Method and device for identifying attack behaviors

The invention discloses a method and a device for identifying attack behaviors, which are used for automatically identifying the attack behaviors from massive logs acquired by security detection equipment. The method comprises the steps of extracting a plurality of triads from a host log, wherein eac...

Detailed description

Saved in:
Bibliographic details
Main authors: GU DUJUAN, LIU WENMAO, WANG XINGKAI, XUE JIANXIN, ZHANG RUNZI
Format: Patent
Language: chi ; eng
Subject terms:
Online access: Order full text
Description
Abstract: The invention discloses a method and a device for identifying attack behaviors, which are used for automatically identifying the attack behaviors from massive logs acquired by security detection equipment. The method comprises the steps of extracting a plurality of triads from a host log, wherein each triad comprises a source node, a target node and an edge, and the edge is used for indicating an operation between the source node and the target node; determining an attribute heterogeneous graph of the host log according to the source nodes, target nodes and edges in the plurality of triads; performing model training according to the attribute heterogeneous graph to obtain a semantic reasoning model; obtaining one or more sub-graphs according to the semantic reasoning model and the attribute heterogeneous graph; and determining an attack behavior from the behaviors corresponding to the one or more sub-graphs.

A method and a device for identifying attack behaviors, used to automatically identify attack behaviors from the massive logs acquired by security detection equipment. In this application, the method includes: extracting a plurality of triples from a host log, where a triple includes a source node, a target node and an edge, and the edge is used to indicate the … between the source node and the target node