
Research On Attack Path Detection Technology Based On Traceability Knowledge Graph

Posted on: 2024-05-29    Degree: Master    Type: Thesis
Country: China    Candidate: K X Huang    Full Text: PDF
GTID: 2558307067472574    Subject: Computer technology
Abstract/Summary:
With the rapid development of information technology and the widespread use of networks, network attacks are becoming more diverse and more complex. Traditional network security devices face growing difficulty in detecting these attacks and cannot completely prevent them from occurring. Once an attack has happened, quickly reconstructing the path it took helps intercept follow-on attacks and reduce losses. Causal analysis over system logs has become an important approach to attack path detection. However, massive system logs produce a very large causal graph, which is prone to search path explosion and therefore lowers detection accuracy. Attack path detection based on machine learning, while effective, lacks interpretability because of the black-box nature of its algorithms and models.

To address these problems, this thesis studies a system log reduction method and an explainable attack path detection method, both built on the traceability knowledge graph (provenance graph). System logs are first represented as a traceability knowledge graph, which is then denoised and reduced in scale; an attention mechanism is then used to detect and classify attack sequences in order to find the attack path. The research work of this thesis consists of the following three parts:

(1) To address the large graph size and search path explosion caused by massive system logs, this thesis first represents system logs as a traceability knowledge graph, then combines several methods from prior research to denoise the graph, and finally weights the edges of the traceability knowledge graph according to key features and reduces the graph by edge weight, further alleviating search path explosion. Comparing the number of edges and nodes before and after reduction shows an average reduction of about 93% in edges and about 86% in nodes, while the reduced traceability knowledge graph still contains the complete attack information, which verifies the effectiveness of the proposed method.

(2) To address the difficulty of attack path detection and the lack of interpretability of machine learning algorithms, this thesis introduces an attention mechanism that identifies the important system operations in a path sequence, thereby explaining the attack sequence. It also constructs a vector representation of each path sequence so that a classification model can classify and detect attack sequences. Experimental results show that the proposed method achieves a precision of 95.03% and a recall of 92.72% over six attack detection tasks on the DARPA TC E3 dataset, demonstrating its effectiveness.

(3) An attack path detection system based on the traceability knowledge graph is designed and implemented. It integrates the research algorithms into separate modules and provides a user interaction interface and data visualization, making it convenient to use. The system takes system log data as input and, after algorithmic processing and analysis, outputs the attack sequence.
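The pipeline the abstract describes (represent logs as a provenance graph, denoise, weight edges by key features, prune by weight, then recover the attack path) is illustrated below with a minimal Python implementation. This is an added example, not the thesis's code or data: the audit-style log lines are constructed for this example, the denoising steps are two generic ones from the provenance literature (merging repeated identical events and dropping files that are written but never read or executed), and the weighting uses a rarity score plus hand-picked key-feature bonuses (a sensitive file prefix, execution out of /tmp, a non-standard destination port). None of these choices, nor the resulting reduction figures, represent the thesis's method or its 93%/86% results.

```python
import math
import os
from collections import defaultdict

# Constructed log lines: "<ts> <subject process> <op> <object>". A browser
# download writes a script to /tmp, bash executes it, the script reads
# /etc/shadow and calls back to 10.0.0.5:4444. Everything else is benign noise.
SAMPLE_LOG = """\
1 bash exec /usr/bin/firefox
2 firefox read /lib/libc.so.6
3 firefox read /etc/ld.so.cache
4 firefox connect 10.0.0.5:443
5 firefox write /home/u/.cache/img1.png
6 firefox write /home/u/.cache/img1.png
7 firefox write /home/u/.cache/img2.png
8 firefox read /home/u/.cache/img2.png
9 firefox write /tmp/update.sh
10 bash exec /tmp/update.sh
11 update.sh read /lib/libc.so.6
12 update.sh read /etc/ld.so.cache
13 update.sh read /etc/shadow
14 update.sh connect 10.0.0.5:4444
15 cron exec /usr/sbin/logrotate
16 logrotate read /lib/libc.so.6
17 logrotate read /etc/ld.so.cache
18 logrotate read /var/log/syslog
19 logrotate write /var/log/syslog.1
20 logrotate write /var/log/syslog.1
21 logrotate write /var/log/syslog.1
22 sshd read /lib/libc.so.6
23 sshd read /etc/ld.so.cache
24 sshd read /etc/passwd
25 sshd write /var/log/auth.log
"""

# Hypothetical key features chosen for this example only.
STANDARD_PORTS = {"80", "443"}
SENSITIVE_PREFIXES = ("/etc/shadow",)
KEY_FEATURE_BONUS = 2.0


def node_type(name):
    return "socket" if ":" in name else "file" if name.startswith("/") else "process"


def parse_log(text):
    """Edges (ts, src, op, dst) oriented along information flow."""
    edges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subj, op, obj = line.split()
        ts = int(ts)
        if op == "exec":
            child = os.path.basename(obj)
            edges += [(ts, subj, op, child), (ts, obj, op, child)]  # parent and image -> child
        elif op == "read":
            edges.append((ts, obj, op, subj))
        elif op == "write":
            edges.append((ts, subj, op, obj))
        elif op == "connect":  # a socket carries data both ways
            edges += [(ts, subj, op, obj), (ts, obj, op, subj)]
        else:
            raise ValueError(f"unknown op {op!r}")
    return edges


def nodes_of(edges):
    return {n for _, s, _, d in edges for n in (s, d)}


def merge_repeats(edges):
    """Denoise 1: one edge per (src, op, dst), keeping the earliest timestamp."""
    first = {}
    for ts, s, op, d in edges:
        first[(s, op, d)] = min(ts, first.get((s, op, d), ts))
    return sorted((ts, s, op, d) for (s, op, d), ts in first.items())


def drop_dead_files(edges):
    """Denoise 2: remove files with no outgoing flow (written, never read or executed)."""
    has_out = {s for _, s, _, _ in edges}
    dead = {n for n in nodes_of(edges) if node_type(n) == "file" and n not in has_out}
    return [e for e in edges if e[3] not in dead]


def edge_weights(edges):
    """Rarity score log2(#processes / #processes touching the pivot) plus key-feature bonuses."""
    procs = {n for n in nodes_of(edges) if node_type(n) == "process"}
    touching = defaultdict(set)
    for _, s, _, d in edges:
        if node_type(s) == "process":
            touching[d].add(s)
        if node_type(d) == "process":
            touching[s].add(d)
    weights = {}
    for ts, s, op, d in edges:
        p = d if node_type(d) != "process" else s if node_type(s) != "process" else d
        w = math.log2(len(procs) / len(touching[p]))  # 0 when every process touches p
        w += KEY_FEATURE_BONUS * (node_type(p) == "file" and p.startswith(SENSITIVE_PREFIXES))
        w += KEY_FEATURE_BONUS * (op == "exec" and p.startswith("/tmp/"))
        w += KEY_FEATURE_BONUS * (node_type(p) == "socket" and p.rsplit(":", 1)[1] not in STANDARD_PORTS)
        weights[(ts, s, op, d)] = w
    return weights


def reduce_graph(text, threshold=1.0):
    """Return (raw_edges, reduced_edges): parse, denoise, weight, prune below threshold."""
    raw = parse_log(text)
    kept = drop_dead_files(merge_repeats(raw))
    weights = edge_weights(kept)
    return raw, [e for e in kept if weights[e] >= threshold]


def backward_trace(edges, alert_node):
    """Follow predecessors that happened before we reached the current node (BackTracker-style)."""
    preds = defaultdict(list)
    for ts, s, _, d in edges:
        preds[d].append((ts, s))
    reached, stack = {alert_node: math.inf}, [alert_node]
    while stack:
        node = stack.pop()
        for ts, s in preds[node]:
            if ts < reached[node] and reached.get(s, -1) < ts:
                reached[s] = ts
                stack.append(s)
    return reached


if __name__ == "__main__":
    raw, kept = reduce_graph(SAMPLE_LOG)
    print(f"edges {len(raw)} -> {len(kept)}, nodes {len(nodes_of(raw))} -> {len(nodes_of(kept))}")
    print("attack path:", sorted(backward_trace(kept, "10.0.0.5:4444")))
```

On the constructed log the reduction removes the shared-library reads and the write-only files while the backward trace from the callback socket still reaches update.sh, /tmp/update.sh, the firefox process that wrote it and /etc/shadow; the same trace on the unreduced graph additionally drags in /lib/libc.so.6 and /etc/ld.so.cache, which is exactly the noise that inflates search paths. The rarity score here is a stand-in for whatever key features a real system learns or configures.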
Keywords/Search Tags: Traceability Knowledge Graph, Attack Path, Attention Mechanism, System Log