CN-122001678-A - Terminal anomaly detection system based on a graph neural network
Abstract
The invention discloses a terminal anomaly detection system based on a graph neural network. The system collects terminal-side processes, files, registry entries, accounts, network connections and external IP addresses and constructs a terminal heterogeneous behavior graph sequence; performs causal disturbance baseline extraction to generate a causal constraint set; synthesizes a dynamic security-semantic meta-path set from the causal constraint set; generates a node pre-score sequence; performs Bayesian online change-point detection to generate a state-mutation posterior probability sequence, a run-length sequence and receptive field modulation parameters; generates a node graph anomaly score sequence with an improved FreeGAD algorithm; constructs a counterfactual normal evolution graph and generates a verification score sequence; and generates a terminal anomaly alarm result from the node graph anomaly score sequence, the state-mutation posterior probability sequence, the verification score sequence and the run-length sequence. The invention thereby realizes collaborative anomaly detection for a terminal that combines heterogeneous association modeling, time-series change-point feedback, adaptive graph scoring and counterfactual verification.
Inventors
- WU JIN
- TIAN HONGLI
- ZHANG HANCHENG
Assignees
- 上海易苏信息科技有限公司
Dates
- Publication Date: 20260508
- Application Date: 20260324
Claims (10)
- 1. A terminal anomaly detection system based on a graph neural network, characterized by comprising: a heterogeneous security object modeling module, used for acquiring terminal-side processes, files, registry entries, accounts, network connections and external IP addresses and constructing a terminal heterogeneous behavior graph sequence; a causal disturbance baseline extraction module, used for performing node attribute disturbance and edge connection disturbance on the terminal heterogeneous behavior graph sequence, extracting causally invariant core semantic subgraphs that are stable across disturbances, and generating a causal constraint set; a dynamic meta-path synthesis module, used for generating a dynamic security-semantic meta-path set according to the causal constraint set and the terminal heterogeneous behavior graph sequence; a pre-scoring generation module, used for extracting candidate topological subgraphs according to the dynamic security-semantic meta-path set, sampling abnormal anchor points and normal anchor points, and performing structural alignment to generate a node pre-score sequence; a change-point feedback modulation module, used for performing Bayesian online change-point detection on the node pre-score sequence to generate a run-length sequence, a state-mutation posterior probability sequence and receptive field modulation parameters; an adaptive graph scoring module, used for adjusting the candidate topological subgraphs according to the receptive field modulation parameters, performing structural alignment based on an improved FreeGAD algorithm, and generating a node graph anomaly score sequence; a counterfactual verification module, used for constructing a counterfactual normal evolution graph according to the terminal heterogeneous behavior graph sequence, the run-length sequence and the dynamic security-semantic meta-path set, calculating the structural semantic divergence between the counterfactual normal evolution graph and the terminal heterogeneous behavior graph sequence, and generating a verification score sequence; and a joint judgment module, used for generating a terminal anomaly alarm result according to the node graph anomaly score sequence, the state-mutation posterior probability sequence, the verification score sequence and the run-length sequence, and outputting the receptive field parameters for the next moment to the pre-scoring generation module.
- 2. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the heterogeneous security object modeling module specifically comprises: collecting terminal-side processes, files, registry entries, accounts, network connections and external IP addresses at each acquisition time, and organizing them into an object set sequence according to the owning terminal and the acquisition time; performing information bottleneck compression on the object states at consecutive acquisition times in the object set sequence, calculating the mutual information of each process, file, registry entry, account, network connection and external IP address over the object state distributions at consecutive acquisition times, retaining the objects that satisfy a preset mutual information constraint, and generating a compressed object set sequence; according to the concurrent interaction relations among multiple objects at the same acquisition time, writing the processes, files, registry entries, accounts, network connections and external IP addresses involved in one concurrent interaction into the same hyperedge of the compressed object set sequence, to generate a temporal hypergraph; for the nodes and hyperedges of the temporal hypergraph, calculating causal tendency weights according to the attribute change tracks and connection change tracks over consecutive acquisition times, and generating a temporal hypergraph sequence; and performing time alignment on the temporal hypergraph sequence according to the order of acquisition times, and outputting the time alignment result as the terminal heterogeneous behavior graph sequence to the causal disturbance baseline extraction module.
- 3. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the causal disturbance baseline extraction module specifically comprises: reading the terminal heterogeneous behavior graph sequence and performing node attribute disturbance and edge connection disturbance respectively, to generate an original graph sequence, a node attribute disturbance graph sequence and an edge connection disturbance graph sequence; inputting the original graph sequence, the node attribute disturbance graph sequence and the edge connection disturbance graph sequence into a shared graph encoder according to the same acquisition time, and outputting the hidden-layer representation distribution vectors corresponding to that acquisition time; calculating the Wasserstein distances between the hidden-layer representation distribution vectors of the original graph sequence, the node attribute disturbance graph sequence and the edge connection disturbance graph sequence at the same acquisition time, to generate a cross-disturbance semantic drift sequence; calculating the semantic drift gradient according to the cross-disturbance semantic drift sequence; retaining, within the same acquisition time, the subgraphs whose Wasserstein distances satisfy a preset distance constraint and whose semantic drift gradients satisfy a preset gradient constraint, to generate a cross-disturbance stable subgraph sequence; and performing continuous superposition extraction on the cross-disturbance stable subgraph sequence according to acquisition time to obtain the causally invariant core semantic subgraph, and writing the node attributes and edge connection relations of the causally invariant core semantic subgraph into the causal constraint set.
- 4. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the dynamic meta-path synthesis module specifically comprises: mapping the node attributes and edge connection relations in the causal constraint set onto the terminal heterogeneous behavior graph sequence according to acquisition time, to generate a constraint mapping sequence; extracting a dynamic security-semantic meta-path sequence according to the constraint mapping sequence in the terminal heterogeneous behavior graph corresponding to each acquisition time; inputting the dynamic security-semantic meta-path sequence and the causally invariant core semantic subgraph into a shared graph encoder according to the same acquisition time, outputting the corresponding hidden-layer representation distribution vectors, calculating the Wasserstein distance between the dynamic security-semantic meta-path sequence and the causally invariant core semantic subgraph, and generating a path semantic drift sequence; calculating the semantic drift gradient according to the path semantic drift sequence; and retaining the dynamic security-semantic meta-paths whose Wasserstein distance satisfies the preset distance constraint and whose semantic drift gradient satisfies the preset gradient constraint, and continuously connecting the retained results according to acquisition time to generate the dynamic security-semantic meta-path set.
- 5. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the pre-scoring generation module specifically comprises: mapping the dynamic security-semantic meta-path of each acquisition time onto the corresponding terminal heterogeneous behavior graph, and cutting out the nodes, edge connections and hyperedges covered by the dynamic security-semantic meta-path, to generate a candidate topological subgraph sequence; inputting the candidate topological subgraph sequence and the dynamic security-semantic meta-path set into a shared graph encoder according to the same acquisition time, outputting the hidden-layer representation distribution vectors corresponding to the candidate topological subgraph and the dynamic security-semantic meta-path, and calculating the optimal transport coupling matrix to generate a coupling matrix sequence; according to the coupling matrix sequence, counting the probability mass transported by each node in the candidate topological subgraph of each acquisition time, and generating a node semantic drift contribution sequence; within the same acquisition time, selecting the nodes whose node semantic drift contribution satisfies a preset abnormal contribution constraint as abnormal anchor points and the nodes whose node semantic drift contribution satisfies a preset normal contribution constraint as normal anchor points, to obtain an abnormal anchor point sequence and a normal anchor point sequence; calculating, according to the candidate topological subgraph sequence, the abnormal anchor point sequence and the normal anchor point sequence, the manifold Dirichlet energy of each node under the guidance of the abnormal anchor points and of the normal anchor points respectively, to generate a dual-anchor energy sequence; and calculating the corresponding manifold Dirichlet energy difference according to the node semantic drift contribution sequence and the dual-anchor energy sequence, to obtain the node pre-score sequence.
- 6. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the change-point feedback modulation module specifically comprises: arranging the node pre-score sequence in order and performing Bayesian online change-point detection to generate a state-mutation posterior probability sequence and a run-length sequence; calculating the change rate of the state-mutation posterior probability and the decay rate of the run length between consecutive acquisition times according to the state-mutation posterior probability sequence and the run-length sequence; determining the theoretical sampling hop count and the theoretical neighborhood width corresponding to each node according to the state-mutation posterior probability, the run length, the change rate of the state-mutation posterior probability and the decay rate of the run length corresponding to each acquisition time; taking the theoretical sampling hop count and the theoretical neighborhood width as the base values of the prospective receptive field modulation parameters and, at any acquisition time at which the change rate of the state-mutation posterior probability or the decay rate of the run length satisfies a preset gradient constraint, setting the theoretical sampling hop count and theoretical neighborhood width for the next acquisition time to preset maximum values, to generate the prospective receptive field modulation parameters; performing an exponential moving average over the receptive field modulation parameters of the previous acquisition time and the prospective receptive field modulation parameters of the current acquisition time, to generate smoothed receptive field modulation parameters; and associating the smoothed receptive field modulation parameters with their owning nodes and acquisition times, to obtain the receptive field modulation parameters.
- 7. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the adaptive graph scoring module specifically comprises: mapping the theoretical sampling hop count and the theoretical neighborhood width in the receptive field modulation parameters onto the candidate topological subgraph sequence and constructing a spatial attenuation function; applying the spatial attenuation function to the edge connections and hyperedges in the candidate topological subgraph sequence, to generate a weighted candidate topological subgraph sequence; processing the weighted candidate topological subgraph sequence, the abnormal anchor point sequence and the normal anchor point sequence with an improved FreeGAD algorithm, to generate a structural alignment result sequence; calculating, according to the weighted candidate topological subgraph sequence, the abnormal anchor point sequence and the normal anchor point sequence, the manifold Dirichlet energy of each node under the guidance of the abnormal anchor points and of the normal anchor points respectively, to generate a dual-anchor energy sequence; calculating the manifold Dirichlet energy difference of every node according to the dual-anchor energy sequence and applying it to the structural alignment result sequence, to generate a modulated structural alignment result sequence; and performing weighted fusion of the modulated structural alignment result sequence and the node pre-score sequence according to the owning node and acquisition time, to generate the node graph anomaly score sequence.
- 8. The terminal anomaly detection system based on a graph neural network according to claim 7, wherein the improved FreeGAD algorithm specifically comprises: inputting each node of the weighted candidate topological subgraph sequence into an online network, and inputting the abnormal anchor point sequence and the normal anchor point sequence into a target network, to obtain a node hidden-layer representation distribution vector sequence, an abnormal anchor point hidden-layer representation distribution vector sequence and a normal anchor point hidden-layer representation distribution vector sequence respectively; calculating optimal transport coupling matrices between each node hidden-layer representation distribution vector sequence and the abnormal anchor point and normal anchor point hidden-layer representation distribution vector sequences respectively, and counting the corresponding transported probability mass according to each optimal transport coupling matrix, to obtain an abnormal anchor point probability mass transport sequence and a normal anchor point probability mass transport sequence; constructing an optimal transport triplet margin loss according to the abnormal anchor point probability mass transport sequence and the normal anchor point probability mass transport sequence; reading the manifold Dirichlet energy difference of each node under the guidance of the abnormal anchor points and the normal anchor points, and writing the energy difference into the optimal transport triplet margin loss as a regularization term to obtain the total loss; updating the parameters of the online network according to the total loss, and updating the parameters of the target network by exponential moving average; and recalculating the alignment difference of each node with respect to the abnormal anchor points and the normal anchor points using the updated online network and target network, to obtain the structural alignment result sequence.
- 9. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the counterfactual verification module specifically comprises: mapping the run length onto the terminal heterogeneous behavior graph sequence according to node and acquisition time, to generate a run-length mapping sequence; according to the run-length mapping sequence, cutting out a number of terminal heterogeneous behavior graphs corresponding to the run length, extracting nodes, edge connections and hyperedges according to the dynamic security-semantic meta-path set, and generating a pre-change-point path subgraph sequence; retaining, in the pre-change-point path subgraph sequence, the node attributes and edge connection relations that satisfy the causal constraint set and continuously coincide with the causally invariant core semantic subgraph, to obtain a normal constraint subgraph sequence; mapping the normal constraint subgraph sequence onto the terminal heterogeneous behavior graph of the corresponding acquisition time, and replacing the node attributes and edge connection relations at the corresponding positions with those in the normal constraint subgraph sequence, to generate a counterfactual normal evolution graph sequence; inputting the counterfactual normal evolution graph sequence and the terminal heterogeneous behavior graph sequence into a shared graph encoder according to the same acquisition time, outputting the corresponding hidden-layer representation distribution vectors, and calculating the Wasserstein distances to obtain a structural semantic divergence sequence; and associating the structural semantic divergence sequence with the run-length sequence according to the owning node and acquisition time, to obtain the verification score sequence.
- 10. The terminal anomaly detection system based on a graph neural network according to claim 1, wherein the joint judgment module specifically comprises: correlating the node graph anomaly score sequence, the state-mutation posterior probability sequence, the verification score sequence and the run-length sequence according to the owning node and acquisition time, to generate a node-time joint record sequence; according to the node-time joint record sequence, cutting out, for the same owning node, the node-time joint records before the current acquisition time whose number corresponds to the current run length, to generate a node history comparison sequence; comparing the node graph anomaly score, the state-mutation posterior probability and the verification score of the current acquisition time item by item with the values of the same kind in the node history comparison sequence, and counting the number of times each is not smaller than the historical value, to generate a node graph anomaly score comparison sequence, a state-mutation posterior probability comparison sequence and a verification score comparison sequence; accumulating the node graph anomaly score comparison sequence, the state-mutation posterior probability comparison sequence and the verification score comparison sequence according to the owning node and acquisition time, to generate a node joint judgment value sequence; within the same acquisition time, arranging the node joint judgment values of each terminal in descending order and the corresponding run-length values in ascending order, to generate a terminal alarm ordering sequence; and writing, for each terminal in the terminal alarm ordering sequence, the nodes whose joint judgment values rank first and whose run lengths rank first into the alarm records of that terminal, to generate the terminal anomaly alarm result.
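The modeling step of claim 2 (grouping telemetry by terminal and acquisition time, writing every concurrent interaction into one hyperedge, weighting nodes and hyperedges by how their state changed, and aligning the hypergraphs in time) can be made concrete with a small pure-Python construction. This is an added example written for this page, not the patent's implementation: the record field names, object identifiers, attribute values and the change-based weighting rule are assumptions, and the information bottleneck compression step of the claim is left out.

```python
"""Temporal hypergraph construction from endpoint telemetry (claim 2 style).

Added illustration, not the patent's implementation.  Field names, object ids,
attribute values and the weighting rule are assumptions; the mutual-information
compression step of the claim is not implemented.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Object types named in the claim.
OBJECT_TYPES = {"process", "file", "registry", "account", "netconn", "external_ip"}

# Constructed telemetry: one record per observed object, tagged with the
# concurrent interaction it took part in.  All values are made up for the example
# (203.0.113.0/24 and AS64496 are documentation ranges).
TELEMETRY = [
    {"t": 1, "terminal": "host-A", "interaction": "i1", "type": "process",
     "id": "pid:4711", "attrs": {"image": "word.exe", "parent": "explorer.exe"}},
    {"t": 1, "terminal": "host-A", "interaction": "i1", "type": "file",
     "id": "file:report.docm", "attrs": {"size": 81920}},
    {"t": 1, "terminal": "host-A", "interaction": "i1", "type": "account",
     "id": "user:alice", "attrs": {"session": "console"}},
    {"t": 2, "terminal": "host-A", "interaction": "i2", "type": "process",
     "id": "pid:4711", "attrs": {"image": "word.exe", "parent": "explorer.exe"}},
    {"t": 2, "terminal": "host-A", "interaction": "i2", "type": "netconn",
     "id": "conn:tcp/443", "attrs": {"state": "established"}},
    {"t": 2, "terminal": "host-A", "interaction": "i2", "type": "external_ip",
     "id": "ip:203.0.113.10", "attrs": {"asn": 64496}},
    {"t": 2, "terminal": "host-B", "interaction": "i9", "type": "process",
     "id": "pid:900", "attrs": {"image": "svchost.exe"}},
    {"t": 3, "terminal": "host-A", "interaction": "i3", "type": "process",
     "id": "pid:4711", "attrs": {"image": "word.exe", "parent": "explorer.exe", "integrity": "high"}},
    {"t": 3, "terminal": "host-A", "interaction": "i3", "type": "registry",
     "id": "reg:HKCU/Software/Example/Run", "attrs": {"value": "updater.exe"}},
    {"t": 3, "terminal": "host-A", "interaction": "i3", "type": "account",
     "id": "user:alice", "attrs": {"session": "console"}},
]


@dataclass
class Hypergraph:
    """Terminal heterogeneous behaviour graph of one terminal at one acquisition time."""
    t: int
    terminal: str
    nodes: dict = field(default_factory=dict)        # node id -> {"type", "attrs"}
    hyperedges: dict = field(default_factory=dict)   # interaction id -> set of node ids
    node_weight: dict = field(default_factory=dict)  # node id -> causal tendency weight
    edge_weight: dict = field(default_factory=dict)  # interaction id -> weight


def attribute_change(prev_attrs, attrs):
    """Fraction of attribute keys whose value changed or appeared since the object
    was last seen on the terminal (assumed stand-in for the claim's change track).
    An object never seen before counts as maximal change, so newly joined
    members also express the connection change of a hyperedge."""
    if prev_attrs is None:
        return 1.0
    keys = set(prev_attrs) | set(attrs)
    changed = sum(1 for k in keys if prev_attrs.get(k) != attrs.get(k))
    return changed / len(keys) if keys else 0.0


def build_sequence(records):
    """Group records into (acquisition time, terminal) object sets, write every
    concurrent interaction into one hyperedge, weight nodes by attribute change
    and hyperedges by the mean weight of their members, and return the
    hypergraphs aligned in ascending acquisition time."""
    snapshots = defaultdict(list)
    for rec in records:
        if rec["type"] not in OBJECT_TYPES:
            raise ValueError(f"unknown object type {rec['type']!r}")
        snapshots[(rec["t"], rec["terminal"])].append(rec)

    last_attrs = {}  # (terminal, node id) -> attrs at the last sighting
    sequence = []
    for (t, terminal) in sorted(snapshots):  # time alignment by acquisition time
        g = Hypergraph(t=t, terminal=terminal)
        for rec in snapshots[(t, terminal)]:
            g.nodes[rec["id"]] = {"type": rec["type"], "attrs": dict(rec["attrs"])}
            g.hyperedges.setdefault(rec["interaction"], set()).add(rec["id"])
        for nid, node in g.nodes.items():
            g.node_weight[nid] = attribute_change(last_attrs.get((terminal, nid)), node["attrs"])
        for eid, members in g.hyperedges.items():
            g.edge_weight[eid] = sum(g.node_weight[m] for m in members) / len(members)
        for nid, node in g.nodes.items():  # remember state for the next snapshot
            last_attrs[(terminal, nid)] = node["attrs"]
        sequence.append(g)
    return sequence


if __name__ == "__main__":
    for g in build_sequence(TELEMETRY):
        print(g.t, g.terminal, {e: sorted(m) for e, m in g.hyperedges.items()},
              {e: round(w, 3) for e, w in g.edge_weight.items()})
```

With the constructed records, host-A's process keeps weight 0.0 at time 2 (nothing about it changed) and rises to 1/3 at time 3 when a new attribute appears, while the newly seen network connection, external IP and registry entry each get weight 1.0; the hyperedge weight is the mean over its members, so the interaction at time 2 scores 2/3 and the one at time 3 scores 4/9. Any real deployment would replace the change-fraction rule by the causal tendency weights the claim describes.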
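Claim 6 feeds a Bayesian online change-point detector with the node pre-score sequence and turns the resulting run length and mutation posterior into receptive field modulation parameters (base values, a jump to preset maxima for the step after a detected mutation, then exponential moving average smoothing). The block below is an added example, not the patent's code: it uses the Adams and MacKay (2007) run-length recursion with a Gaussian known-variance observation model as the change-point detector, and the hazard, prior, thresholds and the mapping from run length to hop count and neighborhood width are assumptions chosen for the illustration.

```python
"""Bayesian online change-point detection on a node pre-score sequence and the
receptive-field modulation of claim 6.

Added example, not the patent's implementation.  The Adams & MacKay (2007)
run-length recursion with a Gaussian known-variance observation model stands in
for the claim's change-point detection; hazard, prior, thresholds and the
run-length-to-hops/width mapping are assumptions.
"""
import math

# Constructed pre-scores for one node: a quiet regime, then a sustained jump
# starting at index 10.
PRE_SCORES = [0.10, 0.12, 0.09, 0.11, 0.10, 0.13, 0.08, 0.11, 0.10, 0.12,
              0.90, 0.88, 0.92, 0.91, 0.89, 0.90]


def _normal_pdf(x, mean, var):
    return math.exp(-(x - mean) ** 2 / (2.0 * var)) / math.sqrt(2.0 * math.pi * var)


def bocpd(xs, hazard=1 / 50, mu0=0.5, var0=0.25, obs_var=0.01):
    """Return (mutation_prob, map_run_length), one entry per observation.

    mutation_prob[t] is the posterior mass on run lengths 0 and 1, i.e. that a
    change occurred at t or t-1.  Under a constant hazard the mass on run
    length 0 alone always equals the hazard, so the two shortest run lengths are
    pooled to obtain an informative state-mutation signal."""
    R = [1.0]                         # run-length posterior; starts at run length 0
    means, variances = [mu0], [var0]  # conjugate posterior of the segment mean per run length
    mutation_prob, map_run = [], []
    for x in xs:
        # Joint probability of each run-length hypothesis with the new observation.
        joint = [R[r] * _normal_pdf(x, means[r], variances[r] + obs_var) for r in range(len(R))]
        evidence = sum(joint)
        # r_t = 0: a change point now (fed by every old run); r_t = r + 1: run r grows.
        R = [hazard] + [(1.0 - hazard) * j / evidence for j in joint]
        # Segment-mean posterior: a fresh prior for r_t = 0, the old statistics for
        # the grown runs, each conditioned on x.
        new_means, new_vars = [], []
        for m, v in zip([mu0] + means, [var0] + variances):
            post_v = 1.0 / (1.0 / v + 1.0 / obs_var)
            new_means.append(post_v * (m / v + x / obs_var))
            new_vars.append(post_v)
        means, variances = new_means, new_vars
        # After the first observation run lengths 0 and 1 are the same hypothesis.
        mutation_prob.append(R[0] if len(R) == 2 else R[0] + R[1])
        map_run.append(max(range(len(R)), key=R.__getitem__))
    return mutation_prob, map_run


def modulate_receptive_field(mutation_prob, run_lengths, max_hops=4, max_width=3,
                             prob_rate_threshold=0.3, decay_threshold=0.5, alpha=0.5):
    """Claim-6 style feedback with assumed constants.

    Base (hops, width) come from the run length: a freshly reset run widens the
    search, a long stable run narrows it.  When the change rate of the mutation
    posterior or the decay rate of the run length crosses its threshold at time
    t, the prospective parameters for t + 1 are set to the preset maxima.  An
    exponential moving average then smooths the sequence."""
    n = len(run_lengths)
    prospective = [[float(max(1, max_hops - min(L, max_hops - 1))),
                    float(max(1, max_width - min(L, max_width - 1)))] for L in run_lengths]
    for t in range(1, n - 1):
        prob_rate = abs(mutation_prob[t] - mutation_prob[t - 1])
        decay = (run_lengths[t - 1] - run_lengths[t]) / max(run_lengths[t - 1], 1)
        if prob_rate >= prob_rate_threshold or decay >= decay_threshold:
            prospective[t + 1] = [float(max_hops), float(max_width)]
    smoothed = [prospective[0]]
    for t in range(1, n):
        smoothed.append([alpha * p + (1.0 - alpha) * s
                         for p, s in zip(prospective[t], smoothed[-1])])
    return smoothed


if __name__ == "__main__":
    probs, runs = bocpd(PRE_SCORES)
    for t, (x, p, L, (h, w)) in enumerate(zip(PRE_SCORES, probs, runs,
                                              modulate_receptive_field(probs, runs))):
        print(f"t={t:2d} x={x:.2f} mutation={p:.3f} run={L:2d} hops={h:.2f} width={w:.2f}")
```

On the constructed sequence the MAP run length grows one per step through the quiet regime, collapses to a short run when the scores jump, and then grows again from the new regime; the collapse is what the claim's run-length decay rate picks up, and it pushes the next step's hop count and neighborhood width to their maxima before the moving average relaxes them.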
Description
Terminal anomaly detection system based on a graph neural network
Technical Field
The invention relates to the technical field of anomaly detection, and in particular to a terminal anomaly detection system based on a graph neural network.
Background
With the continuous growth in the number of terminal devices, multi-source, heterogeneous, cross-level and continuously evolving security behavior relations form among terminal-side processes, files, registry entries, accounts, network connections and external addresses, and terminal anomaly detection has gradually developed from identification based on single-point logs, single features and static rules into a correlation analysis paradigm oriented to multi-source data fusion. In the prior art, feature-engineering schemes convert terminal events into statistical features that are fed to a detection model and are suited to recognizing known threats; behavior-sequence schemes identify abnormal moments around the score curve, state transitions and mutation processes; and graph-modeling schemes describe entity relations through nodes and edge connections and mine abnormal structural deviations with graph neural networks or graph anomaly detection methods. Among these routes, graph modeling is better suited to expressing the association and propagation relations among terminal security objects, and has been used for telnet analysis, abnormal access chain identification, lateral movement detection and attack path tracing. Some schemes map processes, files, accounts and network connections to different node types, extract associated features by means of semantic paths, sort anomaly scores over time, and identify behavior mutation moments in combination with change-point analysis.
These methods have some applicability on a single host or in small- to medium-scale network scenarios. In a large-scale terminal network, however, attack behavior is often accompanied by concurrent multi-entity interaction, cross-object cascading diffusion and continuously changing local topology, and fixed neighborhood modeling, static path definitions and single-score judgment cannot stably cover such complex security semantics. The existing schemes mainly have the following defects. First, high-order associations and dynamic interactions among heterogeneous terminal objects are difficult to describe fully through fixed edge connections or static semantic paths, so structural deviation information is insufficiently expressed. Second, graph anomaly detection and time-series change-point identification are usually connected in series, so a change of time-series state can hardly adjust the graph search range in reverse, and anomaly tracing depth and detection timeliness are difficult to balance. Third, legitimate software upgrades, batch service changes and concentrated network activity easily cause severe fluctuation of the whole graph structure, and existing smoothing and suppression methods struggle to distinguish real attack disturbance from normal evolutionary disturbance, which produces missed and false alarms. Fourth, score thresholds are mostly set statically, and the risk judgment standard is difficult to adjust dynamically according to how long a node has remained stable. Therefore, how to provide a terminal anomaly detection system based on a graph neural network is a problem that needs to be solved by those skilled in the art.
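The fourth defect above (a static score threshold that ignores how long a node has been stable) is what the joint judgment module of claim 10 addresses: the comparison window for each node is its current run length, each of the three scores is counted against that history, the counts are accumulated into a joint judgment value, and nodes are ordered per terminal by joint value descending and run length ascending before the leading ones are written to the alarm records. The block below is an added worked example of that procedure, not the patent's implementation; the record layout, score values, terminal and node names and the top-k cut-off are constructed for the illustration.

```python
"""Run-length-windowed joint judgment and per-terminal alarm ordering (claim 10 style).

Added example, not the patent's implementation.  Record layout, score values,
terminal and node names and the top-k cut-off are constructed for illustration.
"""

METRICS = ("graph", "mutation", "verify")  # node graph anomaly score, state-mutation posterior, verification score


def _rows(terminal, node, table):
    """Build node-time joint records from (t, graph, mutation, verify, run) tuples."""
    return [dict(t=t, terminal=terminal, node=node, graph=g, mutation=m, verify=v, run=r)
            for t, g, m, v, r in table]


# Constructed node-time joint record sequence for two terminals at times 1..4.
RECORDS = (
    # host-A / n1: every score jumps at t=4 while the run keeps growing
    _rows("host-A", "n1", [(1, .20, .03, .10, 1), (2, .20, .03, .10, 2), (3, .30, .04, .10, 3), (4, .90, .95, .80, 4)])
    # host-A / n2: jittery scores, current values below all of its history
    + _rows("host-A", "n2", [(1, .60, .10, .30, 1), (2, .50, .12, .35, 2), (3, .60, .10, .30, 3), (4, .40, .09, .28, 4)])
    # host-B / n3: run length reset to 1 at t=4, so only one historical record is compared
    + _rows("host-B", "n3", [(1, .40, .05, .20, 1), (2, .40, .05, .20, 2), (3, .40, .05, .20, 3), (4, .70, .60, .50, 1)])
    # host-B / n4: same joint value as n3 but a longer run, so it ranks after n3
    + _rows("host-B", "n4", [(1, .30, .05, .20, 1), (2, .35, .06, .25, 2), (3, .36, .05, .20, 3), (4, .31, .05, .19, 4)])
)


def joint_judgment(records, terminal, node, t_now):
    """Compare the current record of one node with its last `run` records
    (history window = current run length) and count, per metric, how many
    historical values the current value is not smaller than; the three counts
    are accumulated into one joint judgment value.  Returns None when the node
    has no record at t_now."""
    own = sorted((r for r in records if r["terminal"] == terminal and r["node"] == node),
                 key=lambda r: r["t"])
    current = next((r for r in own if r["t"] == t_now), None)
    if current is None:
        return None
    earlier = [r for r in own if r["t"] < t_now]
    history = earlier[-current["run"]:] if current["run"] > 0 else []  # lst[-0:] would be the whole list
    counts = {m: sum(1 for h in history if current[m] >= h[m]) for m in METRICS}
    return {"terminal": terminal, "node": node, "run": current["run"],
            "counts": counts, "joint": sum(counts.values())}


def rank_terminal_alarms(records, t_now):
    """Terminal alarm ordering: per terminal, joint value descending, then run
    length ascending (a shorter run, i.e. a more recent change, ranks first on ties)."""
    ranked = {}
    for terminal, node in sorted({(r["terminal"], r["node"]) for r in records}):
        judgment = joint_judgment(records, terminal, node, t_now)
        if judgment is not None:
            ranked.setdefault(terminal, []).append(judgment)
    for items in ranked.values():
        items.sort(key=lambda j: (-j["joint"], j["run"]))
    return ranked


def write_alarms(ranked, top_k=1):
    """Terminal anomaly alarm result: the leading top_k nodes of each terminal."""
    return {terminal: [j["node"] for j in items[:top_k]] for terminal, items in ranked.items()}


if __name__ == "__main__":
    ranked = rank_terminal_alarms(RECORDS, t_now=4)
    for terminal, items in ranked.items():
        print(terminal, [(j["node"], j["joint"], j["run"]) for j in items])
    print(write_alarms(ranked))
```

Two properties of the claim's rule show up in the constructed data: because "not smaller than" counts ties, a node whose scores merely hold steady collects one count per historical record, so the window length set by the run length directly bounds how high a stable node can score; and when two nodes tie on the joint value, the node whose run length was just reset (n3) is written to the alarm records before the long-running one (n4).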
Disclosure of Invention
The invention aims to provide a terminal anomaly detection system based on a graph neural network that realizes collaborative anomaly detection for a terminal combining heterogeneous association modeling, time-series change-point feedback, adaptive graph scoring and counterfactual verification. According to an embodiment of the invention, a terminal anomaly detection system based on a graph neural network comprises: a heterogeneous security object modeling module, used for acquiring terminal-side processes, files, registry entries, accounts, network connections and external IP addresses and constructing a terminal heterogeneous behavior graph sequence; a causal disturbance baseline extraction module, used for performing node attribute disturbance and edge connection disturbance on the terminal heterogeneous behavior graph sequence, extracting causally invariant core semantic subgraphs that are stable across disturbances, and generating a causal constraint set; a dynamic meta-path synthesis module, used for generating a dynamic security-semantic meta-path set according to the causal constraint set and the terminal heterogeneous behavior graph sequence; the pre-scoring generation module is used for extracting candidate topological subgraphs according to the dynamic safety semantic element p