
CN-122027347-A - IP gray scale reputation flexibility assessment method


Abstract

The invention discloses an IP gray scale reputation flexibility evaluation method, belonging to the technical field of network security protection and intrusion detection. It addresses the defect that the traditional reputation mechanism does not comprehensively consider benign behaviors and evaluates only the level of malicious behavior, so that it degenerates into a binary malicious-or-not detection mechanism. The invention therefore provides a reputation evaluation mechanism that models benign and malicious behaviors with two indexes simultaneously. The method comprises the steps of: S1, collecting and preprocessing user behavior logs and event streams; S2, carrying out fuzzy-logic-based macro-reputation evaluation, extracting multidimensional indexes such as sample counts and historical behavior relative entropy within a time window, fuzzifying them, constructing a benign and malicious fuzzy rule base combined with expert knowledge, carrying out reasoning, and defuzzifying with a center-of-gravity method with exponential decay to obtain a macroscopic reputation that amplifies malicious punishment; S3, carrying out micro-reputation evaluation based on time-constrained incremental sub-graph matching, constructing a benign business pattern graph and a malicious TTPs pattern graph with repeated events merged, carrying out concurrent incremental matching on the user's real-time event stream, and dynamically calculating threat values and benign values to obtain a micro-reputation; and S4, normalizing and weighting the macro- and micro-reputations and combining them with a time attenuation coefficient to obtain the final comprehensive reputation value of the user.
The invention combines long-term historical behavior habits with dynamic response to the real-time event stream. It not only effectively overcomes the ambiguous character of APT attacks and reduces the risks of false positives and false negatives caused by detection of malicious behavior alone, but also effectively prevents white-washing attacks through a history discount mechanism, providing high-robustness, fine-granularity dynamic access control support for key network infrastructure.

Inventors

  • LIU YUAN
  • LIN YIJI
  • TIAN YIMING
  • YANG QINGLIN
  • Li Pengdeng

Assignees

  • 广州大学黄埔研究院

Dates

Publication Date
2026-05-12
Application Date
2026-03-31

Claims (5)

  1. The IP gray scale reputation flexibility evaluation method comprises the following steps: S1, collecting and preprocessing logs; S2, evaluating the macroscopic reputation based on fuzzy logic; S3, evaluating the microscopic reputation based on incremental sub-graph matching; and S4, aggregating the macroscopic and microscopic reputation evaluations.
  2. The IP gray scale reputation flexibility evaluation method according to claim 1, wherein step S1 specifically comprises the following steps: S1.1, information collection. The required event logs, such as Windows security logs, are collected in real time from the system under evaluation; the security log comprises all behavior event logs of all users. S1.2, data preprocessing. The behavior events are preprocessed by a rule-based method so that the processed log distinguishes benign events from malicious events. The processing applies a rule to an effective field of the event; for example, for the Windows security log, if the "security" field of the event exceeds a specific value, e.g. security > 4, the event is judged to be suspicious, otherwise it is judged to be benign.
  3. The IP gray scale reputation flexibility evaluation method according to claim 1, wherein step S2 specifically comprises the following steps: S2.1, parameter input. For a time unit t, a specific set of indexes is considered: { total number of malicious samples, number of samples in time t, comparison with the historical number of samples, comparison with the historical number of samples at fine time granularity, relative entropy of historical behavior, long-term usage similarity }. The total number of malicious samples is the number of malicious events in the log data identified in S1.2; the number of samples is the number of benign samples; the comparison with the historical number of samples measures how much the current day's sample count differs from that of past periods, and the fine-granularity comparison does the same at a finer time scale. The relative entropy of historical behavior measures the difference between the user's behavior at the current time and the historical behavior, and the long-term usage similarity measures how similar the long-term entropy of the user's behavior is to that of past periods. S2.2, fuzzification. Fuzzy logic requires the input parameters to be fuzzified, that is, mapped onto fuzzy membership degrees. The crisp parameters are mapped to membership degrees by a triangular membership function, and the membership degree is divided into three grades: low, medium and high. Discrete membership grades make the fuzzy reasoning more intuitive and interpretable. The triangular membership function is indexed by the membership grade (low, medium or high) and takes the input parameter as its argument; its parameters are the left foot, the peak and the right foot of the triangle, respectively. For the output membership function, i.e. the current user's reputation, two output membership degrees are designed, benign and malicious, each with an adjustment coefficient. S2.3, setting up the rule base. Fuzzy rules formulated over the fuzzified values drive the fuzzy reasoning. The behavior rules of an APT attacker are analyzed from the characteristics of APT attacks and expert knowledge of TTPs; correspondingly, for common business processes, benign behavior rules of the user are analyzed, and together they form the rule base. S2.4, rule reasoning. In fuzzy inference, an activation function is obtained for each fuzzy rule. Since the fuzzy rules here are AND rules, under Mamdani reasoning the activation degree of a rule is the minimum of the membership degrees of all its conditions. From the activation function, the influence of a rule on the output membership function is determined as the minimum of the rule's activation degree and its output membership degree. Finally, the influence values of all rules are aggregated for each output space: the rule with the greatest influence gives the aggregated output membership, i.e. the membership of the reputation level under that output space. S2.5, defuzzification to obtain the macroscopic reputation. The above steps yield, for each output space, the output membership degree of the reputation. For fuzzy reasoning, the fuzzy output membership must be defuzzified: aggregating all output spaces with their output membership degrees gives the reputation output value of the current user. The method adopts a defuzzification formula better suited to the macroscopic reputation, obtained by improving the center-of-gravity method with an exponential decay term governed by a decay coefficient. The center-of-gravity method with exponential decay amplifies the influence of malicious behaviors and indexes: a malicious user need only do something slightly bad for their malicious degree to rise greatly.
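The fuzzy macro-reputation pipeline of claim 3 (triangular fuzzification, AND rules activated by the minimum, max aggregation, and a center-of-gravity defuzzification whose malicious side is exponentially amplified) as an added illustration; this is not the patent's own code, and the breakpoints, rule base and decay-weighted centroid are assumptions because the page omits the formulas.

```python
# Added illustration of claim 3 (S2.1 to S2.5); not the patent's own code.
# The breakpoints, the rule base and the decay-weighted centroid below are
# assumptions, since the page omits the formulas themselves.
from math import exp

def tri(x, a, b, c):
    """Triangular membership: left foot a, peak b, right foot c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

# Assumed breakpoints mapping a crisp index in [0, 1] onto low / medium / high.
LEVELS = {"low": (-0.5, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.5)}

def fuzzify(value):
    return {lvl: tri(value, *abc) for lvl, abc in LEVELS.items()}

# Assumed rule base over three of the claim's indexes.  Conditions are ANDed,
# so under Mamdani reasoning a rule's activation is the minimum membership.
RULES = [
    ({"malicious_total": "high"}, "malicious"),
    ({"malicious_total": "medium"}, "malicious"),
    ({"malicious_total": "low", "samples": "high"}, "benign"),
    ({"malicious_total": "low", "entropy": "low"}, "benign"),
]

def infer(indexes):
    """Aggregate rule influences per output space (benign / malicious) by max."""
    fz = {name: fuzzify(v) for name, v in indexes.items()}
    agg = {"benign": 0.0, "malicious": 0.0}
    for conds, out in RULES:
        activation = min(fz[n][lvl] for n, lvl in conds.items())   # AND -> min
        # implication: min(activation, output membership); the output
        # membership is taken as 1.0 here, so the influence is the activation.
        agg[out] = max(agg[out], min(activation, 1.0))              # aggregate -> max
    return agg

def defuzzify(agg, lam=3.0):
    """Center of gravity over an assumed output space (benign at +1, malicious
    at -1) where the malicious side is weighted by exp(lam * membership), so a
    small malicious activation pulls the reputation strongly towards -1."""
    w_b = agg["benign"]
    w_m = agg["malicious"] * exp(lam * agg["malicious"])
    if w_b + w_m == 0.0:
        return 0.0
    return (w_b * 1.0 + w_m * -1.0) / (w_b + w_m)

def macro_reputation(indexes, lam=3.0):
    return defuzzify(infer(indexes), lam)

if __name__ == "__main__":
    clean = {"malicious_total": 0.0, "samples": 0.9, "entropy": 0.1}
    shady = {"malicious_total": 0.3, "samples": 0.9, "entropy": 0.5}
    print(macro_reputation(clean), macro_reputation(shady, lam=0.0), macro_reputation(shady))
```

With lam=0 the shady user scores a mild -0.2; the decay term pushes the same membership degrees to about -0.8, which is the amplification of malicious punishment the claim describes.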
  4. The IP gray scale reputation flexibility evaluation method according to claim 1, wherein step S3 specifically comprises the following steps: S3.1, constructing the benign pattern graph. For benign users, the concern is their operational habits and business behavior patterns. Benign business processes are obtained from the normal behavior of the current user, such as the common services and ports that the user's business requires. Since normal business processes typically contain repeated behavior events, multiple business processes are aggregated into a single benign pattern graph by merging the repeated nodes, so that multiple business event nodes become a single node. In the benign pattern graph, the vertices represent benign event patterns and the edges represent the average interval between repeated benign event patterns; every benign event pattern has a corresponding benign value expressing the benign extent of the event. S3.2, constructing the malicious pattern graph. The pattern graph is constructed from open-source ATT&CK knowledge. The data structure obtained from ATT&CK is a TTP attack path; TTPs are common APT attack paths, with information probing, lateral movement, privilege escalation and executing destruction being typical. TTPs can be realized by a variety of methods depending on the specific attack means, and multiple TTP attack paths can be obtained from the public ATT&CK. As with the benign pattern graph, TTP attack flows typically contain repeated behavior events, so multiple attack paths are aggregated into a single attack pattern graph by merging the repeated nodes. In the attack pattern graph, the vertex set represents the mode events, and the edge set represents the longest interval between repeated mode events; every mode event in the pattern graph has a threat value representing the threat level of that mode event. S3.3, incremental pattern matching under time constraint. The aggregated pattern graph is matched against the user's event log. The user's real-time event stream is represented as a sequence of events together with the inter-event interval times. The scheme adopts concurrent matching: every event in the user's suspicious event stream is matched against the initial mode event, so that matching is real-time and no event is missed. As the user acts, new behavior incrementally extends the suspicious event stream. During matching, if the suspicious event matches the mode event and the interval between them satisfies the matching rule, the match succeeds and the threat value is recorded. Note that the interval refers to the time from the last successfully matched event to the current event: if, within the suspicious event stream, the suspicious user performs a normal operation to disguise itself and thereby causes a match to fail, the interval is extended to the next matching time. If the suspicious interval has timed out, the match fails. S3.4, dynamically calculating the matching degree. From the matching of S3.3, the user's threat value vector and benign value vector are obtained, where each threat value represents the threat level of the TTP action the user was successfully matched to. S3.5, comprehensively evaluating the microscopic reputation. From the threat value vector of the current match, a micro reputation value is computed from the perspective of the events themselves. The weight of threat events is increased by a negative exponent governed by an attenuation coefficient, so that a suspicious user is judged to have a low reputation value on the basis of only part of its suspicious behaviors.
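The time-constrained incremental matching of claim 4 (S3.3 to S3.5), run over a constructed event stream, as an added illustration; this is not the patent's own code, and the pattern graph, benign values, event stream and micro-reputation formula are assumptions since the page gives none of them. It shows the two behaviours the claim singles out: an interleaved benign operation only extends the interval, while an interval past the longest allowed gap fails the match.

```python
# Added illustration of claim 4 (S3.1 to S3.5); not the patent's own code.
# The pattern graph, the benign values, the event stream and the micro
# reputation formula are constructed assumptions, since the page omits them.
from math import exp

# Assumed TTPs pattern graph as a linear path: each mode event carries the
# longest allowed interval since the previous matched event and a threat value.
PATTERN = [("probe", None, 0.2), ("lateral", 60.0, 0.5), ("privesc", 120.0, 0.9)]
# Assumed benign pattern graph: benign event -> benign value.
BENIGN = {"login": 0.3, "read": 0.1}

def match_stream(stream, pattern=PATTERN, benign=BENIGN):
    """Concurrent, incremental matching of an event stream [(name, gap), ...]
    against the pattern graph; gap is the interval since the previous event.
    Returns (threat_vector, benign_vector)."""
    active = []          # partial matches: [next_index, elapsed_since_last_match]
    threats, benign_vals = [], []
    for name, gap in stream:
        for m in active:
            m[1] += gap                       # benign interleaving only extends the interval
        kept = []
        for nxt, elapsed in active:
            mode, max_gap, threat = pattern[nxt]
            if elapsed > max_gap:
                continue                      # timed out: this partial match fails
            if name == mode:
                threats.append(threat)        # successful step: record its threat value
                if nxt + 1 < len(pattern):
                    kept.append([nxt + 1, 0.0])
            else:
                kept.append([nxt, elapsed])
        active = kept
        if name == pattern[0][0]:             # every event may start a new match
            threats.append(pattern[0][2])
            active.append([1, 0.0])
        elif name in benign:
            benign_vals.append(benign[name])
    return threats, benign_vals

def micro_reputation(threats, benign_vals, beta=2.0):
    """Assumed form: benign mean minus a threat term with negative exponent,
    1 - exp(-beta * sum(threats)), so a few matched TTP steps already dominate."""
    b = sum(benign_vals) / len(benign_vals) if benign_vals else 0.0
    return b - (1.0 - exp(-beta * sum(threats)))

# Constructed stream: a probe, a disguising read, lateral movement inside the
# window, a long pause, then privilege escalation after the window expired.
STREAM = [("login", 0.0), ("probe", 5.0), ("read", 20.0), ("lateral", 30.0),
          ("read", 200.0), ("privesc", 10.0)]

if __name__ == "__main__":
    t, b = match_stream(STREAM)
    print(t, b, micro_reputation(t, b))
```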
  5. The IP gray scale reputation flexibility evaluation method according to claim 1, wherein step S4 specifically comprises the following steps: S4.1, normalizing the macro reputation and the micro reputation. To ensure that the macroscopic and microscopic user reputations lie on a unified scale so that aggregation is fairer, the scheme adopts Min-Max normalization: the macroscopic normalized reputation is computed from the macroscopic reputation and its minimum and maximum, and the microscopic normalized reputation from the microscopic reputation and its minimum and maximum. S4.2, aggregating the two reputation values. A comprehensive reputation evaluation of the user is obtained from the normalized reputation values by a weighted aggregation, with macroscopic and microscopic weights that are constrained to be normalized. S4.3, discounting the historical reputation value. The preceding steps give the aggregated reputation value at the current time. The historical reputation is integrated into this value to effectively prevent white-washing attacks: for each time within the total time span, the integrated reputation at that time is denoted by a redefined symbol, and the composite historical reputation is obtained by applying a time attenuation coefficient, so that discounting the historical reputation values makes the calculation attend more to the reputation at the current time and reduces the proportional influence of the history.
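The aggregation of claim 5 (Min-Max normalization, weighted combination, and the history discount) as an added illustration that compares a white-washing attempt with a consistently good user; this is not the patent's own code, and the weights, the discount form and the reputation series are assumptions.

```python
# Added illustration of claim 5 (S4.1 to S4.3); not the patent's own code.
# The weights, the discount form and the reputation series are assumptions.

def min_max(x, lo, hi):
    """S4.1: Min-Max normalization onto [0, 1]; a degenerate range maps to 0.5."""
    return 0.5 if hi == lo else (x - lo) / (hi - lo)

def aggregate(macro, micro, macro_range, micro_range, w_macro=0.6):
    """S4.2: weighted aggregation of the normalized reputations.
    The weights are normalized (w_macro + w_micro == 1)."""
    w_micro = 1.0 - w_macro
    return (w_macro * min_max(macro, *macro_range)
            + w_micro * min_max(micro, *micro_range))

def discounted(history, gamma=0.5):
    """S4.3: assumed discount form.  history holds the aggregated reputation per
    time unit, oldest first; a unit that is `age` steps old is weighted gamma**age."""
    weights = [gamma ** (len(history) - 1 - i) for i in range(len(history))]
    return sum(w * r for w, r in zip(weights, history)) / sum(weights)

# Constructed series (macro, micro) per time unit, both assumed to range over
# [-1, 1]: a white-washing attempt (bad history, good present) beside a
# consistently good user whose current unit is identical.
RANGES = ((-1.0, 1.0), (-1.0, 1.0))
WASHER = [aggregate(m, u, *RANGES) for m, u in [(-0.8, -0.6), (-0.8, -0.5), (0.9, 0.8)]]
HONEST = [aggregate(m, u, *RANGES) for m, u in [(0.9, 0.7), (0.9, 0.8), (0.9, 0.8)]]

if __name__ == "__main__":
    # same current-time reputation, very different discounted history
    print(WASHER[-1], HONEST[-1], discounted(WASHER), discounted(HONEST))
```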

Description

IP gray scale reputation flexibility assessment method

Technical Field

The invention belongs to the technical field of network security protection and intrusion detection, and particularly relates to an IP gray scale reputation flexibility evaluation method aimed at advanced persistent threat attacks. The method is oriented to key information infrastructure networks, smart grids and the industrial Internet of Things; it combines fuzzy logic reasoning with a time-constrained incremental sub-graph matching technique to measure user network behavior comprehensively from both the macroscopic and the microscopic side, and aims to provide reliable support for threat detection, intrusion tracing and fine-granularity dynamic access control of a system.

Background

With the rapid development of network information technology, the security of key infrastructure and the industrial Internet of Things receives ever more attention. In existing network security protection systems, the advanced persistent threat (Advanced Persistent Threat, APT) has become the main attack means threatening the security of core service systems because of its high persistence, concealment and precision. APT attacks generally follow the evolving paradigm of Tactics, Techniques and Procedures (TTPs): attackers typically pass through multiple stages such as early probing, mid-term penetration and late-stage destruction, carrying out complex attacks that combine multiple tools against the target system. In this context, user "reputation" is introduced into the field of network security as a dynamic measure characterizing the degree of trustworthiness of an entity in a system. Accurate reputation evaluation not only assists core security tasks such as threat detection and intrusion traceability, but also supports fine-granularity dynamic access control, so that the lateral spread and deep penetration of APT attacks are effectively restrained.
However, how to design a reputation measurement mechanism that combines a user's benign business behaviors with potentially malicious behaviors has become a major technical challenge in defending against APT attacks. Conventional reputation evaluation and APT detection technology have considerable limitations and struggle to meet the high security requirements of key infrastructure. First, traditional reputation evaluation often relies on a weighted summation of single malicious behavior events such as honeypot logs and threat alarms; this approach has difficulty handling the uncertain association of behavior characteristics across different contexts and cannot realize joint reasoning over multi-dimensional indexes. Reputation evaluation methods based on machine learning partially increase the detection dimensions, but consume enormous computing power, and real-time, low-latency reputation calculation is hard to achieve for massive concurrent event streams. More importantly, these methods focus mainly on a unidirectional determination of the "malicious degree", while the tolerance for malicious behavior in critical infrastructure is very low, so that slight violations may be rated as very low reputation and the reputation mechanism loses its meaning as an elastic, dynamic evaluation. In addition, advanced APT attackers are very good at disguise, and their daily behavior patterns are highly similar to those of normal users, so traditional purely malicious indexes are very prone to false reports. User behavior analysis based on TTP detection, while an important means of identifying APT, is typically a single-dimensional detection based only on sub-graph matching of attack events.
This mechanism essentially models an "attack paradigm" and completely ignores the "benign behavior contribution" that users make in normal business interactions, lacking the comprehensiveness of a global assessment. At the same time, high-level attackers often become aware that defenders use TTP matching rules and circumvent detection by deliberately spacing out their behaviors or interleaving camouflage operations. Therefore, the existing defense system needs a new theoretical foundation to compensate for the defect of unidirectional evaluation. On the one hand, because user behavior is highly uncertain, introducing fuzzy logic reasoning based on behavior analysis is an effective approach: fuzzy logic converts multidimensional behavior characteristics into fuzzy sets, quantifies risk through rule reasoning, and balances the benign and malicious dimensions. On the other hand, for the TTP characteristics of APT attacks, an incremental sub-graph matching technique under time constraints is adopted, in which events are accumulated gradually from the user behavior stream and a time window limit is applied. The method can greatly reduce the computational cost of full-graph matching and can accurately disti