An attack homology analysis method, system, electronic device and storage medium
By integrating multi-dimensional features and dynamically updating the APT organization feature library, the problems of single data source and incomplete disassembly in existing technologies are solved, enabling accurate characterization of attack events and efficient source analysis, thus improving accuracy and robustness.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA ACADEMY OF INFORMATION & COMM
- Filing Date
- 2026-03-25
- Publication Date
- 2026-06-05
Smart Images

Figure CN122160154A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network security technology, and in particular relates to an attack origin analysis method, system, electronic device and storage medium. Background Technology
[0002] In recent years, with the rapid advancement of information technology, the complexity of cyberspace has increased daily, and security challenges have become increasingly prominent. The forms of cyber threats are constantly evolving, from initial single virus propagations and denial-of-service attacks to advanced persistent threats (APTs), data breaches, and even AI-assisted automated attacks. To effectively address these challenges, strengthening in-depth attribution and common-origin analysis of cyberattacks has become particularly important.
[0003] Current methods for attack origin analysis mainly include the following: The first is an analysis method based on email metadata. This method relies heavily on the complete metadata of the email and can only deal with attacks launched through email, but is powerless against attacks from non-email sources. The second is an analysis method based on data packets. This method mainly focuses on the feature extraction of the data packets themselves, ignoring the temporal and tactical correlation of attack behaviors, resulting in the inability to accurately identify the attacker's complete behavioral pattern. The third is a malware analysis method based on family gene similarity. This method relies on disassemblers to obtain the assembly function set, but when faced with advanced encryption or code obfuscation techniques, it often cannot obtain the complete function set, and incomplete parsing increases the risk of false positives.
[0004] Therefore, how to provide an attack origin analysis method that integrates multi-dimensional data resources, accurately characterizes attack events, and effectively overcomes the false positive problem caused by incomplete disassembly, thereby improving the accuracy of origin analysis, has become a technical problem that urgently needs to be solved in this field. Summary of the Invention
[0005] The purpose of this invention is to provide an attack origin analysis method, system, electronic device, and storage medium to solve the technical problems in the prior art, such as reliance on a single data source, neglect of attack timing correlation, and high false positive rate due to incomplete disassembly parsing.
[0006] The first aspect of this invention discloses an attack homology analysis method; the method includes: Step S1: Obtain event clues, alarm data, and sample data of the attack event to be tested; Step S2: Extract ATT&CK attack tactical features and ATT&CK attack technical features from alarm data, extract sample HASH values and code features from sample data, and extract attack industry features and attack country features from event clues. Step S3: Calculate the similarity between the extracted ATT&CK attack tactical features, ATT&CK attack technical features, sample HASH value, code features, attack industry features, and attack country features and the corresponding features in the preset APT organization feature database. Step S4: Calculate the overall similarity score based on the various similarities. Step S5: Determine the APT organization with the same origin as the attack event to be tested based on the comprehensive similarity score.
[0007] It is evident that by integrating three major information sources—event clues, alarm data, and malicious sample data—the limitations of a single data source are overcome. This allows for a comprehensive depiction of attacker activity patterns from multiple dimensions, including tactical behavior, underlying code, and attack background, significantly improving the accuracy and comprehensiveness of attack origin analysis.
[0008] Further, in step S2, code features are extracted from the sample data, including: The sample data is disassembled to obtain a set of assembly functions, and the opcode sequence and system call sequence of each function are extracted. The opcode sequence is mapped and pooled into a basic vector using a pre-trained continuous bag-of-words model, and the system call sequence is embedded and pooled into a system call vector. The function feature vector is obtained by concatenating the base vector with the system call vector. Hierarchical density clustering algorithm is used to cluster the feature vectors of all functions and merge similar functions. The discrimination of each function in the sample corpus after clustering is evaluated based on the term frequency inverse document frequency algorithm, and a predetermined number of the most representative function feature vectors are selected as code features.
[0009] It is evident that by concatenating the basic vector and the system call vector, and combining hierarchical density clustering and word frequency inverse document frequency algorithms to extract the most representative semantic genes, the robustness of the model to encrypted and obfuscated code is greatly enhanced, overcoming the false positive problem caused by incomplete disassembly parsing.
[0010] Further, in step S2, ATT&CK attack tactical features and ATT&CK attack technical features are extracted from the alarm data, including: Analyze the attack type, triggering conditions, and affected object attributes in the alarm data; Based on the pre-built mapping table between alarm features and the ATT&CK framework, the parsed attributes are associated with the corresponding ATT&CK technologies and sub-technologies; Generate ATT&CK attack technique features in sparse matrix form based on the associated ATT&CK techniques, and generate ATT&CK attack tactical features in sparse matrix form based on the tactics to which the techniques belong.
[0011] It is evident that structuring discrete alarm data onto the ATT&CK framework effectively captures the temporal flow and tactical intent correlation in attack events, solving the problem that traditional data packet analysis ignores the attack sequence and interrelationships.
[0012] Further, in step S3, the similarity between the extracted features and the corresponding features in the preset APT tissue feature library is calculated, including: The cosine similarity algorithm is used to calculate the similarity between the technical features and tactical features of ATT&CK attacks and the corresponding features in the preset APT organization feature database; The similarity between code features and corresponding code features in a pre-defined APT organization feature library is calculated using the edit distance algorithm. The direct comparison method is used to calculate the similarity between the sample's HASH value, attack industry characteristics, and attack country characteristics and the corresponding characteristics in the preset APT organization characteristic library. If they match, the similarity is assigned a value of 1; otherwise, it is assigned a value of 0.
[0013] It is evident that by employing cosine similarity for sparse matrices, edit distance for code encoding sequences, and direct comparison for explicit objective attributes, the similarity of features in different dimensions can be quantified in a way that suits local conditions, ensuring the scientific rigor and high efficiency of the underlying data feature comparison.
[0014] Furthermore, in step S4, calculating the comprehensive similarity score based on each similarity score includes: weighting and summing each similarity score according to a preset weight to obtain the comprehensive similarity score; In step S5, determining the APT organization of the attack event to be tested based on the comprehensive similarity score includes: comparing the comprehensive similarity score with a preset threshold; if the comprehensive similarity score is greater than the preset threshold, then determining that the APT organization corresponding to the preset APT organization feature library is the APT organization of the attack event to be tested.
[0015] Furthermore, the process of generating the preset threshold includes: Obtain a sample set of historical attack events, and calculate the comprehensive similarity score between each sample in the sample set to obtain comprehensive similarity distribution data; Based on the comprehensive similarity distribution data, a preset fixed percentile method is used to determine the comprehensive similarity score corresponding to a specified percentile as the preset threshold.
[0016] Furthermore, the process of constructing and updating the preset APT organization feature library includes: Acquire multi-source historical attack event data and extract the corresponding historical feature vectors; The HDBSCAN clustering algorithm is used to perform density clustering on the historical feature vectors to generate multiple clusters. Each cluster is identified as an independent APT organization, and representative features of each cluster are extracted and stored in the preset APT organization feature library; If the overall similarity score of the attack event to be tested is not greater than the preset threshold, the attack event to be tested is stored as a new sample in the clustering pool, and the HDBSCAN clustering algorithm is re-executed to achieve dynamic updating of the preset APT organization feature library.
[0017] It is evident that by adopting a weighted allocation and comprehensive score comparison mechanism, and combining it with the threshold set by the historical attack benchmark, the detection rate and false alarm rate of homology detection are effectively balanced, thereby improving the reliability and reproducibility of the judgment results.
[0018] A second aspect of this invention discloses an attack homology analysis system; the system includes: The acquisition module is used to acquire event clues, alarm data, and sample data of the attack event to be tested; The feature extraction module is used to extract ATT&CK attack tactical features and ATT&CK attack technical features from alarm data, extract sample HASH values and code features from sample data, and extract attack industry features and attack country features from event clues. The similarity calculation module is used to calculate the similarity between the extracted ATT&CK attack tactical features, ATT&CK attack technical features, sample HASH values, code features, attack industry features, and attack country features and the corresponding features in the preset APT organization feature library. The same-origin determination module is used to calculate a comprehensive similarity score based on various similarities, and to determine the same-origin APT organization of the attack event to be tested based on the comprehensive similarity score.
[0019] A third aspect of this invention discloses an electronic device. The electronic device includes a memory and a processor. The memory stores a computer program, and when the processor executes the computer program, it implements the steps of an attack homology analysis method according to any one of the first aspects of this disclosure.
[0020] A fourth aspect of this invention discloses a computer-readable storage medium. The computer-readable storage medium stores a computer program, which, when executed by a processor, implements the steps of an attack homology analysis method according to any one of the first aspects of this disclosure.
[0021] The present invention has the following beneficial effects: (1) This invention achieves a more comprehensive and accurate multi-dimensional feature characterization of attack events, significantly improving anti-obfuscation capabilities. By combining basic feature vectors and system call vectors, and introducing feature extraction techniques such as word vectors (e.g., Word2Vec) and TF-IDF, this invention not only effectively extracts the static text features of the attack code but also retains deep-level dynamic behavioral features. This multi-dimensional feature fusion mechanism greatly improves the robustness of the model against advanced evasion techniques such as malicious code obfuscation and packing, ensuring the accuracy of the underlying data in the homology analysis.
[0022] (2) It achieves adaptive dynamic updating of the APT organization feature database and discovery of unknown threats. This invention can not only accurately identify attacks launched by known APT organizations, but also discover potential unknown APT organizations by introducing the HDBSCAN equal-density clustering algorithm to continuously analyze and cluster unmatched samples when facing new attack events that do not match the existing feature database. This gives the homology analysis system a strong ability to self-learn and evolve over time, overcoming the shortcomings of traditional feature databases that are prone to aging and require complete manual updates.
[0023] (3) Improved the scientific rigor and scalability of source identification. This invention abandons rigid matching based on a single dimension and uses a weighted summation of multiple similarities (such as algorithms combining edit distance) to calculate the comprehensive similarity score, and dynamically sets percentile thresholds based on historical distribution data. This mechanism can flexibly adjust the weights of various features according to different network security scenarios, and significantly reduces the false positive and false negative rates of source identification, possessing extremely high engineering application value and business scalability. Attached Figure Description
[0024] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0025] Figure 1 This is a flowchart of an attack homology analysis method according to an embodiment of the present invention; Figure 2 This is a flowchart illustrating a method for attack homology analysis according to an embodiment of the present invention. Figure 3 This is a structural diagram of an attack homology analysis system according to an embodiment of the present invention; Figure 4 This is a structural diagram of an electronic device according to an embodiment of the present invention. Detailed Implementation
[0026] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0027] Example 1: The first aspect of this invention discloses an attack homology analysis method. Prior to this method, an APT organization signature database is first constructed, as follows: The APT organization signature database construction phase includes two steps: APT event reporting and sample collection and storage, and APT organization signature database construction.
[0028] APT incident reporting, sample collection, and database storage are primarily achieved through regular collection of incident reports from publicly available internet databases, close collaboration with threat intelligence agencies to obtain the latest incident reports from APT organizations, and the comprehensive collection of information on APT attack events and malicious samples used, combined with sandbox technology, honeypot technology, and cooperation with third-party organizations. This process lays the foundation for building an APT organization signature database.
[0029] The construction of the APT group signature database mainly involves analyzing attack event reports and samples from various APT groups to obtain their attack payloads, targets, and corresponding ATT&CK attack tactics and techniques, which are then stored in the APT group signature database. The attack payload includes malicious sample hashes and code characteristics; the attack targets include the victim's industry and country of origin; the attack tactics are the ATT&CK attack tactics used; and the attack techniques are the ATT&CK attack techniques employed.
[0030] The specific feature extraction process is as follows: a. Attack techniques By analyzing the attack methods used by various APT groups, all attack methods are mapped to ATT&CK techniques and processed into a sparse matrix. If the corresponding technique is used, it is assigned a value of 1, otherwise it is assigned a value of 0, thus obtaining the attack technique vector.
[0031] b. Attack tactics Based on the techniques used by each APT group, each technique is mapped to the tactics of ATT&CK and processed into a sparse matrix. If the corresponding tactic is used, it is assigned a value of 1, otherwise it is assigned a value of 0, thus obtaining the attack tactic vector.
[0032] c. Attack payload The malicious sample hash is in string form and stored in a list. For the malicious sample file, it is first disassembled to obtain the set of assembly functions. For each function, its opcode sequence is extracted, and a pre-trained Word2Vec model is used to map each opcode to a corresponding word vector. Average pooling is then used to obtain the function's base vector. Simultaneously, the system call sequence of the same function is extracted, embedded into a vector using another pre-trained model, and then average pooled to obtain the system call vector. To improve the model's robustness to obfuscated code, the base vector and system call vector are concatenated to form a comprehensive function feature vector containing multi-level semantic information. Based on this, HDBSCAN clustering is performed on all function vectors, grouping similar functions together. Finally, based on these function vectors, the TF-IDF algorithm is used to evaluate the discriminative power of each function in the entire APT family corpus, selecting the K most representative functions as "semantic genes," and their corresponding vectors are used for subsequent analysis.
[0033] Word2Vec is a neural network language model for learning word vector representations. Its core idea is to map words to a low-dimensional continuous vector space, such that semantically or grammatically similar words are close in distance within this space. Word2Vec mainly includes two model architectures: Skip-gram and Continuous Bag-of-Words (CBOW). This paper uses the CBOW model for word vector training.
[0034] In the CBOW model, the goal is to predict the center word based on context words. Let the vocabulary size be V and the word vector dimension be d. For a given center word w... t and its context window (With a window size of c), the CBOW model maximizes the conditional probability P(w) t |C) to learn word vector representations.
[0035] Specifically, the CBOW model first takes the input vector of context words (from the input matrix) as an example. The average is calculated as shown in formula (1).
[0036] (1) Among them, v w This represents the input word vector corresponding to word w.
[0037] Then, the score of each word as the center word is calculated through the output layer (using the output matrix), as shown in Equation (2).
[0038] (2) in, It is a word Row vectors in the output matrix.
[0039] Ultimately, the central word The conditional probability is given by the softmax function, as shown in equation (3).
[0040] (3) The objective function of the CBOW model is to minimize the log-likelihood of all center words in the entire corpus, as shown in Equation (4).
[0041] (4) Where T is the total number of words in the corpus. The objective function is optimized using stochastic gradient descent, allowing simultaneous learning of the input word vector W and the output vector. The final word vectors are usually taken from the input matrix W.
[0042] HDBSCAN (Hierarchical Density-Based Spatial Clustering of Applications with Noise) is a hierarchical density clustering algorithm. Its core advantage lies in overcoming the sensitivity of the classic DBSCAN algorithm to global density parameters. It can adaptively identify clusters of arbitrary shapes and label noise points, making it suitable for analyzing complex datasets with uneven density. Its process is as follows: 1) Calculate core distance Iterate through all sample points in the dataset and calculate the core distance for each point according to the core distance formula. To distinguish between potential core points and non-core points, the specific formula is shown in equation (5).
[0043] (5) Core distance is a fundamental metric for characterizing the local density of samples. Given a dataset D = {x1, x2, ..., x...} n} and the minimum neighborhood number parameter minPts, sample point x i The core distance is defined as: the distance that makes x i The minimum neighborhood radius of the core point is the minimum sphere radius containing at least minPts samples. express The minPts nearest neighbor sample set, for The distance to its minPts nearest neighbor (usually Euclidean distance); if the number of nearest neighbors is less than minPts, the core distance is infinite, and this point is a potential noise point.
[0044] 2) Construct the mutual distance matrix Based on the mutual reachability distance formula, the distance between any two sample points is calculated. Generate the cross-distance matrix of all samples, and the specific formula is shown in equation (6).
[0045] (6) Reachability is a key metric for measuring density-based accessibility between two points and a core basis for constructing hierarchical clusters. For sample points... and The reachability between two points is the maximum value of the core distance and the direct distance. The significance of this formula is that strong density reachability is only achieved when both points are core points and the direct distance is small enough. The reachability between non-core points and core points is dominated by the core distance between the core points.
[0046] 3) Construct the minimum spanning tree Using sample points as nodes and the distance between them as edge weights, construct a minimum spanning tree for the dataset. This tree satisfies the conditions that all nodes are connected and the total sum of edge weights is minimized, while preserving the density correlation between samples.
[0047] 4) Generate agglomerative hierarchy tree Edges of the minimum spanning tree are removed in ascending order of edge weight, gradually dividing the samples into different clusters to generate a linkage tree. The height of each node in the tree corresponds to the reach distance of the edges, representing the density threshold for cluster merging.
[0048] 5) Optimal clustering partitioning The stability index of each cluster in the agglomerative tree is calculated. The stability is positively correlated with the number of samples within the cluster and the merging distance. The cluster structure with the highest stability is retained, and the final clustering result is obtained and noise points are marked.
[0049] The TF-IDF algorithm is used in malicious sample analysis to evaluate the importance of a function vector to a malicious sample file. Its core combines two concepts: Term Frequency (TF) and Inverse Document Frequency (IDF). Term Frequency represents the number of times a function vector appears in a single sample file. To increase the algorithm's universality, normalization is performed during the calculation process, that is, the number of times the function vector appears in the sample is divided by the total number of function vectors contained in the sample, thus representing the relative weight of the function in the current sample, as shown in equation (7). Inverse Document Frequency assesses the rarity of the function vector in the entire sample corpus. The fewer sample files a function vector appears in, the higher its IDF value, indicating that it has stronger class discrimination ability. Its calculation formula is shown in equation (8). The TF-IDF algorithm considers both the frequency of a function in the current sample and the scarcity of the function in the entire sample corpus, and can find the most representative and discriminative functions or function sets for the samples, as shown in equation (9).
[0050] (7) in, , Let i and k represent the number of times functions i and k appear in a sample, respectively. This represents the total number of functions for a sample.
[0051] (8) Where M represents the number of samples in the sample library, X represents the number of samples in which a certain function has appeared, and X+1 is used to avoid the denominator being 0.
[0052] (9) d. Target of attack We construct digital coding mapping tables for industries and countries respectively, and encode the industries and countries attacked by each APT group to obtain the characteristics of the attack targets.
[0053] The APT organization feature library constructed by extracting the above four types of features is shown in Table 1.
[0054] Table 1 Examples of APT Organization Feature Database
[0055] In this table, APT organization name represents each APT organization, attack technology represents the feature vector of the technology used by each APT organization, attack tactic represents the feature vector of the tactic used by each APT organization, attack payload (sample HASH) represents the HASH of the attack samples used by each APT organization, attack payload (sample code) represents the feature vector extracted from the attack sample code used by each APT organization, attack target (attack industry) represents the feature vector of the industries historically attacked by each APT organization, and attack target (attack country) represents the feature vector of the countries historically attacked by each APT organization.
[0056] Figure 1 A flowchart of an attack homology analysis method according to an embodiment of the present invention is shown below. Figure 1 As shown, the method is as follows: Step S1: Obtain event clues, alarm data, and sample data of the attack event to be tested; First, it's necessary to access incident leads, alert data, and malicious sample data. Incident leads include fields such as attacker IP, victim IP, victim's industry, and victim's country of origin. The victim's industry comes from a threat intelligence database; if there's no explicit identifier in the database, it's categorized as "uncategorized industry." The victim's country of origin comes from an IP geolocation database; if no corresponding geolocation information is found, it's marked as "unknown." Alert data includes time, source IP, destination IP, alert type, and alert level. Malicious sample data includes malicious sample hashes and malicious sample files.
[0057] Step S2: Extract ATT&CK attack tactical features and ATT&CK attack technical features from alarm data, extract sample HASH values and code features from sample data, and extract attack industry features and attack country features from event clues. In step S2, code features are extracted from the sample data, including: The sample data is disassembled to obtain a set of assembly functions, and the opcode sequence and system call sequence of each function are extracted. The opcode sequence is mapped and pooled into a basic vector using a pre-trained continuous bag-of-words model, and the system call sequence is embedded and pooled into a system call vector. The function feature vector is obtained by concatenating the base vector with the system call vector. Hierarchical density clustering algorithm is used to cluster the feature vectors of all functions and merge similar functions. The discrimination of each function in the sample corpus after clustering is evaluated based on the term frequency inverse document frequency algorithm, and a predetermined number of the most representative function feature vectors are selected as code features.
[0058] In step S2, ATT&CK attack tactical features and ATT&CK attack technical features are extracted from the alarm data, including: Analyze the attack type, triggering conditions, and affected object attributes in the alarm data; Based on the pre-built mapping table between alarm features and the ATT&CK framework, the parsed attributes are associated with the corresponding ATT&CK technologies and sub-technologies; Generate ATT&CK attack technique features in sparse matrix form based on the associated ATT&CK techniques, and generate ATT&CK attack tactical features in sparse matrix form based on the tactics to which the techniques belong.
[0059] In some specific embodiments, the feature extraction methods are as follows: For alert data, a mapping method based on the ATT&CK framework is used to associate it with corresponding tactics and techniques. The mapping table is constructed based on the official MITRE definition, combined with behavioral logic in real attack scenarios, and implemented through manual rule-based methods. Specifically, firstly, the behavioral descriptions, attack targets, and typical characteristics of various techniques and sub-techniques in ATT&CK are sorted out to form a technical feature library; secondly, the key attributes of various alerts (such as attack type, triggering conditions, affected objects, etc.) are analyzed to construct an alert feature dimension set; finally, the correspondence between alert features and ATT&CK techniques and tactics is established through manual verification, and one alert can correspond to one or more techniques and tactics. For example, the "SQLInjection" alert, because its behavior is to manipulate the database by injecting malicious SQL statements to perform unauthorized operations, can be mapped to ATT&CK technique T1190 (using a public-facing application), and the tactic is "Initial Access" (TA0001). The mapping rule for this alert is: when the alert content contains the keyword "SQL Injection" and involves database access behavior, it is directly associated with this technique and the corresponding tactic. This establishes a structured mapping relationship between alerts and ATT&CK tactics and techniques, and generates attack tactical and technical vectors accordingly. Examples of the correspondence between alerts and ATT&CK are shown in Table 2. For malicious sample data, their hash and code feature vectors are extracted. For event clue data, the industry and country characteristics of the attack are extracted.
[0060] Table 2 Example of Alarm Name and ATT&CK Correspondence
[0061] Step S3: Calculate the similarity between the extracted ATT&CK attack tactical features, ATT&CK attack technical features, sample HASH value, code features, attack industry features, and attack country features and the corresponding features in the preset APT organization feature database. In step S3, the similarity between the extracted features and the corresponding features in the preset APT tissue feature library is calculated, including: The cosine similarity algorithm is used to calculate the similarity between the technical features and tactical features of ATT&CK attacks and the corresponding features in the preset APT organization feature database; The similarity between code features and corresponding code features in a pre-defined APT organization feature library is calculated using the edit distance algorithm. The direct comparison method is used to calculate the similarity between the sample's HASH value, attack industry characteristics, and attack country characteristics and the corresponding characteristics in the preset APT organization characteristic library. If they match, the similarity is assigned a value of 1; otherwise, it is assigned a value of 0.
[0062] Specifically, when calculating feature similarity, different similarity calculation methods are used depending on the feature, as follows: attack techniques When calculating the similarity of attack techniques, given that the relevant feature vectors are usually sparse, the cosine similarity calculation method is used to measure the degree of similarity between the attack techniques of the current attack event and the techniques used by various APT groups.
[0063] Cosine similarity is the cosine of the angle between two n-dimensional vectors in n-dimensional space. Its value is the dot product of the two vectors divided by the product of their lengths, as shown in equation (10).
[0064] (10) Here, A and B are two vectors, and ||A|| and ||B|| represent the magnitudes of A and B, respectively. Represent the dot product of A and B. , These are elements in vectors A and B, respectively. The cosine similarity value ranges from -1 to 1, where -1 represents complete dissimilarity and 1 represents complete similarity.
[0065] Attack tactics For the analysis of attack tactics, since their feature vectors are also sparse, cosine similarity is also used as an evaluation method to obtain the correlation between the tactics used in the current attack event and the tactics used by different APT groups.
[0066] Attack payload The attack payload includes sample hashes and sample code features. For sample hashes, a direct comparison method is used: if the sample hash of the current attack event matches any sample hash recorded by the APT organization, it is assigned a value of 1, indicating a perfect match; otherwise, it is assigned a value of 0. For sample code features, a unique function name ID is first generated for each function based on its feature vector. Samples are then encoded based on the function name ID sequence, and edit distance is used to quantify the similarity between two encoded sequences, thus obtaining the code-level similarity.
[0067] Edit distance, proposed by scientist Vladimir Levenshtein in 1965, uses characters as the editing unit and calculates the minimum number of operations (deletion, insertion, replacement) required to move from one string to another. It is often used to calculate string similarity. Let two strings S=S1S2S3…Sm and T=T1T2T3…Tn, construct a matrix LD[m+1,n+1]. Use dynamic programming to iteratively calculate the value of LD(i, j) in each cell of the matrix. The LD(m, n) in the bottom right corner is the desired edit distance. The calculation formula is shown in equation (11).
[0068] (11) in, When the i-th word of S is not equal to the j-th word of T, ;otherwise, LD itself can represent the similarity between two strings. Intuitively, the larger the LD, the smaller the similarity. The formula for calculating the similarity Sim(S,T) is shown in equation (12).
[0069] (12) Attack Target Regarding attack targets, this includes the industry targeted and the country targeted. If the industry targeted by the current attack is the same as the industry targeted by the APT group in its historical attacks, the corresponding similarity value is assigned as 1, indicating that the industry target is consistent; otherwise, it is 0. Similarly, the same logic is used to calculate the similarity of the country targeted, thus obtaining two key attack target characteristics: industry similarity and country similarity, to comprehensively characterize the target characteristics of the attack event.
[0070] By calculating the similarity between attack techniques, attack tactics, attack payloads, and attack targets, six similarity calculation results can be obtained, as shown in Table 3.
[0071] Table 3 Examples of attack origin analysis similarity values
[0072] Step S4: Calculate the overall similarity score based on the various similarities. In step S4, the comprehensive similarity score is calculated based on each similarity, including: weighting and summing each similarity according to a preset weight to obtain the comprehensive similarity score.
[0073] Step S5: Determine the APT organization with the same origin as the attack event to be tested based on the comprehensive similarity score; In step S5, determining the APT organization of the attack event to be tested based on the comprehensive similarity score includes: comparing the comprehensive similarity score with a preset threshold; if the comprehensive similarity score is greater than the preset threshold, then determining that the APT organization corresponding to the preset APT organization feature library is the APT organization of the attack event to be tested.
[0074] The process of generating the preset threshold includes: Obtain a sample set of historical attack events, and calculate the comprehensive similarity score between each sample in the sample set to obtain comprehensive similarity distribution data; Based on the comprehensive similarity distribution data, a preset fixed percentile method is used to determine the comprehensive similarity score corresponding to a specified percentile as the preset threshold.
[0075] Furthermore, the process of constructing and updating the preset APT tissue feature library includes: Acquire multi-source historical attack event data and extract the corresponding historical feature vectors; The HDBSCAN clustering algorithm is used to perform density clustering on the historical feature vectors to generate multiple clusters. Each cluster is identified as an independent APT organization, and representative features of each cluster are extracted and stored in the preset APT organization feature library; If the overall similarity score of the attack event to be tested is not greater than the preset threshold, the attack event to be tested is stored as a new sample in the clustering pool, and the HDBSCAN clustering algorithm is re-executed to achieve dynamic updating of the preset APT organization feature library.
[0076] Here, APT organization name represents each APT organization; attack technique represents the similarity between the current event and the corresponding APT organization's attack technique; attack tactic represents the similarity between the current event and the corresponding APT organization's attack tactic; attack payload (sample hash) represents the similarity between the sample used in the current event and the sample hash of the corresponding APT organization; attack payload (sample code) represents the similarity between the sample used in the current event and the sample code of the corresponding APT organization; attack target (attack industry) represents the similarity between the attack industry of the current event and the historical attack industry of the corresponding APT organization; and attack target (attack country) represents the similarity between the attack country of the current event and the historical attack countries of the corresponding APT organization.
[0077] When performing attack homology analysis, the comprehensive similarity between the features of the event to be detected and the features of the APT organization is first calculated, as shown in equation (13). If the overall similarity... If the value is greater than the threshold, it indicates that the event was an attack by this APT group; otherwise, it is not, thus obtaining the homology analysis results of the attack events. The threshold can be set using a fixed percentile method based on the similarity distribution of historical attack samples to ensure that the false alarm rate is effectively controlled while maintaining the detection rate, thereby improving the reliability and reproducibility of the judgment results.
[0078] (13) Where v represents the similarity value of each feature, and w represents the weight of each feature. This paper adopts the equal weighting method to determine the weights, that is, to make the weights of each feature equal, thereby establishing a fair contribution benchmark for all features in the early stage of analysis, effectively avoiding the bias that may be introduced by subjective assignment, and enhancing the interpretability and robustness of the model.
[0079] Experiments were conducted on the same test set. When using only static code features for attack source analysis, the model accuracy was 68.4%; when using only alarm features, the accuracy was 56.2%; however, after adopting the joint analysis method proposed in this invention, which integrates code features and alarm features, the prediction accuracy improved to 79.1%. These data demonstrate that this invention significantly enhances the accuracy and robustness of attack source identification by effectively integrating information from different dimensions.
[0080] Example 2: In practical applications, such as Figure 2As shown, this embodiment provides an attack origin analysis method. The execution subject of this method can be a server with strong computing power, a cloud computing cluster, or a local security device. This method mainly relies on a pre-built APT organization feature library. Before performing origin detection, the system first collects attack event reports and malicious samples from major APT organizations to build an APT organization feature library. During the construction process, historical events are analyzed to extract the attack payloads (malicious sample hashes and code features), attack targets (the industry and country of the victim), ATT&CK attack tactics, and ATT&CK attack techniques of each APT organization. The processing method is to map the techniques and tactics used into sparse matrices to generate technique vectors and tactic vectors; for malicious samples, disassembly is performed to obtain the set of assembly functions, and opcode sequences and system call sequences are extracted. In order to improve the ability to identify obfuscated code, a Word2Vec model (specifically using the CBOW architecture) is used to map opcodes into word vectors and calculate the average to obtain the base vector. The system call sequence is embedded and then averaged to obtain the system call vector. The two are then concatenated to form a high-dimensional function feature vector. Next, the HDBSCAN (Hierarchical Density Clustering) algorithm is used to calculate the core distance and reach distance of sample points, constructing an agglomerative hierarchical tree to extract the optimal clustering partitions and merging similar functions. Finally, the TF-IDF (Term Frequency Inverse Document Frequency) algorithm is used to evaluate the discriminative power of the functions in the APT family corpus, selecting the K most representative functions as "semantic genes" and storing them in the APT organization's feature library. For attack targets, industry and country-specific digital encoding mapping tables are constructed for encoding.
[0081] After the feature library is built, the homology determination stage begins. For example... Figure 1 As shown, the homology determination process specifically includes the following execution steps: Data sources for the attack events to be tested are obtained. These include event clues, alarm data, and malicious sample data generated at the system's network boundary, terminal devices, or security management platform. Event clues include the attacker's IP, the victim's IP, the victim's industry, and their country of origin. Industry information can be obtained by querying the threat intelligence database; if no explicit identifier is found, it is categorized as "uncategorized industry." Country information is queried through the IP geolocation database; if not found, it is marked as "unknown." Alarm data includes time, source IP, destination IP, alarm type, and alarm level. Malicious sample data includes captured malicious sample files and calculated sample hash values.
[0082] Multi-dimensional features are extracted from different data sources. For alarm data, based on the MITRE-defined ATT&CK framework, behavioral descriptions of various technologies and sub-techniques are manually compiled to build a mapping rule base. The system parses alarm types and triggering conditions. For example, when an alarm contains "SQL Injection" and involves database access, it is associated with ATT&CK technology T1190 (using a public-facing application), and the corresponding tactic is TA0001 (initial access). Through this structured mapping, discrete alarms are converted into attack tactic vectors and technical vectors that reflect the timing and intent of the attack. For malicious sample data, the system directly extracts the sample hash value and performs the same disassembly, Word2Vec vectorization, HDBSCAN clustering, and TF-IDF dimensionality reduction filtering process as when building the feature base to extract the code feature vector of the sample to be tested. For event clue data, the industry and country characteristics of the victim are directly extracted.
[0083] Feature similarity is calculated separately. The system calls the corresponding algorithm engine to calculate the similarity between the features of the event to be tested and each record in the APT organization's feature database. Due to the sparsity of attack techniques and tactics feature vectors, the system uses cosine similarity for calculation, which is to calculate the dot product of two high-dimensional space vectors divided by the product of their magnitudes. The value ranges from -1 to 1, with the closer the value is to 1, the more similar the tactics and techniques. For sample hash values in the attack payload, a direct comparison method is used; if the values are the same, the similarity is assigned 1, and if they are different, it is assigned 0. For code features in the attack payload, the system generates a unique function name ID for the selected function features and encodes it into a sequence. The Levenshtein edit distance between two sequences is calculated using dynamic programming, quantifying the difference by minimizing the number of deletion, insertion, and replacement operations. The smaller the edit distance, the higher the similarity at the code level. For industry and country features in the attack target, the same direct comparison method is used; if a historical target is matched, the corresponding similarity is assigned 1, otherwise it is 0.
[0084] The system calculates a comprehensive score and identifies the originating organization. After obtaining similarity scores across six dimensions—attack tactics, attack techniques, sample hash, sample code, industry, and country—the system performs a weighted summation of these similarities. In basic implementation scenarios, an equal-weighted allocation method can be used to ensure a fair contribution benchmark for each feature in the initial assessment, avoiding subjective bias. The system compares the calculated comprehensive similarity score with a set dynamic threshold. This threshold is dynamically generated using a fixed percentile method based on the similarity distribution of historical attack samples. If the comprehensive similarity score of the current event with a certain APT organization is greater than this threshold, the system determines that the event is a source attack and outputs an assessment result including the corresponding APT organization label and a similarity evidence chain.
[0085] The second aspect of this invention discloses an attack homology analysis system. Figure 3 This is a structural diagram of an attack homology analysis system according to an embodiment of the present invention; as shown below. Figure 3 As shown, the system 100 employs the method described in any of the above embodiments, and includes: The acquisition module 101 is used to acquire event clues, alarm data and sample data of the attack event to be tested; The feature extraction module 102 is used to extract ATT&CK attack tactical features and ATT&CK attack technical features from alarm data, extract sample HASH values and code features from sample data, and extract attack industry features and attack country features from event clues. The similarity calculation module 103 is used to calculate the similarity between the extracted ATT&CK attack tactical features, ATT&CK attack technical features, sample HASH values, code features, attack industry features, and attack country features and the corresponding features in the preset APT organization feature library. The same-origin determination module 104 is used to calculate a comprehensive similarity score based on various similarities, and to determine the same-origin APT organization of the attack event to be tested based on the comprehensive similarity score.
[0086] A third aspect of this invention discloses an electronic device. The electronic device includes a memory and a processor. The memory stores a computer program, and when the processor executes the computer program, it implements the steps of an attack homology analysis method according to any one of the first aspects of this invention.
[0087] Figure 4 This is a structural diagram of an electronic device according to an embodiment of the present invention, such as... Figure 4 As shown, the electronic device includes a processor, memory, communication interface, display screen, and input device connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, carrier networks, Near Field Communication (NFC), or other technologies. The display screen can be an LCD screen or an e-ink screen. The input device can be a touch layer covering the display screen, buttons, a trackball, or a touchpad mounted on the device's casing, or an external keyboard, touchpad, or mouse.
[0088] Those skilled in the art will understand that Figure 4The structure shown is merely a structural diagram of the part related to the technical solution of this disclosure and does not constitute a limitation on the electronic device to which the solution of this application is applied. The specific electronic device may include more or fewer components than shown in the figure, or combine certain components, or have different component arrangements.
[0089] A fourth aspect of this invention discloses a computer-readable storage medium. The computer-readable storage medium stores a computer program, which, when executed by a processor, implements the steps of an attack homology analysis method according to any one of the first aspects of this invention.
[0090] Please note that the technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features in the above embodiments have been described. However, as long as the combination of these technical features does not contradict each other, it should be considered within the scope of this specification. The above embodiments only illustrate several implementation methods of this application, and their descriptions are relatively specific and detailed, but they should not be construed as limiting the scope of the invention patent. It should be pointed out that for those skilled in the art, several modifications and improvements can be made without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this patent application should be determined by the appended claims.
Claims
1. A method for attack homology analysis, characterized in that, The method includes: Step S1: Obtain event clues, alarm data, and sample data of the attack event to be tested; Step S2: Extract ATT&CK attack tactical features and ATT&CK attack technical features from alarm data, extract sample HASH values and code features from sample data, and extract attack industry features and attack country features from event clues. Step S3: Calculate the similarity between the extracted ATT&CK attack tactical features, ATT&CK attack technical features, sample HASH value, code features, attack industry features, and attack country features and the corresponding features in the preset APT organization feature database. Step S4: Calculate the overall similarity score based on the various similarities. Step S5: Determine the APT organization with the same origin as the attack event to be tested based on the comprehensive similarity score.
2. The attack homology analysis method according to claim 1, characterized in that, In step S2, code features are extracted from the sample data, including: The sample data is disassembled to obtain a set of assembly functions, and the opcode sequence and system call sequence of each function are extracted. The opcode sequence is mapped and pooled into a basic vector using a pre-trained continuous bag-of-words model, and the system call sequence is embedded and pooled into a system call vector. The function feature vector is obtained by concatenating the base vector with the system call vector. Hierarchical density clustering algorithm is used to cluster the feature vectors of all functions and merge similar functions. The discrimination of each function in the sample corpus after clustering is evaluated based on the term frequency inverse document frequency algorithm, and a predetermined number of the most representative function feature vectors are selected as code features.
3. The attack homology analysis method according to claim 1, characterized in that, In step S2, ATT&CK attack tactical features and ATT&CK attack technical features are extracted from the alarm data, including: Analyze the attack type, triggering conditions, and affected object attributes in the alarm data; Based on the pre-built mapping table between alarm features and the ATT&CK framework, the parsed attributes are associated with the corresponding ATT&CK technologies and sub-technologies; Generate ATT&CK attack technique features in sparse matrix form based on the associated ATT&CK techniques, and generate ATT&CK attack tactical features in sparse matrix form based on the tactics to which the techniques belong.
4. The attack homology analysis method according to claim 1, characterized in that, In step S3, the similarity between the extracted features and the corresponding features in the preset APT tissue feature library is calculated, including: The cosine similarity algorithm is used to calculate the similarity between the technical features and tactical features of ATT&CK attacks and the corresponding features in the preset APT organization feature database; The similarity between code features and corresponding code features in a pre-defined APT organization feature library is calculated using the edit distance algorithm. The direct comparison method is used to calculate the similarity between the sample's HASH value, attack industry characteristics, and attack country characteristics and the corresponding characteristics in the preset APT organization characteristic library. If they match, the similarity is assigned a value of 1; otherwise, it is assigned a value of 0.
5. A method for attack homology analysis according to any one of claims 1 to 4, characterized in that, In step S4, the comprehensive similarity score is calculated based on each similarity, including: weighting and summing each similarity according to a preset weight to obtain the comprehensive similarity score; In step S5, determining the APT organization of the attack event to be tested based on the comprehensive similarity score includes: comparing the comprehensive similarity score with a preset threshold; if the comprehensive similarity score is greater than the preset threshold, then determining that the APT organization corresponding to the preset APT organization feature library is the APT organization of the attack event to be tested.
6. The attack homology analysis method according to claim 5, characterized in that, The process of generating the preset threshold includes: Obtain a sample set of historical attack events, and calculate the comprehensive similarity score between each sample in the sample set to obtain comprehensive similarity distribution data; Based on the comprehensive similarity distribution data, a preset fixed percentile method is used to determine the comprehensive similarity score corresponding to a specified percentile as the preset threshold.
7. A method for attack homology analysis according to any one of claims 1 to 6, characterized in that, The process of constructing and updating the preset APT organization feature library includes: Acquire multi-source historical attack event data and extract the corresponding historical feature vectors; The HDBSCAN clustering algorithm is used to perform density clustering on the historical feature vectors to generate multiple clusters. Each cluster is identified as an independent APT organization, and representative features of each cluster are extracted and stored in the preset APT organization feature library; If the overall similarity score of the attack event to be tested is not greater than the preset threshold, the attack event to be tested is stored as a new sample in the clustering pool, and the HDBSCAN clustering algorithm is re-executed to achieve dynamic updating of the preset APT organization feature library.
8. An attack origin analysis system, characterized in that, include: The acquisition module is used to acquire event clues, alarm data, and sample data of the attack event to be tested; The feature extraction module is used to extract ATT&CK attack tactical features and ATT&CK attack technical features from alarm data, extract sample HASH values and code features from sample data, and extract attack industry features and attack country features from event clues. The similarity calculation module is used to calculate the similarity between the extracted ATT&CK attack tactical features, ATT&CK attack technical features, sample HASH values, code features, attack industry features, and attack country features and the corresponding features in the preset APT organization feature library. The same-origin determination module is used to calculate a comprehensive similarity score based on various similarities, and to determine the same-origin APT organization of the attack event to be tested based on the comprehensive similarity score.
9. An electronic device, characterized in that, The electronic device includes a memory and a processor. The memory stores a computer program, and when the processor executes the computer program, it implements the steps of the attack homology analysis method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, which, when executed by a processor, implements the steps of the attack homology analysis method according to any one of claims 1 to 7.