多源异构数据中的攻击关联模式挖掘方法研究

Mining attack association patterns and anomaly patterns from multi-source heterogeneous network security data is one of the important research contents of network security analysis using big data technology, and can effectively solve complex network attacks or unknown network attack detection problems. However, the correlation analysis based on the security event level is difficult to effectively express the real threat in the cyberspace. We study fine-grained network security data association analysis methods from the security entity level. First, we study the method of accurate identification of security entities from multi-source heterogeneous network security data. Secondly, under the condition of incomplete information, combining heterogeneous entity feature migration and heterogeneous relationship co-clustering, the multidimensional features and hidden relationship mining methods of heterogeneous security entities are studied，and then a large-scale heterogeneous security entity network with multi-dimensional attributes is constructed. On this basis, the joint embedding model based on heterogeneous security entity network and attack pattern is studied, and the efficient attack association pattern mining method based on vector space is explored, which provides effective support for complex network attack detection. Finally, based on the big data open source ecosystem, we develop an attack association pattern mining platform for massively multi-source heterogeneous data to verify the correctness and practicality of theoretical research results.

从多源异构的网络安全数据中挖掘攻击关联模式、异常模式是利用大数据进行网络安全分析的重要研究内容之一，可有效解决复杂网络攻击或未知网络攻击检测问题。然而，基于安全事件层面的关联分析难以有效表达网络空间中的真实威胁，容易忽略多个攻击步骤之间的关联信息，本课题从安全实体层面研究细粒度的网络安全数据关联分析方法。首先研究多源异构网络安全数据中的安全实体精准识别方法。其次，在不完备信息条件下，结合异构实体特征迁移及异构关系联合聚类研究异构安全实体的多维特征和隐式关系挖掘方法，构建包含多维属性的大规模异构安全实体网络。在此基础上，研究基于异构安全实体网络与攻击模式的联合嵌入模型，探索基于向量空间的高效攻击关联模式挖掘方法，为复杂网络攻击检测奠定理论基础。最后，基于大数据开源生态系统研发面向海量多源异构数据的攻击关联模式挖掘平台，验证理论研究成果的正确性和实用性。

多源异构网络安全数据中的攻击关联模式、异常模式挖掘是大数据安全分析的重要研究任务之一。项目针对海量多源异构的网络安全数据分析，从安全实体识别、安全实体关系抽取、攻击关联模式挖掘分析等三个方面开展研究，提出了多种情形下的网络安全实体识别、关系抽取方法，重点解决中英文混合网络安全实体的精准抽取问题，为构建大规模网络安全知识图谱奠定基础。在大规模网络安全知识图基础上，通过异构信息网络建模及漏洞利用模式分析等，通过大数据分析技术实现高效、可解释的攻击模式发现，为网络攻击检测奠定理论基础和提供技术支撑。