Alarm Data Association Analysis Method Based On Knowledge Graph And Graph Neural Network

Posted on: 2024-04-06
Degree: Master
Type: Thesis
Country: China
Candidate: F Jia
Full Text: PDF
GTID: 2568307157982909
Subject: Master of Electronic Information (Professional Degree)
Abstract/Summary:

With the continuous spread of network applications, on the one hand, people's learning, work and life are greatly facilitated; on the other hand, the scale and complexity of networks have also increased. Moreover, hacker techniques and tools have developed rapidly, and attack methods are complex and diverse, posing major security challenges to networks and information systems. As an active defense technology, intrusion detection has achieved some results in network security protection, but traditional intrusion detection, which works in isolation and lacks cooperation, can no longer meet current needs. In particular, existing techniques cannot fully explore the correlation between redundant alarm data and therefore cannot effectively identify attack scenarios. In response to the multi-source heterogeneity of network security data and the complex relationships between alarm data, this thesis constructs a knowledge graph from network security domain data and uses a graph neural network for alarm data association analysis, with the aim of improving the efficiency of network security data processing and the accuracy of attack scenario identification. The main work of this thesis is as follows:

(1) A knowledge-graph-based intelligent alarm data association analysis model is designed to address the frequent duplicate alarms and high false alarm rates of current intrusion detection systems, which make alarm correlation difficult. The model adopts a hierarchical structure composed of a data acquisition layer, a data preprocessing layer, a network security domain knowledge graph construction layer and an alarm data association analysis layer. It makes full use of the knowledge graph's strength in organizing the relationships between entities to build a network security domain knowledge base, and uses the graph neural network's strong ability to understand unstructured data to make alarm association more efficient. Finally, a corresponding prototype system was designed to verify the effectiveness of the proposed model.

(2) Because hacker methods keep improving, and in particular because distributed, collaborative and complex-mode attacks have emerged and developed, network security data is massive, multi-source and heterogeneous. To represent the relationships between data effectively, a network security domain knowledge graph was constructed. The knowledge graph covers four dimensions: the basic asset dimension, the vulnerability dimension, the alarm dimension and the attack threat dimension. Knowledge extraction is carried out separately for the data of each dimension, and a more complete graph is then constructed by finding the relationships between the dimensions and fusing them. In a comparative query-efficiency experiment, the results show that, compared with MySQL and MongoDB, the execution time of the Neo4j graph database is close to 0 for both single queries and count queries, so its query efficiency is the highest.

(3) Because existing alarm correlation analysis methods cannot fully analyze the internal connections between network alarm data, it is difficult to discover new attack scenarios. To address this, a correlation analysis method combining the network security knowledge graph with a graph neural network is proposed. The whole correlation process consists of alarm data preprocessing, knowledge graph construction and graph neural network correlation analysis. First, the attack scenario graph is modeled mainly in the organizational form of a knowledge graph. Security events and vulnerability-related alarms in the attack scenario graph are represented using the two logical relationships "AND" and "OR", and the Sparrow Search Algorithm (SSA) is combined with the model to optimize its parameters automatically. The experimental results show that this method can effectively learn the structure of attack graphs, improve the accuracy of attack scenario recognition, construct more comprehensive attack graphs and reduce the false alarm rate.
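As an added illustration, not code from the thesis, the following Python sketches the two pieces the abstract describes concretely: triples spanning the four knowledge graph dimensions (asset, vulnerability, alarm, attack threat) and an attack scenario graph whose alarms are joined by "AND" and "OR" relationships, evaluated per asset to collapse redundant alarms into recognized scenarios. All triples, alarm types and scenario names are constructed placeholders; the graph neural network and SSA parameter optimization stages are not implemented here.

```python
from collections import defaultdict

# Constructed sample triples over the abstract's four dimensions (asset,
# vulnerability, alarm, attack threat); all identifiers are placeholders.
TRIPLES = [
    ("host-web01", "runs", "apache-httpd"),                               # asset
    ("apache-httpd", "has_vuln", "VULN-PLACEHOLDER-1"),                   # vulnerability
    ("alarm-101", "targets", "host-web01"), ("alarm-101", "type", "port-scan"),
    ("alarm-102", "targets", "host-web01"), ("alarm-102", "type", "exploit-attempt"),
    ("alarm-102", "exploits", "VULN-PLACEHOLDER-1"),                      # alarm -> vuln
    ("alarm-201", "targets", "host-db01"), ("alarm-201", "type", "port-scan"),
]
# Attack threat dimension: scenario graphs in the abstract's AND/OR form; leaves
# are alarm types, "vuln:known" = an alarm exploiting a vulnerability the asset has.
SCENARIOS = {
    "recon-then-exploit": ("AND", "port-scan", ("OR", "exploit-attempt", "brute-force")),
    "exploit-known-vuln": ("AND", "exploit-attempt", "vuln:known"),
}

def build_graph(triples):
    """Index triples as subject -> relation -> set of objects."""
    g = defaultdict(lambda: defaultdict(set))
    for s, r, o in triples:
        g[s][r].add(o)
    return g

def facts_per_asset(g):
    """Fuse dimensions: per asset, its observed alarm types, plus "vuln:known"
    when some alarm exploits a vulnerability of software the asset runs."""
    facts = defaultdict(set)
    for rels in [r for r in g.values() if "targets" in r]:   # alarm nodes only
        for asset in rels["targets"]:
            facts[asset] |= rels.get("type", set())
            vulns = set().union(*(g[sw].get("has_vuln", set())
                                  for sw in g[asset].get("runs", set())))
            if rels.get("exploits", set()) & vulns:
                facts[asset].add("vuln:known")
    return facts

def satisfied(node, facts):
    """Recursively evaluate an AND/OR scenario node against one asset's facts."""
    if isinstance(node, str):
        return node in facts
    op, *children = node
    return (all if op == "AND" else any)(satisfied(c, facts) for c in children)

def correlate(triples, scenarios):
    """Map each targeted asset to the sorted names of scenarios it satisfies."""
    facts = facts_per_asset(build_graph(triples))
    return {a: sorted(n for n, s in scenarios.items() if satisfied(s, f))
            for a, f in facts.items()}
```

With the sample data, host-web01 satisfies both scenarios while host-db01, which only saw a port scan, satisfies none, so its lone alarm is not escalated into an attack scenario.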
Keywords/Search Tags: knowledge graph, alarm association analysis, sparrow search, attack scenario identification, graph neural network