
CN-122027191-A - Network information security supervision method


Abstract

The invention discloses a network information security supervision method in the technical field of network information. The method comprises: obtaining a user's access data within a preset time window and performing semantic feature extraction to obtain a semantic behavior feature chain; inputting the semantic behavior feature chain into a Markov model to obtain a network behavior risk index; judging the semantic behavior feature chain by the network behavior risk index to obtain an abnormal behavior feature chain; constructing a time-sequence behavior topological graph from the abnormal behavior feature chain; searching risk paths in the topological graph with a heuristic Dijkstra algorithm to obtain a cross-domain attack chain; extracting features of the cross-domain attack chain to obtain cross-domain attack chain features; and inputting those features into a multi-attribute decision model to obtain an optimal disposal strategy, thereby achieving supervision of network information security.

Inventors

  • Jian Zuyong
  • Jiang Mingxi
  • Zhong Jia

Assignees

  • 航锦(武汉)人工智能科技有限公司

Dates

Publication Date
2026-05-12
Application Date
2025-12-19

Claims (10)

  1. A network information security supervision method, characterized by comprising the following steps: Step S1, obtaining access data of a user in a preset time window and carrying out semantic feature extraction to obtain a semantic behavior feature chain; Step S2, inputting the semantic behavior feature chain into a Markov model and outputting a network behavior risk index; Step S3, constructing a time-sequence behavior topological graph based on the abnormal behavior feature chain, and searching risk paths of the time-sequence behavior topological graph with a heuristic-based Dijkstra algorithm to obtain a cross-domain attack chain; and Step S4, extracting features of the cross-domain attack chain to obtain cross-domain attack chain features, inputting the cross-domain attack chain features into the multi-attribute decision model, and outputting an optimal treatment strategy, thereby realizing the supervision of network information security.
  2. The method for supervising network information security according to claim 1, wherein obtaining the access data of the user within a preset time window comprises the following specific step: collecting a continuous access sequence generated by the network access user in the network environment within the preset time window, wherein the access sequence comprises a plurality of independent access actions arranged by time stamp, and each independent access action records the accessed target resource, the operation type and the time information.
  3. The method for supervising network information security according to claim 2, wherein obtaining the semantic behavior feature chain comprises the following steps: extracting features of the independent access actions to obtain semantic behavior features, wherein the semantic behavior features comprise semantic features, resource sensitivity levels, jump depths and operation confidence; the semantic features map the core verbs of the independent access actions to operation intention labels by querying a predefined operation type rule base, and the resource sensitivity level is divided into the three levels public, internal and secret according to the resource links in the independent access actions; and obtaining the semantic behavior feature chain, which comprises the semantic behavior features of the access user within the preset time window arranged in time order.
  4. The method for supervising network information security according to claim 3, wherein inputting the semantic behavior feature chain into a Markov model and outputting a network behavior risk index comprises the following steps: mapping semantic behavior features into behavior states s, s = (sum, sens, conf), wherein s represents the behavior state in the Markov model, sum represents the semantic feature, sens represents the resource sensitivity level, and conf represents the operation confidence level; collecting a set of historical single-system normal behavior chains of normal users, wherein each behavior chain = , representing the t-th behavior state in the k-th behavior chain, T representing the number of behavior states in each behavior chain, t being the index of the behavior states, K representing the number of behavior chains contained in the historical normal behavior chain set, counting the transitions from behavior state to behavior state and calculating the behavior state transition probability based on the accumulated number of times; recording the jump depth value each time a behavior state transition occurs in the historical single-system normal behavior chain set, and calculating the jump depth weight based on the jump depth value ; for the semantic behavior feature chain to be detected, calculating its network behavior risk index: ; wherein represents the network behavior risk index, represents the base probability of the initial behavior state of the semantic behavior feature chain to be detected, represents the base transition probability that the next state is when the previous state is , represents the jump depth weight when the jump depth is , and T is the number of behavior states.
  5. The method for supervising network information security according to claim 4, wherein calculating the behavior state transition probability based on the accumulated number of times comprises the steps of: counting the accumulated number of transitions from behavior state to behavior state : ; wherein represents the accumulated number of transitions from behavior state to behavior state , represents the t-th behavior state in the k-th historical normal behavior chain, represents the (t+1)-th behavior state in the k-th historical normal behavior chain, T represents the number of behavior states contained in the behavior chain, () is an indicator function that equals 1 when holds and 0 otherwise, and K represents the total number of chains in the historical normal behavior chain set; calculating the behavior state transition probability: ; wherein represents the probability that the next behavior state is when the current behavior state is , represents the Laplace smoothing factor, defaulting to 1, and n represents the total number of behavior states.
  6. The method for supervising network information security according to claim 5, wherein constructing a time-sequence behavior topological graph based on the abnormal behavior feature chain comprises the following steps: calculating the contribution of each behavior state transition step in the abnormal behavior feature chain to the network behavior risk index AnomalyScore: ; wherein represents the contribution, represents the base transition probability that the next state is when the previous state is , and represents the jump depth weight when the jump depth is ; traversing all transition steps from t = 2 to T and determining the feature segment with the highest contribution Contribution(t) as the abnormal origin; collecting the user identification of the abnormal origin, the abnormal timestamp and the source abnormal system ; extending the preset time window around the abnormal timestamp , using the user identification as query key to query the logs of all monitored service systems, obtaining all behavior records of the user within the extended preset time window, converting all collected behavior records into semantic behavior features of uniform format, and forming the cross-domain behavior feature set to be analyzed; and based on the cross-domain behavior feature set, constructing a time-sequence behavior topological graph G = (V, E), wherein V is the set of graph nodes, E the set of directed edges, the value of a graph node is a semantic behavior feature, and a directed edge is created between adjacent nodes in time order.
  7. The method for supervising network information security according to claim 6, wherein searching risk paths in the time-sequence behavior topological graph with a heuristic-based Dijkstra algorithm to obtain a cross-domain attack chain comprises the following specific steps: computing the transfer suspicion score of the transfer from node to node : ; wherein represents the transfer suspicion score, represents the service system attribute of node , represents the service system attribute of node , () is an indicator function that takes the value 1 when and are equal and 0 otherwise, represents the resource sensitivity level of node , represents the resource sensitivity level of node , - represents the change in sensitivity, represents the operation confidence of node , 、 and all represent adjustable weight parameters, and are the timestamps of nodes and respectively, represents the weight controlling the time decay, represents the decay rate, and represents the time decay factor; for each directed edge , assigning an edge weight according to the following formula: ; wherein represents the weight of directed edge , represents the transfer suspicion score, a higher score indicating a greater risk of the transfer, is a constant preventing division by zero, taking the value , and represents the confidence penalty coefficient; setting the actual cost, the evaluation function value and the heuristic function value of each node V, then entering the loop of the heuristic Dijkstra algorithm, and after the heuristic Dijkstra algorithm finishes, selecting the path with the minimum evaluation function value as the cross-domain attack chain by backtracking the predecessor node recorded at each node.
  8. The method for supervising network information security according to claim 7, wherein extracting features of the cross-domain attack chain to obtain cross-domain attack chain features comprises the following specific steps: the cross-domain attack chain = [ ], representing the -th node in the cross-domain attack chain; performing feature extraction on each attack-order sub-chain in the cross-domain attack chain to obtain the cross-domain attack chain features , wherein is the entry point risk value, is the number of critical transitions, represents the maximum target sensitivity, is the attack chain length, and represents the system span.
  9. The method for supervising network information security according to claim 8, wherein inputting the cross-domain attack chain features into the multi-attribute decision model and outputting the optimal treatment policy comprises the following specific steps: calculating a comprehensive threat index: ; wherein CTI is the comprehensive threat index, 、 、 、 、 respectively represent the weights of the entry point risk value, the number of critical transitions, the maximum target sensitivity, the attack chain length and the system span, represents the maximum historical attack chain length, represents the maximum historical system span, represents the maximum number of critical transitions in the historical attack chains, and represents the maximum resource sensitivity level in the historical attack chains; the treatment action set A = contains response measures of different intensities: represents enhanced monitoring, represents operation delay, represents secondary authentication, represents session restriction, represents session freezing, and represents network blocking; for each action , setting a treatment efficacy ∈ [0,1] and a treatment cost ∈ [0,1]; and based on the treatment efficacy and the treatment cost, calculating a comprehensive utility value and selecting the action with the largest comprehensive utility value as the optimal treatment strategy.
  10. The method for supervising network information security according to claim 9, wherein calculating the comprehensive utility value based on the treatment efficacy and the treatment cost comprises the following step: computing the comprehensive utility value U( ) of action : ; wherein represents the comprehensive utility value of action , represents the treatment efficacy of action , represents the maximum target sensitivity of the cross-domain attack chain, represents the treatment cost of action , and represents the security preference coefficient.
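The Markov scoring of claims 4 to 6 (step S2 of the method), as an added worked example that is not part of the patent: transition counts over the historical normal chains are Laplace-smoothed, a chain is scored by the weighted surprise of its initial state and each transition, and the step with the highest contribution is taken as the abnormal origin. The exact risk-index and jump-depth-weight formulas are not legible on this page, so the negative-log-likelihood form and the linear depth weight used here are assumptions, and the behaviour chains are constructed sample data.

```python
import math
from collections import defaultdict

# A behaviour state is s = (sem, sens, conf): operation-intent label, resource
# sensitivity level (public/internal/secret) and operation confidence (claim 4).
LOGIN = ("login", "public", "high")
READ_INT = ("read", "internal", "high")
READ_PUB = ("read", "public", "high")
EDIT_INT = ("edit", "internal", "high")
LOGOUT = ("logout", "public", "high")

# Constructed historical normal behaviour chains of one service system (K = 3).
NORMAL_CHAINS = [
    [LOGIN, READ_INT, LOGOUT],
    [LOGIN, READ_PUB, LOGOUT],
    [LOGIN, READ_INT, EDIT_INT, LOGOUT],
]

def fit_markov(chains, alpha=1.0):
    """Count state transitions over all K chains and Laplace-smooth them (claim 5).
    alpha is the smoothing factor (default 1); n is the number of distinct states."""
    states = sorted({s for c in chains for s in c})
    n = len(states)
    init, trans, out = defaultdict(int), defaultdict(int), defaultdict(int)
    for c in chains:
        init[c[0]] += 1
        for a, b in zip(c, c[1:]):
            trans[(a, b)] += 1   # N(s_i -> s_j)
            out[a] += 1          # transitions leaving s_i
    return {
        "n": n, "k": len(chains), "alpha": alpha,
        "p_init": lambda s: (init[s] + alpha) / (len(chains) + alpha * n),
        # Unseen states or transitions fall back to the smoothed floor alpha/(out + alpha*n).
        "p_trans": lambda a, b: (trans[(a, b)] + alpha) / (out[a] + alpha * n),
    }

def depth_weight(d):
    """Jump-depth weight; linear form is an assumption (no formula on the page)."""
    return 1.0 + d

def risk_index(model, chain):
    """AnomalyScore of a chain of (state, jump_depth) pairs as a depth-weighted
    negative log-likelihood (assumed form). Returns (score, per-step contributions,
    index of the max-contribution step t = 2..T, i.e. the abnormal origin of claim 6)."""
    score = -math.log(model["p_init"](chain[0][0]))
    contrib = [score]
    for (prev, _), (cur, depth) in zip(chain, chain[1:]):
        c = -math.log(model["p_trans"](prev, cur)) * depth_weight(depth)
        contrib.append(c)
        score += c
    origin = max(range(1, len(contrib)), key=lambda t: contrib[t])
    return score, contrib, origin

if __name__ == "__main__":
    m = fit_markov(NORMAL_CHAINS)
    suspicious = [(LOGIN, 0), (READ_INT, 1), (("download", "secret", "low"), 3), (LOGOUT, 0)]
    s, c, o = risk_index(m, suspicious)
    print(f"risk={s:.2f} origin_step={o + 1} contributions={[round(x, 2) for x in c]}")
```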

Description

Network information security supervision method

Technical Field

The invention relates to the technical field of network information, in particular to a network information security supervision method.

Background

With network attacks becoming increasingly organized, persistent and cross-domain, complex attacks such as advanced persistent threats tend to penetrate gradually and finally reach the attack goal through a series of low-intensity probing operations distributed across a plurality of service systems. A single behavior in the attack chain has no obvious malicious features under the traditional detection view; it is the cross-system, time-sequence logical association of these single behaviors that conceals the real attack intention. Therefore, how to accurately identify these scattered but inherently associated potential attack sequences in massive, heterogeneous user behavior logs has become a key challenge in the field of network information security supervision.

The traditional method first uses a predefined threat rule base to match and alarm on user behaviors in real time within each independent service system (such as an OA office system, an HR human resource system and a database). The independent alarm events generated by the different systems are then spliced in time order and logically correlated to discover potential lateral movement attack paths. However, the conventional method relies on predefined detection rules for a single system, its analysis is limited to the interior of an isolated system, and it cannot effectively characterize and quantify the risk of a behavior that crosses different service systems, so that detection of low-rate, cross-system attacks suffers from serious lag and omission.

Disclosure of Invention

Aiming at the defects of the prior art, the invention provides a network information security supervision method to solve the problems described in the background art.

In order to achieve this purpose, the invention is realized by the following technical scheme. The network information security supervision method comprises the following steps: Step S1, obtaining access data of a user in a preset time window and carrying out semantic feature extraction to obtain a semantic behavior feature chain; Step S2, inputting the semantic behavior feature chain into a Markov model and outputting a network behavior risk index; Step S3, constructing a time-sequence behavior topological graph based on the abnormal behavior feature chain, and searching risk paths of the time-sequence behavior topological graph with a heuristic-based Dijkstra algorithm to obtain a cross-domain attack chain; and Step S4, extracting features of the cross-domain attack chain to obtain cross-domain attack chain features, inputting the cross-domain attack chain features into the multi-attribute decision model, and outputting an optimal treatment strategy, thereby realizing the supervision of network information security.

Preferably, obtaining the access data of the user in the preset time window includes the following specific step: collecting a continuous access sequence generated by the network access user in the network environment within the preset time window, wherein the access sequence comprises a plurality of independent access actions arranged by time stamp, and each independent access action records the accessed target resource, the operation type and the time information.

Preferably, obtaining the semantic behavior feature chain includes the following steps: extracting features of the independent access actions to obtain semantic behavior features, wherein the semantic behavior features comprise semantic features, resource sensitivity levels, jump depths and operation confidence; the semantic features map the core verbs of the independent access actions to operation intention labels by querying a predefined operation type rule base, and the resource sensitivity level is divided into the three levels public, internal and secret according to the resource links in the independent access actions; and obtaining the semantic behavior feature chain, which comprises the semantic behavior features of the access user within the preset time window arranged in time order.

Preferably, inputting the semantic behavior feature chain into a Markov model and outputting a network behavior risk index includes the following steps: mapping semantic behavior features into behavior states s, s = (sum, sens, conf), wherein s represents the behavior state in the Markov model, sum represents the semantic feature, sens represents the resource sensitivity level, and conf represents the operation confidence level; collecting a set of historical single-system normal behavior chains of normal users, wherein each behavior chain = , representing the t-th behavior state in the k-th behavio