CN112261006B - Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors - Google Patents
Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors Download PDFInfo
- Publication number
- CN112261006B CN112261006B CN202011034651.4A CN202011034651A CN112261006B CN 112261006 B CN112261006 B CN 112261006B CN 202011034651 A CN202011034651 A CN 202011034651A CN 112261006 B CN112261006 B CN 112261006B
- Authority
- CN
- China
- Prior art keywords
- behavior
- beh
- behaviors
- attack
- dep
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention provides a mining method, a terminal and a storage medium for discovering dependency relationship among threat behaviors, which are used for collecting log files of all users a in a system, cleaning and sorting data in the log files to form an employee behavior set S ═ behaiH, counting the time span w in the set St(ii) a Based on S and wtStatistical behavior occurrence probability P (beh)ai) Probability of co-occurrence with behavior P (beh)ai,behaj) (ii) a Calculating a dependency value dep based on two probabilitiesai,aj,depai,ajReflect the action behaiPair behavior behajThe degree of dependence of; according to all depai,ajConstructing an attack dependency matrix M, wherein the matrix M reflects the dependency relationship between every two behaviors of one employee; deriving an attack behavior path from Mag→ak,pathag→akRepresenting a complete, most likely, series of attack actions. The invention finds out the potential relation among the staff behaviors and quantifies the dependency relationship. Enterprises can quickly find out two behaviors with the closest relationship through the dependency relationship numerical values, and early warning is carried out on the threatening behaviors according to a preset danger threshold value, so that the enterprises are prevented from being attacked by threats from the inside.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a mining method, a terminal and a storage medium for discovering dependency relationship among threat behaviors.
Background
Internal threats are generally considered to be malicious activities that compromise the system by employees or former employees who are unhappy with a business, organization, or organization. The destructor gains access to the enterprise system or network, finds the weak location of the system defense through infiltration of the system structure and operating state and attacks it. Attack of internal threats takes various forms, such as intrusion into a system by using program tools such as trojans, worms, viruses and the like; stealing confidential data inside the enterprise; modifying, deleting or destroying corporate critical data; identity information of employees within a company is stolen, etc. The occurrence of any of these actions can cause an unmanageable loss to an enterprise, organization, or organization.
In the traditional information security, the main information security attack and defense ideas are vulnerability scanning, denial of service and the like, and an attack matrix can well show the types and attack modes of attack behaviors. The attack matrices known at present are MITRE ATT & CK and attack hypothesis matrices. The MITRE ATT & CK may also be referred to as an attacker policy knowledge base, and the matrix represents the attack policy used by the attacker and the corresponding technical means in the corresponding policy. The attack hypothesis matrix represents the aggressors' whereabouts and expected attack effects, and an attack hypothesis model is shown in table 1.
TABLE 1 an MCPS attack matrix
With the coming of big data, more attack behaviors are no longer single battles, thousands of connections exist among the attack behaviors, the traditional attack matrix is difficult to identify and quantify the attack relations, and when one threat is identified, the preventive measures can release another attack behavior related to the threat all the time, so that the damage which is difficult to estimate is caused to a computer.
Disclosure of Invention
In order to overcome the defects in the prior art, the invention provides a mining method for discovering dependency relationship among threat behaviors, which comprises the following steps:
step one, collecting log files of all users in the system, wherein the log files reflect behavior operations of a user a, cleaning and sorting data in the log files to form an employee behavior set S { beh {aiRepresents the ith behavior of the a-th employee;
step two, counting the time span w in the set St;
Step three, based on S and wtStatistical behavior occurrence probability P (beh)ai) Probability of co-occurrence with behavior P (beh)ai,behaj);
Step four, calculating a dependency relationship value dep based on two probabilitiesai,aj,depai,ajReflect the action behaiPair behavior behajThe degree of dependence of (c);
step five, according to all depai,ajConstructing an attack dependency matrix M, wherein the matrix M reflects the dependency relationship between every two behaviors of an employee;
deriving attack behavior path from Mag→ak,pathag→akRepresenting a complete, most likely to occur, series of attack actions.
Further, it should be noted that, in the first step, various Behavior log logs of the user a are collected, and a Behavior data structure Behavior is constructed based on information in the logs;
the Behavior data structure Behavior at least comprises the following fields: the behavior identification system comprises a behavior number b _ id for identifying the uniqueness of the behavior, a behavior source host name host _ name and a source ip address host _ ip for describing a behavior initiator, a behavior description for describing the details of the behavior, and t for describing the occurrence time of the behavior.
It should be further noted that collecting various types of behavior logs log of the user a includes: collecting input instruction information of the staff, executing software information, program operation information executed by a system according to the input instruction information of the staff and staff identity information.
It should be further noted that, in step two, the earliest starting time t appearing in the statistical data structure BehaviorearliestAnd the latest start time tlatestThe period of time (t)latest-tearliest) Divided into centwindow time spans w of equal lengtht。
It should be further noted that, in the third step,
counting the occurrence probability of the ith behavior made by the user a on the total behavior amount and the total time:
wherein the function cntall (w)t) Indicating counting the total number of time windows, the function sum (s, z) indicating counting the number of occurrences of the variable s under the constraint z, behaRepresents all actions by user a;
counting the occurrence probability of the i-th and j-th behaviors made by the user a on the total behavior amount and the total time:
wherein, the function sum (s, l, z) represents that under the limiting condition z, the number of times s and l commonly occur is counted, and when t > s, sum (s, l, t) is s; when t is less than or equal to s, the cntduble (s, l, t) ═ t.
It should be further noted that, in step four, for user a, the action beh occursaiTo act behajThe degree of dependence of (c) can be calculated by the following formula:
wherein depai,aj∈(-1,1),depai,aj=-depaj,ai,|depai,ajGreater | indicates behavior behaiPair behavior behajThe lower the degree of dependence, i.e. action behajAfter this occurs, act behaiIs substantially impossible to occur;
when the value is 0, action beh is indicatedaiIs completely dependent on action behaj。
It should be further noted that, in the fifth step,
for user a, any two actions beh that it takesaiAnd behajThe attack matrix M is composed as follows:
wherein i, j belongs to [1, n ];
setting a dependent threshold vector λT=(λ1,λ2,...,λn);
Performing index traversal on M when lambda isi≤depai,ajWhen it is, take out depai,ajConstitute attack pathag→ak,g,k∈[1,n];
Outputting all the coincidences from matrix MTSpecified attack pathag→ak。
The present invention also provides a terminal, comprising: the device comprises a wireless communication module, an audio and video output module, a user input module, a sensing module, a storage medium, an interface module, a processor and a power supply module;
the storage medium is used for storing a computer program and a mining method for discovering dependency relationship among threat behaviors;
the processor is used for executing the computer program and the mining method for discovering the dependency relationship among the threat behaviors so as to realize the steps of the mining method for discovering the dependency relationship among the threat behaviors.
The present invention also provides a storage medium having a mining method for discovering dependencies between threat behaviors, the storage medium being adapted to store a computer program for execution by a processor to implement the steps of the mining method for discovering dependencies between threat behaviors.
According to the technical scheme, the invention has the following advantages:
the invention finds out the potential dependency among the staff behaviors and quantifies the dependency. Enterprises can quickly find out two behaviors with the closest relationship through the dependency relationship numerical values, and early warning is carried out on the threatening behaviors according to a preset danger threshold value, so that the enterprises are prevented from being attacked by threats from the inside.
According to the invention, based on the attack dependency matrix among behaviors, the distribution condition of the behavior of the staff is excavated. The existing attack matrix can only count the types and threats of attack behaviors, the invention expands the attack matrix and puts the dependency relationship between the behaviors into the attack matrix, so that an enterprise can directly find out two behaviors which are most closely related in a system, and the two behaviors are uniformly processed at the moment, thereby improving the event response capability of the enterprise.
The method for generating the path based on the attack behavior excavates and monitors the behavior dynamics of the staff in real time. The paths show the trend and the sequence relation of one or a series of attack behaviors, and enterprises can monitor the behaviors of employees in real time, discover precursor behaviors which are easy to cause threat behaviors in time and stop the behaviors.
Detailed Description
The described features, structures, or characteristics of the mining method for discovering dependencies between threat behaviors to which the present invention relates may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. However, those skilled in the art will appreciate that the present invention may be practiced without several of the details of the described embodiments, and that the various embodiments may be practiced by other methods, apparatus, steps, etc. that are known to those of skill in the art. Accordingly, the following description does not show or describe well-known methods, apparatus, implementations or operations in detail, to avoid obscuring aspects of the invention.
The invention provides a mining method for discovering dependency relationship among threat behaviors, and aims to mine the dependency relationship among the behaviors.
S11, collecting log files of all users in the system, wherein the log files reflect the behavior operation of the user a, cleaning and sorting the data in the log files to form an employee behavior set S { beh {aiRepresents the ith behavior of the a-th employee;
s12, time span w in statistic set St;
S13, based on S and wtStatistical behavior occurrence probability P (beh)ai) Probability of co-occurrence with behavior P (beh)ai,behaj);
S14, calculating a dependency relationship value dep based on the two probabilitiesai,aj,depai,ajReflect the action behaiPair behavior behajThe degree of dependence of;
s15, according to all depai,ajConstructing an attack dependency matrix M, wherein the matrix M reflects the dependency relationship between every two behaviors of an employee;
deriving an attack behavior path from Mag→ak,pathag→akRepresenting a complete, most likely to occur, series of attack actions.
Those of ordinary skill in the art will appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. The method mainly comprises the following implementation steps:
and acquiring the behavior. And collecting various Behavior logs log of the user a, and constructing a Behavior data structure Behavior based on information in the logs. The log should indicate when and where an employee performed what work on the system, and therefore, in order to ensure that the subsequent design is performed successfully, the Behavior data structure Behavior at least includes the following fields: a behavior number b _ id for identifying the uniqueness of a behavior, a behavior source host name host _ name and a source ip address host _ ip for describing a behavior initiator, a behavior description for describing the details of the behavior, and t for describing the occurrence time of the behavior. User a may be an internal employee of the enterprise, a visitor using the system, etc.
The above data is the basis for the subsequent analysis of the dependency relationship between the behaviors.
Table 2 behavioral data structure Behavior example
Counting the earliest onset time t appearing in BehaviorearliestAnd a latest start time tlatestThe period of time (t)latest-tearliest) Divided into centwindow time windows w of equal lengtht。
Counting the occurrence probability of the ith behavior made by the user a on the total behavior amount and the total time amount:
wherein the function cntall (w)t) Representing counting the total number of time windows, a functionsum (s, z) indicates the count of the number of occurrences of the variable s under the constraint z, behaRepresenting all actions by user a.
Counting the occurrence probability of the i-th and j-th behaviors made by the user a on the total behavior amount and the total time amount:
wherein, the function sumd (s, l, z) represents counting the number of times s and l commonly occur under the limiting condition z, and when t > s, sumd (s, l, t) is s; when t is less than or equal to s, the cntduble (s, l, t) ═ t.
For user a, the actions beh that it takesaiPair behavior behajThe degree of dependence can be calculated by the following formula:
wherein depai,aj∈(-1,1),depai,aj=-depaj,ai,|depai,ajGreater | indicates behavior behajPair behavior behaiThe lower the degree of dependence, i.e. action behajAfter occurrence, act behaiSubstantially impossible to occur. When the value is 0, action beh is indicatedaiIs completely dependent on action behaj。
For user a, any two actions beh that it takesaiAnd behajThe attack matrix M is composed as follows:
wherein i, j is belonged to [1, n ].
In order to reduce the influence of the magnitude difference of the behavior occurrence times on the result, a dependence threshold vector lambda is setT=(λ1,λ2,...,λn). Performing index traversal on M when lambda isi≤depai,ajWhen it is, take out depai,ajConstitute attack pathag→ak,g,k∈[1,n]。
Outputting all the coincidences from matrix MTSpecified attack pathag→ak。
The mining method for discovering the dependency relationship among the threat behaviors, which is disclosed by the invention, is based on the dependency relationship expansion attack matrix, the attack path design and the potential relationship among the enterprise employee behaviors, so that the thought is clear and easy to understand, and the operation is easy to realize. The method has the advantages that a certain correlation exists between the unstructured behavior data, the correlation is discovered and quantified by using the dependency relationship, and the behavior data are structured by using the attack matrix. The mining of the behavior dependency relationship mining method enables enterprises to better master the behavior dynamics of internal employees, carries out risk assessment on internal threats implied by each behavior and guarantees safe, reliable and continuous operation of enterprise systems.
Specifically, the advantages of the present invention can be divided into the following three aspects:
the method for calculating the dependency relationship among the behaviors excavates the behavior properties of the staff. The invention finds out the potential relation among the staff behaviors and quantifies the dependency relationship. Enterprises can quickly find out two behaviors with the closest relationship through the dependency relationship numerical values, and early warning is carried out on the threatening behaviors according to a preset danger threshold value, so that the enterprises are prevented from being attacked by threats from the inside.
According to the invention, based on the attack dependency matrix among behaviors, the distribution condition of the behavior of the staff is excavated. The existing attack matrix can only count the types and threats of the attack behaviors, the invention expands the attack matrix and puts the dependency relationship between the behaviors into the attack matrix, so that an enterprise can directly find out two behaviors with the closest relationship in a system, and the two behaviors are uniformly processed at the moment, thereby improving the event response capability of the enterprise.
The method for generating the path based on the attack behavior excavates and monitors the behavior dynamics of the staff in real time. The paths show the trend and the sequence relation of one or a series of attack behaviors, and enterprises can monitor the behaviors of employees in real time, find precursor behaviors which are easy to cause threat behaviors in time and stop the behaviors.
In summary, the present invention uses co-occurrence frequency and conditional probability to identify dependencies between internal behaviors. The dependency relationship is one of the association relationships in association analysis, and the purpose of the dependency relationship is to search a causal item set or object set in various information carriers such as transaction data and relationship data. The dependency relationship can find out the connection among a large number of data objects, and visually describe the rule and the mode of some attributes in one thing appearing at the same time.
The invention is inspired by the existing attack matrix model, and expands the effect of the attack matrix, so that the attack matrix can not only represent the type and threat of the attack, but also measure the dependency relationship between two potential threat behaviors. Therefore, the method and the system are based on the internal behaviors of the enterprise, the dependency relationship between the behaviors is mined, the dependency degree between the two behaviors is quantified by using a conditional probability formula, and the occurrence sequence between the internal behaviors is identified. And then mapping the value of the dependency relationship between every two behaviors to an attack dependency matrix, and through the matrix, the enterprise can directly find two internal behaviors with the most dense relationship. And finally, performing path search on the attack dependency matrix to obtain a plurality of attack paths, wherein the paths show the causal relationship among one or a series of attack behaviors.
The invention also provides a terminal based on the method, which comprises the following steps: the device comprises a wireless communication module, an audio and video output module, a user input module, a sensing module, a storage medium, an interface module, a processor and a power supply module;
the storage medium is used for storing a computer program and a mining method for discovering dependency relationship among threat behaviors;
the processor is used for executing the computer program and the mining method for discovering the dependency relationship among the threat behaviors so as to realize the steps of the mining method for discovering the dependency relationship among the threat behaviors.
Based on the above method, the present invention further provides a storage medium having a mining method for discovering dependency relationships among threat behaviors, wherein the storage medium stores a computer program, and the computer program is executed by a processor to implement the steps of the mining method for discovering dependency relationships among threat behaviors.
The terminal of the present invention may include a mobile terminal such as a mobile phone, a smart phone, a notebook computer, a Digital broadcast receiver, a Personal Digital Assistant (PDA), a tablet computer (PAD), etc., and a fixed terminal such as a Digital TV, a desktop computer, etc. It will be understood by those skilled in the art that the configuration according to the embodiment of the present invention can be applied to a fixed type terminal in addition to elements particularly used for moving purposes.
The terminals implementing the mining method for discovering dependencies between threat behaviors are the exemplary elements and algorithm steps described in connection with the embodiments disclosed herein, and can be implemented in electronic hardware, computer software, or a combination of both, the components and steps of the examples having been generally described in terms of functionality in the foregoing description for clarity of illustration of interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Through the above description of the embodiments, those skilled in the art will readily understand that the terminal implementing the mining method for discovering dependencies between threat behaviors described herein may be implemented by software, or may be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiment of the disclosure for implementing the mining method for discovering dependency relationship between threat behaviors may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a mobile hard disk, or the like) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, or the like) to execute the indexing method according to the embodiment of the disclosure.
A terminal implementing a mining method for discovering dependencies between threat behaviors may write program code for performing the operations of the present disclosure in any combination of one or more programming languages, including an object oriented programming language such as Java, C + +, or the like, as well as conventional procedural programming languages, such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In situations involving remote computing devices, the remote computing devices may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external computing devices (e.g., through the internet using an internet service provider).
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (6)
1. A mining method for discovering dependency relationships among threat behaviors, the method comprising:
step one, collecting log files of all users a in the system, wherein the log files reflect the behavior operations of the users a, cleaning and sorting data in the log files to form an employee behavior set S (beh)aiRepresents the ith behavior of the a-th employee;
step two, counting the time span w in the set St;
Step three, based on S and wtStatistical behavior occurrence probability P (beh)ai) Probability of co-occurrence with behavior P (beh)ai,behaj);
Counting the occurrence probability of the ith behavior made by the user a on the total behavior amount and the total time amount:
wherein the function cntall (w)t) Indicating counting the total number of time windows, the function sum (s, z) indicating counting the number of occurrences of the variable s under the constraint z, behaRepresents all actions by user a;
counting the occurrence probability of the i-th and j-th behaviors made by the user a on the total behavior amount and the total time amount:
wherein, the function sumd (s, l, z) represents counting the number of times s and l commonly occur under the limiting condition z, and when t > s, sumd (s, l, t) ═ s; when t is less than or equal to s, the cnt double (s, l, t) is t;
step four, calculating a dependency relationship value dep based on two probabilitiesai,aj,depai,ajReflect the action behaiTo act behajThe degree of dependence of (c);
for user a, the behavior beh that it occursaiPair behavior behajThe degree of dependence of (c) can be calculated by the following formula:
wherein depai,aj∈(-1,1),depai,aj=-depaj,ai,|depai,ajGreater | indicates behavior behaiTo act behajIs dependent on the programThe lower the degree;
when the value is 0, action beh is indicatedaiIs completely dependent on action behaj;
Step five, according to all depai,ajConstructing an attack dependency matrix M, wherein the matrix M reflects the dependency relationship between every two behaviors of one employee;
deriving attack behavior path from Mag→ak,pathag→akRepresenting a complete, most likely to occur series of attack actions;
for user a, any two actions beh that it takesaiAnd behajThe attack matrix M is composed as follows:
wherein i, j belongs to [1, n ];
setting a dependency threshold vector λT=(λ1,λ2,...,λn);
Performing index traversal on M when lambda isi≤depai,ajWhen it is, take out depai,ajComposing attack pathag→ak,g,k∈[1,n];
Outputting all the coincidences from matrix MTSpecified attack pathag→ak。
2. The mining method for discovering dependency relationships between threat behaviors as claimed in claim 1,
collecting various Behavior log logs of a user a, and constructing a Behavior data structure Behavior based on information in the logs;
the Behavior data structure Behavior at least comprises the following fields: the behavior identification system comprises a behavior number b _ id for identifying the uniqueness of the behavior, a behavior source host name host _ name and a source ip address host _ ip for describing a behavior initiator, a behavior description for describing the details of the behavior, and t for describing the occurrence time of the behavior.
3. The mining method for discovering dependency relationships between threat behaviors as claimed in claim 2,
collecting various types of behavior logs log of the user a includes: collecting input instruction information of the staff, executing software information, program operation information executed by a system according to the input instruction information of the staff and staff identity information.
4. The mining method for discovering dependency relationships between threat behaviors as claimed in claim 1,
in step two, the earliest starting time t appearing in the data structure Behavior is countedearliestAnd a latest start time tlatestThe period of time (t)latest-tearliest) Divided into centwindow time spans w of equal lengtht。
5. A terminal, comprising: the device comprises a wireless communication module, an audio and video output module, a user input module, a sensing module, a storage medium, an interface module, a processor and a power supply module;
the storage medium is used for storing a computer program and a mining method for discovering dependency relationship among threat behaviors;
a processor is adapted to execute the computer program and the mining method for discovering dependency relationships between threat behaviors, so as to implement the steps of the mining method for discovering dependency relationships between threat behaviors as claimed in any one of claims 1 to 4.
6. A storage medium having a mining method for discovering dependency relationships between threat behaviors, the storage medium having a computer program stored thereon, the computer program being executed by a processor to implement the steps of the mining method for discovering dependency relationships between threat behaviors as claimed in any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011034651.4A CN112261006B (en) | 2020-09-27 | 2020-09-27 | Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011034651.4A CN112261006B (en) | 2020-09-27 | 2020-09-27 | Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112261006A CN112261006A (en) | 2021-01-22 |
| CN112261006B true CN112261006B (en) | 2022-07-19 |
Family
ID=74234290
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011034651.4A Active CN112261006B (en) | 2020-09-27 | 2020-09-27 | Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112261006B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102098306A (en) * | 2011-01-27 | 2011-06-15 | 北京信安天元科技有限公司 | Network attack path analysis method based on incidence matrixes |
| CN104811447A (en) * | 2015-04-21 | 2015-07-29 | 深信服网络科技(深圳)有限公司 | Security detection method and system based on attack association |
| CN105069044A (en) * | 2015-07-22 | 2015-11-18 | 安徽理工大学 | Simulated indirect dependency based novel process model mining method |
| CN105516127A (en) * | 2015-12-07 | 2016-04-20 | 中国科学院信息工程研究所 | Internal threat detection-oriented user cross-domain behavior pattern mining method |
| CN108063776A (en) * | 2018-02-26 | 2018-05-22 | 重庆邮电大学 | Inside threat detection method based on cross-domain behavioural analysis |
| CN109299044A (en) * | 2018-07-20 | 2019-02-01 | 浙江工业大学 | A kind of secure visual analysis system based on intra-company's log |
| CN111092879A (en) * | 2019-12-13 | 2020-05-01 | 杭州迪普科技股份有限公司 | Log association method and device, electronic equipment and storage medium |
| CN111224928A (en) * | 2018-11-26 | 2020-06-02 | 中国移动通信集团辽宁有限公司 | Network attack behavior prediction method, device, equipment and storage medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8438644B2 (en) * | 2011-03-07 | 2013-05-07 | Isight Partners, Inc. | Information system security based on threat vectors |
| US9967282B2 (en) * | 2014-09-14 | 2018-05-08 | Sophos Limited | Labeling computing objects for improved threat detection |
| US10505953B2 (en) * | 2017-02-15 | 2019-12-10 | Empow Cyber Security Ltd. | Proactive prediction and mitigation of cyber-threats |
-
2020
- 2020-09-27 CN CN202011034651.4A patent/CN112261006B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102098306A (en) * | 2011-01-27 | 2011-06-15 | 北京信安天元科技有限公司 | Network attack path analysis method based on incidence matrixes |
| CN104811447A (en) * | 2015-04-21 | 2015-07-29 | 深信服网络科技(深圳)有限公司 | Security detection method and system based on attack association |
| CN105069044A (en) * | 2015-07-22 | 2015-11-18 | 安徽理工大学 | Simulated indirect dependency based novel process model mining method |
| CN105516127A (en) * | 2015-12-07 | 2016-04-20 | 中国科学院信息工程研究所 | Internal threat detection-oriented user cross-domain behavior pattern mining method |
| CN108063776A (en) * | 2018-02-26 | 2018-05-22 | 重庆邮电大学 | Inside threat detection method based on cross-domain behavioural analysis |
| CN109299044A (en) * | 2018-07-20 | 2019-02-01 | 浙江工业大学 | A kind of secure visual analysis system based on intra-company's log |
| CN111224928A (en) * | 2018-11-26 | 2020-06-02 | 中国移动通信集团辽宁有限公司 | Network attack behavior prediction method, device, equipment and storage medium |
| CN111092879A (en) * | 2019-12-13 | 2020-05-01 | 杭州迪普科技股份有限公司 | Log association method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112261006A (en) | 2021-01-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Hassan et al. | Tactical provenance analysis for endpoint detection and response systems | |
| Cheng et al. | Enterprise data breach: causes, challenges, prevention, and future directions | |
| US10791133B2 (en) | System and method for detecting and mitigating ransomware threats | |
| EP3502943B1 (en) | Method and system for generating cognitive security intelligence for detecting and preventing malwares | |
| US9661003B2 (en) | System and method for forensic cyber adversary profiling, attribution and attack identification | |
| US20170034197A1 (en) | Mitigating blockchain attack | |
| EP2939173B1 (en) | Real-time representation of security-relevant system state | |
| CN110213226B (en) | Network attack scene reconstruction method and system based on risk full-factor identification association | |
| US20150172303A1 (en) | Malware Detection and Identification | |
| US20240048571A1 (en) | Endpoint security architecture with programmable logic engine | |
| US10216934B2 (en) | Inferential exploit attempt detection | |
| EP3531324B1 (en) | Identification process for suspicious activity patterns based on ancestry relationship | |
| CN113497786B (en) | Evidence collection and tracing method, device and storage medium | |
| EP3692695B1 (en) | Intrusion investigation | |
| WO2018213061A2 (en) | Timely causality analysis in homegeneous enterprise hosts | |
| CN112287339A (en) | APT intrusion detection method and device and computer equipment | |
| CN112287340B (en) | Evidence obtaining and tracing method and device for terminal attack and computer equipment | |
| US11190589B1 (en) | System and method for efficient fingerprinting in cloud multitenant data loss prevention | |
| CN112261006B (en) | Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors | |
| JP2012093804A (en) | Security monitoring device, security monitoring method and security monitoring program based on security policy | |
| CN114900375A (en) | Malicious threat detection method based on AI graph analysis | |
| Alaba et al. | Ransomware attacks on remote learning systems in 21st century: A survey | |
| Lei et al. | Self-recovery Service Securing Edge Server in IoT Network against Ransomware Attack. | |
| Najafi et al. | NLP-based Entity Behavior Analytics for Malware Detection | |
| KR102471731B1 (en) | A method of managing network security for users |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |