Intrusion detection by attack path generation

The method employs a graphical neural network to analyze network communication streams, generating anomaly scores to identify and isolate malicious machines, effectively halting cyberattack propagation in networks.

FR3169234A1Pending Publication Date: 2026-06-05COMMISSARIAT A LENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES

Patent Information

Authority / Receiving Office
FR · FR
Patent Type
Applications
Current Assignee / Owner
COMMISSARIAT A LENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
Filing Date
2024-12-04
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing cybersecurity systems struggle to identify the attack path taken by an attacker in a network efficiently and resourcefully, making it difficult to limit and stop the propagation of cyberattacks like advanced persistent threats.

Method used

A method using a graphical neural network to analyze communication streams between machines in a network, generating anomaly scores based on subgraphs, and isolating machines identified as malicious to halt the attack propagation.

Benefits of technology

Effectively detects and halts the spread of cyberattacks by identifying and isolating machines involved in the attack path, enhancing network security with improved efficiency and resource utilization.

✦ Generated by Eureka AI based on patent content.
Patent Text Reader

Abstract

Intrusion Detection by Attack Path Generation This description relates to a method for detecting intrusion on a network (102) comprising: a) the identification, by a processing device, of a second machine that has exchanged a first communication stream directly with a first machine; b) the determination of a first subgraph comprising the first stream and other streams among the plurality of machines and the second machine; c) the provision of the first subgraph to a graphical neural network; d) the generation of a first anomaly score on the basis of the first subgraph; e) the determination of whether the second machine is a malicious machine; f) if the second machine is determined to be a malicious machine, the verification of a stopping condition; and g) if the stopping condition is not verified, the resumption of the method from step a), with the second machine taking the place of the first machine.Figure for the abridged version: Fig. 1.
Need to check novelty before this filing date? Find Prior Art

Description

Title of the invention: Intrusion detection by attack path generation. Technical field

[0001] This description relates generally to cybersecurity, and more specifically to intrusion detection within a computer network. Prior art

[0002] Cyberattacks such as, for example, advanced persistent threats (ATPs), allow an attacker to take control of a machine connected to a network and use it to infiltrate another machine on the network, and so on. In this type of attack, identifying an infiltrated machine is not enough to thwart the attack. Indeed, it is important to identify the path taken by the attacker in order to limit and / or stop the propagation of the attack. However, there is a technical problem in identifying this path in a simple and resource-efficient way. Summary of the invention

[0003] One embodiment provides a method for detecting intrusion on a first machine connected to a network comprising a plurality of machines, the method comprising: a) the identification, by a processing device, of a second machine that has exchanged a first communication stream directly with the first machine; b) the determination, by the processing device, of a first subgraph comprising the first stream and other streams exchanged directly between other machines among the plurality of machines and the second machine; c) the provision, by the processing device, of the first subgraph to a graphical neural network; d) the generation, by the graphical neural network, of a first anomaly score on the basis of the first sub-graph; e) the determination, by the processing device and on the basis of the value of the first anomaly score, of whether the second machine is a malicious machine; (f) if the second machine is determined to be a malicious machine, the processing unit checks for a halting condition on the second machine; and (g) if the stopping condition is not met, the process resumes from step (a), with the second machine replacing the first machine and a list being incremented with an identifier for the second machine; or (h) if the stopping condition is met, the isolation of the machines identified in the list.

[0004] According to one embodiment, each node of the second subgraph corresponds to a communication flow exchanged between the second machine and one of the other machines that have exchanged directly with the second machine, two nodes of the second subgraph being linked when the two corresponding flows originate from the same machine, or are directed towards the same machine.

[0005] According to one embodiment, the determination, by the processing device, of a first subgraph includes the transformation of a directed graph whose nodes correspond to the second machine and to the other machines that have exchanged directly with the second machine, and whose each edge connecting two nodes of the directed graph corresponds to the communication flow exchanged between the two machines corresponding to the two nodes.

[0006] According to one embodiment, the graphical neural network is configured to generate a first vector representation by converting the first subgraph to a reduced-dimensional vector representation.

[0007] According to one embodiment, each node of the first subgraph is associated with a set of features, and in which the graph neural network is configured to convert the first subgraph into the first vector representation further on the basis of each set of features associated with each edge.

[0008] According to one embodiment, each set of features associated with a node of the first subgraph includes an indication of the protocol and / or connection time and / or number of packets and / or activity of the secure SSL socket layer, and / or activity of the HTTP hypertext transfer protocol and / or activity of the DNS domain name system and / or activity of the communication flow violation corresponding to the node.

[0009] According to one embodiment, the anomaly score of the first subgraph corresponds to the distance between the first vector representation and a sphere, or a hypersphere, in the reduced dimension space.

[0010] According to one embodiment, the second machine is determined to be a malicious machine if its anomaly score is greater than a threshold value.

[0011] According to one embodiment, the above process further comprises: - the determination, by the processing device, of a third machine having respectively exchanged a second communication stream directly with the first machine; - the completion of steps b) to e), with the third machine taking the place of the first machine; - the comparison of the anomaly score obtained for the third machine with the first anomaly score; and - if the second and third machines are determined to be malicious machines, the comparison between the first anomaly score and the anomaly score obtained for the third machine; - the verification, by the processing unit, of a stopping condition on the machine among the second and third machines with the highest anomaly score; and - if the stopping condition is not verified, the resumption of the process from step a), the machine among the second and third machines with the highest anomaly score taking the place of the first machine and the incrementing of a list with an identifier of the machine among the second and third machines with the highest anomaly score.

[0012] According to one embodiment, the stopping condition is checked if the second machine does not belong to the network.

[0013] One embodiment provides a device comprising: - a memory containing instructions for carrying out the above process, the device being further configured to receive characteristics associated with a plurality of streams and stored in an external memory, the plurality of streams being exchanged between a plurality of machines connected to a network.

[0014] One embodiment provides a system comprising the above device and a graphical artificial neural network configured to: - receive a first subgraph as input; - generate a vector representation of the first subgraph in a reduced-dimensional space; and - calculate a distance between the vector representation and a sphere, or hypersphere, in reduced-dimensional space.

[0015] According to one embodiment, the center and radius of the sphere, or hypersphere, are obtained following a training phase of the graphic neural network.

[0016] According to one embodiment, the graphical artificial neural network comprises at least one convolutional graphical neural layer.

[0017] One embodiment provides a method for training the artificial neural network of the above system, the training method comprising: - the provision of a plurality of subgraphs representing exchanges of communication flows between a plurality of machines, the exchanged communication flows not including any anomalies; - the generation, for each of the subgraphs and based on the characteristics of each of the communication flows, of a vector representation, and - the determination, by application of a method of type description of deep support vector data, of a center and a radius defining a sphere, or a hypersphere, in the space of vector representations, the center and the radius being such that the sphere, or the hypersphere, encapsulates each of the vector representations. Brief description of the drawings

[0018] These features and advantages, as well as others, will be described in detail in the following description of particular embodiments, given by way of non-limiting example, in relation to the accompanying figures, among which:

[0019] [Fig.1] represents an example of a network susceptible to a cyberattack;

[0020] the [Fig.2] The [Fig.2] is a block diagram representing a processing device;

[0021] [Fig. 3A] represents a structure of a directed graph representing exchanges of communication flow between several machines on the network;

[0022] [Fig.3B] illustrates another structure of a graph representing the exchange of communication flows between several machines in the network, according to an embodiment of the present description;

[0023] [Fig.4A] illustrates, in the form of graphs, several types of cyberattacks on a network;

[0024] [Fig.4B] illustrates, in the form of another graph, the cyberattacks represented in [Fig.4A];

[0025] Fig. 5 illustrates two iterations carried out in an intrusion detection process, according to one embodiment of the present description;

[0026] [Fig. 6] is a flowchart illustrating steps carried out in the intrusion detection process, according to one embodiment of the present description; and

[0027] [Fig.7] illustrates an example of the architecture of the graphical neural network configured for intrusion detection, according to an embodiment of the present description. Description of the implementation methods

[0028] The same elements have been designated by the same reference numerals in the different figures. In particular, the structural and / or functional elements common to the different embodiments may have the same reference numerals and may have identical structural, dimensional and material properties.

[0029] For the sake of clarity, only the steps and elements useful for understanding the described embodiments have been represented and are detailed.

[0030] Unless otherwise specified, when referring to two interconnected elements, this means directly connected without intermediate elements other than conductors, and when referring to two connected (in English "coupled") elements between them, this means that these two elements can be connected or linked via one or more other elements.

[0031] In the following description, when reference is made to absolute position qualifiers, such as the terms "front", "back", "top", "bottom", "left", "right", etc., or relative position qualifiers, such as the terms "above", "below", "superior", "inferior", etc., or to orientation qualifiers, such as the terms "horizontal", "vertical", etc., reference is made, unless otherwise specified, to the orientation of the figures.

[0032] Unless otherwise specified, the expressions "approximately", "roughly", and "on the order of" mean to within 10% or 10°, preferably to within 5% or 5°.

[0033] Figure 1 represents an example of a system 100 comprising a network 102 susceptible to a cyberattack. For example, network 102 is a local area network comprising several interconnected machines, or computers. For example, the machines in network 102 are connected via a wired network or via a wireless network. In particular, the machines in network 102 are configured to communicate with each other by exchanging communication streams. For example, the entire network 102 is connected to an external network 104, such as intermet. For example, a firewall 106 is set up, for example on each of the machines on network 102, in order to control the data flows coming from the external network 104. For example, a router 107 is set up between the firewall 106 and the local network 102.Router 107, for example, is configured to direct packets from network 104 to local network 102.

[0034] The system 100 further includes a processing device 108 (NIDS) configured to determine whether communication flows are normal, i.e., they do not present any anomalies, or abnormal, i.e., they present one or more anomalies compromising the security of the system 100. The processing device 108 is further configured to report any detected anomaly to a system administrator 110.

[0035] By way of example, the communication flows taking place between machines on network 102 are recorded and stored in a database 112, such as, for example, a server. By way of example, each communication flow between two machines on network 102 is stored in association with one or more defining characteristics, such as, for example, the types of protocols used, the connection time of the packets in the flow, the number of originating packets, the activity of the Secure Sockets Layer (SSL), the activity of the Hypertext Transfer Protocol (HTTP), the activity of the Domain Name System (DNS), the violation activity, etc.

[0036] According to one embodiment, the processing device 108 is configured to determine, when abnormal or malicious behavior is detected on a machine on network 102, an attack path, including other machines on network 102, that was followed by the attacker. In particular, the attack path identifies each machine on network 102 that was infiltrated by the attacker in order to reach the machine on which the abnormal or malicious behavior is detected. By way of example, the processing device 108 is further configured to isolate each machine from the attack path. By way of example, isolating a machine includes disconnecting it from both the local network 102 and the external network 104.

[0037] Figure 2 is a block diagram showing the processing device 108 in more detail according to an example. The processing device 108 is, for example, configured to implement an intrusion detection method, according to an embodiment of the present description.

[0038] The processing device 108 includes, for example, one or more processors 202 under the control of instructions stored in an instruction memory (IM) 204. In another example, the processing device 108 includes one or more neural network acceleration units (NPUs - "Neural Processing Unit"), or graphics processing units (GPUs - "Graphics Processing Units"), under the control of instructions stored in the instruction memory 204.

[0039] By way of example, the processing device 108 further includes a communication interface 206 (INTERFACE). The communication interface 206 is, for example, configured to receive data related to communication flows that have taken place in the network 102 and are recorded in the data bank 112. The communication interface 206 is, for example, further configured to provide the data related to the communication flows to one or more processors 202. One or more processors 202, under the control of instructions in the instruction memory 204, is, for example, configured to implement an intrusion detection method, based on the data provided by the communication interface 206.

[0040] According to one embodiment, the instruction memory 204 includes instructions 208 (IDS) which, when executed by the processor(s) 202, make it possible to identify an attack path from an origin machine on which abnormal or malicious behavior has been detected. The instructions 208, in particular, allow data processing by a graphical neural network. Specifically, during the execution of the instructions 208, data associated with the communication flows in the network 102 are converted into graphs.

[0041] By way of example, memory 204, or another separate memory device, stores a graphic neural network (GNN) 210, so that a computer emulation of this artificial neural network is possible.

[0042] For example, the graphical neural network 210 is fully defined in memory 204, including the definition of the structure of the graphical neural network, i.e., the number of neurons in the input and output layers and in the hidden layers, the number of hidden layers, the activation functions applied by the neural circuits, etc. In addition, parameters of the artificial neural network 210, learned during training, such as its parameters and weights, are, for example, stored in memory 204. In particular, the graphical neural network is trained to assign an anomaly score to graphs representing exchanges of communication flows between the machines of the network 102, and in particular with an origin machine on which abnormal or malicious behavior is detected.For example, the higher the anomaly score, the more the graph provided to the graphical neural network represents an abnormal or malicious exchange of communication flows. It is, of course, possible that the anomaly score is calculated so that a score close to 0 represents an abnormal or malicious exchange of communication flows, and a higher score represents a normal exchange of communication flows.

[0043] In another example, the artificial neural network 210 implemented by the processor(s) 202 is implemented at least partially by one or more hardware circuits (not shown).

[0044] By way of example, the communication interface 206, or another interface of the processing device 108, is configured to provide the identification of one or more attack paths, determined by the device 108, under the execution of instructions 208, to the system administrator 110. In another example, the processing device 108 is configured to isolate any machine on the local network 102 identified as belonging to an attack path.

[0045] By way of example, the processing device 108 is configured to determine one or more attack paths, based on the indication of an origin machine for which abnormal or malicious behavior has been detected, offline. In other words, the processing device 108 is configured to execute the instructions 208 without being connected to the local network 102, and / or the external network 104.

[0046] Figure 3A represents the structure of a directed graph 300 depicting communication flow exchanges between several machines in network 102. In particular, graph 300 illustrates the exchange of flows F1, F2, F3, F4, F5, F6, and F7 between machines U1, U2, U3, U4, and U5 in network 102. Each machine corresponds to a node in graph 300, and each flow between two machines corresponds to an edge of graph 300. The direction of the edges corresponds to the direction of the represented flow. For example, flows F1 and F2 are transmitted to machines U5 and U2 respectively by machine U1. Thus, an edge 302 connects a node 304 representing machine U1 to a node 306 representing machine U5. Similarly, an edge 308 connects node 304 representing machine U1 to a node 310 representing machine U2. Both edges 302 and 308 are directed edges, whose direction runs from node 304 to nodes 306 and 310. For example, machine U3 receives the communication flow F5 from machine U4. Graph 300 then includes a node 312 corresponding to machine U3 connected to a node 314, corresponding to machine U4, by an edge 316, representing the flow F5. The direction of edge 316 goes from node 314 to node 312.

[0047] Figure 3B represents another structure of a graph 318 representing communication flow exchanges between several machines of network 102, according to an embodiment of the present description. In particular, graph 318 represents the same flow exchanges Fl to F5 as graph 300. In particular, graph 318 is undirected, that is to say, its edges have no direction.

[0048] The nodes of graph 318 represent the flows Fl to F5. Two nodes are connected by an edge if the two associated flows both originate from the same machine, or both are directed towards the same machine. For example, since flows Fl and F4 are both directed towards machine U5, nodes 320 and 322, respectively associated with flows Fl and F4, are connected by an undirected edge 324. Similarly, since flows Fl and F2 both originate from machine Ul, node 320 is connected to a node 326, corresponding to flow F2, by an undirected edge 328.

[0049] In general, to represent the exchange of communication flows between a set of machines connected to each other via a network, such as network 102, a graphical representation G is defined as G=(V,E,R,X) where V is the set of nodes of the graph, E is the set of edges, R represents the attributes of the edges, and X denotes the set of characteristics of the nodes. In particular, the set V is a set [vv 1 of cardinality N, being the 1 lvFh ' 'ni node corresponding to the flow Fl, etc. The set E is an LP set Ide cardinality N', N' being the total number of edges in the graph G. The set R is a set of cardinality N', representing attributes of the edges, that is to say the Features extracted from the streams. Each feature is, for example, a vector, or a single value, comprising attributes, for example weights, representing the features between the nodes.

[0050] By way of example, the characteristics of the flows are processed and transformed by the processing device 108 into a format compatible with neural networks graphics. As an example, the processing includes a standard normalization of all features so that the graphics neural network 210 manipulates data with the same scale. The processing also includes, for example, encoding non-numeric features, such as protocol types, to transform them into a numeric format. The set X is a set Xy] of cardinality N' denotes the set of features of the nodes of the set V. In particular, each element xi includes values ​​associated with the attributes attached to the nodes. For example, the element xi represents the features of the flow F^. In particular, each element Xi-i e{1, , A^'} is a vector of size Nf, where Nj is the number of features extracted from the flows. The structure of the graph G is associated with an adjacency matrix An of size N' x N' and such that Ay = Similarity (F^ Fj^) if the nodes corresponding to the flows F{ and Fj are connected by an edge, and such that Aq = 0 if the nodes corresponding to the flows F{ and Fj are not connected by an edge. The similarity function provides additional details about highly similar flows, particularly in the case of repetitive behaviors. For example, the elements of the set R include a similarity score.

[0051] In addition, a weight is associated with each edge. For example, for an edge IW E {1, , N'} connecting, for example, nodes vî and vj, the associated weight is a value such that [Math 1] xtx. ^fx(k)x <k) oùx^Æ) etXj(k) représentent respectivement the k-th component of the vectors x', xj, that is to say the k-th characteristic extracted from the flows vi and vj.

[0052] The graph structure described in relation to [Fig.3B] is described in the publication "Efficient Network Representation for GNN-based Intrusion Detection" published in Applied Cryptography and Network Security in 2023, by Friji, H. Oliviereau, A. and Sarkiss, M.

[0053] Figure 4A illustrates, in the form of graphs 400, 402, 404, and 406, an example of a multi-stage cyberattack on a network. In particular, a local network comprises five machines with IP (Internet Protocol) addresses IP2, IP2, IP3, and IP5. An attacker, for example, carries out several types of cyberattacks via a machine with IP address IP0, belonging, for example, to the local network or to an external network to which the local network is connected.

[0054] Graph 400 represents a recognition phase by information collection, carried out via the IPO machine to the addresses IPI, IP2, IP3 and IP4.

[0055] By way of example, for this recognition phase, machine IP0 generates and transmits flows Fl, F2, F3 and F4 respectively to machines IPI, IP2, IP3 and IP4. The machines with addresses IP0 to IP4 are represented by the nodes of graph 400 and the flows Fl, F2, F3 and F4 are represented by the edges of graph 400.

[0056] Next, the attacker performs an SQL injection (Structured Query Language) attack, via the machine with IP address 0, generating flows f], Fj, and Fp targeting the machine with IP address 1. The SQL injection attack is represented by a 402 graph. The 402 graph comprises two nodes, representing the machines with IP addresses 0 and 1. The 402 graph further comprises three edges, representing the flows f, F, and Fp, respectively, all directed from the node representing the machine with IP address 0 to the node representing the machine with IP address 1.

[0057] The attacker, for example, also carries out a cyberattack from the machine with IP address 0, targeting the machine with IP address 4, aiming to obtain a password, for example, necessary to connect to the local network. As an example, the machine with IP address 0 transmits streams f\, F4, F^, and F^ to IP address 4. This attack is represented by a 404 graph. The 404 graph comprises two nodes, representing the machines with IP addresses 0 and 4. The 404 graph further comprises four edges, representing respectively the streams f\, F^, F3^, and F*, all directed from the node representing the machine with IP address 0 to the node representing the machine with IP address 4.

[0058] The attacker, for example, spoofs their IP address to avoid detection of their intrusion attempts. The attacker then sends communication streams to the machine with IP address 4 from a spoofed IP address 0' in order to repeat their attack to obtain the password. For example, the attacker transmits streams p'^ F^, F^ F^, and F4 from IP address 0' to IP address 4. This new attack is represented by a 406 graph. The 406 graph has two nodes, representing the machines with IP addresses 0' and 4. The 406 graph also has four edges, representing the streams f'^ F^, F4, and F'^, respectively, all directed from the node representing the machine with IP address 0' to the node representing the machine with IP address 4.

[0059] Figure 4B illustrates, in the form of a 407 graph, the attacks represented by graphs 400, 402, 404, and 406. In particular, the structure of graph 407 corresponds to the graph structure described in relation to Figure 3B. While in graphs 400, 402, 404, and 406, the nodes correspond to the machines of the network, the nodes of the Graph 407 represents the exchanged flows. The nodes of graph 407 then represent the flows Fl, F2, F3, F4, f], F2v F\, f\, F2- Fl Fi Fl Fl Fl F?, Fl^t Fl For concern 11^ 4 4 4 4 4 4 4 4 4 4 4 For clarity on [Fig.4B], not all edges are illustrated.

[0060] Graph 407 comprises four subgraphs, 408, 410, 412, and 414, representing respectively the attacks represented by graphs 400, 402, 404, and 406. Since the flows F1, F2, F3, and F4 all originate from IP address 0, the nodes representing them are interconnected. As the flows F1, F2, and F3 are transmitted to the IP address 1PI, the nodes representing them are connected to the node representing the flow F1, which is also transmitted to the IP address 1PI. Furthermore, although not shown in Figure 4B, the nodes representing the flows F1, F2, and F3 are all connected to each of the nodes representing the flows F2, F3, and F4. Indeed, all these flows originate from IP address 0. Similarly, the nodes representing the flows Fl4, F^, F^, F^, F^, F^, F^, F^, F^, F^, Fl, F^, and f'I are all connected because these flows target the same IP4 address. The edges representing the flows f', F2, F3, F3.and F^ are further connected to all nodes Fl, F2, F3, F4, f], F2; and 4 4 4 4 4 1 1. F3 because these flows are all emitted from the same IP address.

[0061] The nodes representing the flows f'I Fl F^, F* and Fj are all connected to each other because these flows are transmitted from the same IP address 0'. Similarly, these nodes are all connected to the node representing the flow F4. Thus, the nodes representing the flows f], Fl Fl F* and F^ are not connected to the nodes representing the flows Fl, F2, F3, f\, F2 and F3 because these flows are neither transmitted from the same address, nor towards the same address.

[0062] A weight, as described in relation to [Fig.3B], is associated with each edge of graph 407. In particular, the weight of an edge connecting two nodes is calculated from one or more characteristics of the flows represented by the two nodes.

[0063] Figure 5 illustrates two iterations carried out in an intrusion detection process, according to an embodiment of the present description.

[0064] As an example, abnormal or malicious behavior is detected on a machine E. The processing device 108 is configured to identify, under the command of instructions 208, the other machines on the local network 102 that have exchanged communication flows with machine E.

[0065] By way of example, in a first iteration 500, the processing unit 108 is configured to identify machines that have exchanged communication streams in the period preceding the detection of abnormal behavior on machine E. For example, the period is between one hour and several weeks. For example, machines A, B, C, and D are identified as having exchanged communication streams with machine E. For each of the machines A, B, C, and D, a subgraph is determined. Each subgraph comprises one of the machines A, B, C, or D, represented by a node connected to one or more neighboring nodes representing other machines that have exchanged communication flows with machines A, B, C, or D. For example, a 502 subgraph comprises two nodes corresponding to machines A' and A'', each connected to the node corresponding to machine A by an edge oriented towards the node representing machine A. Similarly, a 504 subgraph comprises a node representing machine B and three other nodes corresponding to machines B', B'', and B''', each connected to the node corresponding to machine B by an edge oriented towards that node. Likewise, a 506 subgraph comprises a node corresponding to machine C' and connected to the node representing machine C. Finally, a 508 subgraph comprises nodes representing machines D' and D'' connected to the node representing machine D.As an example, the processing device 108 is configured to, when instructions 208 are executed and from the communication streams stored in the data bank 112, construct subgraphs 502, 504, 506 and 508.

[0066] The subgraphs 502, 504, 506 and 508 are for example processed by the graphic neural network 210. As an example, the graphic neural network 210 is configured to transform, in a step 510 (SUB GRAPH) the directed subgraphs 502, 504, 506 and 508 into graphs having a structure such as described in relation to Figures 3B and 4B, that is to say a structure for which the nodes of the graphs represent the communication flows, two nodes being connected if the corresponding flows are in the direction of the same machine or if they are leaving from the same machine.

[0067] In a step 512 (EMB), the neural network 210 is configured to extract the characteristics of the communication flows associated with the nodes of the graphs constructed during the execution of step 510. As an example, during the execution of step 512, the graph neural network 210 is configured to traverse each of the graphs constructed during the execution of step 510 in order to capture structural and relational information between the nodes and edges of the graphs. The graph neural network is then configured to produce vector representations for each subgraph, encapsulating the characteristics of the nodes and edges and the important relationships. In particular, the vector representations include the weights associated with the edges and attributes associated with the nodes, i.e., taking into account the elements of the sets R and X, as described in relation to [Fig.3B], are calculated during the execution of step 510.

[0068] The graphical neural network 210 is then configured to determine, in a step 514 (AS), for each of the subgraphs 502, 504, 506, and 508, an anomaly score. By way of example, the anomaly score corresponds to a distance between The vector representation associated with the subgraph at the center of a sphere, or hypersphere. In one embodiment, the sphere or hypersphere is a sphere or hypersphere in the space of vector representations whose radius and center are determined during a training phase of the 210 graph neural network. In particular, the sphere, or hypersphere, is determined by applying a Deep Support Vector Data Description (SVDD) method. The SVDD method allows for the inclusion of normal data by minimizing the radius of the sphere or hypersphere while including the maximum number of training points. The radius and center determined during training are then used to evaluate whether the new data is normal or not.In particular, the center and radius of the sphere or hypersphere, obtained by training the 210 graph neural network combined with the implementation of an SVDD-type method, are such that the sphere, or hypersphere, encapsulates the majority of vector representations associated with normal, or non-malicious, communication flow exchanges. For example, anomaly scores are numbers between 0 and 1 inclusive. The anomaly score corresponds to the probability that the considered subgraph exhibits an abnormal behavioral structure and / or contains at least one malicious communication flow. For example, the anomaly scores obtained for subgraphs 502, 504, 506, and 508 are 0.85, 0.1, 0.5, and 0.2, respectively. Thus, in the illustrated example, machine E was most likely infiltrated via machine A.For example, a graph is considered malicious when its anomaly score exceeds a threshold value, for example, 0.5. The threshold value determines, for instance, the sensitivity of the intrusion detection method; the value of 0.5 is given only as an example. Specifically, the threshold value is an adjustable parameter used to control detection sensitivity.

[0069] The processing device 108 is then, for example, configured to perform a second iteration 516 (SECOND ITERATION) when instructions 208 are executed. For example, the second iteration is performed if the machine identified in the first iteration as the most likely source of the intrusion belongs to the local network 102. For example, if the machine identified in the first iteration as the most likely source of the intrusion does not belong to the local network 102, the process terminates after the first iteration.

[0070] In the event that the second iteration takes place, it is carried out in the same way as the first iteration, replacing machine E with machine A. For example, in the second iteration, the processing device 108 identifies two machines A_l' and A_2' having exchanged communication streams with machine A', as well as two machines A_l” and A_2” having exchanged communication streams with machine A'. A subgraph 518 then comprises machines A', A_l', and A_2', and a subgraph 520 comprises machines A”, A_l” and A_2”. As an example, following the second iteration, the anomaly score obtained for graph 518 is higher than that obtained for subgraph 520. Thus, in the illustrated example, machine A was most likely infiltrated via machine A'.

[0071] Figure 6 is a flowchart illustrating steps carried out in the intrusion detection process, according to one embodiment of the present description.

[0072] In step 600 (INITIALIZATION), a machine E on the local network 102 exhibiting abnormal or malicious behavior is detected. For example, the detection is performed by the system administrator 110. The system administrator 110 identifies machine E with the processing device 108. In another example, the detection is performed directly by the processing device 108, for example, based on an analysis of the characteristics of the communication flows recorded in the database 112.

[0073] The processing device 108 is then configured to control the execution of instructions 208. During step 600, an initialization step of the algorithm executed by instructions 208 is performed. For example, the initialization step includes assigning the machine E to a first variable and initializing a list. For example, during the initialization step, an identification value, for example an IP address, of machine E is assigned to the first variable. For example, during the initialization step, the list is an empty list, or a list containing the identification value of machine E.

[0074] In a step 601 (END CONDITION?), the device 108 is configured to check whether a stopping condition is met. For example, the stopping condition is met if the first variable has the value of an identification value of a machine that is not in the local network 102. In another example, the stopping condition is met when the size of the list reaches a threshold value, for example, when the list contains between 10 and 1000 identification values.

[0075] If the stopping condition is not met (branch N at the output of step 601), the process continues in step 602 (ANOMALY SCORE FOR NEIGHBORING NODE), performed by the processing device 108, when instructions 208 are executed. The processing device 108 is then configured to identify at least one machine on the local network 102 or the external network 104 that has directly exchanged one or more communication streams with the machine assigned to the first variable, i.e., with machine E. Each other machine Having directly exchanged one or more communication streams with machine E is defined as a neighboring machine of machine E. As an example, the processing device 108 is configured to select neighboring machines of machine E that have exchanged one or more communication streams with the latter in a predetermined previous time period.

[0076] During step 602, the processing device 108 is further configured to generate one or more subgraphs, each subgraph comprising a machine neighboring machine E, and the machines in its vicinity. The processing device 108 is then configured to convert each subgraph into a graph having a structure in which the nodes represent the communication flows, as described in relation to Figures 3B and 4B. The processing device 108 is then configured to provide each graph having the structure described in [Fig. 3B] or 4B to the graphical neural network 210. The graphical neural network 210 is configured to, and has been previously trained to, generate an anomaly score for each subgraph.

[0077] In a step 603 (SELECT NEXT NODE), the processing device 108 is configured to select, based on the anomaly scores generated during the execution of step 602, one or more machines from among the neighboring machines determined during the execution of step 602. For example, the processing device 108 is configured to select the neighboring machine for which the anomaly score of the associated subgraph is the highest, indicating that this neighboring machine is the one most likely to have been infiltrated by the attacker in order to attack machine E. For example, the processing device 108 is configured to select the neighboring machine for which the anomaly score of the associated subgraph is the highest.

[0078] The processing device 108 is then configured to, in step 604 (ADD TO PATH), increment the list with, for example, the identification value of the selected neighboring machine. The list then constitutes an attack path.

[0079] In a step 605 (VALIDATION?), the processing device 108 is configured, for example, to analyze, for instance, based on additional information about the local network 102 and the external network 104, the attack path generated during the execution of step 602. The processing device 108 is further configured to validate or invalidate this attack path. The validation step consists, for example, of verifying the logic of the current scheme for constructing the attack path using events received by the network 102, for example, alerts from other intrusion detection systems, historical data, network anomalies, etc. For example, when another intrusion detection system has already detected abnormal flows from a machine Identified by the attack path, the attack path is, for example, validated. The validation step allows, for example, the system administrator 110, to get an idea of ​​the convergence of the attack path.

[0080] For example, when the attack path is not validated (branch N exiting block 605), the process terminates in step 606 (END). For example, during the execution of step 606, the processing device 108 is configured to provide the invalidated attack path to the system administrator 110. For example, following the invalidation of an attack path, the algorithm's execution is restarted, for example, by an engineer, step by step. Since the algorithm is iterative, this allows the engineer to follow the path's progress, machine by machine. If the algorithm diverges, the engineer can check the anomaly scores and the subgraphs used to recalculate them in order to determine the machine causing the attack path divergence.

[0081] When the attack path, or at least one of the attack paths, is validated (branch Y at the output of block 605), the processing device 108 is configured to assign the neighboring machine selected during the execution of step 603 to the first variable. The process then resumes in an embodiment of step 601, in order to determine whether the stopping condition is met for the machine identified by the first variable. For example, if this new machine belongs to a network external to the local network 102, the stopping condition is met.

[0082] If the stopping condition is met (branch Y exiting block 601), the process terminates in step 608 (RETURN PATH). For example, during step 608, the processing device 108 is configured to provide the attack path to the system administrator 110. For example, the system administrator then checks whether the machines identified by the attack path exhibit abnormal or malicious behavior. The system administrator 110 disconnects, for example, all the machines identified by the attack path from the local network 102. The system administrator 110 also disconnects, for example, all the machines identified by the attack path from the external network 104. For example, in parallel with providing the attack path to the system administrator 110, the device 108 is configured to isolate the identified machines from the local network 102.In another example, the processing device 108 is configured to generate an alert, for example on all machines identified by the attack path.

[0083] By way of example, the implementation of step 603 further includes the selection of at least one other neighboring machine having, for example, a high anomaly score. For example, the processing device 108 is configured to select all machines neighboring machine E whose anomaly score of the associated subgraph is greater than, or less than, a threshold value. By way of example, the threshold value is such A higher anomaly score means that the probability of the neighboring machine being infiltrated is greater than 0.5. In another example, the threshold value corresponds to the radius of the sphere, or hypersphere. In this case, during step 604, the processing device 108 is configured to generate as many lists as there are selected machines and to add, in addition to the already identified machine E, one selected neighboring machine per list. Each list then constitutes a possible attack path. The validation step 605 then involves validating at least one attack path, or invalidating all attack paths.

[0084] The detection process then operates in several iterations, starting from a machine on which malicious behavior is detected. Each iteration identifies one or more machines that have likely been infiltrated. Successive iterations then establish the attack path used by the attacker to infiltrate the machine on which malicious behavior is detected.

[0085] Figure 7 illustrates an example of the architecture of the graphic neural network 210 configured for intrusion detection, according to an embodiment of the present description.

[0086] In particular, [Fig. 7] illustrates how the 210 graphical neural network and the SVDD-type method are combined. A 700 block (AUTO ENCODER) corresponds to a reconstruction architecture, such as an autoencoder. A 700' block (ENCODER) corresponds to an encoder architecture.

[0087] The graph neural network 210 is configured to receive as input a graph having a structure such as that described in relation to Figures 3B and 4B. In another example, the graph neural network 210 is configured to receive the characteristics of the flows stored in the data bank 112, the characteristics then including the origin and direction of each flow. The graph neural network 210 is then configured to generate a representation of the graph 702 (Z), for example in the form of a vector of numerical values, in a reduced-dimensional space (in English, "embedding"). By way of example, the generation of the representation is carried out by applying a graph data embedding method.In particular, the generation of the vector representation is implemented by an attention-based feature extractor and a spatial feature extractor, through which the graph neural network 210 traverses the graph to capture structural and relational information between nodes and edges, while encapsulating important features and relationships. The auto-encoder 700 further includes a configured decoder 705 (DECODER). to generate a reconstructed graph 707 (RECONSTRUCTION), based on the representation of graph 702.

[0088] The graphical neural network is then configured to determine a distance between this representation and a sphere, or a hypersphere, 706 in the representation space. In particular, the parameters defining the sphere or hypersphere, i.e., its center and radius, are determined during the training of the graphical neural network 210. The anomaly score is then determined on the basis of this distance.

[0089] In particular, the graph neural network 210 comprises layers 702 of graph convolutional neural networks (GNNs). For example, the outputs of each convolutional layer are activated by an activation function 704 (RELU). For example, the activation function is a Rectified Linear Unit (ReLU) type activation function. The weights of the convolutional layers are, for example, initialized during the training phase of the graph neural network 210 using an encoder-decoder architecture, the encoder being the model of the convolutional layers 703.

[0090] The training phase of the graphics neural network 210 includes, for example, the identification of the sphere, or hypersphere, 706 encapsulating the representations associated with normal communication flow exchanges, that is, without anomalies. In particular, the objective of training the neural network 210 is, for example, to identify the sphere, or hypersphere 706, in such a way that its volume is minimal. In other words, the identification of the sphere, or hypersphere 706, is carried out with the objective that it encapsulates any representation associated with normal flow exchanges while not encapsulating representations of abnormal or malicious flow exchanges. According to one embodiment, the identification of the sphere, or hypersphere, 706 is carried out by applying an SVDD-type method with a classification objective to a class corresponding to representations of normal flow.As an example, the learning of the graphical neural network 210 is performed using training data, all representing communication flow exchanges without anomalies. As another example, the learning is further performed by applying a stochastic gradient descent backpropagation method. The weights of the convolutional layers and a center C and a radius R defining the sphere, or hypersphere, 706 are then fixed to values ​​that will be used during the inference phase. These values ​​are reached, for example, when the learning process converges to a local minimum.

[0091] By way of example, block 700 is driven before block 700'. The weights obtained for layers 703 of autoencoder T 700 are then used as initialization of The 700' encoder. This is symbolized by an arrow going from the encoder part of block 700 to the encoder part of block 700'. In another example, the 700' encoder is omitted.

[0092]

[0093] One advantage of the described embodiments is that performing the process in several iterations makes it possible to track the infiltrated machines. The detection of the attack path is transparent to the system administrator.

[0094] Various embodiments and variations have been described. A person skilled in the art will understand that certain features of these various embodiments and variations could be combined, and other variations will become apparent to a person skilled in the art.

[0095] Finally, the practical implementation of the embodiments and variants described is within the reach of a person skilled in the art, based on the functional indications given above.

Claims

Demands

1. A method for detecting intrusion on a first machine (E) connected to a network (102) comprising a plurality of machines, the method comprising: a) the identification, by a processing device (108), of a second machine (A, B, C, D) that has exchanged a first communication stream directly with the first machine; b) the determination, by the processing device (108), of a first subgraph (502, 504, 506, 508) comprising the first stream and other streams exchanged directly between other machines among the plurality of machines and the second machine; c) the provision, by the processing device (108), of the first subgraph to a graphical neural network (210); d) the generation, by the graphical neural network, of a first anomaly score on the basis of the first subgraph;e) the determination, by the processing device and on the basis of the value of the first anomaly score, of whether the second machine is a malicious machine; f) if the second machine is determined to be a malicious machine, the verification, by the processing unit, of a stopping condition on the second machine; and g) if the stopping condition is not met, the resumption of the process from step a), with the second machine taking the place of the first machine and a list being incremented with an identifier of the second machine; or h) if the stopping condition is met, the isolation of the machines identified in the list.

2. A method according to claim 1, wherein each node of the second subgraph corresponds to a communication flow exchanged between the second machine and one of the other machines that have exchanged directly with the second machine, two nodes of the second subgraph being linked when the two corresponding flows are either from the same machine, or towards the same machine.

3. A method according to claim 2, wherein the determination, by the processing device (108), of a first subgraph (502, 504, 506, 508) comprises the transformation of a directed graph whose nodes correspond to the second machine and to the other machines that have exchanged directly with the second machine, and each edge connecting two nodes of the directed graph corresponds to the flow of communication exchanged between the two machines corresponding to the two nodes.

4. A method according to claim 3, wherein the graphical neural network (210) is configured to generate a first vector representation by converting the first subgraph to a reduced-dimensional vector representation.

5. A method according to claim 4, wherein each node of the first subgraph is associated with a set of features, and wherein the graph neural network (210) is configured to convert the first subgraph into the first vector representation further on the basis of each set of features associated with each edge.

6. A method according to claim 5, wherein each set of features associated with a node of the first subgraph includes an indication of the protocol and / or connection time and / or packet count and / or SSL secure socket layer activity, and / or HTTP hypertext transfer protocol activity and / or DNS domain name system activity and / or communication flow violation activity corresponding to the node.

7. A method according to any one of claims 4 to 6, wherein the anomaly score of the first subgraph corresponds to the distance between the first vector representation and a sphere, or a hypersphere, in reduced-dimensional space.

8. A method according to any one of claims 1 to 7, wherein the second machine is determined to be a malicious machine if its anomaly score is greater than a threshold value.

9. A method according to any one of claims 1 to 8, further comprising: - the determination, by the processing device (108), of a third machine (A, B, C, D) having respectively exchanged a second communication stream directly with the first machine; - the performance of steps b) to e), the third machine taking the place of the first machine; - comparing the anomaly score obtained for the third machine with the first anomaly score; and - if the second and third machines are determined to be malicious machines, comparing the first anomaly score with the anomaly score obtained for the third machine; - checking, by the processing unit, a stopping condition on the machine among the second and third machines with the highest anomaly score; and - if the stopping condition is not checked, restarting the process from step a), with the machine among the second and third machines with the highest anomaly score taking the place of the first machine and incrementing a list with an identifier of the machine among the second and third machines with the highest anomaly score.

10. A method according to any one of claims 1 to 9, wherein the stopping condition is checked if the second machine does not belong to the network (102).

11. Device comprising: - a memory (204) comprising instructions for carrying out the process according to any one of claims 1 to 10, the device further being configured to receive features associated with a plurality of streams and stored in an external memory (112), the plurality of streams being exchanged between a plurality of machines connected to a network (102).

12. System comprising the device according to claim 11 and a graphical artificial neural network configured to: - receive as input a first subgraph; - generate a vector representation of the first subgraph in a reduced-dimensional space; and - calculate a distance between the vector representation and a sphere, or hypersphere, in the reduced-dimensional space.

13. System according to claim 12, wherein the center and radius of the sphere, or hypersphere, are obtained following a training phase of the graphic neural network (210).

14. System according to claim 12 or 13, wherein the graphic artificial neural network (210) comprises at least one convolutional graphic neural layer.

15. Method for training the artificial neural network (210) according to any one of claims 12 to 14, the training method comprising: - the provision of a plurality of subgraphs representing exchanges of communication flows between a plurality of machines, the exchanged communication flows not including any anomalies; - the generation, for each of the subgraphs and on the basis of the characteristics of each of the communication flows, of a vector representation, and - the determination, by application of a method of the type of description of deep support vector data, of a center and a radius defining a sphere (706), or a hypersphere, in the space of the vector representations, the center and the radius being such that the sphere, or the hypersphere, encapsulates each of the vector representations.