Unknown malicious traceability analysis method for cross-platform behavior graph fusion

By constructing an adversarial sandbox and graph neural network model, the problem of multi-process determination in modular collaborative attacks was solved, and the fusion and tracing of cross-platform behavioral graphs was realized, ensuring the accuracy and completeness of threat tracing.

CN122339817APending Publication Date: 2026-07-03NANJING SWIFT SAFETY TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NANJING SWIFT SAFETY TECH CO LTD
Filing Date
2026-05-06
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

When faced with modular collaborative attacks, existing technologies struggle to identify multiple collaborative processes as the same attacker, leading to multiple false starting points in the source tracing analysis results. This prevents the formation of a complete attack source tracing chain, affecting the accuracy and effectiveness of threat source tracing.

Method used

By constructing an adversarial sandbox, cross-platform multi-process collaborative behavior data is collected and reorganized into a set of collaborative behavior events containing subjects, actions, objects, and associated markers. A subject attribution-enhanced heterogeneous behavior graph is constructed, and a graph neural network model is used to determine subject attribution. The data is then merged into a unified attack subject subgraph, and false starting points are tracked and eliminated to form a single-source attack chain.

Benefits of technology

It achieves unified attribution determination for multi-process collaborative behavior, outputs a clear source process and a complete attack chain, and improves the accuracy and effectiveness of threat attribution.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339817A_ABST
    Figure CN122339817A_ABST
Patent Text Reader

Abstract

This disclosure provides a method for unknown malicious source tracing analysis based on cross-platform behavior graph fusion. The method includes: inducing the collection of collaborative behaviors of multiple processes across platforms through an adversarial sandbox; semantically reorganizing the collected raw behavior data into a set of collaborative behavior events; constructing a subject-attribution-enhanced heterogeneous behavior graph by adding collaborative attribution edges; performing subject attribution determination on the subject-attribution-enhanced heterogeneous behavior graph based on a graph neural network model, merging the dispersed collaborative processes into a unified attack subject subgraph set; identifying high-risk behavior subgraphs and their stage propagation chains from the unified attack subject subgraph set; performing reverse tracing along the time sequence, resource transfer sequence, and control transfer sequence; and combining cross-platform same-source comparison to shrink into a single-source attack chain, outputting a source tracing conclusion. This method can solve the technical problems of multiple false starting points and the inability to form a single attack source attribution in the source tracing results.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of cybersecurity technology, and in particular to a method for tracing and analyzing unknown malicious activity across platforms through behavioral graph fusion. Background Technology

[0002] As cyberattack methods continue to evolve, malware is showing a trend towards modularization and collaboration, particularly with the increasing prevalence of modular loader-type malicious frameworks. In these attacks, malicious functionality is broken down into multiple independent modules, each handled by a different process. For example, a downloader is responsible for acquiring the malicious payload, a decryptor for restoring encrypted code, and an executor for carrying out the final destructive action. These processes collaborate stealthily through shared memory, anonymous pipes, and other covert methods.

[0003] Existing technologies typically employ sandboxing to collect behavioral data from suspicious programs and construct behavioral graphs for malicious analysis. However, these methods have significant drawbacks when facing modular collaborative attacks: because multiple collaborative processes often lack direct parent-child creation relationships, while the behavioral graph can comprehensively record the behavioral events of each process, it struggles to determine whether these disparate processes belong to the same attacking entity. This leads to multiple false starting points in the attribution analysis results, where each critical process is misjudged as an independent attack source, failing to attribute dispersed collaborative behaviors to a single attack source and thus preventing the formation of a complete attack attribution chain. This problem is particularly pronounced in multi-process collaborative attack scenarios, severely impacting the accuracy and effectiveness of threat attribution.

[0004] Therefore, there is an urgent need for a method that can achieve unified subject attribution determination for multi-process collaborative attacks, cross-platform behavior chain fusion expression, and unknown malicious source tracing analysis, in order to solve the technical problem in the existing technology that the source tracing results have multiple false starting points due to the overlapping of behavior attributions, and cannot form a single attack source attribution. Summary of the Invention

[0005] In view of this, in order to solve the problems brought about by the existing technology, this application provides an unknown malicious source tracing analysis method for cross-platform behavior graph fusion.

[0006] Firstly, this disclosure provides a method for tracing and analyzing unknown malicious activity through cross-platform behavior graph fusion, the method comprising: S1: By inducing cross-platform, multi-process collaborative behavior through adversarial sandbox, the collected raw behavioral data is semantically reorganized into a set of collaborative behavioral events containing subjects, actions, objects, and associated tags. S2: Construct a subject-attribution enhanced heterogeneous behavior graph based on the set of collaborative behavior events. The heterogeneous behavior graph contains process nodes and resource nodes. Add collaborative attribution edges to connect nodes belonging to the same candidate attack subject to form a subject-attribution enhanced heterogeneous behavior graph. S3: Based on the graph neural network model, perform subject attribution determination on the subject attribution enhanced heterogeneous behavior graph, merge the scattered collaborative processes into a unified attack subject subgraph set, and identify high-risk behavior subgraphs and their stage propagation chains from the unified attack subject subgraph set; S4: Based on the unified attack subject subgraph set, the high-risk behavior subgraph, and the stage propagation chain, reverse tracing is performed along the time sequence, resource transfer sequence, and control transfer sequence. Combined with cross-platform same-source comparison, the chain is narrowed down to a single source attack chain, and the source tracing conclusion is output.

[0007] Optionally, S1 includes: Construct a cross-platform adversarial sandbox operating environment with camouflage capabilities and anti-detection parameters; Deploy a set of inducement resources containing virtual files and pseudo-services in the cross-platform adversarial sandbox; The sample to be tested is placed into the adversarial sandbox environment, the kernel-level monitoring chain is started, and the original cross-platform behavior records are collected. Perform unified semantic reorganization on the original cross-platform behavior records, and map the behavior records of different platforms into an event structure of subject, action, object, time, platform, and associated markers to generate the collaborative behavior event set; The association markers include at least parent-child start markers, resource transfer markers, and implicit collaboration markers.

[0008] Optionally, S2 includes: The events in the collaborative behavior event set are standardized and reorganized into a heterogeneous behavior tuple set containing subject, object, action type and association tag; Based on the set of heterogeneous behavior tuples, a heterogeneous behavior graph is constructed; The heterogeneous behavior graph includes a heterogeneous set of nodes such as process nodes, file nodes, memory area nodes, pipe nodes, network endpoint nodes, and system object nodes, and a set of basic relation edges constructed based on the action types in the heterogeneous behavior tuple set. In the heterogeneous behavior graph, a set of candidate clusters for subject affiliation is constructed around the shared memory access chain, the anonymous pipe send / receive chain, the module transmission chain, and the control command response chain; By adding cooperative attribution edges to the heterogeneous behavior graph, a subject-attribution-enhanced heterogeneous behavior graph is formed.

[0009] Optionally, the construction principle of the candidate cluster to which the subject belongs is: High-risk process nodes are selected as seed nodes, and then expanded outward according to resource continuity, time continuity and action complementarity, so that multiple processes that appear to be scattered are included in the local scope of the same candidate attack subject. The resource continuity refers to the establishment of sequential connections between multiple processes around the same file, memory area, or pipe; the temporal continuity refers to the subsequent action being triggered within a preset time window after the previous action has ended; and the action complementarity refers to the fact that multiple processes respectively undertake different functional links in the attack chain.

[0010] Optionally, S3 includes: The local subgraph is segmented around the candidate clusters of the subject affiliation, neighborhood information is supplemented, and a set of input samples for the graph neural network is generated. A heterogeneous graph neural network model is adopted, and the subject attribution confidence result is output through node message propagation, edge relation weighting and candidate cluster-level aggregation. Based on the subject attribution confidence results, the subject attribution candidate clusters are merged and reconstructed to generate a unified attack subject subgraph set; Graph-level classification and subgraph risk scoring are performed on the subgraphs in the unified attack subject subgraph set to identify unknown malicious patterns and high-risk behavior subgraphs and stage propagation chains.

[0011] Optionally, the heterogeneous graph neural network model, through node message propagation, edge relation weighting, and candidate cluster-level aggregation, outputs the subject attribution confidence result, including: For each node in the candidate cluster of the subject affiliation, receive messages from its neighboring nodes and update the node representation; When using a heterogeneous graph neural network model to perform subject attribution determination, the basic relation edges and cooperative attribution edges are initialized with differentiated weights, and the cooperative attribution edges are given higher initial weights than the basic relation edges during the attribution determination stage. After multiple rounds of message propagation, the model performs weighted aggregation of the hidden representations of the nodes within the candidate cluster of subject affiliation to form the affiliation representation value of the candidate cluster, and then outputs the subject affiliation confidence result.

[0012] Optionally, S4 includes: Starting from the high-risk behavior subgraph, backtracking is performed along the time sequence, resource transfer sequence, and control transfer sequence to determine the set of candidate key nodes; Based on the candidate key node set, key node anchoring, multi-path rollback and main chain merging are performed on each platform to construct a single-platform reverse source chain set. Perform structural-level same-source comparison on the single-platform reverse source chain of each platform, merge the same-source segments into the same chain, and shrink them into a single source attack chain; Output the source process, the composition of the collaborative modules, the cross-platform propagation path, the results of excluding false starting points, and the comprehensive tracing conclusion.

[0013] Optionally, the structural-level homology comparison performed on the single-platform reverse source chains of each platform includes: By calling the node representation values ​​and subgraph representation values ​​generated by the graph neural network model in the unified attack subject subgraph, structural-level comparisons are performed on key nodes and key segments in different platforms. When local segments in two platforms are in the same stage position, resource transfer mode, control establishment method, and downstream dangerous action distribution, they are classified as cross-platform same-source nodes.

[0014] In a second aspect, this disclosure provides an electronic device including a memory and at least one processor, the memory storing a computer program, and the processor executing the computer program to implement the method of the first aspect described above.

[0015] Thirdly, this disclosure provides a computer storage medium storing a computer program that, when executed, implements the method described in the first aspect.

[0016] The beneficial effects of this disclosure are that, compared with the prior art, this disclosure has the following advantages: 1) To address the problem of aliasing behavior attribution making it impossible to determine whether cooperating processes belong to the same attack subject, a candidate cluster of subject attribution is constructed around the shared memory access chain, anonymous pipe send / receive chain, module transmission chain, and control command response chain. Cooperative attribution edges are added to the heterogeneous behavior graph, so that behaviors that were originally scattered in multiple processes due to the lack of parent-child creation relationship are included in the local subgraph of the same candidate attack subject. This fundamentally breaks the traditional behavior graph association mode centered on parent-child relationship and realizes unified subject attribution determination for multi-process cooperative behavior.

[0017] 2) To address the issue of multiple false starting points and the inability to form a single attack source in the source tracing results, a heterogeneous graph neural network model is used in the subject attribution determination stage to perform node message propagation, edge relationship weighting, and candidate cluster-level aggregation on the subject attribution candidate clusters. This outputs the subject attribution confidence result and merges the scattered collaborative processes into a unified attack subject subgraph. Then, in the reverse source tracing stage, the tracing is performed along the time sequence, resource transfer sequence, and control transfer sequence. Combined with cross-platform same-source comparison, the reverse source chains of each platform are condensed into a single source attack chain. Finally, all false starting point nodes that are earlier in time but lack substantial collaborative support are eliminated, and a clear source process and a complete attack chain are output. Attached Figure Description

[0018] The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure.

[0019] Figure 1 A flowchart of the unknown malicious source tracing analysis method for cross-platform behavior graph fusion provided in this disclosure embodiment is shown; Figure 2 A flowchart illustrating the subject attribution determination process based on a graph neural network, as provided in an embodiment of this disclosure, is shown.

[0020] The accompanying drawings have illustrated specific embodiments of this disclosure, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concepts of this disclosure to those skilled in the art through reference to particular embodiments. Detailed Implementation

[0021] The present disclosure will be further described below with reference to the accompanying drawings. The following embodiments are only used to illustrate the technical solutions of the present disclosure more clearly, and should not be used to limit the scope of protection of the present disclosure.

[0022] The components of the embodiments of the invention described and illustrated herein can typically be arranged and designed in various different configurations. Therefore, the following detailed description of the embodiments of the invention provided in the accompanying drawings is not intended to limit the scope of the claimed invention, but merely to illustrate selected embodiments of the invention. All other embodiments obtained by those skilled in the art based on the embodiments of the invention without inventive effort are within the scope of protection of the invention.

[0023] In the following, the terms “comprising,” “having,” and their cognates, which may be used in various embodiments of the invention, are intended only to indicate a particular feature, number, step, operation, element, component, or combination thereof, and should not be construed as excluding, firstly, the presence of one or more other features, numbers, steps, operations, elements, components, or combinations thereof, or adding the possibility of one or more features, numbers, steps, operations, elements, components, or combinations thereof.

[0024] Unless otherwise specified, all terms used herein (including technical and scientific terms) shall have the same meaning as commonly understood by one of ordinary skill in the art to which the various embodiments of the invention pertain. Terms (such as those defined in commonly used dictionaries) shall be interpreted as having the same meaning as in their contextual meaning in the relevant technical field and shall not be interpreted as having an idealized or overly formal meaning, unless clearly defined in the various embodiments of the invention.

[0025] Figure 1This is a flowchart of an unknown malicious source tracing analysis method for cross-platform behavior graph fusion provided in this disclosure embodiment, such as... Figure 1 As shown, the process may include the following steps:

[0026] S1: By inducing cross-platform, multi-process collaborative behavior through an adversarial sandbox, the collected raw behavioral data is semantically reorganized into a set of collaborative behavioral events containing subjects, actions, objects, and associated tags.

[0027] The test sample is triggered to exhibit multi-process collaborative behavior in a cross-platform environment through an adversarial sandbox and induced resources, and the collected raw behavioral data is reorganized into a set of collaborative behavioral events. This is achieved through the following sub-steps.

[0028] S1.1: Construct a cross-platform adversarial sandbox operating environment with camouflage capabilities and anti-detection parameters.

[0029] For the Windows, Linux, and Android platforms that the test samples may run on, corresponding adversarial sandbox instances are constructed. An adversarial sandbox is a runtime environment with three core capabilities: first, camouflage capability, which actively simulates the hardware and software characteristics of a real terminal, making it difficult for malicious code to recognize that it is in an analysis environment; second, inducement capability, which actively delivers target resources that can be exploited by malicious code, inducing it to activate hidden attack modules; and third, deep monitoring capability, which continuously records key behaviors at the driver level or system kernel level without the sample's awareness.

[0030] For the Windows platform, the adversarial sandbox pre-configures common office directories, browser cache directories, startup items, scheduled task interfaces, and pseudo-registration items to simulate the daily usage patterns of a real user. For the Linux platform, the sandbox pre-configures common user directories, system service entry points, startup script paths, and pseudo-daemon processes to mislead the sample into believing it is in a real server environment. For the Android platform, the sandbox pre-configures a contact database, SMS database, storage card mount directory, accessibility service entry points, and simulated application components to simulate the system state of a real mobile device.

[0031] When constructing the above environment, anti-detection parameters also need to be set based on platform differences. The processor core count is set to 2 to 16 cores, memory capacity to 4GB to 32GB, disk space to 80GB to 512GB, system installation duration is masqueraded as 7 to 720 days, and the number of user files is set to 500 to 50,000. For common malware checks such as process lists, driver lists, registry traces, virtual network adapter characteristics, sensor information, screen resolution, and system uptime, the adversarial sandbox provides feedback consistent with that of a real terminal.

[0032] To quantify the degree of credibility of the current sandbox environment in faking samples, an environment faking credibility is constructed: ; in, The higher the value, the closer the environmental camouflage is to the real environment; For the first Class environment characteristics; The total number of environmental characteristic items, ranging from 20 to 200; For the first The weight coefficients of the class feature terms range from 0.1 to 5; For the first The true fit of the class feature terms, with a value ranging from 0 to 1, is obtained by comparison using preset rules; This is a stability constant, ranging from 0.0001 to 0.01. This function strengthens the ratio of successfully disguised features to features that may still reveal the sandbox identity, thereby filtering out obviously easily identifiable operating environments.

[0033] The calculated environmental camouflage credibility C is compared with a preset threshold, which ranges from 0.5 to 0.9. If C is lower than the threshold, the anti-detection parameters such as the number of processor cores, memory capacity, and system installation time are adjusted and the sandbox environment is rebuilt until C meets the requirements before proceeding to the next step S1.2.

[0034] With the above configuration, the adversarial sandbox can significantly increase the probability of exposure of subsequent multi-process collaborative behaviors. Through the above camouflage processing, the sample can be made to trust the current environment, thereby fully unfolding its attack chain.

[0035] S1.2: Deploy a collection of induced resources containing virtual files and pseudo-services in a cross-platform adversarial sandbox.

[0036] Based on the cross-platform induction runtime environment formed in step S1.1, induction resources are further deployed. Induction resources refer to objects that do not directly damage the system but are sufficient to attract malicious code to continue advancing the attack chain, including virtual files, fake services, induction registration items, simulated control terminals, fake browser sessions, fake credential caches, and fake shared directories.

[0037] Specifically, on the Windows platform, a document directory named "Financial Statements" and "Account Backup" is created, along with a pseudo service item and an auto-start item. On the Linux platform, a pseudo SSH configuration file, a pseudo scheduled task entry point, and a pseudo log directory are deployed. On the Android platform, a pseudo application environment simulating contacts, SMS records, photo thumbnails, and granted permissions is generated.

[0038] To ensure sufficient attraction of induced resources, it is necessary to control resource distribution density, resource similarity, and resource triggering depth. Induction strength is expressed as: ; in, Induction intensity; To induce resource density, it represents the number of induced objects in a unit directory level or unit service set, with a value ranging from 5 to 500; To induce semantic similarity of resources, the value ranges from 0 to 1, representing the degree of similarity between the resource name, content, path and the real business scenario; The trigger depth is the number of subsequent action layers that a sample can trigger after accessing the resource, and its value ranges from 1 to 10. To induce resource redundancy, the value ranges from 0 to 1; values ​​that are too high will make the resources appear mechanical. The intensity of artificial history traces indicates whether a resource has historical usage traces such as edit time, access time, cache residue, etc., and the value ranges from 0 to 1. , , For adjustment coefficients, Take 1 to 10, Take 0.1 to 3, The value is between 0.1 and 2. This function suppresses mechanical repetition and fake resources without historical traces, provided that there are enough resources, they are similar enough, and they can continue to elicit more actions.

[0039] The calculated induction intensity G is compared with a preset threshold, which ranges from 0.6 to 0.95. If G is lower than the threshold, the induction resource density is increased, the semantic similarity is improved, or the historical trace strength is enhanced, and the induction resource set is redeployed until G meets the requirements before proceeding to the next step S1.3.

[0040] By deploying resources with high inducibility strength, the complete behavioral exposure of modular malicious samples can be effectively facilitated. For example, if a sample is first downloaded by a downloader and then probes for the existence of documents that can be stolen and startup items that can be hijacked, if the sandbox is pre-deployed with high inducibility strength resources, the downloader will continue to create shared memory segments, deliver temporary files, and start executor processes, thereby exposing subsequent collaborative behaviors.

[0041] S1.3: Place the sample to be tested into the induction environment and start the kernel-level monitoring chain to collect the original cross-platform behavior records.

[0042] The sample to be tested is run in the environment with the deployed inducement resources obtained in step S1.2, and the kernel-level monitoring chain in the adversarial sandbox is started simultaneously. The monitoring content includes at least: process creation, thread spawning, handle inheritance, shared memory establishment, anonymous pipe communication, module loading, remote thread injection, file delivery, registration item writing, system service calls, and network connection.

[0043] The application of adversarial sandboxes can be summarized as follows: first, make the sample believe the environment is realistic, then intercept critical system activities at the driver level. Taking Windows as an example, when the downloader process creates the decryptor process, the sandbox driver records the parent process identifier, child process image path, creation time, and startup parameters; when shared memory is established between the two, the sandbox records the shared area identifier, allocation size, mapping objects, and access order; if the executor is subsequently injected and started by a remote thread, the sandbox continues to record the injection source process, target process, write address range, and startup entry offset. In this way, the collaborative behaviors that were originally scattered across multiple processes are completely linked together.

[0044] On the network side, the sandbox does not directly disconnect external connections. Instead, it redirects backlink traffic to the simulated control terminal, which then issues a predefined control response, allowing the sample to continue executing subsequent stages. The same principle applies to Linux and Android platforms, except that the monitored objects expand from registry entries and services to startup scripts, daemons, and application components.

[0045] To quantify the degree of cooperative behavior exposure of samples in the current environment, a cooperative behavior exposure index is defined: ; in, For the exposure index of collaborative behavior; For the first Key collaborative behaviors; The total number of key collaborative behavior categories, ranging from 8 to 30; This is the importance coefficient for this type of behavior, with a value ranging from 0.5 to 6; The percentage of times this type of behavior is triggered, with a value ranging from 0 to 1; This represents the chain extension level of this type of behavior, indicating how many subsequent actions are triggered after this behavior is triggered, with a value ranging from 0 to 8; This represents the number of observations of this type of behavior in the current sample; This is the minimum effective observation threshold for this type of behavior, with a value ranging from 1 to 20; This is the compression factor, ranging from 0.1 to 2. This function prioritizes reinforcing key collaborative behaviors that have already been triggered and can still elicit subsequent actions, rather than simply accumulating the number of events.

[0046] The calculated collaborative behavior exposure index E is used as the quantitative basis for the sufficiency of sample behavior. If E is lower than the preset threshold, which ranges from 10 to 50, the monitoring time is extended, such as by 10 to 30 minutes, or behavioral records are collected again after supplementing the inducement resources, until E meets the requirements. If E continues to fail to meet the standard, the sample is marked as a low-exposure sample and a warning is issued.

[0047] Through the above monitoring, a raw cross-platform behavior record set is obtained, including the behavior logs of objects such as processes, threads, files, memory, pipes, and networks under each platform.

[0048] S1.4: Perform unified semantic reorganization on the original cross-platform behavior records and generate a set of collaborative behavior events.

[0049] The raw cross-platform behavior records collected in step S1.3 are subjected to unified semantic reorganization. Specifically, processes, threads, handles, registry entries, and service items in Windows, processes, threads, file descriptors, shared memory segments, and daemons in Linux, and processes, components, Binder calls, storage objects, and permission calls in Android are uniformly mapped into an event structure of subject, action, object, time, platform, and associated tags.

[0050] Among them, the association markers include at least three types: parent-child start-up markers, resource transfer markers, and implicit cooperation markers. Parent-child start-up markers are used to indicate whether one process is explicitly started by another process; resource transfer markers are used to indicate whether objects such as files, shared memory, anonymous pipes, and network payloads are transferred between multiple processes; implicit cooperation markers are used to indicate that although there is no direct start-up relationship, multiple processes cooperate around the same resource or the same timing goal.

[0051] For example, downloader process A writes the encrypted payload file and creates an anonymous pipe, decryptor process B reads the pipe and releases the memory image, and executor process C then retrieves the instruction segment from the shared memory area to start a remote thread. Although A, B, and C may not have a completely consistent parent-child relationship, they can be unified into the same cooperative behavior chain through resource transfer markers and implicit cooperative markers.

[0052] This ultimately forms a set of collaborative behavior events, which serves as the direct input for the subsequent step S2, constructing the subject-attribution enhanced heterogeneous behavior graph.

[0053] In the technical solution of this disclosure embodiment, by constructing an adversarial sandbox and deploying inducement resources, combined with kernel-level monitoring and unified semantic reorganization, modular malicious samples can fully expose their multi-process collaborative behavior in a cross-platform environment, transforming the originally scattered process actions into a set of collaborative behavior events with associated tags, providing a data foundation for subsequent subject attribution determination, and avoiding the problem of missing behavior due to sample hiding or insufficient inducement.

[0054] S2: Construct a subject-attribution enhanced heterogeneous behavior graph based on the set of collaborative behavior events. The heterogeneous behavior graph contains process nodes and resource nodes. Add collaborative attribution edges to connect nodes belonging to the same candidate attack subject to form a subject-attribution enhanced heterogeneous behavior graph.

[0055] Using a set of collaborative behavior events as input, a heterogeneous behavior graph is constructed, comprising process nodes, file nodes, memory area nodes, pipe nodes, network endpoint nodes, and system object nodes. Subject affiliation candidate clusters are then constructed around shared memory access chains, anonymous pipe send / receive chains, module transmission chains, and control command response chains. By adding collaborative affiliation edges, a subject affiliation-enhanced heterogeneous behavior graph is formed. This is implemented through the following sub-steps.

[0056] S2.1: Standardize and reorganize collaborative behavioral events into a set of heterogeneous behavioral tuples containing subjects, objects, action types, and associated tags.

[0057] The set of collaborative behavior events obtained in step S1 is uniformly split and standardizedly reorganized. The core is to transcribe each collaborative behavior event into a heterogeneous behavior tuple that can be directly used for graph construction. Each collaborative behavior event is split into at least six basic elements: behavior subject identifier, behavior object identifier, behavior action type, occurrence time, platform context, and collaborative association marker. Among these, the behavior subject corresponds to active execution units such as processes and threads; the behavior object corresponds to the affected objects such as files, memory areas, pipes, network endpoints, and system objects; and the behavior action type corresponds to operation categories such as creation, injection, read / write, derivation, communication, inheritance, loading, and rejoin.

[0058] The standardization process requires addressing three engineering challenges. First, the same type of behavior is represented by different names on different platforms. For example, handle inheritance in Windows, file descriptor passing in Linux, and Binder object transfer in Android can all be categorized as object control transfer operations. Second, the same resource may be accessed repeatedly by different processes at different stages, so it cannot be viewed in isolation as a single log entry. Third, some behaviors do not directly demonstrate malice but can form a chain of actions with preceding and following actions. For example, process A writes to shared memory, process B reads that shared memory shortly afterward, and then launches process C.

[0059] To this end, a standardized rule base is established to map original collaborative behavior events into unified tuples: subject ID, action ID, object ID, timestamp, platform ID, and associated tag value. Timestamps are aligned to a unified time base with millisecond or microsecond precision; action categories are finitely discretely encoded, divided into 8 to 20 categories; and associated tags are bit-field encoded, with independent encoding bits assigned to the parent-child initiation, resource transfer, and implicit collaboration tags, supporting the overlay of multiple tags.

[0060] To determine whether an event is suitable as a valid tuple for subsequent graph construction, an event validity function is defined: ; in, For the validity of the event; The semantic completeness of the event ranges from 0 to 1, indicating whether the event simultaneously possesses subject, action, object, time, and platform information; The number of preceding related events in the original behavior sequence of this event is obtained based on preliminary statistics of time window and resource association, with a value range of 0 to 50. The strength of the collaboration marker ranges from 0 to 1 and is obtained by combining three types of markers: parent-child initiation, resource transfer, and implicit collaboration. This represents the event ambiguity level, with a value ranging from 0 to 1. The larger the value, the more likely the event is to be a normal system background action. This represents the event's historical reproducibility, ranging from 0 to 20, indicating the number of times this type of event occurs repeatedly within the same attack chain. , , , , These are weighting coefficients, all dimensionless constants ranging from 0.1 to 5. This function prioritizes events that are semantically complete, traceable, have collaborative meaning, and are repeatable and verifiable, while suppressing ambiguous background actions.

[0061] The calculated event validity score Q is compared with a preset threshold, which ranges from 0.3 to 0.7. Only events with Q greater than the threshold are retained, while events with validity scores lower than the threshold are discarded.

[0062] After the filtering is completed, a set of standardized heterogeneous behavior tuples is obtained, which provides direct input for subsequent node construction.

[0063] S2.2: Construct a heterogeneous set of nodes and a set of basic relation edges.

[0064] Based on the standardized set of heterogeneous behavioral tuples, the basic framework of the subject-attribution enhanced heterogeneous behavioral graph is constructed. First, according to resource and execution attributes, the nodes in the graph are divided into seven categories: process nodes, thread nodes, file nodes, memory area nodes, pipe nodes, network endpoint nodes, and system object nodes. System object nodes include registration items, service items, startup items, scheduled task items, permission objects, and device objects, etc.

[0065] Nodes should not be generated simply by name during construction; instead, object stability identification rules should be used. Process nodes are determined by the process mirror path, creation time window, parent process source, and key module summary; file nodes are determined by the canonical path, file size range, summary information, and last modification time; memory area nodes are determined by the process to which they belong, starting address range, mapping type, and access permissions; and pipe nodes are determined by the creating process, pipe identifier, direction, and duration. This approach is necessary because the same type of object may be generated multiple times in the attack chain. Without stability identification, subsequent actions that should be continuous will be broken up.

[0066] After completing the nodes, construct basic relationship edges based on the action types in step S2.1. Creation, derivation, injection, read / write, inheritance, loading, communication, and backlink all form directed relationship edges. In addition to the start and end nodes, each edge also needs to include the action type, occurrence time, platform flag, duration, and relationship confidence value.

[0067] To measure whether a stable basic relationship edge can be established between two nodes, a relationship confidence function is defined: ; in, For relation confidence values; The action matching strength ranges from 0 to 1, indicating whether the action is reasonable in terms of node type, such as process to thread derivation, process to file writing, and process to network endpoint reconnection. The time proximity is a factor ranging from 0 to 1, calculated from the difference between the time of the action and the time of related actions before and after it. The more continuous the time, the higher the value. For platform consistency, the value ranges from 0 to 1, indicating whether the node and action are in the same running platform context; The upstream association number represents the number of preceding actions that can support the relationship, with a value ranging from 0 to 30. The environmental noise level, with a value ranging from 0 to 1, is estimated from system background processes and routine service activities. The resource reuse interference level, with a value ranging from 0 to 1, indicates whether the same object is repeatedly accessed by a large number of irrelevant subjects; , , , , This is a dimensionless adjustment coefficient, ranging from 0.1 to 6. This function prioritizes retaining relation edges with reasonable actions, continuous time, consistent platform, and sufficient upstream support, while suppressing pseudo-connections in high-noise and high-reuse scenarios.

[0068] The calculated relation confidence value R is used as the weight of the basic relation edge. The edge is established in the heterogeneous behavior graph only when R is greater than a preset threshold, which ranges from 0.5 to 0.8; relation edges below the threshold are not established.

[0069] This completes the formation of a heterogeneous node set and a basic relation edge set, providing input for the construction of candidate clusters for subject affiliation in the next sub-step.

[0070] S2.3: Construct a set of candidate clusters for subject affiliation based on the shared memory access chain, anonymous pipe send / receive chain, module transmission chain, and control command response chain.

[0071] Based on the existing heterogeneous graph skeleton, instead of performing local analysis based solely on a single process, we construct candidate clusters for subject attribution around four types of key collaborative chains.

[0072] The first type is the shared memory access chain, where multiple processes continuously write, map, read, and execute around the same memory area node; the second type is the anonymous pipe send / receive chain, where one process writes to the pipe, another process reads within a short window and triggers subsequent actions; the third type is the module transfer chain, where payload files, dynamic libraries, script fragments, or decryption results are transferred between multiple execution entities; and the fourth type is the control command response chain, where after the network endpoint receives control commands, multiple local processes execute them in segments.

[0073] The construction principle of the candidate cluster for the subject of attack is to incorporate multiple seemingly dispersed processes into the local scope of the same candidate attack subject. A graph aggregation algorithm based on constraint expansion is adopted: first, high-risk process nodes are selected as seed nodes, and then expansion is performed outwards according to resource continuity, temporal continuity, and action complementarity. High-risk process nodes are defined as those that meet one of the following conditions: ① exhibit dangerous actions such as remote thread injection, excessively large block loading, or anonymous pipe control distribution; ② have a high relation confidence value in the basic relation edges, for example… ③ Structural similarity to known malicious behavior patterns. Resource continuity indicates whether multiple processes establish sequential connections around the same file, memory area, or pipe; temporal continuity indicates whether subsequent actions are triggered within a reasonable time window after the completion of the preceding action, with the time window ranging from 1 millisecond to 300 seconds; action complementarity indicates whether multiple processes respectively undertake different functional stages such as downloading, decryption, execution, persistence, and communication. Each group of nodes obtained according to the above constraint expansion algorithm constitutes an initial candidate cluster.

[0074] To measure the reasonableness of merging a group of nodes into the same candidate cluster for subject affiliation, a subject affiliation candidate cluster aggregation strength function is defined: ; in, The aggregation strength of the candidate cluster to which the subject belongs; This represents resource continuity, with a value ranging from 0 to 1, indicating whether multiple nodes perform continuous operations around the same resource chain. For time continuity, the value ranges from 0 to 1, indicating whether there is a stable sequential connection between multiple actions in time. The complementarity of actions ranges from 0 to 1, indicating whether multiple processes perform functions at different stages of the attack chain. The common upstream number, ranging from 0 to 20, represents the number of times these nodes can be traced back to the same upstream process or the same control terminal; The degree of functional conflict ranges from 0 to 1, indicating whether the behavior of these nodes is more similar to the ordinary system activities that are unrelated to each other. This represents the number of valid nodes within the cluster, ranging from 1 to 50. , , , , , This is a dimensionless coefficient, ranging from 0.1 to 5. This function uses shared resources, continuous time, collaborative division of labor, and a common upstream source as core evidence of a single attack entity, rather than simply examining whether a single process is suspicious.

[0075] The aggregation strength K of each initial candidate cluster is compared with a preset threshold, which ranges from 0.5 to 0.8. Clusters with K greater than the threshold are retained, and clusters with K less than the threshold are discarded. Finally, the set of candidate clusters to which the subject belongs is output.

[0076] S2.4: Add cooperative home edges to the heterogeneous behavior graph to form a subject-home-enhanced heterogeneous behavior graph.

[0077] Based on the candidate cluster set of subject attribution, collaborative attribution edges are added to the original heterogeneous behavior graph to form the final subject attribution-enhanced heterogeneous behavior graph. Collaborative attribution edges differ from basic relation edges. Basic relation edges indicate what actions have occurred, while collaborative attribution edges indicate that these seemingly scattered nodes belong to the same candidate attack subject. Therefore, collaborative attribution edges focus on connecting process nodes with process nodes, process nodes with thread nodes, process nodes with memory area nodes, and process nodes with pipe nodes—objects that embody collaborative control.

[0078] The process of generating collaborative attribution edges is as follows: First, pairwise association evaluation is performed on nodes within each candidate cluster, and then node pairs exceeding the threshold are added to the collaborative attribution edge. Next, a second evaluation is performed on node pairs that cross clusters but share critical control endpoints, critical payloads, or critical resource chains, supplementing cross-cluster collaborative attribution edges. Finally, a closed-loop check is performed on the collaborative attribution edges, eliminating weak edges that can only form single-point connections and cannot support the closed structure of a local attack entity. The collaborative attribution edge threshold is set between 0.55 and 0.85; too low a threshold will lead to irrelevant nodes being mistakenly merged, while too high a threshold will break up the true collaborative process.

[0079] After forming the subject-attribution enhanced heterogeneous behavior graph, two types of edges exist simultaneously in the graph: one type describes the basic relationship edges of specific actions, and the other type describes the cooperative attribution edges of the attacking subject. In this way, the behaviors of the downloader, decryptor, executor, and controller, which were originally scattered in multiple processes, are incorporated into the local subgraph of the same candidate attacking subject. This output will be directly used by the graph neural network model in step S3 for subsequent subject attribution determination and unknown malicious pattern identification.

[0080] In the technical solution of this disclosure embodiment, a heterogeneous behavior graph is constructed based on the set of cooperative behavior events. A candidate cluster of subject affiliation is constructed through shared memory access chain, anonymous pipe send / receive chain, module transmission chain, and control command response chain. Cooperative affiliation edges are added to the graph, so that behaviors that were originally scattered in multiple processes due to the lack of parent-child creation relationship are incorporated into the local subgraph of the same candidate attack subject. This solves the problem that traditional behavior graphs cannot reduce cooperative processes to a single attack subject, forming a subject affiliation enhanced heterogeneous behavior graph, which provides structured input for subsequent affiliation determination based on graph neural network.

[0081] S3: Based on the graph neural network model, perform subject attribution determination on the subject attribution enhanced heterogeneous behavior graph, merge the scattered collaborative processes into a unified attack subject subgraph set, and identify high-risk behavior subgraphs and their stage propagation chains from the unified attack subject subgraph set.

[0082] Using a subject-attribution enhanced heterogeneous behavior graph as input, a graph neural network model is employed to determine subject attribution for candidate clusters, merging dispersed collaborative processes into a unified attack subject subgraph, and further identifying unknown malicious patterns, high-risk behavior subgraphs, and their stage propagation chains. This is achieved through the following sub-steps.

[0083] S3.1: Divide the local subgraph around the candidate cluster to which the subject belongs and supplement the neighborhood information to generate the input sample set for the graph neural network.

[0084] The subject-attribution enhanced heterogeneous behavior graph formed in step S2 is then processed into input samples suitable for graph neural network processing. This does not involve processing the entire graph... Figure 1 Instead of feeding all data into the model at once, the model first segments several local subgraphs around the candidate subject affiliation clusters. Then, it supplements each local subgraph with its first-order and second-order neighborhood information to form candidate affiliation determination samples. Each sample contains at least three parts: node attributes, relationship edge attributes, and subject affiliation candidate cluster boundary information. Node attributes include node type, node activity duration, resource access frequency, number of calls, number of upstream sources, and number of downstream diffusions; relationship edge attributes include action category, action duration, time interval, platform identifier, relationship confidence value, and collaborative affiliation edge strength; subject affiliation candidate cluster boundary information is used to indicate which nodes in the current subgraph belong to the initial subject affiliation candidate cluster and which nodes belong to the extended neighborhood.

[0085] Graph neural networks cannot directly understand the semantic meaning of terms like "downloader," "decryptor," and "executor"; they receive structured numerical values. Therefore, it is necessary to first transform various attributes into unified numerical features. Taking a process node as an example, its features consist of creation time, continuous runtime, number of derived threads, number of files accessed, number of memory areas accessed, number of network connections established, and number of times it is referenced by other processes. Taking a shared memory edge as an example, its features consist of creation time, difference in access order, consistency of read / write direction, and number of cross-process propagation layers.

[0086] To evaluate whether a local subgraph has sufficient information density, a subgraph representation sufficiency function is defined: ; in, The sufficiency of the subgraph representation; The effective node percentage, with a value ranging from 0 to 1, represents the proportion of nodes in a local subgraph that participate in real collaborative behavior to the total number of nodes in that subgraph. This represents the number of valid relation edges, ranging from 1 to 500. This represents the relation type coverage, with a value ranging from 0 to 1, indicating the completeness of the coverage of key edge types such as creation, injection, read / write, inheritance, communication, and loading. The time continuity is represented by a value ranging from 0 to 1, and is calculated from the time interval between adjacent key edges. This represents the background noise level, with a value ranging from 0 to 1. This represents the number of closed-loop associations, ranging from 0 to 50, indicating the number of resource transfer loops or control response loops that occur in this local subgraph. , , , , This is a dimensionless adjustment coefficient, ranging from 0.1 to 6. This function prioritizes retaining local subgraphs with valid nodes, rich relationships, continuous time, and signs of closed-loop collaboration, avoiding the intrusion of a large amount of background system behavior into the model and causing interference.

[0087] In actual processing, the representation sufficiency F of each local subgraph is calculated, and only subgraphs with F greater than a preset threshold are used as input samples for the graph neural network model. The preset threshold ranges from 0.4 to 0.7. Subgraphs with F below the threshold are not subject to subject attribution determination for the time being, and are evaluated after supplementing information later.

[0088] S3.2: A heterogeneous graph neural network model is used to output the subject attribution confidence result through node message propagation, edge relation weighting and candidate cluster-level aggregation.

[0089] After obtaining the input samples for the graph neural network, the subject attribution determination begins. Figure 2 A flowchart illustrating the subject attribution determination process based on a graph neural network, as provided in this disclosure, is shown below. Figure 2 As shown, a heterogeneous graph neural network model is employed, using a three-stage processing approach: node message propagation, edge relation weighting, and aggregation at the candidate cluster level for subject attribution. Instead of directly assessing the suspicion of a single process, it examines whether multiple nodes within a candidate cluster gradually exhibit a cooperative, closed structure befitting a unified attacking entity after multiple rounds of neighborhood interactions. After these three stages of processing, the model outputs the final attribution determination based on a quantitative indicator, defined as follows.

[0090] The first phase is node message propagation. For each node in the candidate cluster of the subject's affiliation, the model receives messages from its neighboring nodes. Process nodes primarily receive messages from thread nodes, file nodes, shared memory nodes, and network endpoint nodes; file nodes primarily receive messages from write processes, read processes, and load processes; and network endpoint nodes primarily receive messages from back-to-back processes and command response processes.

[0091] The second stage involves edge weighting. Since basic relationship edges and collaborative attribution edges have different meanings, they cannot be simply treated with equal weight. Basic relationship edges represent objectively occurring operations, while collaborative attribution edges represent enhanced relationships that may belong to the same attacking entity. Therefore, the two types of edges are initialized with differentiated weights in the model. Collaborative attribution edges are given a higher initial weight during the attribution determination stage, and the specific value is adaptively adjusted during training. The confidence value for basic relationship edges is set between 0.6 and 0.95, and the confidence value for collaborative attribution edges is set between 0.4 and 0.85, subsequently adaptively adjusted during training.

[0092] The third stage is the aggregation at the candidate cluster level. After 2 to 6 rounds of message propagation, the model performs weighted aggregation of the hidden representations of the nodes within the candidate cluster to form the attribution representation value of the candidate cluster, and then outputs the confidence result of the subject attribution.

[0093] Based on the above three-stage processing, in order to quantify the credibility of a candidate cluster of subjects being identified as a unified attack subject, an attribution confidence function is defined: ; in, As the confidence value for subject attribution; The neighborhood consistency score, ranging from 0 to 1, represents the degree of similarity in representation among nodes within the candidate cluster to which the subject belongs after multiple rounds of message propagation. This represents the continuity of resource transfer, with a value ranging from 0 to 1, indicating whether the shared memory access chain, anonymous pipe send / receive chain, and module transfer chain are continuous from beginning to end. The strength of the collaborative closed loop ranges from 0 to 1, indicating whether there is a closed loop structure such as downloading, decrypting, executing, connecting back or receiving commands, segmented execution, and feedback of results. The stage connection number, ranging from 0 to 20, represents the number of effective connections between different stages in the attack chain; Subject conflict degree, with a value ranging from 0 to 1, indicates whether nodes that clearly do not belong to the same attacking subject have been mixed into the current cluster; The background clutter level ranges from 0 to 1, representing the degree of deviation between the nodes within the candidate cluster to which the current subject belongs and the core attack chain in terms of resource transfer, control timing, and phase connection. The larger the value, the more irrelevant nodes are mixed in. , , , , , This is a dimensionless coefficient, ranging from 0.1 to 5. The model outputs the calculated attribution confidence value A as the final subject attribution confidence result. This function comprehensively considers whether the internal structure resembles a whole, whether resources are continuously transferred, whether an attack loop is formed, and whether the transitions between stages are smooth, rather than just looking at the parent-child process relationship.

[0094] After node message propagation, edge relation weighting, and candidate cluster-level aggregation, the model outputs the attribution confidence value A of each subject to the candidate cluster. This value directly serves as the core basis for determining whether to merge and reconstruct the candidate clusters in the subsequent step S3.3.

[0095] Through the three-stage processing described above, the model outputs the subject attribution confidence value for each candidate cluster. Simultaneously, it generates node representations for each node, edge importance for each relation edge, and subgraph representations for each candidate cluster. These intermediate results will be used in the subsequent reverse tracing process in step S4.

[0096] S3.3: Based on the subject attribution confidence results, merge and reconstruct the candidate clusters to generate a unified attack subject subgraph set.

[0097] Based on the subject attribution confidence results, the original subject attribution candidate clusters are re-merged and their boundaries are reorganized. If multiple subject attribution candidate clusters share key resources, control terminals, module payloads, or have continuous phase connections, and their attribution confidence values ​​all exceed a set threshold, they are merged into the same unified attack subject subgraph set. This threshold is set to 0.60 to 0.90.

[0098] During the re-merging process, nodes are not simply spliced ​​together; three processes are performed. The first is inter-cluster boundary disambiguation, which identifies resource nodes and intermediate execution nodes that appear repeatedly in multiple clusters to prevent the same object from being recorded twice. The second is critical path preservation, which prioritizes retaining the main paths supporting the attack phase transitions, such as download, decryption, execution, persistence, and backlink paths. The third is conflict node removal, which removes nodes that, although locally connected to the main subgraph, cannot form a stable cooperative response through multiple rounds of propagation. It should be noted that the merging threshold and the cooperative attribution edge threshold in step S2.4 are progressive: cooperative attribution edges are used to include scattered nodes into the same candidate cluster for subject attribution during the graph construction phase, while the merging threshold is used to merge high-confidence candidate clusters for subject attribution after attribution determination. To avoid overly scattered merging, the merging threshold should not be lower than the upper limit of the cooperative attribution edge threshold; a setting of 0.75 to 0.90 is recommended.

[0099] To quantify the stability of the merged attack subgraph, a subgraph stability function is defined: ; in, For the stability of the main subgraph; This represents the proportion of critical resources shared among clusters, with a value ranging from 0 to 1. The critical path retention rate, ranging from 0 to 1, represents the degree to which critical nodes and critical edges are retained on the main attack chain after merging. The number of candidate clusters to which the merged entity belongs, with a value ranging from 1 to 20; The attribution confidence mean, with a value ranging from 0 to 1, is calculated from the output of step S3.2; The degree of structural conflict ranges from 0 to 1, indicating whether mutually exclusive execution logic exists after merging. The number of complete loop closures, ranging from 0 to 20, represents the number of times a complete attack loop is formed after merging. , , , , This is a dimensionless coefficient, ranging from 0.1 to 6. This function ensures that the merged unified attack subject subgraph can cover multiple truly collaborative processes without crudely splicing in irrelevant nodes.

[0100] The calculated stability B of the main subgraph is used as the quality evaluation index of the merged subgraph. When B exceeds the preset threshold, which ranges from 0.5 to 0.8, the merging result is confirmed to be valid and a unified attack main subgraph is output. If B is below the threshold, the merging operation is rolled back, the candidate cluster boundary is re-evaluated, and a new merging scheme is tried.

[0101] S3.4: Perform graph-level classification and subgraph risk scoring on the subgraphs in the unified attack subject subgraph set to identify unknown malicious patterns and high-risk behavior subgraphs and stage propagation chains.

[0102] After obtaining the unified attack subject subgraph set, the process moves to the unknown malicious pattern identification stage. The pre-trained graph neural network model is still used, but the target shifts from attribution determination to risk identification. A dual-output structure is employed: one output is used for graph-level classification to determine whether the current unified attack subject exhibits an unknown malicious family pattern; the other output is used for subgraph risk scoring to identify which local behavioral segments are most dangerous. During model execution, node representation values, edge importance, and subgraph representation values ​​are simultaneously produced; these outputs will serve as key evidence for reverse attribution in step S4.

[0103] In the graph-level classification phase, the model focuses on whether the overall structure exhibits characteristics of a malicious attack chain, such as whether there is multi-stage coordination, rapid execution after resource delivery, segmented action propagation after control command response, and abnormal persistence and backlink loops. In the subgraph risk scoring phase, the model calculates the risk value for each key local segment in the unified attack subject subgraph to identify high-risk behavior subgraphs, such as shared memory decryption and remote thread injection subgraphs, or control-end backlinks and anonymous pipeline distribution execution subgraphs.

[0104] The model also outputs the contribution of each node to the overall risk, denoted as the node risk contribution. Furthermore, the high-risk subgraphs are linked together according to their temporal and resource transfer relationships to form a phased propagation chain. This propagation chain typically includes an initial entry phase, a payload deployment phase, a functional decoupling phase, an execution control phase, and a result feedback phase. Thus, when performing reverse tracing in subsequent step S4, one no longer faces a bunch of scattered nodes, but rather a high-risk propagation chain already organized in phases.

[0105] To quantify the unknown malicious risk of a unified attacking entity, a risk scoring function is defined: ; in, Score the risk of unknown malicious activity; This is the graph-level anomaly score, ranging from 0 to 1, which represents the degree of deviation of the current main subgraph from the known benign structural pattern. The high-risk subgraph density, ranging from 0 to 1, represents the proportion of high-risk local segments in the main subgraph. The propagation completeness of the stage ranges from 0 to 1, indicating whether a complete stage chain is formed from the initial entry to the feedback loop. This is a count of critical malicious actions, ranging from 0 to 50, such as the number of actions like remote thread injection, excessive block loading, and anonymous pipeline control distribution. The degree of cross-platform isomorphism ranges from 0 to 1, indicating whether the pattern exhibits similar structural features on different platforms. The benign camouflage level, ranging from 0 to 1, represents the degree to which it mimics normal program behavior in appearance; The sparsity of evidence ranges from 0 to 1, indicating whether there are too few key subgraphs supporting the judgment. , , , , , This is a dimensionless coefficient, ranging from 0.1 to 5. This function considers whether the overall situation is abnormal, how many dangerous local areas are present, whether the attack phase is complete, and whether the key actions are concentrated enough, rather than drawing conclusions based on just one high-risk action.

[0106] The calculated risk score M is used as the quantification value of unknown malicious risk of the unified attack subject subgraph. When M exceeds the preset threshold, which ranges from 0.6 to 0.9, it is judged as an unknown malicious mode and the corresponding graph-level classification label is output. When M is below the threshold, it is marked as low risk or suspected benign.

[0107] Through the above processing, step S3 finally outputs a unified set of attack subjects, a high-risk behavior subgraph and its stage propagation chain, and produces intermediate results such as node representation values, edge importance, and subgraph representation values, providing input for the cross-platform tracing and inversion and result output of step S4.

[0108] In the technical solution of this disclosure embodiment, a heterogeneous behavior graph with enhanced subject attribution is used as input. A heterogeneous graph neural network model is used to perform node message propagation, edge relationship weighting, and candidate cluster-level aggregation on the subject attribution candidate clusters, and output the subject attribution confidence result. The scattered collaborative processes are merged into a unified attack subject subgraph, and graph-level classification and subgraph risk scoring are further performed on the subgraph to identify unknown malicious patterns and their high-risk behavior subgraphs and stage propagation chains. This realizes the attribution determination from multi-process scattered behavior to a single attack subject, and solves the technical problem in the prior art that the source tracing result has multiple false starting points due to the overlapping of behavior attribution.

[0109] S4: Based on the unified attack subject subgraph set, the high-risk behavior subgraph, and the stage propagation chain, reverse tracing is performed along the time sequence, resource transfer sequence, and control transfer sequence. Combined with cross-platform same-source comparison, the chain is narrowed down to a single source attack chain, and the source tracing conclusion is output.

[0110] Taking a unified set of attack subjects, a high-risk behavior subgraph, and a phased propagation chain as input, the system performs reverse tracing along the time sequence, resource transfer sequence, and control transfer sequence. Combined with cross-platform same-origin comparison, it narrows down the attack chain to a single source, ultimately outputting the source process, the composition of cooperating modules, the cross-platform propagation path, the results of excluding false starting points, and the source tracing conclusion. This is achieved through the following sub-steps.

[0111] S4.1: Starting from the high-risk behavior subgraph, backtrack in reverse order along the time sequence, resource transfer sequence, and control transfer sequence to determine the set of candidate key nodes.

[0112] Using the unified set of attack subjects output in step S3 as the overall analysis object, a reverse tracing working view is established for each unified attack subject. Here, reverse tracing is not simply a matter of going backwards chronologically, but rather a backtracking along three main lines: chronological order, resource transfer order, and control transfer order. Specifically, it starts with dangerous terminal actions in the high-risk behavior subgraph, such as remote thread injection, control terminal reconnection, loading of unusually large blocks, and anonymous pipe instruction dispatch. Then, it traces backwards level by level along the stage propagation chain to find the direct and indirect predecessor nodes that triggered these actions.

[0113] During the backtracking process, three types of key nodes are identified first. The first type is the earliest triggering node, which is the node within the same attacking entity that first triggers subsequent chain actions, such as the process node that first initiates shared memory writes or the network endpoint node that first establishes a faked backlink. The second type is the first payload release node, which is the node that first changes ciphertext, modules, script fragments, or memory images from a pending execution state to an executable state. The third type is the first control establishment node, which is the node that first implements external control commands into the local entity's chain, such as the first valid command backlink, the first control pipe message received, or the first cross-process control injection triggered.

[0114] The graph neural network model trained in step S3 is not used in this sub-step for retraining or re-performing forward propagation. Instead, it directly calls upon its already generated node representations, edge importance, candidate cluster attribution confidence results, and high-risk subgraph scores. In other words, reverse source tracing does not blindly backtrack from the original behavioral graph, but rather from the key graph structure reinforced by the graph neural network model. This avoids misidentifying a large number of background nodes as false sources.

[0115] For example, in a unified attack entity, the executor process ultimately initiates remote thread injection. If only reversed chronologically, it might trace back to multiple ordinary file read / write actions; however, if combined with the node risk contribution given by the graph neural network model in step S3, it becomes clear that the node that truly deserves priority backtracking is the one where the decryptor process reads shared memory and releases the module, rather than ordinary system cache read / write nodes.

[0116] To quantify whether a node should be included in the candidate set of key nodes, a key node priority function is constructed: ; in, Prioritize key nodes; The node risk contribution, with a value ranging from 0 to 1, is calculated from the subgraph risk scoring results of the graph neural network model in step S3. This is the reverse path coverage, with a value ranging from 0 to 1, indicating how many high-risk propagation chains can be covered starting from this node; The strength of the stage precursor, ranging from 0 to 1, indicates whether the node is at the forefront of a certain stage transition; This represents the number of downstream dangerous actions, ranging from 0 to 50, indicating how many dangerous actions can be triggered if we continue from this node. This represents background similarity, with a value ranging from 0 to 1, indicating whether the node's behavior is too similar to the background actions of a normal system. The pseudo-starting point interference degree, with a value ranging from 0 to 1, indicates the degree to which the node, although early in time, lacks substantial subsequent support; , , , , This is a dimensionless adjustment coefficient, ranging from 0.1 to 5. The function prioritizes nodes with high risk contribution, covering multiple hazard chains, located at the forefront of stage transitions, and capable of triggering substantial dangerous actions downstream, while excluding pseudo-starting points that appear early but are merely background activities.

[0117] The calculated priority P of key nodes are sorted from high to low. The top 3 to 20 nodes with the highest priority are included in the candidate key node set, and the remaining nodes are not included for the time being.

[0118] Through the above processing, a set of candidate key nodes is obtained, laying the foundation for the subsequent construction of the reverse source chain on a single platform.

[0119] S4.2: Perform key node anchoring, multi-path rollback and main chain merging for each platform to build a single-platform reverse source chain set.

[0120] After obtaining the set of candidate key nodes, reverse source chain construction is performed for each platform. This is done using key node anchoring, multi-path rollback, and main chain merging.

[0121] Critical node anchoring refers to first fixing three types of nodes based on the candidate critical node set: the earliest triggering node, the first load release node, and the first control establishment node. Then, tracing back from these three types of nodes reveals their resource predecessors, control predecessors, and time predecessors, respectively. A resource predecessor refers to the node that delivers files, memory areas, pipeline data, or module loads to the current node; a control predecessor refers to the node that triggers control over the current node; and a time predecessor refers to the previous stage node within a reasonable time window that forms a strong connection with the current node.

[0122] During multi-path backtracking, path selection needs to be performed using the edge importance values ​​provided by the graph neural network model. In step S3, the graph neural network model already assigned different edge importance values ​​to edges in high-risk subgraphs during graph-level classification and subgraph scoring. This step uses these weights to re-evaluate the reverse paths: paths with high edge importance are prioritized and retained, while paths with low edge importance but only coincidentally close in time are downgraded.

[0123] For example, in a Windows platform, process A downloads the encrypted payload, process B restores the module from shared memory, and process C loads the module and connects back to the control terminal. Graph neural network models typically assign high edge importance to the chain of shared memory writes, shared memory reads, and module loading. Therefore, when reversing, the main chain of A, B, and C should be preserved first, rather than preserving a system service chain that occurs simultaneously but only accesses ordinary log files.

[0124] To measure whether a particular reverse path can serve as the source chain for a single platform, a reverse main chain credibility function is defined: ; in, To verify the credibility of the reverse main chain; The mean edge importance value ranges from 0 to 1 and is obtained from the edge importance value of the graph neural network model in step S3. For time continuity, the value ranges from 0 to 1, indicating whether the time connection between adjacent nodes on the path is smooth; This represents the continuity of resource delivery, with a value ranging from 0 to 1, indicating whether the payload of a file, memory area, pipe, or module is continuously forwarded. The value ranges from 0 to 1, representing the continuity of control transmission, indicating whether control triggering forms a hierarchical relay. The number of main chain supporting nodes, with a value ranging from 1 to 100; The path branching degree, with a value ranging from 0 to 1, indicates whether the path has too many invalid branches; This represents the background blending level, with a value ranging from 0 to 1. , , , , , This is a dimensionless adjustment coefficient, ranging from 0.1 to 6. This function compresses the most structurally continuous, resource-coherent, and control-clearest single-platform source chain from numerous reverse paths, and it receives key support from graph neural networks.

[0125] For each platform, calculate the credibility S of each candidate reverse path, and select the path with the highest S value as the main reverse source chain of that platform; if the S values ​​of multiple paths all exceed a preset threshold, the preset threshold ranges from 0.6 to 0.85, then all of them are retained as candidate chains.

[0126] After this process, each platform will form one or more single-platform reverse source chains. If some chains differ only in a few intermediate nodes, but their starting nodes are the same as those of the key resource chains, then the main chains will be merged to generate a set of single-platform reverse source chains.

[0127] S4.3: Perform structural-level same-source comparison on the single-platform reverse source chain of each platform, merge the same-source segments into the same chain, and shrink them into a single source attack chain.

[0128] After establishing reverse source chains on each platform, cross-platform same-origin comparisons are performed. The core of this comparison isn't about filenames, process names, or path text, as the implementations on different platforms are often completely different. For example, Windows might establish persistence through registry entries and scheduled tasks, Linux might achieve the same functionality through startup scripts and daemons, and Android might achieve the same functionality through component invocation and service keep-alive. If only superficial objects are considered, it's easy to misjudge same-origin behavior as heterogeneous behavior.

[0129] Therefore, this sub-step continues to utilize the graph neural network model results from step S3. Specifically, it calls the node representation values ​​and subgraph representation values ​​generated by the graph neural network model in the unified attack subject subgraph to perform a structural-level comparison of key nodes and key segments across different platforms. The comparison object here is not the original logs, but the structural semantic representation aggregated by the graph neural network. This means that as long as local behavioral segments in two platforms are sufficiently similar in resource transfer methods, stage positions, and downstream dangerous action triggering capabilities, they can be identified as cross-platform same-origin nodes or same-origin subchains.

[0130] In actual execution, three types of core nodes are first selected from the reverse source chain of each platform: the initial trigger node, the first load release node, and the first control establishment node. Then, local segments of a fixed depth are extracted around each type of core node, with first- to third-order neighborhoods being preferred. Next, the graph-level risk patterns and stage structure positions formed in step S3 are compared among these local segments. If local segments in two platforms, although different in object form, have consistent stage positions, resource transfer patterns, control establishment methods, and downstream dangerous action distributions, they are classified as cross-platform common-source nodes.

[0131] For example, in Windows, a node manifests as a startup item triggering a downloader, shared memory decryption, and module loading and reconnection, while in Linux, a node manifests as a startup script triggering a downloader, shared memory decryption, and module loading and reconnection. Although the apparent mechanisms are different, after aggregation by a graph neural network model, their structural semantic positions are highly consistent, and therefore they should be identified as a common origin chain.

[0132] To quantify whether key chains on two platforms belong to the same source, a cross-platform homology function is defined: ; in, For cross-platform homogeneity; The structural position consistency is represented by a value ranging from 0 to 1, indicating whether the relative positions of two local segments are consistent in the attack phase chain. This represents the consistency of resource delivery patterns, with a value ranging from 0 to 1. To control the consistency of the established patterns, the value ranges from 0 to 1; The number of common hazardous actions ranges from 0 to 30. This represents the platform's apparent difference degree, with a value ranging from 0 to 1, indicating the degree of apparent difference in object names, path formats, and system call formats. The heterogeneous conflict degree, with a value ranging from 0 to 1, represents the degree to which two chains are locally similar but have inconsistent overall upstream and downstream logic; , , , , This is a dimensionless constant, ranging from 0.1 to 6. This function allows structural homology to override surface differences, thereby finding true cross-platform homology initiation chains.

[0133] For any two reverse source chains on different platforms, calculate their cross-platform homology H. If H exceeds a preset threshold (ranging from 0.60 to 0.88), they are considered homologous, and the corresponding platform fragments are merged into the same single-source attack chain. If H is below the threshold, they are considered heterologous, and each is retained as an independent source chain. This allows for the extraction of a unique single-source attack chain from the scattered single-platform reverse source chains across multiple platforms.

[0134] S4.4: Output source process, composition of collaborative modules, cross-platform propagation path, results of omitting false starting points, and comprehensive tracing conclusions.

[0135] After obtaining the single-source attack chain, the final result is solidified and output. First, the source process is determined based on the node at the forefront of the single-source attack chain that is supported by cross-platform same-source comparison. This source process is not necessarily the earliest appearing process, but rather the process that first triggers the effective attack phase transition and can continuously deliver payloads or control to the next stage.

[0136] Identify the components of the coordinating modules based on the functional location of key segments at each stage of a single-source attack chain. These typically include a download module, a decryption module, an execution module, a control module, and a feedback module, but merged modules may also occur, such as a combined download / decryption module or a combined execution / feedback module.

[0137] The cross-platform propagation path is output according to the platform order and propagation sequence. For example, the downloader is released first on the Windows side, then a control back connection is established on the Linux side, and then the secondary module is activated through a component on the Android side, ultimately forming a cross-platform propagation chain.

[0138] All nodes that were included in the candidate critical nodes in step S4.1 but did not enter the single source attack chain were uniformly marked as pseudo-starting point exclusion results, and the reasons for their exclusion were explained, such as: although the time was early, there were no resources to follow up; although there were control actions, there was no downstream closed loop; although there was local high risk, there were different sources across platforms.

[0139] To give the final conclusion a quantifiable overall level of credibility, a comprehensive source tracing credibility function is defined: ; in, To ensure the credibility of the overall traceability; This represents the completeness of a single-source attack chain, with a value ranging from 0 to 1, indicating whether the initial triggering, payload release, control establishment, and subsequent execution phases have all been covered. The average homology across platforms ranges from 0 to 1 and is obtained from the homology comparison results in step S4.3. The main chain stability is determined by a value ranging from 0 to 1, and is obtained by combining the results of reverse source chain analysis from a single platform with cross-platform merging results. To effectively support the number of evidences, the value ranges from 1 to 100, including the number of evidences related to key nodes, high-risk subgraphs, stage transitions, and homologous matching. The sufficiency of excluding false starting points ranges from 0 to 1, indicating whether the system has sufficiently demonstrated why other early nodes should not be identified as the source. The residual conflict level, ranging from 0 to 1, represents the number of unexplained conflicts that still exist in the current conclusion. The sparsity of evidence ranges from 0 to 1, indicating whether there are too few key subgraphs supporting the judgment. , , , , , This is a dimensionless coefficient, ranging from 0.1 to 6. The function uses the completeness of the chain, cross-platform consistency, sufficient evidence, and the complete exclusion of spurious starting points as the core criteria for a reliable final tracing conclusion.

[0140] The calculated overall source tracing confidence level T is output as the confidence level of the final source tracing conclusion and appended to the source tracing report. When T is lower than a preset threshold (ranging from 0.6 to 0.8), it is marked as low confidence and prompts for manual review; when T is higher than the threshold, the source tracing conclusion is automatically determined to be reliable and can be directly used for subsequent security responses.

[0141] Through the above processing, step S4 completes the cross-platform tracing and inversion, transforming the reverse analysis results into tracing conclusions that can be directly used in engineering, rather than remaining at a vague judgment that may originate from a few nodes.

[0142] In the technical solution of this disclosure embodiment, based on a unified set of attack subjects, a high-risk behavior subgraph, and a stage propagation chain, reverse tracing is performed along the time sequence, the resource transfer sequence, and the control transfer sequence. The earliest triggering node, the first payload release node, and the first control establishment node are determined by combining the node representation values ​​and edge importance produced by the graph neural network. Through cross-platform same-source comparison, the reverse source chains of each platform are condensed into a single source attack chain. Finally, the source process, the composition of the collaborative modules, the cross-platform propagation path, the pseudo-starting point exclusion results, and the source tracing conclusion are output, realizing the complete source tracing of modular collaborative attacks.

[0143] According to embodiments of this disclosure, an electronic device is also provided, which may include a processor, a communications interface, a memory, and a communication bus, wherein the processor, the communications interface, and the memory communicate with each other via the communication bus. The processor can invoke logical instructions stored in the memory to execute the methods provided in the above embodiments.

[0144] Furthermore, the logical instructions in the aforementioned memory can be implemented as software functional units and sold or used as independent products, and can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0145] On the other hand, this disclosure also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, is implemented to perform the methods provided in the above embodiments.

[0146] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0147] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0148] It should be understood that the above embodiments are only used to illustrate the technical solutions of this disclosure, and not to limit them; although this disclosure has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this disclosure.

Claims

1. An unknown malicious provenance analysis method for cross-platform behavior graph fusion, characterized in that, The method includes: S1: By inducing cross-platform, multi-process collaborative behavior through adversarial sandbox, the collected raw behavioral data is semantically reorganized into a set of collaborative behavioral events containing subjects, actions, objects, and associated tags. S2: Construct a subject-attribution enhanced heterogeneous behavior graph based on the set of collaborative behavior events. The heterogeneous behavior graph contains process nodes and resource nodes. Add collaborative attribution edges to connect nodes belonging to the same candidate attack subject to form a subject-attribution enhanced heterogeneous behavior graph. S3: Based on the graph neural network model, perform subject attribution determination on the subject attribution enhanced heterogeneous behavior graph, merge the scattered collaborative processes into a unified attack subject subgraph set, and identify high-risk behavior subgraphs and their stage propagation chains from the unified attack subject subgraph set; S4: Based on the unified attack subject subgraph set, the high-risk behavior subgraph, and the stage propagation chain, reverse tracing is performed along the time sequence, resource transfer sequence, and control transfer sequence. Combined with cross-platform same-source comparison, the chain is narrowed down to a single source attack chain, and the source tracing conclusion is output.

2. The method of claim 1, wherein, S1 includes: Construct a cross-platform adversarial sandbox operating environment with camouflage capabilities and anti-detection parameters; Deploy a set of inducement resources containing virtual files and pseudo-services in the cross-platform adversarial sandbox; The sample to be tested is placed into the adversarial sandbox environment, the kernel-level monitoring chain is started, and the original cross-platform behavior records are collected. Perform unified semantic reorganization on the original cross-platform behavior records, and map the behavior records of different platforms into an event structure of subject, action, object, time, platform, and associated markers to generate the collaborative behavior event set; The association markers include at least parent-child start markers, resource transfer markers, and implicit collaboration markers.

3. The method according to claim 1, characterized in that, S2 includes: The events in the collaborative behavior event set are standardized and reorganized into a heterogeneous behavior tuple set containing subject, object, action type and association tag; Based on the set of heterogeneous behavior tuples, a heterogeneous behavior graph is constructed; The heterogeneous behavior graph includes a heterogeneous set of nodes such as process nodes, file nodes, memory area nodes, pipe nodes, network endpoint nodes, and system object nodes, and a set of basic relation edges constructed based on the action types in the heterogeneous behavior tuple set. In the heterogeneous behavior graph, a set of candidate clusters for subject affiliation is constructed around the shared memory access chain, the anonymous pipe send / receive chain, the module transmission chain, and the control command response chain; By adding cooperative attribution edges to the heterogeneous behavior graph, a subject-attribution-enhanced heterogeneous behavior graph is formed.

4. The method according to claim 3, characterized in that, The construction principle of the candidate cluster to which the subject belongs is as follows: High-risk process nodes are selected as seed nodes, and then expanded outward according to resource continuity, time continuity and action complementarity, so that multiple processes that appear to be scattered are included in the local scope of the same candidate attack subject. The resource continuity refers to the establishment of sequential connections between multiple processes around the same file, memory area, or pipe; the temporal continuity refers to the subsequent action being triggered within a preset time window after the previous action has ended; and the action complementarity refers to the fact that multiple processes respectively undertake different functional links in the attack chain.

5. The method according to claim 1, characterized in that, S3 includes: The local subgraph is segmented around the candidate clusters of the subject affiliation, neighborhood information is supplemented, and a set of input samples for the graph neural network is generated. A heterogeneous graph neural network model is adopted, and the subject attribution confidence result is output through node message propagation, edge relation weighting and candidate cluster-level aggregation. Based on the subject attribution confidence results, the subject attribution candidate clusters are merged and reconstructed to generate a unified attack subject subgraph set; Graph-level classification and subgraph risk scoring are performed on the subgraphs in the unified attack subject subgraph set to identify unknown malicious patterns and high-risk behavior subgraphs and stage propagation chains.

6. The method according to claim 5, characterized in that, The heterogeneous graph neural network model, through node message propagation, edge relation weighting, and candidate cluster-level aggregation, outputs subject attribution confidence results, including: For each node in the candidate cluster of the subject affiliation, receive messages from its neighboring nodes and update the node representation; When using a heterogeneous graph neural network model to perform subject attribution determination, the basic relation edges and cooperative attribution edges are initialized with differentiated weights, and the cooperative attribution edges are given higher initial weights than the basic relation edges during the attribution determination stage. After multiple rounds of message propagation, the model performs weighted aggregation of the hidden representations of the nodes within the candidate cluster of subject affiliation to form the affiliation representation value of the candidate cluster, and then outputs the subject affiliation confidence result.

7. The method according to claim 1, characterized in that, S4 includes: Starting from the high-risk behavior subgraph, backtracking is performed along the time sequence, resource transfer sequence, and control transfer sequence to determine the set of candidate key nodes; Based on the candidate key node set, key node anchoring, multi-path rollback and main chain merging are performed on each platform to construct a single-platform reverse source chain set. Perform structural-level same-source comparison on the single-platform reverse source chain of each platform, merge the same-source segments into the same chain, and shrink them into a single source attack chain; Output the source process, the composition of the collaborative modules, the cross-platform propagation path, the results of excluding false starting points, and the comprehensive tracing conclusion.

8. The method according to claim 7, characterized in that, The structural-level homology comparison performed on the single-platform reverse source chains of each platform includes: By calling the node representation values ​​and subgraph representation values ​​generated by the graph neural network model in the unified attack subject subgraph, structural-level comparisons are performed on key nodes and key segments in different platforms. When local segments in two platforms are in the same stage position, resource transfer mode, control establishment method, and downstream dangerous action distribution, they are classified as cross-platform same-source nodes.

9. An electronic device, characterized in that, The electronic device includes a memory and at least one processor, the memory storing a computer program, and the processor executing the computer program to implement the unknown malicious source tracing analysis method for cross-platform behavior graph fusion as described in any one of claims 1-8.

10. A computer storage medium, characterized in that, It stores a computer program, which, when executed, implements the unknown malicious source tracing analysis method for cross-platform behavior graph fusion according to any one of claims 1-8.