Cyber Attack Traceability Analysis Method Using Local Linear Relationship-Based Overlapping Clustering Algorithm
Abstract: Advancements of technology have enabled illegal organizations to master a variety of advanced attack methods to carry out hidden, persistent cyberattacks against specific targets. Most of the current research relies on big data, machine learning and graph-based methods for attack traceability detection to restore the full picture of the attack, but it faces challenges such as low detection accuracy and high computational costs. Therefore, this paper proposes a cyber attack analysis method based on provenance graphs, which utilizes attack features from security product logs to categorize attack communities, employing local linear relationships from assets and attack information for overlapping clustering to restore attack paths. The algorithm has been applied to a corporate security monitoring system, and it has been proved that it can effectively trace the process and traces of the system being invaded, and enhance the network security threat perception and early warning ability.
Authors: 王亮 (WANG Liang); 钟夫 (ZHONG Fu); 黄健 (HUANG Jian) (CETC Cyberspace Security Technology Co., Ltd., Chengdu, Sichuan 610095, China)
Source: Communications Technology (《通信技术》), 2024, No. 1, pp. 80-88 (9 pages)
Keywords: provenance graph; cyber attack traceability; local linear relationship; overlapping clustering