Modeling method and device of network attack behavior, computer device, readable storage medium and program product

By using attack knowledge graphs and finite state machines for collaborative modeling, the problem of traditional network attack modeling being unable to associate multi-stage behaviors is solved, enabling systematic reconstruction of attack paths and identification of high-risk events, thereby improving the defense capabilities against network attacks.

CN122179233APending Publication Date: 2026-06-09CHINA SOUTHERN POWER GRID COMPANY +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA SOUTHERN POWER GRID COMPANY
Filing Date
2026-04-24
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Traditional network attack modeling methods cannot systematically depict the attack evolution process or correlate multi-stage attack behaviors, resulting in the inability to fully reconstruct attack paths and identify high-risk events.

Method used

A collaborative modeling approach combining attack knowledge graphs and attack behavior evolution finite state machines is adopted. Entities and relationships related to network attack behaviors are set as directed graphs to generate attack paths. Risks are assessed and high-risk events are identified through weight functions.

Benefits of technology

It enables the complete path reconstruction of multi-stage attacks and the accurate identification of high-risk events, improving the ability to perceive, trace, and defend against network attacks, and providing timely warnings and predictions of potential threats.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122179233A_ABST
    Figure CN122179233A_ABST
Patent Text Reader

Abstract

This application relates to a method, apparatus, computer device, computer-readable storage medium, and computer program product for modeling network attack behavior. It includes: setting entities related to network attack behavior and the relationships between entities as a directed graph to obtain an attack knowledge graph; setting an attack behavior evolution finite state machine based on the evolution process of network attack behavior; generating an observed event after observing a network attack event; generating an attack path containing a state transition sequence based on the observed event, the attack knowledge graph, and the attack behavior evolution finite state machine; determining whether the attack behavior in the observed event has ended; if the determination result is that it has ended, generating a risk score for the attack path based on the weight function of each attack action in the attack path; if the risk score is not less than a preset risk threshold, determining the network attack event as a high-risk event and generating an alarm message. This method can completely reconstruct the attack path.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, and in particular to a method, apparatus, computer device, computer-readable storage medium, and computer program product for modeling cyberattack behavior. Background Technology

[0002] With the development of cybersecurity technology, AI-driven intelligent network attack technology has emerged, which has the core characteristics of intelligent self-adaptation, precise customization, and large-scale automation, greatly improving the stealth and destructive power of attacks.

[0003] Traditional network attack modeling and defense primarily rely on signature matching, fixed rule configuration, and simple behavioral analysis. Known threats are identified through pre-set signature databases and manually configured strategies, and attack risks are traced manually. However, traditional methods lack a systematic portrayal of the attack evolution process, making it impossible to correlate multi-stage attack behaviors or reconstruct the complete attack path. Summary of the Invention

[0004] Therefore, it is necessary to provide a modeling method, apparatus, computer equipment, computer-readable storage medium, and computer program product that can completely reconstruct the attack path of network attack behavior to address the above-mentioned technical problems.

[0005] Firstly, this application provides a method for modeling network attack behavior, including:

[0006] By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge.

[0007] Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0008] Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated.

[0009] Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0010] In one embodiment, the method further includes:

[0011] If the judgment result is not yet completed, an attack path prediction is generated based on the attack path using a path reasoning algorithm; a risk score for the attack path prediction is generated based on the weight function of each attack action in the attack path prediction; if the risk score is not less than a preset risk threshold, the network attack event is judged to be a high-risk event, and an alarm message is generated.

[0012] In one embodiment, setting the entities and relationships between them related to network attack behavior into a directed graph to obtain an attack knowledge graph includes:

[0013] Initialize a directed graph and acquire network attack behavior data; based on the network attack behavior data, set a node set for the directed graph to obtain a first directed graph; each node in the node set corresponds to a network attack-related entity; based on the network attack behavior data, set a directed edge set for the first directed graph to obtain a second directed graph; each directed edge in the directed edge set corresponds to a network attack relationship between two nodes; based on the network attack behavior data, set a node type mapping function for the second directed graph to obtain a third directed graph; the node type mapping function is used to map nodes corresponding to attacker entities to attacker categories and nodes corresponding to vulnerability entities to vulnerability categories. The attack tool entity is mapped to an attack tool category, the attack action entity is mapped to an attack action category, and the target host entity is mapped to a target host category. Based on network attack behavior data, an edge type mapping function is set for the third directed graph to obtain an attack knowledge graph. The edge type mapping function is used to map directed edges corresponding to the attacker's exploitation of vulnerabilities to exploitation type, directed edges corresponding to the attacker's use of attack tools to use type, directed edges corresponding to the attack action triggering the target host's impact to trigger type, and directed edges corresponding to the vulnerability causing risk to the target host to cause type.

[0014] In one embodiment, the evolutionary process based on network attack behavior, which involves setting up a finite state machine for attack behavior evolution, includes:

[0015] Initialize a finite state machine; based on the evolution of network attack behavior, set a finite set of states for the finite state machine to obtain a first finite state machine; the finite state set corresponds to the full-stage security posture of the network attack lifecycle, including the initial secure state, vulnerability exposure state, attack in progress state, privilege escalation state, system controlled state, and system destroyed state; based on the evolution of network attack behavior, set a set of input symbols for the first finite state machine to obtain a second finite state machine; the set of input symbols is generated by mapping attack action entities in the attack knowledge graph; based on the evolution of network attack behavior, set a state transition function for the second finite state machine to obtain a third finite state machine; the state transition function is used to clarify the mapping rules between the current state of the target host, input symbols, and the target state of the target host; based on the evolution of network attack behavior, set an initial state for the third finite state machine to obtain a fourth finite state machine; the initial state is the initial secure state in the finite state set; based on the evolution of network attack behavior, set an acceptance state set for the fourth finite state machine to obtain an attack behavior evolution finite state machine; the acceptance state set includes high-risk states and compromised states in the finite state set.

[0016] In one embodiment, generating an attack path containing a state transition sequence based on the observed events, the attack knowledge graph, and the attack behavior evolution finite state machine includes:

[0017] The observed event set is mapped to the attack knowledge graph to obtain the mapping result; based on the mapping result, the attack behavior is driven to evolve into a finite state machine to perform state transitions, resulting in an attack path containing a state transition sequence.

[0018] In one embodiment, generating an observation event upon observing a network attack event includes:

[0019] Upon observing a network attack event, the attack initiating entity, attack action type entity, and attack effect entity of the network attack event are obtained; based on the attack initiating entity, the attack action type entity, and the attack effect entity, an observation event is generated.

[0020] Secondly, this application also provides a modeling apparatus for network attack behavior, comprising:

[0021] A construction module is used to set the entities related to network attack behavior and the relationships between entities into a directed graph to obtain an attack knowledge graph; the attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function; the nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the nodes, and the edge type mapping function represents the relationship type of the edges;

[0022] An evolution module is used to set up a finite state machine for attack behavior evolution based on the evolution process of network attack behavior. The finite state machine for attack behavior evolution includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0023] The observation module is used to generate an observation event after a network attack event is observed; and to generate an attack path containing a state transition sequence based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine.

[0024] The judgment module is used to determine whether the attack behavior in the observed event has ended. If the judgment result is that it has ended, a risk score for the attack path is generated based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, the network attack event is determined to be a high-risk event, and an alarm message is generated.

[0025] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:

[0026] By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge.

[0027] Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0028] Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated.

[0029] Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0030] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:

[0031] By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge.

[0032] Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0033] Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated.

[0034] Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0035] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:

[0036] By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge.

[0037] Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0038] Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated.

[0039] Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0040] The aforementioned modeling method, apparatus, computer equipment, computer-readable storage medium, and computer program product for network attack behavior firstly establishes the entities related to the network attack behavior and the relationships between entities as a directed graph to obtain an attack knowledge graph. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to the network attack, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge. Then, based on the evolution process of the network attack behavior, an attack behavior evolution finite state machine is set. The attack behavior evolution finite state machine includes a finite state set, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite state set includes the entities in the network attack... The lifecycle consists of various stages, with the input symbol set including entities performing attack actions in the attack knowledge graph. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state, and the set of accepted states includes high-risk states and compromised states. Subsequently, upon observing a network attack event, an observation event is generated. Based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated. Finally, it is determined whether the attack behavior in the observation event has ended. If the determination result is that it has ended, a risk score for the attack path is generated based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, the network attack event is determined to be a high-risk event, and an alarm message is generated. This application utilizes the collaborative modeling of attack knowledge graphs and attack behavior evolution finite state machines. First, it uses knowledge graphs to structurally integrate attack-related entities and relationships, breaking down information silos. Then, it uses finite state machines to depict the dynamic evolution logic of the entire attack lifecycle, achieving a leap from isolated event detection to attack process modeling. Simultaneously, by combining attack path risk quantification and real-time attack status judgment, it can not only systematically reconstruct the complete path of multi-stage attacks and accurately identify high-risk attack events and issue timely alerts, but also make up for the shortcomings of traditional methods that lack attack evolution characterization and cannot associate multi-stage behaviors, significantly improving the ability to perceive, trace, and defend against complex network attacks. Attached Figure Description

[0041] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0042] Figure 1This is a flowchart illustrating a method for modeling network attack behavior in one embodiment;

[0043] Figure 2 A detailed flowchart of a method for modeling network attack behavior in one embodiment;

[0044] Figure 3 This is a structural block diagram of a network attack behavior modeling device in one embodiment;

[0045] Figure 4 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation

[0046] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0047] It should be noted that the terms "first," "second," etc., used in this application can be used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish the first element from the second element. The terms "comprising" and "having," and any variations thereof, used in this application, are intended to cover non-exclusive inclusion. The term "multiple" used in this application refers to two or more. The term "and / or" used in this application refers to one of the embodiments, or any combination of multiple embodiments.

[0048] In one embodiment, such as Figure 1 As shown, a method for modeling network attack behavior is provided. This embodiment illustrates the method by applying it to a terminal. It is understood that this method can also be applied to a server, and further to a system including both a terminal and a server, and is implemented through the interaction between the terminal and the server. In this embodiment, the method includes the following steps:

[0049] Step 102: Set the entities related to network attack behavior and the relationships between entities into a directed graph to obtain an attack knowledge graph; the attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function; the nodes are entities related to network attacks, the directed edges are the relationships between entities, the node type mapping function represents the category of the nodes, and the edge type mapping function represents the relationship type of the edges.

[0050] The entities in the node set specifically include attacker entities, vulnerability entities, attack tool entities, attack action entities, and target system entities. Each type of entity corresponds to a core participant in the network attack scenario, an exploitable security flaw, an attack tool, a specific attack operation, and the target system targeted by the attack. Each directed edge in the directed edge set explicitly points to a logical causal or interactive relationship between entities. The node type mapping function is used to clearly define node categories. The edge type mapping function is used to clarify the relational semantics of edges.

[0051] Step 104: Based on the evolution process of network attack behavior, set up an attack behavior evolution finite state machine; the attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states; the finite set of states includes the states of entities at each stage of the network attack lifecycle, the set of input symbols includes entities in the attack knowledge graph that perform attack actions, the state transition function represents the transition of an entity from its current state to the target state after being attacked, the initial state is a safe state, and the set of accepting states includes high-risk states and compromised states.

[0052] The finite set of states specifically represents the security states of the target system at each stage of the network attack lifecycle, including the initial secure state, the vulnerability exposed state, the attack in progress state, the privilege escalation state, the system under control state, and the system destroyed state. The initial secure state is the normal operating state of the target system without any attacks; the vulnerability exposed state is the state where the target system has exploitable vulnerabilities but has not yet been attacked; the attack in progress state is the state where the attacker has launched an attack and exploited the vulnerability; the privilege escalation state is the state where the attacker gains higher operational privileges on the target system through an attack; the system under control state is the state where the attacker controls the core resources of the target system; and the system destroyed state is the state where the target system's functions are disabled or data is leaked. The input symbol set is generated by mapping attack action entities in the attack knowledge graph. Each input symbol uniquely corresponds to an attack action, specifically including vulnerability exploitation symbols, privilege escalation symbols, system control symbols, data theft symbols, and system destruction symbols, corresponding to attack action entities in the attack knowledge graph for exploiting vulnerabilities, escalating privileges, controlling core resources, stealing data, and destroying system functions, respectively.

[0053] Step 106: After observing a network attack event, generate an observation event; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, generate an attack path containing a state transition sequence.

[0054] Specifically, generating observation events involves: continuously collecting multi-source network security data (including firewall logs, intrusion detection system alarms, network traffic data, target system logs, etc.), extracting network attack-related events from the data, parsing each event into a feature triplet (attack initiating entity, attack action type entity, and attack target entity), and organizing the events according to their occurrence sequence to form an observation event set.

[0055] Step 108: Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0056] The weighting function is a pre-defined quantification function based on the risk level of the attack actions. Its assignment rules are as follows: attack actions that directly threaten the core security of the target system, such as privilege escalation, system control, data theft, and system damage, have a higher weight than probing attack actions such as ordinary vulnerability detection and port scanning. Furthermore, the weight values ​​are calibrated using historical attack case data and security risk level standards to ensure the accuracy of risk quantification. The preset risk threshold is a risk threshold preset based on the security level requirements of the target system, the importance of core assets, and industry security standards. It can be dynamically adjusted according to actual application scenarios. When the risk score reaches or exceeds this threshold, it indicates that the attack has posed a serious security threat to the target system, and the system automatically classifies it as a high-risk event.

[0057] For example, suppose the attack path is obtained:

[0058]

[0059] Each transition is triggered by a specific observed event. Attack Path This invention depicts the evolution of an attack from its initial state to its final state. To quantify the risk level of an attack path, it assigns a weight function to each attack action based on a knowledge graph. :

[0060]

[0061] For example, ordinary scanning actions have a lower weight, while critical actions such as privilege escalation and system control have a higher weight. Therefore, the risk scoring function for an attack path is defined as follows:

[0062]

[0063] when Exceeding the set threshold At this time, the system determines that it has entered a high-risk state:

[0064]

[0065] The aforementioned modeling method for network attack behavior first sets the entities related to the network attack behavior and the relationships between them as a directed graph to obtain an attack knowledge graph. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to the network attack, the directed edges are the relationships between the entities, the node type mapping function represents the node category, and the edge type mapping function represents the relationship type of the edge. Then, based on the evolution process of the network attack behavior, an attack behavior evolution finite state machine is set. The attack behavior evolution finite state machine includes a finite state set, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite state set includes the states of entities at various stages of the network attack lifecycle. The input symbol set includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to a target state after being attacked. The initial state is a safe state, and the set of accepted states includes high-risk states and compromised states. Subsequently, when a network attack event is observed, an observation event is generated. Based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated. Finally, it is determined whether the attack behavior in the observation event has ended. If the determination result is that it has ended, a risk score for the attack path is generated based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, the network attack event is determined to be a high-risk event, and an alarm message is generated. This application utilizes the collaborative modeling of attack knowledge graphs and attack behavior evolution finite state machines. First, it uses knowledge graphs to structurally integrate attack-related entities and relationships, breaking down information silos. Then, it uses finite state machines to depict the dynamic evolution logic of the entire attack lifecycle, achieving a leap from isolated event detection to attack process modeling. Simultaneously, by combining attack path risk quantification and real-time attack status judgment, it can not only systematically reconstruct the complete path of multi-stage attacks and accurately identify high-risk attack events and issue timely alerts, but also make up for the shortcomings of traditional methods that lack attack evolution characterization and cannot associate multi-stage behaviors, significantly improving the ability to perceive, trace, and defend against complex network attacks.

[0066] In one exemplary embodiment, the method further includes:

[0067] If the judgment result is not yet completed, an attack path prediction is generated based on the attack path using a path reasoning algorithm; a risk score for the attack path prediction is generated based on the weight function of each attack action in the attack path prediction; if the risk score is not less than a preset risk threshold, the network attack event is judged to be a high-risk event, and an alarm message is generated.

[0068] For example, if the judgment result is not yet complete, the termination state of the current attack path and the sequence of attack actions that have occurred are first extracted. Combined with the relationships between entities in the attack knowledge graph (such as the logical relationship between privilege escalation actions and system control actions, and the compatibility between attack tools and exploitable vulnerabilities), a set of candidate attack actions is constructed. Then, based on the state transition rules of the finite state machine of attack behavior evolution, candidate attack actions that can trigger the transition from the current termination state to the next state are selected, forming a sequence of potential attack actions. Finally, combined with the path evolution patterns in historical attack cases, the potential attack action sequences are probabilistically ranked, prioritizing sequences with high overlap with historical high-risk attack paths and strong logical coherence, ultimately generating 1-3. The system predicts the most credible attack path, clearly identifying potential subsequent attack actions and corresponding system state transition trends. Its risk score generation method is consistent with the scoring logic of completed attack paths, that is, it iterates through each candidate attack action in the predicted path, obtains the corresponding weight value through a preset weight function, and accumulates it to obtain the total risk score of the predicted path. If the score is not less than a preset risk threshold, it indicates that the subsequent predicted attack behavior will pose a serious threat to the target system, and immediately generates early warning information including the current attack path progress, predicted subsequent attack actions and their probability of occurrence, the risk score of the predicted path, and key defense node prompts.

[0069] In this embodiment, by generating highly reliable potential attack path predictions, the limitation of traditional defenses that can only detect attacks that have already occurred is broken. At the same time, by using a unified weighting function to quantify the risk of the predicted path, high-risk threats can be identified in advance and targeted early warning information can be generated before the attack behavior is fully unfolded. This helps security managers to seize the initiative in defense and achieve an upgrade from a passive response to an active prediction defense mode.

[0070] In an exemplary embodiment, the step of setting the entities and relationships between entities related to network attack behavior into a directed graph to obtain an attack knowledge graph includes:

[0071] Initialize a directed graph and acquire network attack behavior data; based on the network attack behavior data, set a node set for the directed graph to obtain a first directed graph; each node in the node set corresponds to a network attack-related entity; based on the network attack behavior data, set a directed edge set for the first directed graph to obtain a second directed graph; each directed edge in the directed edge set corresponds to a network attack relationship between two nodes; based on the network attack behavior data, set a node type mapping function for the second directed graph to obtain a third directed graph; the node type mapping function is used to map nodes corresponding to attacker entities to attacker categories and nodes corresponding to vulnerability entities to vulnerability categories. The attack tool entity is mapped to an attack tool category, the attack action entity is mapped to an attack action category, and the target host entity is mapped to a target host category. Based on network attack behavior data, an edge type mapping function is set for the third directed graph to obtain an attack knowledge graph. The edge type mapping function is used to map directed edges corresponding to the attacker's exploitation of vulnerabilities to exploitation type, directed edges corresponding to the attacker's use of attack tools to use type, directed edges corresponding to the attack action triggering the target host's impact to trigger type, and directed edges corresponding to the vulnerability causing risk to the target host to cause type.

[0072] For example, first initialize an empty directed graph structure:

[0073]

[0074] The system provides interfaces for defining the reserved node set, directed edge set, and mapping function. Subsequently, it collects multi-source network attack behavior data, including firewall logs, intrusion detection alerts, vulnerability database information, attack tool signature databases, and historical attack records of target hosts. Based on the collected attack behavior data, it extracts five core entities: attacker, vulnerability, attack tool, attack action, and target host. Each entity is added as an independent node to the directed graph. It is represented as a set of nodes, where each node corresponds to a network security-related entity; This represents a set of directed edges, where each edge represents an attack relationship between entities; Define the node type mapping function to define the node category (e.g., attacker, target host, vulnerability, tool, attack action). Define the relationship type of the edges (e.g., exploit, cause, affect) for the edge type mapping function. During the construction process, it is necessary to formally represent key entities in the cybersecurity domain: Attacker entity: Vulnerable entity: Tool Entity: Attack Action Entity: System target entity: The edge relationships are defined as follows: Using the relationships: Usage relationship: Triggering relationship: ; Leading to the relationship: Through the above formal definition, the attack knowledge graph can be obtained. It can uniformly model the key elements and logical relationships of attack behavior and serve as the basis for subsequent finite state machine driven analysis.

[0075] In this embodiment, by constructing a directed graph and defining a standardized mapping function, scattered network attack behavior data can be transformed into a structured knowledge graph, clearly sorting out attack-related entities and the logical relationships between entities, and providing accurate static knowledge support for the dynamic evolution modeling of subsequent attack behaviors.

[0076] In an exemplary embodiment, the process of setting up a finite state machine for the evolution of network attack behavior includes:

[0077] Initialize a finite state machine; based on the evolution of network attack behavior, set a finite set of states for the finite state machine to obtain a first finite state machine; the finite state set corresponds to the full-stage security posture of the network attack lifecycle, including the initial secure state, vulnerability exposure state, attack in progress state, privilege escalation state, system controlled state, and system destroyed state; based on the evolution of network attack behavior, set a set of input symbols for the first finite state machine to obtain a second finite state machine; the set of input symbols is generated by mapping attack action entities in the attack knowledge graph; based on the evolution of network attack behavior, set a state transition function for the second finite state machine to obtain a third finite state machine; the state transition function is used to clarify the mapping rules between the current state of the target host, input symbols, and the target state of the target host; based on the evolution of network attack behavior, set an initial state for the third finite state machine to obtain a fourth finite state machine; the initial state is the initial secure state in the finite state set; based on the evolution of network attack behavior, set an acceptance state set for the fourth finite state machine to obtain an attack behavior evolution finite state machine; the acceptance state set includes high-risk states and compromised states in the finite state set.

[0078] For example, first initialize an empty finite state machine quintuple framework:

[0079]

[0080] Then, by setting the finite state set, input symbol set, state transition function, initial state, and accept state set of the finite state machine, the attack behavior evolution finite state machine is obtained; specifically including: This represents a finite set of possible states for the system, with each state corresponding to a stage in the network security lifecycle. This represents the set of input symbols, which are mapped from attack action entities in the knowledge graph. This represents the state transition function, which determines which state the system will transition to after receiving an attack action in a certain state. This represents the initial state of the system, usually the "safe state"; This represents the set of accepting states, corresponding to the system entering a high-risk or compromised state. To better reflect the actual process of a network attack, the state space needs further refinement. We will make specific classifications. Based on the attack lifecycle, the states are divided into the following categories: initial safe state. : Indicates a normal state where the system has not suffered any attacks; vulnerable state. : Indicates that a known vulnerability exists in the system, but has not yet been exploited; attack in progress. This indicates that an attacker has exploited the vulnerability and triggered specific attack actions; privilege escalation state. This indicates that the attacker has gained higher privileges through certain means, enabling them to carry out deeper attack activities; the system is in a controlled state. This indicates that the system's critical resources have been controlled by an attacker, and the system has entered a high-risk state; the system is in a damaged state. This state indicates that the attacker has achieved their ultimate goal, such as stealing data, compromising the system, or implanting a backdoor. This state belongs to the set of accepting states. .

[0081] Optionally, during the state transition process, each attack action event... Both will trigger a state transition. For example, when the system is in a vulnerable state. If an attack on a vulnerability is observed... The system will then transition to the attack in progress state. :

[0082]

[0083] For example, when the system is in the process of launching an attack... If a privilege escalation event occurs The system will then transition to elevated privilege state. :

[0084]

[0085] In this embodiment, by configuring the five-tuple core elements of a finite state machine, the evolutionary pattern of the entire life cycle of a network attack can be transformed into a formalized state transition logic, providing a standardized dynamic evolution modeling framework for subsequent attack path generation and risk prediction.

[0086] In an exemplary embodiment, generating an attack path containing a state transition sequence based on the observed events, the attack knowledge graph, and the attack behavior evolution finite state machine includes:

[0087] The observed event set is mapped to the attack knowledge graph to obtain the mapping result; based on the mapping result, the attack behavior is driven to evolve into a finite state machine to perform state transitions, resulting in an attack path containing a state transition sequence.

[0088] For example, suppose the set of attack events actually observed is:

[0089]

[0090] Each of these events All contain feature triples:

[0091]

[0092] The entity that initiates the event corresponds to the attacker node in the knowledge graph; The action type of the event corresponds to the attack action node in the knowledge graph; The target of the event corresponds to a vulnerability or system node in the knowledge graph. Next, a mapping function is defined. Mapping observed events to a knowledge graph middle:

[0093]

[0094] For example, when an event is detected where an attacker exploits the vulnerability CVE-2021-12345:

[0095]

[0096] This event will then be mapped to an edge in the knowledge graph:

[0097]

[0098] After mapping events to the knowledge graph, the action needs to be transformed into the input symbols of a finite state machine. Specifically defined as:

[0099]

[0100] For example, events After mapping, the input symbol is .

[0101] Finally, the state transitions of the finite state machine are thus triggered:

[0102]

[0103] in, Indicates the system in time state, Indicates the system in the event The new state after the attack occurs. By continuously receiving new event inputs, the finite state machine can dynamically evolve, thus accurately reflecting the development process of the attack behavior.

[0104] In this embodiment, the entity association logic of observed events is verified by attacking the knowledge graph, and then the events are transformed into input symbols to drive state transitions in a finite state machine. This can transform discrete observed events into a coherent sequence of attack state transitions, fully reconstructing the evolution path of the attack behavior. At the same time, by leveraging the semantic constraints of the knowledge graph and the state transition rules of the finite state machine, the accuracy and logic of the attack path generation are ensured, providing a reliable analytical basis for subsequent attack risk scoring and path prediction.

[0105] In an exemplary embodiment, generating an observation event upon observing a network attack event includes:

[0106] Upon observing a network attack event, the attack initiating entity, attack action type entity, and attack effect entity of the network attack event are obtained; based on the attack initiating entity, the attack action type entity, and the attack effect entity, an observation event is generated.

[0107] For example, when security monitoring devices such as firewalls, intrusion detection systems, and network traffic analysis tools detect network attack-related events such as abnormal access requests, malicious code execution, and vulnerability probing behavior, they immediately trigger the event parsing process. First, core elements are extracted from the raw event data, including the subject initiating the attack (i.e., the attack initiating entity, such as a malicious IP address, hacker account, or malicious program process), the specific operation performed (i.e., the attack action type entity, such as port scanning, vulnerability exploitation, privilege escalation, or data theft), and the target of the attack (i.e., the attack acting entity, such as a specific port on the target host, system vulnerability, core database, or business server). Then, according to the preset event format specifications, the extracted attack initiating entity, attack action type entity, and attack acting entity are structurally encapsulated, and corresponding attribute tags are added to each element (e.g., "Initiating entity type: Malicious IP", "Action type: Vulnerability exploitation", "Action acting entity: Web server port 80"). Finally, a structured observation event containing complete attack elements and clear semantics is generated. If multiple related attack events are detected, observation events are generated sequentially according to the order of their occurrence and integrated into an observation event set.

[0108] In this embodiment, by extracting three core elements—attack initiating entity, attack action type entity, and attack effect entity—the raw, chaotic attack event data captured by the security monitoring device is transformed into standardized observation events with a unified format and clear semantics. This not only provides accurate and consistent data input for subsequent mapping and matching with the attack knowledge graph and driving the state transition of the finite state machine for attack behavior evolution, but also effectively filters redundant information, improving the efficiency and accuracy of attack path generation and risk assessment.

[0109] In one embodiment, such as Figure 2 As shown, a method for modeling network attack behavior is provided, including: first, initializing an empty directed graph structure:

[0110]

[0111] The system provides interfaces for defining the reserved node set, directed edge set, and mapping function. Subsequently, it collects multi-source network attack behavior data, including firewall logs, intrusion detection alerts, vulnerability database information, attack tool signature databases, and historical attack records of target hosts. Based on the collected attack behavior data, it extracts five core entities: attacker, vulnerability, attack tool, attack action, and target host. Each entity is added as an independent node to the directed graph. It is represented as a set of nodes, where each node corresponds to a network security-related entity; This represents a set of directed edges, where each edge represents an attack relationship between entities; Define the node type mapping function to define the node category (e.g., attacker, target host, vulnerability, tool, attack action). Define the relationship type of the edges (e.g., exploit, cause, affect) for the edge type mapping function. During the construction process, it is necessary to formally represent key entities in the cybersecurity domain: Attacker entity: Vulnerable entity: Tool Entity: Attack Action Entity: System target entity: The edge relationships are defined as follows: Using the relationships: Usage relationship: Triggering relationship: ; Leading to the relationship: Through the above formal definition, the attack knowledge graph can be obtained. It can uniformly model the key elements and logical relationships of attack behavior, and serve as the basis for subsequent finite state machine-driven analysis. Initialize an empty finite state machine quintuple framework:

[0112]

[0113] Then, by setting the finite state set, input symbol set, state transition function, initial state, and accept state set of the finite state machine, the attack behavior evolution finite state machine is obtained; specifically including: This represents a finite set of possible states for the system, with each state corresponding to a stage in the network security lifecycle. This represents the set of input symbols, which are mapped from attack action entities in the knowledge graph. This represents the state transition function, which determines which state the system will transition to after receiving an attack action in a certain state. This represents the initial state of the system, usually the "safe state"; This represents the set of accepting states, corresponding to the system entering a high-risk or compromised state. To better reflect the actual process of a network attack, the state space needs further refinement. We will make specific classifications. Based on the attack lifecycle, the states are divided into the following categories: initial safe state. : Indicates a normal state where the system has not suffered any attacks; vulnerable state. : Indicates that a known vulnerability exists in the system, but has not yet been exploited; attack in progress. This indicates that an attacker has exploited the vulnerability and triggered specific attack actions; privilege escalation state. This indicates that the attacker has gained higher privileges through certain means, enabling them to carry out deeper attack activities; the system is in a controlled state. This indicates that the system's critical resources have been controlled by an attacker, and the system has entered a high-risk state; the system is in a damaged state. This state indicates that the attacker has achieved their ultimate goal, such as stealing data, compromising the system, or implanting a backdoor. This state belongs to the set of accepting states. During the state transition process, each attack action event... Both will trigger a state transition. For example, when the system is in a vulnerable state. If an attack on a vulnerability is observed... The system will then transition to the attack in progress state. :

[0114]

[0115] For example, when the system is in the process of launching an attack... If a privilege escalation event occurs The system will then transition to elevated privilege state. :

[0116]

[0117] Once a network attack event is observed, let the set of actually observed attack events be:

[0118]

[0119] Each of these events All contain feature triples:

[0120]

[0121] The entity that initiates the event corresponds to the attacker node in the knowledge graph; The action type of the event corresponds to the attack action node in the knowledge graph; The target of the event corresponds to a vulnerability or system node in the knowledge graph. Next, a mapping function is defined. Mapping observed events to a knowledge graph middle:

[0122]

[0123] For example, when an event is detected where an attacker exploits the vulnerability CVE-2021-12345:

[0124]

[0125] This event will then be mapped to an edge in the knowledge graph:

[0126]

[0127] After mapping events to the knowledge graph, the action needs to be transformed into the input symbols of a finite state machine. Specifically defined as:

[0128]

[0129] For example, events After mapping, the input symbol is .

[0130] Finally, the state transitions of the finite state machine are thus triggered:

[0131]

[0132] in, Indicates the system in time state, Indicates the system in the event The new state after the event occurs. By continuously receiving new event inputs, the finite state machine can dynamically evolve, thereby accurately reflecting the development process of the attack behavior. It determines whether the attack behavior in the observed event has ended. If the determination result is that it has ended, a risk score for the attack path is generated based on the weight function of each attack action in the attack path. Specifically, assuming the attack path is obtained:

[0133]

[0134] Each transition is triggered by a specific observed event. Attack Path This invention depicts the evolution of an attack from its initial state to its final state. To quantify the risk level of an attack path, it assigns a weight function to each attack action based on a knowledge graph. :

[0135]

[0136] For example, ordinary scanning actions have a lower weight, while critical actions such as privilege escalation and system control have a higher weight. Therefore, the risk scoring function for an attack path is defined as follows:

[0137]

[0138] when Exceeding the set threshold At this time, the system determines that it has entered a high-risk state:

[0139]

[0140] If the judgment result is not yet completed, an attack path prediction is generated based on the attack path using a path reasoning algorithm; a risk score for the attack path prediction is generated based on the weight function of each attack action in the attack path prediction; if the risk score is not less than a preset risk threshold, the network attack event is judged to be a high-risk event, and an alarm message is generated.

[0141] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages in other steps. It is understood that the steps in different embodiments can be freely combined as needed, and all non-contradictory solutions formed by such combinations are within the scope of protection of this application.

[0142] In one exemplary embodiment, such as Figure 3 As shown, a modeling device for network attack behavior is provided, comprising: a construction module 301, an evolution module 302, an observation module 303, and a judgment module 304, wherein:

[0143] A construction module is used to set the entities related to network attack behavior and the relationships between entities into a directed graph to obtain an attack knowledge graph; the attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function; the nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the nodes, and the edge type mapping function represents the relationship type of the edges;

[0144] An evolution module is used to set up a finite state machine for attack behavior evolution based on the evolution process of network attack behavior. The finite state machine for attack behavior evolution includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0145] The observation module is used to generate an observation event after a network attack event is observed; and to generate an attack path containing a state transition sequence based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine.

[0146] The judgment module is used to determine whether the attack behavior in the observed event has ended. If the judgment result is that it has ended, a risk score for the attack path is generated based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, the network attack event is determined to be a high-risk event, and an alarm message is generated.

[0147] In one exemplary embodiment, the determination module is further configured to:

[0148] If the judgment result is not yet completed, an attack path prediction is generated based on the attack path using a path reasoning algorithm; a risk score for the attack path prediction is generated based on the weight function of each attack action in the attack path prediction; if the risk score is not less than a preset risk threshold, the network attack event is judged to be a high-risk event, and an alarm message is generated.

[0149] In one exemplary embodiment, the building module is further configured to:

[0150] Initialize a directed graph and acquire network attack behavior data; based on the network attack behavior data, set a node set for the directed graph to obtain a first directed graph; each node in the node set corresponds to a network attack-related entity; based on the network attack behavior data, set a directed edge set for the first directed graph to obtain a second directed graph; each directed edge in the directed edge set corresponds to a network attack relationship between two nodes; based on the network attack behavior data, set a node type mapping function for the second directed graph to obtain a third directed graph; the node type mapping function is used to map nodes corresponding to attacker entities to attacker categories and nodes corresponding to vulnerability entities to vulnerability categories. The attack tool entity is mapped to an attack tool category, the attack action entity is mapped to an attack action category, and the target host entity is mapped to a target host category. Based on network attack behavior data, an edge type mapping function is set for the third directed graph to obtain an attack knowledge graph. The edge type mapping function is used to map directed edges corresponding to the attacker's exploitation of vulnerabilities to exploitation type, directed edges corresponding to the attacker's use of attack tools to use type, directed edges corresponding to the attack action triggering the target host's impact to trigger type, and directed edges corresponding to the vulnerability causing risk to the target host to cause type.

[0151] In one exemplary embodiment, the evolution module is further configured to:

[0152] Initialize a finite state machine; based on the evolution of network attack behavior, set a finite set of states for the finite state machine to obtain a first finite state machine; the finite state set corresponds to the full-stage security posture of the network attack lifecycle, including the initial secure state, vulnerability exposure state, attack in progress state, privilege escalation state, system controlled state, and system destroyed state; based on the evolution of network attack behavior, set a set of input symbols for the first finite state machine to obtain a second finite state machine; the set of input symbols is generated by mapping attack action entities in the attack knowledge graph; based on the evolution of network attack behavior, set a state transition function for the second finite state machine to obtain a third finite state machine; the state transition function is used to clarify the mapping rules between the current state of the target host, input symbols, and the target state of the target host; based on the evolution of network attack behavior, set an initial state for the third finite state machine to obtain a fourth finite state machine; the initial state is the initial secure state in the finite state set; based on the evolution of network attack behavior, set an acceptance state set for the fourth finite state machine to obtain an attack behavior evolution finite state machine; the acceptance state set includes high-risk states and compromised states in the finite state set.

[0153] In one exemplary embodiment, the evolution module is further configured to:

[0154] The observed event set is mapped to the attack knowledge graph to obtain the mapping result; based on the mapping result, the attack behavior is driven to evolve into a finite state machine to perform state transitions, resulting in an attack path containing a state transition sequence.

[0155] In one exemplary embodiment, the observation module is further configured to:

[0156] Upon observing a network attack event, the attack initiating entity, attack action type entity, and attack effect entity of the network attack event are obtained; based on the attack initiating entity, the attack action type entity, and the attack effect entity, an observation event is generated.

[0157] The modules in the aforementioned network attack modeling device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the memory of a computer device as software, so that the processor can call and execute the operations corresponding to each module.

[0158] In one exemplary embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as follows: Figure 4As shown, this computer device includes a processor, memory, input / output (I / O) interfaces, and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores observed events. The I / O interfaces are used for exchanging information between the processor and external devices. The communication interface is used for communicating with external terminals via a network connection. When executed by the processor, the computer program implements a modeling method for network attack behavior.

[0159] Those skilled in the art will understand that Figure 4 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0160] In one exemplary embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:

[0161] By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge.

[0162] Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0163] Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated.

[0164] Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0165] In one embodiment, the processor, when executing a computer program, also performs the following steps:

[0166] If the judgment result is not yet completed, an attack path prediction is generated based on the attack path using a path reasoning algorithm; a risk score for the attack path prediction is generated based on the weight function of each attack action in the attack path prediction; if the risk score is not less than a preset risk threshold, the network attack event is judged to be a high-risk event, and an alarm message is generated.

[0167] In one embodiment, the processor, when executing a computer program, also performs the following steps:

[0168] Initialize a directed graph and acquire network attack behavior data; based on the network attack behavior data, set a node set for the directed graph to obtain a first directed graph; each node in the node set corresponds to a network attack-related entity; based on the network attack behavior data, set a directed edge set for the first directed graph to obtain a second directed graph; each directed edge in the directed edge set corresponds to a network attack relationship between two nodes; based on the network attack behavior data, set a node type mapping function for the second directed graph to obtain a third directed graph; the node type mapping function is used to map nodes corresponding to attacker entities to attacker categories and nodes corresponding to vulnerability entities to vulnerability categories. The attack tool entity is mapped to an attack tool category, the attack action entity is mapped to an attack action category, and the target host entity is mapped to a target host category. Based on network attack behavior data, an edge type mapping function is set for the third directed graph to obtain an attack knowledge graph. The edge type mapping function is used to map directed edges corresponding to the attacker's exploitation of vulnerabilities to exploitation type, directed edges corresponding to the attacker's use of attack tools to use type, directed edges corresponding to the attack action triggering the target host's impact to trigger type, and directed edges corresponding to the vulnerability causing risk to the target host to cause type.

[0169] In one embodiment, the processor, when executing a computer program, also performs the following steps:

[0170] Initialize a finite state machine; based on the evolution of network attack behavior, set a finite set of states for the finite state machine to obtain a first finite state machine; the finite state set corresponds to the full-stage security posture of the network attack lifecycle, including the initial secure state, vulnerability exposure state, attack in progress state, privilege escalation state, system controlled state, and system destroyed state; based on the evolution of network attack behavior, set a set of input symbols for the first finite state machine to obtain a second finite state machine; the set of input symbols is generated by mapping attack action entities in the attack knowledge graph; based on the evolution of network attack behavior, set a state transition function for the second finite state machine to obtain a third finite state machine; the state transition function is used to clarify the mapping rules between the current state of the target host, input symbols, and the target state of the target host; based on the evolution of network attack behavior, set an initial state for the third finite state machine to obtain a fourth finite state machine; the initial state is the initial secure state in the finite state set; based on the evolution of network attack behavior, set an acceptance state set for the fourth finite state machine to obtain an attack behavior evolution finite state machine; the acceptance state set includes high-risk states and compromised states in the finite state set.

[0171] In one embodiment, the processor, when executing a computer program, also performs the following steps:

[0172] The observed event set is mapped to the attack knowledge graph to obtain the mapping result; based on the mapping result, the attack behavior is driven to evolve into a finite state machine to perform state transitions, resulting in an attack path containing a state transition sequence.

[0173] In one embodiment, the processor, when executing a computer program, also performs the following steps:

[0174] Upon observing a network attack event, the attack initiating entity, attack action type entity, and attack effect entity of the network attack event are obtained; based on the attack initiating entity, the attack action type entity, and the attack effect entity, an observation event is generated.

[0175] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:

[0176] By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge.

[0177] Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0178] Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated.

[0179] Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0180] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0181] If the judgment result is not yet completed, an attack path prediction is generated based on the attack path using a path reasoning algorithm; a risk score for the attack path prediction is generated based on the weight function of each attack action in the attack path prediction; if the risk score is not less than a preset risk threshold, the network attack event is judged to be a high-risk event, and an alarm message is generated.

[0182] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0183] Initialize a directed graph and acquire network attack behavior data; based on the network attack behavior data, set a node set for the directed graph to obtain a first directed graph; each node in the node set corresponds to a network attack-related entity; based on the network attack behavior data, set a directed edge set for the first directed graph to obtain a second directed graph; each directed edge in the directed edge set corresponds to a network attack relationship between two nodes; based on the network attack behavior data, set a node type mapping function for the second directed graph to obtain a third directed graph; the node type mapping function is used to map nodes corresponding to attacker entities to attacker categories and nodes corresponding to vulnerability entities to vulnerability categories. The attack tool entity is mapped to an attack tool category, the attack action entity is mapped to an attack action category, and the target host entity is mapped to a target host category. Based on network attack behavior data, an edge type mapping function is set for the third directed graph to obtain an attack knowledge graph. The edge type mapping function is used to map directed edges corresponding to the attacker's exploitation of vulnerabilities to exploitation type, directed edges corresponding to the attacker's use of attack tools to use type, directed edges corresponding to the attack action triggering the target host's impact to trigger type, and directed edges corresponding to the vulnerability causing risk to the target host to cause type.

[0184] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0185] Initialize a finite state machine; based on the evolution of network attack behavior, set a finite set of states for the finite state machine to obtain a first finite state machine; the finite state set corresponds to the full-stage security posture of the network attack lifecycle, including the initial secure state, vulnerability exposure state, attack in progress state, privilege escalation state, system controlled state, and system destroyed state; based on the evolution of network attack behavior, set a set of input symbols for the first finite state machine to obtain a second finite state machine; the set of input symbols is generated by mapping attack action entities in the attack knowledge graph; based on the evolution of network attack behavior, set a state transition function for the second finite state machine to obtain a third finite state machine; the state transition function is used to clarify the mapping rules between the current state of the target host, input symbols, and the target state of the target host; based on the evolution of network attack behavior, set an initial state for the third finite state machine to obtain a fourth finite state machine; the initial state is the initial secure state in the finite state set; based on the evolution of network attack behavior, set an acceptance state set for the fourth finite state machine to obtain an attack behavior evolution finite state machine; the acceptance state set includes high-risk states and compromised states in the finite state set.

[0186] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0187] The observed event set is mapped to the attack knowledge graph to obtain the mapping result; based on the mapping result, the attack behavior is driven to evolve into a finite state machine to perform state transitions, resulting in an attack path containing a state transition sequence.

[0188] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0189] Upon observing a network attack event, the attack initiating entity, attack action type entity, and attack effect entity of the network attack event are obtained; based on the attack initiating entity, the attack action type entity, and the attack effect entity, an observation event is generated.

[0190] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, performs the following steps:

[0191] By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge.

[0192] Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states.

[0193] Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated.

[0194] Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

[0195] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0196] If the judgment result is not yet completed, an attack path prediction is generated based on the attack path using a path reasoning algorithm; a risk score for the attack path prediction is generated based on the weight function of each attack action in the attack path prediction; if the risk score is not less than a preset risk threshold, the network attack event is judged to be a high-risk event, and an alarm message is generated.

[0197] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0198] Initialize a directed graph and acquire network attack behavior data; based on the network attack behavior data, set a node set for the directed graph to obtain a first directed graph; each node in the node set corresponds to a network attack-related entity; based on the network attack behavior data, set a directed edge set for the first directed graph to obtain a second directed graph; each directed edge in the directed edge set corresponds to a network attack relationship between two nodes; based on the network attack behavior data, set a node type mapping function for the second directed graph to obtain a third directed graph; the node type mapping function is used to map nodes corresponding to attacker entities to attacker categories and nodes corresponding to vulnerability entities to vulnerability categories. The attack tool entity is mapped to an attack tool category, the attack action entity is mapped to an attack action category, and the target host entity is mapped to a target host category. Based on network attack behavior data, an edge type mapping function is set for the third directed graph to obtain an attack knowledge graph. The edge type mapping function is used to map directed edges corresponding to the attacker's exploitation of vulnerabilities to exploitation type, directed edges corresponding to the attacker's use of attack tools to use type, directed edges corresponding to the attack action triggering the target host's impact to trigger type, and directed edges corresponding to the vulnerability causing risk to the target host to cause type.

[0199] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0200] Initialize a finite state machine; based on the evolution of network attack behavior, set a finite set of states for the finite state machine to obtain a first finite state machine; the finite state set corresponds to the full-stage security posture of the network attack lifecycle, including the initial secure state, vulnerability exposure state, attack in progress state, privilege escalation state, system controlled state, and system destroyed state; based on the evolution of network attack behavior, set a set of input symbols for the first finite state machine to obtain a second finite state machine; the set of input symbols is generated by mapping attack action entities in the attack knowledge graph; based on the evolution of network attack behavior, set a state transition function for the second finite state machine to obtain a third finite state machine; the state transition function is used to clarify the mapping rules between the current state of the target host, input symbols, and the target state of the target host; based on the evolution of network attack behavior, set an initial state for the third finite state machine to obtain a fourth finite state machine; the initial state is the initial secure state in the finite state set; based on the evolution of network attack behavior, set an acceptance state set for the fourth finite state machine to obtain an attack behavior evolution finite state machine; the acceptance state set includes high-risk states and compromised states in the finite state set.

[0201] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0202] The observed event set is mapped to the attack knowledge graph to obtain the mapping result; based on the mapping result, the attack behavior is driven to evolve into a finite state machine to perform state transitions, resulting in an attack path containing a state transition sequence.

[0203] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:

[0204] Upon observing a network attack event, the attack initiating entity, attack action type entity, and attack effect entity of the network attack event are obtained; based on the attack initiating entity, the attack action type entity, and the attack effect entity, an observation event is generated.

[0205] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.

[0206] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.

[0207] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.

Claims

1. A method of modeling cyber attack behavior, the method comprising: The method includes: By setting the entities related to network attack behavior and the relationships between entities as a directed graph, an attack knowledge graph is obtained. The attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function. The nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the node, and the edge type mapping function represents the relationship type of the edge. Based on the evolution of network attack behavior, an attack behavior evolution finite state machine is set up. The attack behavior evolution finite state machine includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states. Upon observing a network attack event, an observation event is generated; based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine, an attack path containing a state transition sequence is generated. Determine whether the attack behavior in the observed event has ended. If the determination result is that it has ended, generate a risk score for the attack path based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, determine that the network attack event is a high-risk event and generate an alarm message.

2. The method of claim 1, wherein, The method further includes: If the judgment result is not finished, then based on the attack path, an attack path prediction is generated by the path reasoning algorithm; Based on the weight function of each attack action in the attack path prediction, a risk score for the attack path prediction is generated; If the risk score is not less than a preset risk threshold, the network attack event is determined to be a high-risk event, and an alarm message is generated.

3. The method of claim 1, wherein, The step of setting the entities and relationships related to network attack behavior into a directed graph to obtain an attack knowledge graph includes: Initialize the directed graph and obtain network attack behavior data; Based on network attack behavior data, a node set of the directed graph is set to obtain a first directed graph; each node in the node set corresponds to a network attack-related entity; Based on network attack behavior data, a set of directed edges is set in the first directed graph to obtain a second directed graph; each directed edge in the set of directed edges corresponds to a network attack relationship between two nodes; Based on network attack behavior data, a node type mapping function is set for the second directed graph to obtain a third directed graph; the node type mapping function is used to map the node corresponding to the attacker entity to the attacker category, the node corresponding to the vulnerability entity to the vulnerability category, the node corresponding to the attack tool entity to the attack tool category, the node corresponding to the attack action entity to the attack action category, and the node corresponding to the target host entity to the target host category. Based on network attack behavior data, an edge type mapping function is set for the third directed graph to obtain an attack knowledge graph. The edge type mapping function is used to map the directed edges corresponding to the attacker's exploitation of vulnerabilities to exploitation type, the directed edges corresponding to the attacker's use of attack tools to use type, the directed edges corresponding to the attack actions that trigger the target host's impact to trigger type, and the directed edges corresponding to the vulnerabilities that cause risks to the target host to cause type.

4. The method of claim 1, wherein, The evolutionary process based on network attack behavior is described by setting up a finite state machine for attack behavior evolution, including: Initialize the finite state machine; Based on the evolution of network attack behavior, a finite set of states of a finite state machine is set to obtain the first finite state machine; the finite set of states corresponds to the security posture of the entire life cycle of a network attack, including the initial secure state, the vulnerability exposure state, the attack in progress state, the privilege escalation state, the system under control state, and the system destruction state. Based on the evolution of network attack behavior, a second finite state machine is obtained by setting the input symbol set of the first finite state machine; the input symbol set is generated by mapping attack action entities in the attack knowledge graph. Based on the evolution of network attack behavior, a third finite state machine is obtained by setting the state transition function of the second finite state machine; the state transition function is used to clarify the mapping rules between the current state of the target host, the input symbols, and the target state of the target host. Based on the evolution of network attack behavior, the initial state of the third finite state machine is set to obtain the fourth finite state machine; the initial state is the initial safe state in the finite state set. Based on the evolution of network attack behavior, the set of accepting states of the fourth finite state machine is set to obtain the attack behavior evolution finite state machine; the set of accepting states includes high-risk states and compromised states in the finite state set.

5. The method of claim 1, wherein, The generation of an attack path containing a state transition sequence based on the observed events, the attack knowledge graph, and the attack behavior evolution finite state machine includes: The observed event set is mapped to the attack knowledge graph to obtain the mapping result; Based on the mapping result, the attack behavior is driven to evolve into a finite state machine to perform state transitions, resulting in an attack path containing a state transition sequence.

6. The method according to claim 1, characterized in that, Upon observing a network attack event, the generation of an observation event includes: Upon observing a network attack event, obtain the attack initiating entity, attack action type entity, and attack effect entity from the network attack event; Based on the attack initiating entity, the attack action type entity, and the attack effect entity, an observation event is generated.

7. A modeling device for network attack behavior, characterized in that, The device includes: A construction module is used to set the entities related to network attack behavior and the relationships between entities into a directed graph to obtain an attack knowledge graph; the attack knowledge graph includes a set of nodes, a set of directed edges, a node type mapping function, and an edge type mapping function; the nodes are entities related to network attacks, the directed edges are the relationships between the entities, the node type mapping function represents the category of the nodes, and the edge type mapping function represents the relationship type of the edges; An evolution module is used to set up a finite state machine for attack behavior evolution based on the evolution process of network attack behavior. The finite state machine for attack behavior evolution includes a finite set of states, a set of input symbols, a state transition function, an initial state, and a set of accepting states. The finite set of states includes the states of entities at various stages of the network attack lifecycle. The set of input symbols includes entities in the attack knowledge graph that perform attack actions. The state transition function represents the transition of an entity from its current state to the target state after being attacked. The initial state is a safe state. The set of accepting states includes high-risk states and compromised states. The observation module is used to generate an observation event after a network attack event is observed; and to generate an attack path containing a state transition sequence based on the observation event, the attack knowledge graph, and the attack behavior evolution finite state machine. The judgment module is used to determine whether the attack behavior in the observed event has ended. If the judgment result is that it has ended, a risk score for the attack path is generated based on the weight function of each attack action in the attack path. If the risk score is not less than a preset risk threshold, the network attack event is determined to be a high-risk event, and an alarm message is generated.

8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.

10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.