Construction of a Cybersecurity Behavior Knowledge Base for Malicious Behavior Analysis

Keke Feng
Huachun Zhou
Weilin Wang
Jingfu Yan
Xiaojing Fan

Keywords

Cybersecurity knowledge base, Knowledge reasoning, Malicious behavior analysis, Graph neural networks.

Abstract

Facing the surge of malicious behaviors in the network environment, existing cybersecurity knowledge graphs suffer from fragmented security knowledge and limited application scenarios, which makes collaborative malicious behavior analysis challenging. To address this, we propose a cybersecurity behavior knowledge base (CSBKB) framework for comprehensive malicious behavior analysis. Based on knowledge of user behavior, attack traffic, and attack paths, we construct six types of knowledge graph to characterize malicious behavior: the user behavior perception graph, user behavior mapping graph, malicious behavior association graph, malicious behavior category graph, domain attack graph, and malicious behavior path traceability graph. Together, these graphs form a comprehensive security behavior knowledge base. To fully exploit the graph structure information, we design a reasoning module based on graph neural networks that further explores the relationships between entities in the graphs. Using DDoS attacks as a case study, we demonstrate the framework's construction and knowledge-reasoning capabilities. Experimental results show that the proposed CSBKB framework realizes a comprehensive malicious behavior analysis mechanism encompassing "malicious user behavior monitoring, malicious behavior type detection, and malicious behavior path tracing." It analyzes malicious behaviors effectively, with an accuracy above 0.97 in detecting abnormal users, above 0.97 in inferring DDoS attack types, and an identification rate above 0.92 for malicious behavior paths.
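The abstract describes a pipeline of three reasoning tasks over a behavior knowledge graph (abnormal-user monitoring, attack-type inference, and attack-path traceability). The following Python script is an added illustration written for this page, not the authors' CSBKB code: it builds a small triple-based knowledge graph from constructed flow records linking users, hosts, flows and victims, then answers the three questions by graph traversal. The entity and relation names (`operates`, `sends`, `targets`), the packet-count threshold, and the protocol/flag rules that stand in for the paper's graph-neural-network reasoning module are all assumptions made for the demo.

```python
"""Toy cybersecurity behavior knowledge graph with rule-based reasoning.

Illustrative example only. The relation vocabulary, the 500-packet threshold
and the flag-based DDoS classifier are assumptions for this demo; the CSBKB
paper uses six purpose-built graphs and a GNN reasoning module instead.
"""
from collections import defaultdict

# Constructed sample flow records (not real captures):
# (user, source host, destination host, protocol, TCP flags, packet count)
SAMPLE_FLOWS = [
    ("alice", "h1", "web1", "tcp", "S",  12),
    ("alice", "h1", "web1", "tcp", "SA", 10),
    ("bob",   "h2", "web1", "tcp", "S",  900),
    ("bob",   "h3", "web1", "tcp", "S",  850),
    ("carol", "h4", "dns1", "udp", "",   700),
    ("dave",  "h5", "web1", "tcp", "S",  15),
]

PKT_THRESHOLD = 500  # assumed volume cut-off separating floods from normal use


class BehaviorKB:
    """Labelled directed graph stored as (subject, relation, object) triples."""

    def __init__(self):
        self.triples = set()
        self.out = defaultdict(list)   # forward adjacency: s -> [(r, o)]
        self.inc = defaultdict(list)   # reverse adjacency for path traceability
        self.attrs = {}                # per-flow attributes (proto, flags, pkts, ...)
        self.users = set()

    def add(self, s, r, o):
        if (s, r, o) not in self.triples:
            self.triples.add((s, r, o))
            self.out[s].append((r, o))
            self.inc[o].append((r, s))


def classify_flow(attrs):
    """Malicious behavior type detection: rule-based stand-in for the GNN."""
    if attrs["pkts"] < PKT_THRESHOLD:
        return "benign"
    if attrs["proto"] == "tcp" and attrs["flags"] == "S":
        return "SYN flood"
    if attrs["proto"] == "udp":
        return "UDP flood"
    return "unknown flood"


def build_kb(flows):
    """Map user behavior and attack traffic into the graph as typed edges."""
    kb = BehaviorKB()
    for i, (user, src, dst, proto, flags, pkts) in enumerate(flows):
        flow = f"flow{i}"
        kb.users.add(user)
        kb.add(user, "operates", src)   # user behavior mapping
        kb.add(src, "sends", flow)      # attack traffic
        kb.add(flow, "targets", dst)    # attack path endpoint
        kb.attrs[flow] = {"proto": proto, "flags": flags, "pkts": pkts}
        kb.attrs[flow]["category"] = classify_flow(kb.attrs[flow])
    return kb


def abnormal_users(kb):
    """Malicious user behavior monitoring: users whose hosts emit a flood flow."""
    flagged = set()
    for user in kb.users:
        for r, host in kb.out[user]:
            if r != "operates":
                continue
            for r2, flow in kb.out[host]:
                if r2 == "sends" and kb.attrs[flow]["category"] != "benign":
                    flagged.add(user)
    return flagged


def trace_attack_paths(kb, victim):
    """Malicious behavior path traceability: walk reverse edges victim -> user."""
    paths = []

    def dfs(node, path):
        if node in kb.users:
            paths.append(tuple(reversed(path)))
            return
        for r, prev in kb.inc[node]:
            if r == "targets" and kb.attrs[prev]["category"] == "benign":
                continue  # benign flows are not part of an attack path
            if r in ("targets", "sends", "operates"):
                dfs(prev, path + [prev])

    dfs(victim, [victim])
    return sorted(paths)


if __name__ == "__main__":
    kb = build_kb(SAMPLE_FLOWS)
    print("abnormal users:", sorted(abnormal_users(kb)))
    for flow, a in kb.attrs.items():
        print(flow, "->", a["category"])
    for victim in ("web1", "dns1"):
        print(victim, "attack paths:", trace_attack_paths(kb, victim))
```

Running the script flags `bob` and `carol` as abnormal, labels their flows as SYN and UDP floods, and traces `web1` back through two hosts to `bob`, which is the same monitoring / type detection / path tracing sequence the abstract names, minus the learned reasoning.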