US 12,438,908 B2
Method and system for detecting complex multi-step attack in electric power system
Weiyong Yang, Jiangsu (CN); Haotian Zhang, Jiangsu (CN); Wei Liu, Jiangsu (CN); Xingshen Wei, Jiangsu (CN); Peng Gao, Jiangsu (CN); Yongjian Cao, Jiangsu (CN); Shishun Zhu, Jiangsu (CN); Chao Wu, Jiangsu (CN); Qiuhan Tian, Jiangsu (CN); Jian Zhou, Jiangsu (CN); Yiming Zhu, Jiangsu (CN); Longyun Qi, Jiangsu (CN); Yibin Huang, Jiangsu (CN); Zengzhou Ma, Jiangsu (CN); Huishui Li, Jiangsu (CN); Yongming Cao, Jiangsu (CN); and Nannan Guo, Jiangsu (CN)
Assigned to NANJING NARI INFORMATION & COMMUNICATION TECHNOLOGY CO., LTD., Nanjing (CN)
Filed by NANJING NARI INFORMATION & COMMUNICATION TECHNOLOGY CO., LTD., Jiangsu (CN)
Filed on Dec. 21, 2023, as Appl. No. 18/391,756.
Application 18/391,756 is a continuation of application No. PCT/CN2023/110080, filed on Jul. 31, 2023.
Claims priority of application No. 202211526232.1 (CN), filed on Dec. 1, 2022.
Prior Publication US 2024/0187446 A1, Jun. 6, 2024
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1458 (2013.01) [H04L 63/1425 (2013.01)] 7 Claims
OG exemplary drawing
 
1. A method for detecting a complex multi-step attack in an electric power system, comprising:
collecting interaction behavior data of a network entity;
preprocessing the interaction behavior data of the network entity based on a heterogeneous graph to obtain input data; and
inputting the input data into a complex multi-step attack detection module to obtain an attack detection result;
wherein the preprocessing the interaction behavior data of the network entity based on a heterogeneous graph comprises:
extracting information from the interaction behavior data of the network entity to construct a node and an edge, which comprises establishing the heterogeneous graph by using each of a user, a host, a file, and a website in the interaction behavior data of the network entity as the node and using a connection relationship between nodes as the edge;
firstly defining a concept of the heterogeneous graph by using a source Internet Protocol (IP) address as a source node, a destination IP address as a destination node, and a connection relationship between the source node and the destination node as the edge, wherein a meta relationship is represented by a triplet of <source node, edge, destination node>; there are a plurality of types of source nodes, destination nodes, and edges; a timestamp of the event occurrence time is allocated to each triplet to reflect the dynamic feature, thereby forming a quadruple notation of <source node, edge, destination node, timestamp>; and specifically comprising the following:
extracting information from the interaction behavior data of the network entity to construct node types and edge types, wherein the node types comprise the user, the host, the file, and the website, and the edge types comprise logging in to the host by the user, logging out of the host by the user, opening the file by the host, writing the file by the host, uploading the file to the website, downloading the file from the website, and accessing the website by the user; and
extracting information from the interaction behavior data of the network entity to construct a node feature and an edge feature, wherein node features of the user comprise a username, a user group, and a user mailbox; node features of the host comprise a device identity (ID) of the host, a device model of the host, a region of the host, and a quantity of times that a Universal Serial Bus (USB) flash disk of the host is used; node features of the file comprise file creation time, file modification time, a file type, and a file name; and edge features of logging in to the host by the user and logging out of the host by the user comprise an authentication status code, an authentication event, and an authentication type; and
determining that final input data is related features and timestamp information of the destination node and an adjacent source node of the destination node, wherein the input data is in a form of <ID of the source node, ID of the destination node, type of the source node, type of the destination node, feature of the source node, feature of the destination node, edge type, edge feature, timestamp>;
inputting the timestamp information of the destination node and the adjacent source node of the destination node in the heterogeneous graph into a Time2Vec layer to obtain a first time embedding representation, which comprises:
taking the destination IP address in a network behavior log as the destination node and the source IP address in the network behavior log as the source node, and subtracting the timestamp information of the source node adjacent to the destination node from the timestamp information of the destination node to obtain a time difference sequence; representing the source node src and its corresponding timestamp ts by T(src@ts), and the destination node dst and its corresponding timestamp td by T(dst@td); and calculating a relative time interval according to ΔT(dst@td, src@ts)=T(dst@td)−T(src@ts), wherein the relative time interval is represented by the time difference sequence ΔT;
inputting the time difference sequence ΔT into the Time2Vec layer to obtain, in the form of an embedding vector, first time embedding representations of the source node and the destination node at a current time point, and inputting the embedding vector into a linear layer that linearly maps it back to the original dimension to serve as the time feature of the destination node, in other words, the first time embedding representation; and
inputting data that fuses the node feature information and the first time embedding representation into a Heteformer layer, wherein the Heteformer is a deep learning model for processing the heterogeneous graph; the Heteformer layer is used to extract the semantic information contained in the heterogeneous nodes and heterogeneous edges of the heterogeneous graph to form a node embedding representation for each node, and to provide an input for a downstream task; a specific calculation process of the Heteformer layer comprises: allocating different weights based on different node types and edge types, learning, by using a self-attention mechanism, the neighbor information that contributes the most to the complex multi-step attack detection task, and aggregating the neighbor information to obtain a second node embedding representation as the input data.
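The preprocessing pipeline of claim 1, carried through on a constructed log as an added worked example (this is illustration code, not the patent's or the assignee's implementation): raw events become <source node, edge, destination node, timestamp> quadruples and the nine-field input records, the time difference sequence ΔT = T(dst@td) − T(src@ts) is taken over the sources adjacent to a destination node, Time2Vec (Kazemi et al., 2019: one linear component, the rest sinusoidal) embeds each ΔT and a linear layer maps it back to one dimension, and a type-weighted softmax attention over the neighbours stands in for the Heteformer layer, whose architecture the page specifies only as type-dependent weights plus self-attention. Everything not named in the claim is an assumption: the log layout, the file→website direction of "upload", the crc32 feature hashing of categorical node features, the filter to neighbours at or before the query time, and the untrained Time2Vec, linear and relation-weight parameters.

```python
"""Worked example of the claim-1 preprocessing. Added illustration, not the patent's code;
all events, features and parameters below are constructed and the parameters are untrained."""
import math
import zlib

NODE_TYPES = {"user", "host", "file", "website"}
EDGE_TYPES = {"login", "logout", "open", "write", "upload", "download", "access"}

# Constructed interaction-behaviour log, one event per tuple:
# (timestamp, source id, source type, edge type, destination id, destination type, edge features).
# Treating "upload" as file -> website and "download" as website -> file is an assumption.
LOG = [
    (100, "alice", "user", "login", "host7", "host", {"auth_status": 0, "auth_event": "logon", "auth_type": "password"}),
    (160, "host7", "host", "open", "f.xlsx", "file", {}),
    (220, "host7", "host", "write", "f.xlsx", "file", {}),
    (300, "alice", "user", "access", "drop.example", "website", {}),
    (340, "f.xlsx", "file", "upload", "drop.example", "website", {}),
    (400, "alice", "user", "logout", "host7", "host", {"auth_status": 0, "auth_event": "logoff", "auth_type": "password"}),
]

# Constructed node features, a subset of the fields the claim lists per node type.
NODE_FEATURES = {
    "alice": {"username": "alice", "user_group": "ops", "mailbox": "alice@corp.example"},
    "host7": {"device_id": "H-0007", "model": "X1", "region": "plant-A", "usb_uses": 3},
    "f.xlsx": {"created": 90, "modified": 220, "file_type": "xlsx", "file_name": "f.xlsx"},
    "drop.example": {},
}

def build_quadruples(log):
    """<source node, edge, destination node, timestamp> notation from the claim; rejects unknown types."""
    quads = []
    for ts, src, st, edge, dst, dt, _ in log:
        if st not in NODE_TYPES or dt not in NODE_TYPES or edge not in EDGE_TYPES:
            raise ValueError(f"unknown node/edge type in event at t={ts}")
        quads.append((src, edge, dst, ts))
    return quads

def build_input_records(log, features=NODE_FEATURES):
    """Nine-field input form from the claim, one record per event."""
    return [
        {"src": src, "dst": dst, "src_type": st, "dst_type": dt,
         "src_feat": features.get(src, {}), "dst_feat": features.get(dst, {}),
         "edge_type": edge, "edge_feat": ef, "ts": ts}
        for ts, src, st, edge, dst, dt, ef in log
    ]

def adjacent_sources(records, dst, td):
    """Events whose destination is dst and which happened at or before query time td (assumed filter)."""
    return [r for r in records if r["dst"] == dst and r["ts"] <= td]

def time_differences(records, dst, td):
    """Time difference sequence: ΔT = T(dst@td) - T(src@ts) for every source adjacent to dst."""
    return [td - r["ts"] for r in adjacent_sources(records, dst, td)]

def time2vec(delta, w, b):
    """Time2Vec: linear first component, sin(w_i * t + b_i) for the remaining components."""
    return [w[0] * delta + b[0]] + [math.sin(w[i] * delta + b[i]) for i in range(1, len(w))]

def linear(vec, weight, bias):
    """Dense layer: one output per weight row."""
    return [sum(wi * vi for wi, vi in zip(row, vec)) + bi for row, bi in zip(weight, bias)]

# Constructed, untrained parameters: 4-dim Time2Vec projected back to the 1-dim timestamp.
T2V_W, T2V_B = [0.001, 0.01, 0.05, 0.2], [0.0, 0.0, 1.0, 2.0]
LIN_W, LIN_B = [[0.5, 0.25, 0.25, 0.25]], [0.0]

def time_feature(delta):
    """First time embedding representation: Time2Vec(ΔT) mapped back to the original dimension."""
    return linear(time2vec(delta, T2V_W, T2V_B), LIN_W, LIN_B)[0]

def feature_vector(feat, dim=4):
    """Feature hashing (crc32, so deterministic across runs) of node features into dim signed buckets."""
    vec = [0.0] * dim
    for k, v in sorted(feat.items()):
        h = zlib.crc32(f"{k}={v}".encode())
        vec[(h >> 1) % dim] += 1.0 if h & 1 else -1.0
    return vec

# Relation-specific weights keyed by (source type, edge type): stand-in for the
# type-dependent parameters of the Heteformer layer; unlisted relations weigh 1.0.
RELATION_WEIGHT = {("file", "upload"): 2.0, ("user", "login"): 1.5}

def aggregate_neighbors(records, dst, td, dim=4):
    """Type-weighted softmax attention over adjacent sources.
    Returns (embedding, [(src, edge, attention)]); the embedding fuses hashed source features with the time feature."""
    nbrs = adjacent_sources(records, dst, td)
    if not nbrs:
        return [0.0] * (dim + 1), []
    feats = [feature_vector(r["src_feat"], dim) + [time_feature(td - r["ts"])] for r in nbrs]
    # Logit = relation weight * neighbour time feature: a scalar proxy for a learned query/key score.
    logits = [RELATION_WEIGHT.get((r["src_type"], r["edge_type"]), 1.0) * f[-1] for r, f in zip(nbrs, feats)]
    m = max(logits)
    exps = [math.exp(x - m) for x in logits]
    attn = [e / sum(exps) for e in exps]
    emb = [sum(a * f[i] for a, f in zip(attn, feats)) for i in range(dim + 1)]
    return emb, [(r["src"], r["edge_type"], a) for r, a in zip(nbrs, attn)]
```

Running `aggregate_neighbors(build_input_records(LOG), "drop.example", 340)` returns the five-dimensional fused embedding for the website node at the time of the upload, with the (file, upload) relation receiving the larger attention weight because of its relation weight and zero ΔT. Two caveats a practitioner should keep in mind: the claim's subtraction only yields non-negative ΔT if neighbours are restricted to events at or before the query time, which the text implies but does not state, so that filter is an explicit assumption here; and in a trained model the attention logits come from learned projections of the fused node and time features, so the weights above only show the mechanism, not detection quality.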