Method, device, equipment, storage medium and program product for attack behavior detection

By constructing heterogeneous graphs and semantic sequences, and combining vector representation models and anomaly detection models, the problem of insufficient accuracy of detection models in existing technologies is solved, and efficient detection of lateral movement attacks on internal networks is achieved.

CN122160078APending Publication Date: 2026-06-05CHINA MOBILEHANGZHOUINFORMATION TECH CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA MOBILEHANGZHOUINFORMATION TECH CO LTD
Filing Date
2024-12-05
Publication Date
2026-06-05

Smart Images

  • Figure CN122160078A_ABST
    Figure CN122160078A_ABST
Patent Text Reader

Abstract

The application discloses a method, device, equipment, storage medium and program product for attack behavior detection, and specific technical solutions include: obtaining to-be-detected log data; determining a heterogeneous graph corresponding to the to-be-detected log data based on the to-be-detected log data; constructing a semantic sequence based on a preset meta path and the heterogeneous graph, the semantic sequence being used to represent behaviors included in the to-be-detected log data; inputting the semantic sequence into a vector representation model to obtain a semantic sequence vector, the vector representation model being obtained by training sample preset elements, sample weights, sample attribute information and sample correlation relationships of historical log data; and detecting the semantic sequence vector by using an anomaly detection model to obtain a prediction result of the anomaly detection model, the prediction result indicating whether an attack behavior exists in the behaviors included in the to-be-detected log data. In this way, the accuracy of the prediction result can be improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of security technology, and in particular relates to a method, apparatus, device, storage medium and program product for detecting attack behavior. Background Technology

[0002] With the development of internet technology, various industries are leveraging the internet to improve the convenience of users accessing resources and increase work efficiency. Correspondingly, with the popularization of internet technology, the number of cyberattacks on various industries has also increased.

[0003] Lateral movement within an intranet refers to the process by which an attacker, after gaining access to the intranet, moves to the machine storing core data. Once attackers control this machine, they can obtain confidential data or disrupt system operations. Lateral movement is a crucial step in the Advanced Persistent Threat (APT) attack process. To improve network security, detecting lateral movement attacks can prevent attacks before attackers reach the machine storing core data, effectively mitigating the threat.

[0004] Currently, by extracting feature vectors of lateral movement behavior, relationships between network entities exhibiting attack behavior are constructed using these feature vectors. Machine learning or deep learning algorithms are then employed to learn the characteristics of the attack behavior, and the trained model is subsequently used to detect attacks in the target data source. However, the model trained using the relationships between network entities exhibiting attack behavior cannot accurately detect hidden attacks within the data source. Summary of the Invention

[0005] This application provides an attack behavior detection method, apparatus, device, storage medium, and program product. These can improve the accuracy of attack behavior detection.

[0006] In a first aspect, embodiments of this application provide a method for detecting attack behavior, including:

[0007] Obtain the log data to be tested;

[0008] Determine the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected;

[0009] A semantic sequence is constructed based on a preset meta-path and the heterogeneous graph. The semantic sequence is used to characterize the behaviors included in the log data to be detected.

[0010] The semantic sequence is input into the vector representation model to obtain the semantic sequence vector. The vector representation model is trained using sample preset elements, sample weights, sample attribute information and sample association relationships of historical log data.

[0011] The semantic sequence vector is detected using an anomaly detection model to obtain the prediction result of the anomaly detection model. The prediction result indicates whether there is an attack behavior in the behavior included in the log data to be detected.

[0012] In one possible implementation, determining the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected includes:

[0013] Obtain statistical feature data of preset elements in the log data to be detected;

[0014] Obtain the association relationship of preset elements in the log data to be detected;

[0015] The weight of the association is calculated based on the user operation behavior data and statistical data in the log data to be detected;

[0016] The statistical feature data of the preset element is used as the attribute information of the preset element, and a heterogeneous graph is constructed according to the weight, the attribute information, the preset element and the relationship.

[0017] In one possible implementation, the step of using an anomaly detection model to detect the semantic sequence vector and obtaining the prediction result of the anomaly detection model includes:

[0018] Obtain the timestamp corresponding to the semantic sequence vector, the subtype information of the association relationship, and the statistical feature information corresponding to the subtype information, wherein the subtype information is used to represent the behavioral features corresponding to the association relationship;

[0019] The timestamp, the subtype information of the association, the statistical feature information corresponding to the subtype information, and the semantic sequence vector are input into the anomaly detection model to obtain the prediction result.

[0020] In one possible implementation, inputting the timestamp, the subtype information of the association relationship, the statistical feature information corresponding to the subtype information, and the semantic sequence vector into the anomaly detection model to obtain the prediction result includes:

[0021] For each pair of nodes in the semantic sequence vector, the product between the node representation vectors corresponding to each pair of nodes is calculated to obtain the target representation vector.

[0022] The target representation vector, the timestamp corresponding to the target representation vector, the target subtype information of the association relationship corresponding to the target representation vector, and the statistical feature information corresponding to the target subtype information are concatenated to obtain the input vector;

[0023] The input vector is input into the anomaly detection model to obtain the prediction result.

[0024] In one possible implementation, before inputting the semantic sequence into the vector representation model to obtain the semantic sequence vector, the method further includes:

[0025] Obtain the historical log data;

[0026] According to the preset statistical rules, obtain the sample statistical feature data of the preset elements in the historical log data;

[0027] The sample weights for the sample association relationships between the preset elements of the sample are calculated according to the preset weight calculation rules.

[0028] The sample statistical feature data of the preset element is used as the sample attribute information of the sample preset element, and a sample heterogeneity graph is constructed according to the sample weight, the sample attribute information, the sample preset element and the sample association relationship.

[0029] Based on a preset meta-path, the sample semantic sequence is obtained from the sample heterogeneity graph;

[0030] The sample semantic sequence is input into the graph embedding algorithm model to obtain the vector representation model;

[0031] In one possible implementation, before detecting the semantic sequence vector using the anomaly detection model and obtaining the prediction result of the anomaly detection model, the method further includes:

[0032] Obtain the sample semantic sequence vector corresponding to the sample semantic sequence;

[0033] The sample semantic sequence vector is input into the encoding and decoding model to obtain the output of the encoding and decoding model. The output includes whether the historical log data includes attack behavior.

[0034] The loss function of the encoding / decoding model is calculated according to the preset loss function and the output result. The preset loss function includes target samples, which are used to distinguish attack behaviors in the historical log data.

[0035] The anomaly detection model is obtained by adjusting the encoding / decoding model based on the loss function.

[0036] Secondly, embodiments of this application provide an apparatus for detecting attack behavior, comprising:

[0037] The acquisition module is used to acquire the log data to be detected.

[0038] The determination module is used to determine the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected.

[0039] The construction module is used to construct a semantic sequence based on a preset meta-path and the heterogeneous graph, wherein the semantic sequence is used to characterize the behaviors included in the log data to be detected;

[0040] The input module is used to input the semantic sequence into the vector representation model to obtain the semantic sequence vector. The vector representation model is trained using sample preset elements, sample weights, sample attribute information and sample association relationships of historical log data.

[0041] The detection module is used to detect the semantic sequence vector using an anomaly detection model and obtain the prediction result of the anomaly detection model. The prediction result indicates whether there is an attack behavior in the behavior included in the log data to be detected.

[0042] Thirdly, embodiments of this application provide an electronic device, the device comprising: a processor and a memory storing computer program instructions;

[0043] When the processor executes the computer program instructions, it implements the method for detecting attack behavior as described in any one of the first aspects.

[0044] Fourthly, embodiments of this application provide a computer-readable storage medium storing computer program instructions, which, when executed by a processor, implement the attack behavior detection method as described in any one of the first aspects.

[0045] Fifthly, embodiments of this application provide a computer program product, wherein instructions in the computer program product, when executed by a processor of an electronic device, cause the electronic device to perform the attack behavior detection method as described in any one of the first aspects.

[0046] This application discloses a method, apparatus, device, storage medium, and program product for detecting attack behavior. After acquiring log data to be detected, a heterogeneous graph of the log data is constructed based on the log data. Then, after constructing a semantic sequence using the heterogeneous graph, a vector representation model outputs the semantic sequence vector corresponding to the semantic sequence. The vector representation model is trained using preset elements, weights, attribute information, and relationships of samples from historical log data. Therefore, the vector representation model can accurately and comprehensively describe the information in the heterogeneous graph. Consequently, the semantic sequence vector can accurately represent the behaviors contained in the log data to be detected. The semantic sequence vector corresponding to the semantic sequence is input into an anomaly detection model, which can determine whether the behaviors included in the log data to be detected include attack behavior. Since the vector representation model can output relatively comprehensive information from the heterogeneous graph, the accuracy of the anomaly detection model's prediction results is improved. Attached Figure Description

[0047] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0048] Figure 1 This is a flowchart illustrating a method for detecting attack behavior provided in an embodiment of this application;

[0049] Figure 2 This is an exemplary schematic diagram of system log data provided in an embodiment of this application;

[0050] Figure 3 This is a flowchart illustrating a heterogeneous graph construction method provided in an embodiment of this application;

[0051] Figure 4 This is a flowchart illustrating a vector representation model training method provided in an embodiment of this application;

[0052] Figure 5 This is an exemplary schematic diagram of a semantic sequence construction method provided in an embodiment of this application;

[0053] Figure 6 This is an exemplary schematic diagram of a vector representation model training method provided in an embodiment of this application;

[0054] Figure 7 This is a flowchart illustrating an anomaly detection model training method provided in an embodiment of this application;

[0055] Figure 8 This is an exemplary schematic diagram of an encoding / decoding model structure provided in an embodiment of this application;

[0056] Figure 9 This is an exemplary schematic diagram of an attack behavior detection method provided in an embodiment of this application;

[0057] Figure 10 This is a schematic diagram of the structure of an attack behavior detection device provided in an embodiment of this application;

[0058] Figure 11 This is a schematic diagram of the structure of an electronic device provided in another embodiment of this application. Detailed Implementation

[0059] The features and exemplary embodiments of various aspects of this application will be described in detail below. To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are only intended to explain this application and not to limit it. For those skilled in the art, this application can be implemented without some of these specific details. The following description of the embodiments is merely to provide a better understanding of this application by illustrating examples.

[0060] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that includes said element.

[0061] Currently, when detecting lateral movement attacks on internal networks, log information can be used to identify network entities, and a user authentication graph can be constructed based on the relationships between these entities. Then, the user authentication graph can be processed using a meta-path-based random walk strategy to obtain a representation vector. This representation vector can be used to represent the login link, and the relative reconstruction error of the representation vector can be calculated based on this vector to determine the security of the login link.

[0062] Thus, when extracting network entities and building a user authentication graph, since the user authentication graph only has structural relationships, the subsequently calculated representation vectors cannot accurately describe the information of the login link, thereby reducing the accuracy of the login link identification.

[0063] To address the problems existing in the prior art, embodiments of this application provide a method, apparatus, device, storage medium, and program product for detecting attack behavior, firstly based on... Figure 1 This application introduces a method for detecting attack behavior, as provided in its embodiments. Figure 1 As shown, the method includes:

[0064] S101. Obtain the log data to be detected.

[0065] Understandably, system log data records not only local behavioral data but also information related to various user-initiated activities. Currently, system log data includes system kernel log data, security log data, and application log data. Therefore, electronic devices can use log data to determine whether an internal network lateral movement attack is occurring.

[0066] Based on the log data acquired by the electronic device, in order to unify the format of the log data, the log data can be uniformly defined as a six-tuple, which includes the source computer, destination computer, source user, destination user, time type, and other attribute information.

[0067] In one example, a six-tuple can be represented as: <C src U src C dst U dst ,T,A>, where C represents the computer, U represents the user, the subscript src indicates the source of the event, dst indicates the destination, T indicates the event type, such as login, authentication, process creation, file read / write, etc., and A represents other attribute information of the event, such as login method.

[0068] like Figure 2 As shown, Figure 2 An example diagram of log data is shown, in which the system log records log data of process startup.

[0069] S102. Determine the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected.

[0070] S103. Construct semantic sequences based on preset meta-paths and heterogeneous graphs.

[0071] The semantic sequence is used to characterize the behaviors included in the log data to be detected. The preset meta-path is set in advance based on experience. In this way, after acquiring the heterogeneous graph and the preset meta-path, the electronic device can construct the semantic sequence based on the heterogeneous graph according to the random walk strategy corresponding to the preset meta-path.

[0072] S104. Input the semantic sequence into the vector representation model to obtain the semantic sequence vector.

[0073] The vector representation model is trained using preset elements, weights, attribute information, and relationships of samples from historical log data.

[0074] S105. Use the anomaly detection model to detect semantic sequence vectors and obtain the prediction results of the anomaly detection model.

[0075] The prediction result indicates whether there are any attack behaviors in the log data to be detected.

[0076] Using the above method, after acquiring the log data to be detected, a heterogeneous graph of the log data is constructed. Then, after constructing a semantic sequence using the heterogeneous graph, a vector representation model outputs the corresponding semantic sequence vector. This vector representation model is trained using preset elements, weights, attribute information, and relationships of samples from historical log data. Therefore, the vector representation model can accurately and comprehensively describe the information in the heterogeneous graph. Consequently, the semantic sequence vector can accurately represent the behaviors contained in the log data to be detected. The semantic sequence vector corresponding to the semantic sequence is input into an anomaly detection model, which can determine whether the behaviors in the log data to be detected include attack behaviors. Because the vector representation model can output relatively comprehensive information from the heterogeneous graph, the accuracy of the anomaly detection model's prediction results is improved.

[0077] Regarding S102 above, the heterogeneous graph corresponding to the log data to be detected is determined based on the log data to be detected, such as... Figure 3 As shown, it can be specifically implemented as follows:

[0078] S1021. Obtain the statistical feature data of preset elements in the log data to be detected.

[0079] The preset elements are elements that can serve as nodes in a heterogeneous graph, pre-defined based on experience. In this embodiment, the preset elements can be computers, processes, users, and executable files. Statistical feature data is used to represent the patterns of different preset elements over different time periods. The statistical feature data of different preset elements can be pre-defined based on experience.

[0080] Specifically, for computer elements, information such as the computer's domain, IP address, earliest user access time, latest user access time, number of user accesses per day, number of different user accesses per day, number of different access types per day, number of user accesses per week, number of different user accesses per week, and number of different access types per week are used as statistical characteristic data for computer elements.

[0081] For user elements, the following information is used as statistical feature data: user's domain, earliest access time, latest access time, number of computers accessed per day, number of different computers accessed per day, number of different access types per day, number of computers accessed per week, number of different computers accessed per week, and number of different access types per week.

[0082] For process elements, information such as process ID, parent process ID, whether the process is associated with a file, number of times the process is started per day, number of times the process is started per week, earliest start time of the process, and latest start time of the process are used as statistical feature data for process elements.

[0083] For executable file elements, information such as file extension, file size, file creation time, file modification time, and file creation user are used as statistical feature data for executable file elements.

[0084] S1022. Obtain the association relationship of preset elements in the log data to be detected.

[0085] Understandably, in addition to defining preset elements, the relationships between preset elements can also be determined based on the log data to be detected. For example, if the log data to be detected represents the behavior of "computer creating process", then there is a relationship between the computer and the process.

[0086] Specifically, the types of relationships include usage type, startup type, access type, executed type, belonging type, creation type, modification type, and execution type.

[0087] In one example, the preset elements and relationships are shown in Table 1:

[0088] Table 1

[0089]

[0090]

[0091] S1023. Calculate the weight of the association relationship based on the user operation behavior data and statistical data in the log data to be detected.

[0092] Specifically, regarding the association relationship of usage type, electronic devices can calculate the average daily number of successful target users during the process of edge node computers connecting to the outside world within a week, divided by the average daily number of failed target users, to obtain the weight of the association relationship of usage type;

[0093] Regarding the association relationship of access types, electronic devices can calculate the average number of successful accesses to the target computer per day and the average number of failed accesses to the target computer per day during the week-long process of the source node user accessing the target computer, and obtain the weight of the association relationship of access types.

[0094] Regarding the association of startup types, electronic devices can calculate the average daily number of target processes created by the source node computer or user within a week to obtain the weight of the association of startup types.

[0095] Regarding the association relationship of creation type, the electronic device can calculate the average number of times the target executable file is created per day in the files created by the source node computer or user within a week, and obtain the weight of the association relationship of creation type;

[0096] Based on the association relationship of modification type, the electronic device can calculate the average number of times the target executable file is modified by the user or process of the source node within a week, and obtain the weight of the association relationship of modification type;

[0097] Based on the association of execution types, electronic devices can calculate the average number of times the target executable file is executed per day within a week when the source node computer or user executes the executable file, and obtain the weight of the association of execution types;

[0098] Based on the association of the execution type, the electronic device can calculate the average number of times the source node file of the edge is executed and transformed into a process within a week, and obtain the weight of the association of the execution type;

[0099] The weight calculation method for the above-mentioned types is the same as the weight calculation method for the association relationship between the above-mentioned creation type and startup type, and will not be repeated here.

[0100] S1024. Use the statistical feature data of the preset elements as the attribute information of the preset elements, and construct a heterogeneous graph according to the weight, attribute information, preset elements and relationships.

[0101] The method provided in this application involves identifying preset elements in the log to be detected, obtaining their statistical feature data and relationships, and using the statistical feature data as attribute information. Weights of the relationships are calculated based on user operation behavior data and statistical data. The preset elements can then be treated as nodes, and the connections between nodes are determined based on the relationships, thereby constructing a heterogeneous graph. In this way, each node possesses corresponding attribute information, and each relationship has a corresponding weight. This heterogeneous graph can more accurately represent the behavioral features contained in the log to be detected, and based on this graph, it can accurately determine whether the log data to be detected contains attack behavior.

[0102] The following combination Figure 4 The training process of the above vector representation model is introduced, such as... Figure 4 As shown, the training process of the vector representation model is as follows:

[0103] S401, Obtain historical log data.

[0104] S402. Obtain the sample statistical feature data of the preset elements in the historical log data.

[0105] Among them, the sample preset elements are elements that are pre-set based on experience and can serve as nodes in the sample heterogeneity graph. Sample statistical feature data are used to represent the patterns of different sample preset elements over different time periods. The sample statistical feature data of different sample preset elements can be pre-set based on experience.

[0106] S403. Obtain the sample association relationship of the preset elements in the historical log data.

[0107] S404. Calculate the sample weights of sample association relationships based on the user's historical operation behavior data and historical statistical data in the historical log data.

[0108] The specific method for calculating the sample weights of the sample association relationship is described in the above embodiment, and will not be repeated here.

[0109] S405. Use the sample statistical feature data of the preset elements as the sample attribute information of the preset elements, and construct a sample heterogeneity graph according to the sample weight, sample attribute information, sample preset elements and sample association relationship.

[0110] S406. Based on the preset meta-path, obtain the sample semantic sequence in the sample heterogeneous graph.

[0111] The sample semantic sequence is used to characterize the behaviors included in historical log data. The preset meta-path is set in advance based on experience. In this way, after acquiring the sample heterogeneity graph and the preset meta-path, the electronic device can construct the sample semantic sequence based on the sample heterogeneity graph according to the random walk strategy corresponding to the preset meta-path.

[0112] In one example, such as Figure 5 As shown, Figure 5 The left side illustrates an example of a sample heterogeneous graph, which includes nodes C, U, F, and P. Node C represents a computer node, node U represents a user node, node P represents a process node, and node F represents an executable file node.

[0113] Specifically, solid lines connecting nodes are determined based on the relationships between them, while dashed lines represent lateral movement attacks. Electronic devices are based on... Figure 5 The three preset meta paths shown on the right are examples of... Figure 5 The sample semantic sequence can be constructed based on the random walk strategy in the sample heterogeneity graph on the left.

[0114] S407. Input the sample semantic sequence into the graph embedding algorithm model to obtain the vector representation model.

[0115] The graph embedding algorithm model can employ the Metapath2Vec++ algorithm, which learns the behavioral relationships between nodes by setting specific preset metapath sampling nodes' neighborhoods and aggregating the features of neighborhood nodes. In this way, the graph embedding model can learn the structural features of heterogeneous graphs and also the semantic features of sample semantic sequences.

[0116] like Figure 6 As shown, the following is combined Figure 6 Introducing the training process of the vector representation model:

[0117] in, Figure 6 The diagram in Figure A is used to represent the behavioral sequences contained in historical log data. The first row represents the time series of user 1's actions, that is, the time series of user 1 accessing executable files through the computer;

[0118] The second line represents the time series of user 2's actions, that is, the time series of user 2 accessing other computers through the computer.

[0119] The third line represents the time sequence of the actions of computer 1, that is, the time sequence of computer 1 accessing other computers in response to user operations;

[0120] The fourth line represents the time sequence of the actions of computer 2, that is, the time sequence of computer 2 accessing other computers in response to user operations.

[0121] Figure B is a sample heterogeneity graph constructed by the electronic device based on the time series in Figure A. The specific method for constructing the sample heterogeneity graph is described in the relevant embodiments above, and will not be repeated here.

[0122] Graph C is a semantic sequence of samples constructed by an electronic device based on the sample heterogeneity graph and preset meta-path in Graph B.

[0123] Based on the constructed sample semantic sequence, the electronic device inputs the sample semantic sequence, the attribute information of the nodes in the sequence, and the weights of the relationships between the nodes into a Skip-Gram-based embedding learning model. The Skip-Gram-based embedding learning model is the graph embedding algorithm model mentioned above, which can be trained to obtain a vector representation model.

[0124] The method provided in this application involves determining preset sample elements in historical log data, obtaining sample statistical feature data and sample association relationships for these preset elements, and using the sample statistical feature data as sample attribute information. Based on user historical operation behavior data and historical statistical data, sample weights for sample association relationships are calculated. Preset sample elements can be used as nodes, and the connection relationships between nodes are determined based on sample association relationships, thereby constructing a sample heterogeneous graph. In this way, each node has corresponding attribute information, and each association relationship has corresponding weights. This sample heterogeneous graph can more accurately represent the behavioral features contained in historical log data. Based on this sample heterogeneous graph, the graph embedding algorithm model can learn the behavioral features of user behavior included in historical log data based on the aforementioned sample attribute information, sample weights, and the structural features of the sample heterogeneous graph, thereby improving the accuracy of the vector representation model and consequently improving the accuracy of the prediction results of the subsequent anomaly detection model.

[0125] The following combination Figure 7 The training process of the above anomaly detection model is described below, such as... Figure 7 As shown, the training process of the anomaly detection model is as follows:

[0126] S701. Obtain the sample semantic sequence vector corresponding to the sample semantic sequence.

[0127] Specifically, the vector representation model obtained through the above training is used to obtain the sample semantic sequence vector corresponding to the sample semantic sequence.

[0128] S702. Input the sample semantic sequence vector into the encoding / decoding model to obtain the output of the encoding / decoding model.

[0129] The output includes whether the historical log data includes attack behavior.

[0130] S703. Calculate the loss function of the encoding / decoding model according to the preset loss function and the output results.

[0131] The preset loss function includes target samples, which are used to distinguish attack behaviors in historical log data.

[0132] It should be noted that, in order to reduce the encoder's sensitivity to data and avoid overfitting, the loss function of the encoding and decoding model is calculated by introducing samples that can distinguish attack texts into the preset loss function, thereby improving the robustness of the encoding and decoding model.

[0133] Specifically, the preset loss function is shown in Formula 1:

[0134]

[0135] Among them, Dn Let L(x, g(f(x)))) represent the sample semantic sequence vector, (L(x, g(f(x)))) be the mean squared error (MSE) loss function, λ be a preset parameter, and J be the mean squared error (MSE) loss function. f (x) is the Jacobian matrix, used to represent the fluctuation effect between input and output. Specifically, in Samples whose partial derivatives are not zero are the target samples.

[0136] Furthermore, to further reduce the encoder's sensitivity to data, noise can be introduced into the input data of the encoding / decoding model. Specifically, random numbers can be added to the input data according to a preset ratio, thereby disrupting some dimensions of the input data. Since the aforementioned sample semantic sequences cannot fully cover all situations in real-world scenarios, introducing noise into the input data can improve the model's accuracy and prevent the model from outputting large deviations when there are small fluctuations in the input data, thus avoiding false alarms due to noise.

[0137] S704. Adjust the encoding / decoding model based on the loss function to obtain the anomaly detection model.

[0138] The structure of the anomaly detection model is as follows: Figure 8 As shown, X represents the input data. Noise is introduced into the input data to obtain input data X'. Then, input data X' is input into the fully connected layer, and the decoder reconstructs the input data to output the final result. Electronic devices use the Jacobian matrix to calculate the loss function of the encoding and decoding model based on the input and output data, thereby adjusting the encoding and decoding model and obtaining an anomaly detection model.

[0139] It should be noted that positive samples are used to train the encoding / decoding model during the training of the anomaly detection model. This allows the anomaly detection model to learn the behavioral characteristics of normal intranet behavior. Therefore, when the input data to the anomaly detection model is a behavioral feature vector that does not conform to normal intranet behavior, the anomaly detection model can amplify the error through reconstruction. This allows the anomaly detection model to determine that the behavioral feature vector represents abnormal intranet behavior. Therefore, the prediction result output by the anomaly detection model is that the behavior included in the log data to be detected corresponding to the behavioral feature vector contains attack behavior.

[0140] By using the method provided in this application embodiment, when adjusting the encoding and decoding model using a preset loss function, the loss function of the target sample in the preset loss function can be calculated. This allows the calculation to be performed on data in dimensions that have a distinguishing effect on attack behavior, thereby ensuring the accuracy of the calculation results. Consequently, when adjusting the encoding and decoding model using the loss function in the future, the accuracy of the anomaly detection model can be improved.

[0141] Based on the anomaly detection model obtained through the above training, to improve the accuracy of prediction results when using the anomaly detection model to detect semantic sequence vectors, timestamps, subtype information, and corresponding statistical feature information can be simultaneously input into the anomaly detection model. This ensures that the anomaly detection model detects attack behavior in the log data to be detected based on the timestamps, subtype information, and corresponding statistical feature information. Specifically, S105 above, using the anomaly detection model to detect semantic sequence vectors and obtaining the prediction results of the anomaly detection model, can be implemented as follows:

[0142] Step 1: Obtain the timestamp, subtype information of the association relationship, and statistical feature information corresponding to the semantic sequence vector.

[0143] Among them, subtype information is used to represent the behavioral characteristics corresponding to the association relationship.

[0144] Understandably, every computer user has their own unique usage habits. Therefore, timestamps can reflect a user's usage patterns over a certain period of time.

[0145] Specifically, converting timestamps into two vector dimensions, week and day, can reflect users' usage patterns during office hours.

[0146] For each type of association in the above embodiments, the behavior of that type can be further differentiated. For example, for access type associations, they can be further divided into interactive login and non-interactive login. Based on the sub-type information corresponding to each association, the behavioral patterns in intranet behavior can be determined more accurately.

[0147] In one example, the subtypes corresponding to each association can be as shown in Table 2, which exemplarily illustrates the categories of subtypes:

[0148] Table 2

[0149]

[0150]

[0151] For each subtype in Table 2, the corresponding statistical characteristics can be calculated as follows:

[0152] Calculate the number of times each subtype appears on a single day and the number of times it appears on a single week to obtain the statistical characteristic information corresponding to the subtype information.

[0153] Step 2: Input the timestamp, subtype information of the association relationship, statistical feature information corresponding to the subtype information, and semantic sequence vector into the anomaly detection model to obtain the prediction result.

[0154] The electronic device can concatenate the feature vectors corresponding to the timestamps, the feature vectors of the subtype information and the corresponding statistical feature information, and the semantic sequence vectors into a feature vector set, and normalize the feature vectors in the feature vector set. The normalized feature vector set is then used as the input data for the anomaly detection model.

[0155] Furthermore, in practical implementations, electronic devices can individually detect edge relationships within semantic sequence vectors. Thus, based on the semantic sequence, the electronic device can split the semantic sequence into different sequences of edge relationships to be detected. For example, a remote login event includes an event about the user logging into the target computer. In the case of remote login, the remote computer also includes process creation; that is, the remote login event contains three nodes: user, computer, and process. The electronic device can split the semantic sequence corresponding to this remote login event to obtain the user-to-computer sequence and the computer-to-process sequence, and then perform anomaly detection on the aforementioned user-to-computer sequence and computer-to-process sequence respectively.

[0156] Specifically, step 2 above can be implemented as follows:

[0157] For each pair of nodes in the semantic sequence vector, the product of the node representation vectors corresponding to each pair of nodes is calculated to obtain the target representation vector. The target representation vector, the timestamp corresponding to the target representation vector, the target subtype information of the association corresponding to the target representation vector, and the statistical feature information corresponding to the target subtype information are concatenated to obtain the input vector. The input vector is then fed into the anomaly detection model to obtain the prediction result.

[0158] It should be noted that lateral movement attacks mainly occur in two scenarios: first, between nodes with no connection; and second, between nodes with a connection. To ensure that the anomaly detection model is applicable to both scenarios, the probability of a connection between two nodes can be represented by multiplying and summing the vectors of the two nodes, similar to existing link prediction methods. In this embodiment, for any two nodes in a heterogeneous graph, the electronic device can calculate the product of the node representation vectors of the two nodes to obtain the target representation vector. Then, the calculated target representation vector is used as a semantic sequence vector and concatenated with the timestamp, subtype information of the association relationship, and statistical feature information corresponding to the subtype information to obtain the input vector.

[0159] Using the method provided in this application, an electronic device acquires the timestamp, subtype information of the association relationship, and statistical feature information corresponding to the subtype information of the semantic sequence vector. This information, along with the semantic sequence vector itself, is then input into an anomaly detection model. The model integrates the timestamp, subtype information of the association relationship, and statistical feature information of the subtype information to determine whether the log data to be detected contains attack behavior. The timestamp reflects the user's device usage habits during office hours, the subtype information can more finely distinguish the association relationships between nodes, and the statistical feature information corresponding to the subtype information can characterize the weight of the subtype information of the association relationship. Therefore, the anomaly detection model can more accurately predict the user's usage habits based on the aforementioned timestamp and subtype information, thereby improving the accuracy of the anomaly detection model's prediction results.

[0160] Based on the above embodiments, combined with Figure 9 This section describes the process of detecting attack behavior in the log data to be tested, such as... Figure 9 As shown:

[0161] Based on historical log data, the electronic device constructs a sample heterogeneity graph and corresponding sample semantic sequence vectors. Specifically, the methods for constructing the heterogeneity graph and the sample semantic sequence vectors are described in the aforementioned embodiments and will not be repeated here.

[0162] The electronic device then uses the Jacobian matrix to adjust the encoding / decoding model, resulting in a trained anomaly detection model. The specific training process is described in the above embodiments and will not be repeated here.

[0163] Based on the completed model training described above, after receiving the log data to be detected, the electronic device constructs a heterogeneous graph using the method described in the previous embodiment, and obtains the semantic sequence vector corresponding to the log data to be detected based on the constructed heterogeneous graph. The semantic sequence vector is then input into the anomaly detection model to obtain the prediction result of the anomaly detection model.

[0164] Furthermore, if the prediction results indicate that the attack behavior in the log data to be detected does not include the attack behavior, the electronic device can use the aforementioned log data to be detected as historical log data to retrain the vector representation model and the anomaly detection model, adjust the model parameters, and improve the accuracy of the model output results.

[0165] Based on the same concept, embodiments of this application provide an apparatus for detecting attack behavior, such as... Figure 10As shown, the device includes:

[0166] Module 1001 is used to acquire the log data to be detected;

[0167] The determination module 1002 is used to determine the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected;

[0168] Construction module 1003 is used to construct a semantic sequence based on a preset meta-path and the heterogeneous graph, wherein the semantic sequence is used to characterize the behaviors included in the log data to be detected;

[0169] Input module 1004 is used to input the semantic sequence into the vector representation model to obtain the semantic sequence vector. The vector representation model is trained using sample preset elements, sample weights, sample attribute information and sample association relationships of historical log data.

[0170] The detection module 1005 is used to detect the semantic sequence vector using an anomaly detection model and obtain the prediction result of the anomaly detection model. The prediction result indicates whether there is an attack behavior in the behavior included in the log data to be detected.

[0171] In one possible implementation, module 1002 is specifically used for:

[0172] Obtain statistical feature data of preset elements in the log data to be detected;

[0173] Obtain the association relationship of preset elements in the log data to be detected;

[0174] The weight of the association is calculated based on the user operation behavior data and statistical data in the log data to be detected;

[0175] The statistical feature data of the preset element is used as the attribute information of the preset element, and a heterogeneous graph is constructed according to the weight, the attribute information, the preset element and the relationship.

[0176] In one possible implementation, the detection module 1005 is specifically used for:

[0177] Obtain the timestamp corresponding to the semantic sequence vector, the subtype information of the association relationship, and the statistical feature information corresponding to the subtype information, wherein the subtype information is used to represent the behavioral features corresponding to the association relationship;

[0178] The timestamp, the subtype information of the association, the statistical feature information corresponding to the subtype information, and the semantic sequence vector are input into the anomaly detection model to obtain the prediction result.

[0179] In one possible implementation, the detection module 1005 is specifically used for:

[0180] For each pair of nodes in the semantic sequence vector, the product between the node representation vectors corresponding to each pair of nodes is calculated to obtain the target representation vector.

[0181] The target representation vector, the timestamp corresponding to the target representation vector, the target subtype information of the association relationship corresponding to the target representation vector, and the statistical feature information corresponding to the target subtype information are concatenated to obtain the input vector;

[0182] The input vector is input into the anomaly detection model to obtain the prediction result.

[0183] In one possible implementation, the device further includes:

[0184] The acquisition module 1001 is also used to acquire the historical log data;

[0185] The acquisition module 1001 is also used to acquire sample statistical feature data of the preset elements of the samples in the historical log data;

[0186] The acquisition module 1001 is also used to acquire the sample association relationship of the sample preset element in the historical log data;

[0187] The calculation module is used to calculate the sample weights of the association relationships based on the user's historical operation behavior data and historical statistical data in the historical log data.

[0188] The construction module 1003 is used to use the sample statistical feature data of the preset element as the sample attribute information of the sample preset element, and construct a sample heterogeneity graph according to the sample weight, the sample attribute information, the sample preset element and the sample association relationship.

[0189] The acquisition module 1001 is also used to acquire sample semantic sequences in the sample heterogeneity graph based on a preset meta-path;

[0190] The input module 904 is used to embed the sample semantic sequence into the input graph of the algorithm model to obtain the vector representation model.

[0191] In one possible implementation, the device further includes:

[0192] The acquisition module 1001 is also used to acquire the sample semantic sequence vector corresponding to the sample semantic sequence;

[0193] The input module 1004 is further configured to input the sample semantic sequence vector into the encoding and decoding model to obtain the output result of the encoding and decoding model, wherein the output result includes whether the historical log data includes attack behavior;

[0194] The calculation module is also used to calculate the loss function of the encoding and decoding model according to the preset loss function and the output result. The preset loss function includes target samples, which are used to distinguish attack behaviors in the historical log data.

[0195] The adjustment module is used to adjust the encoding / decoding model based on the loss function to obtain the anomaly detection model.

[0196] It should be noted that the device for detecting attack behavior is the same as the method for detecting attack behavior described above. All implementation methods in the above method embodiments are applicable to the embodiments of this device and can achieve the same technical effect.

[0197] Figure 11 A schematic diagram of the hardware structure of the electronic device provided in an embodiment of this application is shown.

[0198] An electronic device may include a processor 1101 and a memory 1102 storing computer program instructions.

[0199] Specifically, the processor 1101 may include a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits that can be configured to implement the embodiments of this application.

[0200] Memory 1102 may include mass storage for data or instructions. For example, and not limitingly, memory 1102 may include a hard disk drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, memory 1102 may include removable or non-removable (or fixed) media. Where appropriate, memory 1102 may be internal or external to the integrated gateway disaster recovery device. In a particular embodiment, memory 1102 is non-volatile solid-state memory.

[0201] Memory may include read-only memory (ROM), random access memory (RAM), disk storage media devices, optical storage media devices, flash memory devices, and electrical, optical, or other physical / tangible memory storage devices. Therefore, typically, memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software including computer-executable instructions, and when the software is executed (e.g., by one or more processors), it is operable to perform the operations described with reference to the methods according to one aspect of this disclosure.

[0202] The processor 1101 reads and executes computer program instructions stored in the memory 1102 to implement any of the attack behavior detection methods in the above embodiments.

[0203] In one example, the electronic device may also include a communication interface 1103 and a bus 1104. For example, Figure 11 As shown, the processor 1101, memory 1102, and communication interface 1103 are connected through bus 1104 and complete communication with each other.

[0204] The communication interface 1103 is mainly used to realize communication between various modules, devices, units and / or equipment in the embodiments of this application.

[0205] Bus 1104 includes hardware, software, or both, that couples components of an electronic device together. For example, and not limitingly, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an Infinite Bandwidth Interconnect, a Low Pin Count (LPC) bus, a memory bus, a Microchannel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local (VLB) bus, or other suitable buses, or combinations of two or more of these. Where appropriate, bus 1104 may include one or more buses. Although specific buses are described and illustrated in embodiments of this application, any suitable bus or interconnect is contemplated herein.

[0206] Furthermore, in conjunction with the attack behavior detection methods in the above embodiments, this application embodiment can provide a computer storage medium for implementation. The computer storage medium stores computer program instructions; when these computer program instructions are executed by a processor, they implement any of the attack behavior detection methods in the above embodiments.

[0207] In conjunction with the attack behavior detection methods in the above embodiments, this application embodiment can provide a computer program product, in which the instructions in the computer program product are executed by the processor of an electronic device, causing the electronic device to perform any of the attack behavior detection methods in the above embodiments.

[0208] It should be clarified that this application is not limited to the specific configurations and processes described above and shown in the figures. For the sake of brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method process of this application is not limited to the specific steps described and shown. Those skilled in the art can make various changes, modifications, and additions, or change the order of steps, after understanding the spirit of this application.

[0209] The functional blocks shown in the above-described structural diagram can be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, they can be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards, etc. When implemented in software, the elements of this application are programs or code segments used to perform the required tasks. Programs or code segments can be stored on a machine-readable medium or transmitted over a transmission medium or communication link via data signals carried on a carrier wave. "Machine-readable medium" can include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, etc. Code segments can be downloaded via computer networks such as the Internet, intranets, etc.

[0210] It should also be noted that the exemplary embodiments mentioned in this application describe methods or systems based on a series of steps or apparatus. However, this application is not limited to the order of the above steps; that is, the steps can be performed in the order mentioned in the embodiments, or in a different order, or several steps can be performed simultaneously.

[0211] The aspects of this disclosure have been described above with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this disclosure. It should be understood that each block in the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus to produce a machine such that these instructions, executable via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions / actions specified in one or more blocks of the flowchart illustrations and / or block diagrams. Such a processor can be, but is not limited to, a general-purpose processor, a special-purpose processor, a special application processor, or a field-programmable logic circuit. It is also understood that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can also be implemented by special-purpose hardware performing the specified functions or actions, or can be implemented by a combination of special-purpose hardware and computer instructions.

[0212] The above description is merely a specific implementation of this application. Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, modules, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here. It should be understood that the protection scope of this application is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in this application, and these modifications or substitutions should all be covered within the protection scope of this application.

Claims

1. A method for detecting attack behavior, characterized in that, include: Obtain the log data to be tested; Determine the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected; A semantic sequence is constructed based on a preset meta-path and the heterogeneous graph. The semantic sequence is used to characterize the behaviors included in the log data to be detected. The semantic sequence is input into the vector representation model to obtain the semantic sequence vector. The vector representation model is trained using the sample preset elements, sample weights, sample attribute information and sample association relationships of historical log data. The semantic sequence vector is detected using an anomaly detection model to obtain the prediction result of the anomaly detection model. The prediction result indicates whether there is an attack behavior in the behavior included in the log data to be detected.

2. The method according to claim 1, characterized in that, The step of determining the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected includes: Obtain statistical feature data of preset elements in the log data to be detected; Obtain the association relationship of preset elements in the log data to be detected; The weight of the association is calculated based on the user operation behavior data and statistical data in the log data to be detected; The statistical feature data of the preset element is used as the attribute information of the preset element, and a heterogeneous graph is constructed according to the weight, the attribute information, the preset element and the relationship.

3. The method according to claim 1, characterized in that, The step of using an anomaly detection model to detect the semantic sequence vector and obtaining the prediction result of the anomaly detection model includes: Obtain the timestamp corresponding to the semantic sequence vector, the subtype information of the association relationship, and the statistical feature information corresponding to the subtype information, wherein the subtype information is used to represent the behavioral features corresponding to the association relationship; The timestamp, the subtype information of the association, the statistical feature information corresponding to the subtype information, and the semantic sequence vector are input into the anomaly detection model to obtain the prediction result.

4. The method according to claim 3, characterized in that, The step of inputting the timestamp, the subtype information of the association relationship, the statistical feature information corresponding to the subtype information, and the semantic sequence vector into the anomaly detection model to obtain the prediction result includes: For each pair of nodes in the semantic sequence vector, the product between the node representation vectors corresponding to each pair of nodes is calculated to obtain the target representation vector. The target representation vector, the timestamp corresponding to the target representation vector, the target subtype information of the association relationship corresponding to the target representation vector, and the statistical feature information corresponding to the target subtype information are concatenated to obtain the input vector; The input vector is input into the anomaly detection model to obtain the prediction result.

5. The method according to claim 1, characterized in that, Before inputting the semantic sequence into the vector representation model to obtain the semantic sequence vector, the method further includes: Obtain the historical log data; Obtain the sample statistical feature data of the preset elements in the historical log data; Obtain the sample association relationship of the preset elements in the historical log data; Based on the user's historical operation behavior data and historical statistical data in the historical log data, calculate the sample weight of the association relationship; The sample statistical feature data of the preset element is used as the sample attribute information of the sample preset element, and a sample heterogeneity graph is constructed according to the sample weight, the sample attribute information, the sample preset element and the sample association relationship. Based on a preset meta-path, the sample semantic sequence is obtained from the sample heterogeneity graph; The sample semantic sequence is input into the graph embedding algorithm model to obtain the vector representation model.

6. The method according to claim 5, characterized in that, Before using the anomaly detection model to detect the semantic sequence vector and obtaining the prediction result of the anomaly detection model, the method further includes: Obtain the sample semantic sequence vector corresponding to the sample semantic sequence; The sample semantic sequence vector is input into the encoding and decoding model to obtain the output of the encoding and decoding model. The output includes whether the historical log data includes attack behavior. The loss function of the encoding / decoding model is calculated according to the preset loss function and the output result. The preset loss function includes target samples, which are used to distinguish attack behaviors in the historical log data. The anomaly detection model is obtained by adjusting the encoding / decoding model based on the loss function.

7. A device for detecting attack behavior, characterized in that, include: The acquisition module is used to acquire the log data to be detected. The determination module is used to determine the heterogeneous graph corresponding to the log data to be detected based on the log data to be detected. The construction module is used to construct a semantic sequence based on a preset meta-path and the heterogeneous graph, wherein the semantic sequence is used to characterize the behaviors included in the log data to be detected; The input module is used to input the semantic sequence into the vector representation model to obtain the semantic sequence vector. The vector representation model is trained using sample preset elements, sample weights, sample attribute information and sample association relationships of historical log data. The detection module is used to detect the semantic sequence vector using an anomaly detection model and obtain the prediction result of the anomaly detection model. The prediction result indicates whether there is an attack behavior in the behavior included in the log data to be detected.

8. An electronic device, characterized in that, The device includes: a processor and a memory storing computer program instructions; When the processor executes the computer program instructions, it implements the attack behavior detection method as described in any one of claims 1-6.

9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer program instructions, which, when executed by a processor, implement the attack behavior detection method as described in any one of claims 1-6.

10. A computer program product, characterized in that, When the instructions in the computer program product are executed by the processor of the electronic device, the electronic device performs the attack behavior detection method as described in any one of claims 1-6.