
CN-122001651-A - APT attack accurate detection and defense system and method based on multidimensional feature tensor modeling and dynamic decomposition


Abstract

The invention discloses an APT attack accurate detection and defense system and method based on multidimensional feature tensor modeling and dynamic decomposition, in the field of attack detection and defense. The system comprises a multidimensional feature acquisition and tensor construction unit, a dynamic tensor decomposition and feature extraction unit, a tensor feature fusion decision engine unit, a tensor security and encryption unit, and a dynamic response and tracing controller unit. A tensor model adapted to the multidimensional heterogeneous features of APT attacks is constructed, realizing high-order correlation modeling of physical-layer, network-layer and application-layer features and improving the extraction of hidden attack features. An improved Tucker decomposition algorithm reduces computational complexity, adapts to the evolution of attack modes and meets real-time detection requirements. A tensor security enhancement mechanism uses the core features of the tensor decomposition as encryption key seeds, combines them with a hardware trust root security model and data integrity protection, and embeds a tensor tracing label so that the attack source can be accurately located.

Inventors

  • GAO JIANIAN
  • ZHANG HAOLIANG
  • TAO LI

Assignees

  • 海南柒译国际信息科技有限公司

Dates

Publication Date
20260508
Application Date
20260205

Claims (10)

  1. An APT attack accurate detection and defense system based on multidimensional feature tensor modeling and dynamic decomposition, characterized by comprising: a multi-dimensional feature acquisition and tensor construction unit, used for acquiring heterogeneous feature data of a physical layer, a network layer and an application layer in real time and constructing a third-order tensor model based on the three dimensions time-feature-device; a dynamic tensor decomposition and feature extraction unit, used for decomposing the third-order tensor by an improved Tucker decomposition algorithm, extracting a core feature tensor and factor matrices, and dynamically updating the core feature tensor through a local updating mechanism; a tensor feature fusion decision engine unit, used for matching the extracted core feature tensor against pre-stored attack stage templates and outputting an attack existence judgment and an attack grading score in combination with a lightweight neural network model; a tensor security and encryption unit, used for generating a dynamic encryption key based on the core feature tensor and integrating a hardware trust root to encrypt the acquired feature data, tensor decomposition results and decision instructions; and a dynamic response and traceability controller unit, used for executing a hierarchical defense strategy according to the attack grading score and carrying out attack source positioning and propagation path analysis based on traceability labels embedded in the factor matrices.
  2. The APT attack accurate detection and defense system based on multi-dimensional feature tensor modeling and dynamic decomposition according to claim 1, characterized in that the physical layer data comprise signal phase jump, frequency spectrum sparsity and energy spectrum density; the network layer data comprise packet interval distribution, session duration, port occupancy rate, protocol type, flow mutation rate and transverse transmission count; and the application layer data comprise instruction sequence similarity, abnormal login count, file tamper traces, process start logs, data upload frequency and access right changes.
  3. The APT attack accurate detection and defense system based on multidimensional feature tensor modeling and dynamic decomposition according to claim 2, wherein the third-order tensor is expressed as T ∈ R^(T×F×D), where T is the number of time slices, F is the total number of feature types and D is the total number of device nodes, and is stored in a sparse tensor format.
  4. The APT attack accurate detection and defense system based on multidimensional feature tensor modeling and dynamic decomposition according to claim 3, wherein the improved Tucker decomposition algorithm adopted by the dynamic tensor decomposition and feature extraction unit is expressed as: ; Wherein, the As a function of the core tensor, 、 、 A factor matrix of time, features and device dimensions, respectively.
  5. The APT attack accurate detection and defense system based on multidimensional feature tensor modeling and dynamic decomposition according to claim 4, wherein in the dynamic tensor decomposition and feature extraction unit, when the feature variation exceeds a set threshold or a new attack feature is detected, only the affected tensor slice and the corresponding factor matrix are updated locally, and the core tensor is updated according to a weighted average formula, which is expressed as: ; Wherein, the As the weight coefficient of the light-emitting diode, As a result of the history core tensor, The tensor is updated locally.
  6. The APT attack accurate detection and defense system based on multi-dimensional feature tensor modeling and dynamic decomposition according to claim 5, wherein the workflow of the tensor feature fusion decision engine unit comprises: calculating the cosine similarity between the core feature vector and each attack stage template, and judging the match successful if the cosine similarity is 0.8 or more; and inputting the successfully matched features into a lightweight neural network model, which outputs an attack grading score of 0 to 10 points, wherein a score of 8 points or more triggers a defense response; the attack stages comprise the four stages reconnaissance, penetration, attack and maintenance, whose matching degree intervals are 0.8 to 0.85, 0.85 to 0.9, 0.9 to 0.95 and 0.95 or more, respectively.
  7. The APT attack accurate detection and defense system based on multi-dimensional feature tensor modeling and dynamic decomposition according to claim 6, wherein the tensor security and encryption unit comprises a TPM or TEE hardware trust root; the encryption key is generated from the tensor core features; a hierarchical design of stream encryption and asymmetric encryption is adopted; and key update is linked to tensor update.
  8. The APT attack accurate detection and defense system based on multidimensional feature tensor modeling and dynamic decomposition according to claim 7, wherein a TPM or TEE hardware trust root is integrated and used for storing the tensor model signature, core keys and defense strategies and for signing and encrypting the collected feature data, tensor decomposition results and decision instructions; and tensor-associated encryption is applied, namely 128-bit dynamic keys are generated by hashing the singular values of the core tensor G with SHA-256, wherein the physical layer adopts RC4 stream encryption, the link layer adopts RSA-2048 asymmetric encryption, and the key update period is linked to the local update of the tensor.
  9. The APT attack accurate detection and defense system based on multidimensional feature tensor modeling and dynamic decomposition according to claim 8, wherein the dynamic response and traceability controller unit performs the hierarchical defense strategy according to the attack grading score, comprising: triggering response actions of different grades according to the attack score, wherein the response actions comprise storing alarms and logs in the reconnaissance stage (3-5 points), limiting the access rights of the device in the penetration stage (5-8 points), cutting off the attack link and isolating the device in the attack stage (8-10 points), and comprehensively blocking and collecting evidence for analysis in the maintenance stage (10 points or more); and the traceability labels embedded in the tensor factor matrices reversely locate the attack start time, core features and device nodes through the factor matrices, and output attack source location and propagation path information in combination with the network topology.
  10. An APT attack accurate detection and defense method based on multi-dimensional feature tensor modeling and dynamic decomposition, adopting the APT attack accurate detection and defense system based on multi-dimensional feature tensor modeling and dynamic decomposition as claimed in any one of claims 1-9, characterized by comprising the steps of: S1, collecting heterogeneous feature data of a physical layer, a network layer and an application layer, and constructing a time-feature-device third-order tensor; S2, performing the improved Tucker decomposition on the third-order tensor, extracting a core tensor and factor matrices, and triggering a local update when the feature variation is 30% or more; S3, matching the extracted core feature tensor against pre-stored attack stage templates, and outputting an attack existence judgment and an attack grading score in combination with a lightweight neural network model; S4, generating a dynamic encryption key based on the core feature tensor, and encrypting the acquired feature data, tensor decomposition results and decision instructions through the integrated hardware trust root; S5, executing the hierarchical defense strategy according to the attack grading score, analyzing the traceability labels in the factor matrices, reversely locating the attack start time, core features and device nodes, and outputting attack source information.
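The tensor pipeline of claims 3, 4, 5 and 8 (time-feature-device tensor, Tucker decomposition, weighted-average local update of the core tensor, and a 128-bit key seed hashed with SHA-256 from the core tensor's singular values) is shown below as an added Python example. It is not the patent's own code, which the page does not include. The sample records, the burst of abnormal logins that drives the 30% variation threshold of step S2, the blend formula `alpha * G_hist + (1 - alpha) * G_local` (the page names the terms but its formula is missing), the truncation ranks and the rounding precision before hashing are all constructed assumptions. Truncated HOSVD is used as the concrete Tucker algorithm since the page's improved algorithm is not reproduced. The example stops at the key seed: the RC4 stream cipher named in claim 8 is prohibited for TLS by RFC 7465 and is not a suitable choice for new designs, so no cipher is shown here.

```python
"""Added example (not the patent's own code): build the time x feature x device
tensor of claim 3, Tucker-decompose it by truncated HOSVD (claim 4), apply the
weighted-average core update of claim 5, and derive a 128-bit key seed from the
singular values of the core tensor with SHA-256 (claim 8). Requires numpy."""
import hashlib

import numpy as np

# Constructed sample records: (time slice, feature index, device index, value).
# Feature 0 = packet interval mean (ms), 1 = abnormal login count,
# 2 = lateral transmission count; two devices observed over four time slices.
SAMPLE_RECORDS = [
    (0, 0, 0, 12.0), (0, 1, 0, 0.0), (0, 2, 0, 0.0), (0, 0, 1, 11.0), (0, 1, 1, 1.0), (0, 2, 1, 0.0),
    (1, 0, 0, 12.5), (1, 1, 0, 0.0), (1, 2, 0, 1.0), (1, 0, 1, 11.5), (1, 1, 1, 3.0), (1, 2, 1, 2.0),
    (2, 0, 0, 4.0), (2, 1, 0, 6.0), (2, 2, 0, 5.0), (2, 0, 1, 3.5), (2, 1, 1, 7.0), (2, 2, 1, 6.0),
    (3, 0, 0, 3.0), (3, 1, 0, 9.0), (3, 2, 0, 8.0), (3, 0, 1, 2.5), (3, 1, 1, 9.0), (3, 2, 1, 9.0),
]
SHAPE = (4, 3, 2)  # T time slices x F feature types x D device nodes


def build_tensor(records, shape):
    """Accumulate sparse (t, f, d, value) records into a dense third-order
    tensor. Claim 3 stores it sparsely; dense is simpler for a demonstration."""
    tensor = np.zeros(shape)
    for t, f, d, value in records:
        tensor[t, f, d] += value
    return tensor


def unfold(tensor, mode):
    """Mode-n matricisation: axis `mode` becomes the rows, the rest the columns."""
    return np.moveaxis(tensor, mode, 0).reshape(tensor.shape[mode], -1)


def mode_product(tensor, matrix, mode):
    """Tensor-matrix product along `mode` (the x_n operator of Tucker notation)."""
    moved = np.moveaxis(tensor, mode, 0)
    flat = matrix @ moved.reshape(moved.shape[0], -1)
    return np.moveaxis(flat.reshape((matrix.shape[0],) + moved.shape[1:]), 0, mode)


def project_core(tensor, factors):
    """Core tensor G = T x_1 U_t^T x_2 U_f^T x_3 U_d^T for given factor matrices."""
    core = tensor
    for mode, factor in enumerate(factors):
        core = mode_product(core, factor.T, mode)
    return core


def tucker_hosvd(tensor, ranks):
    """Truncated HOSVD: each factor matrix holds the leading left singular
    vectors of the corresponding unfolding. Returns (core, [U_t, U_f, U_d])."""
    factors = []
    for mode, rank in enumerate(ranks):
        left, _, _ = np.linalg.svd(unfold(tensor, mode), full_matrices=False)
        factors.append(left[:, :rank])
    return project_core(tensor, factors), factors


def reconstruct(core, factors):
    """Inverse of project_core: T ~ G x_1 U_t x_2 U_f x_3 U_d."""
    tensor = core
    for mode, factor in enumerate(factors):
        tensor = mode_product(tensor, factor, mode)
    return tensor


def feature_variation(old, new):
    """Relative Frobenius-norm change; step S2 of claim 10 triggers a local
    update when this reaches 30%."""
    return float(np.linalg.norm(new - old) / np.linalg.norm(old))


def reconstruction_error(tensor, ranks):
    """Relative error of the rank-truncated Tucker model (0 at full rank)."""
    core, factors = tucker_hosvd(tensor, ranks)
    return feature_variation(tensor, reconstruct(core, factors))


def local_update(core_hist, core_local, alpha):
    """Weighted-average core update of claim 5. The page names the weight, the
    historical core and the locally updated core but its formula is missing, so
    alpha * G_hist + (1 - alpha) * G_local is an assumption of this example."""
    return alpha * core_hist + (1.0 - alpha) * core_local


def core_key_seed(core, decimals=6):
    """128-bit key seed (claim 8): SHA-256 over the singular values of the
    mode-1 unfolding of the core tensor, truncated to 16 bytes. Values are
    rounded before hashing so floating-point noise cannot silently change the
    key; the precision is an assumption, not from the page."""
    singular = np.linalg.svd(unfold(core, 0), compute_uv=False)
    canonical = ",".join(f"{v:.{decimals}f}" for v in singular).encode()
    return hashlib.sha256(canonical).digest()[:16]


def demo(alpha=0.7, ranks=(2, 2, 2)):
    """Run the pipeline on the constructed sample, then simulate a burst of
    abnormal logins in the last time slice that crosses the 30% threshold."""
    baseline = build_tensor(SAMPLE_RECORDS, SHAPE)
    core, factors = tucker_hosvd(baseline, ranks)
    changed = baseline.copy()
    changed[3, 1, :] *= 3.0  # abnormal login counts triple on both devices
    variation = feature_variation(baseline, changed)
    updated = variation >= 0.30
    if updated:  # project the changed tensor onto the current factor bases
        core_new = local_update(core, project_core(changed, factors), alpha)
    else:
        core_new = core
    return {"variation": variation, "updated": updated,
            "key_before": core_key_seed(core).hex(),
            "key_after": core_key_seed(core_new).hex()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key seed is a function of the core tensor, the seed in `demo()` changes exactly when the local update fires, which is the coupling between key update period and tensor update that claims 7 and 8 describe. Rounding the singular values before hashing matters: without it, two replicas computing the same decomposition with slightly different floating-point results would derive different keys.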

Description

APT attack accurate detection and defense system and method based on multidimensional feature tensor modeling and dynamic decomposition

Technical Field

The invention relates to the technical field of accurate attack detection and defense, in particular to an APT attack accurate detection and defense system and method based on multidimensional feature tensor modeling and dynamic decomposition.

Background

Key infrastructures such as smart grids, government intranets and industrial control systems face serious APT attack threats. Such attacks are characterized by multi-dimensional feature heterogeneity, dynamic evolution of the attack mode and long-term latent concealment, and usually steal core data or disrupt system operation through cross-layer penetration, feature camouflage and similar means. Existing protection technology has obvious shortcomings: it focuses only on single-dimension features (such as network traffic or terminal behavior) or adopts traditional vector/matrix modeling, so the high-order correlation information among features is lost and the cross-dimension cooperative features of APT attacks are difficult to capture; existing tensor techniques have no scheme adapted to the APT attack life cycle, so a fixed model cannot handle dynamic variation of the attack mode; and a software-hardware integrated closed-loop mechanism of tensor modeling, feature extraction, attack detection and defense response is lacking. As a result, detection accuracy is low, computational cost is high, response lags, and the real-time protection requirements of key infrastructures cannot be met.

Disclosure of Invention

In order to solve these problems, the invention provides an APT attack accurate detection and defense system and method based on multi-dimensional feature tensor modeling and dynamic decomposition. By constructing a tensor model adapted to the multi-dimensional heterogeneous features of APT attacks, it realizes high-order correlation modeling of physical-layer, network-layer and application-layer features and improves the extraction of hidden attack features; by designing an improved Tucker decomposition algorithm, it reduces computational complexity, adapts to the evolution of the APT attack mode and meets the real-time detection requirement.

In order to achieve the above object, the present invention provides an APT attack accurate detection and defense system based on multidimensional feature tensor modeling and dynamic decomposition, comprising: a multi-dimensional feature acquisition and tensor construction unit, used for acquiring heterogeneous feature data of a physical layer, a network layer and an application layer in real time and constructing a third-order tensor model based on the three dimensions time-feature-device; a dynamic tensor decomposition and feature extraction unit, used for decomposing the third-order tensor by an improved Tucker decomposition algorithm, extracting a core feature tensor and factor matrices, and updating the core feature tensor through a local updating mechanism; a tensor feature fusion decision engine unit, used for matching the extracted core feature tensor against pre-stored attack stage templates and outputting an attack existence judgment and an attack grading score in combination with a lightweight neural network model; a tensor security and encryption unit, used for generating a dynamic encryption key based on the core feature tensor and integrating a hardware trust root to encrypt the acquired feature data, tensor decomposition results and decision instructions; and a dynamic response and traceability controller unit, used for executing a hierarchical defense strategy according to the attack grading score and carrying out attack source positioning and propagation path analysis based on traceability labels embedded in the factor matrices.

Preferably, the physical layer data comprise signal phase jump, frequency spectrum sparsity and energy spectrum density; the network layer data comprise packet interval distribution, session duration, port occupancy rate, protocol type, flow mutation rate and transverse transmission count; and the application layer data comprise instruction sequence similarity, abnormal login count, file tamper traces, process start logs, data upload frequency and access authority changes.

Preferably, the third-order tensor is expressed as T ∈ R^(T×F×D), where T is the number of time slices, F is the total number of feature types and D is the total number of device nodes, and is stored in a sparse tensor format.

Preferably, the improved Tucker decomposition algorithm adopted by the dynamic tensor decomposition and feature extraction unit is expressed as: ; Wherein, the As a function of the core tensor,、、A factor matrix of time, features and device dimensions,
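The decision engine unit described above is specified numerically only in the claims: claim 6 gives the cosine-similarity match threshold of 0.8, the four matching-degree bands that name the attack stage, a 0 to 10 point score and the 8-point defense trigger, and claim 9 gives the response tier for each score range. The following Python is an added example of those rules as pure functions over constructed inputs; it is not the patent's code. Since the page does not specify the lightweight neural network, a clipped linear scorer with made-up weights stands in for it, and because the page's bands share their endpoints (5 appears in both 3-5 and 5-8), half-open intervals are an assumption of this example. The sample templates and the "no action" outcome below 3 points are likewise constructed.

```python
"""Added example (not the patent's own code): decision-engine rules of claim 6
and tiered responses of claim 9 as pure functions. The scorer is a stand-in
for the unspecified lightweight neural network."""
import math

MATCH_THRESHOLD = 0.80   # claim 6: minimum cosine similarity for a match
DEFENSE_THRESHOLD = 8.0  # claim 6: score at which a defense response fires

# Claim 6: matching-degree band -> attack stage. Upper bounds are exclusive,
# an assumption since the page lists bands that share endpoints.
STAGE_BANDS = [
    ("reconnaissance", 0.80, 0.85),
    ("penetration", 0.85, 0.90),
    ("attack", 0.90, 0.95),
    ("maintenance", 0.95, math.inf),
]

# Claim 9: score floor -> (stage, response action), same half-open convention.
RESPONSE_TIERS = [
    (10.0, "maintenance", "comprehensive block; collect evidence for analysis"),
    (8.0, "attack", "cut off the attack link; isolate the device"),
    (5.0, "penetration", "limit the device's access rights"),
    (3.0, "reconnaissance", "store alarm and log"),
]

# Constructed stage templates over three core features (abnormal logins,
# lateral transmissions, file tamper traces). Not from the page.
SAMPLE_TEMPLATES = {
    "reconnaissance": (1.0, 0.2, 0.0),
    "penetration": (0.6, 1.0, 0.2),
    "attack": (0.3, 0.8, 1.0),
    "maintenance": (0.1, 0.3, 1.0),
}

# Stand-in for the lightweight neural network: constructed weights over the
# matched feature vector plus a term for how far the match exceeds 0.8.
DEMO_WEIGHTS = (0.6, 0.9, 1.2)
DEMO_SIMILARITY_WEIGHT = 6.0


def cosine_similarity(a, b):
    """Cosine of the angle between two feature vectors; 0 for an all-zero input."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def stage_for_similarity(sim):
    """Map a matching degree to the attack stage band of claim 6, or None."""
    for stage, low, high in STAGE_BANDS:
        if low <= sim < high:
            return stage
    return None


def match_templates(core_vec, templates):
    """Compare the core feature vector against every pre-stored stage template.
    Returns (stage, best similarity); stage is None when no template reaches
    0.8. As claim 6 states, the stage is read from the band of the matching
    degree rather than from the label of the best template."""
    best = max(cosine_similarity(core_vec, t) for t in templates.values())
    if best < MATCH_THRESHOLD:
        return None, best
    return stage_for_similarity(best), best


def score_attack(features, similarity):
    """Clipped linear scorer producing the 0..10 point attack grading score."""
    z = sum(w * x for w, x in zip(DEMO_WEIGHTS, features))
    z += DEMO_SIMILARITY_WEIGHT * (similarity - MATCH_THRESHOLD) / (1.0 - MATCH_THRESHOLD)
    return max(0.0, min(10.0, z))


def response_for_score(score):
    """Pick the response tier of claim 9 for a score; None below 3 points."""
    for floor, stage, action in RESPONSE_TIERS:
        if score >= floor:
            return stage, action
    return None, "no action (below 3 points; not specified on the page)"


def decide(core_vec, templates, features):
    """Full decision: template match, score, defense trigger and response."""
    stage, sim = match_templates(core_vec, templates)
    if stage is None:
        return {"matched": False, "similarity": sim, "score": 0.0,
                "defense": False, "response": "no action"}
    score = score_attack(features, sim)
    tier, action = response_for_score(score)
    return {"matched": True, "stage": stage, "similarity": sim, "score": score,
            "defense": score >= DEFENSE_THRESHOLD, "tier": tier, "response": action}


if __name__ == "__main__":
    print(decide((0.3, 0.9, 1.0), SAMPLE_TEMPLATES, (2.0, 3.0, 1.0)))
```

`decide()` deliberately reports two separate classifications: the stage read from the similarity band (claim 6) and the tier read from the score (claim 9). The page does not say they must agree, and with the constructed inputs they often do not, which is worth keeping visible when such a pipeline is reviewed: a high-similarity match to a "maintenance" template can still carry a score that only warrants the penetration-tier response.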