CN114637892A - Summary graph generation method for syslog dependency graphs for attack investigation and recovery - Google Patents

Abstract

The invention provides a method for generating a summary graph of a system log dependency graph for attack investigation and restoration, which comprises the following steps: determining a system entity dependency relationship graph of an attack event to be investigated and restored, wherein the dependency relationship graph comprises system entity nodes related to the attack event and a calling relationship between the system entity nodes; the system entity node comprises a process node and a resource node; executing hierarchical random walking on the process nodes in the dependency graph, and determining the behavior representation of the process nodes; clustering the process nodes based on the behavior representation, and dividing the dependency graph into at least one first subgraph based on a clustering result; compressing each first subgraph to obtain at least one second subgraph; and generating a summary corresponding to each second sub-graph, and obtaining a summary graph corresponding to the dependency graph. The invention is convenient for viewing the outline of the related system activity and the outline information of the subgraph related to the attack by dividing the dependency graph into a plurality of subgraphs and providing each subgraph with a concise outline to generate the outline graph.

Description

Summary graph generation method for syslog dependency graphs for attack investigation and recovery

technical field

The present invention relates to the technical field of network security, in particular to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration.

Background technique

In response to cyber attacks, causal analysis based on system monitoring has become an important method for attack investigation.

The causal analysis method uses the system entity dependency graph to represent system call events. Based on the system entity dependency graph, the context information of the attack can be investigated by reconstructing the event chain leading to the POI (Point of Interesting) event. Such context information can Effectively reveal incidents related to attacks. However, due to the dependency explosion problem, it is difficult to efficiently extract the required contextual information from a huge graph, requiring extensive manual inspection.

Aiming at the problem of dependency explosion, existing methods mainly include technologies such as automatic filtering of irrelevant events in dependency graphs and revealing attack-related events. Although these attack investigation techniques based on system entity dependency graphs have achieved good results, there are still manual attacks. The investigation makes the scope of practical application more limited.

SUMMARY OF THE INVENTION

In view of the problems existing in the prior art, the present invention provides a method for generating a summary graph of a system log dependency graph for attack investigation and restoration.

In a first aspect, the present invention provides a method for generating a summary graph of a system log dependency graph for attack investigation and restoration, including:

Determine the system entity dependency graph of the attack event to be investigated and restored, the system entity dependency graph including the system entity nodes associated with the attack event to be investigated and restored and calls between the system entity nodes relationship; wherein, the system entity nodes include process nodes and resource nodes, and the calling relationship between the system entity nodes represents system activities;

Perform a hierarchical random walk on the process nodes in the system entity dependency graph, and determine the behavior representation of the process nodes;

Clustering the process nodes based on the behavior representation of the process nodes, and dividing the system entity dependency graph into at least one first subgraph based on a result of the clustering;

compressing each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture, and the at least one second sub-picture is in one-to-one correspondence with the at least one first sub-picture;

A summary corresponding to each of the second subgraphs in the at least one second subgraph is generated, and a summary graph corresponding to the system entity dependency graph is obtained.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, the hierarchical random walk is performed on the process nodes in the system entity dependency graph to determine The behavior representation of the process node, including:

Take each process node in the system entity dependency graph as a starting point to randomly walk for a preset length to generate a walking route;

Based on the walking route, a word vector model is used to obtain the behavior representation of the process node.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, the compression of each first subgraph in the at least one first subgraph is performed, Get at least one second subgraph, including:

Determine the first mode in the target subgraph in the at least one first subgraph, the first mode includes: a mode in which the same process node generates at least two identical process node sets to access the same resource node, so The process node set includes at least one child process node, and the resource node includes a file node or a network node;

The same sub-process nodes in the first mode are merged, and the edges connecting the sub-process nodes are merged to complete the compression of the target sub-graph, and a second sub-graph corresponding to the target sub-graph is obtained.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, the compression of each first subgraph in the at least one first subgraph is performed, Get at least one second subgraph, including:

Determine a second mode in the target subgraph in the at least one first subgraph, where the second mode includes: a mode in which the same process node accesses different resource nodes at least twice, the resource nodes include file nodes or network node;

The different resource nodes in the second mode are merged, the compression of the target subgraph is completed, and a second subgraph corresponding to the target subgraph is obtained.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, when the at least one first subgraph is compressed, each first subgraph is compressed. Before, the method further includes:

In the case that at least two process nodes access the same resource node, and the at least two process nodes are from different first subgraphs, creating at least one replica node of the resource node;

Allocate the resource node and the at least one replica node to the first subgraph where the at least two process nodes are located in a one-to-one correspondence, and create an orientation between the resource node and the at least one replica node edge to connect the resource node and the replica node.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, before performing a hierarchical random walk on the process nodes in the system entity dependency graph, The method also includes:

Merge each process node in the system entity dependency graph with parallel edges between the resource nodes in the system entity dependency graph, where the parallel edges include: having the same read operation or the same The edge of the type of write operation.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, before performing a hierarchical random walk on the process nodes in the system entity dependency graph, The method also includes:

The resource nodes with only input edges but no output edges in the system entity dependency graph are deleted.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, the summary includes at least one of the following:

main process;

time span;

target information flow;

Wherein, the main process represents the parent process node of the system activity included in the second subgraph;

the time span represents the time interval between the earliest start time and the latest end time of the system activity included in the second subgraph;

The target information flow represents the information flow whose priority ranking is located in the top preset number of places in the ranking of all the information flows among the information flows corresponding to the system activities included in the second sub-graph.

Optionally, according to a method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, the merging of the different resource nodes in the second mode includes:

The different resource nodes in the second mode are merged into one node as a merged resource node, and the attribute of the merged resource node is a union of the attributes of the different resource nodes.

In a second aspect, the present invention also provides an apparatus for generating a summary graph of a system log dependency graph for attack investigation and restoration, including:

The first determination module is used to determine the system entity dependency graph of the attack event to be investigated and restored, the system entity dependency graph including the system entity node associated with the attack event to be investigated and restored and the The calling relationship between system entity nodes; wherein, the system entity node includes a process node and a resource node, and the calling relationship between the system entity nodes represents system activities;

a second determining module, configured to perform a hierarchical random walk on the process nodes in the system entity dependency graph, and determine the behavior representation of the process nodes;

a subgraph dividing module, configured to cluster the process nodes based on the behavior representation of the process nodes, and divide the system entity dependency graph into at least one first subgraph based on the result of the clustering ;

A sub-picture compression module, configured to compress each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture, the at least one second sub-picture and the at least one first sub-picture One-to-one correspondence between subgraphs;

A summary graph generation module, configured to generate a summary corresponding to each second subgraph in the at least one second subgraph, and obtain a summary graph corresponding to the system entity dependency graph.

In a third aspect, the present invention also provides an electronic device, comprising a memory, a processor, and a computer program stored on the memory and running on the processor, when the processor executes the program, In one aspect, the steps of a method for generating a summary graph of a system log dependency graph for attack investigation and restoration are described.

In a fourth aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, implements the system for attack investigation and recovery as described in the first aspect The steps of the summary graph generation method for the log dependency graph.

In a fifth aspect, the present invention also provides a computer program product, including a computer program, which, when executed by a processor, realizes the generation of a summary graph of a system log dependency graph for attack investigation and restoration as described in any of the above steps of the method.

The method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, by determining the system entity dependency graph of the attack event to be investigated and restored, executes the analysis on the process nodes in the system entity dependency graph. The layer walks randomly, determines the behavior representation of the process node, and divides the system entity dependency graph into at least one first subgraph based on the behavior representation of the process node, and compresses each first subgraph to obtain at least one second subgraph, Finally, a summary of each second subgraph is generated, so as to obtain a summary graph corresponding to the system entity dependency graph; the summary graph is generated by dividing the system entity dependency graph into multiple subgraphs and providing a concise summary for each subgraph. Each subgraph only contains closely related processes that complete system tasks together. The generated summary diagram maintains the semantics of system activities in the system entity dependency diagram by hiding less important details, and visualizes it in the form of a summary, which not only can Reduce the size of system entity dependency graphs and make it easier to view a summary of related system activity and a summary of attack-related communities.

Description of drawings

In order to explain the present invention or the technical solutions in the prior art more clearly, the following will briefly introduce the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are the For some embodiments of the invention, for those of ordinary skill in the art, other drawings can also be obtained according to these drawings without any creative effort.

Fig. 1 is one of the schematic flow charts of the method for generating a schematic diagram provided by the present invention;

2 is a schematic diagram of a system entity dependency relationship diagram of a method for generating a summary diagram provided by the present invention;

3 is one of the schematic diagrams of overlapping nodes of the method for generating a summary graph provided by the present invention;

Fig. 4 is the second schematic diagram of overlapping nodes of the method for generating a summary graph provided by the present invention;

5 is the third schematic diagram of overlapping nodes of the method for generating a summary graph provided by the present invention;

6 is a schematic diagram of a schematic diagram of a method for generating a schematic diagram provided by the present invention;

7 is a schematic diagram of a first mode of a method for generating a schematic diagram provided by the present invention;

Fig. 8 is the second mode schematic diagram of the summary graph generation method provided by the present invention;

Fig. 9 is the second schematic flow chart of the method for generating a schematic diagram provided by the present invention;

10 is a schematic diagram of the number of subgraphs monitored by the method for generating a summary graph provided by the present invention;

11 is a schematic diagram of the size distribution of subgraphs monitored by the summary graph generation method provided by the present invention;

FIG. 12 is a schematic diagram of node compression ratio distribution of a method for generating a summary graph provided by the present invention;

13 is a schematic diagram of the edge compression ratio distribution of the method for generating a summary image provided by the present invention;

14 is a schematic structural diagram of an apparatus for generating a schematic diagram provided by the present invention;

FIG. 15 is a schematic diagram of the physical structure of the electronic device provided by the present invention.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions in the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are part of the embodiments of the present invention. , not all examples. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

The terms "first", "second" and the like in the description and claims of the present invention are used to distinguish similar objects, and are not used to describe a specific order or sequence. It is to be understood that the data so used are interchangeable under appropriate circumstances so that the embodiments of the present application can be practiced in sequences other than those illustrated or described herein, and distinguish between "first", "second", etc. The objects are usually of one type, and the number of objects is not limited. For example, the first object may be one or more than one. In addition, "and/or" in the description and claims indicates at least one of the connected objects, and the character "/" generally indicates that the associated objects are in an "or" relationship.

In order to facilitate a clearer understanding of the embodiments of the present invention, some related background knowledge is first introduced as follows.

In response to cyber attacks, causal analysis based on system monitoring has become an important method for attack investigation. System Monitor observes system calls and generates kernel-level audit events as a system audit log. These logs enable causal analysis to identify entry points of intrusions (backtraces) and branches of attacks (forward traces), which has proven effective in assisting attack investigations and system recovery.

While causality analysis has yielded promising results in some areas, existing methods require extensive manual inspection, which hinders their widespread adoption. Causal analysis methods consider system entities (eg, files, processes, and network connections) involved in causal dependencies within the same system-level invocation event (eg, a process to read a file). Based on these dependencies, these methods use a system-entity system dependency graph to represent system call events, where nodes are system entities, edges are events, and edge-to-edge connections refer to dependencies derived from system events.

Using the system entity dependency graph, contextual information about an attack can be investigated by reconstructing the chain of events leading to POI (Point of Interesting) events (eg, alert events reported by an intrusion detection system). Such contextual information can effectively reveal attack-related events. However, efficiently extracting the required contextual information from a huge graph (often containing more than 100K edges) is difficult due to the dependency explosion problem.

In order to overcome the defect of dependency explosion in the use of system entity dependency graph in attack investigation, the existing methods are mainly techniques for automatically filtering irrelevant events and revealing attack-related events. While these techniques have achieved great results, manual attack investigation is still essential for three main reasons:

(1) There is always a residual risk in the system that, although small, cannot be accurately revealed by these automated techniques, especially those that rely heavily on system configuration files;

(2) Threats are constantly evolving to evade defensive technologies, such as emerging attack tactics and technologies recently developed by adversaries;

(3) Existing techniques mainly rely on heuristic rules, which can lead to information loss, and some techniques need to be changed inside the system to discover attack behaviors, such as binary detection, which have poor generality and hinder their practical application.

The following describes the method and apparatus for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention with reference to FIGS. 1 to 14 .

Fig. 1 is one of the schematic flow charts of the method for generating a schematic diagram provided by the present invention. As shown in Fig. 1 , the method includes the following procedures:

Step 100: Determine the system entity dependency graph of the attack event to be investigated and restored, and the system entity dependency graph includes the system entity node associated with the attack event to be investigated and restored and the relationship between the system entity nodes. The calling relationship between the system entity nodes; wherein, the system entity nodes include process nodes and resource nodes, and the calling relationship between the system entity nodes represents system activities;

Step 110, performing a hierarchical random walk on the process nodes in the system entity dependency graph to determine the behavior representation of the process nodes;

Step 120, clustering the process nodes based on the behavior representation of the process nodes, and dividing the system entity dependency graph into at least one first subgraph based on the result of the clustering;

Step 130, compressing each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture, the at least one second sub-picture and the at least one first sub-picture one by one correspond;

Step 140: Generate a summary corresponding to each second subgraph in the at least one second subgraph, and obtain a summary graph corresponding to the system entity dependency graph.

In order to overcome the defect of dependency explosion in the use of system entity dependency graph in attack investigation, the present invention divides the system entity dependency graph into communities (subgraphs), each community only contains closely related processes, and generates for each community The corresponding summary maintains the semantics of system activities in the system entity dependency diagram by hiding less important details, and visualizes it in the form of a summary, which not only reduces the size of the system entity dependency diagram, but also facilitates viewing related systems. A summary of the activity and a summary of the community associated with the attack.

Optionally, a system entity dependency graph of the attack event to be investigated and restored may be determined.

Optionally, the system entity dependency graph may include the system entity nodes associated with the attack event to be investigated and restored and the calling relationship between the various system entity nodes.

Optionally, the system entity nodes may include process nodes and resource nodes.

Optionally, resource nodes may include file nodes and network nodes.

Optionally, the calling relationship between system entity nodes can represent system activities.

Optionally, a hierarchical random walk may be performed on the process nodes in the system entity dependency graph to determine the behavior representation of the process nodes.

Optionally, the process nodes may be clustered based on their behavioral representations, so as to group process nodes with similar behavioral representations into the same class.

Optionally, in order to calculate overlapping clusters of process nodes according to their behavioral representations, a soft clustering method FCM (Fuzzy C-means, Fuzzy C-means) may be used to cluster process nodes.

Specifically, unlike the hard clustering method (i.e., K-means), which classifies process nodes into only one cluster, FCM outputs the membership degree of each process node in each cluster by minimizing the objective function.

Optionally, the system entity dependency graph may be divided into at least one first subgraph based on the result of process node clustering, so that closely related process groups may be determined as subgraphs centered on process nodes.

Optionally, each first sub-picture in the at least one first sub-picture may be compressed to obtain at least one second sub-picture.

For example, redundant edges or redundant nodes existing in the first subgraph may be merged or deleted.

For example, edges included in the first subgraph with the same read operation or the same write operation may be merged.

For example, read-only file nodes that do not contain useful attack-related information in the first subgraph can be deleted.

Optionally, there is a one-to-one correspondence between the acquired at least one second sub-image and the at least one first sub-image, that is, by compressing one first sub-image, the compressed first sub-image can be obtained and used as the second sub-image. .

Optionally, a summary corresponding to each second subgraph in the at least one second subgraph may be generated, and a summary graph corresponding to the system entity dependency graph may be obtained.

Optionally, the summary corresponding to each second subgraph may be used to represent summary information of related system activities corresponding to the second subgraph.

Optionally, after the summary corresponding to each second subgraph is generated, the summary graph corresponding to the system entity dependency graph may be obtained.

Optionally, system audit events, including process events, file events, and network events, can be collected using system audit tools running on mainstream operating systems (eg, Windows, Linux, Mac OS, and Android). For each entity and each event collected, some attributes that are critical to security analysis can be recorded (for example, the entity's PID (Process Identifier), file name and IP (Internet Protocol); events start time, end time and operation), as shown in Table 1 and Table 2.

Table 1 System entity attributes

Entity Attributes Process PID,Name,User,Cmd File Name,Path Network IP,Port,Protocol

Table 2 System event attributes

Optionally, given a POI event (eg, an alert about a file download), a system entity dependency graph can be built by tracking system entity dependencies by performing a reverse causal analysis.

For example, Fig. 2 is a schematic diagram of a system entity dependency diagram of the method for generating a summary graph provided by the present invention. As shown in Fig. 2, starting from a POI event, the causal analysis iteratively finds occurrences along some dependency paths of the POI event and occurs in the POI event. The events that occur before the POI event, these discovered events (ie edges) can form the system entity dependency graph of the POI event.

Optionally, closely related process groups can be identified as process node-centric communities (subgraphs).

Optionally, a process node-centric community is a graph that can include a main process node, a set of process nodes (representing child processes generated by the main process and have data dependencies through resource nodes), and a set of process nodes generated by the main process. Resource nodes accessed by processes and child processes.

For example, leak in Figure 2 is the main process of community C3, which spawns subprocesses tar, bzip, gpg, and curl to compress and upload files, and these subprocesses have data dependencies with at least one other subprocess, as shown in Figure 2 In the dependency graph: tar→./upload.tar→bzip2→../upload.tar.bz2→gpg→../upload→curl→xxx->xxx.

Optionally, a process node-centric community may also include process nodes or resource nodes that belong to multiple communities and are called overlapping nodes.

For example, in Figure 2, leak first cooperates with curl to complete the execution of the script leak.sh in C2, and then spawns subprocesses tar, bzip2, gpg, and curl to compress and upload files in C3. In this case, leaks are overlapping nodes in C2 and C3.

For example, FIG. 3 is one of the schematic diagrams of overlapping nodes of the method for generating a summary diagram provided by the present invention, FIG. 4 is a schematic diagram of the second overlapping nodes of the method for generating a summary diagram provided by the present invention, and FIG. The third schematic diagram of overlapping nodes, as shown in Figure 3-5, overlapping nodes can be divided into the following three types:

(1) Main process node: cooperates with different sets of sub-processes of different system activities;

(2) Child process node: cooperate with its peers to complete system activities, and generate child processes to complete different system activities at the same time;

(3) Resource node: It is a resource node accessed by process nodes from different communities.

Optionally, a summary can be generated for each community, and the summary can visualize the main system activities included in the corresponding community.

For example, FIG. 6 is a schematic diagram of the summary diagram generation method provided by the present invention. As shown in FIG. 6 , each community (C1, C2, . . . , C10) generates a concise summary for each community. to visualize system activity.

The method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, by determining the system entity dependency graph of the attack event to be investigated and restored, executes the analysis on the process nodes in the system entity dependency graph. The layer walks randomly, determines the behavior representation of the process node, and divides the system entity dependency graph into at least one first subgraph based on the behavior representation of the process node, and compresses each first subgraph to obtain at least one second subgraph, Finally, a summary of each second subgraph is generated, so as to obtain a summary graph corresponding to the system entity dependency graph; the summary graph is generated by dividing the system entity dependency graph into multiple subgraphs and providing a concise summary for each subgraph. Each subgraph contains only closely related processes that work together to complete system tasks. The generated summary diagram maintains the semantics of system activities in the system entity dependency diagram by hiding less important details, and visualizes it in the form of a summary, not only shrinking It reduces the size of the system entity dependency graph and facilitates viewing a summary of relevant system activity and a summary of the attack-related community.

Optionally, performing a hierarchical random walk on the process nodes in the system entity dependency graph to determine the behavior representation of the process nodes includes:

Take each process node in the system entity dependency graph as a starting point to randomly walk for a preset length to generate a walking route;

Based on the walking route, a word vector model is used to obtain the behavior representation of the process node.

Optionally, a preset length may be randomly walked with each process node in the system entity dependency graph as a starting point to generate a walking route.

Optionally, the value of the preset length may be 5 or 10 or 15, which is not specifically limited in the present invention.

其中w(v_i,n)表示从v_i到n的行走权重，

表示v_i的所有邻居节点之间的行走权重之和。与现有的随机行走算法以相等概率处理邻居节点不同，本发明中的行走算法为v_i的邻居节点提供更高的概率，这些邻居节点更可能是与v_i联系紧密的进程节点。For example, a random walk starting from node v ₁ generates a walking route W = _{{ v 1} , . The transition probability from vi to its neighbor node _n is

where w(v _i ,n) represents the walking weight from v _i to n,

represents the sum of walk weights among all neighbor nodes of _vi . Different from the existing random walk algorithms that deal with neighbor nodes with equal probability, the walk algorithm in the present invention provides a higher probability for the neighbor nodes of _vi , and these neighbor nodes are more likely to be process nodes closely related to _vi .

Specifically, the neighbor nodes of a process node and the global process lineage tree can be considered simultaneously to ensure that closely related process nodes are sampled to the same walking path, so that they will have similar contexts. For each process node p, check the single-hop neighbor nodes of p, and associate p with the parent process node, child process node, and visited resource nodes.

Optionally, based on the generated walking route, a word vector model may be used to obtain behavior representations of process nodes.

Optionally, the word2vec model can be used to obtain the behavior representation of each process node based on the walking route.

For example, an analogy can be made by thinking of nodes in a system entity dependency graph as words, and walking routes as ordered sequences of words.

Alternatively, a widely used word representation learning algorithm, SkipGram, can be used to learn the behavioral representations of the process nodes included in the walking route.

The invention takes each process node in the system entity dependency graph as a starting point to randomly walk a preset length to generate a walking route, and then uses a word vector model to learn the behavior representation of the process node based on the walking route, and finally can be based on the behavior of the process node. Representation, dividing process nodes with similar behavioral representations into the same subgraph can effectively realize the identification of closely related process groups as process-centric communities.

Optionally, the compressing each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture includes:

Determine the first mode in the target subgraph in the at least one first subgraph, the first mode includes: a mode in which the same process node generates at least two identical process node sets to access the same resource node, so The process node set includes at least one child process node, and the resource node includes a file node or a network node;

The same sub-process nodes in the first mode are merged, and the edges connecting the sub-process nodes are merged to complete the compression of the target sub-graph, and a second sub-graph corresponding to the target sub-graph is obtained.

Optionally, the first pattern in the target subgraph in the at least one first subgraph in the system entity dependency graph may be determined.

Optionally, the first mode may include a mode in which the same process node in the target subgraph generates at least two identical process node sets to access the same resource node, and the process node set includes at least one child process node.

Optionally, the same child process nodes in the first mode can be merged, and the edges connecting the child process nodes can be merged to complete the compression of the target subgraph.

Optionally, the first mode in each first subgraph in the system entity dependency graph can be identified, and redundant nodes and redundant edges in the first mode can be merged to obtain a compressed second subgraph, Then, based on the compressed second subgraph, a summary corresponding to the second subgraph is generated.

Alternatively, the first pattern may be used to describe repetitive activities that produce the same set of processes to process certain resources.

For example, FIG. 7 is a schematic diagram of the first mode of the method for generating a summary graph provided by the present invention. As shown in FIG. 7 , the process node P0 repeatedly generates child process nodes named P1 and P2 to write to the file F1, and such repeated Activities do not provide additional value for security analysis, so multiple P1 and P2 can be merged separately in the manner shown in Figure 7 to remove redundant nodes and redundant edges.

Optionally, the first pattern in the first subgraph can be identified through four steps (building a process lineage tree, association with accessed resources, mining process-based patterns, and pattern-based compression) Duplicate nodes and edges to complete the compression of the first subgraph.

The invention realizes the compression of the subgraph by identifying the first mode in the subgraph and merging the repeated edges and nodes in the first mode, effectively reducing redundant edges and nodes, and reducing the size of the system entity dependency graph. size.

Optionally, the compressing each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture includes:

Determine a second mode in the target subgraph in the at least one first subgraph, where the second mode includes: a mode in which the same process node accesses different resource nodes at least twice, the resource nodes include file nodes or network node;

The different resource nodes in the second mode are merged, the compression of the target subgraph is completed, and a second subgraph corresponding to the target subgraph is obtained.

Optionally, the second pattern in the target subgraph in at least one of the first subgraphs in the system entity dependency graph may be determined.

Optionally, the second mode may include a mode in which the same process node in the target subgraph accesses different resource nodes at least twice.

For example, FIG. 8 is a schematic diagram of the second mode of the method for generating a summary graph provided by the present invention. As shown in FIG. 8 , the process node P0 repeatedly accesses the resource nodes F1, F2, . The analysis provides additional value, so the resource nodes F1, F2, ..., Fn can be merged as shown in Figure 8 to remove redundant nodes and redundant edges.

Optionally, different resource nodes in the second mode may be combined to complete the compression of the target subgraph.

Optionally, the second mode in each first subgraph in the system entity dependency graph can be identified, and redundant nodes and redundant edges in the second mode can be merged to obtain a compressed second subgraph, Based on the compressed second subgraph, a summary corresponding to the second subgraph is generated.

Optionally, to identify the second pattern, process nodes can be associated with the resource nodes they visit, and then each resource node can be searched to identify repeated visits.

Optionally, the resource nodes in the second mode may be combined into one node according to the searched second mode.

Optionally, the attributes of the resource nodes obtained after merging may be a union of the attributes of the original resource nodes.

The present invention realizes the compression of the subgraph by identifying the second mode in the subgraph and merging the repeated edges and nodes in the second mode, effectively reducing redundant edges and nodes, and reducing the size of the system entity dependency graph. size.

Optionally, before the compressing each first sub-picture in the at least one first sub-picture, the method further includes:

In the case that at least two process nodes access the same resource node, and the at least two process nodes are from different first subgraphs, creating at least one replica node of the resource node;

Allocate the resource node and the at least one replica node to the first subgraph where the at least two process nodes are located in a one-to-one correspondence, and create an orientation between the resource node and the at least one replica node edge to connect the resource node and the replica node.

Specifically, before compressing the first subgraph, an overlapping node in the first subgraph may be searched first, where the overlapping node is a resource node, and the resource node is associated with multiple processes from different first subgraphs The nodes are connected; after the overlapping node is searched, a replica node of the overlapping node can be created, and the created replica node and the resource node are assigned to the first subgraph where the multiple process nodes are located in a one-to-one correspondence.

Optionally, when at least two process nodes access the same resource node, and the at least two process nodes are from different first subgraphs, at least one replica node of the resource node may be created.

Optionally, the resource node and the at least one replica node may be assigned to the first subgraph where the at least two process nodes are located in a one-to-one correspondence.

Optionally, directed edges may be created between the resource nodes and the respective replica nodes to connect the resource nodes and the created replica nodes.

For example, given two replica nodes v ₁ and v ₂ of a resource node v, where v ₁ is contained in subgraph C _i and v ₂ is contained in subgraph C _j , suppose v ₁ has input edges e ₁ , v ₂ has an output edge e ₂ , and the start time of e ₁ is earlier than the end event of e ₂ , then a directed edge v ₁ →v ₂ can be created.

For example, given a resource node r and a process node p, if they are connected by an edge, then v is associated with the community to which p belongs. If a resource node is connected to multiple process nodes from different communities, the resource node is an overlapping node, and a replica of the resource node can be created, with one replica assigned to each community. Since these nodes lack a visible direction of information flow, directed edges are created in the present invention to connect replicas (eg, thin dashed arrows in Figure 2).

Alternatively, dependencies between communities can be classified into edge-based dependencies (ie, dependencies represented by inter-community edges between communities) and node-based dependencies (ie, dependencies represented by overlapping nodes) .

Optionally, before performing the hierarchical random walk on the process nodes in the system entity dependency graph, the method further includes:

Merge each process node in the system entity dependency graph with parallel edges between the resource nodes in the system entity dependency graph, where the parallel edges include: having the same read operation or the same The edge of the type of write operation.

Specifically, before dividing the system entity dependency graph into subgraphs based on the hierarchical random walk method, the system entity dependency graph may be preprocessed first, and the preprocessing may include dividing the process nodes in the system entity dependency graph with the Parallel edges between resource nodes are merged to remove redundant edges.

Optionally, before the hierarchical random walk is performed on the process nodes in the system entity dependency graph, each process node in the system entity dependency graph can be paralleled with the resource nodes in the system entity dependency graph. Edges are merged.

Alternatively, parallel edges may include edges with the same read operation or the same type of write operation.

It can be understood that the system entity dependency graph usually has many parallel edges between process nodes and file nodes or network nodes, that is, the operating system usually has repeated read or write operations in a short period of time. This is because operating systems typically perform read or write tasks by distributing data proportionally across multiple system calls. These parallel edges do not provide additional useful information for attack investigation, so parallel edges of the same operation type can be directly merged into one edge.

By merging parallel edges that do not contain useful attack related information in the system entity dependency graph, the present invention not only effectively reduces redundant edges, but also facilitates the generation of semantic summary information of main system activities.

Optionally, before performing the hierarchical random walk on the process nodes in the system entity dependency graph, the method further includes:

The resource nodes with only input edges but no output edges in the system entity dependency graph are deleted.

Optionally, before the hierarchical random walk is performed on the process nodes in the system entity dependency graph, the resource nodes having only input edges but no output edges in the system entity dependency graph may be deleted.

For example, the system entity dependency graph has many read-only files, which are libraries, configuration files, and resources used for process initialization (eg, /lib64/libdl.so.2), that do not contain useful attack-related information. Thus, read-only file nodes can be filtered (removed), while process nodes are preserved, preserving the semantics of major system activity.

By deleting the resource nodes that do not contain useful attack related information in the system entity dependency graph, the invention not only effectively reduces redundant nodes, but also facilitates the generation of semantic summary information of main system activities.

Optionally, the summary includes at least one of the following:

main process;

time span;

target information flow;

Wherein, the main process represents the parent process node of the system activity included in the second subgraph;

the time span represents the time interval between the earliest start time and the latest end time of the system activity included in the second subgraph;

The target information flow represents the information flow whose priority ranking is located in the top preset number of places in the ranking of all the information flows among the information flows corresponding to the system activities included in the second sub-graph.

Optionally, the generated summary of the second subgraph may include at least one of the following: a main process, a time span, and a target information flow.

Optionally, the main process may represent the parent process node of the system activity included in the second subgraph, or the root process node.

Optionally, the time span may represent the time interval between the earliest start time and the latest end time of the system activity included in the second subgraph.

Optionally, the target information flow may represent a preset number of information flows in the information flow corresponding to the system activity included in the second subgraph in the top priority score ranking.

Optionally, the target information flow may be an information flow with a higher priority score among the information flows corresponding to the system activities included in the second subgraph.

Optionally, the target information flow may be the information flow whose priority ranking is located in the top preset number of places in the ranking of all the information flows.

For example, the target information flow may be the information flow with the top 2 or the top 3 or the top 4 in the priority ranking, and the specific quantity is not specifically limited in the present invention.

Optionally, before generating the summary corresponding to the second subgraph, information flow extraction may be performed on the second subgraph.

Optionally, the input node and output node of each second subgraph can be identified according to the information flow between multiple second subgraphs in the system entity dependency graph, and then each pair of input nodes and output nodes can be found by searching for each pair of input nodes and output nodes. path to generate information flow.

For example, given a community (subgraph) centered on a process node, one can first identify its input nodes and output nodes, where the input nodes represent the incoming information flow of the community, that is, the target nodes of the inter-community edge connections and A network node with no output edges. In addition, for a community without input edges, the main process node can be selected as the input node, and the output node represents the output information flow of the community, that is, the source node of the connecting edge between communities. Network nodes with input edges represent external IPs and POIs. Then, for each pair of input and output nodes, a Depth First Search (DFS) algorithm can be used to find the longest path without using duplicate nodes as information flow. Such paths typically cover more activity information than shorter paths.

Optionally, the information flows extracted in the second subgraph may be prioritized.

For example, the priority score of all the information flows in the second subgraph can be calculated according to the probability that the information flow represents the main activity (such as attack behavior), and the information flow can be prioritized based on the priority score, and finally the ranking will be placed among all the information flows. The top three information flows in the ranking of the information flows are used as the target information flows in the summary corresponding to the second subgraph.

Optionally, the merging of the different resource nodes in the second mode includes:

The different resource nodes in the second mode are merged into one node as a merged resource node, and the attribute of the merged resource node is a union of the attributes of the different resource nodes.

Optionally, different resource nodes in the second mode may be merged into one node as a merged resource node.

Optionally, the properties of the merged resource nodes may be a union of properties of different resource nodes.

For example, the resource nodes F1, F2, .

FIG. 9 is the second schematic flow chart of the method for generating a summary graph provided by the present invention. As shown in FIG. 9 , the method mainly includes five parts: (1) generating a dependency graph; (2) preprocessing the dependency graph; (3) ) Community Monitoring; (4) Community Compression; (5) Community Summary. The specific implementation of each part and the above-described method for generating a system log dependency graph for attack investigation and restoration can be referred to each other correspondingly, and will not be repeated here.

The method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention is verified by experiments below.

(1) The dataset includes the following two:

(1.1) Attack dataset;

Attack datasets were collected from 6 Linux hosts with 10 active users using Sysdig, a powerful system tool. Common system tasks on these hosts include web browsing, text editing, code development, and some other services (such as databases). On these hosts, 6 multi-step attacks were performed based on known vulnerabilities and kill chains. The collected dataset contains 100 million events over 3 days.

(1.2) DARPA TC dataset.

The DARPA TC dataset is dedicated to the development of forensics and detection of Advanced Persistent Threats (APTs). This dataset records attack traces of various exploits on different operating systems such as Linux and Windows. Based on the attack description, failed attacks were excluded and 8 attacks (50 million events) were used in the evaluation.

(2) Experimental effect.

(a) Overall effect on summary dependency graphs.

The summary graph generation method of the system log dependency graph for attack investigation and restoration provided by the present invention is applied to generate a summary graph for the dependency graph shown in Table 3, and the number and scale of the monitored communities are measured.

Table 3 Statistics of attack dependency graph

10 is a schematic diagram of the number of sub-graphs monitored by the summary graph generation method provided by the present invention. As shown in FIG. 10 , the summary graph generation method provided by the present invention divides the dependency graph into 18.4 communities (sub-graphs) on average. Compared to the original dependency graph, which has an average of 1302.1 nodes, its size is reduced by a factor of 70.7. These results show that with a smaller number of communities, all communities can be visualized so that an overview of all relevant system activity can be easily seen. Also, as can be seen from Figure 10, the maximum number of communities for phishing emails (C.S) is 48, which includes different system tasks (e.g. browsing the web in firefox, sending or receiving emails and calendar services) .

Figure 11 is a schematic diagram of the size distribution of subgraphs monitored by the method for generating a summary graph provided by the present invention. As shown in Figure 11, the community size distribution of 14 attacks is shown. It can be seen from the figure that the size of the community (subgraph) is relatively large Small (15.7 nodes on average), this greatly reduces the workload of checking each community. Compared with the original dependency graph, these results also show that community compression is very effective in compressing duplicate edges, reducing redundant edges by an average of 216.4 per community. In addition, the summary graph requires only 2.26MB on average to store the summary graph, while the original dependency graph requires an average of 344.32MB.

Table 4 is the edge statistics table generated by the method of the present invention and Nodoze respectively, as shown in Table 4, the number of events in the top-1, top-2 and top-3 information flows of all communities and the state-of-the-art dependency graph are simplified Events identified by method NoDoze are compared, where Nodoze learns execution profiles from benign system behavior and reduces the dependency graph based on anomaly scores computed using profiles for each path in the dependency graph.

Table 4 The edge statistics table generated by the method of the present invention and Nodoze

As can be seen from Table 4, the edge of the top-3 information flow of the method for generating the summary graph of the system log dependency graph for attack investigation and restoration provided by the present invention is 21 times lower on average than that of NoDoze. NoDoze has relatively poor performance because its effectiveness depends heavily on the execution profile being able to cover all benign events and be representative, which is very difficult because the runtime environment of most systems has multiple Feature. Therefore, the execution configuration file learned from one system is difficult to generalize to other systems, and the method for generating the summary graph of the system log dependency graph for attack investigation and restoration provided by the present invention is not subject to the same limitation, because the The summary graph generation method for syslog dependency graphs for attack investigation and restoration requires an additional execution configuration file.

(b) Collaboration with the HOLMES method.

Combining the summary graph generation method of the system log dependency graph for attack investigation and restoration provided by the present invention with HOLMES, one of the most advanced investigation technologies, HOLMES constructs a high-level scene graph (High-level Scenario Graph, HSG), which The diagram integrates Tactics, Techniques and Procedures (TTP), an important metric that describes APT steps for advanced persistent threats, and uses HSG to map the flow of low-level incident information to steps in the kill chain.

The HSG is first constructed for the 14 attack cases, and then the HSG is used to map the top-ranked information flows to steps in the kill chain. The results show that HOLEMS identifies 35 of the 37 attack-related communities with a recall rate of 96.2%, and it can be observed that the top 2 information flows are sufficient to find the kill chain. In addition, based on the summary graph generation method of the system log dependency graph for attack investigation and restoration provided by the present invention, it is still possible to easily identify attack-related communities that are not detected by HOLMES, because the information flow of these communities usually comes from attack-related communities and enters Another attack related community, making it an indispensable step in the attack chain. These results demonstrate that the summary graph generation method for syslog dependency graphs for attack investigation and restoration provided by the present invention can easily work with other automated techniques, highlighting communities associated with attacks, and helps identify automated techniques not found of other attack-related communities.

(c) Comparison of community monitoring.

Compare the summary graph generation method of the system log dependency graph for attack investigation and restoration provided by the present invention with other state-of-the-art community monitoring algorithms to verify the system log dependency graph for attack investigation and restoration provided by the present invention. Summary graph generation methods for community monitoring of the effectiveness of techniques. Considering the overlapping nature of dependency graphs, 9 typical overlapping community monitoring algorithms are selected as baselines, including NISE (2016), EgoSpliter (2017), NMNF (2017), DANMF (2018), PMCV (2019), CGAN (2019) ), VGRAPH (2019), CNRL (2019), and DeepWalk (2014), and use the F1 score to evaluate the overall correspondence between the monitored communities and the labeled ground truth communities, and the experimental results are shown in Table 5.

Table 5 Community monitoring results of 14 attack events

As can be seen from Table 5, the F1 score obtained by the method for generating the summary graph of the system log dependency graph for attack investigation and restoration provided by the present invention is on average 2.29 times higher than the baseline score, indicating that the method for attack investigation and recovery provided by the present invention The summary graph generation method of the restored syslog dependency graph is able to effectively monitor the community centered on process nodes, while the performance of other baselines is poor.

(d) The effect of community compression.

Fig. 12 is a schematic diagram of the distribution of the node compression ratio of the method for generating a summary graph provided by the present invention, and Fig. 13 is a schematic diagram of the distribution of the compression ratio of the edge of the method for generating a summary graph provided by the present invention. As shown in Figs. 12 and 13, it can be seen that for For a community, the number of nodes and edges were reduced by an average of 38.4% and 44.7%, respectively, with the largest reduction of 97.3% of nodes and 98.9% of edges. In addition, it is verified that the information flow does not change after compression, the reason is that repeated activities have the same information flow, which usually enters the subgraph formed by the repeated activity through a single node, and then leaves the subgraph through another single node, so the compression Repeated activities do not change the events in the stream. In conclusion, compressing these repetitive activities still preserves the semantics of the task represented by the community.

(e) Effectiveness of information flow ranking.

Table 6 shows the top 3 information flows of community C3, which contains attack-related events, and community C8, which does not contain attack-related events. Incidents in C3 show that attackers run malicious scripts to compress, encrypt, and upload sensitive files to a remote server. As can be seen from the table, these attack behaviors can be effectively represented using the top-1 information flow with a priority of 0.8234. Although top-2 and top-3 can also cover these behaviors, the input node of the top-1 information flow is A malicious script process that further helps to track down the community that created malicious scripts. The events in C8 showed that the user logged into their own host via sshd, transferred the compressed file from the server to the host, and then decompressed the file. As you can see from the table, the top 1 stream with the highest priority (0.4914) can represent all of these activities, while the top 2 streams lack events for sshd logins, and the top 3 streams lack sshd logins event, and including a file event (/dev/null!bash) appeared in many communities.

Table 6 Top 3 information flows of C3 communities with attacks and C8 communities without attacks

The method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, by determining the system entity dependency graph of the attack event to be investigated and restored, executes the analysis on the process nodes in the system entity dependency graph. The layer walks randomly, determines the behavior representation of the process node, and divides the system entity dependency graph into at least one first subgraph based on the behavior representation of the process node, and compresses each first subgraph to obtain at least one second subgraph, Finally, a summary of each second subgraph is generated, so as to obtain a summary graph corresponding to the system entity dependency graph; the summary graph is generated by dividing the system entity dependency graph into multiple subgraphs and providing a concise summary for each subgraph. Each subgraph only contains closely related processes that complete system tasks together. The generated summary diagram maintains the semantics of system activities in the system entity dependency diagram by hiding less important details, and visualizes it in the form of a summary, which not only can Reduces the size of the dependency graph and makes it easy to view a summary of relevant system activity and a summary of the community associated with the attack.

The device for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention will be described below. The summary graph generation method of the system log dependency graph for attack investigation and restoration can be referred to each other.

FIG. 14 is a schematic structural diagram of an apparatus for generating a summary image provided by the present invention. As shown in FIG. 14 , the apparatus includes: a first determination module 1410, a second determination module 1420, a sub-image division module 1430, a sub-image compression module 1440, and a summary Graph generation module 1450; wherein:

The first determining module 1410 is configured to determine a system entity dependency graph of the attack event to be investigated and restored, and the system entity dependency graph includes the system entity node associated with the attack event to be investigated and restored and the The calling relationship between system entity nodes; wherein, the system entity node includes a process node and a resource node, and the calling relationship between the system entity nodes represents system activities;

The second determining module 1420 is configured to perform a hierarchical random walk on the process nodes in the system entity dependency graph, and determine the behavior representation of the process nodes;

The subgraph dividing module 1430 is configured to cluster the process nodes based on the behavior representation of the process nodes, and divide the system entity dependency graph into at least one first subgraph based on the result of the clustering ;

The sub-picture compression module 1440 is configured to compress each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture, the at least one second sub-picture and the at least one first sub-picture One-to-one correspondence between subgraphs;

The summary graph generating module 1450 is configured to generate a summary corresponding to each second subgraph in the at least one second subgraph, and obtain a summary graph corresponding to the system entity dependency graph.

The device for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the present invention, by determining the system entity dependency graph of the attack event to be investigated and restored, executes the analysis on the process nodes in the system entity dependency graph. The layer walks randomly, determines the behavior representation of the process node, and divides the system entity dependency graph into at least one first subgraph based on the behavior representation of the process node, and compresses each first subgraph to obtain at least one second subgraph, Finally, a summary of each second subgraph is generated, so as to obtain a summary graph corresponding to the system entity dependency graph; the summary graph is generated by dividing the system entity dependency graph into multiple subgraphs and providing a concise summary for each subgraph. Each subgraph only contains closely related processes that complete system tasks together. The generated summary diagram maintains the semantics of system activities in the system entity dependency diagram by hiding less important details, and visualizes it in the form of a summary, which not only can Reduce the size of system entity dependency graphs and make it easier to view a summary of related system activity and a summary of attack-related communities.

FIG. 15 is a schematic diagram of the physical structure of the electronic device provided by the present invention. As shown in FIG. 15 , the electronic device may include: a processor (processor) 1510 , a communication interface (Communications Interface) 1520 , a memory (memory) 1530 and a communication bus 1540 , wherein the processor 1510 , the communication interface 1520 , and the memory 1530 complete the communication with each other through the communication bus 1540 . The processor 1510 can invoke the logic instructions in the memory 1530 to execute the method for generating the summary graph of the system log dependency graph for attack investigation and restoration provided by the above methods, the method includes:

Determine the system entity dependency graph of the attack event to be investigated and restored, the system entity dependency graph including the system entity nodes associated with the attack event to be investigated and restored and calls between the system entity nodes relationship; wherein, the system entity nodes include process nodes and resource nodes, and the calling relationship between the system entity nodes represents system activities;

Perform a hierarchical random walk on the process nodes in the system entity dependency graph, and determine the behavior representation of the process nodes;

Clustering the process nodes based on the behavior representation of the process nodes, and dividing the system entity dependency graph into at least one subgraph based on a result of the clustering;

compressing each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture, and the at least one second sub-picture is in one-to-one correspondence with the at least one first sub-picture;

A summary corresponding to each of the second subgraphs in the at least one second subgraph is generated, and a summary graph corresponding to the system entity dependency graph is obtained.

In addition, the above-mentioned logic instructions in the memory 1530 may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as an independent product. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes .

In another aspect, the present invention also provides a computer program product, the computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions, when the program instructions are executed by a computer When executed, the computer can execute the method for generating a summary graph of a system log dependency graph for attack investigation and restoration provided by the above methods, and the method includes:

Determine the system entity dependency graph of the attack event to be investigated and restored, the system entity dependency graph including the system entity nodes associated with the attack event to be investigated and restored and calls between the system entity nodes relationship; wherein, the system entity nodes include process nodes and resource nodes, and the calling relationship between the system entity nodes represents system activities;

Perform a hierarchical random walk on the process nodes in the system entity dependency graph, and determine the behavior representation of the process nodes;

Clustering the process nodes based on the behavior representation of the process nodes, and dividing the system entity dependency graph into at least one first subgraph based on a result of the clustering;

compressing each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture, and the at least one second sub-picture is in one-to-one correspondence with the at least one first sub-picture;

A summary corresponding to each of the second subgraphs in the at least one second subgraph is generated, and a summary graph corresponding to the system entity dependency graph is obtained.

In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, and the computer program is implemented when executed by a processor to execute the system logs for attack investigation and recovery provided by each of the above A summary graph generation method for dependency graphs, which includes:

Determine the system entity dependency graph of the attack event to be investigated and restored, the system entity dependency graph including the system entity nodes associated with the attack event to be investigated and restored and calls between the system entity nodes relationship; wherein, the system entity nodes include process nodes and resource nodes, and the calling relationship between the system entity nodes represents system activities;

Perform a hierarchical random walk on the process nodes in the system entity dependency graph, and determine the behavior representation of the process nodes;

Clustering the process nodes based on the behavior representation of the process nodes, and dividing the system entity dependency graph into at least one first subgraph based on a result of the clustering;

compressing each first sub-picture in the at least one first sub-picture to obtain at least one second sub-picture, and the at least one second sub-picture is in one-to-one correspondence with the at least one first sub-picture;

A summary corresponding to each of the second subgraphs in the at least one second subgraph is generated, and a summary graph corresponding to the system entity dependency graph is obtained.

The device embodiments described above are only illustrative, wherein the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on this understanding, the above-mentioned technical solutions can be embodied in the form of software products in essence or the parts that make contributions to the prior art, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic A disc, an optical disc, etc., includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in various embodiments or some parts of the embodiments.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, but not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that it can still be The technical solutions described in the foregoing embodiments are modified, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

1. A method for generating a profile of a system log dependency graph for attack investigation and recovery, comprising:

determining a system entity dependency relationship graph of an attack event to be investigated and restored, wherein the system entity dependency relationship graph comprises system entity nodes associated with the attack event to be investigated and restored and call relations among the system entity nodes; the system entity nodes comprise process nodes and resource nodes, and the calling relationship among the system entity nodes represents system activities;

executing layered random walking on the process nodes in the system entity dependency relationship graph, and determining the behavior representation of the process nodes;

clustering the process nodes based on the behavior representation of the process nodes, and dividing the system entity dependency relationship graph into at least one first subgraph based on the clustering result;

compressing each first sub-graph of the at least one first sub-graph to obtain at least one second sub-graph, wherein the at least one second sub-graph is in one-to-one correspondence with the at least one first sub-graph;

and generating a summary corresponding to each second sub-graph in the at least one second sub-graph, and obtaining a summary graph corresponding to the system entity dependency relationship graph.

2. The method for generating a profile of a system log dependency graph for attack investigation and recovery as claimed in claim 1, wherein the performing a hierarchical random walk on a process node in the system entity dependency graph to determine a behavioral representation of the process node comprises:

randomly walking by a preset length by taking each process node in the system entity dependency relationship graph as a starting point to generate a walking route;

and acquiring the behavior representation of the process node by adopting a word vector model based on the walking route.

3. The method for generating a profile of a system log dependency graph for attack investigation and recovery as claimed in claim 1, wherein the compressing each of the at least one first sub-graph to obtain at least one second sub-graph comprises:

determining a first pattern in a target sub-graph of the at least one first sub-graph, the first pattern comprising: the method comprises the steps that at least two identical process node sets are generated by the same process node to access the same resource node mode, the process node sets comprise at least one sub-process node, and the resource node comprises a file node or a network node;

and merging the same child process nodes in the first mode, merging edges connecting the child process nodes, completing compression of the target subgraph, and acquiring a second subgraph corresponding to the target subgraph.

4. The method for generating a profile of a system log dependency graph for attack investigation and recovery according to claim 1, wherein the compressing each of the at least one first sub-graph to obtain at least one second sub-graph comprises:

determining a second pattern in a target sub-graph of the at least one first sub-graph, the second pattern comprising: the mode that the same process node accesses different resource nodes at least twice, wherein the resource nodes comprise file nodes or network nodes;

and combining the different resource nodes in the second mode, completing the compression of the target subgraph, and acquiring a second subgraph corresponding to the target subgraph.

5. The method for profile generation of a system log dependency graph for attack investigation and restoration according to any of claims 1-4, wherein prior to the compressing each of the at least one first sub-graph, the method further comprises:

under the condition that at least two process nodes access the same resource node and come from different first subgraphs, creating at least one copy node of the resource node;

and allocating the resource node and the at least one copy node to the first subgraph in which the at least two process nodes are positioned in a one-to-one correspondence manner, and creating a directional edge between the resource node and the at least one copy node to connect the resource node and the copy node.

6. The method for profile generation of a system log dependency graph for attack investigation and recovery as claimed in claim 1 wherein prior to performing hierarchical random walks on process nodes in the system entity dependency graph, the method further comprises:

merging each process node in the system entity dependency graph with a parallel edge between the resource nodes in the system entity dependency graph, respectively, where the parallel edge includes: edges having the same read operation or the same write operation type.

7. The method for generating a profile of a system log dependency graph for attack investigation and recovery as claimed in claim 1, wherein prior to performing hierarchical random walks on process nodes in the system entity dependency graph, the method further comprises:

and deleting the resource nodes which only have input edges but not output edges in the system entity dependency relationship graph.

8. The method of generating a summary graph of a system log dependency graph for attack investigation and recovery as claimed in claim 1, wherein the summary includes at least one of:

a main process;

a time span;

a target information stream;

wherein the master process represents a parent process node of system activity included in the second subgraph;

the time span represents a time interval between an earliest start time and a latest end time of system activity included in the second subgraph;

and the target information flow represents the information flow of which the priority ranking is a preset number of bits before the ranking of all the information flows in the information flow corresponding to the system activity in the second subgraph.

9. The method of profile generation for a system log dependency graph for attack investigation and recovery as claimed in claim 4 wherein the merging the different resource nodes in the second schema comprises:

merging the different resource nodes in the second mode into one node as a merged resource node, wherein the attribute of the merged resource node is a union of the attributes of the different resource nodes.

10. An overview generating apparatus for a system log dependency graph for attack investigation and recovery, comprising:

the system comprises a first determining module, a second determining module and a third determining module, wherein the first determining module is used for determining a system entity dependency relationship graph of an attack event to be investigated and restored, and the system entity dependency relationship graph comprises system entity nodes related to the attack event to be investigated and restored and call relations among the system entity nodes; the system entity nodes comprise process nodes and resource nodes, and the calling relationship among the system entity nodes represents system activities;

the second determination module is used for executing hierarchical random walking on the process nodes in the system entity dependency relationship graph and determining the behavior representation of the process nodes;

the subgraph division module is used for clustering the process nodes based on the behavior representation of the process nodes and dividing the system entity dependency relationship graph into at least one first subgraph based on the clustering result;

the subgraph compression module is used for compressing each first subgraph in the at least one first subgraph to obtain at least one second subgraph, and the at least one second subgraph is in one-to-one correspondence with the at least one first subgraph;

and the schematic diagram generating module is used for generating a schematic diagram corresponding to each of the at least one second sub-diagram and obtaining a schematic diagram corresponding to the system entity dependency diagram.

11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the steps of the method for profile generation of a syslog dependency graph for attack investigation and recovery as claimed in any one of claims 1 to 9.

12. A non-transitory computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the method for profile generation of a system log dependency graph for attack investigation and recovery as claimed in any one of claims 1 to 9.

13. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, realizes the steps of the method for generating a profile for a syslog dependency graph for attack investigation and recovery as claimed in any one of claims 1 to 9.

Images