A threat detection method based on time window data exploration and incremental learning
The threat detection method, which utilizes time-window data probing and incremental learning, addresses the issues of redundant data and poor dynamic adaptability in source graph analysis, achieving efficient threat detection and improving resource utilization and detection accuracy.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING UNIV OF POSTS & TELECOMM
- Filing Date
- 2024-11-28
- Publication Date
- 2026-06-05
AI Technical Summary
Existing technologies face problems such as inefficient use of computing resources due to redundant data and poor dynamic adaptability of models when dealing with advanced persistent threats (APTs). In particular, in source graph analysis, graph reduction methods affect the integrity of detection data, while retraining methods cannot effectively solve dynamic variability.
A threat detection method based on time window data probing and incremental learning is adopted. Log event information is extracted into quadruples through regular expressions, and vectorized using hierarchical feature hashing technology. It combines Temporal Graph Network (TGN) and Multilayer Perceptron (MLP) for benign behavior modeling. The model is dynamically updated through time window data probing and incremental learning mechanisms, filtering redundant data and retaining stable patterns to achieve dynamic model updates.
It improved resource utilization efficiency, ensured the integrity of detection data, enhanced the model's adaptability to changes in data distribution, and improved the accuracy and reliability of threat detection.
Smart Images

Figure CN122153884A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of threat detection based on source graph extraction from audit logs, and particularly relates to incremental learning, audit logs, source graphs, threat detection and other related fields. Background Technology
[0002] In recent years, Advanced Persistent Threats (APTs) have become one of the most serious security challenges in modern computing environments. These attacks are typically characterized by their long duration, complexity, and stealth, posing a significant threat to the sensitive data and system security of enterprises, government agencies, and individual users. To combat APT attacks, most operating systems today are equipped with auditing frameworks to capture detailed records of events occurring on target systems. These records can serve as the basis for data attribution techniques, constructing dependency graphs (attribution graphs) that explain the causal relationships between events. Therefore, attribution graph analysis has become a key method for identifying complex threats.
[0003] Due to the scarcity of attack data, current threat detection methods primarily employ unsupervised approaches, modeling normal behavioral patterns to identify anomalies and thus achieve threat detection. However, the inherent redundancy and dynamic variability of audit logs present two major challenges: redundant data leads to inefficient use of computational resources during model training, and changes in data distribution over time can degrade detection performance. For the redundancy issue, current methods mainly employ graph reduction to decrease data redundancy; however, rule-based graph reduction methods can compromise the integrity of detection data, thus affecting the detection results. For the dynamic variability issue, current methods generally employ retraining, but this cannot fundamentally solve the problem of poor model dynamic adaptability.
[0004] To address the aforementioned issues, research into a new data exploration method and a dynamic model update mechanism is essential. Summary of the Invention
[0005] This invention proposes a threat detection method based on time window data probing and incremental learning. The time window data probing method, combined with the incremental learning mechanism, enables the model to adopt a non-static training method, loading training data in batches, deleting redundant data in new batches, and dynamically updating the model, while ensuring the integrity of the detection data during the threat detection stage.
[0006] This invention proposes a threat detection method based on time window data probing and incremental learning, comprising the following steps:
[0007] 1) Use regular expressions to extract log event information into quadruples, and then use hierarchical feature hashing technology to vectorize the time-ordered quadruples to obtain the initial vectorized representation of the source graph;
[0008] 2) Using a temporal graph network (TGN) as the encoder and a multilayer perceptron (MLP) as the decoder, we learn benign source graphs and model normal behavior patterns.
[0009] 3) Use time window data probing and incremental learning mechanisms to dynamically update the threat detection model;
[0010] 4) Threat detection is achieved using threat-associated entities and time-window queues.
[0011] Further, in step 1), regular expressions are used to parse the audit logs to obtain a four-tuple representation of the system event (source entity, relation, target entity, timestamp). Here, the entity represents a process, file, or socket in the system; the relation is the type of relationship between entities when the system event occurs; and the timestamp represents the time the system event occurred. Then, hierarchical feature hashing is used to vectorize the four-tuple, as shown in equation (1):
[0012] e t =[E src E R E dst ,t] (1)
[0013] e t E is the initialization vector representation of each event edge. src and E dst E represents the source and target entities respectively, using hierarchical feature hashing based on their attribute names as initialization vectors. R It is a one-hot vector representation of the relation type, where t is the timestamp of the event.
[0014] By organizing the initial vector representation of each system event in chronological order, a vectorized representation of the source graph extracted from the audit log is obtained.
[0015] Furthermore, in step 2), a temporal graph network (TGN) is used as the encoder to generate a high-dimensional representation of edge e at time t. As shown in equation (2):
[0016]
[0017] The encoder passes through the aggregation edge e t The source node v src and target node v dst The state vector of the neighboring nodes Generate its high-dimensional representation If v src or v dst This is a new node, and its feature vector is initialized to zero. If this node is at time t... - (That is, it exists before time point t) and edge e exists.t If the state of its neighbors changes, the state vector is updated using a gated recurrent unit (GRU), as shown in equations (3) and (4):
[0018]
[0019]
[0020] The decoder uses a multilayer perceptron (MLP) to predict edges. t The source node v src and target node v dst The type of relationship between edges. t The representation of The time and structure information of this edge are encoded. Output P(e t ) represents edge e t The probability of belonging to each relation type is shown in equation (5):
[0021]
[0022] During the training phase, the encoder and decoder are trained together, with the goal of minimizing edge e. t Actual operation type E R (e t ) and prediction operation type P(e t The difference RE between the two is given by the loss function as shown in equation (6):
[0023] loss = RE = CrossEntropy(P(e t ),E R (e t (6)
[0024] Furthermore, in step 3), when a new batch of data arrives, the model is dynamically updated by integrating data probing and incremental learning mechanisms. Let the current model parameters be θ, and the updated parameters be θn. i The following section explains how to combine data exploration and incremental learning to effectively update θ.
[0025] a) Data Probeing: When new data D new Upon arrival, D bew The time window is divided into fixed-length time windows, and the behavioral pattern score of the data in each time window is calculated based on the reconstruction error of each side, as shown in Equation (7):
[0026] BPS=ω1 RE tw +ω2MAD tw (ω1+ω2=1) (7)
[0027] Where ω1 and ω2 are weighting coefficients, RE tw and MADtw These represent the average reconstruction error and mean absolute deviation for each time window, respectively. New Behavioral Pattern D newp attern The detection is determined by the threshold thr new The threshold is determined by the model's last training data D. trained The decision is as shown in equation (8):
[0028] thr new =ω1f(RE) tw ,β)+ω2f(MAD tw ,β) (8)
[0029] β is the definition of thr new The hyperparameters, f(·), are used to compute thr new The function. When the BPS value exceeds thr new The time window is arranged in chronological order to form new behavioral pattern data D new pattern For D trained Select a time window with a lower BPS value to form a combination with D. new pattern A comparable amount of stable behavioral pattern data D old .
[0030] b) Incremental learning: The goal of dynamic updates is to enable the model to learn new data D based on the current parameters θ. new The distribution of the data while retaining the original data D trained This knowledge allows for the improvement of the overall representation and the acquisition of updated parameters θ. i Let the dynamically updated overall loss function L be as shown in equation (9):
[0031] L = L new +L existing (9)
[0032] L new It is the loss function in the network affected by new data, L existing The aim is to integrate previously learned behavioral patterns. For new data D new To reduce resource waste caused by benign redundant data, this invention focuses only on the new behavioral pattern D. new pattern The impact on model parameters. Therefore, L new As shown in equation (10):
[0033]
[0034] l(θ i ;e i ) represents edge e i The reconstruction loss value.
[0035] To retain knowledge of previously learned behavioral patterns, this invention combines data replay and elastic weighting strategies, integrating data and models from their respective perspectives.
[0036] 1. From a data perspective, the D obtained during the data exploration phase old This represents the stable behavioral patterns that the model has learned. D old The data is replayed during dynamic updates to maintain the model's representational power. Therefore, the data portion L that integrates the learned patterns... data In L existing The definition of is shown in equation (11):
[0037]
[0038] 2. From a model perspective, to prevent replaying D during dynamic updates... old Overfitting may occur. This invention uses the current model parameters θ to constrain the updated model, thereby improving its generalization ability. This invention uses stable behavioral data D. old The Fisher information matrix F is estimated as shown in equation (12):
[0039]
[0040] n represents the previously trained data D. trained The total amount of data, m represents the stable behavior pattern D old The total amount of data, g(θ) i ;e i ) is edge e i For model parameters θ i The log-likelihood gradient. Therefore, used in L existing The model component L integrates previously learned behavioral patterns. model As shown in equation (13):
[0041]
[0042] λ measures the importance of F relative to the existing information in the new network. k θ represents the importance of the k-th parameter. k This indicates the parameter value from the previous update.
[0043] By integrating the knowledge of learned behavioral patterns from both data and model perspectives, an optimization objective is obtained. existing As shown in equation (14):
[0044] l existing =L data +L model (14)
[0045] Therefore, the dynamic update loss function L of the model is shown in equation (15):
[0046]
[0047] Training data D train As shown in equation (16):
[0048] D train =D old +D new pattern (16)
[0049] Further, step 4) involves comparing the reconstruction error of each edge. Threat events are identified by adding 1.5 times the standard deviation σ to the average error μ of the window. Entities involved in the threat event are defined as threat entities. Threat entities that appear in several time windows are defined as threat-related entities and added to the threat-related entity set S. If the anomaly score of the time window queue established based on the threat-related entity set exceeds a certain threshold, it is considered an anomaly queue. The time windows contained in it are all considered to contain attack activities, thereby realizing threat detection. The anomaly score AnomalyScore is calculated as shown in Equation (17):
[0050]
[0051] q represents the time window queue, tw k S represents the k-th time window in the time window queue. q This represents the set of threat entities in the time window queue, Num(S) q ∩S) represents the number of threat-related entities included in the time window queue.
[0052] The method of this invention can effectively perform threat detection at the time window granularity, and has the following advantages compared with the prior art:
[0053] 1. This invention proposes a new data detection method that solves the problem of wasted training resources caused by benign redundant data while ensuring the integrity of detection data. This helps to improve resource efficiency and at the same time ensures the reliability of detection results.
[0054] 2. This invention solves the problem of poor dynamic adaptability of unsupervised threat detection methods based on anomalies by introducing an incremental learning mechanism to improve the model's adaptability to changes in data distribution, thereby improving the accuracy of model detection. Attached Figure Description
[0055] Figure 1 This is a flowchart of the threat detection method based on time window data detection and incremental learning according to the present invention.
[0056] Figure 2This paper presents a comparison of the threat detection results between the present invention and KAIROS, a threat detection method that also uses a temporal graph network (TGN) as the encoder and a multilayer perceptron (MLP) as the decoder, with time windows as the detection granularity.
[0057] Figure 3 This is a statistical summary of the usage of the E3-CADETS dataset training set by KAIROS in relation to this invention.
[0058] Figure 4 This document presents statistics on the training time and cumulative resource consumption of the E3-CADETS dataset for this invention and KAIROS. Detailed Implementation
[0059] To make the above-mentioned features and advantages of the present invention more apparent and understandable, the present invention will be further described in detail below with reference to specific embodiments and accompanying drawings. The specific process is as follows: Figure 1 As shown, its main steps include:
[0060] Step 101: Use regular expressions to preprocess the audit logs to extract event quadruples, and use hierarchical feature hashing technology to vectorize them.
[0061] Step 201: Input the vectorized source graph into a network with a temporal graph network (TGN) as the encoder and a multilayer perceptron (MLP) as the decoder to model benign behavior.
[0062] Step 301: When new batches of training data arrive, use the time window data probing method to detect new behavioral patterns, filter redundant benign data, and select stable behavioral patterns.
[0063] Step 302: Based on the detected data, perform incremental learning by combining data replay and elastic weight fixation strategies to achieve dynamic updates of the model;
[0064] Step 401: Perform threat detection based on the anomaly scores of the time window queue established by the threat-associated entities, and finally obtain the threat detection results at the time window granularity.
[0065] This invention uses the publicly available DARPA datasets E3-THEIA and E3-CADETS for training and validation, and compares it with the threat detection method KAIROS, which also uses a temporal graph network (TGN) as the encoder and a multilayer perceptron (MLP) as the decoder. KAIROS does not process benign redundant data and loads all training data at once. Threat detection results based on time window granularity are shown below. Figure 2 As shown. Figure 3This paper demonstrates the data usage of the E3-CADETS dataset in the model training process compared to KAIROS. The present invention uses batch loading of training data and filters out redundant and benign data, resulting in significantly less data usage than KAIROS. Figure 4 This paper demonstrates the training time and resource usage of the present invention and KAIROS on the E3-CADETS dataset during model training. The training time and resource consumption of the present invention are almost half that of KAIROS. Experimental results show that the present invention can detect effective data and reduce resource waste caused by redundant data through the time window data probing method. At the same time, the combination of data replay and elastic weight strategy enables the model to effectively perform incremental learning, realize the dynamic update of the model to adapt to the dynamically changing data distribution, and thus achieve better threat detection results.
[0066] The above description is merely a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.
Claims
1. A threat detection method based on time window data probing and incremental learning, characterized in that, include: A. From the structured audit logs, use regular expressions to parse the audit logs and extract event quadruples. Use hierarchical feature hashing technology to vectorize the quadruples and obtain a time-ordered vectorized source map as input to the threat detection model. B. For the first batch of source map data, a temporal graph network (TGN) is used as an encoder to encode the spatial and temporal information of the nodes in the graph, and a multilayer perceptron (MLP) is used as a decoder to predict the relationship type between the nodes on the edge of the source map. The encoder and decoder are trained together to minimize the reconstruction error of the relationship type of the edge, thereby modeling the benign behavior pattern. C. For new batches of data, combine time window data probing and incremental learning mechanisms to achieve dynamic model updates, so as to solve the problems of resource waste and poor model dynamic adaptability caused by redundant data. D. Determine the threat-associated entities based on the reconstruction error of each edge, and perform threat detection based on the anomaly score of the time window queue to obtain threat detection results based on time window granularity.
2. The threat detection method based on time window data detection and incremental learning according to claim 1, characterized in that, Step A further includes the following steps: A1. Structured audit logs use regular expressions to extract the four-tuple representation of system events, which includes the source entity, target entity, relationship between entities, and event timestamp. A2. Use hierarchical feature hashing technology to initialize the vector representation of system events using the extracted quadruple information.
3. The threat detection method based on time window data detection and incremental learning according to claim 1, characterized in that, Step B further includes the following steps: B1. Input the vectorized data obtained in step A into a network with a temporal graph network (TGN) as the encoder and a multilayer perceptron (MLP) as the decoder. B2, Encoder Time-Sequence Graph Network (TGN) Aggregates Source Node of Edge e at Time t and target node The state vector of the neighboring nodes Generate edge e t High-dimensional representation if or At time t - (That is, it exists before time point t) and edge e exists. t If the state of its neighbors changes, the state vector is updated using a gated recurrent unit (GRU): The decoder uses a multilayer perceptron (MLP) to predict edges. t source node and target node Determine the relationship type and output the probability of each relationship type: The encoder and decoder are trained together, with the goal of minimizing edge e. t Actual operation type E R (e t ) and prediction operation type P(e t The difference between RE and ). loss=RE=CrossEntropy(P(e t ),E R (e t ))。 4. The threat detection method based on time window data detection and incremental learning according to claim 1, characterized in that, Step C further includes the following steps: C1, when the new batch of data D new Upon arrival, the Behavioral Pattern Score (BPS) based on time window data detects new behavioral patterns (D). newpattern and stable behavioral pattern D old New behavioral pattern threshold thr new From the trained data D trained The BPS value is determined; BPS and thr new The calculation method is as follows: BPS=ω1RE tw +ω2MAD tw (ω1+ω2=1) thr new =ω1f(RE tw ,β)+ω2f(MAD tw ,b) ω1 and ω2 are weighting coefficients, RE tw and MAD tw These represent the average reconstruction error and mean absolute deviation for each time window, respectively, and β is defined as thr new The hyperparameters, f(·), are used to compute thr new The function; for the new batch of data D new BPS value exceeding thr new The time window is arranged in chronological order to form new behavioral pattern data D newpattren For D trained Select a time window with a lower BPS value to form a combination with D. newpattern A comparable amount of stable behavioral pattern data D old ; C2. After data exploration, in learning new behavioral patterns D newpattern Simultaneously, the learned behavioral patterns D are reinforced by combining data replay and elastic weight solidification methods. trained The goal is to learn new behavioral patterns while preventing the forgetting of previously learned knowledge, and to obtain updated parameters θ based on the current parameters θ. i Let the dynamically updated overall loss function be L: L=L new +L existing L new It is the loss function in the network affected by new batches of data, L existing Aimed at integrating previously learned behavioral patterns; L new Focusing only on the new behavioral pattern D newpattern Impact on model parameters: l(θ i ;e i ) represents edge e i The reconstruction loss value; By combining data replay and elastic weighting strategies, we can integrate them from both data and model perspectives: 1) Data perspective: D obtained during the data exploration phase old The model's dynamic update process is replayed to reinforce learned behavioral patterns; the data portion L that integrates learned patterns is also replayed. data In L existing The definition in is as follows: 2) From a model perspective: To prevent replaying D during dynamic updates old If overfitting occurs, use the current model parameters θ to constrain the updated model in order to improve its generalization ability; Using stable behavioral pattern data D old To estimate the Fisher information matrix F: n represents the previously trained data D. trained The total amount of data, m represents the stable behavior pattern D old The total amount of data, g(θ) i ;e i ) is edge e i For model parameters θ i The log-likelihood gradient; Therefore, used in L existing L is a model component that integrates learned behavioral patterns. model As shown below: λ measures the importance of F relative to the existing information in the new network. k θ represents the importance of the k-th parameter. k This represents the previously updated parameter value; by integrating the learned behavioral patterns with data and models, the optimization objective L is obtained. existing : L existing L data +L model Therefore, the model dynamically updates the loss function L: Training data D train =D old +D newpattern .
5. The threat detection method based on time window data detection and incremental learning according to claim 1, characterized in that, Step D further includes the following steps: D1. Set the dynamically updated model to the evaluation state and compare the reconstruction error of each edge. Threat events are identified by adding 1.5 times the standard deviation σ to the average error μ of the window. Entities in a threat event are defined as threat entities. Threat entities that appear in several time windows are defined as threat-related entities and added to the threat-related entity set S. D2. Threat detection based on the anomaly score (AnomalyScore) of the time window queue associated with the threat-associated entity set S: q represents the time window queue, tw k S represents the k-th time window in the time window queue. q This represents the set of threat entities in the time window queue, Num(S) q ∩S) represents the number of threat-related entities contained in the time window queue; if the anomaly score of the queue exceeds a certain threshold, it is an abnormal queue, and the time windows contained therein are all considered to contain attack activities, thereby achieving threat detection.