Semantic Recognition for Attack Behavior Based on Heterogeneous Attributed Graph

Journal of Information Security Reserach ›› 2022, Vol. 8 ›› Issue (3): 292-.

Previous Articles Next Articles

Semantic Recognition for Attack Behavior Based on Heterogeneous Attributed Graph

Online:2022-03-01 Published:2022-03-01

基于异构属性图的自动化攻击行为语义识别方法

薛见新１王星凯12 张润滋1 顾杜娟1 刘文懋1

^１(绿盟科技集团股份有限公司　北京 100089)
²(清华大学自动化系　北京 100084)

通讯作者: 薛见新, 工学博士, 主研领域：网络安全，安全知识图谱,手机：18600645215, 单位：绿盟科技，通信地址：北京海淀北洼路4号益泰大厦,邮编：100089, E-mail：xuejianxin@nsfocus.com
作者简介:薛见新, 工学博士, 主研领域：网络安全，安全知识图谱,手机：18600645215, 单位：绿盟科技，通信地址：北京海淀北洼路4号益泰大厦,邮编：100089, E-mail：xuejianxin@nsfocus.com 王星凯，工学博士，主研领域：网络安全，单位：绿盟科技，通信地址：北京海淀北洼路4号益泰大厦，邮编：100089，E-mail：wangxingkai@nsfocus.com；张润滋，工学博士，主研领域：网络安全、AISecOps，单位：绿盟科技，通信地址：北京海淀北洼路4号益泰大厦，邮编：100089，E-mail：zhangrunzi@nsfocus.com 顾杜娟，工学博士，主任研究员，主研领域：网络安全、安全知识图谱，单位：绿盟科技，通信地址：北京海淀北洼路4号益泰大厦，邮编：100089，E-mail：gudujuan@nsfocus.com 刘文懋，工学博士，主研领域：云安全、容器安全，单位：绿盟科技，通信地址：北京海淀北洼路4号益泰大厦，邮编：100089，E-mail：liuwenmao@nsfocus.com

Abstract

Abstract: Abstract In order to bridge the semantic gap between security device logs and attack behaviors, an automatic attack behavior semantic recognition method based on heterogeneous attributed graph is proposed. Firstly, heterogeneous graph is used to model the threat of system logs. Then, taking the attack context as the semantics and combined with the knowledge map representation, the vector representation of nodes and edges in the graph is obtained. Meanwhile, hierarchical clustering is used to aggregate similar logs, and the most representative logs are found as the behavior representation of the whole class. Finally, the experimental verification of this method shows that this method has high accuracy in the abstraction of system normal behavior and malicious behavior. More importantly, in the stage of attack investigation and evidence collection, it can greatly reduce the workload of security operation.

Key words: Attack provenance, Security Operations, Heterogeneous attributed graph, Attack behavior, Semantic recognition

摘要： 当前安全运营人员面对的是海量的设备日志，需要根据其专家知识或经验来进行调查溯源，这大大的降低了安全运营的效率，同时也为安全运营设置了较高的知识门槛。为了解决这一问题，本文提出了一种基于异构图的自动化攻击行为语义识别方法，能够实现底层安全日志到上层攻击行为之间的映射。首先，利用异构图对系统日志进行威胁建模；然后，以攻击行为上下文为语义并结合知识图谱表示学习得到图中节点与边的向量表示；接着，利用层次聚类把相似的日志聚合到一起，从中找出最具代表性日志作为整个类的行为表示。最后，对本文提出的方法进行了实验验证，可以看出本文方法在系统正常行为与恶意行为的识别上都具有较高的精度，本文方法可以大大提高安全运营的效率。

关键词: 关键词攻击溯源, 安全运营, 异构属性图, 攻击行为, 语义提取

薛见新, 王星凯, 张润滋, 顾杜娟, 刘文懋, . 基于异构属性图的自动化攻击行为语义识别方法[J]. 信息安全研究, 2022, 8(3): 292-.

References

[1] 彭祯方, 邢国强, 陈兴跃. 人工智能在网络安全领域的应用及技术综述[J]. 信息安全研究, 2022, 8(2): 110-116

[2] Pasquier T, Han X, Moyer T, et al. Runtime Analysis of Whole-System Provenance[C]// ACM Conference on Computer and Communications Security (CCS'18). New York: ACM, 2018:1601-1616

[3] Pasquier T, Han X, Moyer T, et al. Practical Whole-System Provenance Capture. Symposium on Cloud Computing[C]// Proceedings of the 2017 Symposium on Cloud Computing. New York: ACM, 2017:405-418

[4] Milajerdi S, Gjomemo R, Eshete B, et al. HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows [C]// 2019 IEEE Symposium on Security and Privacy (SP). Piscataway, NJ: IEEE, 2019: 1137-1152

[5] King S T, Chen P M. Backtracking intrusions[C]// Proceedings of the 19th ACM Symposium on Operating Systems Principles 2003. New York: ACM, 2003: 223-236

[6] Kwon Y, Wang F, Wang W, et al. MCI:Modeling-based Causality Inference in Audit Logging for Attack Investigation[C]// Network and Distributed System Security Symposium. Rosten, VA: ISOC 2018

[7] Kwon Y, Kim D, Sumner W N, et al. LDX: Causality Inference by Lightweight Dual Execution[C]// ACM SIGARCH Computer Architecture News 2016. New York: ACM 2016:503-515

[8] Hassan W U, Noureddine M A, Datta P, et al. OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis[C]// Network and Distributed System Security Symposium. Rosten, VA: ISOC 2020

[9] King S T, Mao Z M, Lucchetti D G, et al. Enriching intrusion alerts through multi-host causality[C]//Network & Distributed System Security Symposium. Rosten, VA: ISOC 2005.

[10] Haas S, Sommer R, Fischer M. zeek-osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection[C]// ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology. Cham:Springer 2020

[11] Ji Y, Lee S, Fazzini, et al. Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking[C]//In Proceedings of The 27th USENIX Security Symposium. Berkeley: USENIX Association 2018: 1705-1722

[12] Liu Y , Zhang M , Li D , et al. Towards a Timely Causality Analysis for Enterprise Security[C]// Network and Distributed System Security Symposium. Rosten, VA: ISOC 2018

[13] Hassan W U, Guo S, Li D, et al. NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage[C]// Network and Distributed System Security Symposium. Rosten, VA: ISOC 2019

[14] Milajerdi S M, Eshete B, Gjomemo R, et al. POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting[C]// ACM Conference on Computer and Communications Security (CCS'19). New York: ACM, 2019: 1795–1812

[15] Hassan W U, Bates A, Marino D. Tactical Provenance Analysis for Endpoint Detection and Response Systems[C]// 2020 IEEE Symposium on Security and Privacy (SP). Piscataway, NJ: IEEE, 2020:1172-1189

[16] Bordes A, Usunier N, Garcia-Duran A, et al. Translating Embeddings for Modeling Multi-relational Data[C]// Conference and Workshop on Neural Information Processing Systems. New York:Curran Associates Inc. 2013

[17] Yankai L, Zhiyuan L, Maosong S, et al. Learning Entity and Relation Embeddings with Entity Description for Knowledge Graph Completion[C]// Proceedings of the Twenty-Ninth AAAI Conference on Artificial Intelligence. Menlo Park: AAAI 2015:2181-2187

[18] Wang Z, Zhang J, Feng J, et al. Knowledge Graph Embedding by Translating on Hyperplanes[C]// Proceedings of the Twenty-Ninth AAAI Conference on Artificial Intelligence. Menlo Park: AAAI Press 2014:1112-1119

[19] Jain A K, Murty M N, Flynn P J. Data Clustering: A Review[J]. Acm Computing Surveys, 1999, 31(3): 264-323

[20] Eshete B, Gjomemo R, Hossain M N, et al. Attack Analysis Results for Adversarial Engagement 1 of the DARPA Transparent Computing Program[J]. arXiv preprint 2016

[21] Grover A , Leskovec J. node2vec: Scalable Feature Learning for Networks[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Ming. New York: ACM 2016:855-864

[22] Dong Y, Chawla N V, Swami A. metapath2vec: Scalable Representation Learning for Heterogeneous Networks [C]// Proceedings of the 23nd ACM SIGKDD International Conference on Knowledge Discovery and Data Ming. . New York: ACM 2017:125-144

Semantic Recognition for Attack Behavior Based on Heterogeneous Attributed Graph

基于异构属性图的自动化攻击行为语义识别方法

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 1

Recommended Articles

Metrics