A method, apparatus and equipment for detecting APT attacks
By constructing a dynamic spatiotemporal graph and performing neural network calculations, high-risk nodes and attack paths are identified, solving the problems of insufficient real-time performance and tracing capabilities in existing APT attack detection technologies, and achieving efficient APT attack detection and automated attack chain reconstruction.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM NETWORK SECURITY TECH CO LTD
- Filing Date
- 2025-09-09
- Publication Date
- 2026-06-30
AI Technical Summary
In existing technologies, security data is scattered across various heterogeneous data sources at different levels and of different types, such as network traffic, device logs, and threat intelligence. This lacks effective automated correlation analysis, makes it difficult to achieve deep correlation of cross-domain events, and makes it impossible to perceive APT attacks in real time as a whole, thus limiting the ability to trace the source.
The system constructs and dynamically updates a spatiotemporal graph. By identifying changing nodes and their impact on the subgraphs, it performs spatiotemporal graph neural network calculations to determine node threat scores, screens high-risk nodes and extracts operational behaviors, uses a pre-set attack tactical system to determine tactical stages, forms security events, and constructs a directed event graph through causal correlation analysis to identify attack paths.
It enables real-time and accurate detection of APT attacks and automated attack chain reconstruction, improving identification and tracing capabilities while reducing computational overhead.
Smart Images

Figure CN120979783B_ABST
Abstract
Description
Technical Field
[0001] This application belongs to the field of information security technology, and in particular relates to an APT attack detection method, apparatus and equipment. Background Technology
[0002] Advanced Persistent Threat (APT) is a form of cyberattack characterized by its long duration, stealth, and multi-stage nature.
[0003] In existing technologies, security data is scattered across various heterogeneous data sources at different levels and of different types, such as network traffic, device logs, and threat intelligence. There is a lack of effective automated correlation analysis between security data, making it difficult to achieve deep correlation of cross-domain events, and making it impossible to perceive APT attacks in real time as a whole, thus limiting the ability to trace the source.
[0004] Therefore, there is an urgent need for a more efficient and accurate APT attack detection method to improve the ability to identify and trace APT attacks. Summary of the Invention
[0005] To address the aforementioned issues, this application provides an APT attack detection method, apparatus, and device that can achieve efficient and accurate APT attack detection, helping to solve the problems of data silos, poor real-time performance, and poor attack chain reconstruction capabilities in existing technologies.
[0006] Firstly, this application provides an APT attack detection method, the method comprising:
[0007] Based on the acquired multi-source security data, a spatiotemporal graph is constructed and dynamically updated. In the spatiotemporal graph, nodes represent entities and edges represent the relationships between entities.
[0008] After acquiring multi-source security data each time, identify the change nodes in the spatiotemporal graph, and extract the change subgraphs affected by the change nodes in the spatiotemporal graph.
[0009] Spatiotemporal graph neural network calculations are performed on the nodes within the changed subgraph, and the threat score of the nodes within the changed subgraph is determined based on the calculated spatiotemporal fusion features;
[0010] High-risk nodes with threat scores exceeding a preset threshold are identified, and the operational behaviors of these high-risk nodes are extracted from the multi-source security data.
[0011] Based on a pre-defined attack tactical system, the tactical phase to which the operation belongs is determined, and a corresponding security event is generated; wherein, the security event includes a timestamp of the operation, a behavior description vector, and a tactical phase label;
[0012] Based on the time interval between any two of the aforementioned security events, tactical intent Figure 1 Consistency and tactical phase coherence are used to determine the causal correlation degree of any two security events forming a security event pair;
[0013] The security events and the causal correlation are mapped to nodes and edges of a directed event graph, respectively.
[0014] An attack path is determined based on at least one candidate attack path in the directed graph of the event where the cumulative edge weight is higher than a preset value.
[0015] In this embodiment, by constructing a dynamically updated spatiotemporal graph, multi-source security data can be dynamically fused to reflect changes in entities (such as IPs, processes, and users) and their relationships (such as network connections and file access) in the network environment in real time. After each alarm data update, the changed subgraph affected by the changed nodes is identified, and spatiotemporal graph neural network calculations are performed only on the changed subgraphs. Based on the calculated spatiotemporal fusion features, the threat score of the node is determined, high-risk nodes are screened, and their operational behaviors are extracted, thereby achieving real-time and accurate perception of APT attack behavior while effectively reducing computational overhead. Furthermore, a preset attack tactical system is used to determine the tactical stage to which the operational behavior belongs, forming a security event containing a timestamp, behavior description vector, and tactical stage label, and combining time intervals and tactical intentions... Figure 1 This application analyzes the causal relationships between security incidents to determine consistency and tactical coherence, ultimately constructing a directed event graph and identifying high-confidence attack paths. It achieves real-time, accurate detection of APT attacks and automated attack chain reconstruction.
[0016] In one possible implementation, the step of constructing and dynamically updating the spatiotemporal graph based on the acquired security data includes:
[0017] Acquire multi-source security data by sliding within a set time window;
[0018] Entities, entity attribute information corresponding to each entity, and association relationships between entities are extracted from the multi-source security data in the first time window. The entities and the association relationships are used as the initial nodes and initial edges of the spatiotemporal graph, and the entity attribute information is stored as node attribute information in the corresponding initial nodes.
[0019] Based on multi-source security data from subsequent time windows, a graph update operation is performed to dynamically update the spatiotemporal graph. The graph update operation includes at least one of the following: adding nodes, updating node attribute information, adding edges, updating edge weights based on interactions between nodes, updating edge weights using an edge decay model, and deleting edges whose weights are below a preset threshold. The edge decay model updates edge weights based on the number of security events in the current time window and the time difference between the current time and the edge's most recent weight update. For any edge, the more frequent the interactions between the nodes at both ends of the edge, the fewer the number of security events in the current time window, the smaller the time difference, and the less the edge weight decays.
[0020] In this embodiment, a sliding time window mechanism is used to process multi-source security data in batches, ensuring the incremental construction and continuous evolution of the spatiotemporal graph. The initial stage establishes the graph structure foundation, and subsequent stages achieve dynamic maintenance of the graph through operations such as adding nodes, updating attributes, and adding / deleting edges. Specifically, edge weights not only dynamically increase based on the interaction behavior between nodes, but also incorporate a decay mechanism. An edge weight decay model automatically filters out outdated and invalid associations, maintaining the timeliness and relevance of the graph structure and improving the quality of graph representation. Specifically, the edge weight decay model allows the edge weights of edges that have been inactive for a long time to decay naturally over time until they are deleted. Furthermore, the more active the system (the more security events within the current time window), the faster the edge weights decay, effectively suppressing noise accumulation, highlighting current potential threats, and providing an accurate and lightweight data foundation for subsequent subgraph calculations.
[0021] In one possible implementation, after each acquisition of multi-source security data, identifying change nodes in the spatiotemporal graph and extracting change subgraphs affected by the change nodes in the spatiotemporal graph includes:
[0022] After the graph update operation in the current time window is completed, the newly added nodes, the nodes whose node attribute information has been updated, and the nodes whose edge weights have been updated according to the interaction behavior between nodes in the spatiotemporal graph are regarded as the changed nodes.
[0023] For any of the changed nodes, the dynamic propagation radius is calculated based on the degree of the changed node, the network load, and the average degree of the entire graph. All nodes within the dynamic propagation radius are extracted in the spatiotemporal graph to form a change subgraph affected by the changed node.
[0024] The higher the degree of any changed node compared to the average degree of the entire graph, the lower the network load, and the larger the dynamic propagation radius.
[0025] This application proposes a method for extracting changing subgraphs based on dynamic propagation radius, which adaptively adjusts the graph computation range. Specifically, when calculating the dynamic propagation radius for each changed node, the importance (degree) of the node itself and the current network load of the system are comprehensively considered. Changes in important nodes have a wider impact, so a larger dynamic propagation radius is assigned; when the system is under high load, the radius is reduced to decrease computational overhead. This application, through this method for extracting changing subgraphs based on dynamic propagation radius, ensures that the inference computation of the spatiotemporal graph always focuses on the core region of system state changes, reducing computational complexity from the full graph level to the subgraph level while maintaining detection accuracy.
[0026] In one possible implementation, performing spatiotemporal graph neural network computation on the nodes within the changed subgraph and determining the threat score of the nodes within the changed subgraph based on the calculated spatiotemporal fusion features includes:
[0027] For any target node within the changed subgraph, perform the following operations:
[0028] Based on the multi-source security data of the current time window, spatial convolution and temporal convolution are performed on any target node to obtain the spatiotemporal fusion feature vector of any target node;
[0029] Perform a neighbor aggregation operation on any target node to obtain the aggregated features of the target node; wherein the neighbor aggregation operation includes calculating a weighted average of the spatiotemporal fusion feature vectors of the neighbor nodes using the degree of the neighbor nodes of the target node as the weight.
[0030] Based on the Euclidean distance between the aggregated features of any target node and the mean aggregated features of its neighboring nodes, the local feature deviation of any target node is determined.
[0031] The aggregated features of any target node are input into a pre-trained anomaly detection model, which outputs the global anomaly probability of any target node. The anomaly detection model is trained based on historical normal operation behavior data. The global anomaly probability represents the degree to which the aggregated features of any target node deviate from normal operation behavior.
[0032] The threat score of any target node is determined based on the local feature deviation and the global anomaly probability.
[0033] This application proposes a dual-dimensional threat scoring mechanism to comprehensively evaluate the degree of anomalousness in node behavior. First, spatiotemporal graph calculation is performed on the changing subgraph, fusing the spatial neighborhood features and time-series features of the node. Then, a neighbor aggregation operation is performed to make the contributions of important neighbors (high-connectivity neighbor nodes) to the node's aggregation features more prominent, better reflecting the influence distribution of key nodes in real networks. The threat score is jointly determined by the local feature deviation and the global anomaly probability: the former reflects the difference between the node and its direct neighbors, while the latter measures the degree to which the node's overall behavior deviates from the normal pattern. This dual-dimensional threat scoring mechanism improves the detection capability of highly covert APT attacks (such as low-frequency lateral movement) and helps reduce the false positive rate.
[0034] In one possible implementation, the operation of extracting the high-risk node from the security data includes:
[0035] Extract the operational behaviors that trigger the changes of the high-risk nodes from the multi-source security data corresponding to the current time window;
[0036] The operational behavior consists of a subject, an action, and an object.
[0037] In this application embodiment, a method for reverse tracing operational behavior from high-risk nodes is proposed to provide input for subsequent attack chain reconstruction. Specifically, the method parses the triple information (subject < action> object) constituting the operational behavior from security data associated with threat nodes, such as "process A created file B".
[0038] In one possible implementation, the system of preset attack tactics determines the tactical phase to which the operation belongs and generates a corresponding security event, including:
[0039] The operational behavior is converted into a behavior description vector and input into a pre-trained tactical classification model to obtain the classification probability vector of the operational behavior in each tactical stage under the preset attack tactical system.
[0040] Based on the classification probability vector, the tactical stage with the highest probability is determined as the tactical stage to which the operation belongs;
[0041] The timestamp of the operation, the description vector of the operation, and the tactical stage label corresponding to the tactical stage to which the operation belongs are combined to form the security event corresponding to the operation.
[0042] In this embodiment, a pre-trained tactical classification model is used to determine the tactical stage to which an operational behavior belongs, achieving automated and accurate mapping from operational behavior to tactical intent. This method vectorizes the operational behavior and inputs it into a pre-trained tactical classification model (e.g., a deep neural network trained based on historical APT attack data and ATT&CK tactical tags), outputting a classification probability vector for each tactical stage of the operational behavior within a preset attack tactical framework (e.g., $V_{intent}=(p_{reconnaissance}, p_{resource development}, ..., p_{impact})^T$). Finally, the tag corresponding to the tactical stage with the highest probability is selected and encapsulated together with a timestamp and behavior description vector into a security event corresponding to the operational behavior. This helps provide a high-quality, interpretable input foundation for subsequent causal reasoning and attack chain reconstruction.
[0043] In one possible implementation, the time interval between any two security events, tactical intent... Figure 1 Consistency and tactical phase coherence, determining the causal correlation degree of any two security events forming a security event pair, including:
[0044] The security events are combined in pairs to form security event pairs;
[0045] For any two security events in any of the aforementioned security event pairs, perform the following steps:
[0046] Based on the time interval between the occurrence times of the two security events, determine the time correlation score of any security event pair;
[0047] Based on whether the tactical phase labels of the two security events are consistent, the tactical intent of any security event pair is determined. Figure 1 Consistency score;
[0048] Based on the degree of conformity between the tactical transition sequence corresponding to the two security events and the preset tactical phase evolution path, the tactical phase coherence score of any security event pair is determined; the tactical transition sequence follows the chronological order of the security events.
[0049] Based on the time-related score and the tactical intent Figure 1 The causal correlation degree of any security event pair is obtained by combining the consistency score and the tactical phase coherence score.
[0050] In this embodiment, causal correlation is used to evaluate the logical relationship between security events. This is achieved through time interval scores (shorter intervals result in higher scores) and tactical intent... Figure 1The joint assessment of the causal relationship between security events using three dimensions—consistency score (measures whether two events serve the same attack target; higher scores for identical labels) and tactical phase coherence score (higher scores for conforming to the evolutionary logic of typical tactical phase evolution paths)—can effectively distinguish between real attack chains and accidental concurrent behaviors, improve the accuracy of security event correlation analysis, and provide a high-quality, interpretable input basis for attack chain reconstruction.
[0051] In one possible implementation, determining the attack path based on at least one candidate attack path in the event-directed graph with a cumulative edge weight higher than a preset value includes:
[0052] Based on the graph search algorithm, at least one path with a cumulative edge weight higher than a preset value is searched in the directed graph of the event and used as a candidate attack path.
[0053] For any candidate attack path among the candidate attack paths, based on a pre-trained Bayesian network, the predicted probability that any candidate attack path is a real attack chain is output; the Bayesian network is trained based on historical APT attack chains;
[0054] Tactical phase labels are extracted from each security event in any candidate attack path to form a tactical phase sequence arranged in chronological order. The transition probability between adjacent tactical phase labels in the tactical phase sequence is determined based on a tactical transition matrix, thus determining the tactical sequence coherence score of any candidate attack path. The tactical transition matrix includes tactical transition probabilities extracted from historical APT attack chains, where each tactical transition probability represents the probability of transitioning from one tactical phase to another. The tactical sequence coherence score is the product of the transition probabilities between adjacent tactical phase labels in the tactical phase sequence.
[0055] The credibility of any candidate attack path is determined based on the cumulative edge weight, the predicted probability, and the tactical sequence coherence score.
[0056] An attack path is determined based on the credibility of each candidate attack path.
[0057] In this application, a multi-evidence fusion attack path credibility assessment and selection strategy is proposed to filter out the most likely true attack path from candidate attack paths. Specifically, the cumulative edge weights reflect the causal strength between events; a Bayesian network integrates historical attack pattern knowledge to output the probability that the overall path constitutes an attack chain; and a tactical sequence coherence score quantifies the rationality of the path in tactical evolution logic. This strategy improves the accuracy and robustness of attack chain identification.
[0058] Secondly, this application provides an APT attack detection device, the device comprising:
[0059] The spatiotemporal graph update module is used to construct and dynamically update a spatiotemporal graph based on the acquired multi-source security data. In the spatiotemporal graph, nodes represent entities and edges represent the relationships between entities.
[0060] The local subgraph extraction module is used to identify change nodes in the spatiotemporal graph after each acquisition of multi-source security data, and to extract the change subgraphs affected by the change nodes in the spatiotemporal graph.
[0061] The node threat scoring determination module is used to perform spatiotemporal graph neural network calculations on the nodes in the changed subgraph and determine the threat scores of the nodes in the changed subgraph based on the calculated spatiotemporal fusion features.
[0062] The operation behavior extraction module is used to filter out high-risk nodes whose threat scores exceed a preset threshold, and extract the operation behaviors of the high-risk nodes from the multi-source security data.
[0063] The security event construction module is used to determine the tactical stage to which the operation belongs based on a preset attack tactical system, and to generate a corresponding security event; wherein, the security event includes the timestamp of the operation, the behavior description vector, and the tactical stage label;
[0064] The causal correlation determination module is used to determine the causal correlation degree based on the time interval between any two security events and tactical intent. Figure 1 Consistency and tactical phase coherence are used to determine the causal correlation degree of any two security events forming a security event pair;
[0065] The event-directed graph construction module is used to map the security events and the causal correlation degree to nodes and edges of the event-directed graph, respectively.
[0066] The attack path determination module is used to determine the attack path based on at least one candidate attack path whose cumulative edge weight in the event directed graph is higher than a preset value.
[0067] Thirdly, embodiments of this application provide an apparatus including at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform any of the APT attack detection methods provided in the first aspect of this application.
[0068] Fourthly, embodiments of this application also provide a computer-readable storage medium storing a computer program that, when executed by a processor, enables a terminal device to perform the APT attack detection method as described in any of the first aspects of this application.
[0069] The technical effects brought about by the second to fourth aspects and any one of their implementation methods can be referred to the technical effects brought about by the corresponding implementation methods in the first aspect, and will not be repeated here.
[0070] Other features and advantages of the invention will be set forth in the description which follows, and will be apparent in part from the description, or may be learned by practicing the invention. The objects and other advantages of the invention may be realized and obtained by means of the structures particularly pointed out in the written description, claims, and drawings. Attached Figure Description
[0071] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the embodiments of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0072] Figure 1 A flowchart of an APT attack detection method provided in this application embodiment;
[0073] Figure 2 This is a schematic diagram of the overall architecture of the attack detection system provided in the embodiments of this application;
[0074] Figure 3 A schematic diagram of an APT attack detection device provided in an embodiment of this application;
[0075] Figure 4 This is a schematic diagram of an APT attack detection device provided in an embodiment of this application. Detailed Implementation
[0076] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without creative effort are within the scope of protection of this application.
[0077] The following explanations of some terms used in the embodiments of this application are provided to facilitate understanding by those skilled in the art.
[0078] (1) Spatial-Temporal Graph Neural Network (STGNN): A deep learning model that combines graph neural networks (GNN) and time series analysis. It can process data in both spatial and temporal dimensions and is suitable for modeling and predicting dynamic systems.
[0079] (2) ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework that systematically classifies attack behaviors. It aims to systematically organize and describe the various strategies, techniques, and procedures used by network attackers in the attack lifecycle, including 14 tactical phases (reconnaissance, resource exploitation, initial access, execution, persistence, privilege escalation, defense evasion, credential acquisition, discovery, lateral movement, collection, command and control, data breach, and impact). Each tactical phase includes multiple techniques.
[0080] Unless otherwise defined, the technical or scientific terms used in this invention shall have the ordinary meaning as understood by one of ordinary skill in the art to which this invention pertains.
[0081] The terms "first," "second," and similar terms used in this invention do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as "comprising" or "including" mean that the element or object preceding the term encompasses the elements or objects listed following the term and their equivalents, without excluding other elements or objects. The term "module" refers to any known or subsequently developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and / or software code capable of performing the functions associated with that element.
[0082] It should be noted that the brief descriptions of terms in this application are only for the convenience of understanding the embodiments described below, and are not intended to limit the embodiments of this application. Unless otherwise stated, these terms should be understood in their ordinary and common meaning.
[0083] Advanced Persistent Threat (APT) is a form of cyberattack characterized by its long duration, stealth, and multi-stage nature.
[0084] In existing technologies, security data is scattered across various heterogeneous data sources at different levels and of different types, such as network traffic, device logs, and threat intelligence. There is a lack of effective automated correlation analysis between security data, making it difficult to achieve deep correlation of cross-domain events, and making it impossible to perceive APT attacks in real time as a whole, thus limiting the ability to trace the source.
[0085] Therefore, there is an urgent need for a more efficient and accurate APT attack detection method to improve the ability to identify and trace APT attacks.
[0086] In view of the above problems, embodiments of this application provide an APT attack detection method, apparatus, and device, which constructs and updates a spatiotemporal graph based on multi-source security data; calculates node threat scores only for the changed subgraphs affected by the changed nodes to identify high-risk nodes; extracts the operational behaviors of high-risk nodes and uses a preset attack tactical system to determine the tactical stage to which the operational behaviors belong, forming security events containing timestamps, behavior description vectors, and tactical stage labels; and analyzes the time interval and tactical intent between any two security events. Figure 1 This application achieves real-time, accurate detection and automated attack chain reconstruction of APT attacks by considering consistency and tactical phase coherence; mapping security events and causal relationships to nodes and edges in a directed event graph; and identifying attack paths from candidate attack paths with high accumulated edge weights in the directed event graph.
[0087] The specific embodiments of the present invention will now be described with reference to the accompanying drawings.
[0088] It should be noted that the following scenarios are for illustrative purposes only and are not intended to limit the scope of this application. In actual implementation, the technical solutions provided in the embodiments of this application can be flexibly applied according to actual needs.
[0089] like Figure 1 The diagram shown is a flowchart of an APT attack detection method provided in an embodiment of this application. The method includes the following steps S101-S108.
[0090] Step S101: Based on the acquired multi-source security data, construct and dynamically update a spatiotemporal graph. In the spatiotemporal graph, nodes represent entities, and edges represent the relationships between entities.
[0091] In this embodiment, multi-source security data can be acquired periodically, and entities and their relationships can be extracted from the acquired multi-source security data to construct and dynamically update a spatiotemporal graph. The spatiotemporal graph consists of nodes and edges connecting the nodes, where nodes represent entities (such as IP addresses, processes, and users), and edges represent the relationships between entities (such as network connections and file access).
[0092] In one possible implementation, the above-mentioned construction and dynamic updating of the spatiotemporal graph based on the acquired security data includes the following steps S101a-S101c.
[0093] Step S101a: Obtain multi-source security data by sliding according to the set time window.
[0094] Optionally, this application acquires multi-source security data based on a streaming window (such as a 10-second sliding window). The acquired multi-source security data includes the following four categories: network traffic data, device log data (various logs generated by devices including network security devices, endpoint security devices, hosts, etc.), asset information and vulnerability information, and threat intelligence data.
[0095] Step S101b: Extract entities, entity attribute information corresponding to each entity, and relationships between entities from the multi-source security data of the first time window, and use the entities and relationships as the initial nodes and initial edges of the spatiotemporal graph, and store the entity attribute information as node attribute information in the corresponding initial nodes.
[0096] In this embodiment of the application, after obtaining the multi-source security data of the current time window, data preprocessing is performed to extract entities and the relationships between entities.
[0097] Specifically, data preprocessing involves parsing the data and normalizing entity information.
[0098] Data parsing can extract entity information from multi-source security data. The extracted entity information includes network information (such as source IP, destination IP, port, protocol, timestamp), user information (such as username, user ID, etc.), file information (such as file name, file path, file operation, file hash, etc.), process information (such as process PID, parent process PID, command line, process user, process file path, etc.), registry entity information (such as registry key, registry action, etc.), and vulnerability information (such as vulnerability number, vulnerability level, mitigation measures, vulnerability patch, etc.).
[0099] After extracting the entity information, the entity information is normalized, including IP address normalization (e.g., converting to IPv6 compressed format), path information normalization (e.g., normalization of paths between Linux-like systems and Windows systems), vulnerability information normalization (using standard CVE numbers and CVSS scores), etc., and the normalized entity information is aligned using timestamps based on the NTP protocol.
[0100] In this embodiment of the application, entities and relationships between entities are extracted based on normalized entity information to complete the creation of nodes and edges in the spatiotemporal graph.
[0101] Optionally, the types of nodes in the spatiotemporal graph include three:
[0102] Network entity nodes: such as IP addresses, domain names, URLs, etc.;
[0103] System entity nodes: such as devices, users, processes, registry, services, files, etc.;
[0104] Vulnerable nodes: such as CVE vulnerabilities, configuration weaknesses, etc.
[0105] Optionally, the definition of edge relationships in a spacetime graph can be divided into the following four types:
[0106] Communication relationships: such as network connections between hosts;
[0107] Causal dependencies: such as the temporal dependencies between events, process A creating file B, user operations on the registry, etc.
[0108] Hierarchical relationships: such as user-host, process-host, etc.;
[0109] Exploitation relationship: such as an attack that exploits a specific vulnerability.
[0110] Based on the aforementioned constraints regarding node and edge relationships, a spatiotemporal graph is constructed using multi-source security data within the first time window. For example, when network connection information is encountered, edges representing communication relationships are added; when vulnerability exploitation information is discovered, edges representing exploitation relationships are added. Simultaneously, an initial weight value is assigned when an edge is created. When duplicate edges are encountered (e.g., two nodes interact multiple times), the edge weights are superimposed.
[0111] In some embodiments, when different data sources have conflicting records of the same event, the judgments of the multi-source information are fused in a weighted manner based on the credibility weights predefined for different data sources, thereby determining the more credible judgment.
[0112] For example, if the creation behavior of a certain process is recorded by multiple data sources, but the descriptions differ, the Threat Intelligence Data (TI) reports the process as known malware with a confidence weight of 0.9; while the Asset Information and Vulnerability Information (ASSET) records the process as a critical system process with a confidence weight of 0.8; then when creating a node in the spatiotemporal graph, the malicious label from TI is used as the node attribute information.
[0113] Step S101c: Based on the multi-source security data of subsequent time windows, perform a graph update operation to dynamically update the spatiotemporal graph.
[0114] In this embodiment of the application, the graph update operation includes at least one of the following: adding a node, updating node attribute information, adding an edge, updating edge weights based on the interaction behavior between nodes, updating edge weights using an edge decay model, and deleting edges whose weights are lower than a preset threshold.
[0115] Specifically, in this embodiment, each edge maintains a weight. When a new entity or relationship appears, a corresponding node and edge are created in the spatiotemporal graph, and an initial weight is assigned to the edge. When entity attributes change or new interaction events occur on the edge, the node attribute information is updated, or the edge weight is increased. In particular, the edge weight not only dynamically increases according to the increase in interaction behavior between nodes, but also introduces a decay mechanism. Through the edge weight decay model, outdated and invalid relationships are automatically filtered out, maintaining the timeliness and relevance of the graph structure and improving the quality of graph representation.
[0116] The edge decay model updates edge weights based on the number of security events in the current time window and the time difference between the current time and the edge's most recent weight update. For any edge, the more frequent the interaction between the nodes at both ends of the edge, the fewer the number of security events in the current time window, and the smaller the time difference, the less the edge weight of that edge decays.
[0117] As a feasible implementation, the edge decay model described above updates the weight of each edge based on the following formula:
[0118] q t =q0·e -λada pt(tt last )
[0119] Where, q t λ represents the updated edge weights, q0 represents the initial edge weights; adapt λ represents the adaptive edge decay coefficient; the more security events there are in the current time window, the higher the λ value. adapt The larger; t represents the current time, t last This indicates the time of the edge's most recent update.
[0120] Specifically, when an edge is associated with a new interaction event, t is updated. last =t.
[0121] Optionally, when the edge weight drops below 30% of its initial value, i.e., q t When the value is less than 0.3q0, the edge is automatically deleted.
[0122] As a feasible implementation method, the adaptive edge attenuation coefficient λ is determined using the following formula. adapt :
[0123] λ adapt =λ base ·(1+sigmoid(β·N))
[0124] Where, λ base β represents the preset base attenuation coefficient; β represents the preset event frequency sensitivity coefficient; N represents the number of security events occurring per unit time within the current time window.
[0125] Optional, λ base =0.05.
[0126] Based on the above formula, it can be understood that the edge decay model will not have a significant impact on active edges within the current window (edges with more interaction events and more weight added before decay is implemented), but it can make the weights of inactive edges decay faster.
[0127] For example, by adjusting the adaptive edge decay coefficient, inactive edges that originally required three windows to be deleted when the system is active can be deleted in just two windows.
[0128] This application utilizes an edge weight decay model, which allows the edge weights of inactive edges to decay naturally over time until they are deleted. On the other hand, the more active the system (the more security events in the current time window), the faster the edge weights of inactive edges decay. This effectively suppresses noise accumulation, highlights current potential threats, and provides an accurate and lightweight data foundation for subsequent subgraph calculations.
[0129] After completing the construction of the spatiotemporal graph, a dynamic spatiotemporal graph neural network is constructed based on the preprocessed multi-source secure data.
[0130] First, feature projection is performed on information from different modalities. These modalities include network traffic data, device log data, asset information, vulnerability information, and threat intelligence data, corresponding to network features (NET), device features (DEV), asset features (ASSET), and threat features (TI).
[0131] M = {net, dev, asset, ti}
[0132] p k =W k f k +b k ,k∈M
[0133] Where M represents the modality set, W k f represents the eigenprojection matrix of the k-mode. k b represents the eigenvector of mode k. k p represents the modal bias vector. k This represents the output of the k-th modality data after feature projection.
[0134] Then, a cross-modal attention mechanism is used to align features from different data sources to obtain the fused output feature h. fusion :
[0135]
[0136] Where, α kThe k-modal attention weights are represented by the following formula:
[0137]
[0138] Among them, W a Let f be the attention parameter matrix. global v is the feature vector of the global graph. T For the attention parameter vector; exp(·) represents the pair of (v) T tanh(W a [f k ||f global Take the index.
[0139] The Spatiotemporal Graph Neural Network (STGNN) model structure includes spatial convolutional layers and temporal recurrent layers. By integrating spatial graph convolution and time series modeling capabilities, it can simultaneously capture the spatial relationships and temporal evolution patterns between nodes.
[0140] For spatial convolutional layers: the goal is to capture spatial dependencies between nodes, such as network access relationships and vulnerability exploitation information.
[0141] For a spatiotemporal graph with X nodes, the input features h(l-1) of node i (from the multimodal fusion layer) are used to output new node features h, which are expressed as:
[0142]
[0143] Where || denotes the concatenation and merging operation of multiple attention; A represents the number of attention heads; σ represents a non-linear activation function (such as ELU); X(i) represents the set of neighbors of node i; W a The weight matrix represents the attention head a; This represents the attention weight of node j to node i in the a-th attention head.
[0144] For temporal convolutional layers: gated temporal convolution is used, which combines causal convolution and gating mechanism. The goal is to model the time-series features of each node and capture dynamic patterns, such as the evolution of attack behavior.
[0145] The feature sequence of node i over a period of time The new sequence is represented as Z. i :
[0146] F i =tanh(Θ) f *H i )
[0147] G i =σ(Θ) g *H i )
[0148] Z i =F i ⊙G i
[0149] Where * denotes a one-dimensional causal convolution operation; Θ f and Θ g σ represents the filter convolution kernel parameters and the gated convolution kernel parameters, respectively; σ represents the Sigmoid activation function; ⊙ represents element-wise multiplication.
[0150] For the spatiotemporal attention fusion layer: Based on the attention mechanism, the weights of the spatial and temporal features of each node at different times are automatically learned. The goal is to adaptively fuse features from spatial graph convolution (modeling spatial dependencies) and temporal convolution (modeling temporal dynamics).
[0151] The spatiotemporal fusion feature vector of node i is The calculation method is as follows:
[0152]
[0153] in, This represents the spatial characteristics of node i at time t; This represents the temporal characteristics of node i at time t; W represents the spatial feature weights; sp and W tp These represent the spatial and temporal learning weight vectors, respectively.
[0154] Step S102: After acquiring multi-source security data each time, identify the change nodes in the spatiotemporal graph and extract the change subgraph affected by the change nodes in the spatiotemporal graph.
[0155] As can be seen from the foregoing embodiments, after each acquisition and preprocessing of multi-source security data, a graph update operation is performed to dynamically update the spatiotemporal graph. When a graph structure change occurs (node update, adjacency update, addition of new nodes), it is necessary to determine which nodes and edges will be affected, thereby extracting the affected changed subgraph.
[0156] In one possible implementation, step S102 above includes:
[0157] Step S102a: After the graph update operation in the current time window is completed, the newly added nodes, the nodes whose node attribute information has been updated, and the nodes whose edge weights have been updated according to the interaction behavior between nodes in the spatiotemporal graph are regarded as changed nodes.
[0158] Step S102b: For any changed node among the changed nodes, calculate the dynamic propagation radius based on the degree of the changed node, the network load and the average degree of the whole graph, and extract all nodes within the dynamic propagation radius in the spatiotemporal graph to form a change subgraph affected by the changed node.
[0159] Among them, the higher the degree of any changed node compared to the average degree of the entire graph, the smaller the network load and the larger the dynamic propagation radius.
[0160] As a feasible implementation method, the above dynamic propagation radius is calculated using the following formula:
[0161]
[0162] Where, r i The dynamic propagation radius of node i is represented by d; the average degree of the entire graph is represented by d; degree(i) represents the degree of node i; δ represents the load adaptation factor, which decreases as the network load increases; R base R represents the predefined base radius. max R represents the predefined maximum radius. base <R max ; This represents the floor function, ensuring that r i It is an integer.
[0163] Optional, δ∈[1.0,1.5]; R base ≥2. In some embodiments, R is taken as... base Given 3, take R. max It is 6.
[0164] In some embodiments, this application performs region fusion and optimization on the extracted multiple variation sub-graphs based on methods such as overlapping region merging, small-spacing region gap filling, and graph shape optimization, and outputs the optimized variation sub-graph.
[0165] This application proposes a method for extracting changing subgraphs based on dynamic propagation radius, which adaptively adjusts the graph computation range. Specifically, when calculating the dynamic propagation radius for each changed node, the importance (degree) of the node itself and the current network load of the system are comprehensively considered. Changes in important nodes have a wider impact, so a larger dynamic propagation radius is assigned; when the system is under high load, the radius is reduced to decrease computational overhead. This application, through this method for extracting changing subgraphs based on dynamic propagation radius, ensures that the inference computation of the spatiotemporal graph always focuses on the core region of system state changes, reducing computational complexity from the full graph level to the subgraph level while maintaining detection accuracy.
[0166] Step S103: Perform spatiotemporal graph neural network calculations on the nodes within the changed subgraph, and determine the threat score of the nodes within the changed subgraph based on the calculated spatiotemporal fusion features.
[0167] In one possible implementation, step S103 above includes performing the following steps S103a-S103e for any target node within the changed subgraph:
[0168] Step S103a: Based on the multi-source security data of the current time window, perform spatial convolution and temporal convolution calculations on any target node to obtain the spatiotemporal fusion feature vector of any target node.
[0169] Step S103b: Perform a neighbor aggregation operation on any target node to obtain the aggregated features of any target node; wherein the neighbor aggregation operation includes calculating a weighted average of the spatiotemporal fusion feature vectors of the neighbor nodes using the degree of the neighbor nodes of any target node as the weight.
[0170] In the embodiments of this application, a node's neighboring node refers to a node that is connected to the node by an edge.
[0171] In one possible implementation, the neighbor aggregation operation is based on the following formula:
[0172]
[0173] Where AggValue(i) represents the aggregated feature of node i; X(i) represents the set of neighboring nodes of node i; degree(u) represents the degree of node u; and h(u) represents the spatiotemporal fusion feature vector of node u.
[0174] The above formula is used to calculate the aggregation characteristics of node i because attackers usually target critical nodes with high connectivity. Neighbor aggregation can amplify and spread the abnormal behavior of critical nodes quickly, triggering the threat score to rise earlier and more significantly, thereby accelerating the discovery of the attack chain.
[0175] Step S103c: Determine the local feature deviation of any target node based on the Euclidean distance between the aggregated features of any target node and the mean aggregated features of its neighboring nodes.
[0176] Step S103d: Input the aggregated features of any target node into the pre-trained anomaly detection model and output the global anomaly probability of any target node.
[0177] The anomaly detection model is trained based on historical normal operation data; the global anomaly probability characterizes the degree to which the aggregated features of any target node deviate from normal operation behavior.
[0178] Step S103e: Determine the threat score of any target node based on the local feature deviation and the global anomaly probability.
[0179] Optionally, the local feature deviation and the global anomaly probability are multiplied, and the result of the product, which is the threat score of the node, is then mapped to the [0,1] interval through nonlinear scaling to obtain a standardized threat score.
[0180] For example, the threat score of a node is determined using the following formula:
[0181]
[0182] Among them, s i Let AggValue(i) represent the overall score of node i; let AggValue(i) represent the aggregated feature of node i; let μX(i) represent the mean of the aggregated features of neighboring nodes; let ||AggValue(i)-μX(i)||2 represent the Euclidean distance between the aggregated feature of node i and μX(i), i.e. the local feature deviation. Represents the anomaly detection weight vector; σ represents
[0183] Sigmoid activation function This represents the global anomaly probability. The anomaly detection model is a three-layer deep autoencoder, trained based on historical normal behavior data.
[0184] In some embodiments, to further enhance the context-awareness and temporal continuity recognition capabilities of the detection, after calculating the threat score of each target node within the changing subgraph, the embodiments of this application also introduce the following mechanism:
[0185] Mechanism 1, Context Awareness Enhancement: Threat scores for one-hop neighbors of high-risk nodes are enhanced, with the enhancement magnitude being positively correlated with their connection strength; anomaly weights are adaptively increased based on node type (such as critical servers).
[0186] Mechanism 2, Time Persistence Analysis: Establish node-level time-series threat records and mark nodes whose threat scores exceed the threshold for multiple consecutive periods; for nodes whose threat scores return to normal in a short period of time, retain historical abnormal memories, and new abnormalities can activate historical records to form a cumulative effect.
[0187] By combining localized graph computation, context-aware enhancement, and temporal persistence analysis, this approach helps to address the problems of high latency in full-graph inference, poor adaptability of static models, and easy false negatives in single-point detection in traditional methods, thereby improving the efficiency, accuracy, and real-time detection capabilities against APT attacks.
[0188] This application proposes a dual-dimensional threat scoring mechanism to comprehensively evaluate the degree of anomalousness in node behavior. The model first performs spatiotemporal graph computation on the changing subgraph, fusing the spatial neighborhood features and time-series features of the nodes. Subsequently, a neighbor aggregation operation is performed to make the contributions of important neighbors (high-connectivity neighbor nodes) to the node's aggregation features more prominent, better reflecting the influence distribution of key nodes in real networks. The threat score is jointly determined by the local feature deviation and the global anomaly probability: the former reflects the difference between the node and its direct neighbors, while the latter measures the degree to which the node's overall behavior deviates from the normal pattern. This dual-dimensional threat scoring mechanism improves the detection capability of covert attacks (such as low-frequency lateral movement) and helps reduce the false positive rate.
[0189] Step S104: Filter out high-risk nodes whose threat scores exceed a preset threshold, and extract the operational behaviors of high-risk nodes from multi-source security data.
[0190] As a feasible implementation method, extracting the operational behaviors of high-risk nodes from security data includes:
[0191] Extract the operational behaviors that trigger changes to the high-risk nodes from the multi-source security data corresponding to the current time window; wherein, the operational behaviors consist of a subject, an action, and an object.
[0192] In this application embodiment, a method for reverse tracing operational behavior from high-risk nodes is proposed to provide input for subsequent attack chain reconstruction. Specifically, the triplets (subject < action> object) constituting the operational behavior are parsed from security data associated with threat nodes, such as "process A created file B".
[0193] Step S105: Determine the tactical stage to which the operation belongs based on the preset attack tactical system, and generate the corresponding security event.
[0194] Security events include timestamps of operational actions, behavior description vectors, and tactical phase labels.
[0195] In one possible implementation, step S105 above includes the following steps S105a-S105c:
[0196] Step S105a: Convert the operational behavior into a behavior description vector and input it into a pre-trained tactical classification model to obtain the classification probability vector of the operational behavior in each tactical stage under the preset attack tactical system.
[0197] Step S105b: Based on the classification probability vector, the tactical stage with the highest probability is determined as the tactical stage to which the operation belongs.
[0198] In this embodiment, a pre-trained tactical classification model is used to determine the tactical stage to which an operational behavior belongs, achieving automated and accurate mapping from operational behavior to tactical intent. Specifically, after vectorizing the operational behavior, it is input into a pre-trained tactical classification model (e.g., a deep neural network trained based on historical APT attack data and ATT&CK tactical labels), and outputs a classification probability vector of the operational behavior for each tactical stage under a preset attack tactical system (e.g., $V_{intent}=(p_{reconnaissance},p_{resource development},...,p_{impact})^T$). Finally, the tactical stage with the highest probability is selected as the tactical stage to which the operational behavior belongs.
[0199] Step S105c: Combine the timestamp of the operation, the behavior description vector, and the tactical stage label corresponding to the tactical stage to which the operation belongs to form the security event corresponding to the operation.
[0200] Transforming the operational behaviors corresponding to high-risk nodes into corresponding security events helps provide a high-quality and interpretable input foundation for subsequent causal reasoning and attack chain reconstruction.
[0201] Step S106, based on the time interval between any two security events and tactical intent Figure 1 Consistency and tactical phase coherence determine the causal correlation between any two security events forming a security event pair.
[0202] In one possible implementation, step S106 above includes steps S106a-S106e.
[0203] Step S106a: Combine security events into security event pairs.
[0204] Specifically, a causal relationship matrix M is constructed. For each pair of security events (ei, ej), the element corresponding to the causal relationship matrix is the causal correlation degree M[i][j]. The larger M[i][j] is, the stronger the causal relationship between security event ei and security event ej. It should be noted that if ei occurs later than ej, then M[i][j] is 0.
[0205] For any security event pair and the two security events constituting that security event pair, perform the following steps S106b-S106e:
[0206] Step S106b: Determine the time correlation score of any of the above security event pairs based on the time interval between the occurrence times of the two security events.
[0207] Specifically, for each pair of events (ei, ej), the time interval between the occurrence times of ei and ej is calculated, and the calculated time interval is normalized to obtain the time correlation score of event (ei, ej). Optionally, the function for normalizing the calculated time interval is as follows:
[0208] f(Δt)=e-λΔt
[0209] Where Δt is the time interval between the occurrences of ei and ej, and λ is the decay parameter (adjusted according to the data distribution, for example, λ = 1 / mean(Δt)).
[0210] Step S106c: Based on whether the tactical phase labels of the two security events are consistent, determine the tactical intent of any of the above security event pairs. Figure 1 Consistency score.
[0211] For example, if ei and ej have the same tactical phase label, then the tactical intention... Figure 1 Consistency score = 1; otherwise, 0.
[0212] Step S106d: Based on the degree of conformity between the tactical transfer order corresponding to the two security events and the preset tactical phase evolution path, determine the tactical phase coherence score of any of the above security event pairs; the tactical transfer order follows the chronological order of the security events.
[0213] For example, if the tactical stages of ei and ej are different, and the tactical stage from the tactical stage corresponding to ei to the tactical stage corresponding to ej conforms to the preset tactical stage evolution path, then the tactical stage coherence score = 1; otherwise, it is 0.
[0214] Step S106e, based on time-related scores and tactical intentions Figure 1 The causal correlation between any of the above security event pairs is obtained by combining the consistency score and the tactical phase coherence score.
[0215] For example, time-related scores, tactical intentions Figure 1 The causal correlation degree of any security event pair is obtained by weighting and summing the consistency score and the tactical phase coherence score.
[0216] In this embodiment, causal correlation is used to evaluate the logical relationship between security events. This is achieved through time interval scores (shorter intervals result in higher scores) and tactical intent... Figure 1 The joint assessment of the causal relationship between security events using three dimensions—consistency score (measures whether two events serve the same attack target; higher scores for identical labels) and tactical phase coherence score (higher scores for evolutionary logic that conforms to typical tactical phase evolution paths)—can effectively distinguish between real attack chains and accidental concurrent behaviors, improve the accuracy of security event correlation analysis, and provide a high-quality, interpretable input basis for attack chain reconstruction.
[0217] Step S107: Map security events and causal correlation degrees to nodes and edges of a directed event graph, respectively.
[0218] Step S108: Determine the attack path based on at least one candidate attack path whose cumulative edge weight in the event directed graph is higher than a preset value.
[0219] In one possible implementation, step S108 above includes steps S108a-S108e.
[0220] Step S108a: Based on the graph search algorithm, at least one path with a cumulative edge weight higher than a preset value is searched in the directed graph of events as a candidate attack path.
[0221] Step S108b: For any candidate attack path among the candidate attack paths, based on the pre-trained Bayesian network, output the predicted probability that any candidate attack path is a real attack chain.
[0222] Among them, the Bayesian network is trained based on historical APT attack links and can predict the probability that the attack path is the real attack chain.
[0223] Step S108c: Extract the tactical phase labels of each security event in any candidate attack path to form a tactical phase sequence arranged in chronological order, and determine the transition probability between adjacent tactical phase labels in the tactical phase sequence based on the tactical transition matrix to determine the tactical sequence coherence score of any candidate attack path.
[0224] The tactical transition matrix includes tactical transition probabilities extracted from historical APT attack chains. The tactical transition probability represents the probability of transitioning from one tactical stage to another. The tactical sequence coherence score is the product of the transition probabilities between adjacent tactical stage labels in the tactical stage sequence.
[0225] Step S108d: Based on the cumulative edge weights, predicted probabilities, and tactical sequence coherence scores, determine the credibility of any candidate attack path.
[0226] Step S108e: Determine the attack path based on the credibility of each candidate attack path.
[0227] Specifically, a graph search algorithm is first used to identify preliminary candidate paths. Then, instead of simply selecting the path with the highest cumulative weight, a Bayesian network and a tactical transition matrix are introduced as additional validation evidence to calculate the predicted probability and tactical sequence coherence score of each candidate path. Finally, the credibility of each candidate attack path is determined by combining the cumulative edge weight, predicted probability, and tactical sequence coherence score, and the candidate attack path with the highest credibility is selected as the output attack path. This cross-validation mechanism minimizes the limitations of single-path search algorithms (such as A*) or the interference of statistical noise, enabling the selection of the most interpretable attack chain from multiple possible paths, which best aligns with historical experience, tactical logic, and real-time evidence.
[0228] For example, the cumulative edge weights, predicted probabilities, and tactical sequence coherence scores are used as input evidence sources for the DS evidence theory to determine the credibility of each candidate attack path.
[0229] In this application, a multi-evidence fusion attack path credibility assessment and selection strategy is proposed to filter out the most likely true attack path from candidate attack paths. Specifically, the cumulative edge weights reflect the causal strength between events; a Bayesian network integrates historical attack pattern knowledge to output the probability that the overall path constitutes an attack chain; and a tactical sequence coherence score quantifies the rationality of the path in tactical evolution logic. This strategy improves the accuracy and robustness of attack chain identification.
[0230] In some embodiments, after determining the attack path, the attack path is also converted into an executable defense action according to a preset defense strategy.
[0231] Specifically, when determining the tactical stage of an operation based on a pre-defined attack tactical system, the technical ID (such as the ATT&CK technical ID) of the operation can also be determined. This allows for the identification of the technical IDs corresponding to various security events along a defined attack path.
[0232] Therefore, after determining the attack path, the corresponding defensive action is searched in a pre-established mapping table of technical IDs and defensive actions, and the execution order of the defensive actions is determined based on a predefined priority principle of the defensive strategy. For example, blocking is prioritized, meaning that ongoing attack phases are blocked first; suppression is secondary, meaning that damage control is implemented for completed phases; and prevention is fundamental, predicting and preventing the next attack point. The optimal sequence of defensive actions is generated and executed according to the priority.
[0233] In some embodiments, after executing the defense actions corresponding to the optimal defense action sequence, the defense results are also tracked and processed based on a preset closed-loop feedback mechanism. Specifically, after executing the defense action, the behavior changes of the changed nodes are collected in real time, and the effect of the strategy is tracked through monitoring indicators (such as the target node traffic change rate after blocking, process activity, network connectivity reachability, etc.), and related feedback actions are executed (such as: if the anomaly persists: increase the threat score weight of the node by 30%; if the associated anomaly returns to zero within 60 seconds after blocking, the weight of the corresponding edge in the graph is forcibly decayed to 0, etc.).
[0234] like Figure 2 The diagram shown illustrates the overall architecture of the attack detection method provided in this application embodiment. It includes a data acquisition and preprocessing layer, a spatiotemporal graph neural network construction layer, an incremental inference layer, an attack chain reconstruction layer, and a policy generation and response layer.
[0235] The data acquisition layer and preprocessing layer are responsible for collecting multi-source security data from multiple sources, including network traffic, device logs (including network security devices, endpoint security devices, hosts, etc.), asset information and vulnerability information, and threat intelligence, and for parsing and normalizing entity information of the collected data.
[0236] A spatiotemporal graph neural network construction layer is used to construct and dynamically update graph structures based on preprocessed multi-source secure data.
[0237] The incremental reasoning layer is used to extract changed subgraphs based on changes in the graph structure, perform reasoning calculations on the changed subgraphs, obtain threat scores for nodes within the changed subgraphs, and identify high-risk nodes.
[0238] The attack chain reconstruction layer is used to extract the operational behaviors corresponding to high-risk nodes, and reconstruct the attack chain that conforms to the APT attack lifecycle through causal relationship modeling, critical path retrieval and tactical phase coherence verification mechanisms, and predict the next possible attack action.
[0239] The strategy generation and response layer is used to transform attack paths into executable defense actions based on preset defense strategies. After executing the defense actions, it monitors the behavior changes of affected nodes in real time, tracks the effect of the strategy, and makes necessary adjustments and optimizations, forming a closed-loop protection system of "detection-response-feedback".
[0240] Based on the same inventive concept, embodiments of this application also provide an APT attack detection device, such as... Figure 3 As shown, the device includes:
[0241] The spatiotemporal graph update module 301 is used to construct and dynamically update a spatiotemporal graph based on the acquired multi-source security data. In the spatiotemporal graph, nodes represent entities and edges represent the relationships between entities.
[0242] The local subgraph extraction module 302 is used to identify the change nodes in the spatiotemporal graph after each acquisition of multi-source security data, and extract the change subgraphs affected by the change nodes in the spatiotemporal graph.
[0243] The node threat score determination module 303 is used to perform spatiotemporal graph neural network calculations on the nodes in the changed subgraph and determine the threat score of the nodes in the changed subgraph based on the calculated spatiotemporal fusion features.
[0244] The operation behavior extraction module 304 is used to filter out high-risk nodes whose threat scores exceed a preset threshold, and extract the operation behavior of the high-risk nodes from the multi-source security data.
[0245] The security event construction module 305 is used to determine the tactical stage to which the operation belongs based on a preset attack tactical system, and to form a corresponding security event; wherein, the security event includes the timestamp of the operation, the behavior description vector, and the tactical stage label;
[0246] The causal correlation determination module 306 is used to determine the causal correlation degree based on the time interval between any two security events and tactical intent. Figure 1 Consistency and tactical phase coherence are used to determine the causal correlation degree of any two security events forming a security event pair;
[0247] The event-directed graph construction module 307 is used to map the security event and the causal correlation degree to nodes and edges of the event-directed graph, respectively.
[0248] The attack path determination module 308 is used to determine the attack path based on at least one candidate attack path whose cumulative edge weight in the event directed graph is higher than a preset value.
[0249] As one feasible implementation, the spatiotemporal graph update module 301 is specifically used for:
[0250] Acquire multi-source security data by sliding within a set time window;
[0251] Entities, entity attribute information corresponding to each entity, and association relationships between entities are extracted from the multi-source security data in the first time window. The entities and the association relationships are used as the initial nodes and initial edges of the spatiotemporal graph, and the entity attribute information is stored as node attribute information in the corresponding initial nodes.
[0252] Based on multi-source security data in subsequent time windows, a graph update operation is performed to dynamically update the spatiotemporal graph; the graph update operation includes at least one of the following: adding nodes, updating node attribute information, adding edges, updating edge weights according to the interaction behavior between nodes, updating edge weights using an edge decay model, and deleting edges whose weights are lower than a preset threshold.
[0253] The edge decay model updates edge weights based on the number of security events in the current time window and the time difference between the current time and the edge's most recent weight update. For any edge, the more frequent the interaction between the nodes at both ends of the edge, the fewer the number of security events in the current time window, the smaller the time difference, and the less the edge weight decays.
[0254] As one possible implementation, the local subgraph extraction module 302 is specifically used for:
[0255] After the graph update operation in the current time window is completed, the newly added nodes, the nodes whose node attribute information has been updated, and the nodes whose edge weights have been updated according to the interaction behavior between nodes in the spatiotemporal graph are regarded as the changed nodes.
[0256] For any of the changed nodes, the dynamic propagation radius is calculated based on the degree of the changed node, the network load, and the average degree of the entire graph. All nodes within the dynamic propagation radius are extracted in the spatiotemporal graph to form a change subgraph affected by the changed node.
[0257] The higher the degree of any changed node compared to the average degree of the entire graph, the lower the network load, and the larger the dynamic propagation radius.
[0258] As a feasible implementation, the node threat scoring and determination module 303 is specifically used for:
[0259] For any target node within the changed subgraph, perform the following operations:
[0260] Based on the multi-source security data of the current time window, spatial convolution and temporal convolution are performed on any target node to obtain the spatiotemporal fusion feature vector of any target node;
[0261] Perform a neighbor aggregation operation on any target node to obtain the aggregated features of the target node; wherein the neighbor aggregation operation includes calculating a weighted average of the spatiotemporal fusion feature vectors of the neighbor nodes using the degree of the neighbor nodes of the target node as the weight.
[0262] Based on the Euclidean distance between the aggregated features of any target node and the mean aggregated features of its neighboring nodes, the local feature deviation of any target node is determined.
[0263] The aggregated features of any target node are input into a pre-trained anomaly detection model, which outputs the global anomaly probability of any target node. The anomaly detection model is trained based on historical normal operation behavior data. The global anomaly probability represents the degree to which the aggregated features of any target node deviate from normal operation behavior.
[0264] The threat score of any target node is determined based on the local feature deviation and the global anomaly probability.
[0265] As one feasible implementation, the operation behavior extraction module 304 is specifically used for:
[0266] Extract the operational behaviors that trigger the changes of the high-risk nodes from the multi-source security data corresponding to the current time window;
[0267] The operational behavior consists of a subject, an action, and an object.
[0268] As one possible implementation, the security event construction module 305 is specifically used for:
[0269] The operational behavior is converted into a behavior description vector and input into a pre-trained tactical classification model to obtain the classification probability vector of the operational behavior in each tactical stage under the preset attack tactical system.
[0270] Based on the classification probability vector, the tactical stage with the highest probability is determined as the tactical stage to which the operation belongs;
[0271] The timestamp of the operation, the description vector of the operation, and the tactical stage label corresponding to the tactical stage to which the operation belongs are combined to form the security event corresponding to the operation.
[0272] As a feasible implementation method, the causal correlation determination module 306 is specifically used for:
[0273] The security events are combined in pairs to form security event pairs;
[0274] For any two security events in any of the aforementioned security event pairs, perform the following steps:
[0275] Based on the time interval between the occurrence times of the two security events, determine the time correlation score of any security event pair;
[0276] Based on whether the tactical phase labels of the two security events are consistent, the tactical intent of any security event pair is determined. Figure 1 Consistency score;
[0277] Based on the degree of conformity between the tactical transition sequence corresponding to the two security events and the preset tactical phase evolution path, the tactical phase coherence score of any security event pair is determined; the tactical transition sequence follows the chronological order of the security events.
[0278] Based on the time-related score and the tactical intent Figure 1 The causal correlation degree of any security event pair is obtained by combining the consistency score and the tactical phase coherence score.
[0279] As a feasible implementation method, the attack path determination module 308 is specifically used for:
[0280] Based on the graph search algorithm, at least one path with a cumulative edge weight higher than a preset value is searched in the directed graph of the event and used as a candidate attack path.
[0281] For any candidate attack path among the candidate attack paths, based on a pre-trained Bayesian network, the predicted probability that any candidate attack path is a real attack chain is output; the Bayesian network is trained based on historical APT attack chains;
[0282] Tactical phase labels are extracted from each security event in any candidate attack path to form a tactical phase sequence arranged in chronological order. The transition probability between adjacent tactical phase labels in the tactical phase sequence is determined based on a tactical transition matrix, thus determining the tactical sequence coherence score of any candidate attack path. The tactical transition matrix includes tactical transition probabilities extracted from historical APT attack chains, where each tactical transition probability represents the probability of transitioning from one tactical phase to another. The tactical sequence coherence score is the product of the transition probabilities between adjacent tactical phase labels in the tactical phase sequence.
[0283] The credibility of any candidate attack path is determined based on the cumulative edge weight, the predicted probability, and the tactical sequence coherence score.
[0284] An attack path is determined based on the credibility of each candidate attack path.
[0285] Based on the same inventive concept, this application also provides an APT attack detection device 400, such as... Figure 4 As shown, it includes at least one processor 402; and a memory 401 communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the above-described APT attack detection method.
[0286] Memory 401 is used to store programs. Specifically, the program may include program code, which includes computer operation instructions. Memory 401 may be volatile memory, such as random-access memory (RAM); it may also be non-volatile memory, such as flash memory, hard disk drive (HDD), or solid-state drive (SSD); or it may be any one or a combination of the above-mentioned volatile and non-volatile memory types.
[0287] Processor 402 can be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. It can also be a hardware chip. The aforementioned hardware chip can be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The aforementioned PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
[0288] This invention also provides a computer-readable storage medium including instructions that, when executed on a computer, cause the computer to perform the APT attack detection method provided in the above embodiments.
[0289] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the above-described device and module can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.
[0290] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatus and methods can be implemented in other ways.
[0291] For example, the device embodiments described above are merely illustrative. For instance, the division of modules is only a logical functional division; in actual implementation, there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual couplings, direct couplings, or communication connections may be through some interfaces; indirect couplings or communication connections between devices or modules may be electrical, mechanical, or other forms.
[0292] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.
[0293] Furthermore, the functional modules in the various embodiments of this application can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module. The integrated module can be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium.
[0294] In the above embodiments, the implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, in the form of a computer program product.
[0295] The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any available medium that a computer can store or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid-state disk (SSD)).
[0296] The technical solutions provided in this application have been described in detail above. Specific examples have been used in this application to illustrate the principles and implementation methods of this application. The description of the above embodiments is only for the purpose of helping to understand the method and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.
[0297] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0298] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, as well as combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions.
[0299] These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions, which are executable by the processor of the computer or other programmable data processing device, produce instructions for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0300] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0301] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0302] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. An APT attack detection method, characterized in that, include: Based on the acquired multi-source security data, a spatiotemporal graph is constructed and dynamically updated. In the spatiotemporal graph, nodes represent entities and edges represent the relationships between entities. After acquiring multi-source security data each time, identify the change nodes in the spatiotemporal graph, and extract the change subgraphs affected by the change nodes in the spatiotemporal graph. Spatiotemporal graph neural network calculations are performed on the nodes within the changed subgraph, and the threat score of the nodes within the changed subgraph is determined based on the calculated spatiotemporal fusion features; High-risk nodes with threat scores exceeding a preset threshold are identified, and the operational behaviors of these high-risk nodes are extracted from the multi-source security data. Based on a pre-defined attack tactical system, the tactical phase to which the operation belongs is determined, and a corresponding security event is generated; wherein, the security event includes a timestamp of the operation, a behavior description vector, and a tactical phase label; Based on the time interval, consistency of tactical intent, and coherence of tactical phases of any two security events, determine the causal correlation degree of the security event pair consisting of any two security events. The security events and the causal correlation are mapped to nodes and edges of a directed event graph, respectively. An attack path is determined based on at least one candidate attack path in the directed graph of the event where the cumulative edge weight is higher than a preset value.
2. The method according to claim 1, characterized in that, The process of constructing and dynamically updating the spatiotemporal graph based on the acquired security data includes: Acquire multi-source security data by sliding within a set time window; Extract entities, entity attribute information corresponding to each entity, and association relationships between entities from the multi-source security data in the first time window. Use the entities and association relationships as initial nodes and initial edges of the spatiotemporal graph, and store the entity attribute information as node attribute information in the corresponding initial nodes. Based on multi-source security data from subsequent time windows, a graph update operation is performed to dynamically update the spatiotemporal graph. The graph update operation includes at least one of the following: adding nodes, updating node attribute information, adding edges, updating edge weights based on interactions between nodes, updating edge weights using an edge decay model, and deleting edges whose weights are below a preset threshold. The edge decay model updates edge weights based on the number of security events in the current time window and the time difference between the current time and the edge's most recent weight update. For any edge, the more frequent the interactions between the nodes at both ends of the edge, the fewer the number of security events in the current time window, the smaller the time difference, and the less the edge weight decays.
3. The method according to claim 2, characterized in that, Each time multi-source security data is acquired, the change nodes in the spatiotemporal graph are identified, and the changed subgraphs affected by the change nodes are extracted from the spatiotemporal graph, including: After the graph update operation in the current time window is completed, the newly added nodes, the nodes whose node attribute information has been updated, and the nodes whose edge weights have been updated according to the interaction behavior between nodes in the spatiotemporal graph are regarded as the changed nodes. For any of the changed nodes, the dynamic propagation radius is calculated based on the degree of the changed node, the network load, and the average degree of the entire graph. All nodes within the dynamic propagation radius are extracted in the spatiotemporal graph to form a change subgraph affected by the changed node. The higher the degree of any changed node compared to the average degree of the entire graph, the lower the network load, and the larger the dynamic propagation radius.
4. The method according to claim 2, characterized in that, The step of performing spatiotemporal graph neural network calculations on the nodes within the changed subgraph and determining the threat score of the nodes within the changed subgraph based on the calculated spatiotemporal fusion features includes: For any target node within the changed subgraph, perform the following operations: Based on the multi-source security data of the current time window, spatial convolution and temporal convolution are performed on any target node to obtain the spatiotemporal fusion feature vector of any target node; Perform a neighbor aggregation operation on any target node to obtain the aggregated features of the target node; wherein the neighbor aggregation operation includes calculating a weighted average of the spatiotemporal fusion feature vectors of the neighbor nodes using the degree of the neighbor nodes of the target node as the weight. Based on the Euclidean distance between the aggregated features of any target node and the mean aggregated features of its neighboring nodes, the local feature deviation of any target node is determined. The aggregated features of any target node are input into a pre-trained anomaly detection model, which outputs the global anomaly probability of any target node. The anomaly detection model is trained based on historical normal operation behavior data. The global anomaly probability represents the degree to which the aggregated features of any target node deviate from normal operation behavior. The threat score of any target node is determined based on the local feature deviation and the global anomaly probability.
5. The method according to claim 2, characterized in that, The operation of extracting the high-risk node from the security data includes: Extract the operational behaviors that trigger the changes of the high-risk nodes from the multi-source security data corresponding to the current time window; The operational behavior consists of a subject, an action, and an object.
6. The method according to claim 5, characterized in that, The preset attack tactic system determines the tactical phase to which the operation belongs and generates a corresponding security event, including: The operational behavior is converted into a behavior description vector and input into a pre-trained tactical classification model to obtain the classification probability vector of the operational behavior in each tactical stage under the preset attack tactical system. Based on the classification probability vector, the tactical stage with the highest probability is determined as the tactical stage to which the operation belongs; The timestamp of the operation, the description vector of the operation, and the tactical stage label corresponding to the tactical stage to which the operation belongs are combined to form the security event corresponding to the operation.
7. The method according to claim 1, characterized in that, The determination of the causal correlation degree of the security event pair composed of any two security events, based on the time interval, consistency of tactical intent, and coherence of tactical phases, includes: The security events are combined in pairs to form security event pairs; For any two security events in any of the aforementioned security event pairs, perform the following steps: Based on the time interval between the occurrence times of the two security events, determine the time correlation score of any security event pair; Based on whether the tactical phase labels of the two security events are consistent, the tactical intent consistency score of any security event pair is determined. Based on the degree of conformity between the tactical transition sequence corresponding to the two security events and the preset tactical phase evolution path, the tactical phase coherence score of any security event pair is determined; the tactical transition sequence follows the chronological order of the security events. Based on the time correlation score, the tactical intent consistency score, and the tactical phase coherence score, the causal correlation degree of any security event pair is obtained.
8. The method according to claim 7, characterized in that, The determination of the attack path based on at least one candidate attack path in the directed graph of the event with a cumulative edge weight higher than a preset value includes: Based on the graph search algorithm, at least one path with a cumulative edge weight higher than a preset value is searched in the directed graph of the event and used as a candidate attack path. For any candidate attack path among the candidate attack paths, based on a pre-trained Bayesian network, the predicted probability that any candidate attack path is a real attack chain is output; the Bayesian network is trained based on historical APT attack chains; Tactical phase labels are extracted from each security event in any candidate attack path to form a tactical phase sequence arranged in chronological order. The transition probability between adjacent tactical phase labels in the tactical phase sequence is determined based on a tactical transition matrix, thus determining the tactical sequence coherence score of any candidate attack path. The tactical transition matrix includes tactical transition probabilities extracted from historical APT attack chains, where each tactical transition probability represents the probability of transitioning from one tactical phase to another. The tactical sequence coherence score is the product of the transition probabilities between adjacent tactical phase labels in the tactical phase sequence. The credibility of any candidate attack path is determined based on the cumulative edge weight, the predicted probability, and the tactical sequence coherence score. An attack path is determined based on the credibility of each candidate attack path.
9. An APT attack detection device, characterized in that, include: The spatiotemporal graph update module is used to construct and dynamically update a spatiotemporal graph based on the acquired multi-source security data. In the spatiotemporal graph, nodes represent entities and edges represent the relationships between entities. The local subgraph extraction module is used to identify change nodes in the spatiotemporal graph after each acquisition of multi-source security data, and to extract the change subgraphs affected by the change nodes in the spatiotemporal graph. The node threat scoring determination module is used to perform spatiotemporal graph neural network calculations on the nodes in the changed subgraph and determine the threat scores of the nodes in the changed subgraph based on the calculated spatiotemporal fusion features. The operation behavior extraction module is used to filter out high-risk nodes whose threat scores exceed a preset threshold, and extract the operation behaviors of the high-risk nodes from the multi-source security data. The security event construction module is used to determine the tactical stage to which the operation belongs based on a preset attack tactical system, and to generate a corresponding security event; wherein, the security event includes the timestamp of the operation, the behavior description vector, and the tactical stage label; The causal correlation determination module is used to determine the causal correlation of a security event pair consisting of any two security events based on the time interval, consistency of tactical intent, and coherence of tactical phases between any two security events. The event-directed graph construction module is used to map the security events and the causal correlation degree to nodes and edges of the event-directed graph, respectively. The attack path determination module is used to determine the attack path based on at least one candidate attack path whose cumulative edge weight in the event directed graph is higher than a preset value.
10. An APT attack detection device, characterized in that, The method includes at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described in any one of claims 1-8.