
Research And Implementation On Network Security Knowledge Graph Based Attack Attribution Technology

Posted on: 2019-08-18
Degree: Master
Type: Thesis
Country: China
Candidate: Z Zhu
Full Text: PDF
GTID: 2428330611493368
Subject: Software engineering
Abstract/Summary:
Network attack attribution technology is an important branch of the network defense system and a key link in network attack and defense. It can restore the network attack scene and attack path from the evidence left by a network attack, and its results can be used to formulate targeted security strategies, which greatly reduces the cost of network security defense and improves the defense effect. However, in the face of increasingly complex network attacks and flaws in network protocols, network attack attribution still faces great challenges. To address these problems, this paper combines knowledge graph technology with network attack attribution technology and uses the knowledge graph to carry out network attack attribution. The knowledge-graph-based network attack attribution technology proposed in this paper mainly includes the following.

First, a network security knowledge graph for network attack attribution is established. It is mainly composed of the host asset dimension, vulnerability dimension, attack threat dimension, evidence dimension, location dimension and strategy dimension. This paper discusses the knowledge sources of each dimension, introduces the knowledge attribute structure of each dimension, and describes the correlations between the knowledge of the dimensions. Finally, the knowledge of all dimensions is integrated to build the network security knowledge graph for attack attribution.

Second, for the established network security knowledge graph, this paper proposes a network attack attribution algorithm based on it. Attribution can start from any dimension of the network security knowledge graph. The paper then introduces the types of attribution strategies and the logical relationships between sub-strategies. It presents the attack attribution algorithm based on the host asset dimension and explains the meaning of each variable in the algorithm. Finally, an attack attribution example is used to describe the method and process of attack attribution based on the network security knowledge graph more intuitively.

Third, to verify and test the correctness and practicability of the attack attribution method based on the network security knowledge graph, this paper develops a prototype attack attribution system using software engineering methods. The prototype system implements the attack attribution algorithm proposed in this paper. It provides visual editing of the knowledge graph and can carry out attack attribution from any node. The attribution results are presented to users simply and clearly, and the system can be used on Windows, Linux and Mac platforms.
Keywords/Search Tags:Network Attack Attribution, Network Security Knowledge Graph, Attack Attribution System