CN-122027231-A - Lateral movement attack detection method and system based on dynamic time diagram and cooperative feedback
Abstract
The invention belongs to the technical field of network security and intrusion detection, and discloses a method and system for detecting lateral movement attacks based on a dynamic temporal graph and cooperative feedback. It addresses the technical problems of intranet lateral movement detection, namely the concealment of attacker behavior, detection distortion caused by traffic tidal effects, and the lack of cooperation between the preprocessing and detection modules. The method first adapts the time window and generates a temporal graph snapshot with a traffic density sensing algorithm; it then performs neighborhood temporal attention encoding to produce a temporally enhanced embedding vector for each node, calculates the existence probability of each edge with a hybrid framework comprising linear and nonlinear decoding branches, adjusts the balance coefficient of that framework in real time from a preliminary abnormal-edge ratio in order to judge abnormal links, and finally feeds the detection result back to adjust the granularity of the next round's window, realizing closed-loop optimization of detection performance and computational efficiency. The invention markedly improves detection precision and environmental adaptability, and is suitable for defending against complex intranet lateral movement attacks.
Inventors
- ZHANG RU
- BAI ZHILONG
- LIU JIANYI
- YANG ZHEN
Assignees
- 北京邮电大学
Dates
- Publication Date
- 20260512
- Application Date
- 20260119
Claims (9)
- 1. A lateral movement attack detection method and system based on a dynamic temporal graph and cooperative feedback, characterized by comprising the following steps: step S1, traffic density sensing and dynamic window construction: collecting network log data and calculating a traffic density index of the current network in real time, wherein the size of the time window is adaptively adjusted based on a comparison of the traffic density index against a density threshold interval determined from the historical traffic distribution, and a temporal graph snapshot is generated; step S2, neighborhood temporal attention encoding: performing dynamic neighborhood sampling on a target node in the temporal graph snapshot, calculating importance weights of the sampled neighbor nodes with an attention mechanism that combines the node embedding vectors with the temporal interaction features between the target node and the sampled neighbor nodes, and generating a temporally enhanced embedding vector of the target node by fusing the dynamic attribute vectors of the nodes; step S3, hybrid decoding and abnormal link judgment: performing a preliminary probability calculation on the current window using the linear decoding branch of the hybrid decoding model to obtain a preliminary abnormal-edge ratio, adjusting the balance coefficient of the hybrid decoding model in real time according to that ratio, executing the final abnormality judgment with the adjusted hybrid decoding model, and judging candidate edges whose existence probability is lower than the adaptive abnormality threshold to be abnormal edges; and step S4, cooperative feedback optimization: counting the abnormal-edge ratio index of the edges judged abnormal in the current time window, and reversely adjusting the time granularity of the next round of dynamic time window according to that index, so as to realize closed-loop optimization of detection precision and calculation efficiency.
- 2. The method according to claim 1, wherein "calculating the traffic density index of the current network" in step S1 specifically includes: counting the standardized weight sum of the edges newly added within the sliding monitoring window and the number of interaction edges of key nodes; and weighting the number of key-node interaction edges by a preset key-node weight coefficient, fusing the weighted result with the standardized weight sum, and combining the result with the window length to obtain the current traffic density index.
- 3. The method according to claim 1, wherein the "adaptive adjustment of the size of the time window" in step S1 follows the following rule: when the current traffic density index is higher than the upper limit of the density threshold interval, the ratio of the upper limit to the current traffic density index is calculated as a first adjustment coefficient and the current window size is scaled down proportionally; when the current traffic density index is lower than the lower limit of the density threshold interval, the ratio of the lower limit to the current traffic density index is calculated as a second adjustment coefficient and the current window size is expanded proportionally; the adjusted window size is limited to between a preset minimum window length and a preset maximum window length, and a preset time overlap rate is kept between two adjacent windows.
- 4. The method according to claim 1, wherein the "dynamic neighborhood sampling" in step S2 specifically includes: acquiring the degree of the target node and adaptively determining the sampling number from the degree according to a preset functional relation, wherein the sampling number is positively correlated with the node degree and an upper limit on the sampling number is set; and for target nodes whose degree exceeds the upper limit of the sampling number, preferentially sampling the neighbor nodes whose interaction frequency is higher than a preset threshold or whose interaction time is closest to the current moment.
- 5. The method according to claim 1, wherein calculating the importance weights of the neighbor nodes with the attention mechanism in step S2 specifically includes: extracting temporal interaction features between the source node and a neighbor node, the features comprising an interaction frequency index and an interaction interval change rate index; and fusing the temporal interaction features with the embedding vectors of the nodes, processing the result with a nonlinear activation function and normalizing it, to obtain the attention weight of each neighbor node with respect to the target node.
- 6. The method according to claim 1, wherein the "hybrid decoding model" in step S3 specifically includes: establishing a hybrid architecture consisting of a linear inner-product decoding branch and a nonlinear multi-layer perceptron decoding branch; and introducing a dynamic balance coefficient to perform a weighted fusion of the outputs of the two branches, wherein the balance coefficient is adjusted in real time according to the abnormal-edge ratio index of the current window, and the higher the abnormal-edge ratio, the larger the weight of the nonlinear multi-layer perceptron decoding branch.
- 7. The method according to claim 1, wherein "reversely adjusting the time granularity of the next round of dynamic time window" in step S4 specifically includes: if the abnormal-edge ratio index is higher than a preset high-risk threshold, reducing the size of the next round's window according to a preset first adaptive adjustment coefficient so as to improve the time resolution of detection; if the abnormal-edge ratio index is lower than a preset low-risk threshold, increasing the size of the next round's window according to a preset second adaptive adjustment coefficient so as to reduce the calculation cost.
- 8. A lateral movement attack detection system based on a dynamic temporal graph and cooperative feedback, comprising: a traffic sensing module for calculating the real-time traffic density, adaptively adjusting the size of the time window and outputting a temporal graph snapshot; a graph encoding module for executing dynamic neighborhood sampling and temporal attention weighted encoding and generating the enhanced embedding vector of each node; a hybrid detection module for identifying abnormal connections based on the hybrid decoding strategy and counting the abnormal-edge ratio; and a cooperative controller for generating a window adjustment control signal according to the abnormal-edge ratio and feeding that signal back to the traffic sensing module.
- 9. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program, the processor implementing the method of any of claims 1 to 7 when executing the program.
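As an added illustration of the window-control loop of claims 2, 3 and 7 (example code written for this page, not code from the patent or its inventors): the density index, the interval-based scaling with clamping, and the anomaly-ratio feedback. All thresholds, coefficients, the overlap arithmetic and the sample edge list are constructed assumptions, and "combining with the window length" in claim 2 is read here as division by it.

```python
from dataclasses import dataclass


@dataclass
class WindowConfig:
    """All thresholds and coefficients below are constructed for this example."""
    min_len: float = 60.0      # preset minimum window length (seconds)
    max_len: float = 3600.0    # preset maximum window length (seconds)
    overlap: float = 0.2       # preset time overlap rate between adjacent windows
    key_weight: float = 2.0    # preset key-node weight coefficient (claim 2)
    low: float = 0.01          # lower limit of the density threshold interval
    high: float = 0.1          # upper limit of the density threshold interval
    high_risk: float = 0.10    # abnormal-edge ratio above which the next window shrinks
    low_risk: float = 0.02     # abnormal-edge ratio below which the next window grows
    shrink: float = 0.5        # first adaptive adjustment coefficient (claim 7)
    grow: float = 1.5          # second adaptive adjustment coefficient (claim 7)


def clamp(x: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, x))


def traffic_density(edges, key_nodes, window_len: float, cfg: WindowConfig) -> float:
    """Claim 2: standardized weight sum of new edges plus the key-node edge count
    weighted by key_weight, divided by the window length (division is assumed).
    edges: (src, dst, weight) tuples with weights already standardized to [0, 1]."""
    weight_sum = sum(w for _, _, w in edges)
    key_edges = sum(1 for s, d, _ in edges if s in key_nodes or d in key_nodes)
    return (weight_sum + cfg.key_weight * key_edges) / window_len


def adjust_window(window_len: float, density: float, cfg: WindowConfig) -> float:
    """Claim 3: scale by high/density when too dense, by low/density when too
    sparse, then clamp to [min_len, max_len]."""
    if density <= 0:  # empty window (the low-traffic failure mode): expand fully, no division by zero
        return cfg.max_len
    if density > cfg.high:
        window_len *= cfg.high / density
    elif density < cfg.low:
        window_len *= cfg.low / density
    return clamp(window_len, cfg.min_len, cfg.max_len)


def feedback_window(window_len: float, anomaly_ratio: float, cfg: WindowConfig) -> float:
    """Claim 7: the detector's abnormal-edge ratio steers the next round's granularity."""
    if anomaly_ratio > cfg.high_risk:
        window_len *= cfg.shrink
    elif anomaly_ratio < cfg.low_risk:
        window_len *= cfg.grow
    return clamp(window_len, cfg.min_len, cfg.max_len)


def next_window_start(prev_start: float, prev_len: float, new_len: float, cfg: WindowConfig) -> float:
    """Adjacent windows share overlap * new_len seconds (one reading of the overlap rate in claim 3)."""
    return prev_start + prev_len - cfg.overlap * new_len
```

Chaining `traffic_density`, `adjust_window` and then `feedback_window` with the ratio returned by the detector gives one full round of the closed loop in claim 1.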
Description
Lateral movement attack detection method and system based on dynamic time diagram and cooperative feedback
Technical Field
The invention belongs to the technical field of network security and intrusion detection, and in particular relates to the core technical directions of graph neural networks, time-series data modeling and anomaly detection; it is particularly suited to detecting and defending against lateral movement attacks by Advanced Persistent Threats (APTs) in complex environments such as enterprise intranets and government networks.
Background
With deepening digital transformation, enterprise networks keep growing in scale and the interaction relationships among nodes (such as hosts, servers and user terminals) become increasingly complex, which creates opportunities for lateral movement attacks. Lateral movement is a key element of the Advanced Persistent Threat (APT) attack chain. After an attacker gains initial access through the network boundary, the attacker typically uses credential abuse (e.g., pass-the-hash, pass-the-ticket), system vulnerabilities or legitimate protocols (e.g., SMB, RDP, WinRM) to penetrate the network step by step, hopping to key asset nodes to steal sensitive data. Such attacks are extremely threatening, and the major challenges are:
- Behavior concealment: attackers often adopt a living-off-the-land (LotL) strategy and carry out operations with tools built into the system (such as PowerShell and WMI), so that their behavior is mixed into massive volumes of normal business and administrator operations and is difficult to identify from any single feature.
- Path dynamics: the attack path is not fixed; an attacker adjusts the direction of penetration in real time according to the network topology discovered, so that traditional static defense models struggle to capture the evolution of intent.
- Temporal dependence and sparsity: lateral movement often manifests as a low-frequency, long-period penetration process, or as sudden dense connections at key moments, and its temporal evolution pattern places extremely high demands on detection precision and real-time performance.
Currently, existing network security defense technologies have significant bottlenecks in dealing with lateral movement:
- Signature-based intrusion detection (SIDS) relies heavily on a library of known attack patterns and has little defensive capability against new or variant attack techniques (e.g. "zero-day attacks").
- Conventional anomaly-based intrusion detection (AIDS) is mostly based on frequency statistics or static graph analysis. Such methods typically consider only behavioral anomalies or isolated topological features at a single point in time and ignore the time-series evolution information. For example, if an attacker penetrates slowly while mimicking the interaction frequency of a normal user, static analysis often cannot distinguish "legitimate cross-department access" from "malicious pivoting hops".
- Detection techniques based on dynamic or temporal graphs attempt to combine graph structure with timing information, but have key limitations. The temporal window division is rigid, mostly using fixed-length sliding windows or equally spaced slices: because intranet traffic has an obvious tidal effect (such as the large difference between daytime and nighttime traffic), a fixed window causes anomalous features to be submerged by normal traffic when traffic is high, and fragments the data excessively when traffic is low, producing a large number of empty graphs that seriously interfere with model training and detection. The decoding mechanism is single: existing models depend mostly on local similarity (such as inner-product decoding) and have difficulty fitting complex nonlinear attack camouflage patterns. Closed-loop cooperation between modules is lacking: data preprocessing (window generation) and the detection module are independent, so the system cannot dynamically optimize the granularity of the input data according to the currently detected threat level (such as the abnormal-edge ratio), and it is difficult to balance detection precision against calculation efficiency.
In summary, designing a lateral movement attack detection method that can accurately capture combined temporal and topological anomalies, adapt to traffic fluctuation and realize inter-module cooperative optimization has become a technical problem to be solved in the current network security field.
Disclosure of Invention
Aiming at the technical problems in prior-art internal network lateral movement detection, namely strong behavior concealment, dynamic path change, detection distortion caused by the tidal effect of network traffic, and wasted computing resources caused by lack of cooperation between the preprocessing and detection stages, t