Research on Emergency Response Attack Scenario Reconstruction Method Based on Steiner Trees
摘要
With the exponential proliferation of Internet of Things (IoT) endpoints and their deep penetration into critical scenarios such as smart cities, industrial control systems, and smart homes, heterogeneous network perimeters have expanded dramatically, resulting in a geometric surge of the attack surface. Simultaneously, adversaries operating within these complex IoT environments exhibit increasingly stealthy and diverse behavioral patterns. Consequently, traditional emergency response methods face challenges such as the dispersion of abnormal nodes and frequent false positives, making it difficult to reconstruct attack scenarios. There is an urgent need for more efficient and precise reconstruction methods. To address this, this paper proposes an attack scenario reconstruction method based on Steiner tree optimization. First, the association tracing of abnormal nodes is transformed into a Steiner tree construction problem. Graph compression techniques are used to reduce redundant nodes and information interference, and a candidate path set is established based on a node anomaly scoring mechanism. Second, a greedy strategy is employed to prioritize nodes with higher anomaly scores for connection, constructing a globally optimal Steiner tree to accurately reconstruct the attack propagation path. Additionally, this paper introduces multi-dimensional evaluation metrics such as node anomaly degree, path association degree, and temporal order to perform real-time filtering of generated paths, effectively removing low-scoring and noise-interfering paths, thereby further enhancing the accuracy and real-time performance of attack scenario reconstruction. Experiments show that compared to traditional methods, this method reduces the average number of false positives in attack scenarios by 118 and achieves an attack scenario reconstruction rate of 88.8%, significantly enhancing the practicality and reliability of emergency response analysis. This study provides a new technical solution and theoretical foundation for attack attribution in complex network environments, laying the groundwork for the development of related technologies.