CN-122027306-A - Network security detection method and system based on artificial intelligence
Abstract
The invention relates to the technical field of network security, in particular to a network security detection method and system based on artificial intelligence. The method comprises: collecting multi-source security data in a target network environment, performing entity resolution and relationship matching to generate interaction relationship data among identity entities, service entities and resource entities, and constructing an association graph and a continuous sequence of graph structure snapshots; performing incremental calculation between the graph structures of adjacent time windows to form the access structure expansion subgraph corresponding to each identity node; establishing a legal expansion pattern set from historical normal-operation samples and structure-matching the current access structure expansion subgraph against it to screen out abnormal structure subgraphs; mapping the abnormal structure subgraphs to attack stage labels and constructing a stage directed path graph; and judging, by reachable-path detection, whether an attack closed structure is formed, so that progressive permission expansion and lateral movement behaviors are identified and alarmed.
Inventors
- Pei Jiaxi
- LIU XINGRONG
Assignees
- 若昊新程(北京)科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260228
Claims (10)
- 1. The network security detection method based on artificial intelligence is characterized by comprising the following steps: S1, acquiring multi-source security data in a target network environment, and carrying out entity resolution and relationship matching on the multi-source security data to generate interaction relationship data among an identity entity, a service entity and a resource entity; S2, constructing an association graph comprising identity nodes, service nodes and resource nodes based on the interaction relationship data, and slicing the association graph according to a preset time window to generate a continuous graph structure snapshot sequence; S3, performing incremental calculation on the graph structure snapshots of adjacent time windows in the graph structure snapshot sequence, identifying newly added nodes and newly added edges, and determining, based on the newly added nodes and newly added edges, the access structure expansion subgraph of each identity node in the current time window relative to the previous time window; S4, establishing a legal expansion pattern set based on access structure expansion subgraph samples from a historical normal-operation period, performing structure matching between the access structure expansion subgraph of the current time window and the legal expansion pattern set, and screening out abnormal structure subgraphs that do not conform to a legal expansion pattern; S5, mapping the interaction relationship data corresponding to the abnormal structure subgraph to attack stage labels according to preset behavior rules, and constructing a stage directed path graph based on the node connection relations in the abnormal structure subgraph; S6, detecting whether a reachable path exists in the stage directed path graph from the node corresponding to the initial access stage to the node corresponding to the sensitive resource access stage; if so, judging that the abnormal structure subgraph forms an attack closed structure, and outputting network security threat alarm information.
- 2. The network security detection method based on artificial intelligence according to claim 1, wherein in S1, the collecting of multi-source security data in the target network environment includes: respectively acquiring a network traffic log, an identity authentication log and a resource access log from network equipment, host systems and cloud platform components; carrying out format parsing and field extraction on the obtained log data, and converting the log data into a uniform data structure format; performing time synchronization on the converted log data based on its timestamps, and grouping it according to a preset time granularity; and taking the time-synchronized log data as the multi-source security data.
- 3. The network security detection method based on artificial intelligence according to claim 1, wherein in S1, the performing of entity resolution and relationship matching on the multi-source security data includes: extracting an identity identification field, a service identification field and a resource identification field from the multi-source security data, and normalizing the fields; performing entity alignment on the identity identification field, the service identification field and the resource identification field based on a preset entity mapping rule to generate uniform identity entity, service entity and resource entity identifiers; constructing access relation records among entities according to the identity entity, service entity and resource entity identifiers and the corresponding time information; and organizing the access relation records into interaction relationship data among the identity entity, the service entity and the resource entity.
- 4. The network security detection method based on artificial intelligence according to claim 1, wherein in S2, the constructing of an association graph including identity nodes, service nodes and resource nodes based on the interaction relationship data comprises: generating identity nodes according to the identity entity identifiers in the interaction relationship data, generating service nodes according to the service entity identifiers, and generating resource nodes according to the resource entity identifiers; according to the access relation records in the interaction relationship data, establishing an identity-service edge between the corresponding identity node and service node, and a service-resource edge between the corresponding service node and resource node, with the access time information and the access result information used as edge attributes; and organizing the identity nodes, the service nodes, the resource nodes and their corresponding edge relations into an association graph.
- 5. The network security detection method based on artificial intelligence according to claim 1, wherein in S3, the performing of incremental calculation on the graph structure snapshots of adjacent time windows in the graph structure snapshot sequence and identifying the newly added nodes and newly added edges includes: respectively extracting the node sets and edge sets of a first graph structure snapshot and a second graph structure snapshot corresponding to adjacent time windows; performing a set difference of the node set of the second graph structure snapshot against the node set of the first graph structure snapshot to obtain the newly added node set; performing a set difference of the edge set of the second graph structure snapshot against the edge set of the first graph structure snapshot to obtain the newly added edge set; and taking the newly added node set and the newly added edge set as the structure increment result of the current time window.
- 6. The network security detection method based on artificial intelligence according to claim 1, wherein in S4, the establishing of a legal expansion pattern set based on the access structure expansion subgraph samples from the historical normal-operation period includes: extracting structural features from the access structure expansion subgraph samples of the historical normal-operation period, wherein the structural features comprise the number of newly added nodes, the node connectivity variation and the newly added edge distribution features; vectorizing the structural features to generate structural feature vectors; performing pattern clustering or boundary learning on the structural feature vectors to form legal structural pattern representations; and organizing the legal structural pattern representations into a legal expansion pattern set.
- 7. The network security detection method based on artificial intelligence according to claim 1, wherein in S4, the structure matching of the access structure expansion subgraph of the current time window against the legal expansion pattern set includes: extracting the structural features of the access structure expansion subgraph of the current time window, and generating the corresponding structural feature vector; carrying out a similarity or distance calculation between the structural feature vector and the legal structural pattern representations in the legal expansion pattern set; and when the similarity is lower than a preset threshold or the distance is higher than a preset threshold, judging the access structure expansion subgraph to be an abnormal structure subgraph that does not conform to a legal expansion pattern.
- 8. The network security detection method based on artificial intelligence according to claim 1, wherein in S5, the mapping to attack stage labels according to the preset behavior rules comprises: extracting an access behavior type, access result information and an access object type from the interaction relationship data corresponding to the abnormal structure subgraph; constructing a behavior feature vector, wherein the behavior feature vector comprises the access behavior type, the access result state and the access object attribute; matching the behavior feature vector against a preset behavior rule table, wherein the behavior rule table comprises the correspondence between behavior features and attack stage labels; and labeling the interaction relationship data with the corresponding attack stage labels according to the matching result.
- 9. The method according to claim 1, wherein in S6, the detecting of whether a reachable path exists in the stage directed path graph from the node corresponding to the initial access stage to the node corresponding to the sensitive resource access stage includes: determining a start node marked with the initial access stage and a target node marked with the sensitive resource access stage in the stage directed path graph; performing a graph traversal search from the start node based on the adjacency relations of the stage directed path graph to obtain the set of nodes reachable from the start node; judging whether the target node is contained in the reachable node set; and when the target node is contained in the reachable node set, determining that a reachable path exists.
- 10. An artificial intelligence based network security detection system for use with the artificial intelligence based network security detection method according to any one of claims 1 to 9, the system comprising the following modules: a data processing module, used for collecting multi-source security data in the target network environment, carrying out entity resolution and relationship matching on the multi-source security data, and generating interaction relationship data among the identity entity, the service entity and the resource entity; a graph construction module, used for constructing an association graph comprising identity nodes, service nodes and resource nodes based on the interaction relationship data, and slicing the association graph according to a preset time window to generate a continuous graph structure snapshot sequence; a structure increment analysis module, used for performing incremental calculation on the graph structure snapshots of adjacent time windows in the graph structure snapshot sequence, identifying newly added nodes and newly added edges, and determining the access structure expansion subgraph of each identity node in the current time window relative to the previous time window; a legal pattern analysis module, used for establishing a legal expansion pattern set based on the access structure expansion subgraph samples from the historical normal-operation period, carrying out structure matching between the access structure expansion subgraph of the current time window and the legal expansion pattern set, and screening out abnormal structure subgraphs that do not conform to a legal expansion pattern; a stage path construction module, used for mapping the interaction relationship data corresponding to the abnormal structure subgraph to attack stage labels and constructing a stage directed path graph based on the node connection relations in the abnormal structure subgraph; and a path detection module, used for detecting whether a reachable path exists in the stage directed path graph from the node corresponding to the initial access stage to the node corresponding to the sensitive resource access stage, and outputting network security threat alarm information when the reachable path exists.
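The claimed pipeline from the structure increment of claim 5 through the stage labelling of claim 8 to the reachability check of claim 9, as an added example that is not part of the patent. The two snapshots, the rule table and the sensitive-resource attribute are constructed; each edge carries the identity whose access created it so that its expansion subgraph can be cut out, the S4 legal-pattern screen is omitted so every expansion subgraph is examined, and the stage path graph also chains an identity's accesses in time order (all three are assumptions, not claim text).

```python
# Added example (not the patent's code). Edge = (identity, src, dst, action, result, ts);
# the identity whose access created the edge is kept so its expansion subgraph can be cut out.
from collections import deque

SENSITIVE = {"res:customer-db"}  # constructed "access object attribute"
# Claim 8: behaviour rule table, (action, result, object kind) -> attack stage.
RULES = {("login", "success", "service"): "initial_access",
         ("assume_role", "success", "service"): "privilege_escalation",
         ("read", "success", "sensitive_resource"): "sensitive_resource_access"}

def expansion_subgraphs(prev, curr):
    """Claim 5 + S3: set-difference the adjacent snapshots, then group the newly
    added edges by identity to get each identity's access expansion subgraph."""
    new_edges = curr["edges"] - prev["edges"]  # new nodes: curr["nodes"] - prev["nodes"]
    subgraphs = {}
    for edge in new_edges:
        subgraphs.setdefault(edge[0], set()).add(edge)
    return subgraphs

def stage_graph(subgraph):
    """S5: label accessed nodes with attack stages and build the directed path graph."""
    labels, adj, ordered = {}, {}, sorted(subgraph, key=lambda e: e[5])
    for i, (_, src, dst, action, result, _) in enumerate(ordered):
        kind = ("sensitive_resource" if dst in SENSITIVE
                else "resource" if dst.startswith("res:") else "service")
        if (action, result, kind) in RULES:
            labels[dst] = RULES[(action, result, kind)]
        adj.setdefault(src, set()).add(dst)
        if i:  # assumption: also chain the identity's accesses in time order
            adj.setdefault(ordered[i - 1][2], set()).add(dst)
    return labels, adj

def forms_attack_closure(labels, adj):
    """Claim 9: BFS from initial-access nodes; closed if a sensitive node is reached."""
    starts = [n for n, s in labels.items() if s == "initial_access"]
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt); queue.append(nxt)
    return any(labels.get(n) == "sensitive_resource_access" for n in seen)

def detect(prev, curr):
    """S3+S5+S6 for one window pair; the S4 legal-pattern screen is omitted (assumption)."""
    return sorted(ident for ident, sub in expansion_subgraphs(prev, curr).items()
                  if forms_attack_closure(*stage_graph(sub)))

# Constructed windows: alice's routine web access, then bob's normal use and alice's
# low-frequency creep from an IAM login to an admin role to the customer database.
PREV = {"nodes": {"id:alice", "svc:web", "res:static"},
        "edges": {("id:alice", "id:alice", "svc:web", "login", "success", 1)}}
CURR = {"nodes": PREV["nodes"] | {"id:bob", "svc:iam", "svc:admin-api", "res:customer-db"},
        "edges": PREV["edges"] | {
            ("id:bob", "id:bob", "svc:web", "login", "success", 10),
            ("id:bob", "svc:web", "res:static", "read", "success", 11),
            ("id:alice", "id:alice", "svc:iam", "login", "success", 12),
            ("id:alice", "id:alice", "svc:admin-api", "assume_role", "success", 13),
            ("id:alice", "svc:admin-api", "res:customer-db", "read", "success", 14)}}
```

`detect(PREV, CURR)` returns `['id:alice']`: bob's new edges only reach an unlabelled, non-sensitive resource, while alice's chain from initial access through privilege escalation reaches the sensitive resource and closes the attack structure.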
Description
Network security detection method and system based on artificial intelligence
Technical Field
The invention relates to the technical field of network security, in particular to a network security detection method and system based on artificial intelligence.
Background
With the wide application of cloud computing and cloud-native architecture, enterprise network environments have become highly dynamic and service-oriented, and the interaction relationships among identities, services and resources are increasingly complex. In this context, network security detection technology has gradually evolved from intrusion detection based on signature matching to detection based on abnormal behavior analysis. In the prior art, abnormal access behaviors are usually identified within a fixed time window through statistical analysis of network flow characteristics, access frequency or service call relations, and some schemes also introduce a static service call graph or an access baseline model to identify abnormal nodes or abnormal access paths. These techniques are effective at identifying high-frequency anomalous behavior or obviously illicit access. In a cloud-native environment, however, an attacker who has stolen legitimate identity credentials gradually expands the access range across multiple time windows in a low-frequency and seemingly legitimate form, producing progressive lateral movement. The prior art judges on single access behaviors or on statistics over a short time window and lacks the ability to model, at the structural level, how an identity's access capability evolves over time, so progressive permission expansion driven by a legitimate identity is difficult to identify.
Disclosure of Invention
In order to make up for the above defects, the invention provides a network security detection method and system based on artificial intelligence, aiming to solve the problem that progressive permission expansion driven by a legitimate identity is difficult to identify. In a first aspect, the invention provides a network security detection method based on artificial intelligence, including the following steps: S1, acquiring multi-source security data in a target network environment, and carrying out entity resolution and relationship matching on the multi-source security data to generate interaction relationship data among an identity entity, a service entity and a resource entity; S2, constructing an association graph comprising identity nodes, service nodes and resource nodes based on the interaction relationship data, and slicing the association graph according to a preset time window to generate a continuous graph structure snapshot sequence; S3, performing incremental calculation on the graph structure snapshots of adjacent time windows in the graph structure snapshot sequence, identifying newly added nodes and newly added edges, and determining, based on the newly added nodes and newly added edges, the access structure expansion subgraph of each identity node in the current time window relative to the previous time window; S4, establishing a legal expansion pattern set based on access structure expansion subgraph samples from a historical normal-operation period, performing structure matching between the access structure expansion subgraph of the current time window and the legal expansion pattern set, and screening out abnormal structure subgraphs that do not conform to a legal expansion pattern; S5, mapping the interaction relationship data corresponding to the abnormal structure subgraph to attack stage labels according to preset behavior rules, and constructing a stage directed path graph based on the node connection relations in the abnormal structure subgraph; S6, detecting whether a reachable path exists in the stage directed path graph from the node corresponding to the initial access stage to the node corresponding to the sensitive resource access stage; if so, judging that the abnormal structure subgraph forms an attack closed structure, and outputting network security threat alarm information. By adopting this technical scheme, the method and system build the association graph from the interaction relationships among identity entities, service entities and resource entities, generate the graph structure snapshot sequence by time-window slicing, perform structure increment calculation between adjacent time windows to form the access structure expansion subgraph corresponding to each identity node, build the legal expansion pattern set from the access structure expansion subgraph samples of the historical normal-operation period, and structure-match the current access structure expansion subgraph against it, so that the change trend of an identity's access capability is modeled and judged at the structural level; in this way, the detection process is converted fr