Abstract (translated from the Chinese):
Cloud systems have an inherent graph structure and are in constant dynamic change, and the stages of a network attack are usually correlated in both space and time. Traditional anomaly detection algorithms start from single-source data, giving poor correlation and low credibility. At the same time, massive volumes of redundant security logs and alert messages place a heavy burden on security analysis. In this situation, network security data not only fails to deliver its proper value; because of the high false-alarm rate, genuine security threats are buried under the flood of logs and alerts, and many compromised assets go undetected because security information is poorly correlated, leaving a serious hidden danger for the secure operation of the system. To address this problem, this paper proposes a cloud asset security analysis algorithm based on a hierarchical graph neural network, which integrates multi-source heterogeneous network security information in the cloud and applies graph neural networks to anomaly detection for cloud network security. Through in-depth analysis of the various kinds of multi-source heterogeneous network security data in a cloud system, a heterogeneous, dynamic, directed and attributed graph modeling approach is proposed that maps the entities of the system and the relations between them into graph space. On this basis, a hierarchical graph neural network is used to learn the features of the cloud system: this paper proposes an improved graph-structure self-attention network to extract the structural features of the graph and an improved recurrent neural network to extract its dynamic temporal features, and finally discovers compromised assets through a node classification task, thereby achieving cloud asset security analysis. Simulation experiments on multi-source heterogeneous network security datasets show that the algorithm can make full use of information from every dimension of the cloud system, adapts well to systems with different characteristics, learns the structural, temporal and dynamic-change features of cloud systems well, and effectively supports cloud asset security analysis in cloud scenarios.
Keywords: cloud security; graph neural networks; graph modeling; multi-source heterogeneous network security data
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.07.13
Received: July 11, 2022; Revised: November 04, 2022
Funding: This work was supported by the State Grid Shanghai Municipal Electric Power Company science and technology project "Research and Application of Cloud Platform Security Situation Awareness and Threat Early Warning" (No. SGTYHT/21-JS-223).

Cloud Asset Security Analysis based on Hierarchical Graph Neural Network
ZHANG Yilian, ZHOU Diqing, XU Liwen, YE Tianpeng, LIN Xiang
State Grid Shanghai Municipal Electric Power Company, Shanghai 200122, China; Institute of Cyber Science and Technology, Shanghai Jiao Tong University, Shanghai 200240, China
Abstract:
Cloud systems have a natural graph structure and change dynamically, and the stages of a network attack are often spatially and temporally correlated. Traditional anomaly detection algorithms start from single-source data, leading to poor correlation and low credibility. In the meantime, masses of redundant security logs and alarm information burden the security analysis work. In such a scenario, multi-source heterogeneous data fails to fulfill its proper value; because of the high false-alarm rate, real security threats are overwhelmed by the huge volume of logs and alarms, and a large number of compromised assets cannot be discovered in time because security information is poorly correlated, which poses a great hidden danger to the safe operation of the system. To solve this problem, this paper proposes a cloud asset security analysis algorithm based on a hierarchical graph neural network, which integrates multi-source heterogeneous network security information in the cloud and applies graph neural networks to cloud network security anomaly detection. Through in-depth analysis of the various types of multi-source heterogeneous network security data in the cloud system, a heterogeneous, dynamic, directed and attributed graph modeling approach is proposed, mapping each entity in the system and the relationships between entities into the graph space. On this basis, the algorithm uses a hierarchical graph neural network to learn the features of the cloud system: this paper proposes an improved graph-structure self-attention network to extract the structural features of the graph and an improved recurrent neural network to extract its dynamic temporal features, and then discovers compromised assets through a node classification task, which finally reaches the goal of cloud asset security analysis.
Simulation experiments on multi-source heterogeneous security datasets show that the algorithm is able to make full use of the information in each dimension of the cloud system and is highly adaptable to systems with different characteristics. Thus it can properly learn the structural, temporal and dynamic-change features of cloud systems and effectively support security threat analysis in cloud scenarios.
Key words: cloud security; graph neural networks; graph modeling; multi-source heterogeneous network security data
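The graph modeling step both abstracts describe (a heterogeneous, dynamic, directed and attributed graph built from multi-source security data), as an added Python example that is not the paper's code: the event formats, the entity types (host, user) and the relation types (flow, alert, login, failed_login) are assumptions, and the events are constructed samples. Each time window becomes one snapshot, which is the kind of sequence a structural GNN layer followed by a recurrent layer would consume.

```python
"""Heterogeneous, dynamic, directed, attributed graph snapshots built from
multi-source security events (added example, not the paper's code; the event
formats, entity types and relation types below are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events from three sources: firewall flows, IDS alerts, auth logs.
EVENTS = [
    {"src": "fw",   "t": 0,  "from": "10.0.0.5",  "to": "10.0.0.9",    "bytes": 1200},
    {"src": "fw",   "t": 30, "from": "10.0.0.5",  "to": "10.0.0.12",   "bytes": 800},
    {"src": "ids",  "t": 45, "from": "10.0.0.5",  "to": "10.0.0.12",   "sig": "portscan"},
    {"src": "auth", "t": 50, "user": "alice",     "host": "10.0.0.12", "ok": False},
    {"src": "fw",   "t": 70, "from": "10.0.0.12", "to": "10.0.0.20",   "bytes": 50000},
]

@dataclass
class Snapshot:
    """One time window of the dynamic graph: typed nodes, typed directed edges."""
    window: int
    nodes: dict = field(default_factory=dict)   # node id -> {"type", "in", "out", "alerts"}
    edges: list = field(default_factory=list)   # (u, v, relation, attribute dict)

    def add_node(self, nid, ntype):
        self.nodes.setdefault(nid, {"type": ntype, "in": 0, "out": 0, "alerts": 0})

    def add_edge(self, u, utype, v, vtype, rel, **attrs):
        self.add_node(u, utype)
        self.add_node(v, vtype)
        self.edges.append((u, v, rel, attrs))
        self.nodes[u]["out"] += 1          # simple per-node structural features
        self.nodes[v]["in"] += 1
        if rel in ("alert", "failed_login"):   # security-relevant relations count on the target
            self.nodes[v]["alerts"] += 1

    def adjacency(self):
        """Per-relation edge lists, the form a relation-aware GNN layer consumes."""
        adj = defaultdict(list)
        for u, v, rel, _ in self.edges:
            adj[rel].append((u, v))
        return dict(adj)

def build_snapshots(events, window_size=60):
    """Map heterogeneous events into a time-ordered sequence of graph snapshots."""
    snaps = {}
    for e in sorted(events, key=lambda e: e["t"]):
        w = e["t"] // window_size
        snap = snaps.setdefault(w, Snapshot(w))
        if e["src"] == "fw":
            snap.add_edge(e["from"], "host", e["to"], "host", "flow", bytes=e["bytes"])
        elif e["src"] == "ids":
            snap.add_edge(e["from"], "host", e["to"], "host", "alert", signature=e["sig"])
        elif e["src"] == "auth":
            snap.add_edge(e["user"], "user", e["host"], "host", "login" if e["ok"] else "failed_login")
    return [snaps[w] for w in sorted(snaps)]
```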