current If the maximum time difference is in the current queue, then replace the edge with the maximum time difference in the queue.

[0053] Finally, merge queues Q1, Q2, and Q3 of all nodes. M After removing duplicate edges, the final edge set is generated:

[0054] Training a multi-step attack chain partitioning model. Key techniques in the training process lie in constructing the temporal weight adjacency matrix and designing the graph convolutional neural network, with input edge set E, node set V, and timestamp vector T∈R. M The attenuation factor λ outputs a multi-step attack chain partitioning model:

[0055] First, the adjacency matrix is ​​initialized and the time decay weights are calculated. The total number of nodes is defined as M = |T|, and the adjacency matrix is ​​initialized with all zeros: A = 0. M*M For each edge e ij ∈E, calculate the time difference and fill in the symmetric weights: Δt=|T i -T j |, A[i,j]=A[j,i]=w ij Add a self-loop edge to an unconnected node, A[i,i] = 1.0, if and only if

[0056] Then, we design a graph convolutional neural network, where each node v... i The updated representation of h' i It is due to its own characteristics h i and the feature set {h} of its neighboring nodes i |j∈N(i)} is derived through a time-weighted, difference-weighted combination. Node features are arranged according to h' i =σ(W·h i +Σ i∈N(i) α ij ·W·h j Update. Where σ is the ReLU nonlinear activation function, W is the learnable weight matrix, and... It is a weight based on time difference.

[0057] Where w = e (-decay_rate·|Δt|) w represents the time weight of the node. sum =∑ k∈N(i) e (-decay_rate·|Δt|) For node v i The cumulative weight of all connected nodes. And to avoid isolated nodes causing w to become undesirable when they have no neighbors. sum For errors where w is zero, check the sum of the weights of each node. sum If it is zero, then pass Set it to 1.

[0058] In e (-decay_rate·|Δt|) In this context, decay_rate is a hyperparameter that controls the magnitude of the impact of time differences on the weights, where |Δt| = |t_t. i -t j | represents the time difference between nodes.

[0059] Training a multi-step attack step recognition model. The key technology in the training process lies in the design of a three-layer spatiotemporal feature deep learning model, which takes as input a specific multi-step attack graph structure, an edge set E, and a node feature matrix X∈R. M*d Output a multi-step attack step identification model:

[0060] First, a two-layer graph convolutional neural network is used to update the spatial features of the multi-step attack. Each layer of the graph convolutional neural network uses the ReLU function as the activation function. The update formulas for the first and second layers of the graph convolutional neural network are as follows:

[0061]

[0062] Where, d i d j W represents the distance between node i and node j, and W is a trainable parameter. Represents node v i The representation in the first layer, Represents node v i Representation in the second layer.

[0063] Then, to obtain temporal features, the output of the second GCN layer is transformed by dimension transformation and then input into the LSTM layer to initialize the hidden state and cell state: h0 = 0. 2*h c0 = 0 2*h , 2 indicates a two-layer LSTM. Then H (2) Sort by timestamp and input LSTM: H seq ,(h n ,c n ) = LSTM(H (2) ,(h0,c0)), where H seq ∈R M*h It is the temporal feature matrix, and h is the dimension of the hidden layer.

[0064] Finally, the spatiotemporal features and gating weights are calculated by concatenating them using a gating mechanism. The gating value G is calculated as follows:

[0065] G=σ([H (2) ||H seq W g +b g )

[0066] Where || indicates column concatenation, W g ∈R 2h*h Here, σ is the gating parameter, and σ(·) is the Sigmoid activation function. Based on the gating control, the fused features can be calculated:

[0067] H fuse =G⊙H(2) +(1-G)⊙H seq

[0068] Where ⊙ denotes element-wise multiplication. Then, the attack step classification probability matrix P = Softmax(H) is obtained through a fully connected classification layer. fuse W c +b c ),W c These are the parameters for the classification layer.

[0069] The workflow of the detection phase for multi-step attack chain segmentation and step identification is as follows: Figure 2 As shown. This stage, based on the multi-step attack chain segmentation model and multi-step attack step identification model built during the model training stage, performs multi-step attack chain segmentation and step identification on the unlabeled raw traffic, and outputs the multi-step attack chain category and multi-step attack step category to which the attack traffic belongs. The specific process of the multi-step attack chain segmentation and step identification detection stage is as follows:

[0070] Step 1: Using a set of unlabeled raw network traffic packets as input, an intrusion detection system generates an alert. Through the same data preprocessing mechanism as in Step 1 of the training phase, multi-step attack traffic containing header and payload information is obtained.

[0071] Step 2 involves inputting the multi-step attack traffic containing header and payload information into the graph structure generation model to generate a graph structure containing a set of nodes and edges, similar to Step 3 in the training phase.

[0072] Step 3: Input the graph structure obtained in Step 2 into the multi-step attack chain partitioning model to classify all nodes in the graph and obtain the label l∈[1,N] of all nodes, where N is the number of multi-step attack chain types.

[0073] Step 4: Extract the subgraph of the specific multi-step attack chain using the subgraph algorithm. This is derived from the labeled graph structure G = (V, E) from Step 3, where the node feature matrix X ∈ R. M*n The classification label vector S∈{1,2,...,K} M The target is a multi-step attack chain of type k. First, filter the nodes by selecting the set of nodes for target attack type k based on the category label: V k ={v i ∈V|S[i]=k}. Then, the edges are filtered, keeping only those where both ends belong to V. k Edge: E k ={(v i ,v j )∈E|v i ∈V k ∧v j ∈V k}

[0074] Step 5: Input the corresponding subgraph into the corresponding multi-step attack step identification model, classify all nodes in the subgraph, and obtain the label l'∈[1,M] of all nodes, where M is the number of step categories of the multi-step attack.

[0075] In the verification experiments, this invention was validated using network traffic from two different multi-step attacks: the DARPA2000 (LLDOS 1.0+LLDOS 2.0) dataset and the UNB ISCX2012 dataset. The specific network traffic information used in the experiments is shown in Table 1. Two multi-step attacks were used to verify the multi-step attack step identification model, and two hybrid multi-step attacks were used to verify the multi-step attack chain partitioning model. The training and test sets were stratified, with a 7:3 ratio of training to test sets for each step of each multi-step attack type.

[0076] Table 1: Application names and network traffic information for each category used in the experimental verification

[0077] Multi-step attack name Number of data packets Number of alarms Number of streams DARPA2000 LLDOS 1.0 6719 5590 4096 ISCX 2012 61456 1329 1050 LLDOS 1.0+ISCX 2012 68583 6919 5146 LLDOS 1.0 + LLDOS 2.0 + ISCX 2012 70685 8719 5202

[0078] To evaluate its classification performance, the following metrics are defined to assess the classification performance of the classifier:

[0079]

[0080] For multi-step attack chain partitioning models, True Positive (TP) means that the predicted attack type is the same as the actual attack type;

[0081] False Positive (FP) refers to a situation where the predicted attack type differs from the actual attack type, meaning the attack sample is incorrectly classified as another type. False Negative (FN) refers to a situation where the actual attack type is inconsistent with the predicted attack type, meaning the attack type was missed. For multi-step attack step identification models, TP means the predicted attack step matches the actual attack step; FP means the predicted attack step is inconsistent with the actual attack step, meaning the wrong step was predicted.

[0082] FN refers to a discrepancy between the actual attack steps and the predicted attack steps, meaning that the attack step was missed.

[0083] Figure 3 The F1 score of the multi-step attack chain splitting model on the test set of the experimental dataset was plotted for different values ​​of the time decay rate λ. Four different decay rates were used in the experiment: 0.001, 0.002, 0.005, and 0.01. The results showed that the model converged faster and achieved better F1 scores under different decay rates.

[0084] Figures 4(a) and 4(b) illustrate the performance of the multi-step attack chain partitioning model in two mixed multi-step attack scenarios: DARPA2000(L1+L2) and DARPA2000(L1+L2)+ISCX2012, respectively, and compare the performance of five methods for multi-step attack partitioning. Figure 4(a) shows that in the DARPA2000(L1+L2) mixed scenario, the F1 score, recall, and precision of the multi-step attack chain partitioning model are 0.971, 0.944, and 0.999, respectively. Figure 4(b) shows that in the DARPA2000(L1+L2)+ISCX2012 mixed scenario, after adding one more multi-step attack, the performance metrics of the multi-step attack chain partitioning model are 0.973, 0.958, and 0.987, respectively.

[0085] Figures 5(a) and 5(b) show the performance metrics of the multi-step attack step identification model on DARPA2000L1 and ISCX2012, respectively. In DARPA2000L1, the F1 score, recall, and precision are 0.986, 0.973, and 0.997, respectively; while in ISCX2012, the F1 score, recall, and precision are 0.992, 0.986, and 0.997, respectively. Finally, Figures 6(a) and 6(b) plot the confusion matrices of the multi-step attack step identification model for each step of the two multi-step attack types.

Claims

1. A method for detecting complex multi-step network attacks based on spatiotemporal fusion features, characterized in that, The process includes a model training phase and a multi-step attack detection phase, and the specific steps are as follows: The model training phase described in this step includes the following steps: Step 1) Take the set of multiple labeled multi-step attack network traffic packets as input, preprocess the packets, extract the header information and payload byte information of each packet in each flow, and thus obtain a set of multiple flow sequences containing header information and payload byte information. Step 2) Using the set of multiple multi-step attack stream sequences obtained in Step 1) as input, synthesize a set of spatiotemporally overlapping multi-step attack stream sequences; Step 3) Using the set of multiple multi-step attack flow sequences from Step 1) and the set of spatiotemporally overlapping flow sequences synthesized in Step 2) as input, extract the load information of each flow sequence to form a set of node information; generate an edge set based on the association between the quintuples, and finally obtain multiple corresponding multi-step attack graph structures and a graph structure containing multiple multi-step attacks. Step 4) Using the graph structure containing multiple multi-step attacks generated in Step 3) as input, train a model for dividing multi-step attack chains; Step 5) Using the multiple corresponding multi-step attack graph structures generated in Step 3) as input, train a model for detecting specific multi-step attack stages; The multi-step attack detection phase includes the following steps: Step 6) Using the set of unlabeled raw network traffic packets as input, the Snort intrusion detection system processes the data to generate an alarm set; the alarm set is matched with packets to obtain the set of attack network traffic packets, and the set of traffic packets is processed into a stream set in the same way as in step 1) of the model training phase, and the stream sequence information is further extracted to obtain an unlabeled stream sequence information set composed of header information and payload byte information. Step 7) Using the unlabeled flow sequence information set obtained in Step 6) as input, extract the load information of each flow sequence as the node information set, and generate the edge set according to the association between the five tuples, thereby obtaining a graph structure containing the node information set and the edge set. Step 8) Using the graph structure obtained in Step 7) as input, input it into the model used to divide the multi-step attack chain in Step 4) of the training phase, calculate the multi-step attack type of each node, and generate a graph structure containing multi-step attack type labels. Step 9) Using the graph structure containing multi-step attack type labels obtained in Step 8) as input, perform subgraph extraction and obtain the subgraph structure information of each multi-step attack. Then, using the model for detecting specific multi-step attack stages in Step 5), calculate the stage value of each node belonging to a specific multi-step attack and assign it a different label.

2. A deep learning-based multi-step attack detection system based on spatiotemporal feature fusion, implementing the method of claim 1, characterized in that, This includes a model training phase for constructing a spatiotemporal feature extraction model and a detection phase for multi-step attack chain partitioning and step identification, wherein: The model training phase comprises three sequential modules: a data preprocessing module, a graph structure generation module, and two model training modules. First, labeled multi-step attack traffic data is received. The data preprocessing module performs stream sequence standardization, uses quintuple matching and packet truncation to generate fixed-length stream sequences, and constructs a composite attack scenario with spatiotemporal overlap using address substitution and timeline interleaving strategies. Next, the graph structure generation module constructs a baseline graph structure for a single attack chain and a composite graph structure for a hybrid attack chain based on node attributes and an edge generation algorithm. The node attributes include protocol type, first packet timestamp, and payload characteristics. Finally, the graph structures for each multi-step attack and the composite attack are input into the two models, respectively, to obtain models for attack step identification and multi-step attack chain partitioning. The detection phase of multi-step attack chain segmentation and step identification includes four sequential modules: data preprocessing, graph structure generation, multi-step attack chain segmentation, and attack step identification. First, it receives a set of unlabeled raw network traffic packets, triggers an alarm through the intrusion detection system, and performs flow matching based on the five-tuple features of the alarm information. These five-tuple features include source / destination IP, source / destination port, and protocol. The matched attack flow payload is standardized using a predefined truncation length to generate a flow feature set containing a payload byte sequence and a payload length sequence. Then, it enters the graph structure generation module, based on the first packet timestamp... A temporal adjacency matrix is ​​constructed, with node attributes including protocol type, TTL value, and truncated load characteristics. A self-loop edge compensation mechanism is employed to handle isolated nodes, forming a graph structure containing spatiotemporal features. In the multi-step attack chain segmentation module, the graph structure containing spatiotemporal features is used as input, and a time-weighted mechanism is employed to enhance the aggregation of information from temporally adjacent nodes, outputting a multi-step attack type label for each node in the graph. Finally, in the attack step identification module, subgraph structures belonging to the same attack chain are extracted using subgraph segmentation technology as input. The attack step identification model is used to classify attack steps, outputting a graph structure containing step labels as the detection result.

3. The deep learning multi-step attack detection system based on spatiotemporal feature fusion according to claim 2, characterized in that, Data preprocessing takes a set of labeled multi-step attack network traffic packets as input, preprocesses the packets in the set, and extracts the header information and payload byte information of each packet in each flow, thereby obtaining a set of header information and payload byte sequences; the specific implementation steps are as follows: First, the set of labeled multi-step attack network traffic packets is processed into a flow set; then, given the original labeled network traffic packets as input, they are assembled into a set according to the five-tuple identifier. , For flow Multi-step attack type tags, Given the total number of known multi-step attack categories, For flow Multi-step attack steps tag, This represents the total number of flows; where the 5-tuple refers to the source IP address, destination IP address, source port, destination port, and communication protocol of the data packet; Then, convection set Perform stream sequence information extraction operations to obtain a multi-step attack traffic set. ,in For flow header information, To extract the header information, For flow The load byte sequence.

4. The deep learning multi-step attack detection system based on spatiotemporal feature fusion according to claim 3, characterized in that, Single Stream The specific steps for extracting midstream sequence information are as follows: First, header information is extracted, and the preceding information is extracted from each flow in the flow set. One data packet; then, extract them sequentially. The header information of each data packet; since each stream consists of an ordered sequence of data packets, for any stream Define its data packet sequence as ,in Represents a stream The One data packet, Represents a stream Total of One data packet; To prevent overfitting during model training, the IP address and MAC address in the header are removed, while the transport layer protocol type and other header information are retained to maintain traffic behavior characteristics. flow In the middle, extract The former The data packets are denoted as Header information after deleting the address According to the header information The order of appearance is used to obtain the header information sequence. ; Then, the payload byte sequence information is extracted, and the first byte of each stream in the stream set is truncated. One data packet; then, extract them sequentially. Payload byte information for each data packet; stream First, extract the payload bytes of each data packet. Then, the payload bytes of each data packet are arranged according to their position in the order they appear in the data packet. The bytes are arranged in the order listed above to obtain the payload byte sequence. ,in Represents a stream The The payload bytes of each data packet; specifically, for a stream The One data packet, extract the first part of the packet payload. Each byte yields the payload byte information. ,in Indicates the first The first packet payload 1 byte.

5. The deep learning multi-step attack detection system based on spatiotemporal feature fusion according to claim 4, characterized in that, Multiple multi-step attack traffic sets As input, a set of spatiotemporally overlapping multi-step attack flow sequences is synthesized; Preprocessed multi-step attack data traffic set and Input, Output: Synthetic Spatiotemporal Overlap Attack Dataset The specific implementation steps are as follows: First, perform timeline interleaving and define the time offset. ,Will Timestamps of all attack steps Translate to Generate a new timestamp within the time window. , ,in and for The start and end times, for The total duration; Then, perform IP address replacement and define address mapping rules. ,Will Replace the attack source / target IP with Address within the subnet: = Finally, the attack chains are merged, and... and Traffic data is merged in ascending order of timestamps to generate a mixed data traffic set: ,in Indicates that it comes from the dataset The i-th original attack traffic stream, Indicates that it comes from the dataset The j-th adjusted attack traffic flow; The input is a mixed data traffic set Or a multi-step attack traffic set that has undergone data preprocessing. The output is a graph structure that can be used to train a graph neural network, including the generation of nodes and edges: nodes represent the various flows in a multi-step attack, while edges depict the spatial relationships between these flows. The specific implementation steps are as follows: Node generation; a multi-step attack data set after data preprocessing. As input, output node set and node feature matrix Each stream Corresponding unique node First, extract the header information. The quintuple in the diagram is the node identifier. Then extract each stream Feature construction of node attribute vectors : The timestamp It is a flow First packet time, TTL value This refers to the maximum data packet lifetime and the protocol type. It is a K-dimensional one-hot encoding with load characteristics. This is the header information for preprocessing and deleting address information. and the extracted payload byte sequence ; Edge generation; a multi-step attack data set after data preprocessing. The set of input and output edges The specific steps are as follows: Set the maximum number of edges per node (max_edges), and the attack flow set. First, the generation of candidate edges depends on the quintuple correlation determination, for any two node attribute vectors An edge is marked as a candidate edge if it meets one of the following spatial association conditions: ; Then, edge count constraints are applied to each node. Maintain a priority queue Store candidate edges in ascending order of time difference; iterate through all candidate edges. and Insert into the queue in sequence and When the queue Current size Then perform the following operations: If ,in If the edge with the largest time difference in the current queue is the one with the largest time difference, then replace the edge with the largest time difference in the queue; finally, merge the queues of all nodes. , ,..., After removing duplicate edges, the final edge set is generated: .

6. The deep learning multi-step attack detection system based on spatiotemporal feature fusion according to claim 5, characterized in that, Training a multi-step attack chain partitioning model; key techniques during training lie in constructing the temporal weight adjacency matrix and designing the graph convolutional neural network, with input edge set... Node set timestamp vector The attenuation factor λ outputs a multi-step attack chain partitioning model: First, the adjacency matrix is ​​initialized and the time decay weight is calculated; the total number of nodes is defined. Initialize the all-zero adjacency matrix: For each edge Calculate the time difference and fill in the symmetric weights: , , Add a self-loop edge to an unconnected node if and only if ,So ; Then, the graph convolutional neural network was designed, with each node... Updated It is due to its own characteristics and the feature set of its neighboring nodes. It is derived from a time-weighted, difference-weighted combination; node features are based on... Update; among which It is the ReLU nonlinear activation function. It is a learnable weight matrix, and It is a weight based on time difference; in The weights of nodes and time. For nodes The cumulative weight of all connected nodes; And to avoid isolated points causing problems when there are no neighbors For errors where the value is zero, check the sum of the weights of each node; If a certain node If it is zero, then pass Set it to 1; exist In this context, `decay_rate` is a hyperparameter that controls the magnitude of the impact of time differences on the weights. The time difference between nodes; Training a multi-step attack step recognition model; the key technology in the training process lies in the design of a three-layer spatiotemporal feature deep learning model, which takes as input a set of edges from a specific multi-step attack graph structure. Node feature matrix Output a multi-step attack step identification model: First, a two-layer graph convolutional neural network is used to update the spatial features of the multi-step attack; each layer of the graph convolutional neural network uses the ReLU function as the activation function; the following are the update formulas for the first and second layers of the graph convolutional neural network: in, This represents the distance between node i and node j. These are trainable parameters. Represents a node The representation in the first layer, Represents a node Representation in the second layer; Then, to obtain temporal features, the output of the second GCN layer is transformed by dimension transformation and then input into the LSTM layer to initialize the hidden state and cell state: , ,2 indicates a two-layer LSTM; Then Sort by timestamp and input into LSTM: ,in It is a time series feature matrix. For the hidden layer dimension; Finally, the spatiotemporal features and gating weights are concatenated through a gating mechanism; the gating value is then calculated. The calculation method is as follows: in This indicates concatenation by column. For gating parameters, The activation function is Sigmoid; the fused features can be calculated based on the gate control. ; in This represents element-wise multiplication; then, the attack step classification probability matrix is ​​obtained through a fully connected classification layer. , These are the parameters for the classification layer.