A network security fault diagnosis and defense method, system, medium and product
By constructing an event correlation graph and calculating threat weights, the problem of inaccurate identification of network attack paths in smart factories was solved, and accurate network security fault diagnosis and defense were achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- FUJIAN GUOKE INFORMATION TECH CO LTD
- Filing Date
- 2026-02-11
- Publication Date
- 2026-06-05
AI Technical Summary
In smart factories, existing network security systems struggle to accurately determine the propagation paths of multi-stage, distributed network attacks, leading to inaccurate threat source identification and reducing the accuracy of network security fault diagnosis and defense.
By acquiring and sorting network log data, an event correlation graph is constructed, anomaly scores of propagation paths are identified, attack fragments are segmented, attack chains with target semantic tags are generated, threat weights are calculated, and firewall rules are automatically generated for precise defense.
It enables accurate identification and defense against network attacks, improves the accuracy of network security fault diagnosis and defense, and can systematically analyze the correlation between abnormal behaviors and accurately determine the source address of threats.
Smart Images

Figure CN122160108A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data processing technology, specifically to a method, system, medium, and product for network security fault diagnosis and defense. Background Technology
[0002] With the rapid development of Industry 4.0, smart factories have become an important direction for the digital transformation of the manufacturing industry. In smart factories, industrial control systems, production equipment, and other components are interconnected through the Industrial Internet, forming a highly networked production environment. This makes cybersecurity a crucial issue in the operation of smart factories.
[0003] Currently, smart factories commonly use traditional security equipment such as firewalls and intrusion detection systems for network protection. These devices monitor network traffic in real time and intercept suspicious network behavior based on preset security rules. When abnormal traffic is detected, security experts analyze and handle the suspicious behavior based on the device alarm information.
[0004] However, in practical applications, as network attack methods continue to evolve, attackers often launch attacks in a multi-stage, distributed manner, hopping between different network nodes to penetrate the network. In such cases, relying solely on alarm information from a single device node makes it difficult for security experts to accurately determine the attack's propagation path. Especially when faced with massive amounts of network log data, the lack of systematic analysis of the correlations between abnormal behaviors leads to inaccurate judgments of the threat source, thereby reducing the accuracy of network security fault diagnosis and defense. Summary of the Invention
[0005] This application provides a method, system, medium, and product for network security fault diagnosis and defense, which can improve the accuracy of network security fault diagnosis and defense.
[0006] The first aspect of this application provides a method for diagnosing and defending against network security faults, including: Obtain network log data from the smart factory and sort it according to the timestamps of the network log data to obtain a network log set; Based on the source IP address and destination IP address of each network log in the network log set, the directed connections between event nodes are determined, and an event association graph is generated according to the directed connections. The event association graph is traversed to determine the propagation path, the anomaly score of the propagation path is calculated, the propagation path with the anomaly score exceeding a preset threshold is marked as a suspected attack propagation path, and the suspected attack propagation path is divided into multiple attack segments according to the abrupt change position of the time interval between event nodes in the suspected attack propagation path. Based on each of the attack fragments, generate an attack chain with target semantic tags; Obtain the out-degree and in-degree values of each event node in the attack chain, and calculate the threat weight of the event node; The source IP address of the event node with the highest threat weight is determined as the threat source address; Based on the critical threat source address and the destination IP address and port number in the attack chain, a set of firewall rules is generated and sent to the firewall device for execution.
[0007] By adopting the above technical solution, network log data is acquired and sorted to form a network log set. Then, an event correlation graph is constructed based on the source IP address and destination IP address of the network log, which can comprehensively reflect the correlation between event nodes in the network. By traversing the event correlation graph and calculating the anomaly score of the propagation path, and combining the position of time interval mutation, the suspected attack propagation path is divided into multiple attack fragments, which can accurately identify the propagation characteristics of the attack behavior. Furthermore, by generating attack chains with target semantic tags for the attack fragments, and calculating the threat weight based on the out-degree and in-degree values of the event nodes in the attack chain, the correlation between abnormal behaviors can be systematically analyzed, thereby accurately determining the threat source address. Finally, based on the identified threat source address and the destination IP address and port number in the attack chain, firewall rules are automatically generated and distributed, realizing precise defense measures and improving the accuracy of network security fault diagnosis and defense.
[0008] Optionally, the network log set is traversed, and each network log record in the network log set is taken as an event node. The source IP address and destination IP address of the event node are extracted. If the destination IP address of the first event node is the same as the source IP address of the second event node, and the timestamp of the second event node is later than the timestamp of the first event node, then a directed connection is established between the first event node and the second event node. The direction of the directed connection is from the first event node to the second event node. The first event node and the second event node are the event nodes corresponding to any two different network log records in the network log set. All event nodes and directed connections are organized into a directed graph structure to generate an event association graph.
[0009] Optionally, a preset depth-first traversal algorithm is used to traverse the event association graph; all event nodes reached from any starting event node are recorded to generate propagation paths; the number of different network regions involved in each propagation path is counted; propagation paths involving a number of different network regions greater than or equal to a preset number are selected; the path length, the number of different ports involved in the path, and the time distribution dispersion of event nodes in the path are weighted and calculated to obtain the anomaly score of the selected propagation path; propagation paths with anomaly scores exceeding a preset anomaly threshold are marked as suspected attack propagation paths.
[0010] Optionally, the time interval between all adjacent event nodes in the suspected attack propagation path is calculated; based on the time interval between adjacent event nodes, the average time interval of the suspected attack propagation path is calculated; adjacent event nodes in the suspected attack propagation path are traversed, and when the time interval between any two adjacent event nodes exceeds a preset multiple of the average time interval, the positions of the two adjacent event nodes are marked as stage segmentation points; the suspected attack propagation path is segmented into multiple attack segments according to the stage segmentation points.
[0011] Optionally, for each attack fragment, the protocol type sequence and port number sequence in the attack fragment are extracted, and the similarity between the protocol type sequence and the port number sequence and the pre-stored attack pattern library is calculated to obtain the pattern similarity of the attack fragment; attack fragments whose pattern similarity exceeds the matching threshold are assigned target semantic tags; and attack fragments with target semantic tags are connected to obtain the attack chain with target semantic tags.
[0012] Optionally, the number of directed connections from each event node in the attack chain to other event nodes and the number of directed connections to the event node are obtained to obtain the out-degree and in-degree values of the event nodes, respectively. Based on the ratio of the out-degree to the in-degree values, event nodes whose ratio is greater than or equal to a preset ratio are marked as diffusion nodes, and event nodes whose ratio is less than the preset ratio are marked as aggregation nodes. Starting from the diffusion node, the number of reachable aggregation nodes is recursively counted along the directed connections to obtain the influence range of the diffusion node. According to a preset weight correction coefficient mapping table, the correction coefficient corresponding to the protocol type of the aggregation node is determined, and the baseline weight value corresponding to the influence range is corrected according to the correction coefficient to obtain the threat weight of the event node.
[0013] Optionally, based on the threat source address and all destination IP addresses in the attack chain, a first firewall rule is generated to block communication between the threat source address and the destination IP addresses; based on the port numbers involved in the attack chain, a second firewall rule is generated to limit the access rate of the port numbers; based on the network areas affected in the attack chain, a third firewall rule is generated to isolate the network areas; the first firewall rule, the second firewall rule, and the third firewall rule are combined into a firewall rule set; the firewall rule set is distributed to the firewall device of the smart factory, and the firewall device executes the blocking operation corresponding to the firewall rule set.
[0014] Secondly, embodiments of this application provide a network security fault diagnosis and defense system, which includes: one or more processors and a memory; the memory is coupled to the one or more processors, and the memory is used to store computer program code, which includes computer instructions, and the one or more processors call the computer instructions to cause the network security fault diagnosis and defense system to perform the method described in the first aspect and any possible implementation thereof.
[0015] Thirdly, embodiments of this application provide a computer-readable storage medium including instructions that, when executed on a network security fault diagnosis and defense system, cause the network security fault diagnosis and defense system to perform the method described in the first aspect and any possible implementation thereof.
[0016] Fourthly, embodiments of this application provide a computer program product containing instructions that, when the computer program product is run on a network security fault diagnosis and defense system, cause the network security fault diagnosis and defense system to execute the method described in the first aspect and any possible implementation thereof.
[0017] In summary, one or more technical solutions provided in this application have at least the following technical effects or advantages: By adopting the above technical solution, network log data is acquired and sorted to form a network log set. Then, an event correlation graph is constructed based on the source IP address and destination IP address of the network log, which can comprehensively reflect the correlation between event nodes in the network. By traversing the event correlation graph and calculating the anomaly score of the propagation path, and combining the position of time interval mutation, the suspected attack propagation path is divided into multiple attack fragments, which can accurately identify the propagation characteristics of the attack behavior. Furthermore, by generating attack chains with target semantic tags for the attack fragments, and calculating the threat weight based on the out-degree and in-degree values of the event nodes in the attack chain, the correlation between abnormal behaviors can be systematically analyzed, thereby accurately determining the threat source address. Finally, based on the identified threat source address and the destination IP address and port number in the attack chain, firewall rules are automatically generated and distributed, realizing precise defense measures and improving the accuracy of network security fault diagnosis and defense. Attached Figure Description
[0018] Figure 1 This is a flowchart illustrating a network security fault diagnosis and defense method disclosed in an embodiment of this application; Figure 2 This is another schematic flowchart of a network security fault diagnosis and defense method disclosed in an embodiment of this application; Figure 3 This is a schematic diagram of the structure of a system provided in an embodiment of this application.
[0019] Explanation of reference numerals in the attached drawings: 301, Central Processing Unit; 302, Read-Only Memory; 303, Random Access Memory; 304, Bus; 305, Input / Output Interface; 306, Input Section; 307, Output Section; 308, Storage Section; 309, Communication Section; 310, Driver; 311, Removable Media. Detailed Implementation
[0020] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments.
[0021] In the description of the embodiments of this application, the words "for example" or "for instance" are used to indicate examples, illustrations, or explanations. Any embodiment or design that is described as "for example" or "for instance" in the embodiments of this application should not be construed as being more preferred or advantageous than other embodiments or design options. Rather, the use of the words "for example" or "for instance" is intended to present the relevant concepts in a specific manner.
[0022] In the description of the embodiments of this application, the term "multiple" means two or more. For example, multiple systems means two or more systems, and multiple screen terminals means two or more screen terminals. Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the indicated technical features. Thus, a feature defined with "first" or "second" may explicitly or implicitly include one or more of that feature. The terms "comprising," "including," "having," and variations thereof all mean "including but not limited to," unless otherwise specifically emphasized.
[0023] This application provides a method for network security fault diagnosis and defense, referring to... Figure 1 , Figure 1 This is a flowchart illustrating a network security fault diagnosis and defense method provided in an embodiment of this application. The method is applied to a system, which refers to a hardware and software integrated platform capable of executing network security fault diagnosis and defense programs. The system can execute a network security fault diagnosis and defense program. The method includes steps 101 to 106, as follows: Step 101: Obtain the network log data of the smart factory and sort it according to the timestamp of the network log data to obtain the network log set.
[0024] A smart factory refers to a modern manufacturing plant that utilizes next-generation information technologies such as the Internet of Things (IoT) and artificial intelligence (AI) to achieve the digitalization, networking, and intelligentization of its production processes. Network log data refers to various data records generated during the operation of the factory network, including equipment connection information, data transmission records, system operating status, and operational behaviors. Each record is timestamped. A timestamp is a numerical value that represents the precise point in time when the data was generated, typically recorded in Unix timestamp format (the number of seconds since January 1, 2020, at midnight UTC) or ISO 8601 standard format (e.g., "2024-12-30T10:30:00Z"). A network log collection refers to a dataset of these time-sensitive log data organized in a unified format.
[0025] Specifically, the first step is data acquisition. Network logs are collected through a network monitoring system deployed within the factory. Specific methods include: directly reading system log files from network devices, collecting network device operational data via the SNMP protocol, capturing data packets using network packet capture tools, and calling device API interfaces to obtain operational logs. The acquired raw data needs to be formatted uniformly, and the timestamp information of each record is extracted. Then, a sorting operation is performed, using the timestamp as the sorting key. Algorithms such as quicksort and mergesort can be used to rearrange all logs in chronological order. For example, if a device connection log has a timestamp of "2024-12-30T10:30:00Z" and a device status log has a timestamp of "2024-12-30T10:29:58Z", after sorting, the status log will appear before the connection log. This ultimately forms a strictly chronologically ordered set of network logs, facilitating subsequent analysis and processing.
[0026] Step 102: Based on the source IP address and destination IP address of each network log in the network log set, determine the directed connections between event nodes, and generate an event association graph based on the directed connections.
[0027] In a network log collection, the source and destination IP addresses refer to the network identifiers of the sender and receiver of the data packets, respectively, represented in IPv4 or IPv6 format, such as "192.168.1.1". Event nodes are participating entities in network communication, including servers, workstations, and network devices, and are represented as nodes in association analysis. A directed connection represents the communication relationship between two event nodes, with a clear direction, pointing from the source node to the destination node. An event association graph is a data structure that graphically displays the communication relationships between nodes in a network, containing two basic elements: nodes (vertex) and edges (edge). Nodes represent communication entities, and edges represent communication relationships.
[0028] Specifically, the process begins by traversing each log record in the network log collection, extracting the source and destination IP address fields. For each IP address pair, a corresponding event node object is created, and a directed edge is established from the source IP node to the destination IP node. During implementation, an adjacency list or adjacency matrix is used to store the graph structure data. For example, if a log record shows data being sent from IP address "192.168.1.100" to "192.168.1.200", two nodes are created to represent these two IP addresses, and a directed edge is added from the "192.168.1.100" node to the "192.168.1.200" node. If multiple log records show the same communication relationship, the number of communications needs to be recorded on the corresponding directed edge. After processing all log records, a complete event association graph is obtained, containing all observed network communication relationships. This graph can be further used for tasks such as network behavior analysis and anomaly detection. In practical implementation, graph theory libraries such as NetworkX can be used to construct and manipulate graph structures, and tools such as Graphviz can be used to achieve graphical display.
[0029] In one possible implementation, directed connections between event nodes are determined based on the source IP addresses and destination IP addresses of each network log in the network log set, and an event association graph is generated based on the directed connections. Specifically, this includes steps 1021-1023, as follows: Step 1021: Traverse the network log collection, treat each network log record in the network log collection as an event node, and extract the source IP address and destination IP address of the event node.
[0030] A network log record is a single data record generated during network communication, containing fields such as time, IP address, port number, and protocol type. An event node here specifically refers to a data object converted from a single network log record; this object contains complete information about the log record. The source IP address is the network identifier of the device sending data in network communication, represented in dotted decimal (IPv4, e.g., "192.168.1.1") or hexadecimal (IPv6, e.g., "2001:0db8:85a3:0000:0000:8a2e:0370:7334") format. The destination IP address is the network identifier of the device receiving data, with the same format as the source IP address.
[0031] Specifically, the sorted network log collection is first sequentially traversed, reading each log record. For each log record, a new event node object is created, which needs to contain a unique identifier (such as an auto-incrementing ID or UUID). Then, the source IP address and destination IP address fields are parsed from the log record. The parsing process needs to handle IP address formats of different types, including IPv4 and IPv6, and perform format validation to ensure the validity of the IP addresses. For example, for a log record containing the source IP "192.168.1.100" and the destination IP "192.168.1.200", an event node object is created, containing the node ID (such as "node_1"), source IP, and destination IP information. In implementation, object-oriented programming methods can be used to define the event node class, including the necessary attributes and methods. Specific IP address parsing can be performed using regular expressions or a dedicated IP address processing library. These event node objects will be used to subsequently build the event association graph. Invalid IP address records need to be marked or filtered to ensure data accuracy.
[0032] Step 1022: If the destination IP address of the first event node is the same as the source IP address of the second event node, and the timestamp of the second event node is later than the timestamp of the first event node, then a directed connection is established between the first event node and the second event node. The direction of the directed connection is from the first event node to the second event node. The first event node and the second event node are the event nodes corresponding to any two different network log records in the network log set.
[0033] An event node is a data object derived from network log records, containing attributes such as timestamp, source IP address, and destination IP address. A directed connection is a fundamental concept in graph theory, representing a directional relationship between two nodes, represented by a directed edge with a clearly defined starting point (source node) and ending point (destination node). A timestamp is a numerical record of when an event occurred, using Unix timestamps (e.g., 1703925600 represents 2023-12-30 00:00:00 UTC) or ISO8601 format (e.g., "2023-12-30T00:00:00Z"). The temporal order of two event nodes is determined by comparing their timestamp values.
[0034] Specifically, this step implements the process of constructing directed connections between event nodes based on IP address association and timing relationships. In practice, the event nodes in the network log set need to be traversed twice. During the traversal, any two distinct event nodes are selected and designated as the first event node and the second event node, respectively. For each pair of event nodes, the destination IP address of the first event node and the source IP address of the second event node are first compared to see if they are completely identical. This requires string matching or IP address numerical comparison. Then, the timestamps of the two event nodes are compared. After converting the timestamps to a unified format (such as Unix timestamps), the values are compared to determine if the timestamp of the second event node is greater than that of the first event node. When both conditions are met—that is, the IP addresses match and the timing is correct—a directed connection is created between the two event nodes. For example, the first event node records communication from "192.168.1.100" to "192.168.1.200" with a timestamp of "2025-12-30T10:00:00Z", and the second event node records communication from "192.168.1.200" to "192.168.1.300" with a timestamp of "2025-12-30T10:01:00Z". Since the destination IP of the first event node is the same as the source IP of the second event node (both are "192.168.1.200"), and the time of the second event node is later than that of the first event node, a directed connection from the first event node to the second event node is established between these two nodes. This connection relationship can be stored using an adjacency list or adjacency matrix and can be implemented and managed using a graphics library (such as NetworkX).
[0035] Step 1023: Organize all event nodes and directed connections into a directed graph structure to generate an event association graph.
[0036] A directed connection is a directional relationship between two event nodes, representing the direction of data flow or behavior transmission. A directed graph structure is a data structure composed of a set of nodes and a set of directed edges, where nodes represent entities and directed edges represent directional relationships between entities. An event association graph is a complete example of a directed graph data structure that visualizes and structures the event connections in network behavior, containing all related event nodes and the directed connections between them.
[0037] Specifically, first, create an empty directed graph data structure, which can be represented using an adjacency list or adjacency matrix. Iterate through all event nodes, adding each node to the graph structure and assigning a unique identifier to each node. Then, iterate through all established directed connections, adding these connections as directed edges to the graph, with each edge containing direction information from the source node to the target node. During implementation, graph theory libraries (such as Python's NetworkX) can be used to construct the graph structure. For example, for event node A (timestamp: 2024-12-30T10:00:00Z, source IP: 192.168.1.100, destination IP: 192.168.1.200) and event node B (timestamp: 2024-12-30T10:01:00Z, source IP: 192.168.1.200, destination IP: 192.168.1.300), if a directed connection exists between them, a directed edge from node A to node B is added to the graph. After the graph structure is constructed, graph layout algorithms (such as force-directed layout and hierarchical layout) can be used to spatially arrange the nodes, and a graph rendering library (such as Graphviz) can be used to visualize the graph structure, generating an intuitive event association graph. This graph supports subsequent graph algorithm operations such as path analysis, connectivity analysis, and community detection, and can be persistently stored and queried through a graph database (such as Neo4j).
[0038] Step 103: Traverse the event association graph, determine the propagation path, calculate the anomaly score of the propagation path, mark the propagation path with anomaly score exceeding the preset threshold as a suspected attack propagation path, and divide the suspected attack propagation path into multiple attack segments according to the abrupt change position of the time interval between event nodes in the suspected attack propagation path.
[0039] Anomaly score is a numerical metric used to quantify the degree of anomaly in a propagation path, derived by calculating multiple characteristic parameters along the path. The preset threshold is the criterion for anomaly detection, serving as the numerical boundary distinguishing between normal and abnormal paths. A suspected attack propagation path is a propagation path whose anomaly score exceeds the preset threshold. A time interval abrupt change location refers to the point where the time difference between adjacent event nodes on the path changes significantly. An attack segment is a subsequence of the path segmented from these time interval abrupt change locations.
[0040] Specifically, this step uses a depth-first search or breadth-first search algorithm to traverse the event association graph. Starting from each possible starting node, it explores all reachable ending nodes along the directed edges, thereby identifying all propagation paths in the graph. For each identified propagation path, its anomaly score needs to be calculated. The calculation process comprehensively considers multiple feature dimensions of the path: the number of nodes in the path reflects the breadth of propagation; the time difference between the first and last nodes of the path represents the duration of propagation; the statistical characteristics of the time intervals between nodes (mean, variance, maximum, and minimum) reflect the temporal pattern of propagation; and the range of IP address ranges represents the spatial propagation characteristics. These features are weighted and summed to obtain the comprehensive anomaly score of the path. For example, a propagation path contains 5 nodes, with a total time span of 30 minutes, an average time interval between nodes of 7.5 minutes, a time interval variance of 2 minutes, a maximum interval of 10 minutes, and a minimum interval of 5 minutes. Substituting these values into the anomaly score calculation formula yields the final score. The calculated anomaly score is compared with a pre-set threshold (e.g., 0.8), and paths exceeding the threshold are marked as suspected attack propagation paths. For each suspected attack propagation path, the abrupt change in time intervals is identified by calculating the time interval sequence between adjacent nodes and using statistical methods (such as the 3σ rule based on the mean and standard deviation or outlier detection methods based on quartiles). When a time interval is found to be significantly larger than other intervals, that location is identified as an abrupt change point, and the propagation path is segmented into independent attack segments at that point. This segmentation method can separate attack behaviors at different time stages, facilitating subsequent in-depth analysis and feature extraction for each attack segment.
[0041] In one possible implementation, the event correlation graph is traversed to determine the propagation path, anomaly scores are calculated for the propagation path, and propagation paths with anomaly scores exceeding a preset threshold are marked as suspected attack propagation paths. Specifically, this includes steps 1031-1033, as follows: Step 1031: Use a preset depth-first traversal algorithm to traverse the event association graph; record all event nodes reached from any starting event node, and generate a propagation path.
[0042] Depth-first search (DFS) is a graph traversal algorithm that starts from a specified starting node and explores along a path to the deepest point, backtracking to the previous node when it cannot proceed further, and continuing to explore other unvisited paths. An event graph is a graph structure composed of event nodes and directed connections, representing the relationships between network behaviors. A propagation path is a complete path from the starting node to the ending node in the graph, recording the order in which network behaviors are transmitted. The starting event node is the first node on the propagation path, representing the beginning of the behavior sequence.
[0043] Specifically, first, an empty set of visit markers and a stack structure are created to store the current path. For each node in the graph as the starting node, the following traversal process is performed: push the starting node onto the stack and mark it as visited; then find all unvisited neighboring nodes of the current node. Select an unvisited neighboring node, push it onto the stack and mark it as visited, and continue exploring the neighboring nodes of this new node. When a node is encountered that has no unvisited neighboring nodes, record the node sequence in the stack as a complete propagation path, then pop the node from the stack and backtrack to the previous node to continue exploring other branches. For example, in an event graph containing nodes A, B, C, and D, starting from node A, traversing to B and C, the path A->B->D is first explored to the end, this propagation path is recorded, and then backtracking is performed to explore the path A->C->D, ultimately obtaining two complete propagation paths. During the traversal, loops need to be avoided by checking whether a node is already in the current path to prevent infinite loops. After all possible propagation paths have been explored and recorded, a propagation path set is formed, with each path containing a complete node sequence and corresponding temporal information.
[0044] Step 1032: Count the number of different network regions involved in each propagation path; filter out propagation paths that involve a number of different network regions greater than or equal to a preset number.
[0045] A network area is a logical partition within a network containing a group of devices with similar network characteristics (such as IP address ranges and subnet masks), distinguished by the network part of their IP addresses. The number of different network areas refers to the number of different network areas traversed by a propagation path, calculated by analyzing the network areas to which the IP addresses of each node along the path belong. The preset number is a threshold used to filter propagation paths, representing the minimum number of different network areas a propagation path must traverse.
[0046] Specifically, the first step is to perform network area analysis on each propagation path. For each event node in the path, its source IP address and destination IP address are extracted, and the network area to which it belongs is determined by calculating the network number portion of the IP address. The network number is calculated by performing a bitwise AND operation between the IP address and the subnet mask. For example, the network number of the IP address "192.168.1.100" under the subnet mask "255.255.255.0" is "192.168.1.0". This calculation process is performed on all IP addresses along a propagation path, and the resulting network numbers are stored in a set. Due to the nature of sets, duplicate elements are automatically removed, and the final size of the set represents the number of different network areas involved in the propagation path. For example, a propagation path might contain three event nodes with IP addresses "192.168.1.100", "192.168.2.200", and "192.168.2.300". Under a subnet mask of "255.255.255.0", the corresponding network numbers are "192.168.1.0" and "192.168.2.0" (the latter two IPs belong to the same network area). Therefore, this path involves two different network areas. The calculated number of network areas is compared to a preset threshold, and only propagation paths with a number of network areas greater than or equal to the threshold are retained. If the preset threshold is 2, the propagation path in the above example will be retained, while paths that propagate only within a single network area will be filtered out. This filtering method helps identify complex propagation behaviors that span multiple network areas.
[0047] Step 1033: Perform a weighted calculation on the path length, the number of different ports involved in the path, and the time distribution dispersion of event nodes in the path of the selected propagation path to obtain the anomaly score of the selected propagation path; mark the propagation path with anomaly score exceeding the preset anomaly threshold as a suspected attack propagation path.
[0048] Path length is the number of event nodes included in the propagation path. Port is a numerical identifier used in network communication to distinguish applications or services, ranging from 0 to 65535, where 0-1023 are system ports, 1024-49151 are registration ports, and 49152-65535 are dynamic ports. Temporal distribution dispersion is a statistical indicator used to measure the degree of dispersion of event occurrence times, usually calculated using standard deviation or coefficient of variation; a higher value indicates a more dispersed temporal distribution. Anomaly score is a comprehensive score obtained by weighting multiple feature indicators, used to quantify the degree of anomaly in the propagation path. Preset anomaly threshold is a numerical boundary used to distinguish between normal and abnormal propagation paths.
[0049] Specifically, the first step is to calculate three characteristic indicators for each selected propagation path. The path length is obtained directly by counting the number of nodes in the path. The number of different ports is obtained by collecting the source and destination ports of all event nodes in the path, deduplicating them using a set, and then calculating the number of elements. The calculation process for the time distribution dispersion is as follows: First, convert the timestamps of all event nodes in the path to Unix timestamp format (seconds), calculate the mean and standard deviation of these timestamps, and divide the standard deviation by the mean to obtain the coefficient of variation, which is used as the time distribution dispersion. These three indicators are then weighted and calculated using the following formula: Anomaly Score = w1 × Path Length Standardized Value + w2 × Port Count Standardized Value + w3 × Time Distribution Dispersion Standardized Value, where w1, w2, and w3 are predefined weight coefficients that satisfy w1 + w2 + w3 = 1, and the standardized value is the result of mapping the original value to the [0, 1] interval through the maximum and minimum values. For example, a propagation path with a length of 5, involving 8 different ports, a time distribution dispersion of 0.6, and weights of 0.3, 0.3, and 0.4 respectively, can be substituted into the calculation formula to obtain the anomaly score for that path. If the preset anomaly threshold is 0.7, then propagation paths with anomaly scores exceeding 0.7 will be marked as suspected attack propagation paths. This comprehensive scoring method based on multi-dimensional features can more comprehensively identify propagation paths with attack characteristics.
[0050] Step 104: Generate an attack chain with target semantic tags based on each attack fragment.
[0051] Target semantic tags are identifiers that describe the characteristics and purpose of attack behavior, including information such as attack type, attack stage, and attack target. An attack chain is a complete attack sequence formed by connecting multiple attack fragments in the logical order of the attack process, reflecting the evolution path of the entire attack. Semantic tag annotation is based on network behavioral characteristics in the attack fragments, such as typical attack patterns like port scanning, privilege escalation, and data theft.
[0052] Specifically, the first step is to perform feature analysis and semantic annotation on each attack segment. Feature extraction is performed on the event sequence within the attack segment, including: communication port patterns (e.g., numerous accesses to the same port indicate service scanning, access to high-risk ports such as 445 and 3389 indicates potential vulnerability exploitation), data transmission patterns (e.g., a large number of small data packets in a short period indicates scanning behavior, continuous transmission of large data packets indicates data theft), and protocol features (e.g., a large number of ICMP packets indicate network probing, abnormal DNS requests indicate possible tunneling communication), etc. Based on the extracted features, the attack segment is matched against a predefined attack pattern library to determine the most matching attack type and stage. For example, an attack segment showing a large number of TCP SYN packets accessing multiple ports matches the "port scanning" attack type and belongs to the "information gathering" stage; another attack segment showing continuous access to Web service ports and sending abnormally long data packets matches the "Web attack" type and belongs to the "vulnerability exploitation" stage. The semantically annotated attack segments are then connected according to chronological order and the logical relationship of attack stages to form a complete attack chain. For each attack segment, information such as start time, end time, involved IP addresses, port numbers, protocol type, attack type, and attack stage is recorded. This information constitutes a complete description of the attack chain with semantic tags. Attack chains constructed in this way can clearly show the entire attack process, helping to understand the attacker's behavioral patterns and goals.
[0053] Step 105: Obtain the out-degree and in-degree values of each event node in the attack chain, and calculate the threat weight of the event node.
[0054] Out-degree refers to the number of directed connections originating from a node, representing the number of communications initiated by that node as a source. In-degree refers to the number of directed connections pointing to that node, representing the number of communications received by that node as a target. Threat weight is a numerical metric that measures the importance of an event node in an attack, calculated using the node's topological characteristics (such as out-degree and in-degree) and behavioral characteristics (such as communication frequency and data volume). An attack chain is a sequence of event nodes arranged in chronological and logical order, describing the complete attack process.
[0055] Specifically, the first step is to traverse each event node in the attack chain and count its out-degree and in-degree values. The out-degree value is calculated by counting the number of directed connections originating from that node, while the in-degree value is calculated by counting the number of directed connections originating from that node. Based on these topological characteristics, the threat weight is calculated by combining the node's behavioral characteristics. The formula for calculating the threat weight is: Threat Weight = α × Normalized Out-degree + β × Normalized In-degree + γ × Behavioral Feature Value, where α, β, and γ are weight coefficients and satisfy α + β + γ = 1. The normalization process uses the maximum-minimum standardization method to map the original values to the [0, 1] interval. The calculation of the behavioral feature value considers multiple behavioral indicators of the node: communication frequency (number of communications per unit time), data transmission volume (total amount of data generated by communication), port type (whether a high-risk port is used), etc. For example, if an event node has an out-degree value of 5, an in-degree value of 3, a communication frequency of 10 times / minute, a data transmission volume of 1MB, and uses the high-risk port 445, then its behavioral feature value may be high. With α=0.3, β=0.3, γ=0.4, and assuming a normalized out-degree of 0.8, an in-degree of 0.6, and a behavioral characteristic of 0.9, the threat weight of this node is calculated as: 0.3×0.8+0.3×0.6+0.4×0.9=0.78. This threat weight calculation comprehensively reflects the node's importance and level of danger in network attacks, providing crucial information for subsequent attack analysis and defense strategies.
[0056] In one possible implementation, the out-degree and in-degree values of each event node in the attack chain are obtained, and the threat weight of the event node is calculated. Specifically, steps 1051-1054 are included, as follows: Step 1051: Obtain the number of directed connections from each event node to other event nodes and the number of directed connections to event nodes in the attack chain, and obtain the out-degree and in-degree values of the event nodes respectively.
[0057] Specifically, the out-degree and in-degree values are counted by traversing each event node in the attack chain. In implementation, two counters are first created to record the out-degree and in-degree respectively. For each event node, all its connections in the attack chain are checked. The out-degree is counted by traversing and counting all directed connections originating from the current node, and the in-degree is counted by traversing and counting all directed connections ending at the current node. For example, for event node A, if there are directed connections A->B, A->C, and A->D, then A's out-degree is 3; if there are directed connections E->A and F->A, then A's in-degree is 2. In terms of data structure implementation, adjacency lists or adjacency matrices can be used to store the connections between nodes. When using an adjacency list, each node maintains a list pointing to other nodes; the out-degree is the length of this list. The in-degree requires traversing all lists of nodes and counting the number of connections pointing to the current node. When using an adjacency matrix, the number of 1s in the i-th row represents the out-degree of node i, and the number of 1s in the i-th column represents the in-degree of node i. After the statistics are completed, each event node will obtain a pair of out-degree and in-degree values. These values serve as the basic indicators for measuring the importance of nodes and are used in subsequent threat weight calculations.
[0058] Step 1052: Based on the ratio of out-degree to in-degree, mark event nodes with a ratio greater than or equal to a preset ratio as diffusion nodes, and mark event nodes with a ratio less than a preset ratio as convergence nodes.
[0059] The preset ratio is a threshold used to distinguish between diffusion nodes and sink nodes. A diffusion node is a node whose out-degree value is significantly greater than its in-degree value, indicating that it initiates communication to multiple targets. A sink node is a node whose in-degree value is significantly greater than or close to its out-degree value, indicating that it receives communication from multiple sources. These node types reflect different attack behavior patterns, such as scanning and data collection.
[0060] Specifically, the ratio calculation first needs to handle the special case of an in-degree of 0. When the in-degree is 0, the ratio is set to a sufficiently large value to ensure that the node is correctly marked as a diffusion node. For other cases, the ratio is directly calculated by dividing the out-degree by the in-degree. For example, if a node has an out-degree of 8 and an in-degree of 2, its ratio is 4; if another node has an out-degree of 3 and an in-degree of 6, its ratio is 0.5. The calculated ratio is then compared with a preset ratio (e.g., set to 1.5). When a node's ratio is greater than or equal to the preset ratio, it indicates that the node's outbound communication is significantly more than its inbound communication, which matches the characteristics of diffusion behavior, and it is marked as a diffusion node. These types of nodes typically correspond to network scanning, virus propagation, and other similar behaviors. When a node's ratio is less than the preset ratio, it indicates that the node has relatively more inbound communication, which matches the characteristics of convergence behavior, and it is marked as a convergence node. These types of nodes typically correspond to roles such as data collection and command and control servers. This marking method can identify key nodes with different functions in the attack chain, providing important clues for subsequent attack analysis. Once the node is labeled, the node type information can be added to the node's attributes to facilitate subsequent analysis and visualization.
[0061] Step 1053: Starting from the diffusion node, recursively count the number of reachable convergence nodes along the directed connections to obtain the influence range of the diffusion node.
[0062] A sink node is an event node whose out-degree to in-degree ratio is lower than a preset ratio, indicating the target node receiving communication. The scope of influence is the number of sink nodes reachable from the spreading nodes via directed connections, reflecting the attack coverage of the spreading nodes. Recursive statistics are a calculation method that traverses the graph structure by repeatedly calling itself.
[0063] Specifically, a depth-first search algorithm is used to recursively calculate the influence range of each diffusion node. The implementation first creates an access marker set to record visited nodes, avoiding redundant calculations and loops. For each diffusion node, the following recursive statistical process is performed: a counter is initialized to record the number of reachable sink nodes, and the current diffusion node is marked as visited. All outgoing connections to the current node are searched. For each unvisited next-level node, if it is a sink node, the counter is incremented by 1, and the recursive processing of its outgoing connections continues; if it is a diffusion node, its outgoing connections are processed directly without incrementing the counter. For example, in an attack chain, diffusion node A is directly connected to sink nodes B and diffusion node C via directed connections, and diffusion node C is connected to sink nodes D and E. Starting recursively from A, sink node B is first found to have a count of 1, then sink nodes D and E are found through C, ultimately resulting in an influence range of 3 sink nodes for A. When the recursive traversal reaches a node where all outgoing connections have been visited or there are no outgoing connections, the current cumulative number of sink nodes is returned. This statistical process is performed on each diffusion node to obtain the influence range of each node. This influence range value reflects the importance of the diffusion node in the attack propagation; the larger the value, the wider the target range affected by the node.
[0064] Step 1054: Based on the preset weight correction coefficient mapping table, determine the correction coefficient corresponding to the protocol type of the aggregation node, and correct the baseline weight value corresponding to the scope of influence according to the correction coefficient to obtain the threat weight of the event node.
[0065] The weight correction coefficient mapping table is a predefined lookup table that records the risk level coefficients corresponding to different network protocol types. Protocol types are standardized protocols used in network communication, such as TCP, UDP, and ICMP. Correction coefficients are adjustment factors determined based on the risk level of the protocol type, used to adjust the baseline weight value. The baseline weight value is a weight value initially calculated based on the impact range. The threat weight is the final weight value after correction, comprehensively reflecting the threat level of a node in an attack. The impact range is the number of convergence nodes reachable from the originating node.
[0066] Specifically, the baseline weight value is first calculated based on the scope of impact. The calculation of the baseline weight value uses normalization: the scope of impact is divided by the largest scope of impact in the attack chain to obtain the baseline weight value within the interval [0, 1]. Then, the weight correction coefficient mapping table is consulted to obtain the correction coefficient. The mapping table records the correction coefficients for different protocols; for example, the correction coefficient for high-risk protocols (such as SMB / 445 port) is 2.0, the correction coefficient for medium-risk protocols (such as RDP / 3389 port) is 1.5, and the correction coefficient for regular protocols (such as HTTP / 80 port) is 1.0. For each node, the protocol type used for communication is extracted, and the corresponding correction coefficient is obtained by looking up the table. For example, if a node uses the SMB protocol for communication, with an scope of impact of 10, and the largest scope of impact in the current attack chain is 20, then its baseline weight value is 0.5, the corresponding correction coefficient for the SMB protocol is 2.0, and the final threat weight is calculated as: 0.5 × 2.0 = 1.0. If a node uses multiple protocols simultaneously, the maximum value of the corresponding correction coefficients for these protocols is used for calculation. When a node's protocol type is not defined in the mapping table, a default correction factor of 1.0 is used. Through this correction calculation, nodes with high-risk protocols will receive a higher threat weight, more accurately reflecting the actual threat level of the node. The final threat weight will be used for subsequent attack analysis and threat assessment.
[0067] Step 106: Determine the source IP address of the event node with the highest threat weight as the threat source address; generate a set of firewall rules based on the critical threat source address and the destination IP address and port number in the attack chain, and send them to the firewall device for execution.
[0068] The source IP address is the address identifier of the network device initiating the communication. The threat source address is the source IP address of the node with the highest threat weight. The destination IP address is the address identifier of the network device receiving the communication. The port number is a numerical identifier for a network service. A firewall rule is a configuration item that defines network access control policies and includes fields such as source address, destination address, and port number. A firewall device is a network security device that performs network access control. A firewall rule set is a combination of multiple firewall rules.
[0069] Specifically, firstly, by comparing the threat weights of all event nodes, the node corresponding to the maximum threat weight is identified, and its source IP address is extracted as the threat source address. Then, a set of firewall rules is generated based on the threat source address and communication information in the attack chain. The firewall rule generation process is as follows: traverse all event nodes in the attack chain, extracting the destination IP address and port number of each node. For each combination of destination IP address and port number, a firewall rule is generated, with the rule format: {Source IP address = Threat source address, Destination IP address = Node destination IP address, Destination port number = Node port number, Action = Deny}. For example, if the source IP address of the node with the highest threat weight in an attack chain is 192.168.1.100, and the attack chain includes communication with destination IP addresses 192.168.2.200 (port 445) and 192.168.2.300 (port 3389), then two firewall rules are generated: Rule 1 (Source IP: 192.168.1.100, Destination IP: 192.168.2.200, Destination Port: 445, Action: Deny) and Rule 2 (Source IP: 192.168.1.100, Destination IP: 192.168.2.300, Destination Port: 3389, Action: Deny). After the rules are generated, the rule set is converted into a configuration format supported by the firewall device. Common firewall configuration formats include Cisco ACL format and IPtables rule format. A device management protocol (such as SSH or NETCONF) is used to connect to the firewall device, and the converted rule configuration is then distributed to the device. The firewall device takes effect immediately upon receiving the configuration and denies network communication that matches the rule description, thereby achieving access control over threat sources.
[0070] In one possible implementation, a set of firewall rules is generated based on the critical threat source address and the destination IP address and port number in the attack chain, and then sent to the firewall device for execution. Specifically, this includes steps 1061-1062, as follows: Step 1061: Based on the threat source address and all destination IP addresses in the attack chain, generate a first firewall rule to block communication between the threat source address and the destination IP addresses; based on the port numbers involved in the attack chain, generate a second firewall rule to limit the access rate of the port numbers; based on the affected network areas in the attack chain, generate a third firewall rule to isolate the network areas.
[0071] The first firewall rule is an access control rule that blocks communication between specific IP addresses. The second firewall rule is a flow control rule that limits the rate of port access. The third firewall rule is an access control rule that implements network zone isolation. Access rate is the number of connection requests allowed per unit of time.
[0072] Specifically, the first type of rule is generated: traverse all destination IP addresses in the attack chain and generate a blocking rule for each destination IP address. The rule format is: {Source IP address=threat source address, Destination IP address=destination IP address, Protocol=ANY, Action=DROP}. For example, if the threat source address is 192.168.1.100 and the destination IP addresses include 192.168.2.200 and 192.168.2.300, then the following rules are generated: DROP ANY from 192.168.1.100 to 192.168.2.200 and DROPANY from 192.168.1.100 to 192.168.2.300. Next, the second type of rule is generated: All port numbers appearing in the attack chain are counted, and an access rate limiting rule is generated for each port number. The rule format is: {Destination Port = Port Number, Maximum Connections = Preset Threshold, Time Window = Preset Time, Action = LIMIT}. For example, the access rate limiting rules for ports 445 and 3389 are: LIMIT connections to port 445 max 100 per 60s and LIMIT connections to port 3389 max 50 per 60s. Finally, the third type of rule is generated: Based on the IP addresses of nodes in the attack chain, the affected network areas are identified (by the network number portion of the IP address), and isolation rules between network areas are generated. The rule format is: {Source Network = Affected Network, Destination Network = Other Network, Action = DROP}. For example, if the affected network is 192.168.2.0 / 24, the generated rule is: DROP ANY from 192.168.2.0 / 24 to ANY. All rules are organized in the order of blocking rules, rate limiting rules, and zone isolation rules to form a complete firewall rule set, achieving multi-layered protection against threat sources.
[0073] Step 1062: Combine the first firewall rule, the second firewall rule, and the third firewall rule into a firewall rule set; distribute the firewall rule set to the firewall devices in the smart factory, and execute the corresponding blocking operations through the firewall devices. The first firewall rule is a blocking rule for communication between specific IP addresses. The second firewall rule is a limit rule for port access rates. The third firewall rule is a control rule for network zone isolation. A firewall rule set is an ordered combination of multiple firewall rules. A firewall device is a hardware device that performs network access control. An interception operation is the specific control action performed by the firewall device according to the rules, including dropping packets, limiting connection rates, and redirecting traffic. A smart factory is a modern factory environment that deploys industrial control systems and network equipment.
[0074] Specifically, the three types of firewall rules are first combined and organized. The rule combination follows the principle of "from specific to general": the first firewall rule (specific IP address blocking rule) is placed at the beginning of the rule set to ensure priority matching and processing of known threat source communications; the second firewall rule (port access rate limiting rule) is placed in the middle to implement traffic control on suspicious ports; and the third firewall rule (network zone isolation rule) is placed last as the most basic protection measure. Example rule sets: Rule 1 (DROP ANY from 192.168.1.100 to 192.168.2.200), Rule 2 (DROP ANY from 192.168.1.100 to 192.168.2.300), Rule 3 (LIMIT connections to port 445 max 100 per 60s), Rule 4 (LIMIT connections to port 3389 max 50 per 60s), Rule 5 (DROP ANY from 192.168.2.0 / 24 to ANY). After combining the rules, connect to the firewall device in the smart factory using firewall management protocols (such as SSH, NETCONF, REST API). Based on the firewall device model and supported configuration formats (such as Cisco IOS format, IPtables format, OVS flow table format), convert the rule set into corresponding configuration commands. Send the configuration commands to the firewall device via the management protocol. After receiving the configuration, the device loads the rules into the access control list. The firewall device begins to inspect and control network traffic in real time according to the rule set: traffic matching the first type of rule is dropped directly, traffic matching the second type of rule is rate-limited, and traffic matching the third type of rule is isolated by region, thereby achieving comprehensive protection for the smart factory network.
[0075] In the above embodiments, a temporal feature-based attack link identification framework was implemented through time segmentation and semantic annotation. To further improve the accuracy and interpretability of attack link identification and reduce the impact of false positives and false negatives on attack analysis, this application also provides a network security fault diagnosis and defense method. This method analyzes the temporal characteristics of attack events, determines the boundary points of different attack stages, and performs multi-dimensional matching processing of protocol sequences, port sequences, and attack patterns, enabling the system to more accurately identify attack links and attack intentions in complex network attack scenarios. The following section combines... Figure 2 Another network security fault diagnosis and defense method in the embodiments of this application is described below: Please see Figure 2This is a flowchart illustrating a network security fault diagnosis and defense method in an embodiment of this application.
[0076] Step 201: Calculate the time interval between all adjacent event nodes in the suspected attack propagation path; based on the time interval between adjacent event nodes, calculate the average time interval of the suspected attack propagation path.
[0077] Adjacent event nodes are two nodes that are chronologically adjacent in the propagation path. The time interval is the difference in timestamps between two adjacent event nodes, in seconds. The average time interval is the arithmetic mean of the time intervals of all adjacent nodes in the path, reflecting the temporal characteristics of the attack propagation. A timestamp is the precise point in time when an event occurred, typically using the Unix timestamp format (the number of seconds since January 1, 1970, at midnight UTC).
[0078] Specifically, the process first iterates through all adjacent node pairs in the suspected attack propagation path and calculates the time interval between them. The time interval is calculated by subtracting the timestamp of the previous node from the timestamp of the next node. For example, the path contains four nodes: node A (timestamp: 1640995200, corresponding to 2022-01-01 00:00:00), node B (timestamp: 1640995205, corresponding to 2022-01-01 00:00:05), node C (timestamp: 1640995208, corresponding to 2022-01-01 00:00:08), and node D (timestamp: 1640995215, corresponding to 2022-01-01 00:00:15). Calculate the time intervals between adjacent nodes: the interval from A to B is 5 seconds (1640995205 - 1640995200), the interval from B to C is 3 seconds (1640995208 - 1640995205), and the interval from C to D is 7 seconds (1640995215 - 1640995208). After obtaining all time intervals, calculate the average time interval: add all time intervals together and divide by the number of intervals. In the example above, the average time interval is (5 + 3 + 7) / 3 = 5 seconds. The calculation process requires handling timestamp format conversion and special cases: if the timestamps use different formats (such as ISO 8601 format), they need to be uniformly converted to Unix timestamps first; if the path contains only one node, the average time interval is recorded as 0; if there are nodes with empty timestamps, the interval calculation for that node pair is skipped. The final average time interval is used for subsequent attack signature analysis.
[0079] Step 202: Traverse adjacent event nodes in the suspected attack propagation path. When the time interval between any two adjacent event nodes exceeds a preset multiple of the average time interval, mark the positions of the two adjacent event nodes as stage split points.
[0080] Phase transition points are location markers indicating transitions between attack phases. Phase transitions represent points in time when attack behavior patterns undergo significant changes.
[0081] Specifically, transition points in the attack phase are identified by analyzing the time intervals between adjacent nodes. First, all pairs of adjacent nodes in the propagation path are traversed chronologically. For each pair, the time interval between them is calculated and compared to a preset multiple of the average time interval. The preset multiple is set to 3, meaning that when a time interval exceeds three times the average time interval, a transition in the attack phase is considered to have occurred. For example, a propagation path contains 5 nodes: node A (timestamp: 1640995200), node B (timestamp: 1640995205), node C (timestamp: 1640995220), node D (timestamp: 1640995225), and node E (timestamp: 1640995230). The time intervals between adjacent nodes are calculated as follows: A to B is 5 seconds, B to C is 15 seconds, C to D is 5 seconds, and D to E is 5 seconds. The average time interval is (5 + 15 + 5 + 5) / 4 = 7.5 seconds. Each time interval is compared to a threshold (7.5 × 3 = 22.5 seconds): the interval from A to B is 5 seconds, less than the threshold, so it is not marked; the interval from B to C is 15 seconds, less than the threshold, so it is not marked; the interval from C to D is 5 seconds, less than the threshold, so it is not marked; the interval from D to E is 5 seconds, less than the threshold, so it is not marked. This comparison identifies locations with abnormal time intervals, marking these locations as phase split points. The marking method involves adding a boolean flag to the node attributes; true indicates that the node is the starting node of a phase split point. Identifying phase split points helps divide attack behavior into different phases, facilitating subsequent classification and analysis of attack phases.
[0082] Step 203: Divide the suspected attack propagation path into multiple attack segments based on the stage segmentation points.
[0083] Specifically, the suspected attack propagation path is segmented based on the marked stage split points. First, all nodes in the propagation path are traversed chronologically, and a split position is marked at each stage split point. Starting from the path's beginning node, all nodes before the first split point constitute the first attack segment; all nodes from the first split point to the second split point constitute the second attack segment; and so on, until the last node of the path. For example, a propagation path contains 8 nodes: A, B, C, D, E, F, G, H, where nodes C and F are marked as stage split points. Based on these two split points, the path is divided into three attack segments: Segment 1 contains nodes A and B (from the beginning to before the first split point), Segment 2 contains nodes C, D, and E (from the first split point to before the second split point), and Segment 3 contains nodes F, G, and H (from the second split point to the end of the path). For each attack segment, information such as its node list, start time (timestamp of the first node in the segment), end time (timestamp of the last node in the segment), and number of nodes is saved. This information constitutes the attribute set of the attack segment, used for subsequent attack feature analysis. The segmented attack fragments maintain the original connections between nodes, ensuring the integrity of the attack behavior. This segmentation process separates attack behaviors with significant temporal differences, facilitating the identification of behavioral characteristics at different attack stages.
[0084] In one possible implementation, the suspected attack propagation path is divided into multiple attack segments based on the stage segmentation point. This step is further followed by steps 2031-2032, as follows: Step 2031: For each attack fragment, extract the protocol type sequence and port number sequence from the attack fragment, and calculate the similarity between the protocol type sequence and port number sequence and the pre-stored attack pattern library to obtain the pattern similarity of the attack fragment.
[0085] The protocol type sequence is a chronological sequence of network protocols (such as TCP, UDP, and ICMP) used by each event node in the attack segment. The port number sequence is a chronological sequence of network port numbers involved by each event node in the attack segment. The pre-stored attack pattern library is a collection of data storing known attack behavior characteristics; each record contains the protocol sequence and port sequence of a typical attack. Pattern similarity is the degree of matching between the sequence features of the attack segment and the records in the pattern library, with a numerical range of [0, 1]. Similarity calculation is performed by using a sequence alignment algorithm to calculate the matching degree between two sequences.
[0086] Specifically, the first step is to extract feature sequences: traverse the event nodes in the attack fragment in chronological order, extracting the protocol type and port number for each node, and constructing protocol type sequences and port number sequences respectively. For example, if an attack fragment contains 5 nodes: node 1 (TCP, 445), node 2 (TCP, 445), node 3 (UDP, 137), node 4 (TCP, 445), and node 5 (TCP, 3389), then the protocol type sequence [TCP, TCP, UDP, TCP, TCP] and port number sequence [445, 445, 137, 445, 3389] are extracted. Then, similarity is calculated with records in the attack pattern library. The similarity calculation uses sequence alignment algorithms: for protocol type sequences, the Longest Common Subsequence (LCS) algorithm is used to calculate the length of the longest common part between the sequence to be analyzed and the sequences in the pattern library, and the similarity is obtained by dividing by the length of the longer sequence; for port number sequences, the edit distance algorithm is used to calculate the minimum number of operations required to convert the sequence to be analyzed into a sequence in the pattern library, and the similarity is obtained by subtracting the standardized edit distance from 1. The weighted average of protocol similarity and port similarity is taken as the final pattern similarity. For example, if the protocol sequence of a certain worm attack pattern in the pattern library is [TCP, TCP, TCP, TCP, UDP] and the port sequence is [445, 445, 445, 445, 137], the calculated protocol similarity with the above attack fragment is 0.8 (4 / 5) and the port similarity is 0.6 (1-3 / 5), with weights of 0.4 and 0.6 respectively. Therefore, the final pattern similarity is 0.8 × 0.4 + 0.6 × 0.6 = 0.68. Similarity calculation is performed on each record in the pattern library, and the highest similarity value is taken as the pattern similarity of that attack fragment. This similarity value reflects the degree of matching between the attack fragment and known attack patterns and is used for subsequent attack type determination.
[0087] Step 2032: Assign target semantic labels to attack fragments whose pattern similarity exceeds the matching threshold; connect the attack fragments with target semantic labels to obtain attack chains with target semantic labels.
[0088] Specifically, the first step is to threshold the pattern similarity of each attack fragment. A matching threshold of 0.8 is set, and all attack fragments are iterated through, checking their pattern similarity values. When the pattern similarity of an attack fragment exceeds 0.8, the semantic tag for the corresponding pattern is retrieved from the pre-stored attack pattern library and assigned to that attack fragment. For example, if an attack fragment has a similarity of 0.85 with the "SMB scan" pattern in the pattern library, exceeding the threshold of 0.8, then the semantic tag "SMB scan" is assigned to that fragment. After tagging, the attack fragments with semantic tags are joined. The joining process is based on temporal sequence and network communication relationships: first, the tagged attack fragments are sorted chronologically; then, a network communication relationship (the correspondence between source IP and destination IP) is checked between adjacent fragments; if a communication relationship exists, these fragments are joined into an attack chain. For example, consider three tagged attack segments: Segment 1 (Time: 10:00-10:05, Tag: "Port Scan", Source IP: 192.168.1.100, Destination IP: 192.168.2.200), Segment 2 (Time: 10:06-10:10, Tag: "Brute Force", Source IP: 192.168.1.100, Destination IP: 192.168.2.200), and Segment 3 (Time: 10:11-10:15, Tag: "Data Theft", Source IP: 192.168.1.100, Destination IP: 192.168.2.200). These three segments are consecutive in time and share the same source and destination IPs, indicating that they belong to the same attack. Therefore, they can be linked together to form an attack chain. The connected attack chain retains the semantic tags of each segment, forming a complete sequence of attack behaviors: "port scanning -> brute-force attack -> data theft". This semantically tagged attack chain can clearly show the evolution of the attack and the specific behavior type at each stage.
[0089] The following describes a network security fault diagnosis and defense system according to an embodiment of the present invention from the perspective of hardware processing. Please refer to [link / reference needed]. Figure 3 This is a schematic diagram of the structure of a network security fault diagnosis and defense system in an embodiment of this application.
[0090] It should be noted that, Figure 3 The structure of the network security fault diagnosis and defense system shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of the present invention.
[0091] like Figure 3As shown, a network security fault diagnosis and defense system includes a central processing unit (CPU) 301, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 302 or a program loaded from a storage section 308 into a random access memory (RAM) 303, such as executing the methods described in the above embodiments. The RAM 303 also stores various programs and data required for system operation. The CPU 301, ROM 302, and RAM 303 are interconnected via a bus 304. An input / output (I / O) interface 305 is also connected to the bus 304.
[0092] The following components are connected to I / O interface 305: input section 306 including audio input devices, push-button switches, etc.; output section 307 including a liquid crystal display (LCD) and audio output devices, indicator lights, etc.; storage section 308 including a hard disk, etc.; and communication section 309 including a network interface card such as a LAN (Local Area Network) card, modem, etc. Communication section 309 performs communication processing via a network such as the Internet. Drive 310 is also connected to I / O interface 305 as needed. Removable media 311, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 310 as needed so that computer programs read from them can be installed into storage section 308 as needed.
[0093] In particular, according to embodiments of the present invention, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing computer programs for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 309, and / or installed from removable medium 311. When the computer program is executed by central processing unit (CPU) 301, it performs the various functions defined in the present invention.
[0094] It should be noted that specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this invention, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.
[0095] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. Each block in a flowchart or block diagram may represent a module, segment, or portion of code, which contains one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those shown in the drawings.
[0096] Specifically, the network security fault diagnosis and defense system of this embodiment includes a processor and a memory. The memory stores a computer program. When the computer program is executed by the processor, it implements the network security fault diagnosis and defense method provided in the above embodiment.
[0097] In another aspect, the present invention also provides a computer-readable storage medium, which may be included in the network security fault diagnosis and defense system described in the above embodiments; or it may exist independently and not assembled into the network security fault diagnosis and defense system. The storage medium carries one or more computer programs, which, when executed by a processor of the network security fault diagnosis and defense system, enable the network security fault diagnosis and defense system to implement the network security fault diagnosis and defense method based on IoT data encryption transmission provided in the above embodiments.
Claims
1. A method for diagnosing and preventing network security faults, characterized in that, The method includes: Obtain network log data from the smart factory and sort it according to the timestamps of the network log data to obtain a network log set; Based on the source IP address and destination IP address of each network log in the network log set, the directed connections between event nodes are determined, and an event association graph is generated according to the directed connections. The event association graph is traversed to determine the propagation path, the anomaly score of the propagation path is calculated, the propagation path with the anomaly score exceeding a preset threshold is marked as a suspected attack propagation path, and the suspected attack propagation path is divided into multiple attack segments according to the abrupt change position of the time interval between event nodes in the suspected attack propagation path. Based on each of the attack fragments, generate an attack chain with target semantic tags; Obtain the out-degree and in-degree values of each event node in the attack chain, and calculate the threat weight of the event node; The source IP address of the event node with the highest threat weight is determined as the threat source address; Based on the critical threat source address and the destination IP address and port number in the attack chain, a set of firewall rules is generated and sent to the firewall device for execution.
2. The method according to claim 1, characterized in that, The step of determining directed connections between event nodes based on the source IP addresses and destination IP addresses of each network log in the network log set, and generating an event association graph based on the directed connections, includes: Traverse the network log set, treat each network log record in the network log set as an event node, and extract the source IP address and destination IP address of the event node; If the destination IP address of the first event node is the same as the source IP address of the second event node, and the timestamp of the second event node is later than the timestamp of the first event node, then a directed connection is established between the first event node and the second event node. The direction of the directed connection is from the first event node to the second event node. The first event node and the second event node are the event nodes corresponding to any two different network log records in the network log set. Organize all event nodes and directed connections into a directed graph structure to generate an event association graph.
3. The method according to claim 1, characterized in that, The step of traversing the event association graph, determining propagation paths, calculating anomaly scores for the propagation paths, and marking propagation paths with anomaly scores exceeding a preset threshold as suspected attack propagation paths includes: The event association graph is traversed using a preset depth-first traversal algorithm; Record all event nodes reached from any starting event node, and generate a propagation path; Count the number of different network regions involved in each of the propagation paths; Filter out propagation paths that involve a number of different network regions greater than or equal to a preset number; The anomaly score of the selected propagation path is obtained by weighting the path length, the number of different ports involved in the path, and the time distribution dispersion of event nodes in the path. Propagation paths with abnormal scores exceeding a preset abnormal threshold are marked as suspected attack propagation paths.
4. The method according to claim 1, characterized in that, The suspected attack propagation path is segmented into multiple attack segments based on the abrupt changes in the time interval between event nodes in the suspected attack propagation path, including: Calculate the time interval between all adjacent event nodes in the suspected attack propagation path; Based on the time interval between the adjacent event nodes, the average time interval of the suspected attack propagation path is calculated; Traverse adjacent event nodes in the suspected attack propagation path. When the time interval between any two adjacent event nodes exceeds a preset multiple of the average time interval, mark the positions of the two adjacent event nodes as stage split points. The suspected attack propagation path is divided into multiple attack segments based on the stage segmentation points.
5. The method according to claim 4, characterized in that, The step of generating an attack chain with target semantic tags based on each of the attack fragments includes: For each of the aforementioned attack segments, extract the protocol type sequence and port number sequence from the attack segment. The similarity between the protocol type sequence and the port number sequence and the pre-stored attack pattern library is calculated to obtain the pattern similarity of the attack fragment; Attack fragments whose pattern similarity exceeds the matching threshold are assigned target semantic labels; The attack fragments with target semantic tags are concatenated to obtain the attack chain with target semantic tags.
6. The method according to claim 1, characterized in that, The step of obtaining the out-degree and in-degree values of each event node in the attack chain and calculating the threat weight of the event node includes: Obtain the number of directed connections from each event node in the attack chain to other event nodes and the number of directed connections to the event node, and obtain the out-degree and in-degree values of the event node respectively. Based on the ratio of the out-degree value to the in-degree value, event nodes with a ratio greater than or equal to a preset ratio are marked as diffusion nodes, and event nodes with a ratio less than the preset ratio are marked as convergence nodes; Starting from the diffusion node, the number of reachable convergence nodes is recursively counted along the directed connection to obtain the influence range of the diffusion node; Based on a preset weight correction coefficient mapping table, the correction coefficient corresponding to the protocol type of the aggregation node is determined, and the baseline weight value corresponding to the influence range is corrected according to the correction coefficient to obtain the threat weight of the event node.
7. The method according to claim 1, characterized in that, The step of generating a firewall rule set based on the critical threat source address and the destination IP address and port number in the attack chain, and then sending it to the firewall device for execution, includes: Based on the threat source address and all destination IP addresses in the attack chain, generate a first firewall rule to block communication between the threat source address and the destination IP address; Based on the port numbers involved in the attack chain, generate a second firewall rule that restricts the access rate of the port numbers; Based on the affected network regions in the attack chain, generate a third firewall rule to isolate the network regions. The first firewall rule, the second firewall rule, and the third firewall rule are combined into a firewall rule set; The firewall rule set is distributed to the firewall device in the smart factory, and the firewall device executes the blocking operation corresponding to the firewall rule set.
8. A network security fault diagnosis and defense system, characterized in that, The network security fault diagnosis and defense system includes: one or more processors and a memory; the memory is coupled to the one or more processors, the memory is used to store computer program code, the computer program code includes computer instructions, and the one or more processors call the computer instructions to cause the network security fault diagnosis and defense system to perform the method as described in any one of claims 1-7.
9. A computer-readable storage medium comprising instructions, characterized in that, When the instruction is executed on the network security fault diagnosis and defense system, the network security fault diagnosis and defense system performs the method as described in any one of claims 1-7.
10. A computer program product, characterized in that, When the computer program product is run on the network security fault diagnosis and defense system, the network security fault diagnosis and defense system performs the method as described in any one of claims 1-7.