US 12,445,477 B2
Apparatus for inferring cyberattack path based on attention, and apparatus and method for training intelligent attack path prediction model
Ki-Jong Koo, Daejeon (KR); Dae-Sung Moon, Daejeon (KR); Joo-Young Lee, Daejeon (KR); Ik-Kyun Kim, Daejeon (KR); and Kyung-Min Park, Daejeon (KR)
Assigned to Electronics and Telecommunications Research Institute, Daejeon (KR)
Filed by ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE, Daejeon (KR)
Filed on Aug. 5, 2022, as Appl. No. 17/882,090.
Claims priority of application No. 10-2021-0104942 (KR), filed on Aug. 10, 2021.
Prior Publication US 2023/0047450 A1, Feb. 16, 2023
Int. Cl. H04L 9/40 (2022.01); G06N 3/08 (2023.01)
CPC H04L 63/1433 (2013.01) [G06N 3/08 (2013.01)]
18 Claims
 
1. An apparatus for training an intelligent attack path prediction model, comprising:
memory in which at least one program is recorded; and
a processor for executing the program,
wherein the program performs generating and collecting a virtual network topology and host asset information required for predicting cyberattack vulnerabilities in a computer network system;
extracting at least one of global feature data and specific feature data from the collected network topology and host asset information; and
training a neural network model for predicting attack vulnerabilities in the network system by using at least one of the extracted global feature data and specific feature data as training data,
wherein the extracting at least one of the global feature data and the specific feature data includes
reading a CVE (Common Vulnerabilities and Exposures) file, generated by reflecting a vulnerability level of a software component, and generating asset dictionaries for encoding intelligent attack graph learning data;
extracting feature data required for model training from preconstructed intelligent attack graph learning data;
generating global feature data for each topology to be used for model training; and
generating positive attack path data and negative attack path data with which the intelligent attack path prediction model is to be trained,
wherein the asset dictionaries include a service dictionary, a port dictionary, and a product dictionary, and
wherein generating the global feature data for each topology to be used for model training includes
forming a service vector, a port vector, and a product vector;
forming N channels corresponding to a number of hosts;
assigning a service, a port, and a product, among software components, read from a service list to dimensions of respective vectors;
concatenating an OS (Operating System), service, product, and port vectors in an order in which the OS (Operating System), service, product, and port vectors are listed so as to form a matrix for each host; and
concatenating the N channels so as to form a tensor.
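
The global-feature step recited in claim 1, sketched as an added example (not code from the patent or its assignee). Assumptions: the dictionaries are built from the hosts' own asset records rather than from a CVE file, the OS also gets a dictionary, vectors are multi-hot and zero-padded to a common width, and each host's matrix stacks the four vectors as rows; all names and sample hosts are constructed.

```python
# Added illustration of the claimed encoding; every name here is hypothetical.
# Constructed sample hosts: an OS plus a service list of (service, port, product).
HOSTS = [
    {"os": "linux", "services": [("ssh", 22, "openssh"), ("http", 80, "nginx")]},
    {"os": "windows", "services": [("smb", 445, "samba")]},
    {"os": "linux", "services": [("http", 8080, "tomcat"), ("ssh", 22, "openssh")]},
]

def build_dictionary(values):
    """Map each distinct value to one vector dimension (sorted, so stable)."""
    return {v: i for i, v in enumerate(sorted(set(values)))}

def build_dictionaries(hosts):
    """Service, port and product dictionaries (OS dictionary is an assumption)."""
    entries = [e for h in hosts for e in h["services"]]
    return {
        "os": build_dictionary(h["os"] for h in hosts),
        "service": build_dictionary(s for s, _, _ in entries),
        "product": build_dictionary(p for _, _, p in entries),
        "port": build_dictionary(n for _, n, _ in entries),
    }

def multi_hot(dictionary, present, width):
    """Set the dimension of every asset the host has; the rest stays zero padding."""
    vec = [0] * width
    for item in present:
        vec[dictionary[item]] = 1
    return vec

def host_matrix(host, dicts, width):
    """Rows in the claimed order: OS, service, product, port."""
    svc = host["services"]
    return [
        multi_hot(dicts["os"], [host["os"]], width),
        multi_hot(dicts["service"], [s for s, _, _ in svc], width),
        multi_hot(dicts["product"], [p for _, _, p in svc], width),
        multi_hot(dicts["port"], [n for _, n, _ in svc], width),
    ]

def global_feature_tensor(hosts):
    """One channel (matrix) per host, concatenated into an N x 4 x W tensor."""
    dicts = build_dictionaries(hosts)
    width = max(len(d) for d in dicts.values())
    return [host_matrix(h, dicts, width) for h in hosts]

if __name__ == "__main__":
    for channel in global_feature_tensor(HOSTS):
        print(channel)
```
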