An abnormality detection method based on business behavior portrait and attack chain feature fusion

By constructing a full-process collaborative analysis mechanism that integrates multi-source data collection and entity association, dual-mode baseline profiling, and dynamic feature fusion calculation, and combining business behavior profiling with attack chain characteristics, the problem of not being able to identify advanced and covert attacks disguised as legitimate businesses in existing technologies has been solved, achieving highly accurate anomaly detection and adaptive capabilities.

CN122394843APending Publication Date: 2026-07-14ELECTRIC POWER RES INST OF GUANGXI POWER GRID CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ELECTRIC POWER RES INST OF GUANGXI POWER GRID CO LTD
Filing Date
2026-03-31
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing anomaly detection technologies cannot keep up with the rapid evolution of attack methods and the differences between different business systems, making it difficult to accurately identify advanced and covert attack behaviors disguised as legitimate business operations.

Method used

By constructing a collaborative analysis mechanism that integrates multi-source data collection and entity association, dual-mode baseline profiling, dynamic feature fusion calculation, and comprehensive anomaly risk scoring, and combining business behavior profiling with attack chain characteristics, we can achieve accurate identification and risk quantification of advanced and covert attack behaviors.

Benefits of technology

It significantly improves detection accuracy, can identify covert attacks that comply with business permissions but whose behavior sequences conform to the attack chain pattern, provides interpretable alarm results, has good adaptive capabilities, and reduces long-term maintenance and rule update costs.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394843A_ABST
    Figure CN122394843A_ABST
Patent Text Reader

Abstract

The application discloses an abnormality detection method based on service behavior portrait and attack chain feature fusion, relates to the technical field of network attack detection, and comprises the following steps: acquiring multi-source heterogeneous data and associating atomic operation events of service entities, constructing a composite behavior track with time sequence and causal relationship, performing dynamic and static dual portrait processing on key service entities, constructing a behavior dual-mode baseline of each key service entity, respectively calculating behavior feature deviation and key index distribution deviation to obtain overall behavior deviation degree, comparing the composite behavior track with predefined attack chain features, evaluating the probability that the service behavior corresponding to the composite behavior track belongs to malicious behavior to obtain attack chain compliance degree, weighting and fusing the overall behavior deviation degree and the attack chain compliance degree, identifying abnormal behavior modes of the service entities with service abnormalities and attack intentions, and performing comprehensive abnormality risk score processing. The method has the effect of accurately identifying hidden attack behaviors.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the technical field of network attack detection, and in particular to an anomaly detection method based on the fusion of business behavior profiles and attack chain features. Background Technology

[0002] Currently, with the deep integration of critical information infrastructure and information networks in sectors such as power, finance, and energy, the cyberattacks facing their core business systems are becoming increasingly complex and covert. Advanced persistent threats (APTs) and supply chain attacks are becoming increasingly sophisticated, with attackers often using legitimate business activities as cover to achieve long-term infiltration and lateral movement.

[0003] Existing anomaly detection technologies typically rely on user behavior baselines to determine whether operation frequency, time, and permissions deviate from the normal model, or on known attack characteristics. These technologies often have the following limitations: First, they separate the business perspective from the attack perspective: Traditional business anomaly detection is largely based on user behavior baselines, focusing on whether operation frequency, time, and permissions deviate from the normal model, but it struggles to identify attack intent disguised as legitimate business. Meanwhile, attack characteristic-based detection methods (such as IDS) usually rely on known attack signatures or network traffic anomalies, are insensitive to business processes and contexts, are prone to generating numerous false positives, and struggle to detect "slow" or "low-frequency" attacks exploiting legitimate business channels. Second, they suffer from limited feature diversity and poor scenario adaptability: Existing methods use single-dimensional features, focusing either solely on business logs or network traffic, lacking the ability to perform multi-dimensional, fine-grained correlation analysis of business entities (users, devices, data), operational logic, and the behavioral characteristics of each stage of the attack chain (reconnaissance, intrusion, lateral movement, sabotage). This disconnect makes the detection model unable to adapt to the rapid evolution of attack methods and the differences between different business systems, making it difficult to accurately identify attack behaviors "disguised as business operations". Summary of the Invention

[0004] To address the problem that existing technologies are unable to adapt to the rapid evolution of attack methods and the differences between various business systems, making it difficult to accurately identify attacks disguised as business operations, this application provides an anomaly detection method based on the fusion of business behavior profiles and attack chain features. This method can achieve accurate, interpretable identification and risk quantification of advanced and covert attacks disguised as legitimate business operations by constructing a full-process collaborative analysis mechanism of "multi-source data collection and entity association - dual-mode baseline profile construction - dynamic feature fusion calculation - comprehensive anomaly risk scoring - model closed-loop adaptive optimization".

[0005] Firstly, the above-mentioned inventive objective of this application is achieved through the following technical solution: An anomaly detection method based on the fusion of business behavior profiles and attack chain features, the method comprising: Acquire multi-source heterogeneous data and associate it with atomic operation events of business entities to construct a composite behavioral trajectory with temporal and causal relationships; The key business entities are subjected to dual profiling, including static business entity profiling and dynamic business behavior profiling, to construct a dual-model baseline for the behavior of each key business entity. Calculate the behavioral feature deviation and key indicator distribution deviation between the composite behavioral trajectory and the behavioral dual-mode baseline, and obtain the overall behavioral deviation degree based on the calculation results; The composite behavior trajectory is compared with the predefined attack chain features. Based on the comparison results, the probability that the business behavior corresponding to the composite behavior trajectory is malicious is evaluated, and the attack chain conformity is obtained. The overall behavioral deviation and the attack chain conformity are weighted and fused. Based on the weighted fusion result, abnormal behavior patterns of business entities with business anomalies and attack intentions are identified and a comprehensive abnormal risk score is performed.

[0006] In a preferred embodiment, this application can be further configured such that the method also includes: The results of abnormal behavior pattern recognition and the corresponding abnormal risk scores are manually verified, and incremental learning and parameter tuning are performed on the baseline profile and feature fusion based on the feedback information from the manual verification.

[0007] In a preferred embodiment, this application can be further configured as follows: the acquisition of multi-source heterogeneous data and its association with atomic operation events of business entities to construct a composite behavioral trajectory with temporal and causal relationships specifically includes: The raw log data related to atomic operation events of business entities is extracted from the multi-source heterogeneous data. According to the behavioral sequence of the atomic operation events, the raw log data is correlated with temporal and behavioral causal relationships to construct a composite behavioral trajectory with temporal and causal relationships. The expression of the composite behavioral trajectory is as follows: (1) in, Represents a set of composite behavioral trajectories. - They represent the first The related behaviors and actions of an atomic operation event.

[0008] In a preferred embodiment, this application can be further configured as follows: the dual profiling process of performing static profiling and dynamic profiling of key business entities to construct a dual-model baseline of behavior for each key business entity specifically includes: Acquire historical normal behavior data and extract the inherent attributes of entities from the historical normal behavior data to create static profiles of key business entities; The historical behavior data is input into a pre-trained time series model to perform business behavior trajectory analysis of key business entities and distribution statistics of key behavior indicators, thereby creating a dynamic profile of business behavior. Based on the static profile and the dynamic profile of business behavior, a dual-mode baseline of behavior habits and key behavioral indicators is constructed for each key business entity.

[0009] In a preferred embodiment, this application can be further configured as follows: inputting the historical behavior data into a pre-trained time series model to perform business behavior trajectory analysis of key business entities and distribution statistics of key behavior indicators, and to create a dynamic profile of business behavior, specifically including: The time-series model is used to analyze the behavioral habit characteristics and business behavior trajectories of the historical behavioral data in parallel, and a business behavior profile is created based on the business behavior trajectory and behavioral habit characteristics. The key behavioral indicators of the key business entities are defined, and the distribution probability of the key behavioral indicators in the historical behavioral data is statistically analyzed. Based on the statistical results of the indicator distribution probability, a business behavior profile is created.

[0010] In a preferred embodiment, this application can be further configured as follows: the step of calculating the behavioral feature deviation and key indicator distribution deviation between the composite behavioral trajectory and the behavioral dual-mode baseline, and obtaining the overall behavioral deviation degree based on the calculation results, specifically includes: The cosine distance between the behavior representation vector of the composite behavior trajectory and the baseline vector of the behavior dual-mode baseline is calculated to obtain the behavior deviation. Calculate the distribution deviation between the distribution of key behavioral indicators of the composite behavioral trajectory and the distribution of key baseline indicators of the dual-mode behavioral baseline to obtain the indicator distribution deviation degree; The overall behavioral deviation of the key business entity is determined by comprehensively considering the behavioral deviation and the indicator distribution deviation.

[0011] In a preferred embodiment, this application can be further configured as follows: comparing the composite behavioral trajectory with predefined attack chain features, and assessing the probability that the business behavior corresponding to the composite behavioral trajectory belongs to malicious behavior based on the comparison result, to obtain the attack chain conformity, specifically includes: Attack chain features are defined for each stage of the attack lifecycle. The composite behavioral trajectory is compared with the predefined attack chain features, and a behavioral feature vector that conforms to the attack chain features is generated based on the comparison results. The behavioral feature vector is classified as a malicious behavior feature. Based on the classification results, the probability that the business behavior corresponding to the composite behavioral trajectory belongs to malicious behavior is evaluated, and the attack chain conformity is obtained.

[0012] In a preferred embodiment, this application can be further configured as follows: defining attack chain features for each stage of the attack's entire lifecycle, comparing the composite behavioral trajectory with predefined attack chain features, and generating a behavioral feature vector that conforms to the attack chain features based on the comparison result, specifically including: Obtain traditional security event characteristics and derived characteristics mapped to the business layer for each common attack stage throughout the entire attack lifecycle, and predefine attack chain characteristics for the traditional security event characteristics and the derived characteristics; The behavioral features of the composite behavioral trajectory are compared with the predefined attack chain features. Behavioral features that reach the similarity threshold are selected as attack chain features, and a behavioral feature vector that conforms to the attack chain features is generated.

[0013] In a preferred embodiment, this application can be further configured as follows: the weighted fusion processing of the overall behavioral deviation and the attack chain conformity, the identification of abnormal behavior patterns of business entities with attack intent based on the weighted fusion result, and the comprehensive abnormal risk scoring processing specifically include: The overall behavior deviation is weighted and smoothed, the attack chain conformity is weighted and a judgment threshold is set, and the overall behavior deviation and the attack chain conformity are weighted and fused. Based on the weighted fusion results, abnormal behavior patterns of business entities that simultaneously deviate abnormally from the behavior baseline and conform to attack patterns are identified. A comprehensive abnormal risk score is then applied to these abnormal behavior patterns, and the expression for the abnormal risk score is as follows: (2) in, This represents the overall abnormal risk score. , This represents the weight values ​​assigned to the overall behavioral deviation and attack chain conformity. These represent the behavioral deviation and the index distribution deviation within the overall behavioral deviation, respectively. Indicates the degree of conformity of the attack chain. This represents the threshold for determining the conformity of the attack chain.

[0014] Secondly, the above-mentioned inventive objective of this application is achieved through the following technical solutions: An anomaly detection system based on the fusion of business behavior profiling and attack chain features, the system comprising: The multi-source heterogeneous data acquisition and business entity association module is used to extract and associate atomic operation events with users, hosts and applications as core entities from multi-source heterogeneous data, and construct composite behavior trajectories with temporal and causal relationships. The dual-mode baseline profile collaborative construction module is used to build business behavior habit profiles and attack chain feature normal range profiles for key business entities in parallel based on historical normal data, forming a behavioral dual-mode baseline; The real-time feature extraction and dual-stream alignment module is used to synchronously analyze real-time composite behavior trajectories, extract business deviation features that deviate from the business baseline, and extract attack chain conformance features that conform to the attack chain features at each stage. The feature fusion and dynamic scoring module is used to perform weighted fusion of business deviation features and attack chain conformity features to identify behavioral models that simultaneously possess business anomalies and attack intentions, and to perform a comprehensive anomaly risk score. The closed-loop feedback and model iteration module is used to perform incremental learning and parameter optimization on the baseline profile and feature fusion based on the verification feedback information.

[0015] In summary, this application includes at least one of the following beneficial technical effects: 1. Significantly Improved Detection Accuracy: By fusing business profiles and attack chain features using an AND logic, false positives caused by simple business operation fluctuations and false negatives caused by single attack features are effectively filtered out. Simulation verification shows that in APT attack scenarios, the detection accuracy ( On average, it improves performance by more than 35% compared to a single method; 2. Possesses highly covert attack detection capabilities: It can identify "low, slow, and small" attacks that strictly adhere to business permissions but whose behavior sequence and purpose conform to the attack chain pattern, filling the blind spots of traditional detection methods; 3. Strong interpretability: The alarm results can provide a dual chain of evidence, showing both "how the business deviates from the baseline" and "which stage of the attack chain it matches," greatly assisting security analysts in making judgments and tracing the source. 4. Strong adaptability: The model can adapt to the normal evolution of the business system and changes in attack methods through feedback mechanisms, reducing the long-term maintenance and rule update costs. Attached Figure Description

[0016] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the accompanying drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. In all the drawings, similar elements or parts are generally identified by similar reference numerals. In the drawings, the elements or parts are not necessarily drawn to scale.

[0017] Figure 1This is a flowchart illustrating the implementation of the anomaly detection method based on the fusion of business behavior profiles and attack chain features in this embodiment.

[0018] Figure 2 This is a flowchart illustrating the implementation of step S2 of the anomaly detection method in this embodiment.

[0019] Figure 3 This is a flowchart illustrating the implementation of dynamic profiling of business behavior using the anomaly detection method in this embodiment.

[0020] Figure 4 This is a flowchart illustrating the implementation of step S3 of the anomaly detection method in this embodiment.

[0021] Figure 5 This is a flowchart illustrating the implementation of step S4 of the anomaly detection method in this embodiment.

[0022] Figure 6 This is a flowchart illustrating the implementation of step S41 of the anomaly detection method in this embodiment.

[0023] Figure 7 This is a flowchart illustrating the implementation of step S5 of the anomaly detection method in this embodiment.

[0024] Figure 8 This is a structural block diagram of the anomaly detection system based on the fusion of business behavior profiles and attack chain features in this embodiment. Detailed Implementation

[0025] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0026] It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "including" indicate the presence of the described features, integrals, steps, operations, elements and / or components, but do not exclude the presence or addition of one or more other features, integrals, steps, operations, elements, components and / or collections thereof.

[0027] It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this specification and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms unless the context clearly indicates otherwise.

[0028] It should also be further understood that the term "and / or" as used in this specification and the appended claims refers to any combination of one or more of the associated listed items and all possible combinations, and includes such combinations.

[0029] In one embodiment, such as Figure 1 As shown, this application discloses an anomaly detection method based on the fusion of business behavior profiles and attack chain features, specifically including the following steps: S1: Acquire multi-source heterogeneous data and associate it with atomic operation events of business entities to construct a composite behavioral trajectory with temporal and causal relationships.

[0030] Specifically, raw log data related to atomic operation events of business entities is extracted from multi-source heterogeneous data. Based on the behavioral sequence of the atomic operation events, the raw log data is correlated with temporal and causal relationships to construct a composite behavioral trajectory with both temporal and causal relationships. The expression for the composite behavioral trajectory is as follows: (1) in, Represents a set of composite behavioral trajectories. - They represent the first Each atomic operation event includes related actions such as logging in, querying, modifying, or transmitting, and is accompanied by contextual information such as timestamps, source / target entities, operation objects, and results.

[0031] The multi-source heterogeneous data in this embodiment includes business system logs, database operation logs, network traffic, and terminal behavior logs. Business entities include users, accounts, hosts, applications, and data objects. Through entity parsing and session reconstruction techniques, the original logs are associated with behavioral trajectories centered on business entities.

[0032] S2: Perform dual profiling processing on key business entities, including static business entity profiling and dynamic business behavior profiling, and construct a dual-model baseline for the behavior of each key business entity.

[0033] Specifically, such as Figure 2 As shown, step S2 includes: S21: Obtain historical normal behavior data and extract the inherent attributes of entities from the historical normal behavior data to create static profiles of key business entities.

[0034] Specifically, behavioral trajectory data within historical normal cycles is obtained as historical normal behavior data. The inherent attributes of each core business entity, such as key position users and core servers, are extracted from the historical normal behavior data, such as roles, regular permissions, frequently accessed time periods, and typical operation object sets, to obtain a static profile of the key business entity.

[0035] S22: Input historical behavior data into the pre-trained time series model to perform business behavior trajectory analysis of key business entities and distribution statistics of key behavior indicators, and create dynamic profiles of business behavior.

[0036] Specifically, LSTM neural networks or Transformer encoders are used as time-series models to learn from historical behavioral data, studying the normal patterns of entity behavior sequences to create a dynamic behavioral baseline profile. Figure 3 As shown, it specifically includes: S221: Analyze the behavioral habits and business behavior trajectories of historical behavioral data in parallel using time-series models, and create business behavior profiles based on business behavior trajectories and behavioral habits.

[0037] Specifically, the behavioral habit characteristics and business behavior trajectories of historical behavioral data are analyzed in parallel using time-series models, and business behavior profiles are created based on these trajectories and behavioral habit characteristics.

[0038] S222: Define key behavioral indicators for key business entities, and calculate the distribution probability of key behavioral indicators in historical behavioral data. Based on the statistical results of indicator distribution probability, create a business behavior profile.

[0039] Specifically, key behavioral indicators for critical business entities are defined, including the total daily operation volume, the proportion of sensitive operations, and the frequency of cross-system access for each key business entity. The distribution probability of key behavioral indicators in historical behavioral data is statistically analyzed to form a statistical baseline, and business behavior profiles are created based on the statistical baseline.

[0040] S23: Based on static profiles and dynamic profiles of business behavior, construct a dual-mode baseline for the behavioral habits and key behavioral indicators of each key business entity.

[0041] Specifically, based on static profiles and dynamic business behavior profiles, a dual-model baseline is constructed for the behavioral habits and key behavioral indicator distributions of each key business entity, forming a complete business profile. The quantitative expression of the business profile is shown below: (3) in, This represents a complete business profile. This represents an implicit representation vector used to characterize behavioral habits. The statistical baseline representing the distribution of key behavioral indicators. This represents the inherent attributes of the entity corresponding to the static image.

[0042] S3: Calculate the behavioral feature deviation and key indicator distribution deviation between the composite behavioral trajectory and the behavioral dual-mode baseline, and obtain the overall behavioral deviation based on the calculation results.

[0043] Specifically, such as Figure 4 As shown, step S3 includes: S31: Calculate the cosine distance between the behavior representation vector of the composite behavior trajectory and the baseline vector of the behavior dual-mode baseline to obtain the behavior deviation.

[0044] Specifically, the behavioral habits of composite behavioral trajectories are analyzed through a pre-trained time series model and converted into behavioral representation vectors. The cosine distance between these vectors and the baseline vectors of the behavioral dual-mode baseline is calculated to obtain the behavioral deviation.

[0045] S32: Calculate the distribution deviation between the distribution of key behavioral indicators of the composite behavioral trajectory and the distribution of key baseline indicators of the behavioral dual-mode baseline to obtain the indicator distribution deviation.

[0046] Specifically, the distribution of key behavioral indicators in the composite behavioral trajectory is statistically analyzed using a pre-trained time series model, and the degree of deviation between the distribution of key behavioral indicators and the baseline key indicator distribution is calculated. In this embodiment, Mahalanobis distance is used to represent the deviation of the indicator distribution.

[0047] S33: Based on the behavioral deviation degree and the indicator distribution deviation degree, comprehensively judge the overall behavioral deviation degree of key business entities.

[0048] Specifically, the overall behavioral deviation of key business entities is comprehensively judged based on behavioral deviation and indicator distribution deviation.

[0049] S4: Compare the composite behavior trajectory with the predefined attack chain features, and evaluate the probability that the business behavior corresponding to the composite behavior trajectory is malicious based on the comparison results, so as to obtain the attack chain conformity.

[0050] Specifically, such as Figure 5 As shown, step S4 includes: S41: Define attack chain features for each stage of the attack lifecycle, compare the composite behavioral trajectory with the predefined attack chain features, and generate a behavioral feature vector that conforms to the attack chain features based on the comparison results.

[0051] Specifically, such as Figure 6 As shown, step S41 includes: S411: Obtain the traditional security event characteristics and derived characteristics mapped to the business layer for each general attack stage throughout the attack lifecycle, and predefine the attack chain characteristics for the traditional security event characteristics and derived characteristics.

[0052] Specifically, based on attack chain frameworks such as ATT&CK, the general stages of the attack lifecycle, such as reconnaissance, resource preparation, initial intrusion, privilege escalation, lateral movement, and target achievement, are defined. A set of observable attack chain characteristics is designed for each stage, including traditional security event characteristics such as brute-force logs and abnormal port scanning traffic, as well as derived characteristics mapped to the business layer, such as: Lateral movement phase: Extract features such as "number of times accessing unrelated business systems within a short period of time" and "attempts to access high-privilege accounts".

[0053] Data leakage stage: Extract features such as "downloading large amounts of sensitive data during non-working hours" and "transferring abnormally large files to external addresses".

[0054] S412: Compare the behavioral features of the composite behavioral trajectory with the predefined attack chain features, select the behavioral features that reach the similarity threshold as the attack chain features, and generate a behavioral feature vector that conforms to the attack chain features.

[0055] Specifically, the behavioral features of the composite behavioral trajectory are compared with the features of a predefined attack chain. Behavioral features that reach a preset similarity threshold at each attack stage are selected as attack chain features. For each behavioral trajectory... Calculate its performance in each attack phase. eigenvectors This indicates the degree to which the trajectory "resembles" the behavior of a certain stage of the attack chain.

[0056] S42: Classify the behavioral feature vectors for malicious behavior features, evaluate the probability that the business behavior corresponding to the composite behavioral trajectory belongs to malicious behavior based on the classification results, and obtain the attack chain conformity.

[0057] Specifically, the attack chain feature vector of the current composite behavior attack chain... The input is fed into a lightweight classifier such as a gradient boosting tree, which divides the behavioral feature vectors into malicious behavioral features and normal behavioral features. Based on the classification results, it is evaluated whether the business behavior corresponding to the composite behavioral trajectory belongs to malicious behavior. For example, the ratio between the number of behavioral feature vectors that meet the malicious behavior characteristics and the total number of behavioral feature vectors is used as the probability of evaluating whether the business behavior belongs to malicious behavior, thus obtaining the attack chain conformity.

[0058] S5: Perform weighted fusion processing on the overall behavioral deviation degree and attack chain conformity degree, identify abnormal behavior patterns of business entities with attack intent based on the weighted fusion results, and perform comprehensive abnormal risk scoring processing.

[0059] Specifically, such as Figure 7 As shown, step S5 includes: S51: Perform weighted matching and smoothing on the overall behavior deviation, perform weighted matching on the attack chain conformity and set a judgment threshold, and perform weighted fusion processing on the overall behavior deviation and the attack chain conformity.

[0060] Specifically, the overall behavior deviation is weighted and smoothed using the tanh function. At the same time, the attack chain conformity is weighted and a threshold for attack conformity is set. The overall behavior deviation and attack chain conformity are weighted and fused, and the sum of the weights of the overall behavior deviation and attack chain conformity is equal to 1.

[0061] S52: Based on the weighted fusion results, identify abnormal behavior patterns of business entities that simultaneously deviate abnormally from the behavior baseline and conform to the attack pattern. Perform a comprehensive abnormal risk score on the abnormal behavior patterns. The abnormal risk score expression is as follows: (2) in, This represents the overall abnormal risk score. , This represents the weight values ​​assigned to the overall behavioral deviation and attack chain conformity. These represent the behavioral deviation and the index distribution deviation within the overall behavioral deviation, respectively. Indicates the degree of conformity of the attack chain. This represents the threshold for determining the conformity of the attack chain.

[0062] In this embodiment, after weighted fusion, normalization is performed using the sigmoid function to ensure that the range of abnormal risk scores is within (0, 1).

[0063] By comprehensively scoring anomaly risks, a high score is only generated when the behavior deviates from the business baseline and highly conforms to the attack chain pattern.

[0064] This embodiment also includes: manually verifying the abnormal behavior pattern recognition results and the corresponding abnormal risk scores, and performing incremental learning and parameter tuning on the baseline profile and feature fusion based on the manual verification feedback information.

[0065] The results of abnormal behavior pattern recognition and the corresponding abnormal risk scores are manually verified, including the results of missed and false alarms. The parameters of missed and false alarms are labeled and fed into the pre-trained time series model for closed-loop training. The business baseline profile is dynamically updated by online learning to adapt to the legitimate changes in business patterns. The weight values ​​allocated to the overall behavior deviation degree and attack chain conformity degree are automatically optimized to maintain the best detection performance under different business scenarios and attack types.

[0066] In one verification embodiment, it is assumed that in a power dispatching system, the lateral movement behavior of an attacker who has obtained a legitimate account is detected.

[0067] S100 / S200: The baseline profile of user "Zhang San" (dispatcher) is: log in during working hours (8:00-18:00), mainly operate "screen browsing" and "report generation", and rarely access the "relay protection setting modification" module.

[0068] S300: One day, an attacker, using the account "Zhang San," accessed multiple unrelated high-privilege modules sequentially within a short period (e.g., within 5 minutes), including the "User Management Backend," "Database Audit System," and "Core Control Command Issuance." This behavior will generate high signature values ​​in the "Privilege Escalation" and "Lateral Movement" stages of the attack chain feature extraction. .

[0069] S400: behavioral deviation and The value may increase due to abnormal operation module sequence.

[0070] Attack conformity It will rise as it conforms to the lateral movement pattern.

[0071] After fusion computing, It may reach a score of 0.9 (high score), triggering an alarm.

[0072] In contrast, traditional detection methods based on business baselines may miss detections due to legitimate user permissions; traditional detection methods based on attack signatures may fail due to the lack of malicious traffic signatures. This invention, by combining both methods, accurately identifies this attack disguised as a legitimate business operation.

[0073] It should be understood that the sequence number of each step in the above embodiments does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.

[0074] In one embodiment, an anomaly detection system based on the fusion of business behavior profiles and attack chain features is provided. This anomaly detection system corresponds one-to-one with the anomaly detection method based on the fusion of business behavior profiles and attack chain features described in the above embodiments. Figure 8 As shown, this anomaly detection system based on the fusion of business behavior profiles and attack chain features includes a multi-source heterogeneous data acquisition and business entity association module, a dual-mode baseline profile collaborative construction module, a real-time feature extraction and dual-stream alignment module, a feature fusion and dynamic scoring module, and a closed-loop feedback and model iteration module. Detailed descriptions of each functional module are as follows: The multi-source heterogeneous data acquisition and business entity association module is used to extract and associate atomic operation events with users, hosts, and applications as core entities from multi-source heterogeneous data, and construct composite behavior trajectories with temporal and causal relationships.

[0075] The dual-mode baseline profiling collaborative construction module is used to construct business behavior habit profiles and attack chain feature normal range profiles for key business entities in parallel based on historical normal data, forming a behavioral dual-mode baseline.

[0076] The real-time feature extraction and dual-stream alignment module is used to synchronously analyze real-time composite behavior trajectories, extract business deviation features that deviate from the business baseline, and extract attack chain conformance features that conform to the attack chain features of each stage.

[0077] The feature fusion and dynamic scoring module is used to perform weighted fusion of business deviation features and attack chain conformity features to identify behavioral models that simultaneously possess business anomalies and attack intentions, and to perform a comprehensive anomaly risk score.

[0078] The closed-loop feedback and model iteration module is used to perform incremental learning and parameter optimization on the baseline profile and feature fusion based on the verification feedback information.

[0079] Specific limitations regarding the anomaly detection system based on the fusion of business behavior profiling and attack chain features can be found in the limitations of the anomaly detection method based on the fusion of business behavior profiling and attack chain features mentioned above, and will not be repeated here. Each module in the aforementioned anomaly detection system based on the fusion of business behavior profiling and attack chain features can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the memory of a computer device as software, so that the processor can call and execute the corresponding operations of each module.

[0080] Those skilled in the art will recognize that the units of the various examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application of the technical solution and the constraints involved. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the invention.

[0081] In the embodiments provided by the present invention, it should be understood that the division of units is only a logical functional division. In actual implementation, there may be other division methods, such as multiple units can be combined into one unit, one unit can be split into multiple units, or some features can be ignored.

[0082] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0083] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.

[0084] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention, and they should all be covered within the scope of the claims and specification of the present invention.

Claims

1. An anomaly detection method based on the fusion of business behavior profiles and attack chain features, characterized in that, The method includes: Acquire multi-source heterogeneous data and associate it with atomic operation events of business entities to construct a composite behavioral trajectory with temporal and causal relationships; The key business entities are subjected to dual profiling, including static business entity profiling and dynamic business behavior profiling, to construct a dual-model baseline for the behavior of each key business entity. Calculate the behavioral feature deviation and key indicator distribution deviation between the composite behavioral trajectory and the behavioral dual-mode baseline, and obtain the overall behavioral deviation degree based on the calculation results; The composite behavior trajectory is compared with the predefined attack chain features. Based on the comparison results, the probability that the business behavior corresponding to the composite behavior trajectory is malicious is evaluated, and the attack chain conformity is obtained. The overall behavioral deviation and the attack chain conformity are weighted and fused. Based on the weighted fusion result, abnormal behavior patterns of business entities with business anomalies and attack intentions are identified and a comprehensive abnormal risk score is performed.

2. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 1, characterized in that, The method further includes: The results of abnormal behavior pattern recognition and the corresponding abnormal risk scores are manually verified, and incremental learning and parameter tuning are performed on the baseline profile and feature fusion based on the feedback information from the manual verification.

3. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 1, characterized in that, The process of acquiring multi-source heterogeneous data and associating it with atomic operation events of business entities to construct a composite behavioral trajectory with temporal and causal relationships specifically includes: The raw log data related to atomic operation events of business entities is extracted from the multi-source heterogeneous data. According to the behavioral sequence of the atomic operation events, the raw log data is correlated with temporal and behavioral causal relationships to construct a composite behavioral trajectory with temporal and causal relationships. The expression of the composite behavioral trajectory is as follows: (1) in, Represents a set of composite behavioral trajectories. - They represent the first The related behaviors and actions of an atomic operation event.

4. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 1, characterized in that, The process of performing dual profiling of key business entities—both static and dynamic—to construct a dual-model baseline for the behavior of each key business entity, specifically includes: Acquire historical normal behavior data and extract the inherent attributes of entities from the historical normal behavior data to create static profiles of key business entities; The historical behavior data is input into a pre-trained time series model to perform business behavior trajectory analysis of key business entities and distribution statistics of key behavior indicators, thereby creating a dynamic profile of business behavior. Based on the static profile and the dynamic profile of business behavior, a dual-mode baseline of behavior habits and key behavioral indicators is constructed for each key business entity.

5. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 4, characterized in that, The step of inputting the historical behavior data into a pre-trained time series model to perform business behavior trajectory analysis of key business entities and distribution statistics of key behavior indicators, and to create a dynamic profile of business behavior, specifically includes: The time-series model is used to analyze the behavioral habit characteristics and business behavior trajectories of the historical behavioral data in parallel, and a business behavior profile is created based on the business behavior trajectory and behavioral habit characteristics. The key behavioral indicators of the key business entities are defined, and the distribution probability of the key behavioral indicators in the historical behavioral data is statistically analyzed. Based on the statistical results of the indicator distribution probability, a business behavior profile is created.

6. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 1, characterized in that, The calculation of behavioral feature deviation and key indicator distribution deviation between the composite behavioral trajectory and the behavioral dual-mode baseline, and the obtaining of the overall behavioral deviation degree based on the calculation results, specifically includes: The cosine distance between the behavior representation vector of the composite behavior trajectory and the baseline vector of the behavior dual-mode baseline is calculated to obtain the behavior deviation. Calculate the distribution deviation between the distribution of key behavioral indicators of the composite behavioral trajectory and the distribution of key baseline indicators of the dual-mode behavioral baseline to obtain the indicator distribution deviation degree; The overall behavioral deviation of the key business entity is determined by comprehensively considering the behavioral deviation and the indicator distribution deviation.

7. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 1, characterized in that, The step of comparing the composite behavioral trajectory with predefined attack chain features, and assessing the probability that the business behavior corresponding to the composite behavioral trajectory is malicious based on the comparison results, to obtain the attack chain conformity, specifically includes: Attack chain features are defined for each stage of the attack lifecycle. The composite behavioral trajectory is compared with the predefined attack chain features, and a behavioral feature vector that conforms to the attack chain features is generated based on the comparison results. The behavioral feature vector is classified as a malicious behavior feature. Based on the classification results, the probability that the business behavior corresponding to the composite behavioral trajectory belongs to malicious behavior is evaluated, and the attack chain conformity is obtained.

8. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 7, characterized in that, The process of defining attack chain features for each stage of the attack's entire lifecycle, comparing the composite behavioral trajectory with predefined attack chain features, and generating a behavioral feature vector that conforms to the attack chain features based on the comparison results, specifically includes: Obtain traditional security event characteristics and derived characteristics mapped to the business layer for each common attack stage throughout the entire attack lifecycle, and predefine attack chain characteristics for the traditional security event characteristics and the derived characteristics; The behavioral features of the composite behavioral trajectory are compared with the predefined attack chain features. Behavioral features that reach the similarity threshold are selected as attack chain features, and a behavioral feature vector that conforms to the attack chain features is generated.

9. The anomaly detection method based on the fusion of business behavior profiles and attack chain features according to claim 1, characterized in that, The weighted fusion processing of the overall behavioral deviation and the attack chain conformity, and the identification of abnormal behavior patterns of business entities with attack intent based on the weighted fusion result, and the comprehensive abnormal risk scoring processing, specifically includes: The overall behavior deviation is weighted and smoothed, the attack chain conformity is weighted and a judgment threshold is set, and the overall behavior deviation and the attack chain conformity are weighted and fused. Based on the weighted fusion results, abnormal behavior patterns of business entities that simultaneously deviate abnormally from the behavior baseline and conform to attack patterns are identified. A comprehensive abnormal risk score is then applied to these abnormal behavior patterns, and the expression for the abnormal risk score is as follows: (2) in, This represents the overall abnormal risk score. , This represents the weight values ​​assigned to the overall behavioral deviation and attack chain conformity. These represent the behavioral deviation and the index distribution deviation within the overall behavioral deviation, respectively. Indicates the degree of conformity of the attack chain. This represents the threshold for determining the conformity of the attack chain.

10. An anomaly detection system based on the fusion of business behavior profiles and attack chain features, characterized in that, The system includes: The multi-source heterogeneous data acquisition and business entity association module is used to extract and associate atomic operation events with users, hosts and applications as core entities from multi-source heterogeneous data, and construct composite behavior trajectories with temporal and causal relationships. The dual-mode baseline profile collaborative construction module is used to build business behavior habit profiles and attack chain feature normal range profiles for key business entities in parallel based on historical normal data, forming a behavioral dual-mode baseline; The real-time feature extraction and dual-stream alignment module is used to synchronously analyze real-time composite behavior trajectories, extract business deviation features that deviate from the business baseline, and extract attack chain conformance features that conform to the attack chain features at each stage. The feature fusion and dynamic scoring module is used to perform weighted fusion of business deviation features and attack chain conformity features to identify behavioral models that simultaneously possess business anomalies and attack intentions, and to perform a comprehensive anomaly risk score. The closed-loop feedback and model iteration module is used to perform incremental learning and parameter optimization on the baseline profile and feature fusion based on the verification feedback information.