Host abnormal behavior detection method based on subgraph matching

• Main Authors: LYU MINGQI, SONG QIJIE, CHEN TIEMING, QIU XUEBO, YE HONG, ZHU TIANTIAN, WANG HAO
• Format: Patent
• Language: Chinese; English
• Published: 21.11.2023
• Subjects: CALCULATING; COMPUTING; COUNTING; ELECTRIC COMMUNICATION TECHNIQUE; ELECTRIC DIGITAL DATA PROCESSING; ELECTRICITY; PHYSICS; TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHICCOMMUNICATION

The invention discloses a host abnormal behavior detection method based on subgraph matching, which comprises the following steps: collecting abnormal behavior log data to construct a first heterogeneous graph, and extracting behavior meta-graphs based on the first heterogeneous graph to form a behavior meta-graph library; operating system kernel events are collected to construct a second heterogeneous graph; extracting a behavior meta-graph from the behavior meta-graph library, and searching candidate nodes matched with meta-graph nodes in the second heterogeneous graph for each meta-graph node in the behavior meta-graph; selecting a meta-graph node with the least number of candidate nodes as a seed node; traversing from each candidate node in the candidate node set of the seed nodes, simplifying a matching result by using an influence score between the nodes, and determining a matching sub-graph; and calculating the similarity between the behavior meta-graph and the matched sub-graph, and if the similarity