Authors: 黄明义 (HUANG Mingyi); 邹福泰 (ZOU Futai) [1]; 周纸墨 (ZHOU Zhimo); 张亮 (ZHANG Liang) (School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China; East Branch of State Grid Corporation of China, Shanghai 200120, China)
Affiliations: [1] School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240; [2] East Branch of State Grid Corporation of China, Shanghai 200120
Source: Chinese Journal of Network and Information Security (《网络与信息安全学报》), 2025, No. 1, pp. 151-164 (14 pages)
Funding: National Natural Science Foundation of China (61831007); National Key R&D Program of China (2020YFB1807500).
Abstract: With the rapid development of computer and network communication technologies, research on network attack detection in the context of big data has increasingly gained attention. Although machine learning techniques have achieved promising results in this field, issues related to dataset labeling and training remain challenging. Traditional belief propagation algorithms, while widely used in graph-based attack detection, lack any distinction between node and edge types and perform inadequately in scenarios where malicious nodes are far fewer than benign nodes. To address these issues, a network attack detection method based on knowledge graphs and taint propagation, referred to as CDTP (community detection and taint propagation), is proposed. In this method, three types of entities (IP addresses, domain names, and files) are defined, direct and indirect relationships between entities are established, and a knowledge graph is constructed from them. In a semi-supervised setting, the Louvain community detection algorithm is used to partition the knowledge graph and extract the subgraphs related to malicious entities. Additionally, a novel taint propagation algorithm is introduced, which infers the maliciousness score of each node from the relationships between entities, thereby effectively detecting malicious and victim entities and visualizing attack paths. Experimental results demonstrate that CDTP outperforms the traditional belief propagation algorithm in both simulated environments and authoritative datasets. Particularly in scenarios where the number of malicious nodes is small, CDTP effectively detects attacks with significantly higher precision and recall than traditional methods. This shows that CDTP exhibits outstanding performance in network attack detection and effectively identifies malicious behavior in complex network environments, demonstrating considerable superiority in practical applications.
Classification: TP309 (Automation and Computer Technology: Computer System Architecture)