CN-121283759-B - Cross-layer security event real-time association and attack path tracing method, system and equipment based on unified entity map
Abstract
The invention discloses a cross-layer security event real-time association and attack path tracing method, system and equipment based on a unified entity map. The method comprises the following steps: first, constructing and dynamically maintaining the unified entity map; second, performing real-time event association based on graph computation; and third, automatically tracing bidirectional attack paths. Through the unified entity map and cross-layer entity alignment and fusion, data silos are broken and a global entity view covering multiple layers is formed, which greatly improves the completeness and accuracy of attack cognition. A streaming architecture realizes real-time processing of data ingestion, map updates and event association, so that cross-layer attack indicators are captured in time and mean detection and response time is noticeably shortened. An automatic bidirectional tracing mechanism reconstructs the attack chain and analyzes potential lateral movement paths, freeing analysts from manual work and lowering the threshold and cost of emergency response. Anomalies are identified through entity behaviour association, which gives the method the potential to counter unknown threats without depending on a fixed rule base.
Inventors
- LI KAIMING
- JIN HAN
- TANG WEIMIN
Assignees
- 北京国御网络安全技术有限公司
Dates
- Publication Date: 2026-05-08
- Application Date: 2025-10-29
Claims (6)
- 1. A cross-layer security event real-time association and attack path tracing method based on a unified entity map, comprising the steps of constructing and dynamically maintaining the unified entity map, performing real-time event association based on graph computation, and automatically tracing bidirectional attack paths, and characterized in that: the first step specifically comprises the following steps: step 1.1, constructing a standardized cross-layer security ontology model, wherein the standardized cross-layer security ontology model predefines the core entity types and relation types of the map; step 1.2, ingesting multi-source heterogeneous security data in real time through a multi-source data interface, parsing the multi-source heterogeneous security data in real time with a stream processing engine, and extracting and standardizing the parsed data into entity nodes and relationship edges in the map according to the standardized cross-layer security ontology model; step 1.3, performing cross-layer entity alignment and fusion based on a time window and confidence scores to obtain the unified entity map, wherein the cross-layer entity alignment and fusion specifically comprises the following steps: step 1.3.1, entity triggering, namely when a new cyberspace entity is created, opening a dynamic time window centred on the entity and the current timestamp; step 1.3.2, evidence collection, namely collecting, within the opened dynamic time window, all multi-source logs containing attributes of the entity, wherein the entity attributes comprise an IP address, a MAC address and a host name; step 1.3.3, confidence scoring, namely assigning a confidence score to each evidence chain; step 1.3.4, merging the corresponding independent entity nodes into a unified entity node containing multidimensional attributes when the total fused score of the entities pointed to by the evidence chains exceeds a preset threshold; the second step specifically comprises the following steps: step 2.1, splitting each security alarm generated in real time into cyberspace entity nodes and relationship edges and adding them to the unified entity map, wherein key entity nodes are fused according to the method of step 1.3; step 2.2, when a new high-risk alarm is added to the unified entity map, traversing the map from the entity associated with the alarm in the earlier direction in time, searching for preceding alarms that conform to attack logic, scoring the potential associated paths obtained by the traversal, and, if the accumulated score of a path exceeds a preset threshold, judging that the independent alarms on that path form a composite attack alarm; the third step specifically comprises the following steps: step 3.1, triggering a tracing task when either of the following two conditions occurs, namely a high-priority composite attack alarm is generated or a compromised entity is manually designated; and step 3.2, performing bidirectional traversal tracing on the unified entity map based on time and causal relations, wherein the bidirectional traversal tracing specifically comprises: starting from the compromised entity and the time point of compromise, traversing backwards along the relations in the map to trace the complete path from the attack entry point to the point of compromise, and traversing forwards from the compromised entity to analyze the privileges, access relations and connection relations owned by that entity.
- 2. The cross-layer security event real-time association and attack path tracing method based on a unified entity map according to claim 1, characterized in that in step 1.1 the core entity types comprise network layer entities, host layer entities, identity layer entities and cloud native entities, wherein the network layer entities comprise an IP address, a domain name, a MAC address, a network session and a Web access request; the host layer entities comprise a host, a process, a file, a registry item and a scheduled task; the identity layer entities comprise a user account, a user group and an API key; the cloud native entities comprise a cloud host instance, a container, a K8s Pod, a cloud storage bucket and an IAM role; the relation types define the interaction behaviour and attribution relationships among the entities; and each relation carries a timestamp, a duration and a data transfer volume.
- 3. The cross-layer security event real-time association and attack path tracing method based on a unified entity map according to claim 1, characterized in that in step 1.2 the multi-source data interface comprises a Kafka interface, a Syslog interface, an API interface and a file monitoring interface; the multi-source heterogeneous security data sources comprise endpoint detection and response (EDR) device logs, firewall logs, identity authentication system logs, Web application firewall logs and cloud platform monitoring logs; and the stream processing engine is a Flink engine.
- 4. The cross-layer security event real-time association and attack path tracing method based on a unified entity map according to claim 1, characterized in that in step 2.2 the path score is based on event severity, time proximity and the causal relationship between entities.
- 5. A cross-layer security event real-time association and attack path tracing system based on a unified entity map, comprising a multi-source heterogeneous data access module (1), a standardization and materialization processing module (2), a cross-layer entity alignment and fusion module (3), a real-time event association module (4), a bidirectional attack path automatic tracing module (5) and a result output and display module (6), and characterized in that the standardization and materialization processing module (2) establishes data connections with the multi-source heterogeneous data access module (1) and with the cross-layer entity alignment and fusion module (3) respectively; the real-time event association module (4) establishes data connections with the cross-layer entity alignment and fusion module (3) and with the bidirectional attack path automatic tracing module (5) respectively; the bidirectional attack path automatic tracing module (5) establishes a data connection with the result output and display module (6); and the modules (1) to (6) together realize the method as claimed in any one of claims 1 to 4.
- 6. Cross-layer security event real-time association and attack path tracing equipment based on a unified entity map, comprising a memory (7), a computer program (8) and a processor (9), and characterized in that the memory (7) stores the computer program (8), which can run on the processor (9), and the method according to any one of claims 1 to 4 is realized when the processor (9) executes the computer program (8); the memory (7) may be a non-transitory computer readable storage medium, specifically a solid state disk, a mechanical hard disk, a read-only memory, a random access memory, a smart memory card, a secure digital card or a flash memory card; the computer program (8) is the set of code that realizes the method; and the processor (9) is a hardware unit capable of data operations and program execution, specifically a central processing unit, a microprocessor or a digital signal processor.
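The fusion, scoring and tracing steps of claim 1 (steps 1.3, 2.2 and 3.2), as an added runnable Python sketch. This is an illustration written for this page, not the patent's or the assignee's implementation: the time window, per-source confidence weights, severity weights, thresholds, log records, alarms and causal edges are all constructed assumptions, and the union-find merge and the greedy backward walk are one way of realizing the claimed steps, not the claimed algorithm itself.

```python
"""Toy unified-entity graph for three steps of claim 1: entity alignment and
fusion inside a time window (step 1.3), backward alarm correlation with path
scoring (step 2.2) and bidirectional tracing from a compromised entity (step
3.2). Added illustration, not the patent's implementation: every weight,
threshold, log record, alarm and edge below is a constructed assumption."""
from collections import defaultdict
from itertools import combinations
WINDOW = 300                                         # assumed fusion window (seconds)
FUSE_THRESHOLD = 1.0                                 # assumed fused-score threshold
PATH_THRESHOLD = 3.0                                 # assumed composite-alarm threshold
SOURCE_CONF = {"dhcp": 0.6, "edr": 0.7, "fw": 0.5}   # assumed per-source confidence
SEVERITY = {"low": 0.5, "medium": 1.0, "high": 2.0}  # assumed severity weights
# Constructed multi-source records: (time, source, {attribute: value}).
LOGS = [
    (100, "dhcp", {"ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01"}),
    (120, "edr", {"host": "ws-07", "mac": "aa:bb:cc:00:00:01"}),
    (130, "fw", {"ip": "10.0.0.5", "host": "ws-07"}),
    (150, "edr", {"ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01", "host": "ws-07"}),
    (900, "dhcp", {"ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:02"}),  # lease reused much later
]

def fuse_entities(logs, window=WINDOW, threshold=FUSE_THRESHOLD):
    """Step 1.3: a window opens at each value's first sighting (1.3.1); records inside
    both values' windows are evidence weighted by source confidence (1.3.2, 1.3.3);
    pairs whose fused score reaches the threshold are merged by union-find (1.3.4)."""
    first_seen, score = {}, defaultdict(float)
    for t, src, attrs in sorted(logs, key=lambda r: r[0]):
        values = [f"{k}={v}" for k, v in attrs.items()]
        for v in values:
            first_seen.setdefault(v, t)
        for a, b in combinations(values, 2):
            if t - first_seen[a] <= window and t - first_seen[b] <= window:
                score[frozenset((a, b))] += SOURCE_CONF[src]
    parent = {v: v for v in first_seen}
    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v
    for pair, s in score.items():
        if s >= threshold:
            a, b = pair
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for v in parent:
        groups[find(v)].add(v)
    return [frozenset(g) for g in groups.values()]

# Constructed alarms already split onto unified entity nodes (step 2.1), plus the
# causal edges (source, target, time, relation) recorded between those nodes.
ALARMS = {
    "A1": {"t": 1000, "severity": "low", "entity": "ip=203.0.113.9"},
    "A2": {"t": 1300, "severity": "medium", "entity": "host=ws-07"},
    "A3": {"t": 1600, "severity": "high", "entity": "user=alice"},
}
EDGES = [
    ("ip=203.0.113.9", "host=ws-07", 1250, "connected_to"),
    ("host=ws-07", "user=alice", 1550, "logged_in_as"),
    ("user=alice", "bucket=finance", 1700, "reads"),
]

def correlate(alarm_id, alarms=ALARMS, edges=EDGES, threshold=PATH_THRESHOLD, max_gap=1000):
    """Step 2.2: from the new alarm's entity, follow causal edges backwards in time and
    collect earlier alarms; path score = severity plus a time-proximity bonus (claim 4),
    and the alarms form a composite attack alarm when the score exceeds the threshold."""
    preds = defaultdict(list)
    for src, dst, t, _ in edges:
        preds[dst].append((src, t))
    path, score = [alarm_id], SEVERITY[alarms[alarm_id]["severity"]]
    entity, t_limit, seen = alarms[alarm_id]["entity"], alarms[alarm_id]["t"], set()
    while preds[entity]:
        seen.add(entity)
        cands = [c for c in preds[entity] if c[1] <= t_limit and c[0] not in seen]
        if not cands:
            break
        entity, t_limit = max(cands, key=lambda c: c[1])  # most recent older predecessor
        for aid, a in alarms.items():  # preceding alarms on that entity, older than the edge
            if a["entity"] == entity and a["t"] <= t_limit:
                gap = alarms[path[-1]]["t"] - a["t"]
                score += SEVERITY[a["severity"]] + max(0.0, 1 - gap / max_gap)
                path.append(aid)
    return {"composite": score >= threshold, "score": round(score, 2), "path": path[::-1]}

def trace(entity, at_time, edges=EDGES):
    """Step 3.2: reverse traversal from the compromised entity recovers the entry path;
    forward traversal lists the access and connection relations it owns."""
    def walk(forward):
        seen, hops, stack = {entity}, [], [(entity, at_time)]
        while stack:
            node, t = stack.pop()
            for src, dst, et, rel in edges:
                here, nxt = (src, dst) if forward else (dst, src)
                if here == node and (et >= t if forward else et <= t) and nxt not in seen:
                    seen.add(nxt)
                    hops.append((src, rel, dst))
                    stack.append((nxt, et))
        return hops
    return {"entry_path": walk(False)[::-1], "exposure": walk(True)}
```

With the constructed data, `fuse_entities(LOGS)` merges the IP, the first MAC and the host name into one unified node while leaving the MAC seen at t=900 separate, because that record falls outside the IP's window and so never accumulates a fused score. `correlate("A3")` walks from the credential alarm back through the host to the scanning source, and the accumulated score crosses the threshold, so the three alarms are reported as one composite attack; `correlate("A2")` alone does not reach it. `trace("host=ws-07", 1550)` returns both the entry path into the host and the forward relations that bound what the compromised host could reach.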
Description
Cross-layer security event real-time association and attack path tracing method, system and equipment based on unified entity map
Technical Field
The invention relates to the technical field of network security, in particular to a cross-layer security event real-time association and attack path tracing method, system and equipment based on a unified entity map.
Background
In cyberspace security today, complex attacks such as advanced persistent threats (APT) have become a major form of threat. Such attacks are long-lived and highly stealthy, typically combine lateral movement with vertical penetration, and span multiple technical layers: the network layer, the host layer, the application layer and cloud native environments. In existing security protection systems, although the security information and event management (SIEM) platform can collect massive logs centrally, it relies mainly on preset association rules. These rules are mostly written from experience and can hardly cover every attack scenario, so cross-layer, multi-stage unknown attacks produce large numbers of isolated alarms. Security analysts must spend a great deal of effort on manual association and tracing, which greatly reduces response efficiency. Some technical schemes attempt to introduce knowledge graphs to organize security data.
However, these schemes have the following general limitations:
1. The data model is not unified: independent models are often adopted for data from different sources such as network traffic, endpoint logs and cloud platform API call logs, so cross-source entities such as IP addresses, host names and user accounts are difficult to align and fuse effectively, which creates data silos.
2. Cross-layer event association capability is lacking: existing tracing analysis is generally confined to the single dimension of the network layer or the host layer, so tracing usually stops once it reaches a certain IP, process or file, and further tracing requires manual intervention.
3. Real-time capability is lacking: most map construction processes use batch or near-real-time processing, so weak associations between behaviours are difficult to capture at the moment an attack occurs, and the optimal response window is missed.
4. Association and tracing capabilities are limited: existing map analysis methods mostly focus on static entity relation queries and lack a dedicated real-time association algorithm for dynamic, cross-layer attack behaviour and an automatic path reconstruction mechanism.
Disclosure of Invention
The invention aims to provide a cross-layer security event real-time association and attack path tracing method, system and equipment based on a unified entity map so as to solve the problems described in the background.
The invention provides a cross-layer security event real-time association and attack path tracing method based on a unified entity map, which comprises the steps of constructing and dynamically maintaining the unified entity map, performing real-time event association based on graph computation, and automatically tracing bidirectional attack paths. The first step specifically comprises the following steps: 1.1, constructing a standardized cross-layer security ontology model, wherein the standardized cross-layer security ontology model predefines the core entity types and relation types of the map; 1.2, ingesting multi-source heterogeneous security data in real time through a multi-source data interface, parsing the multi-source heterogeneous security data in real time with a stream processing engine, and extracting and standardizing the parsed data into entity nodes and relationship edges in the map according to the standardized cross-layer security ontology model; 1.3, performing cross-layer entity alignment and fusion based on a time window and confidence scores to obtain the unified entity map. The second step specifically comprises the following steps: 2.1, splitting each security alarm generated in real time into cyberspace entity nodes and relationship edges and adding them to the unified entity map, wherein key entity nodes are fused according to the method of step 1.3; 2.2, when a new high-risk alarm is added to the unified entity map, traversing the map from the entity associated with the alarm in the earlier direction in time, searching for preceding alarms that conform to attack logic, scoring the potential associated paths obtained by the traversal, and, if the accumulated score of a path exceeds a preset threshold, judging that the independent alarms on that path form a composite attack alarm. The third step specifically comprises the following steps: 3.1, triggering a tracing task whe