Multi-step attack detection method, apparatus, device, storage medium and program product

By constructing a temporal knowledge graph and utilizing attention mechanisms and gated loop units to update the state of security relationships, the problem of low prediction accuracy in multi-step attack detection in existing technologies is solved, achieving efficient and accurate detection of multi-step attacks.

CN122394871APending Publication Date: 2026-07-14PENG CHENG LAB

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
PENG CHENG LAB
Filing Date
2026-04-17
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing multi-step attack detection schemes generally adopt static or weak temporal relationship modeling paradigms, which are difficult to effectively characterize the state evolution of security relationships during continuous attacks, resulting in low prediction accuracy for multi-step attacks.

Method used

By constructing a time-series knowledge graph based on multi-source security log data, generating initial fusion features, and using an attention mechanism for adaptive recalibration, combined with gated recurrent units for recursive updates, a model of the dynamic evolution of the semantics of security relationships over time is established to predict multi-step attacks.

Benefits of technology

It significantly improves the detection accuracy of covert, complex, and time-dependent multi-step attacks, and can more accurately reflect the true development logic and possible future steps of the attack chain.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394871A_ABST
    Figure CN122394871A_ABST
Patent Text Reader

Abstract

The application discloses a multi-step attack detection method and device, equipment, storage medium and program product, and relates to the technical field of network security. The method comprises the following steps: constructing a time sequence knowledge graph according to a time window based on multi-source security log data to represent the security relationship between network entities; generating an initial fusion feature for each type of security relationship; performing self-adaptive recalibration on the feature dimension of the initial fusion feature based on an attention mechanism, strengthening key discriminative information, obtaining an enhanced relationship representation, recursively updating the historical relationship state of the previous time window, and obtaining the evolution relationship embedding of the current time window to represent the process of dynamic evolution of the semantic of the security relationship over time; and performing time sequence reasoning based on the evolution relationship embedding to obtain the prediction result of the multi-step attack. The scheme can more accurately reflect the real logic and potential steps of the attack chain, and overall improves the detection accuracy of hidden, complex and time sequence dependent multi-step attacks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a multi-step attack detection method, apparatus, device, storage medium, and program product. Background Technology

[0002] As cyberattacks evolve towards more sophisticated, persistent, and multi-step attacks (such as Advanced Persistent Threats (APTs), accurately identifying multi-step attack chains with strong temporal dependencies and logical connections from massive and complex security data has become a core challenge in the current cybersecurity field. Existing solutions have the following limitations in addressing this challenge: First, rule-based intrusion detection systems (IDS) rely on matching known attack signatures to identify threats. This approach is essentially static pattern matching and often lacks effective detection capabilities against continuously evolving unknown attacks, variant attacks, or new attack methods. Second, machine learning-based anomaly detection methods can learn normal behavior baselines from historical logs to identify anomalous deviations. However, these methods often treat individual security events as isolated samples, ignoring the inherent temporal dependencies and causal logic between steps in a multi-step attack. This leads to a high false positive rate in dynamic network environments, and the reasoning process lacks interpretability.

[0003] Furthermore, to model the relationships between network entities, temporal knowledge graph methods based on graph neural networks (GNNs) have emerged. These methods attempt to transform the attack problem into a reasoning task on a knowledge graph. However, the representation of "relationships" in the graph is mostly fixed or coarse-grained, lacking the ability to explicitly model the dynamic evolution of relational semantics over time. For example, it cannot depict the semantic leap process of an "access" behavior that may be normal in the early stages of an attack but gradually evolves into "lateral movement" as context accumulates (such as after credential theft). At the same time, when fusing static prior knowledge with dynamic contextual information, the generated relation representation is susceptible to log noise and semantic redundancy, lacks discriminative power, and is difficult to accurately locate hidden malicious association paths from massive amounts of normal interactions.

[0004] Therefore, existing multi-step attack detection schemes generally adopt static or weak temporal relationship modeling paradigms, which are difficult to effectively characterize the state evolution of security relationships during continuous attacks. This results in problems such as weak temporal modeling capabilities, poor robustness in noisy environments, and low accuracy in predicting potential attack chains when facing highly covert, strongly temporal, and multi-stage network attacks.

[0005] The above content is only used to help understand the technical solution of this application and does not represent an admission that the above content is prior art. Summary of the Invention

[0006] The main objective of this application is to provide a multi-step attack detection method, apparatus, device, storage medium, and program product, aiming to solve the technical problem that existing multi-step attack detection schemes generally adopt static or weak temporal relationship modeling paradigms, which are difficult to effectively characterize the state evolution of security relationships during continuous attacks, resulting in low prediction accuracy of multi-step attacks.

[0007] To achieve the above objectives, this application proposes a multi-step attack detection method, comprising: Based on multi-source security log data, a time-series knowledge graph is constructed according to time windows; the edges in the time-series knowledge graph are used to represent the security relationships between network entities. For each type of security relationship in the temporal knowledge graph, generate initial fusion features for the current time window; The feature dimensions of the initial fused features are adaptively recalibrated based on an attention mechanism to obtain an enhanced relational representation; the attention mechanism is used to strengthen the key discriminative information in the initial fused features. The historical relation state of the previous time window is obtained, and the historical relation state is recursively updated based on the enhanced relation representation to obtain the evolutionary relation embedding of the current time window; the evolutionary relation embedding represents the process of the semantics of the security relation dynamically evolving over time; Based on the embedded evolutionary relationship, temporal reasoning is performed to obtain the prediction results of multi-step attacks.

[0008] In one embodiment, the step of adaptively recalibrating the feature dimensions of the initial fused features based on an attention mechanism to obtain the enhanced relation representation includes: The initial fusion features are reshaped into pseudo-image tensors that adapt to the input format of the attention mechanism; By using the channel attention mechanism of the aforementioned attention mechanism, the weights of different feature dimensions of the pseudo-image tensor are learned, and the pseudo-image tensor is weighted in the channel dimension to obtain the first target tensor. The spatial attention mechanism of the attention mechanism is used to learn the relative importance weights of the static prior information and dynamic context information of the pseudo-image tensor, and the first target tensor is weighted in the spatial dimension to obtain the second target tensor. The second target tensor is restored to the form of a feature vector to obtain the relational representation after the initial fusion feature enhancement.

[0009] In one embodiment, the step of recursively updating the historical relation state based on the enhanced relation representation to obtain the evolutionary relation embedding for the current time window includes: The enhanced relation representation is used as the input feature of the current time window, and the historical relation state is used as historical memory. The retention and forgetting of the historical memory are controlled by the update gate and reset gate of the gated loop unit. The long and short-term dependencies of the secure relation semantics are modeled to obtain the evolutionary relation embedding within the current time window.

[0010] In one embodiment, the step of generating initial fusion features for each type of security relationship in the temporal knowledge graph within the current time window includes: For each type of security relationship in the time-series knowledge graph, a static semantic vector for each type of security relationship is extracted from a predefined external network security knowledge base; Based on events associated with any type of security relationship within the current time window, a dynamic representation vector reflecting the real-time context of the security relationship is generated through an entity aggregation strategy. The static semantic vector is concatenated with the dynamic representation vector to generate the initial fusion feature for the current time window.

[0011] In one embodiment, the step of constructing a time-series knowledge graph based on multi-source security log data according to time windows includes: Standardize the multi-source security log data to obtain standard log data; The standard log data is subjected to entity identification and event normalization processing to obtain event data; The event data is parsed according to time windows, and the network entities in the event data are used as nodes, with the security relationships between the network entities as edges, to construct a time-series knowledge graph; the security relationships are accompanied by event type and timestamp.

[0012] In one embodiment, the step of performing temporal reasoning based on the evolutionary relationship embedding to obtain the prediction result of a multi-step attack includes: Based on the entities within the current time window and the embedded evolutionary relationships, predict the event tuples for the next time window; Based on the event tuple, potential multi-step attack events are identified, and prediction results of multi-step attacks are obtained.

[0013] Furthermore, to achieve the above objectives, this application also proposes a multi-step attack detection device, which includes: The temporal graph construction module is used to construct a temporal knowledge graph based on multi-source security log data and according to time windows; the edges in the temporal knowledge graph are used to represent the security relationships between network entities. The relationship fusion module is used to generate initial fusion features for each type of security relationship in the temporal knowledge graph under the current time window; The relation enhancement module is used to adaptively recalibrate the feature dimensions of the initial fused features based on an attention mechanism to obtain an enhanced relation representation; the attention mechanism is used to strengthen the key discriminative information in the initial fused features. The relation evolution module is used to obtain the historical relation state of the previous time window, and recursively update the historical relation state based on the enhanced relation representation to obtain the evolutionary relation embedding of the current time window; the evolutionary relation embedding represents the process of the semantics of the security relation dynamically evolving over time; The reasoning detection module is used to perform temporal reasoning based on the embedded evolutionary relationship to obtain prediction results of multi-step attacks.

[0014] In addition, to achieve the above objectives, this application also proposes a multi-step attack detection device, the device comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the multi-step attack detection method as described above.

[0015] In addition, to achieve the above objectives, this application also proposes a storage medium, which is a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, it implements the steps of the multi-step attack detection method described above.

[0016] In addition, to achieve the above objectives, this application also provides a computer program product, which includes a computer program that, when executed by a processor, implements the steps of the multi-step attack detection method described above.

[0017] One or more technical solutions proposed in this application have at least the following technical effects: By constructing a temporal knowledge graph from multi-source security log data according to time windows, a structured and temporal attack chain representation foundation is provided for subsequent analysis, enabling the capture of the temporal characteristics of multi-step attacks. Then, initial fusion features are generated for each type of security relationship, providing an initial, multi-dimensional representation to characterize its semantics. Furthermore, an attention-based mechanism is introduced to adaptively recalibrate the feature dimensions of the initial fusion features, automatically enhancing information dimensions more discriminative for attack detection and suppressing interference from noise and irrelevant features. This significantly improves the quality and robustness of the relationship representation, laying a solid foundation for subsequent accurate evolutionary modeling. Building upon this, by acquiring the historical relationship states from the previous time window, the enhanced relationship representation is used to recursively update the historical relationship states, obtaining the evolutionary relationship embedding for the current time window. This explicitly establishes a temporal memory and update mechanism for relationship states, allowing the dynamic evolution of security relationship semantics over time to be explicitly and continuously modeled and tracked, thus fundamentally changing the static mode of fixed or coarsely updated relationship representations. Finally, temporal reasoning is performed based on evolutionary relationship embeddings that can reflect dynamic semantic evolution to obtain the final prediction result of multi-step attacks. This prediction result can more accurately reflect the real development logic of the attack chain and possible future steps, thereby improving the overall detection accuracy of covert, complex, and temporally dependent multi-step attacks. Attached Figure Description

[0018] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0019] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0020] Figure 1 This is one of the flowcharts illustrating the multi-step attack detection method provided in the embodiments of this application; Figure 2 This is a schematic diagram of the relationship enhancement process provided in an embodiment of the multi-step attack detection method of this application; Figure 3 The second flowchart illustrates the multi-step attack detection method provided in this application embodiment. Figure 4 This is a schematic diagram of the module structure of the multi-step attack detection device according to an embodiment of this application; Figure 5 This is a schematic diagram of the device structure of the hardware operating environment involved in the multi-step attack detection method in the embodiments of this application.

[0021] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation

[0022] It should be understood that the specific embodiments described herein are merely illustrative of the technical solutions of this application and are not intended to limit this application.

[0023] To better understand the technical solution of this application, a detailed description will be provided below in conjunction with the accompanying drawings and specific implementation methods.

[0024] Existing multi-step attack detection schemes generally treat attack events as isolated triples or perform reasoning and prediction on static graphs, which cannot reflect the essential characteristics of the dynamic evolution of relational semantics with events in the real process, and make it difficult to identify highly concealed, long-term, and strongly temporal attack paths.

[0025] Based on this, this application provides a solution for network security scenarios, particularly for the detection of multi-step attacks. It takes relational state evolution as the core and uses standardized data flow to form an end-to-end inference pipeline that integrates temporal modeling, dynamic and static relation fusion, gated cyclic unit relation enhancement, and temporal relation reasoning and detection. This solution addresses the problems of existing network security detection technologies, such as ignoring dynamic relational evolution, weak temporal dependencies, poor noise robustness, and uninterpretable reasoning, when modeling attack chains.

[0026] It should be noted that the executing entity in this embodiment can be a computing service device with data processing, network communication, and program execution functions, such as a tablet computer, personal computer, or mobile phone, or an electronic device or multi-step attack detection device capable of performing the above functions. The following description uses a multi-step attack detection device as an example to illustrate this embodiment and the subsequent embodiments.

[0027] This application provides a multi-step attack detection method that explicitly models the dynamic evolution of security relationships and introduces a two-dimensional attention mechanism to improve the quality of relationship representation, thereby supporting accurate analysis and judgment of multi-step attacks. This solves the problems existing in the current detection of complex multi-step attacks (such as advanced persistent threats APTs), such as static relationship modeling, insufficient capture of temporal dependencies, poor robustness in noisy environments, and low accuracy of inference results.

[0028] Specifically, refer to Figure 1 , Figure 1 This is a flowchart illustrating the first embodiment of the multi-step attack detection method of this application.

[0029] In this embodiment, the multi-step attack detection method includes steps S10 to S50: Step S10: Based on multi-source security log data, construct a time-series knowledge graph according to time windows; the edges in the time-series knowledge graph are used to represent the security relationships between network entities; Step S20: For each type of security relationship in the temporal knowledge graph, generate initial fusion features under the current time window; Step S30: Adaptively recalibrate the feature dimensions of the initial fused features based on an attention mechanism to obtain an enhanced relation representation; the attention mechanism is used to strengthen the key discriminative information in the initial fused features. Step S40: Obtain the historical relation state of the previous time window, and recursively update the historical relation state based on the enhanced relation representation to obtain the evolutionary relation embedding of the current time window; the evolutionary relation embedding represents the process of the semantics of the security relation dynamically evolving over time. Step S50: Perform temporal reasoning based on the evolutionary relationship embedding to obtain the prediction result of multi-step attack.

[0030] Step S10: Based on multi-source security log data, construct a time-series knowledge graph according to time windows. The core objective of constructing a time-series knowledge graph is to transform raw, heterogeneous security event data into a structured knowledge graph sequence with time-series labels, laying the foundation for subsequent relational evolution analysis.

[0031] The multi-source security log data includes, but is not limited to, raw logs from heterogeneous security data sources such as firewalls, EDR (Endpoint Detection and Response), Syslog, and NetFlow, which are network and network security-related business systems. In some embodiments, the multi-source security log data may also include process behavior logs generated by the Cloud Workload Protection Platform (CWPP), authentication logs from the Identity and Access Management (IAM) system, and security audit logs from the application itself.

[0032] After these multi-source security log data undergo parsing, entity identification (such as IP address, user, host, file hash, and process ID) and event type normalization, they are allocated to consecutive time windows, and a time-series knowledge graph is constructed according to the time windows.

[0033] As a feasible implementation method, an adaptive time window based on event density is used to construct a temporal knowledge graph. By monitoring the arrival rate of security events in real time, if the number of events per unit time exceeds a preset threshold, the window length is automatically shortened to capture a more detailed temporal view; otherwise, the window is extended to integrate richer contextual information.

[0034] Within each time window, the identified entities (nodes) and the security events occurring between them, such as "user A executes process C on host B," are constructed into a knowledge graph: Gt=(Vt,Et), where the type of the edge (Et) represents the security relationship observed within the current time window. The resulting temporal knowledge graph G={G1,G2,...,Gt} can completely record the temporal evolution of network entities and their interactions.

[0035] Step S20: For each type of security relationship in the time-series knowledge graph, generate initial fusion features under the current time window, aiming to generate feature representations that fuse prior knowledge and real-time context for various security relationships such as "file writing" and "network connection".

[0036] As a feasible implementation method, when generating the initial fused features, firstly, static semantic priors can be extracted from general threat intelligence databases such as the CAPEC attack pattern library or industry-specific security frameworks. The relation description text is then encoded using a pre-trained language model such as BERT to obtain static embedding vectors. Secondly, the dynamic context representation can abandon simple entity feature average pooling and instead use Graph Attention Networks (GAT) to aggregate information from all entities and their neighbors involved in the relation in the knowledge graph (Gt) within the current time window, generating dynamic vectors that reflect the current local graph structure context. Finally, the static and dynamic representations of entity relations are fused to obtain the corresponding initial fused features.

[0037] Step S30: Adaptively recalibrate the feature dimensions of the initial fused features based on an attention mechanism to obtain an enhanced relational representation. The attention mechanism automatically identifies and strengthens dimensions in the initial fused features that are crucial for the attack detection stage, while suppressing redundant or noisy dimensions, thereby improving the feature representation capability.

[0038] In one feasible implementation, a self-attention mechanism is employed. This mechanism assembles the initial fused features of all security relationships within the current time window into a feature matrix. The correlation weights between features of different relationship types are calculated using the self-attention mechanism, and the features are recalibrated within a global context. For example, the feature enhancement for "DNS query" fully considers its co-occurrence patterns and correlation strength with other relationships such as "suspicious domain name access" and "encrypted communication" during the same period. After processing by the self-attention layer, each relationship type obtains a context-aware enhanced representation. This enhanced representation not only includes the security relationship's own information but also incorporates collaborative information from other related relationships in the current attack phase, thus enhancing its discriminative power.

[0039] Step S40: Obtain the historical relationship state of the previous time window. Based on the enhanced relationship representation, recursively update the historical relationship state to obtain the evolutionary relationship embedding of the current time window. Explicitly model the evolution process of the intrinsic state of each type of security relationship over time. The recursive update of the historical relationship state can be implemented in ways including, but not limited to, using a gated recurrent unit (GRU).

[0040] As a feasible implementation method, a Long Short-Term Memory (LSTM) network is used as the state evolution engine. For each type of security relationship, its historical relationship state and cell state are maintained. The enhanced relationship representation within the current time window is input into the LSTM network. Through the collaborative work of the input gate, forget gate and output gate, it is determined which information to forget from the historical state and which new information to add. Finally, the evolved relationship embedding and updated cell state within the current time window is output.

[0041] Among these, the forget gate mechanism is particularly suitable for security scenarios, enabling the model to automatically forget early normal behavioral features that are irrelevant to the current attack context, while remembering and accumulating semantic changes related to malicious links. Through the recursive update mechanism of LSTM, the evolutionary relation embedding can continuously and smoothly depict the malicious transformation process of relational semantics, such as from regular authentication to brute-force attacks to account theft.

[0042] Step S50: Based on the embedded evolutionary relationship, perform temporal reasoning to obtain the prediction result of multi-step attacks. Utilize the modeled dynamic evolutionary relationship representation to predict possible future attack steps.

[0043] As a feasible implementation, the entity embeddings of the current time window and the evolutionary relation embeddings of all categories are used as input. An inference framework based on the DistMult decoder is employed. For any possible triple (head entity-relation-tail entity), its score is calculated as the dot product of the embedding vectors, thereby assessing the most likely malicious event in the next time window (i.e., the triple with the highest score). Furthermore, the prediction results are not limited to a single event but can output a sequence of top-ranked potential events and their corresponding probabilities. Network security operations personnel can use this to assess the risk level of multiple potential evolutionary attack paths; when the cumulative probability of a path or the confidence of the latest event exceeds a preset threshold, an alert will be automatically generated, and the complete dynamic attack chain hypothesis from the initial intrusion point to the current prediction node will be visualized.

[0044] In this embodiment, a temporal knowledge graph is constructed from multi-source security log data according to time windows, providing a structured and temporal representation of attack chains for subsequent analysis, enabling the capture of the temporal characteristics of multi-step attacks. Then, initial fusion features are generated for each type of security relationship, providing an initial representation containing multi-dimensional information to characterize its semantics. Furthermore, an attention-based mechanism is introduced to adaptively recalibrate the feature dimensions of the initial fusion features, automatically enhancing information dimensions more discriminative for attack detection and suppressing interference from noise and irrelevant features, thereby significantly improving the quality and robustness of the relationship representation and laying a solid foundation for subsequent accurate evolutionary modeling. Based on this, by acquiring the historical relationship states of the previous time window, the historical relationship states are recursively updated based on the enhanced relationship representation to obtain the evolutionary relationship embedding for the current time window. This explicitly establishes a temporal memory and update mechanism for relationship states, allowing the dynamic evolution of the semantics of security relationships over time to be explicitly and continuously modeled and tracked, thus completely changing the static mode of fixed or coarsely updated relationship representations. Finally, temporal reasoning is performed based on evolutionary relationship embeddings that can reflect dynamic semantic evolution to obtain the final prediction result of multi-step attacks. This prediction result can more accurately reflect the real development logic of the attack chain and possible future steps, thereby improving the overall detection accuracy of covert, complex, and temporally dependent multi-step attacks.

[0045] In one feasible implementation, step S10 may include steps S101 to S103: Step S101: Standardize the multi-source security log data to obtain standard log data; Step S102: Perform entity identification and event normalization processing on the standard log data to obtain event data; Step S103: parse the event data according to the time window, take the network entities in the event data as nodes, and take the security relationships between the network entities as edges to construct a time-series knowledge graph; the security relationships are accompanied by event type and timestamp.

[0046] When constructing a time-series knowledge graph, the first step is to standardize the multi-source security log data to obtain standard log data. Security log data from different sources may differ to some extent in terms of time format, field naming, and numerical units. Through standardization, the original logs from different vendors and with different formats are uniformly converted into a standard and regular data format to facilitate subsequent automated parsing and analysis.

[0047] In this embodiment, the multi-source security log data comes from a wide range of sources. For example, the multi-source security log data can come from configuration change logs of the cloud security posture management (CSPM) platform, HTTP request / response logs from the web application firewall (WAF), process tree and network connection logs from the endpoint detection and response (EDR) system, and NetFlow / IPFIX flow records from the network traffic analysis (NTA) device, etc.

[0048] As a feasible implementation method, a standardized pipeline based on a Security Data Lake is used to standardize multi-source security log data. After the raw log data is fed into the raw storage area of ​​the data lake in real time, the standardization pipeline parses, maps, and cleans each log entry according to a predefined log schema template library. For example, the timestamps of all logs are uniformly converted to ISO 8601 format, the IP address field names from different devices are uniformly mapped to "src_ip" and "dst_ip", and action fields (such as "allow", "deny", and "block") are normalized to uniform enumeration values. After this standardization process, standard log data with consistent field definitions and formats is obtained, providing a unified input interface for subsequent processing.

[0049] Furthermore, entity recognition and event normalization are performed on the standardized log data to obtain event data. Entities and event objects with security semantics are extracted from the standardized semi-structured / unstructured logs as the basis for constructing a knowledge graph.

[0050] Among them, entity recognition refers to extracting objects representing network participants from specific fields of logs; event normalization refers to abstracting and classifying the specific behaviors described in logs into event types with universal security semantics.

[0051] As one implementation method, entity recognition can first be accomplished using predefined regular expression patterns or Named Entity Recognition (NER) models. For example, the "user" entity can be identified from the "user" field in a log, the "process" entity can be identified from the "process_id" and "process_name" fields, the "file" entity can be identified from the "file_path" field, and the "registry_key" entity can be identified from the "registry_key" field. Each entity is assigned a unique ID and type label.

[0052] Secondly, event normalization can be achieved through an event classifier. This classifier takes the log's action, target, protocol, and other fields as input and maps them to a unified security event ontology. For example, (action=create, target type=process, parent process name=powershell.exe) is classified as a "process creation - suspicious parent process" event; (source port=445, protocol=SMB) is classified as a "network connection - SMB attempt" event. After entity identification and event normalization, the original log lines are transformed into structured event data objects, typically represented as a quadruple of (timestamp, source entity, event type, target entity).

[0053] Finally, the event data is parsed according to time windows, with network entities in the event data as nodes and security relationships between network entities as edges, to construct a temporal knowledge graph. This organizes the discrete event stream into a series of graph structures arranged in chronological order, intuitively displaying the dynamic changes in the interaction relationships between network entities. The time window defines the time range covered by each graph.

[0054] In some embodiments, a sliding window approach based on event causal relationships can also be used. In addition to dividing time windows into fixed durations (e.g., 5 minutes), simple causal relationship analysis is performed when constructing the graph within a single time window. For example, if event A (user U logs into host H) occurs before event B (downloading file F from a URL on host H) within the window, then when constructing the graph, not only are edges (U, successful login, H) and (H, file download, F) created, but a causal link pointing to event A is also recorded in the edge attributes. The temporal knowledge graph constructed in this way not only contains entities and the security relationships between them, but also implies preliminary causal logic within the time window.

[0055] Within each time window, all network entities appearing within that window (such as IP addresses, user IDs, hosts, files, etc.) constitute a node set Vt, while all normalized security relationships (i.e., event types, such as "login successful" and "file download") serve as edges Et connecting the corresponding source and target entities. Each edge carries the timestamp of its original event. Ultimately, each graph Gt=(Vt,Et) in the resulting temporal knowledge graph sequence {G1,G2,...,Gt} depicts the overall interaction state of the network within that time window, providing direct input for subsequent analysis of the evolution of security relationships along the time axis.

[0056] In one feasible implementation, step S20 may include steps S201 to S203: Step S201: For each type of security relationship in the time-series knowledge graph, extract the static semantic vector of each type of security relationship from a predefined external network security knowledge base; Step S202: Based on events associated with any type of security relationship within the current time window, generate a dynamic representation vector reflecting the real-time context of the security relationship through an entity aggregation strategy; Step S203: Concatenate the static semantic vector with the dynamic representation vector to generate the initial fusion feature under the current time window.

[0057] For each type of security relationship in the temporal knowledge graph, an initial fusion feature is generated under the current time window, thereby constructing a feature representation for each type of abstract security relationship (such as "process creation" and "network external connection") that combines prior security knowledge and real-time context information, serving as input for subsequent feature enhancement and dynamic evolution.

[0058] Specifically, firstly, for each type of security relationship in the temporal knowledge graph, a static semantic vector for each type of security relationship is extracted from a predefined external cybersecurity knowledge base. This injects stable and universal domain prior knowledge into each type of security relationship, enabling its representation to possess basic semantic security cognition and reducing over-reliance on noise or missing information that may exist in the current data. The predefined external cybersecurity knowledge base is a structured knowledge source that stores information on standardized attack patterns, tactics, and techniques.

[0059] As one implementation method, a localized version of a common attack pattern enumeration and classification knowledge base is pre-loaded. For each type of security relationship defined in the temporal knowledge graph, its complete textual description, associated mitigation measures, related software list, and hierarchical relationship graph with other technologies / tactics are obtained by querying the knowledge base. Subsequently, a pre-trained sentence encoding model is used to encode this rich textual and structured information, generating a dense vector of fixed dimensions. This vector serves as the static semantic vector for this type of security relationship, encapsulating meta-knowledge about the general purpose, common techniques, associated assets, and typical position in the attack chain of this attack behavior, providing a stable and reliable semantic foundation for relationship representation.

[0060] Based on events associated with any type of security relationship within the current time window, a dynamic representation vector reflecting the real-time context of that security relationship is generated through an entity aggregation strategy. By capturing the specific and variable contextual features exhibited by this type of security relationship under the current specific network environment, its representation can reflect the real-time behavioral patterns of network events. The entity aggregation strategy refers to a method for summarizing and abstracting the entity features of all events involving this type of security relationship.

[0061] As one implementation, for the temporal knowledge graph Gt of the current time window, find all edges of type r (e.g., "network connection"). For each such edge, collect the embedding features of its source and target entity nodes, which can be randomly initialized or learned through a graph neural network.

[0062] Then, an attention-based aggregation strategy is adopted to calculate the attention weight of all entity pairs (source entity, target entity) in this type of security relationship. The attention weight can be determined based on the entity's attribute information, which includes the entity's own attributes (such as whether the host role is a server) and / or the attributes of the event corresponding to the entity (such as whether the target port of the connection is a sensitive port).

[0063] Finally, the embedding features of all entity pairs are weighted and summed according to attention weights to generate a comprehensive dynamic vector representation. This dynamic vector representation encapsulates which entities, in what patterns, and frequently participated in such interactions within the current time window, thereby dynamically and finely characterizing the contextual state of relation r at a specific moment.

[0064] Based on this, the static semantic vector and the dynamic representation vector are concatenated to generate the initial fusion feature under the current time window. That is, the stable prior from the general knowledge base (static semantic vector) and the variable context from real-time monitoring data (dynamic representation vector) are fused to form a relation feature with more comprehensive information and greater discriminative potential.

[0065] One specific implementation method is to concatenate the static semantic vector of each type of security relationship within the current time window with the dynamic representation vector of that type of security relationship. Through the concatenation operation, the two vectors are connected in the feature dimension to form a new high-dimensional vector, which is the initial fusion feature.

[0066] In this embodiment, a fusion representation is generated for each type of security relationship. On the one hand, its static semantic embedding is loaded from a pre-trained external knowledge base. On the other hand, based on all times involving the security relationship within the current time window, a dynamic representation reflecting the real-time context is generated through entity aggregation. Subsequently, the static semantic embedding and the dynamic representation are concatenated into a high-dimensional vector as the initial fusion feature within the current time window.

[0067] The static part of the initial fusion features ensures that the relation representation has basic attack semantics, so that it can maintain the correct direction in the early stage of an attack or when the samples are sparse; the dynamic part enables the relation representation to sensitively adapt to the specific behavior pattern of the current network and capture signs of anomalies or deterioration. The two complement each other and work together as the basis for subsequent detection of multi-step attacks.

[0068] Furthermore, referring to Figure 2 In one feasible implementation, step S30 may include steps S301 to S304: Step S301: Reshape the initial fusion features into a pseudo-image tensor that adapts to the input format of the attention mechanism; Step S302: Through the channel attention mechanism of the attention mechanism, learn the weights of different feature dimensions of the pseudo-image tensor, and weight the pseudo-image tensor in the channel dimension to obtain the first target tensor. Step S303: Through the spatial attention mechanism of the attention mechanism, learn the relative importance weights of the static prior information and dynamic context information of the pseudo-image tensor, and weight the first target tensor in the spatial dimension to obtain the second target tensor; Step S304: Restore the second target tensor to the form of a feature vector to obtain the relational representation after initial fusion feature enhancement.

[0069] Based on the Convolutional Block Attention Module (CBAM), a two-dimensional feature adaptive recalibration simulates the focusing ability of human analysts. It automatically selects and strengthens the most critical signals for the current attack stage from the initial fused features that integrate prior knowledge and real-time context, while suppressing noise and redundant information, thereby significantly improving the robustness and discriminativeness of relation representation.

[0070] The convolutional block attention mechanism includes channel attention and spatial attention. The feature vector corresponding to the initial fused features is treated as a multi-channel pseudo-image tensor, and channel attention and spatial attention are applied sequentially: channel attention evaluates the importance of each semantic dimension, automatically enhancing the most discriminative feature channels; spatial attention determines the relative importance of static priors and dynamic context in the current scene. Channel attention and spatial attention work together to adaptively recalibrate the initial fused features, resulting in an enhanced relation representation. This enhanced relation representation effectively suppresses noise interference in the logs, highlights key relation signals relevant to the current attack stage, and significantly improves the robustness and discriminative power of the relation representation.

[0071] Specifically, in the process of adaptively recalibrating the feature dimensions of the initial fused features, the initial fused features are first reshaped into pseudo-image tensors that are adapted to the input format of the attention mechanism. The initial fused features are high-dimensional vectors formed by concatenating static semantic vectors and dynamic representation vectors. The reshaping of the initial fused features means that the high-dimensional feature vectors are converted into a format that can be effectively processed by the attention mechanism.

[0072] As a feasible implementation, the initial fusion feature is a one-dimensional feature of length 2d, formed by concatenating a static semantic vector and a dynamic representation vector. This feature is then converted into a vector of shape (C=d, H=2, W=1), resulting in a multi-channel pseudo-image tensor of shape C×H×W. Each channel C corresponds to a semantic dimension. With height H=2, each row of height H corresponds to a type of component, located in row 0 and row 1, respectively. Row 0 represents the static semantic component, and row 1 represents the dynamic context component. For any channel c, row 0 of channel c is the c-th dimension of the static semantic vector, and row 1 of channel c is the c-th dimension of the dynamic representation vector.

[0073] It should be noted that the pseudo-image tensor is a multi-channel tensor, essentially a data structure carrier used for feature recalibration. In this embodiment, the pseudo-image tensor has the shape of Channel=d, Height=2, and Width=1. Channel=d corresponds to the semantic dimension of the feature, with each channel corresponding to a specific dimension in the feature vector. That is, the number of channels C equals the feature dimension d, for example, d=50. The channel attention mechanism operates on these d semantic dimensions to evaluate which feature dimension is more important. Height=2 represents two sources or components, namely static semantic prior and dynamic context representation. The height H of 2 is used to distinguish between static and dynamic components. The spatial attention mechanism applies to these two components, using convolutional blocks with large kernels to achieve equivalent global interaction and smooth bias in a very small or small semantic space, ensuring that each output position ("static" or "dynamic") can perceive the information of the two input positions, thereby calculating a weight that balances the importance of static and dynamic components. The kernel size of the convolutional block is larger than the spatial size of the pseudo-image tensor.

[0074] Furthermore, based on the reconstructed pseudo-image tensor, a channel attention mechanism is used to learn the weights of different feature channels of the pseudo-image tensor. The pseudo-image tensor is then weighted along the channel dimension to obtain the first target tensor. Based on the channel attention mechanism, the importance of each semantic component in the initial fused features is evaluated, and feature channels with strong discriminative power for the current security context are enhanced.

[0075] In one feasible implementation, channel attention first performs global average pooling and global max pooling on the input pseudo-image tensor (of shape C×H×W) along the spatial dimensions (H and W), respectively, to obtain two feature descriptors of shape (Batch, C, 1, 1). These scalars aggregate the average and maximum response information of each channel feature at all structured locations (i.e., H×W locations, in this embodiment, two components: static and dynamic). Next, these two feature descriptors are input into a multilayer perceptron (MLP) with shared weights. This MLP typically consists of fully connected layers and nonlinear activation functions (such as ReLU), ultimately outputting a channel attention weight vector of dimension (Batch, C, 1, 1). Each scalar value in this channel attention weight vector (corresponding to each of the C channels) is a value between 0 and 1, representing the importance weight of the corresponding feature channel.

[0076] Finally, the calculated channel attention weight vector is multiplied channel by channel with the original structured input tensor to evaluate the importance of each semantic dimension, and all feature channels are differentially scaled to enhance the contribution of key discriminative feature channels, resulting in the first target tensor, which enhances the strength of key semantic components.

[0077] Furthermore, through a spatial attention mechanism, the relative importance weights of static prior information and dynamic context information in the pseudo-image tensor are learned, and the first target tensor is weighted spatially to obtain the second target tensor. Based on channel weighting, the spatial attention mechanism further distinguishes the relative importance of different feature sources in the structural dimension (H, W) of the feature vector. In the pseudo-image tensor, different spatial locations (i.e., H×W locations) correspond to different segments of the original feature vector. In this embodiment, height H=2 corresponds to two types of components: static prior information and dynamic context information. The core of spatial attention is learning the weight allocation of these two types of components in the current security context.

[0078] As one implementation, the spatial attention mechanism takes a first target tensor as input. First, it performs average pooling and max pooling along the channel dimension on the input tensor and concatenates the results to obtain a feature vector of shape (Batch,2,H,W), which is (Batch,2,2,1) in this embodiment. This feature vector aggregates the statistical information of all channels at each structured location. Next, a convolutional layer with a kernel size larger than the spatial size (for example, when the spatial size is 2×1, a 7×1 kernel with padding can be used) is used to convolve the feature vector, ensuring that each spatial location of the output can comprehensively perceive the information of all input locations (i.e., both static and dynamic components), thereby achieving efficient global interaction and weight calculation in a very small structured space. After the convolution output is activated by activation functions such as the Sigmoid function, a spatial attention weight map Ms is generated, which has a shape of (Batch,1,H,W), which is (Batch,1,2,1) in this embodiment. The value at each position in the spatial attention weight map is between 0 and 1, representing the relative importance of the corresponding structured component (static or dynamic). Finally, the spatial attention weight map is multiplied element-wise with the first target tensor to achieve differentiated weighting of different structured components, resulting in the second target tensor.

[0079] The second target tensor is restored to feature vector form, yielding the relational representation after initial fusion feature enhancement. Specifically, the tensor representation refined by the two-dimensional attention mechanism is converted back to the same vector format as the initial fusion features for input into subsequent serialization processing.

[0080] Understandably, the shape or size of the pseudo-image tensor is configurable. In some embodiments, it can be configured to H≥2, for example, setting H to K (H=K, K≥2) to represent K types of context components, used to handle more (K types) of structured feature components. For example, when fusing K types of context such as "static knowledge + network behavior + process behavior + user operation," simply setting H to K, with each row corresponding to one type of context component. The spatial attention mechanism will then learn the complex importance relationships between these K components. Using convolutional kernels larger than the spatial size is an effective way to achieve efficient global interaction in a minimal structured semantic space. It should be noted that the convolutional kernel size and channel attention are also dynamically configurable.

[0081] Compared to the initial fused features, the enhanced vector representation undergoes semantic filtering in the channel dimension and a trade-off in feature sources in the structural (spatial) dimension. Specifically, feature channels highly relevant to the current attack context and more discriminative feature sources (static or dynamic) are enhanced, while noise or minor components are suppressed. This allows for a more focused and robust representation of the critical state of the security relationship at the current moment. For example, through attention mechanisms, it may be learned that in the current attack phase (such as the lateral movement phase), the dynamic contextual feature region representing "the target port of the network connection" is more important than the static descriptive region representing "this technique is typically used for information gathering," thus assigning higher weight to the former.

[0082] Using the enhanced relation representation as a foundation and the relation state obtained from the previous time window update as historical memory, the evolutionary relation embedding for the current time window is calculated through a gated recurrent unit (GRU). This process explicitly models the dynamic changes in the semantics of secure relations over time. For example, the same "access" behavior may be a normal operation in the early stages of an attack, but as the context changes (such as in conjunction with credential theft events), its semantics can gradually evolve into malicious "lateral movement." Through recursive updates, the state evolution of each relation in the attack chain can be continuously tracked.

[0083] Based on this, step S40 may further include step S401: Step S401: The enhanced relation representation is used as the input feature of the current time window, and the historical relation state is used as historical memory. The retention and forgetting of the historical memory are controlled by the update gate and reset gate of the gated loop unit. The long-short-term dependency relationship of the secure relation semantics is modeled to obtain the evolutionary relation embedding within the current time window.

[0084] For any type of security relationship, its enhanced relationship representation is a feature vector recalibrated by an attention mechanism, which focuses on the most critical static semantics and dynamic contextual information of this type of security relationship under the current time window.

[0085] As an example, for each type of security relation defined in the knowledge graph, within the current time window t, its corresponding enhanced relation representation is a multi-dimensional dense vector. This vector is used as the input to the GRU unit at the current moment, carrying condensed information about "what is happening" in the security relation within the current time window t. By maintaining a mapping from a security relation category to GRU units, it is ensured that the state of each type of security relation evolves independently by its own or shared parameter GRU.

[0086] In one feasible implementation, a mapping from security relationship categories to GRU units is achieved through persistent storage of state vectors. Specifically, the historical relationship state is the hidden state calculated and retained by the GRU unit at the end of the previous time window t-1, encoding the entire semantic evolution trajectory of the security relationship from the initial time to time t-1. The purpose is to provide historical, cumulative contextual information for state updates. After completing the calculation for each time window, the final hidden state corresponding to each type of security relationship is written to a persistent storage (such as an in-memory database or cache), with the relationship category ID as the key. Within the current time window, the corresponding historical memory (also called historical state) is retrieved based on the relationship category ID and used as the initial hidden state input for the GRU unit. This enables the detection and reasoning of multi-step attack chains to possess "memory" capabilities, allowing the understanding of the potential intent of the current behavior based on historical behavior.

[0087] By using the update and reset gates of the gated loop unit, the retention and forgetting of historical memory are controlled. Through a learnable gating mechanism, the system dynamically and adaptively determines how much historical information needs to be retained and how to combine the current input with historical information, thereby achieving efficient temporal modeling.

[0088] The output of the reset gate is a vector between 0 and 1, controlling how useful the historical memory is for calculating the current candidate state. A value close to 0 indicates a tendency to forget most historical information and rely more on the current input to construct the new state; a value close to 1 indicates that more historical information is retained, which is crucial in security scenarios. For example, when a completely new and unusual login is detected, the reset gate can reduce reliance on past normal login patterns.

[0089] The update gate determines how much information is retained from the historical state into the new state, controlling the inertia or conservatism of state updates. If it is close to 1, the new state will almost completely inherit the old state, with little influence from the current input, which is suitable for periods when the relational semantics are stable and continuous; if it is close to 0, the new state will be mainly determined by the current input, which is suitable for moments when the relational semantics undergo abrupt changes (such as escalating from "scanning" to "attack").

[0090] The goal of gated computing is to integrate historical memory with current observations to generate a current relational state representation that can simultaneously capture long-term patterns and short-term changes.

[0091] As a feasible implementation, after obtaining the reset gate and update gate, the GRU unit calculates the final state in the following manner to obtain the evolutionary relationship embedding within the current time window. Specifically, candidate hidden states are first calculated. Here, the reset gate is first applied to the historical state to obtain a filtered historical memory, which is then combined with the current input and a new candidate state is generated through a nonlinear transformation, representing the new state suggested based on the current input and some historical information.

[0092] Then, the final hidden state, i.e., the evolutionary relation embedding, is calculated, which is also the final state update of the GRU unit. The update gate acts as a harmonizer here, weighting the candidate state (i.e., the current proposal) with the previous state (i.e., the historical memory). When the relation semantics need to respond quickly to changes, the update gate is smaller, and the final hidden state is closer to the current input; when the semantics are stable, the update gate is larger, and the final hidden state is closer to the historical memory, thus maintaining the continuity of the state.

[0093] Through the process, for each type of security relationship, its evolutionary relationship embedding in the current time window is calculated. The evolutionary relationship is represented by an embedding vector, which not only contains the enhanced information of the current time window, but also incorporates the filtered and relevant long-term historical semantics through the gating mechanism of the GRU unit, so as to accurately represent the dynamic and evolutionary stage of the security relationship in the attack chain.

[0094] Understandably, the output of the current time window will serve as the historical relationship state for the next time window and will be used for the final time-series inference prediction.

[0095] In one feasible implementation, step S50 may include steps S501 to S502: Step S501: Based on the entities within the current time window and the evolutionary relationship embedding, predict the event tuples within the next time window; Step S502: Based on the event tuple, potential multi-step attack events are determined, and the prediction result of multi-step attacks is obtained.

[0096] Based on the embedded evolutionary relationship, temporal reasoning is performed. By utilizing the modeled, dynamically evolving relational semantics, future security events can be predicted, and discrete predicted events can be correlated and integrated into coherent attack path hypotheses.

[0097] By leveraging the dynamic semantics of security relationships represented by entities and their evolutionary relationships embedded within the knowledge graph of the current time window, the most likely specific security interaction events to occur within a future time window of a preset duration can be inferred. Here, the event tuple is the smallest unit describing a security event, typically in the form of (head entity, relation, tail entity), but can also contain more attributes.

[0098] As one implementation method, firstly, the embedding representations of all entities in the temporal knowledge graph within the current time window t are obtained. These entity embeddings can be learned through a graph neural network or randomly initialized and used in training. Simultaneously, the evolutionary relation embeddings of all security relation categories within the current time window are obtained. Then, a translation-based scoring function, such as an extended form of TransE, is used as the decoder. For any candidate future event (h1, r, h2), based on the embedding vectors corresponding to the entity embeddings and evolutionary relation embeddings, the event's reasonableness score is calculated, scoring all possible combinations of (entity, relation, entity). Here, h1 is the head entity, r is the relation, and h2 is the tail entity; the event tuple is represented as a triple.

[0099] Finally, the top K tuples with the highest scores, or all tuples with scores exceeding a certain dynamic threshold, are selected as the prediction set for the most likely event tuples in the next time window (t+1), thus realizing micro-reasoning from the current state to the future state.

[0100] Furthermore, based on the event tuples in the next window of the predicted current time window, potential multi-step attack events are identified, resulting in a prediction of multi-step attacks. Discrete candidate future events are correlated, evaluated, and integrated according to attack chain logic to form a complete multi-step attack path prediction with threat level. Potential multi-step attack events refer to attack sequences composed of multiple single-step events (i.e., tuples) that are related by time or causal logic.

[0101] As a feasible implementation, a dynamic attack graph or attack path hypothesis pool is maintained. Whenever a new batch of event tuples is predicted, potential multi-step attack events are determined by performing the following operations: First, association and expansion: Each newly predicted event tuple is matched with existing paths in the attack graph. For example, if the "head entity" (host A) of a newly predicted event (host A, lateral movement, host B) is the same as the "tail entity" of the last event of an existing path, then the event will be appended to the end of the path, thus expanding the path by one step.

[0102] Secondly, scoring and ranking: For each attack path, a comprehensive risk score is assumed to be calculated. This risk score can be weighted based on the prediction confidence of all events in the path, the path length, the criticality level of the attack techniques (relationships) involved in the MITRE ATT&CK framework, and whether high-value target entities appear in the path.

[0103] Finally, the prediction results are generated: the top N attack paths with the highest risk scores are selected as the prediction results for multi-step attacks. Each path result should include: the path sequence (a list of event tuples arranged by time), the overall risk score, and the main attack tactics involved in the path (such as initial access, execution, lateral movement, etc.). In addition, for a single path with an extremely high score (such as exceeding the alarm threshold), or a critical victim entity that is targeted by multiple paths in a short period of time, an immediate alarm can be triggered.

[0104] In one embodiment, refer to Figure 3 The multi-step attack detection method provided in this application includes several key stages, specifically including: parsing multi-source security log data and constructing a temporal knowledge graph; fusion of static and dynamic representations; relationship enhancement based on attention mechanism; relationship evolution through gated loop units; temporal relationship reasoning and detection; and multi-step attack alerts.

[0105] In the multi-source security log data parsing and temporal knowledge graph construction stage, the main task is to parse the acquired multi-source security log data, including standardization processing, entity recognition and event normalization processing, to obtain event data. The event data is then parsed according to time windows, and the network entities in the event data are used as nodes, with the security relationships between network entities as edges, to construct a temporal knowledge graph with event types and timestamps.

[0106] In the stage of fusing static and dynamic representations, a fused representation is generated for each type of security relationship. On the one hand, static semantic embeddings of security relationships are loaded from an external knowledge base. On the other hand, for any type of security relationship, a dynamic representation reflecting the real-time context is generated through entity aggregation based on all events involving that security relationship within the current time window. Finally, the loaded static semantic embeddings and dynamic representations are concatenated into a high-dimensional vector, which serves as the initial fused feature for that type of security relationship within the current time window.

[0107] In the relation enhancement stage based on the attention mechanism, the initially fused features obtained from the concatenation are reshaped into a multi-channel pseudo-image tensor. The reshaped pseudo-image tensor is then weighted sequentially using channel attention and spatial attention mechanisms to enhance features across different dimensions. Channel attention is used to evaluate the importance of each semantic dimension, automatically enhancing the feature channels with strong discriminative power; spatial attention is used to determine the relative importance of static priors and dynamic context. Channel attention and spatial attention work synergistically to adaptively recalibrate the initial fused features, thereby strengthening the key discriminative information in the initial fused features and obtaining an enhanced relation representation. This enhanced relation representation can more effectively and robustly represent the key state of the security relationship at the current moment.

[0108] In the relation evolution stage via the gated recurrent unit (GRU), the enhanced relation representation is used as input to the current time window, and the relation state obtained from the previous time window update is used as historical memory. The evolved relation embedding of the current time window is calculated through the GRU. This process explicitly models the dynamic semantic changes of security relations over time. Through recursive updates of entity relation states based on time windows, the state evolution of various security relations in the attack chain can be continuously tracked.

[0109] Furthermore, in the temporal relation reasoning and detection stage, based on all entity embeddings and evolutionary relation embeddings within the current time window, a relation prediction decoder (such as ConvTransE) is used to predict the most likely security event tuples in the next time window, such as event triples: (attacker IP, lateral movement, target host). Potential multi-step attack events are determined based on the predicted event tuples. It should be noted that each predicted event tuple has a corresponding prediction confidence level.

[0110] Finally, as Figure 3 As shown, if the prediction confidence exceeds the preset threshold, a high-risk alarm for multi-step attacks is triggered, and a prompt message containing the complete potential attack path of the multi-step attack event is output.

[0111] In this embodiment, the relation state is explicitly and iteratively modeled temporally using GRU, so that the semantics of the security relation (such as from "normal access" to "lateral movement") can dynamically evolve as the attack chain progresses. This fundamentally overcomes the defects of static or coarse-updated relation representation in the prior art, thereby significantly improving the detection accuracy and predictive foresight of complex multi-step attacks with strong temporal dependence and phased evolution.

[0112] Secondly, an adaptive recalibration of the channel and spatial dimensions of the fusion features of entity relations is introduced based on the convolutional block attention mechanism. This can automatically enhance the static semantic embedding from the external knowledge base and the dynamics of the real-time context, while suppressing the interference of log noise and redundant information, thus greatly enhancing the discriminative power of relation representation and its robustness in noisy environments.

[0113] Furthermore, by constructing a temporal knowledge graph and integrating static semantics of external knowledge, it provides rich structured prior and real-time contextual information for multi-step attack detection. It can not only predict high-risk multi-step attack events in the next time window, but also generate complete and interpretable potential attack paths. This provides network security operations personnel with clear criteria for judging multi-step attack chains, enhancing the interpretability and action guidance value of the detection results.

[0114] Finally, the entire framework achieves automated analysis from raw security logs to attack prediction in an end-to-end manner. Compared with relying on complex manual rules or difficult-to-interpret black box models, it is more adaptable to the needs of modern security operations centers for automated and intelligent threat perception while ensuring detection performance.

[0115] It should be noted that the above examples are only for understanding this application and do not constitute a limitation on the multi-step attack detection method of this application. Any simple modifications based on this technical concept are within the protection scope of this application.

[0116] This application also provides a multi-step attack detection device; please refer to [reference needed]. Figure 4 The multi-step attack detection device includes: The temporal graph construction module 10 is used to construct a temporal knowledge graph based on multi-source security log data and according to time windows; the edges in the temporal knowledge graph are used to represent the security relationships between network entities. Relationship fusion module 20 is used to generate initial fusion features for each type of security relationship in the temporal knowledge graph under the current time window; The relation enhancement module 30 is used to adaptively recalibrate the feature dimensions of the initial fused features based on an attention mechanism to obtain an enhanced relation representation; the attention mechanism is used to strengthen the key discriminative information in the initial fused features. The relation evolution module 40 is used to obtain the historical relation state of the previous time window, and recursively update the historical relation state based on the enhanced relation representation to obtain the evolutionary relation embedding of the current time window; the evolutionary relation embedding represents the process of the semantics of the security relation dynamically evolving over time; The reasoning detection module 50 is used to perform temporal reasoning based on the embedded evolutionary relationship to obtain the prediction result of multi-step attacks.

[0117] In one embodiment, the relationship enhancement module 30 is further configured to: The initial fusion features are reshaped into pseudo-image tensors that adapt to the input format of the attention mechanism; By using the channel attention mechanism of the aforementioned attention mechanism, the weights of different feature dimensions of the pseudo-image tensor are learned, and the pseudo-image tensor is weighted in the channel dimension to obtain the first target tensor. The spatial attention mechanism of the attention mechanism is used to learn the relative importance weights of the static prior information and dynamic context information of the pseudo-image tensor, and the first target tensor is weighted in the spatial dimension to obtain the second target tensor. The second target tensor is restored to the form of a feature vector to obtain the relational representation after the initial fusion feature enhancement.

[0118] In one embodiment, the relationship evolution module 40 is further configured to: The enhanced relation representation is used as the input feature of the current time window, and the historical relation state is used as historical memory. The retention and forgetting of the historical memory are controlled by the update gate and reset gate of the gated loop unit. The long and short-term dependencies of the secure relation semantics are modeled to obtain the evolutionary relation embedding within the current time window.

[0119] In one embodiment, the relationship fusion module 20 is further configured to: For each type of security relationship in the time-series knowledge graph, a static semantic vector for each type of security relationship is extracted from a predefined external network security knowledge base; Based on events associated with any type of security relationship within the current time window, a dynamic representation vector reflecting the real-time context of the security relationship is generated through an entity aggregation strategy. The static semantic vector is concatenated with the dynamic representation vector to generate the initial fusion feature for the current time window.

[0120] In one embodiment, the time series graph construction module 10 is further configured to: Standardize the multi-source security log data to obtain standard log data; The standard log data is subjected to entity identification and event normalization processing to obtain event data; The event data is parsed according to time windows, and the network entities in the event data are used as nodes, with the security relationships between the network entities as edges, to construct a time-series knowledge graph; the security relationships are accompanied by event type and timestamp.

[0121] In one embodiment, the inference detection module 50 is further configured to: Based on the entities within the current time window and the embedded evolutionary relationships, predict the event tuples for the next time window; Based on the event tuple, potential multi-step attack events are identified, and prediction results of multi-step attacks are obtained.

[0122] The multi-step attack detection device provided in this application employs the multi-step attack detection method described in the above embodiments. This addresses the technical problem that existing multi-step attack detection schemes generally use static or weakly temporal relationship modeling paradigms, which struggle to effectively characterize the state evolution of security relationships during a sustained attack, leading to low accuracy in predicting multi-step attacks. Compared to the prior art, the beneficial effects of the multi-step attack detection device provided in this application are the same as those of the multi-step attack detection method described in the above embodiments, and other technical features in the multi-step attack detection device are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.

[0123] This application provides a multi-step attack detection device, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the multi-step attack detection method in the first embodiment described above.

[0124] The following is for reference. Figure 5 The diagram illustrates a structural schematic suitable for implementing a multi-step attack detection device according to embodiments of this application. The multi-step attack detection device in embodiments of this application may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description), PMPs (Portable Media Players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. Figure 5 The multi-step attack detection device shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this application.

[0125] like Figure 5As shown, a multi-step attack detection device may include a processing unit 1001 (e.g., a central processing unit, a graphics processing unit, etc.) that can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage device 1003 into a random access memory (RAM) 1004. The RAM 1004 also stores various programs and data required for the operation of the multi-step attack detection device. The processing unit 1001, ROM 1002, and RAM 1004 are interconnected via a bus 1005. An input / output (I / O) interface 1006 is also connected to the bus. Typically, the following systems can be connected to the I / O interface 1006: input devices 1007 including, for example, a touchscreen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; output devices 1008 including, for example, a liquid crystal display (LCD), speaker, vibrator, etc.; storage devices 1003 including, for example, magnetic tape, hard disk, etc.; and communication devices 1009. Communication device 1009 allows the multi-step attack detection device to communicate wirelessly or wiredly with other devices to exchange data. While the figure shows multi-step attack detection devices with various systems, it should be understood that implementation or possession of all the systems shown is not required. More or fewer systems may be implemented alternatively.

[0126] Specifically, according to the embodiments disclosed in this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments disclosed in this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from storage device 1003, or installed from ROM 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of the embodiments disclosed in this application.

[0127] The multi-step attack detection device provided in this application employs the multi-step attack detection method described in the above embodiments. This addresses the technical problem that existing multi-step attack detection schemes generally use static or weakly temporal relationship modeling paradigms, which struggle to effectively characterize the state evolution of security relationships during a continuous attack, leading to low accuracy in predicting multi-step attacks. Compared to the prior art, the beneficial effects of the multi-step attack detection device provided in this application are the same as those of the multi-step attack detection method provided in the above embodiments, and other technical features of this multi-step attack detection device are the same as those disclosed in the previous embodiment method, and will not be repeated here.

[0128] It should be understood that the various parts disclosed in this application can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics can be combined in any suitable manner in one or more embodiments or examples.

[0129] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0130] This application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon, which are used to execute the multi-step attack detection method described in the above embodiments.

[0131] The computer-readable storage medium provided in this application may be, for example, a USB flash drive, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems or devices, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (Radio Frequency), etc., or any suitable combination thereof.

[0132] The aforementioned computer-readable storage medium may be included in a multi-step attack detection device; or it may exist independently and not be assembled into a multi-step attack detection device.

[0133] The aforementioned computer-readable storage medium carries one or more programs, which, when executed by a multi-step attack detection device, cause the multi-step attack detection device to: Based on multi-source security log data, a time-series knowledge graph is constructed according to time windows; the edges in the time-series knowledge graph are used to represent the security relationships between network entities. For each type of security relationship in the temporal knowledge graph, generate initial fusion features for the current time window; The feature dimensions of the initial fused features are adaptively recalibrated based on an attention mechanism to obtain an enhanced relational representation; the attention mechanism is used to strengthen the key discriminative information in the initial fused features. The historical relation state of the previous time window is obtained, and the historical relation state is recursively updated based on the enhanced relation representation to obtain the evolutionary relation embedding of the current time window; the evolutionary relation embedding represents the process of the semantics of the security relation dynamically evolving over time; Based on the embedded evolutionary relationship, temporal reasoning is performed to obtain the prediction results of multi-step attacks.

[0134] Computer program code for performing the operations of this application can be written in one or more programming languages ​​or a combination thereof, including object-oriented programming languages ​​such as Java, Smalltalk, and C++, and conventional procedural programming languages ​​such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0135] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0136] The modules described in the embodiments of this application can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.

[0137] The readable storage medium provided in this application is a computer-readable storage medium that stores computer-readable program instructions (i.e., a computer program) for executing the above-described multi-step attack detection method. This addresses the technical problem that existing multi-step attack detection schemes generally employ static or weakly temporal relationship modeling paradigms, which struggle to effectively characterize the state evolution of security relationships during a sustained attack, leading to low accuracy in predicting multi-step attacks. Compared to the prior art, the beneficial effects of the computer-readable storage medium provided in this application are the same as those of the multi-step attack detection method provided in the above embodiments, and will not be elaborated upon here.

[0138] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the multi-step attack detection method described above.

[0139] The computer program product provided in this application addresses the technical problem that existing multi-step attack detection schemes generally employ static or weakly temporal relationship modeling paradigms, which struggle to effectively characterize the state evolution of security relationships during a sustained attack, resulting in low prediction accuracy for multi-step attacks. Compared to existing technologies, the beneficial effects of the computer program product provided in this application are the same as those of the multi-step attack detection methods provided in the above embodiments, and will not be elaborated upon here.

[0140] The above description is only a part of the embodiments of this application and does not limit the patent scope of this application. All equivalent structural transformations made under the technical concept of this application and using the contents of the specification and drawings of this application, or direct / indirect applications in other related technical fields, are included in the patent protection scope of this application.

Claims

1. A multi-step attack detection method, characterized in that, The multi-step attack detection method includes: Based on multi-source security log data, a time-series knowledge graph is constructed according to time windows; the edges in the time-series knowledge graph are used to represent the security relationships between network entities. For each type of security relationship in the temporal knowledge graph, generate initial fusion features for the current time window; The feature dimensions of the initial fused features are adaptively recalibrated based on an attention mechanism to obtain an enhanced relational representation; the attention mechanism is used to strengthen the key discriminative information in the initial fused features. The historical relation state of the previous time window is obtained, and the historical relation state is recursively updated based on the enhanced relation representation to obtain the evolutionary relation embedding of the current time window; the evolutionary relation embedding represents the process of the semantics of the security relation dynamically evolving over time; Based on the embedded evolutionary relationship, temporal reasoning is performed to obtain the prediction results of multi-step attacks.

2. The multi-step attack detection method as described in claim 1, characterized in that, The step of adaptively recalibrating the feature dimensions of the initial fused features based on an attention mechanism to obtain the enhanced relation representation includes: The initial fusion features are reshaped into pseudo-image tensors that adapt to the input format of the attention mechanism; By using the channel attention mechanism of the aforementioned attention mechanism, the weights of different feature dimensions of the pseudo-image tensor are learned, and the pseudo-image tensor is weighted in the channel dimension to obtain the first target tensor. The spatial attention mechanism of the attention mechanism is used to learn the relative importance weights of the static prior information and dynamic context information of the pseudo-image tensor, and the first target tensor is weighted in the spatial dimension to obtain the second target tensor. The second target tensor is restored to the form of a feature vector to obtain the relational representation after the initial fusion feature enhancement.

3. The multi-step attack detection method as described in claim 1, characterized in that, The step of recursively updating the historical relation state based on the enhanced relation representation to obtain the evolutionary relation embedding for the current time window includes: The enhanced relation representation is used as the input feature of the current time window, and the historical relation state is used as historical memory. The retention and forgetting of the historical memory are controlled by the update gate and reset gate of the gated loop unit. The long and short-term dependencies of the secure relation semantics are modeled to obtain the evolutionary relation embedding within the current time window.

4. The multi-step attack detection method as described in claim 1, characterized in that, The step of generating initial fusion features for each type of security relationship in the temporal knowledge graph under the current time window includes: For each type of security relationship in the time-series knowledge graph, a static semantic vector for each type of security relationship is extracted from a predefined external network security knowledge base; Based on events associated with any type of security relationship within the current time window, a dynamic representation vector reflecting the real-time context of the security relationship is generated through an entity aggregation strategy. The static semantic vector is concatenated with the dynamic representation vector to generate the initial fusion feature for the current time window.

5. The multi-step attack detection method as described in claim 1, characterized in that, The steps for constructing a time-series knowledge graph based on multi-source security log data and according to time windows include: Standardize the multi-source security log data to obtain standard log data; The standard log data is subjected to entity identification and event normalization processing to obtain event data; The event data is parsed according to time windows, and the network entities in the event data are used as nodes, with the security relationships between the network entities as edges, to construct a time-series knowledge graph; the security relationships are accompanied by event type and timestamp.

6. The multi-step attack detection method as described in any one of claims 1 to 5, characterized in that, The step of performing temporal reasoning based on the embedded evolutionary relationship to obtain the prediction result of multi-step attacks includes: Based on the entities within the current time window and the embedded evolutionary relationships, predict the event tuples for the next time window; Based on the event tuple, potential multi-step attack events are identified, and prediction results of multi-step attacks are obtained.

7. A multi-step attack detection device, characterized in that, The multi-step attack detection device includes: The temporal graph construction module is used to construct a temporal knowledge graph based on multi-source security log data and according to time windows; the edges in the temporal knowledge graph are used to represent the security relationships between network entities. The relationship fusion module is used to generate initial fusion features for each type of security relationship in the temporal knowledge graph under the current time window; The relation enhancement module is used to adaptively recalibrate the feature dimensions of the initial fused features based on an attention mechanism to obtain an enhanced relation representation; the attention mechanism is used to strengthen the key discriminative information in the initial fused features. The relation evolution module is used to obtain the historical relation state of the previous time window, and recursively update the historical relation state based on the enhanced relation representation to obtain the evolutionary relation embedding of the current time window; the evolutionary relation embedding represents the process of the semantics of the security relation dynamically evolving over time; The reasoning detection module is used to perform temporal reasoning based on the embedded evolutionary relationship to obtain prediction results of multi-step attacks.

8. A multi-step attack detection device, characterized in that, The device includes: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the multi-step attack detection method as described in any one of claims 1 to 6.

9. A storage medium, characterized in that, The storage medium is a computer-readable storage medium, and a computer program is stored on the storage medium. When the computer program is executed by a processor, it implements the steps of the multi-step attack detection method as described in any one of claims 1 to 6.

10. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, implements the steps of the multi-step attack detection method as described in any one of claims 1 to 6.