APT attack detection method and device based on graph attention learning and electronic equipment
By using a graph attention-based learning method, the relationships between nodes in an APT attack are dynamically analyzed. Combined with the cross-entropy loss function and threat intelligence mapping table, the problem of low APT attack detection rate in existing technologies is solved, and efficient and accurate APT attack detection and report generation are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SOFTPOLE NETWORK TECH (BEIJING) CO LTD
- Filing Date
- 2025-09-08
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technologies have low detection rates and high false positive and false negative rates when facing APT attacks, especially those with unknown mutation methods or zero-day attacks, and cannot meet the real-time defense requirements of complex and covert attacks.
A graph attention-based learning approach is adopted. By acquiring the operation logs of the system under monitoring to form a time series graph, the encoder of the time series graph neural network and the decoder of the graph attention network are used, combined with the cross-entropy loss function and the isolation forest algorithm to dynamically analyze the relationship between nodes, capture abnormal patterns, and generate attack reports by combining threat intelligence mapping table and large language model.
It enables accurate and efficient detection of APT attacks without relying on known attack signatures, improving detection accuracy and robustness, reducing false positives and false negatives, and generating concise natural language attack reports for rapid response.
Smart Images

Figure CN121283670B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of APT attack detection technology, and in particular to an APT attack detection method, apparatus, and electronic device based on graph attention learning. Background Technology
[0002] With the evolution of cyberattack techniques, advanced persistent threats (APT attacks) have become a major challenge facing the global cybersecurity field.
[0003] According to relevant technologies, current methods often rely on known attack signature databases for matching and detection. However, when faced with a large number of unknown mutation methods or zero-day attacks in APT attacks, there are problems such as low detection rate and high false positive and false negative rates, which cannot meet the real-time defense needs for complex and covert attacks.
[0004] Therefore, finding an APT attack detection method that can accurately and efficiently detect APT attacks without relying on known attack characteristics has become a current research hotspot. Summary of the Invention
[0005] This invention provides an APT attack detection method, device, and electronic device based on graph attention learning, which enables accurate and efficient APT attack detection without relying on known attack features.
[0006] This invention provides an APT attack detection method based on graph attention learning. The method includes: acquiring the operation logs of a system to be monitored, and forming a time-series graph of the system to be monitored based on the operation logs, wherein the time-series graph includes multiple nodes and time-series graph edges connecting the nodes, the time-series graph is used to characterize the operation information of each node of the system to be monitored in the time dimension, and the nodes are matched with kernel objects in the system to be monitored; inputting the time-series graph into a pre-trained edge type prediction model to obtain the time-series graph edge types output by the edge type prediction model, wherein the time-series graph edge types are used to characterize the node operation characteristics of the system to be monitored, and the edge type prediction model includes an encoder based on a time-series graph neural network and a decoder based on a graph attention network; based on the time-series graph edge types and the true edge types, obtaining the reconstruction error of the actual time-series graph edges corresponding to the time-series graph edge types through a cross-entropy loss function, wherein the true edge types are the edge types of the observed actual time-series graph edges; and determining whether the system to be monitored is subjected to an APT attack based on the reconstruction error.
[0007] According to the present invention, an APT attack detection method based on graph attention learning is provided. The reconstruction error includes the reconstruction error of the actual time-series graph edges of the system under test under a continuous time window. The step of determining whether the system under test is subjected to an APT attack based on the reconstruction error specifically includes: obtaining anomaly scores corresponding to each actual time-series graph edge using the isolation forest algorithm based on the reconstruction error of the actual time-series graph edges of the system under test under a continuous time window; and determining whether the system under test is subjected to an APT attack based on the anomaly scores corresponding to each actual time-series graph edge.
[0008] According to the present invention, an APT attack detection method based on graph attention learning, before determining whether the monitored system is subject to an APT attack based on the anomaly scores corresponding to the edges of each actual time-series graph, the method further includes: obtaining the inverse document frequency of each node; the determination of whether the monitored system is subject to an APT attack based on the anomaly scores corresponding to the edges of each actual time-series graph specifically includes: if the monitored system has anomaly nodes, calling a pre-set threat intelligence mapping table, wherein the threat intelligence mapping table includes the correspondence between different anomaly nodes and different anomaly node types, the anomaly node being a node whose anomaly score is greater than a score threshold and whose inverse document frequency is greater than a frequency threshold; determining the anomaly node type of the anomaly node based on the anomaly node and the threat intelligence mapping table; if the anomaly node type of the anomaly node is an APT attack type, determining that the monitored system is subject to an APT attack.
[0009] According to the present invention, an APT attack detection method based on graph attention learning is provided. The step of determining the abnormal node type of the abnormal node based on the abnormal node and the threat intelligence mapping table specifically includes: determining the abnormal node type of the abnormal node based on the abnormal node and the correspondence between different abnormal nodes and different abnormal node types in the threat intelligence mapping table.
[0010] According to the present invention, an APT attack detection method based on graph attention learning is provided. The step of determining the anomalous node type of the anomalous node based on the anomalous node and the threat intelligence mapping table specifically includes: inputting the anomalous node and the threat intelligence mapping table into a pre-trained large language model to obtain the anomalous node type of the anomalous node output by the large language model, wherein the large language model is used to determine the anomalous node type of the anomalous node based on the anomalous node and the threat intelligence mapping table.
[0011] According to the APT attack detection method based on graph attention learning provided by the present invention, the threat intelligence mapping table further includes the correspondence between different abnormal nodes and different abnormal node solutions; after determining the abnormal node type of the abnormal node, the method further includes: determining the abnormal node solution of the abnormal node based on the abnormal node and the correspondence between different abnormal nodes and different abnormal node solutions in the threat intelligence mapping table; and visually displaying the abnormal node solution of the abnormal node and the abnormal node type of the abnormal node.
[0012] According to the present invention, an APT attack detection method based on graph attention learning is provided. The time series graph includes time series graph edges, and the time series graph edges include node features involved in the operation of the system under test, as well as the running timestamps corresponding to the running nodes. The step of inputting the time series graph into a pre-trained edge type prediction model to obtain the time series graph edge type output by the edge type prediction model specifically includes: inputting the time series graph edges into an encoder based on a time series graph neural network in the edge type prediction model to obtain the edge embeddings corresponding to the time series graph edges output by the encoder; and inputting the edge embeddings into a decoder based on a graph attention network to obtain the time series graph edge type output by the decoder.
[0013] According to the APT attack detection method based on graph attention learning provided by the present invention, the decoder outputs the temporal graph edge type in the following manner: In the decoder, a processed edge embedding is obtained based on the edge embedding and the graph attention mechanism, wherein the processed edge embedding is obtained by aggregating edge embedding and neighbor node edge embedding; an enhanced edge embedding is obtained based on the processed edge embedding, as well as the source node features and target node features in the node; and the temporal graph edge type output by the decoder is obtained based on the enhanced edge embedding, multilayer perceptron, and residual connection.
[0014] This invention also provides an APT attack detection device based on graph attention learning. The device includes: an acquisition module, used to acquire the operation logs of the system to be monitored and form a time series graph of the system to be monitored based on the operation logs, wherein the time series graph includes multiple nodes and time series graph edges connecting the nodes, the time series graph is used to characterize the operation information of each node of the system to be monitored in the time dimension, and the nodes are matched with kernel objects in the system to be monitored; a prediction module, used to input the time series graph into a pre-trained edge type prediction model to obtain the time series graph edge type output by the edge type prediction model, wherein the time series graph edge type is used to characterize the node operation characteristics of the system to be monitored, and the edge type prediction model includes an encoder based on a time series graph neural network and a decoder based on a graph attention network; a processing module, used to obtain the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type based on the time series graph edge type and the true edge type through a cross-entropy loss function, wherein the true edge type is the edge type of the observed actual time series graph edge; and a determination module, used to determine whether the system to be monitored is subjected to an APT attack based on the reconstruction error.
[0015] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the APT attack detection method based on graph attention learning as described above.
[0016] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the APT attack detection method based on graph attention learning as described above.
[0017] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the APT attack detection method based on graph attention learning as described above.
[0018] This invention provides an APT attack detection method, apparatus, and electronic device based on graph attention learning, comprising: acquiring the operation log of a system to be monitored, and forming a time series graph of the system to be monitored based on the operation log, wherein the time series graph includes multiple nodes and time series graph edges connecting the nodes; inputting the time series graph into a pre-trained edge type prediction model to obtain the time series graph edge type output by the edge type prediction model, wherein the time series graph edge type is used to characterize the node operation characteristics of the system to be monitored, and the edge type prediction model includes an encoder based on a time series graph neural network and a decoder based on a graph attention network; based on the time series graph edge type and the actual edge type, obtaining the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type through a cross-entropy loss function; and determining whether the system to be monitored is subjected to an APT attack based on the reconstruction error. By using the edge type prediction model to obtain the edge type of the temporal graph, the system can determine whether the system under monitoring is subject to APT attacks. By learning the context awareness capability of the encoder based on the temporal graph neural network and the decoder based on the graph attention network, the system overcomes the limitation of relying on known attack features and achieves the capture of abnormal patterns without prior knowledge. Thus, it can accurately and efficiently detect APT attacks without relying on known attack features. Attached Figure Description
[0019] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0020] Figure 1 This is one of the flowcharts of the APT attack detection method based on graph attention learning provided by the present invention.
[0021] Figure 2 This is a schematic diagram of the process provided by the present invention for determining whether the system under monitoring is subject to an APT attack based on the abnormal scores corresponding to each edge of the actual time series graph.
[0022] Figure 3 This is a schematic diagram of the output timing graph edge type of the decoder provided by the present invention.
[0023] Figure 4 This is a schematic diagram of the APT attack detection device based on graph attention learning provided by the present invention.
[0024] Figure 5 This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation
[0025] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0026] According to relevant technologies, APT attacks exhibit high context dependence and non-linear behavior patterns. Decoders without attention mechanisms struggle to effectively capture the dynamic relationships between different nodes and edges in the source graph and the importance weights of temporal context when processing edge embeddings in the encoder output. This can lead to decoders ignoring key anomalous signals or overemphasizing noisy data when reconstructing attack trajectories or quantifying anomalies, thus reducing detection accuracy and robustness.
[0027] The APT attack detection method based on graph attention learning provided by this invention overcomes the limitation of relying on known attack features by learning the context awareness capability of the encoder based on temporal graph neural network and the decoder based on graph attention network. It realizes the capture of abnormal patterns without prior knowledge, thereby enabling accurate and efficient APT attack detection without relying on known attack features, and improving detection accuracy and robustness.
[0028] Figure 1 This is one of the flowcharts of the APT attack detection method based on graph attention learning provided by the present invention.
[0029] The following will combine Figure 1 The process of the APT attack detection method based on graph attention learning provided by this invention will be described.
[0030] In an exemplary embodiment of the present invention, combined with Figure 1 As can be seen, the APT attack detection method based on graph attention learning can include steps 110 to 140, and each step will be described below.
[0031] In step 110, the operation log of the system to be monitored is obtained, and a time sequence diagram of the system to be monitored is generated based on the operation log. The sequence diagram comprises multiple nodes and edges connecting them. It represents the runtime information of each node in the monitored system over time, with each node corresponding to a kernel object within the system. The runtime information of each node can be understood to include information about inter-entity interactions and event execution within the sequence diagram.
[0032] In one embodiment, runtime logs generated by the system under monitoring (such as an enterprise server cluster) can be collected, including records of process creation, file access, and network connections. Further, the runtime logs are converted into a time sequence graph. The time sequence graph includes multiple nodes and time sequence graph edges connecting the nodes. Each node corresponds to a system kernel object (such as a process ID, file handle, registry key, etc.); the time sequence graph edges can connect consecutively occurring node operations in chronological order (e.g., if process A accesses file B at time t, an edge A→B is generated). It can be understood that the time sequence graph structure reflects the interaction sequence of nodes in the time dimension.
[0033] In another embodiment, kernel-level tools (Windows ETW, Linux Audit, etc.) can be used to obtain fine-grained runtime data (corresponding to runtime logs) from the host system, capturing interactions between processes, files, and socket objects. Through system call tracing, read, write, run, send, and receive operations are recorded and transformed into a system-wide source graph. Further, a timing graph is obtained based on the system-wide source graph. The timing graph includes multiple nodes. Nodes represent kernel objects (processes, files, sockets). Edges are timestamped to indicate dependencies (each edge represents an interaction between a subject and an object, such as program A reading file B, and this edge is marked with a time stamp, for example, this interaction occurred on April 10, 2025 at 10:00 AM). Log data is stored in a streaming manner, laying the foundation for subsequent analysis. In one example, the objects of the subject and their corresponding relationship types are shown in Table 1:
[0034] Table 1. Subject Objects and Corresponding Relationship Types
[0035]
[0036] In the process of obtaining a time series graph based on the global source graph, features of nodes and edges can be generated. Each node (process, file, socket) has its own identity information (path name of the process, path name of the file, IP address and port of the socket). Hierarchical feature hashing is used to transform this identity information into a numerical vector. For example, the file path name / home / gamai / ctftools is split into hierarchical substrings: / home, / home / gamai, / home / gamai / ctftools. These substrings are represented as a 16-dimensional vector through feature hashing. The advantage of doing this is that nodes with similar semantics (such as files in the same directory) are closer in the feature space. The feature of each edge consists of three parts: the feature vector of the source node, the feature vector of the target node, and the one-hot encoding of the edge type (such as the 9 types in the table above, corresponding to 9 dimensions). In short, the edge feature is like a relational instruction manual. It not only tells you who the two roles in this relation are (the features of the source node and the target node), but also tells you how they interact (the one-hot encoding of the edge type). For example, the edge "process A reads file B" would have features including the identity of process A, the identity of file B, and a description of the "read" action. In one example, a sequence graph can consist of a source node (src), a target node (dst), a timestamp (t), and edge features (msg, including source / target vectors + edge type one-hot, i.e., source node embedding vector + edge type one-hot + target node embedding vector), collectively describing the graph's structure, temporal sequence, and semantic information. In other words, a sequence graph is like a relational table, where each row is an edge containing "who (source node) -> who (target node)", when (timestamp), details of the relationship (edge features), and information listing all nodes' identities (node features).
[0037] In step 120, the time series graph is input into the pre-trained edge type prediction model to obtain the time series graph edge type output by the edge type prediction model. The time series graph edge type is used to characterize the node operation characteristics of the system to be monitored. The edge type prediction model includes an encoder based on a time series graph neural network and a decoder based on a graph attention network.
[0038] In one embodiment, the pre-trained edge type prediction model may include an encoder based on a temporal graph neural network (TGN) and a decoder based on a graph attention network (GAT). During application, the encoder of the TGN can be used to extract the temporal dependency features of nodes. The decoder based on the GAT calculates the attention weights between nodes and outputs the type label for each edge. The model output is the temporal graph edge type, representing the semantic features of the behavior between nodes (e.g., the edge type "Process_Create_File" can represent a legitimate operation of a process creating a file).
[0039] In step 130, based on the temporal graph edge type and the true edge type, the reconstruction error of the actual temporal graph edge corresponding to the temporal graph edge type is obtained through the cross-entropy loss function, where the true edge type is the edge type of the observed actual temporal graph edge.
[0040] In step 140, based on the reconstruction error, it is determined whether the system under monitoring is subject to an APT attack.
[0041] In another embodiment, the predicted edge types of the time series graph can be compared with the actual edge types. During application, the reconstruction error of each time series graph edge can be calculated using the cross-entropy loss function, and then based on the reconstruction error, it can be determined whether the system under monitoring is subject to an APT attack.
[0042] In one embodiment, the reconstruction error of the actual time-series graph edges corresponding to the time-series graph edge types can be obtained using a cross-entropy loss function based on the time-series graph edge types and the actual edge types. Furthermore, based on the reconstruction error, it can be determined whether the system under monitoring is subject to an APT attack. Here, the actual edge type refers to the edge type of the observed actual time-series graph edges.
[0043] It should be noted that the edge type of the time series graph can be determined by the edge type probability distribution predicted by the decoder in the edge type prediction model. The true edge type is the observed type of the actual time series graph edge corresponding to the edge type of the time series graph (represented by a one-hot vector).
[0044] During the training phase, the edge type prediction model is trained by minimizing the reconstruction error using data from only benign temporal graphs, enabling the edge type prediction model to learn and be biased towards the spatiotemporal context patterns of benign systems. During the deployment phase, i.e. the application phase, if the actual edges are caused by attacks, it will lead to context bias, which will also result in a larger reconstruction error jointly determined by the temporal graph edge types predicted by the model and the actual edge types.
[0045] In one embodiment, if the reconstruction error is greater than the error threshold, the system under monitoring can be considered to be under APT attack; if the reconstruction error is less than or equal to the error threshold, the system under monitoring can be considered to be free of APT attack.
[0046] In another embodiment, the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type can be expressed as formula (1):
[0047] (1)
[0048] in, RE This represents the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type; P(e t )Indicates the edge type of the sequence graph; L(e t ) Indicates the type of the actual edge.
[0049] The present invention provides an APT attack detection method based on graph attention learning. The method acquires the operation logs of the system under test and forms a time-series graph of the system based on the logs. The time-series graph includes multiple nodes and edges connecting the nodes. The time-series graph is input into a pre-trained edge type prediction model to obtain the edge types output by the model. These edge types characterize the node operation features of the system under test. The edge type prediction model includes an encoder based on a time-series neural network and a decoder based on a graph attention network. Based on the edge types and the actual edge types, the reconstruction error of the actual time-series graph edges corresponding to the edge types is obtained using a cross-entropy loss function. Based on the reconstruction error, the method determines whether an APT attack exists in the system under test. By using the edge type prediction model to obtain the edge type of the temporal graph, the system can determine whether the system under monitoring is subject to APT attacks. By learning the context awareness capability of the encoder based on the temporal graph neural network and the decoder based on the graph attention network, the system overcomes the limitation of relying on known attack features and achieves the capture of abnormal patterns without prior knowledge. Thus, it can accurately and efficiently detect APT attacks without relying on known attack features.
[0050] In another exemplary embodiment of the present invention, the reconstruction error may include the reconstruction error of the edge of the actual time series graph of the system under monitoring under a continuous time window; wherein, based on the reconstruction error, determining whether the system under monitoring is subject to an APT attack can be achieved in the following manner:
[0051] Based on the reconstruction error of the actual time series graph edges of the system under monitoring under a continuous time window, the isolation forest algorithm is used to obtain the anomaly scores corresponding to each actual time series graph edge.
[0052] Based on the anomaly scores corresponding to each actual time series graph edge, it is determined whether the system under monitoring is subject to an APT attack.
[0053] In one embodiment, streaming event data can be divided into windows of fixed duration (e.g., every 15 minutes) according to timestamps, and the edge data within each window can be analyzed independently, that is, the reconstruction error of the actual time series graph edges of the system to be monitored under continuous time windows can be analyzed.
[0054] In application, based on the reconstruction errors of different actual time-series graph edges of the system under monitoring within a continuous time window, the isolation forest algorithm can be used to obtain anomaly scores corresponding to each actual time-series graph edge. Furthermore, based on these anomaly scores, it can be determined whether the system under monitoring is subject to an APT attack. In one example, if the anomaly score is greater than a score threshold, the system under monitoring can be considered to be subject to an APT attack.
[0055] In another example, the anomaly scores corresponding to each actual time series graph edge can be represented by formula (2):
[0056] (2)
[0057] in, Indicates sample The average path length of the corresponding node across all isolation trees, i.e., the average number of splitting steps from the root to the leaf node isolating the sample. Abnormal samples have shorter paths (smaller values) due to sparseness, while normal samples have longer paths (larger values).
[0058] Denotes the normalization constant, representing the expected average path length for each sample, approximately equal to... (where ≈0.57721 is Euler's constant). It ensures that the fraction is standardized in the range [0,1].
[0059] A value close to 1 indicates a high degree of abnormality (short path), a value close to 0.5 indicates no obvious abnormality or a normal pattern (similar to a random sample), and a value below 0.5 indicates normal.
[0060] Fixed thresholds may fail in complex scenarios because they cannot adapt to changes in distribution, potentially leading to false positives (misclassifying normal edges as abnormal) or false negatives (missing abnormal edges). In this embodiment, the isolated forest fits the RE values of different actual time-series graph edges within the window and calculates the anomaly score for each actual time-series graph edge, which is used to set a dynamic threshold. That is, this embodiment does not set a fixed threshold to distinguish between normal and abnormal classes, thereby avoiding strong assumptions about the data distribution (such as a normal distribution) and handling complex scenarios with long-tailed or irregular distributions.
[0061] Figure 2 This is a schematic diagram of the process provided by the present invention for determining whether the system under monitoring is subject to an APT attack based on the abnormal scores corresponding to each edge of the actual time series graph.
[0062] The following will combine Figure 2 The process provided by this invention for determining whether the system under monitoring is subject to an APT attack based on the anomaly scores corresponding to the edges of each actual time series graph is explained.
[0063] In an exemplary embodiment of the present invention, combined with Figure 2 As can be seen, determining whether the system under monitoring is subject to an APT attack based on the abnormal scores corresponding to each edge of the actual time series graph can include steps 210 to 240, and each step will be described below.
[0064] In step 210, the inverse document frequency of each node is obtained.
[0065] In one embodiment, the inverse document frequency (IDF) of each node can be obtained. The IDF can be obtained using the following formula (3):
[0066] (3)
[0067] in, It is the total number of time windows. This represents the number of time windows containing node v. The higher the IDF value, the rarer the node. A threshold can be set; if the value exceeds this threshold, the node is considered scarce.
[0068] In step 220, if there are abnormal nodes in the system to be monitored, a pre-set threat intelligence mapping table is invoked. The threat intelligence mapping table includes the correspondence between different abnormal nodes and different abnormal node types. Abnormal nodes are nodes whose abnormal scores are greater than the score threshold and whose inverse document frequency is greater than the frequency threshold.
[0069] In one embodiment, a node that simultaneously meets the following conditions is marked as an abnormal node:
[0070] Abnormal scores > score threshold;
[0071] IDF > Frequency threshold;
[0072] In the application process, within each time window, abnormal nodes can be screened based on the isolated forest, and rare nodes can be screened using high IDF (IDF higher than the empirical threshold). This method believes that within the time window, the combination of screening abnormal nodes based on the isolated forest and using IDF to obtain suspected APT attack nodes can ensure that the suspected nodes are both abnormal (high RE) and rare (high IDF), thereby improving the accuracy of anomaly detection. When both anomaly and rarity are satisfied, the node is classified as a suspected APT attack node, which is the abnormal node in step 220.
[0073] In step 230, the abnormal node type is determined based on the abnormal node and the threat intelligence mapping table.
[0074] In step 240, if the abnormal node type of the abnormal node is an APT attack type, it is determined that the system to be monitored is under APT attack.
[0075] In one embodiment, a pre-set threat intelligence mapping table can be invoked, wherein the threat intelligence mapping table includes the correspondence between different abnormal nodes and different abnormal node types. Furthermore, based on the abnormal node and the threat intelligence mapping table, the abnormal node type of the abnormal node can be determined. If the abnormal node type of the abnormal node is determined to be an APT attack type, it can be determined that the system under monitoring is under APT attack.
[0076] In this embodiment, an alarm is triggered only when a node simultaneously meets the criteria of statistical anomaly (high anomaly score) and rare behavior (high IDF), thus eliminating interference from legitimate low-frequency operations and improving the accuracy of determining whether an APT attack exists in the monitored system.
[0077] In yet another exemplary embodiment of the present invention, the abnormal node type of an abnormal node is determined based on the abnormal node and the threat intelligence mapping table, which can be achieved in the following way:
[0078] Based on the abnormal nodes and the correspondence between different abnormal nodes and different abnormal node types in the threat intelligence mapping table, the abnormal node type of the abnormal node is determined.
[0079] In one embodiment, a mapping table is retrieved based on the abnormal node X. This allows for the determination of the abnormal node's type based on the abnormal node itself and the correspondence between different abnormal nodes and different abnormal node types in the threat intelligence mapping table. This embodiment enables the rapid determination of the abnormal node's type, i.e., quickly identifying whether the abnormal node is a node subject to an APT attack.
[0080] In yet another exemplary embodiment of the present invention, the abnormal node type of an abnormal node is determined based on the abnormal node and the threat intelligence mapping table, which can be achieved in the following way:
[0081] The abnormal nodes and the threat intelligence mapping table are input into the pre-trained large language model to obtain the abnormal node type of the abnormal nodes output by the large language model. The large language model is used to determine the abnormal node type of the abnormal nodes based on the abnormal nodes and the threat intelligence mapping table.
[0082] In one embodiment, anomaly node and threat intelligence mapping table can be input into a pre-trained LLM, which can then output the anomaly node type based on the LLM. In this embodiment, the semantic association reasoning capability of the mapping table combined with the LLM can be used to identify APT attack combination patterns not explicitly defined in the table.
[0083] In an exemplary embodiment of the present invention, the threat intelligence mapping table may further include the correspondence between different anomalous nodes and different anomalous node solutions. After determining the anomalous node type, the APT attack detection method based on graph attention learning may further include the following steps:
[0084] Based on the abnormal nodes and the correspondence between different abnormal nodes and different abnormal node solutions in the threat intelligence mapping table, the abnormal node solutions are determined.
[0085] The solutions for abnormal nodes and the types of abnormal nodes are visualized.
[0086] In one embodiment, solutions for abnormal nodes can be retrieved based on the abnormal nodes and the correspondence between different abnormal nodes and their solutions in the threat intelligence mapping table. Furthermore, the solutions for abnormal nodes and the types of abnormal nodes are then visualized for easy access by users.
[0087] In another embodiment, an attack event sequence can be generated. Each time window in the abnormal time window queue q can be traversed, the corresponding edge data file read, and all edges and their reconstruction loss extracted. All edges are merged into a global directed graph g, recording additional edge information (loss, srcmsg, dstmsg, edge_type, time), and then the global graph g is output, containing edges from all time windows in queue q.
[0088] Given a global graph g, extract the reconstruction losses of all edges from the global graph to form a loss list. Use the Isolation Forest algorithm to determine an automatic threshold, filter edges whose reconstruction losses are greater than the automatic threshold, and construct a weighted graph. ,in For a set of nodes, The set of edges contains only those edges whose reconstruction error (RE) exceeds an automatic threshold. Let be the set of edge weights, where each weight represents the reconstruction error of each edge. The weighted graph is represented by formula (4):
[0089] (4)
[0090] in The threshold is set automatically and determined by the Isolation Forest algorithm; RE e This represents the reconstruction error of edge e in the actual time series graph.
[0091] To identify dense attack communities connected by edges with high reconstruction errors, the Leiden algorithm can be used to partition the weighted graph into communities. Modularity optimization tends to group tightly connected nodes (high edge density) into the same community. The optimization process can be represented by formula (5):
[0092] (5)
[0093] Indicates community; This represents the sum of the weights of all edges within community c (the weights are the reconstruction error RE). The sum of the weights of the neighboring edges of community c (edges with one end inside c and the other end outside c). This represents the sum of the weights of all edges in the graph (i.e., ).
[0094] Then, a subgraph is extracted from each community, and attack-related nodes and edges are labeled as candidate attack summary graphs. That is, input: weighted graph. The edge weights are the reconstruction loss. Operation: [The remaining text appears to be incomplete and requires further context.] Convert to an undirected graph and then to igraph format. Use the Leiden algorithm for community partitioning, optimizing modularity and considering edge weights. Output: Community partitioning results—each node maps to its corresponding community ID. Further, a subgraph can be extracted from each community, labeling attack-related nodes and edges. Output: A visualization file of the candidate attack summary graph. Based on the summary graph, known attack nodes and anomalous but unconfirmed attacks can be identified, requiring security personnel to determine unidentified attack behaviors (not included in the known anomaly list).
[0095] In another exemplary embodiment of the present invention, the time series graph may include time series graph edges, which include node features involved in the operation of the system under monitoring, and the running timestamps corresponding to the running nodes. The process of inputting the time series graph into a pre-trained edge type prediction model to obtain the time series graph edge types output by the edge type prediction model can be implemented in the following way:
[0096] The edges of the temporal graph are input into the encoder based on the temporal graph neural network in the edge type prediction model to obtain the edge embeddings corresponding to the edges of the temporal graph output by the encoder.
[0097] The edge is embedded into the input and fed into the decoder based on the graph attention network to obtain the temporal graph edge type of the decoder output.
[0098] In one embodiment, when the edge At time t, the encoder uses a temporal graph network to generate edge embeddings. Capture the spatiotemporal context for subsequent decoding, where edge embedding This can be expressed as formula (6):
[0099] (6)
[0100] in, is the state of the neighboring nodes (feature vector of historical graph changes), e is the neighborhood edge, and t is the timestamp. The initial node state is a zero vector, which is updated over time. The encoder updates the source and target node states through GRU, which can be expressed as formula (7):
[0101] (7)
[0102] Based on the aforementioned processing, it can be ensured that the node state evolves over time, supporting streaming analysis. Indicates the source node after the update at time t. The state embedding vector; This represents the source node before time t (i.e., time t-). The state embedding vector; Indicates the target node after time t update. The state embedding vector; This represents the target node before time t (i.e., at time t-). The state embedding vector. This represents the embedding vector of the new edge that appears at time t.
[0103] In yet another embodiment, edge embedding can be based on the encoder-generated edge. By enhancing features through the GAT attention mechanism, edge type prediction can be achieved. That is, the edge type of the timing graph output by the decoder.
[0104] Figure 3 This is a schematic diagram of the output timing graph edge type of the decoder provided by the present invention.
[0105] The following will combine Figure 3 The process of the decoder outputting the timing graph edge type is explained.
[0106] In an exemplary embodiment of the present invention, combined with Figure 3 As can be seen, the edge type of the decoder output timing graph can include steps 310 to 330, and each step will be described below.
[0107] In step 310, in the decoder, the processed edge embedding is obtained based on the edge embedding and graph attention mechanism, wherein the processed edge embedding is obtained by aggregating the edge embedding and the neighbor node edge embedding.
[0108] In one embodiment, for node i, GAT aggregates the embeddings of its neighbor node j through a 4-head (corresponding to h in the formula) attention mechanism. That is, neighbor node edge embedding. A weighted sum (weight) is calculated for each node. (Determined by the attention mechanism), then averaged to generate a new embedding. That is, processing the subsequent embedding. It is a feature transformation, which will A linear transformation yields a new feature space; Let represent the weight matrix of the h-th attention head. Embedding vector of node j at time t The linear transformation (linear projection) is performed. The formula is shown in formula (8):
[0109] (8)
[0110] right Perform layer normalization to stabilize the feature distribution, as shown in formula (9):
[0111] (9)
[0112] It should be noted that in formula (9) This corresponds to the previous text. ; Indicates and The corresponding layer normalization result.
[0113] In step 320, an enhanced back embedding is obtained based on the processed back embedding, as well as the source node features and target node features in the node.
[0114] In one embodiment, the source node and the target node can be concatenated for each edge. Extract the enhanced embeddings of the source node and the target node, that is, obtain the enhanced post-embedded embedding h. t And expressed as formula (10):
[0115] (10)
[0116] in, Let represent the source node (src) embedding vector after GAT (Graph Attention Network) enhancement and layer normalization (LayerNorm); Let represent the target node (dst) embedding vector after GAT (GraphAttention Network) enhancement and layer normalization (LayerNorm).
[0117] In step 330, the temporal graph edge type of the decoder output is obtained based on enhanced back-edge embedding, multilayer perceptron, and residual connection.
[0118] In one embodiment, the edge type can be predicted by MLP based on enhanced post-edge embedding and residual connections can be added to obtain the temporal graph edge type output by the decoder, which can be expressed as formula (11):
[0119] (11)
[0120] MLP consists of two layers (Linear → ReLU → Linear). This indicates a residual connection.
[0121] As is known from relevant technologies, APT attack detection has always been a challenging problem in the field of cybersecurity. Its complexity and stealth place higher demands on detection technologies. Traditional methods, when analyzing system source maps, rely on known attack characteristics, making them ill-equipped to handle unknown attacks; they fail to accurately capture complex behavioral patterns, leading to inaccurate detection; and relying solely on fixed thresholds for anomaly detection results in limited flexibility. This invention proposes an APT attack detection method based on graph attention learning. This method enhances the modeling of complex behaviors by introducing an attention mechanism, utilizes the isolated forest algorithm for automatic threshold adjustment, and combines a large language model to generate natural language attack reports. First, the attention mechanism dynamically analyzes the relationships between nodes in the source map, accurately capturing APT behavioral patterns across time and components, significantly improving detection accuracy. Second, the automatic threshold, through the isolated forest algorithm, adapts to changes in behavioral characteristics, avoiding false positives and false negatives caused by fixed thresholds, thus enhancing detection reliability. Finally, the large language model generates concise natural language attack reports, enabling non-technical personnel to quickly understand the attack process and significantly improving response efficiency. Therefore, this invention overcomes the limitations of traditional methods, providing enterprises with an accurate, reliable, and efficient APT attack detection solution.
[0122] The APT attack detection device based on graph attention learning provided by the present invention will be described below. The APT attack detection device based on graph attention learning described below can be referred to in correspondence with the APT attack detection method based on graph attention learning described above.
[0123] Figure 4 This is a schematic diagram of the APT attack detection device based on graph attention learning provided by the present invention.
[0124] In an exemplary embodiment of the present invention, combined with Figure 4 As can be seen, the APT attack detection device based on graph attention learning may include an acquisition module 410, a prediction module 420, a processing module 430, and a determination module 440. Each module will be described in detail below.
[0125] The acquisition module 410 can be configured to acquire the operation logs of the system to be monitored and form a timing diagram of the system to be monitored based on the operation logs. The timing diagram includes multiple nodes and timing diagram edges connecting the nodes. The timing diagram is used to characterize the operation information of each node of the system to be monitored in the time dimension. The nodes are matched with the kernel objects in the system to be monitored.
[0126] The prediction module 420 can be configured to input the time series graph into a pre-trained edge type prediction model to obtain the time series graph edge type output by the edge type prediction model, wherein the time series graph edge type is used to characterize the node operation characteristics of the system to be monitored, and the edge type prediction model includes an encoder based on a time series graph neural network and a decoder based on a graph attention network.
[0127] Processing module 430 can be configured to obtain the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type by means of the cross-entropy loss function based on the time series graph edge type and the true edge type, wherein the true edge type is the edge type of the observed actual time series graph edge;
[0128] The determination module 440 can be configured to determine whether the system under monitoring is subject to an APT attack based on the reconstruction error.
[0129] In an exemplary embodiment of the present invention, the reconstruction error includes the reconstruction error of the monitoring system at different actual time series graph edges under a continuous time window; the determination module 440 can determine whether the monitoring system is subject to an APT attack based on the reconstruction error in the following manner:
[0130] Based on the reconstruction error of the actual time series graph edges of the system under monitoring under a continuous time window, the isolation forest algorithm is used to obtain the anomaly scores corresponding to each actual time series graph edge.
[0131] Based on the anomaly scores corresponding to each edge of the actual time series graph, it is determined whether the system under monitoring is subject to an APT attack.
[0132] In an exemplary embodiment of the present invention, the determining module 440 may further be configured to:
[0133] Obtain the inverse document frequency for each node;
[0134] The determination module 440 can determine whether the system under monitoring is subject to an APT attack based on the anomaly scores corresponding to each edge of the actual time series graph:
[0135] When there are abnormal nodes in the system to be monitored, a pre-set threat intelligence mapping table is invoked. The threat intelligence mapping table includes the correspondence between different abnormal nodes and different abnormal node types. The abnormal node is a node whose abnormal score is greater than the score threshold and whose inverse document frequency is greater than the frequency threshold.
[0136] Based on the abnormal nodes and the threat intelligence mapping table, the abnormal node type of the abnormal node is determined.
[0137] If the abnormal node type of the abnormal node is an APT attack type, it is determined that the system to be monitored is under APT attack.
[0138] In an exemplary embodiment of the present invention, the determining module 440 may determine the abnormal node type of the abnormal node based on the abnormal node and the threat intelligence mapping table in the following manner:
[0139] Based on the abnormal nodes and the correspondence between different abnormal nodes and different abnormal node types in the threat intelligence mapping table, the abnormal node type of the abnormal node is determined.
[0140] In an exemplary embodiment of the present invention, the determining module 440 may determine the abnormal node type of the abnormal node based on the abnormal node and the threat intelligence mapping table in the following manner:
[0141] The abnormal node and the threat intelligence mapping table are input into a pre-trained large language model to obtain the abnormal node type of the abnormal node output by the large language model. The large language model is used to determine the abnormal node type of the abnormal node based on the abnormal node and the threat intelligence mapping table.
[0142] In an exemplary embodiment of the present invention, the threat intelligence mapping table further includes the correspondence between different abnormal nodes and solutions for different abnormal nodes; the determining module 440 can also be configured to:
[0143] Based on the abnormal nodes and the correspondence between different abnormal nodes and different abnormal node solutions in the threat intelligence mapping table, the abnormal node solution is determined.
[0144] The solutions for the abnormal nodes and the types of abnormal nodes are visualized.
[0145] In an exemplary embodiment of the present invention, the timing graph includes timing graph edges, and the timing graph edges include node features involved in the operation of the system to be monitored, as well as the running timestamps corresponding to the running nodes;
[0146] The prediction module 420 can input the time series graph into a pre-trained edge type prediction model in the following way to obtain the edge types of the time series graph output by the edge type prediction model:
[0147] The temporal graph edges are input into the encoder based on the temporal graph neural network in the edge type prediction model to obtain the edge embeddings corresponding to the temporal graph edges output by the encoder.
[0148] The edge embeddings are fed into a graph attention-based decoder to obtain the temporal graph edge type output by the decoder.
[0149] In an exemplary embodiment of the present invention, the prediction module 420 may implement the decoder output timing graph edge type in the following manner:
[0150] In the decoder, a processed edge embedding is obtained based on the edge embedding and graph attention mechanism, wherein the processed edge embedding is obtained by aggregating the edge embedding and the neighbor node edge embedding;
[0151] Based on the post-processing embedding, as well as the source node features and target node features in the node, an enhanced post-processing embedding is obtained;
[0152] Based on enhanced back-end embedding, multilayer perceptron, and residual connection, the temporal graph edge type output by the decoder is obtained.
[0153] Figure 5 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 5As shown, the electronic device may include: a processor 510, a communications interface 520, a memory 530, and a communications bus 540, wherein the processor 510, the communications interface 520, and the memory 530 communicate with each other through the communications bus 540. Processor 510 can call logic instructions in memory 530 to execute an APT attack detection method based on graph attention learning. This method includes: acquiring the operation logs of the system under monitoring, and forming a time-series graph of the system under monitoring based on the operation logs, wherein the time-series graph includes multiple nodes and time-series graph edges connecting the nodes, the time-series graph is used to characterize the operation information of each node in the system under monitoring in the time dimension, and the nodes are matched with kernel objects in the system under monitoring; inputting the time-series graph into a pre-trained edge type prediction model to obtain the time-series graph edge types output by the edge type prediction model, wherein the time-series graph edge types are used to characterize the node operation characteristics of the system under monitoring, and the edge type prediction model includes an encoder based on a time-series graph neural network and a decoder based on a graph attention network; based on the time-series graph edge types and the true edge types, obtaining the reconstruction error of the actual time-series graph edges corresponding to the time-series graph edge types through a cross-entropy loss function, wherein the true edge types are the edge types of the observed actual time-series graph edges; and determining whether the system under monitoring is subjected to an APT attack based on the reconstruction error.
[0154] Furthermore, the logical instructions in the aforementioned memory 530 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0155] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer is able to execute the APT attack detection method based on graph attention learning provided by the above methods. The method includes: acquiring the operation log of the system to be monitored, and forming a time sequence graph of the system to be monitored based on the operation log, wherein the time sequence graph includes multiple nodes and time sequence graph edges connecting the nodes, the time sequence graph is used to characterize the operation information of each node of the system to be monitored in the time dimension, and the nodes are connected to the internal nodes of the system to be monitored. The kernel objects are matched; the time series graph is input into a pre-trained edge type prediction model to obtain the time series graph edge type output by the edge type prediction model, wherein the time series graph edge type is used to characterize the node operation characteristics of the system under monitoring, and the edge type prediction model includes an encoder based on a time series graph neural network and a decoder based on a graph attention network; based on the time series graph edge type and the true edge type, the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type is obtained through the cross-entropy loss function, wherein the true edge type is the edge type of the observed actual time series graph edge; based on the reconstruction error, it is determined whether the system under monitoring is subjected to an APT attack.
[0156] In another aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program thereon, which, when executed by a processor, is implemented to perform the APT attack detection method based on graph attention learning provided by the above methods. The method includes: acquiring the operation logs of the system to be monitored, and forming a timing graph of the system to be monitored based on the operation logs, wherein the timing graph includes multiple nodes and timing graph edges connecting the nodes, the timing graph being used to characterize the operation information of each node of the system to be monitored in the time dimension, and the nodes being matched with kernel objects in the system to be monitored; inputting the timing graph... The edge type prediction model is pre-trained to obtain the temporal graph edge type output by the edge type prediction model. The temporal graph edge type is used to characterize the node operation characteristics of the system under monitoring. The edge type prediction model includes an encoder based on a temporal graph neural network and a decoder based on a graph attention network. Based on the temporal graph edge type and the true edge type, the reconstruction error of the actual temporal graph edge corresponding to the temporal graph edge type is obtained through the cross-entropy loss function. The true edge type is the edge type of the observed actual temporal graph edge. Based on the reconstruction error, it is determined whether the system under monitoring is subjected to an APT attack.
[0157] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0158] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0159] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. An APT attack detection method based on graph attention learning, characterized in that, The method includes: The system to be monitored acquires its operation logs and forms a time sequence diagram of the system based on the operation logs. The time sequence diagram includes multiple nodes and time sequence diagram edges connecting the nodes. The time sequence diagram is used to characterize the operation information of each node of the system to be monitored in the time dimension. The nodes are matched with the kernel objects in the system to be monitored. The time series graph is input into a pre-trained edge type prediction model to obtain the time series graph edge type output by the edge type prediction model. The time series graph edge type is used to characterize the node operation characteristics of the system to be monitored. The edge type prediction model includes an encoder based on a time series graph neural network and a decoder based on a graph attention network. Based on the time series graph edge type and the true edge type, the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type is obtained through the cross-entropy loss function. The true edge type is the edge type of the observed actual time series graph edge. The time series graph includes time series graph edges, which include the node features involved in the operation of the system under monitoring, and the running timestamps corresponding to the running nodes. The step of inputting the time series graph into a pre-trained edge type prediction model to obtain the edge types of the time series graph output by the edge type prediction model specifically includes: The temporal graph edges are input into the encoder based on the temporal graph neural network in the edge type prediction model to obtain the edge embeddings corresponding to the temporal graph edges output by the encoder, thereby capturing the spatiotemporal context for subsequent decoding; The edge embeddings are fed into a graph attention network-based decoder to obtain the temporal graph edge type output by the decoder; Based on the reconstruction error, it is determined whether the system under monitoring is subject to an APT attack.
2. The APT attack detection method based on graph attention learning according to claim 1, characterized in that, The reconstruction error includes the reconstruction error of the edge of the actual time series graph of the system under monitoring under a continuous time window; the determination of whether the system under monitoring is subject to an APT attack based on the reconstruction error specifically includes: Based on the reconstruction error of the actual time series graph edges of the system under monitoring under a continuous time window, the isolation forest algorithm is used to obtain the anomaly scores corresponding to each actual time series graph edge. Based on the anomaly scores corresponding to each edge of the actual time series graph, it is determined whether the system under monitoring is subject to an APT attack.
3. The APT attack detection method based on graph attention learning according to claim 2, characterized in that, Before determining whether the system under monitoring is subject to an APT attack based on the anomaly scores corresponding to each edge of the actual time series graph, the method further includes: Obtain the inverse document frequency for each node; The determination of whether the system under monitoring is subject to an APT attack based on the anomaly scores corresponding to each edge of the actual time series graph specifically includes: When there are abnormal nodes in the system to be monitored, a pre-set threat intelligence mapping table is invoked. The threat intelligence mapping table includes the correspondence between different abnormal nodes and different abnormal node types. The abnormal node is a node whose abnormal score is greater than the score threshold and whose inverse document frequency is greater than the frequency threshold. Based on the abnormal nodes and the threat intelligence mapping table, the abnormal node type of the abnormal node is determined. If the abnormal node type of the abnormal node is an APT attack type, it is determined that the system to be monitored is under APT attack.
4. The APT attack detection method based on graph attention learning according to claim 3, characterized in that, The process of determining the abnormal node type based on the abnormal node and the threat intelligence mapping table specifically includes: Based on the abnormal nodes and the correspondence between different abnormal nodes and different abnormal node types in the threat intelligence mapping table, the abnormal node type of the abnormal node is determined.
5. The APT attack detection method based on graph attention learning according to claim 3, characterized in that, The process of determining the abnormal node type based on the abnormal node and the threat intelligence mapping table specifically includes: The abnormal node and the threat intelligence mapping table are input into a pre-trained large language model to obtain the abnormal node type of the abnormal node output by the large language model. The large language model is used to determine the abnormal node type of the abnormal node based on the abnormal node and the threat intelligence mapping table.
6. The APT attack detection method based on graph attention learning according to any one of claims 3 to 5, characterized in that, The threat intelligence mapping table also includes the correspondence between different abnormal nodes and solutions for different abnormal nodes; After determining the abnormal node type of the abnormal node, the method further includes: Based on the abnormal nodes and the correspondence between different abnormal nodes and different abnormal node solutions in the threat intelligence mapping table, the abnormal node solution is determined. The solutions for the abnormal nodes and the types of abnormal nodes are visualized.
7. The APT attack detection method based on graph attention learning according to claim 1, characterized in that, The decoder outputs a timing graph edge type, which is implemented in the following way: In the decoder, a processed edge embedding is obtained based on the edge embedding and graph attention mechanism, wherein the processed edge embedding is obtained by aggregating the edge embedding and the neighbor node edge embedding; Based on the post-processing embedding, as well as the source node features and target node features in the node, an enhanced post-processing embedding is obtained; Based on enhanced back-end embedding, multilayer perceptron, and residual connection, the temporal graph edge type output by the decoder is obtained.
8. An APT attack detection device based on graph attention learning, characterized in that, The apparatus is used to implement the APT attack detection method based on graph attention learning as described in any one of claims 1 to 7, and the apparatus comprises: The acquisition module is used to acquire the operation logs of the system to be monitored and to form a time sequence diagram of the system to be monitored based on the operation logs. The time sequence diagram includes multiple nodes and time sequence diagram edges connecting the nodes. The time sequence diagram is used to characterize the operation information of each node of the system to be monitored in the time dimension. The nodes are matched with the kernel objects in the system to be monitored. The prediction module is used to input the time series graph into a pre-trained edge type prediction model to obtain the edge type of the time series graph output by the edge type prediction model. The edge type of the time series graph is used to characterize the node operation characteristics of the system to be monitored. The edge type prediction model includes an encoder based on a time series graph neural network and a decoder based on a graph attention network. The processing module is used to obtain the reconstruction error of the actual time series graph edge corresponding to the time series graph edge type by using the cross-entropy loss function based on the time series graph edge type and the true edge type, wherein the true edge type is the edge type of the observed actual time series graph edge; The determination module is used to determine whether the system under monitoring is subject to an APT attack based on the reconstruction error.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it implements the APT attack detection method based on graph attention learning as described in any one of claims 1 to 7.