CN-122027314-A - Scene library-based network security event identification method, device, equipment and medium

Abstract

The application discloses a scene library-based network security event identification method, device, equipment and medium in the field of data security. The method constructs a target scene library; obtains abnormal behavior data and performs session recombination on it, based on a preset association mode, to generate session sequence data with context association, where the preset association mode comprises attribute association, rule association and behavior association; and matches the session sequence data against the target scene library and the ATT&CK framework. A corresponding network security event is judged to have occurred if the session sequence data matches at least two consecutive attack stages of any attack scene in the target scene library and the tactic sequence matched in the ATT&CK framework is consistent with the standard tactic evolution sequence recorded in the ATT&CK framework for that attack scene. The application improves the accuracy of network security event identification.

Inventors

  • XU GAOYANG
  • QI WEIGANG
  • MOU LIMING
  • ZHONG QINGHONG
  • LI JING

Assignees

  • 成都卫士通信息安全技术有限公司

Dates

Publication Date
20260512
Application Date
20260305

Claims (10)

  1. A method for identifying network security events based on a scene library, comprising the steps of:
     constructing a target scene library, wherein the target scene library comprises a plurality of attack scenes, each attack scene corresponds to a plurality of attack stages arranged in attack life-cycle order, and each attack stage corresponds to one or more abnormal behavior patterns;
     obtaining abnormal behavior data and performing session recombination on it based on a preset association mode to generate session sequence data with context association, wherein the preset association mode comprises attribute association, rule association and behavior association; the attribute association recombines discrete abnormal behavior data into a continuous behavior sequence sharing the same session identifier based on a preset network five-tuple, the rule association recombines discrete abnormal behavior data into a logically related continuous behavior sequence based on association rules among historical abnormal behavior data, and the behavior association recombines discrete abnormal behavior data into a continuous behavior sequence belonging to the same attack activity according to behavior feature similarity; and
     matching the session sequence data with the target scene library and the ATT&CK framework, and judging that a corresponding network security event has occurred if the session sequence data matches at least two consecutive attack stages of any attack scene in the target scene library and the tactic sequence matched in the ATT&CK framework is consistent with the standard tactic evolution sequence recorded in the ATT&CK framework for that attack scene.
  2. The method for identifying network security events based on a scene library as claimed in claim 1, wherein the process of updating the target scene library comprises:
     adding a general basic attack scene and/or a target attack scene defined according to user requirements to the target scene library;
     analyzing historical session sequence data to determine candidate session sequences that were not judged to constitute network security events but whose occurrence frequency exceeds a preset threshold, and comparing each candidate session sequence with the known attack scenes in the target scene library; and
     if the candidate session sequence is associated with a known attack scene, supplementing that known attack scene based on the candidate session sequence, and if it is not associated with any known attack scene, adding the candidate session sequence to the target scene library as a new attack scene.
  3. The method for identifying network security events based on a scene library according to claim 1, wherein, before session recombination of the abnormal behavior data is performed based on the preset association mode, the method further comprises:
     performing data cleaning, data enrichment and format unification on the acquired abnormal behavior data, wherein the data cleaning removes duplicate, invalid and false-alarm abnormal behavior data, and the data enrichment supplements target fields in the abnormal behavior data with associated context information.
  4. The scene library-based network security event recognition method of claim 1, wherein session recombination of the abnormal behavior data based on attribute association comprises:
     extracting network five-tuple information from the abnormal behavior data, wherein the network five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a transport protocol; and
     classifying abnormal behavior data with identical network five-tuple information into the same candidate data set, screening out of the candidate data set the target abnormal behavior data whose timestamps fall within a preset time window, and recombining the target abnormal behavior data into a continuous behavior sequence with the same session identifier, wherein the session identifier comprises the network five-tuple information and a time window identifier.
  5. The scene library-based network security event recognition method of claim 1, wherein session recombination of the abnormal behavior data based on rule association comprises:
     analyzing historical abnormal behavior data with a preset data mining algorithm to obtain association rules representing the logical precedence relationships and association strengths among historical abnormal behavior data; and
     performing logical-association matching on the obtained abnormal behavior data according to the association rules, so as to recombine the abnormal behavior data that match successfully into a logically related continuous behavior sequence.
  6. The scene library-based network security event recognition method of claim 1, wherein session recombination of the abnormal behavior data based on behavior association comprises:
     extracting behavior features from the abnormal behavior data and calculating the behavior-feature similarity between different abnormal behavior data; and
     recombining the abnormal behavior data whose similarity exceeds a preset similarity threshold into a continuous behavior sequence belonging to the same attack activity.
  7. The scene library-based network security event recognition method of claim 1, further comprising:
     constructing an expected attack sequence based on the ATT&CK framework, wherein the expected attack sequence comprises a plurality of tactics arranged in logical order and represents the flow of an attack activity;
     taking the first tactic in the expected attack sequence as the current tactic to be matched, and matching the session sequence data against the behavior features corresponding to the current tactic to be matched;
     if the matching succeeds, updating the current tactic to be matched to the next tactic in the expected attack sequence and returning to the step of matching the session sequence data against the behavior features corresponding to the current tactic to be matched;
     if a preset feature indicating failure or termination of the attack activity is identified in the session sequence data, stopping the current matching flow for the expected attack sequence and recording information about the failure or termination of the attack activity; and
     if the matching fails and the preset feature is not identified in the session sequence data, stopping the current matching flow for the expected attack sequence and judging that the session sequence data does not match the expected attack sequence.
  8. A network security event recognition device based on a scene library, comprising:
     a scene library construction module, configured to construct a target scene library, wherein the target scene library comprises a plurality of attack scenes, each attack scene corresponds to a plurality of attack stages arranged in attack life-cycle order, and each attack stage corresponds to one or more abnormal behavior patterns;
     a data generation module, configured to acquire abnormal behavior data and perform session recombination on it based on a preset association mode to generate session sequence data with context association, wherein the preset association mode comprises attribute association, rule association and behavior association; the attribute association recombines discrete abnormal behavior data into a continuous behavior sequence sharing the same session identifier based on a preset network five-tuple, the rule association recombines discrete abnormal behavior data into a logically related continuous behavior sequence based on association rules among historical abnormal behavior data, and the behavior association recombines discrete abnormal behavior data into a continuous behavior sequence belonging to the same attack activity according to behavior feature similarity; and
     an event judging module, configured to match the session sequence data with the target scene library and the ATT&CK framework, and to judge that a corresponding network security event has occurred if the session sequence data matches at least two consecutive attack stages of any attack scene in the target scene library and the tactic sequence matched in the ATT&CK framework is consistent with the standard tactic evolution sequence recorded in the ATT&CK framework for that attack scene.
  9. An electronic device, comprising: a memory for storing a computer program; and a processor for executing the computer program to implement the scene library-based network security event identification method as claimed in any one of claims 1 to 7.
  10. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the scene library-based network security event identification method of any one of claims 1 to 7.
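As an added illustration (not code from the patent or its assignee), the following Python sketches the attribute-association step of claim 4 and the two-part decision rule of claim 1 (also stated as the first aspect in the description) over constructed alerts. The scene entry, the pattern and tactic labels, the 600-second window and the reading of "consistent" as tactics appearing in non-decreasing order along the scene's standard sequence are all assumptions made here.

```python
from collections import defaultdict
# Constructed sample alerts (not from the patent): (five-tuple, timestamp in s,
# flagged abnormal-behaviour pattern, ATT&CK tactic the detector assigned).
FIVE_TUPLE = ("10.0.0.5", 40001, "10.0.0.9", 445, "tcp")
ALERTS = [
    (FIVE_TUPLE, 100, "port_scan", "reconnaissance"),
    (FIVE_TUPLE, 130, "smb_exploit", "initial-access"),
    (FIVE_TUPLE, 160, "new_service", "persistence"),
    (FIVE_TUPLE, 3900, "port_scan", "reconnaissance"),  # same tuple, later window
]
# Hypothetical scene-library entry: attack stages in life-cycle order (each a
# set of patterns satisfying it) plus the scene's standard tactic sequence.
SCENE_LIBRARY = {
    "smb_intrusion": {
        "stages": [{"port_scan"}, {"smb_exploit"}, {"new_service", "scheduled_task"}],
        "tactics": ["reconnaissance", "initial-access", "persistence"],
    },
}

def sessionize(alerts, window=600):
    """Attribute association: session id = five-tuple + time-window id (claim 4)."""
    sessions = defaultdict(list)
    for five_tuple, ts, pattern, tactic in sorted(alerts, key=lambda a: a[1]):
        sessions[five_tuple + (ts // window,)].append((ts, pattern, tactic))
    return dict(sessions)

def matched_stages(session, stages):
    """Indices of scene stages hit, walking the session in life-cycle order."""
    hits, nxt = [], 0
    for _, pattern, _ in session:
        i = next((i for i in range(nxt, len(stages)) if pattern in stages[i]), None)
        if i is not None:
            hits.append(i); nxt = i + 1
    return hits

def tactics_consistent(session, standard):
    """Observed tactics must not step backwards along the standard sequence."""
    ranks = [standard.index(t) for _, _, t in session if t in standard]
    return bool(ranks) and ranks == sorted(ranks)

def identify_events(alerts, library, window=600):
    """Map session id -> scene name for sessions passing both claim-1 tests."""
    events = {}
    for key, session in sessionize(alerts, window).items():
        for name, scene in library.items():
            hits = matched_stages(session, scene["stages"])
            two_in_a_row = any(b == a + 1 for a, b in zip(hits, hits[1:]))
            if two_in_a_row and tactics_consistent(session, scene["tactics"]):
                events[key] = name
    return events
```

The lone port scan an hour later lands in a different time window, so it forms its own session and, matching only one stage, raises no event.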

Description

Scene library-based network security event identification method, device, equipment and medium

Technical Field

The present application relates to the field of data security, and in particular to a method, apparatus, device and medium for identifying network security events based on a scene library.

Background

With the deepening of enterprise digital transformation, data security monitoring systems are increasingly complex, and security devices such as firewalls, intrusion detection systems, endpoint security software and database audit generate massive alarm information every day, with daily alarm volumes reaching tens of thousands. Network security events that pose a real threat tend to be buried in a large number of invalid alarms. Current network security event recognition technology in the industry mainly comprises signature detection, anomaly detection and recognition based on artificial intelligence models. Signature detection lacks the ability to identify unknown and variant attacks and cannot keep pace with evolving network threats. Anomaly detection suffers from a high false alarm rate, and the large number of invalid anomaly alarms further increases the security analysis workload.
Recognition based on artificial intelligence models is the main direction of development in the prior art, but it has obvious defects. On one hand, most systems adopt a single model to process all types of network security events, which requires a large amount of labelled data for model training and does not fully account for the different behavioral characteristics of network security events in different attack stages, so the recognition effect on multi-step, compound complex attacks is poor. On the other hand, the prior art lacks scene analysis capability across the whole life cycle of a network security event: it cannot effectively mine the association relationships between discrete alarms, has difficulty restoring the complete attack chain, is prone to missed detections, and cannot achieve early discovery and timely warning of network security events.

Disclosure of Invention

In view of the above, the present application aims to provide a method, apparatus, device and medium for identifying network security events based on a scene library, which can achieve high-accuracy, low-false-alarm, interpretable and self-adaptive identification of complex attack scenes in a multi-source alarm environment.
The specific scheme is as follows.

In a first aspect, the present application provides a method for identifying network security events based on a scene library, comprising:

constructing a target scene library, wherein the target scene library comprises a plurality of attack scenes, each attack scene corresponds to a plurality of attack stages arranged in attack life-cycle order, and each attack stage corresponds to one or more abnormal behavior patterns;

obtaining abnormal behavior data and performing session recombination on it based on a preset association mode to generate session sequence data with context association, wherein the preset association mode comprises attribute association, rule association and behavior association; the attribute association recombines discrete abnormal behavior data into a continuous behavior sequence sharing the same session identifier based on a preset network five-tuple, the rule association recombines discrete abnormal behavior data into a logically related continuous behavior sequence based on association rules among historical abnormal behavior data, and the behavior association recombines discrete abnormal behavior data into a continuous behavior sequence belonging to the same attack activity according to behavior feature similarity; and

matching the session sequence data with the target scene library and the ATT&CK framework, and judging that a corresponding network security event has occurred if the session sequence data matches at least two consecutive attack stages of any attack scene in the target scene library and the tactic sequence matched in the ATT&CK framework is consistent with the standard tactic evolution sequence recorded in the ATT&CK framework for that attack scene.
Optionally, the process of updating the target scene library includes: Adding a general basic attack scene and/or a target attack scene defined according to user requirements into the target scene library; Analyzing the historical session sequence data to determine a candidate session sequence which is not judged to have network security events and has the occurrence frequency exceeding a preset threshold value from the historical session sequence data, and co