CN113486339A - Data processing method, device, equipment and machine-readable storage medium - Google Patents


Info

Publication number: CN113486339A
Authority: CN (China)
Prior art keywords: attack, attack source, source, safety alarm, group
Legal status: Pending
Application number: CN202110724389.4A
Other languages: Chinese (zh)
Inventor: 赵志伟
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202110724389.4A
Publication of CN113486339A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques

Abstract

The present disclosure provides a data processing method, apparatus, device and machine-readable storage medium. The method comprises: receiving a security alarm log; grouping the security alarm logs associated with the same attack source IP into one group and, for each group, calculating by a preset rule the attack features associated with the attack source IP of that group; and performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result. With this scheme, the security alarms reported by security devices are analysed according to the attack events of each attack source: the attack behaviour features of a source against a single target are extracted, the source's attack behaviour against multiple targets is then calculated and analysed to extract the source's overall attack behaviour features, the attack sources are classified on that basis by clustering, and attacker profiles are finally obtained. The method is efficient and the profiles are accurate.

Description

Data processing method, device, equipment and machine-readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a data processing method, apparatus, device, and machine-readable storage medium.
Background
Network security receives ever more attention, and boundary defence devices have become standard equipment in enterprise IT construction. Faced with a growing number of network attacks, identifying the behavioural characteristics of attackers is a subject of considerable interest in the network security industry, with research value for predicting external attacks, identifying attackers' methods, and so on.
K-means is a common clustering algorithm based on Euclidean distance; it treats two objects as more similar the closer they are to each other.
The LCS (Longest Common Subsequence) algorithm solves the problem of finding the longest subsequence common to two sequences.
DBSCAN (Density-Based Spatial Clustering of Applications with Noise) is a density-based clustering algorithm. Unlike partitioning and hierarchical clustering methods, it defines a cluster as the largest set of density-connected points, so it can divide regions of sufficiently high density into clusters and find clusters of arbitrary shape in a spatial database containing noise.
In current methods that process security alarm logs to obtain attacker profiles, the data processing is too coarse, the basis for dividing attackers into communities is insufficient, and the clustering result is poor.
Disclosure of Invention
In view of the above, the present disclosure provides a data processing method, a data processing apparatus, an electronic device and a machine-readable storage medium to solve the problem of poor attacker profiling results.
The specific technical scheme is as follows:
The present disclosure provides a data processing method applied to a security management platform, the method comprising: receiving a security alarm log; grouping the security alarm logs associated with the same attack source IP into one group and, for each group, calculating by a preset rule the attack features associated with the attack source IP of that group; and performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result.
As a technical solution, receiving a security alarm log comprises: receiving the security alarm log, normalizing it, and taking the normalized security alarm log data as the security alarm log for the subsequent steps.
As a technical solution, grouping the security alarm logs associated with the same attack source IP into one group and calculating by a preset rule the attack features associated with the attack source IP of that group comprises: acquiring an attack source IP, extracting all security alarm logs associated with that attack source IP, classifying them by attack target IP, calculating by a set method the attack sequence set for each pair of attack target IP and attack source IP, and calculating the longest common subsequence of each attack sequence set as the attack feature associated with the attack source IP.
As a technical solution, performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result comprises: dividing the attack source IPs into a plurality of communities by a specified algorithm according to their associated attack features, and taking the attack features associated with the attack source IPs of the same community as the profile of the attacker associated with that community.
The present disclosure also provides a data processing apparatus applied to a security management platform, the apparatus comprising: a log module for receiving a security alarm log; a feature module for grouping the security alarm logs associated with the same attack source IP into one group and, for each group, calculating by a preset rule the attack features associated with the attack source IP of that group; and a profile module for performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result.
As a technical solution, receiving a security alarm log comprises: receiving the security alarm log, normalizing it, and taking the normalized security alarm log data as the security alarm log for the subsequent steps.
As a technical solution, grouping the security alarm logs associated with the same attack source IP into one group and calculating by a preset rule the attack features associated with the attack source IP of that group comprises: acquiring an attack source IP, extracting all security alarm logs associated with that attack source IP, classifying them by attack target IP, calculating by a set method the attack sequence set for each pair of attack target IP and attack source IP, and calculating the longest common subsequence of each attack sequence set as the attack feature associated with the attack source IP.
As a technical solution, performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result comprises: dividing the attack source IPs into a plurality of communities by a specified algorithm according to their associated attack features, and taking the attack features associated with the attack source IPs of the same community as the profile of the attacker associated with that community.
The present disclosure also provides an electronic device including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the aforementioned data processing method.
The present disclosure also provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned data processing method.
The technical scheme provided by the disclosure brings at least the following beneficial effects:
the security alarms reported by security devices are analysed according to the attack events of each attack source; the attack behaviour features of a source against a single target are extracted, the source's attack behaviour against multiple targets is then calculated and analysed to extract the source's overall attack behaviour features, the attack sources are classified on that basis by clustering, and attacker profiles are finally obtained, efficiently and accurately.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present disclosure or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present disclosure.
FIG. 1 is a flow diagram of a data processing method in one embodiment of the present disclosure;
FIG. 2 is a block diagram of a data processing apparatus in one embodiment of the present disclosure;
FIG. 3 is a hardware configuration diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information in the embodiments of the present disclosure, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
The present disclosure provides a data processing method, a data processing apparatus, an electronic device and a machine-readable storage medium to solve the problem of poor attacker profiling results.
Specifically, the technical scheme is as follows.
In one embodiment, the present disclosure provides a data processing method applied to a security management platform, comprising: receiving a security alarm log; grouping the security alarm logs associated with the same attack source IP into one group and, for each group, calculating by a preset rule the attack features associated with the attack source IP of that group; and performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result.
Specifically, as shown in FIG. 1, the method comprises the following steps:
step S11, receiving a security alarm log;
step S12, grouping the security alarm logs associated with the same attack source IP into one group and, for each group, calculating by a preset rule the attack features associated with the attack source IP of that group;
step S13, performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result.
The security alarms reported by security devices are analysed according to the attack events of each attack source; the attack behaviour features of a source against a single target are extracted, the source's attack behaviour against multiple targets is then calculated and analysed to extract the source's overall attack behaviour features, the attack sources are classified on that basis by clustering, and attacker profiles are finally obtained, efficiently and accurately.
In one embodiment, receiving the security alarm log comprises: receiving the security alarm log, normalizing it, and taking the normalized security alarm log data as the security alarm log for the subsequent steps.
Because security devices of different manufacturers, models and versions report security alarm logs with different formats and contents, normalization is performed so that the security management platform can better understand the attack behaviour expressed by each attack event.
TABLE 1 (normalized alarm log fields; the table image is not reproduced in the text)
The output of the normalization can be as shown in Table 1. Exemplary attack types include: denial of service, scanning reconnaissance, malicious files, exploits, privilege acquisition, trace cleanup, data leakage, malicious communication, vulnerability risk, risky access, abnormal login, abnormal operation, system destruction, and others. Taking scanning reconnaissance as an example, it can be further divided into attack subtypes such as host scanning, port scanning, network topology scanning, application scanning, operating system scanning, database scanning, sensitive information leakage and other scanning. The specific classification can be set freely according to the usage scenario and requirements.
The severity level may be divided into three levels, high, medium and low, or subdivided further as required. The action performed may include blocking, releasing or other actions. The hit direction may include the request direction and the response direction.
Whether a record is attack data of an already profiled attacker can be judged directly by comparing the attack source IP, the attack destination IP and the related ports with a preset blacklist.
In one embodiment, grouping the security alarm logs associated with the same attack source IP into one group and calculating by a preset rule the attack features associated with the attack source IP of that group comprises: acquiring an attack source IP, extracting all security alarm logs associated with that attack source IP, classifying them by attack target IP, calculating by a set method the attack sequence set for each pair of attack target IP and attack source IP, and calculating the longest common subsequence of each attack sequence set as the attack feature associated with the attack source IP.
For the same attack source IP, an attack sequence is calculated for each attack destination IP by ordering its attack events, giving the attack sequence set F(i) = (<attack category 1, attack subtype 1, attack name 1>, <attack category 2, attack subtype 2, attack name 2>, <attack category 3, attack subtype 3, attack name 3>, …), where i denotes one attack target and ranges over the set of all attack targets. The longest common subsequence of the attack sequence set is then calculated with the LCS algorithm and used as the attack feature associated with the attack source IP.
In one embodiment, performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result comprises: dividing the attack source IPs into a plurality of communities by a specified algorithm according to their associated attack features, and taking the attack features associated with the attack source IPs of the same community as the profile of the attacker associated with that community.
A clustering calculation is performed on the attack features associated with the attack source IPs with the DBSCAN algorithm, dividing the attack source IPs into a plurality of communities, such as C1, C2 and C3. Attack source IPs divided into the same community are regarded as associated with the same attacker, and all attack features associated with that community are taken as that attacker's attack features, giving the attacker profile of that attacker; an attacker profile is obtained correspondingly for each attacker.
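Steps S12 and S13 as just described, in an added Python example that is not the patent's code: each source IP's per-target event sequences F(i) are folded with LCS into one attack feature, and the source IPs are then divided into communities with a minimal DBSCAN. The alarm records, their field layout, the LCS-ratio distance between features and the eps/min_samples values are constructed assumptions.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str, str]  # <attack category, attack subtype, attack name>
# Constructed sample alarm events (not real data); the (timestamp, src IP, dst IP,
# category, subtype, name) layout is an assumption modelled on Table 1 above.
SYN = ("scanning reconnaissance", "port scanning", "TCP SYN scan")
DIRSCAN = ("scanning reconnaissance", "application scanning", "web directory scan")
SQLI = ("exploits", "web application", "SQL injection attempt")
BEACON = ("malicious communication", "command and control", "beacon")
FLOOD = ("denial of service", "flood", "UDP flood")

def _alarms(src: str, dst: str, *events: Event) -> List[tuple]:  # constructed helper
    return [(t, src, dst, *ev) for t, ev in enumerate(events, 1)]

ALARMS = (
    _alarms("10.0.0.1", "192.0.2.10", SYN, SQLI, BEACON)
    + _alarms("10.0.0.1", "192.0.2.11", SYN, DIRSCAN, SQLI, BEACON)
    + _alarms("10.0.0.2", "192.0.2.20", SYN, SQLI, BEACON)  # same playbook, single target
    + _alarms("10.0.0.3", "192.0.2.30", FLOOD) + _alarms("10.0.0.3", "192.0.2.31", FLOOD)
)

def attack_sequences(alarms: List[tuple], src_ip: str) -> Dict[str, List[Event]]:
    """Step S12, part 1: the time-ordered attack sequence F(i) of src_ip for each target i."""
    by_dst: Dict[str, List[Tuple[int, Event]]] = defaultdict(list)
    for ts, src, dst, cat, sub, name in alarms:
        if src == src_ip:
            by_dst[dst].append((ts, (cat, sub, name)))
    return {dst: [ev for _, ev in sorted(evs)] for dst, evs in by_dst.items()}

def lcs(a, b):
    """Longest common subsequence of two sequences by dynamic programming."""
    m, n = len(a), len(b)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            dp[i + 1][j + 1] = dp[i][j] + 1 if a[i] == b[j] else max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = [], m, n
    while i and j:  # walk back through the table to recover one LCS
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]

def attack_feature(alarms: List[tuple], src_ip: str) -> Tuple[Event, ...]:
    """Step S12, part 2: fold LCS over all per-target sequences of one source IP."""
    seqs = list(attack_sequences(alarms, src_ip).values())
    feature = seqs[0]
    for seq in seqs[1:]:
        feature = lcs(feature, seq)
    return tuple(feature)

def dbscan(points: List[str], dist: Callable[[str, str], float], eps: float, min_samples: int) -> Dict[str, int]:
    """Minimal DBSCAN over a distance function; label -1 marks noise."""
    labels: Dict[str, int] = {}
    cluster = 0
    for p in points:
        if p in labels:
            continue
        neighbours = [q for q in points if dist(p, q) <= eps]
        if len(neighbours) < min_samples:
            labels[p] = -1  # noise for now; may become a border point later
            continue
        labels[p] = cluster
        seeds = [q for q in neighbours if q != p]
        while seeds:
            q = seeds.pop()
            if labels.get(q) == -1:
                labels[q] = cluster  # border point reached from a core point
            if q in labels:
                continue
            labels[q] = cluster
            q_neighbours = [r for r in points if dist(q, r) <= eps]
            if len(q_neighbours) >= min_samples:  # q is a core point: keep expanding
                seeds.extend(q_neighbours)
        cluster += 1
    return labels

def attacker_profiles(alarms: List[tuple], eps: float = 0.5, min_samples: int = 2) -> Dict[int, dict]:
    """Step S13: cluster source IPs by attack feature; one community is one attacker profile."""
    sources = sorted({a[1] for a in alarms})
    features = {s: attack_feature(alarms, s) for s in sources}
    def dist(x: str, y: str) -> float:
        # Assumed distance (not from the patent): 1 minus LCS length over the longer feature.
        longest = max(len(features[x]), len(features[y]))
        return 0.0 if longest == 0 else 1.0 - len(lcs(features[x], features[y])) / longest
    labels = dbscan(sources, dist, eps, min_samples)
    profiles: Dict[int, dict] = defaultdict(lambda: {"sources": [], "features": set()})
    for src in sources:
        profiles[labels[src]]["sources"].append(src)
        profiles[labels[src]]["features"].add(features[src])  # all features of the community
    return dict(profiles)

if __name__ == "__main__":
    print(attacker_profiles(ALARMS))  # community 0 = {10.0.0.1, 10.0.0.2}; 10.0.0.3 is noise (-1)
```

The DIRSCAN event that appears against only one of 10.0.0.1's targets drops out of the folded feature, which is what lets 10.0.0.1 and 10.0.0.2 land in the same community.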
In an embodiment, the present disclosure also provides a data processing apparatus, as shown in FIG. 2, applied to a security management platform, the apparatus comprising: a log module 21 for receiving a security alarm log; a feature module 22 for grouping the security alarm logs associated with the same attack source IP into one group and, for each group, calculating by a preset rule the attack features associated with the attack source IP of that group; and a profile module 23 for performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result.
In one embodiment, receiving the security alarm log comprises: receiving the security alarm log, normalizing it, and taking the normalized security alarm log data as the security alarm log for the subsequent steps.
In one embodiment, grouping the security alarm logs associated with the same attack source IP into one group and calculating by a preset rule the attack features associated with the attack source IP of that group comprises: acquiring an attack source IP, extracting all security alarm logs associated with that attack source IP, classifying them by attack target IP, calculating by a set method the attack sequence set for each pair of attack target IP and attack source IP, and calculating the longest common subsequence of each attack sequence set as the attack feature associated with the attack source IP.
In one embodiment, performing a clustering calculation on the attack features associated with each attack source IP and obtaining attacker profiles from the calculation result comprises: dividing the attack source IPs into a plurality of communities by a specified algorithm according to their associated attack features, and taking the attack features associated with the attack source IPs of the same community as the profile of the attacker associated with that community.
The device embodiments are the same or similar to the corresponding method embodiments and are not described herein again.
In an embodiment, the present disclosure provides an electronic device comprising a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor executes the machine-executable instructions to implement the foregoing data processing method; at the hardware level, a schematic diagram of the hardware architecture may be as shown in FIG. 3.
In one embodiment, the present disclosure provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned data processing method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disc, a DVD, etc.), or a similar storage medium, or a combination thereof.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in practicing the disclosure.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include, but is not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an embodiment of the present disclosure, and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the scope of the claims of the present disclosure.

Claims (10)

1. A data processing method is applied to a security management platform, and comprises the following steps:
receiving a safety alarm log;
grouping the safety alarm logs related to the same attack source IP into a group, and respectively calculating the attack characteristics related to the attack source IP related to the group of safety alarm logs according to the same group of safety alarm logs by a preset rule;
and performing clustering calculation according to the attack characteristics associated with the IP of each attack source, and acquiring the image of the attacker according to the calculation result.
2. The method of claim 1, wherein receiving the security alert log comprises:
and receiving the safety alarm log, carrying out normalization processing on the safety alarm log, and acquiring safety alarm log data after the normalization processing as the safety alarm log of the next step.
3. The method according to claim 1, wherein the grouping the security alarm logs associated with the same attack source IP into a group, and calculating the attack features associated with the attack source IP associated with the group of security alarm logs according to the security alarm logs of the same group by using a preset rule respectively comprises:
acquiring an attack source IP, extracting all security alarm logs associated with that attack source IP, classifying those security alarm logs by attack target IP, computing by a set method the attack sequence sets associated with the same attack target IP and the same attack source IP, and computing the longest common subsequence of each attack sequence set as the attack feature associated with the attack source IP.
4. The method according to claim 1, wherein performing the clustering computation according to the attack features associated with each attack source IP and obtaining the attacker profile from the computation result comprises:
dividing the attack source IPs into a plurality of communities by a specified algorithm according to the attack features associated with the attack source IPs, and taking the attack features associated with the attack source IPs of the same community as the profile of the attacker associated with that community.
5. A data processing apparatus, applied to a security management platform, the apparatus comprising:
a log module, configured to receive security alarm logs;
a feature module, configured to group the security alarm logs associated with the same attack source IP into one group and, for each group, to compute by a preset rule the attack features associated with that group's attack source IP from the group's security alarm logs;
and a profiling module, configured to perform a clustering computation according to the attack features associated with each attack source IP and to obtain the attacker profile from the computation result.
6. The apparatus of claim 5, wherein receiving the security alarm logs comprises:
receiving the security alarm logs, normalizing them, and taking the normalized security alarm log data as the security alarm logs for the next step.
7. The apparatus according to claim 5, wherein grouping the security alarm logs associated with the same attack source IP into one group and computing, for each group, by a preset rule the attack features associated with that group's attack source IP from the group's security alarm logs comprises:
acquiring an attack source IP, extracting all security alarm logs associated with that attack source IP, classifying those security alarm logs by attack target IP, computing by a set method the attack sequence sets associated with the same attack target IP and the same attack source IP, and computing the longest common subsequence of each attack sequence set as the attack feature associated with the attack source IP.
8. The apparatus of claim 5, wherein performing the clustering computation according to the attack features associated with each attack source IP and obtaining the attacker profile from the computation result comprises:
dividing the attack source IPs into a plurality of communities by a specified algorithm according to the attack features associated with the attack source IPs, and taking the attack features associated with the attack source IPs of the same community as the profile of the attacker associated with that community.
9. An electronic device, comprising a processor and a machine-readable storage medium storing machine-executable instructions that the processor executes to perform the method of any one of claims 1 to 4.
10. A machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any one of claims 1 to 4.
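The claims above fix the pipeline (group alarms by attack source IP, split each group by target IP, take the longest common subsequence of the per-target attack sequences as that source's attack feature, then cluster sources into communities) but name no clustering algorithm. The Python below is an added illustration, not the patent's or the applicant's code: the alarm records are constructed, and the community step is an assumed Jaccard-similarity graph with connected components standing in for the unspecified "specified algorithm".

```python
from collections import defaultdict
from functools import lru_cache
from itertools import combinations

# Constructed, already-normalized alarm records: (timestamp, source IP, target IP, attack type).
ALARMS = [(t, s, d, k) for s, d, kinds in [
    ("10.0.0.5", "192.168.1.10", ["port_scan", "brute_force", "webshell_upload"]),
    ("10.0.0.5", "192.168.1.20", ["port_scan", "sqli", "brute_force", "webshell_upload"]),
    ("10.0.0.9", "192.168.1.30", ["port_scan", "brute_force", "webshell_upload"]),
    ("10.0.0.7", "192.168.1.10", ["dns_tunnel", "c2_beacon"]),
] for t, k in enumerate(kinds, 1)]

def attack_sequences(alarms):
    """Group alarms by source IP, then by target IP; each (source, target) group ordered by time is one attack sequence."""
    by_src = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, kind in alarms:
        by_src[src][dst].append((ts, kind))
    return {src: [tuple(k for _, k in sorted(g)) for g in dsts.values()] for src, dsts in by_src.items()}

def lcs(seqs):
    """Exact longest common subsequence of all given sequences (DP with one index per sequence)."""
    seqs = tuple(seqs)
    @lru_cache(maxsize=None)
    def go(idx):
        if any(i >= len(s) for i, s in zip(idx, seqs)):
            return ()
        if len({s[i] for i, s in zip(idx, seqs)}) == 1:  # every head matches: take it
            return (seqs[0][idx[0]],) + go(tuple(i + 1 for i in idx))
        options = (go(idx[:k] + (idx[k] + 1,) + idx[k + 1:]) for k in range(len(seqs)))
        return max(options, key=len)  # otherwise advance one sequence and keep the best
    return go((0,) * len(seqs))

def communities(features, threshold=0.5):
    """Assumed clustering (the claims name none): link sources whose feature sets have Jaccard >= threshold; components are communities."""
    ips, parent = sorted(features), {}
    def find(x):
        return x if parent.get(x, x) == x else find(parent[x])
    for a, b in combinations(ips, 2):
        sa, sb = set(features[a]), set(features[b])
        if sa and sb and len(sa & sb) / len(sa | sb) >= threshold:
            parent[find(a)] = find(b)  # union the two components
    groups = defaultdict(list)
    for ip in ips:
        groups[find(ip)].append(ip)
    return sorted(groups.values())

def attacker_profiles(alarms, threshold=0.5):
    """A community's profile is the set of attack features (LCS per source) of its member source IPs."""
    feats = {s: lcs(q) for s, q in attack_sequences(alarms).items()}
    return [(comm, sorted({feats[ip] for ip in comm})) for comm in communities(feats, threshold)]
```

Here 10.0.0.5 and 10.0.0.9 share the feature (port_scan, brute_force, webshell_upload) even though 10.0.0.5 inserted an extra step against one target, so they land in one community, while 10.0.0.7 forms its own.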
CN202110724389.4A 2021-06-29 2021-06-29 Data processing method, device, equipment and machine-readable storage medium Pending CN113486339A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110724389.4A CN113486339A (en) 2021-06-29 2021-06-29 Data processing method, device, equipment and machine-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110724389.4A CN113486339A (en) 2021-06-29 2021-06-29 Data processing method, device, equipment and machine-readable storage medium

Publications (1)

Publication Number Publication Date
CN113486339A true CN113486339A (en) 2021-10-08

Family

ID=77936490

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110724389.4A Pending CN113486339A (en) 2021-06-29 2021-06-29 Data processing method, device, equipment and machine-readable storage medium

Country Status (1)

Country Link
CN (1) CN113486339A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113938301A (en) * 2021-10-12 2022-01-14 中国电信股份有限公司 Method, device and storage medium for generating operation and maintenance strategy for network attack
CN113938301B (en) * 2021-10-12 2024-01-30 中国电信股份有限公司 Method, device and storage medium for generating operation and maintenance strategy for network attack
CN114143096A (en) * 2021-12-02 2022-03-04 北京神州新桥科技有限公司 Security policy configuration method, device, equipment, storage medium and program product
CN114244617A (en) * 2021-12-22 2022-03-25 深信服科技股份有限公司 Method, device and computer readable storage medium for preventing illegal attack behaviors
CN114553500A (en) * 2022-01-28 2022-05-27 新华三信息安全技术有限公司 Safety operation management method, device, equipment and machine readable storage medium
CN115001753A (en) * 2022-05-11 2022-09-02 绿盟科技集团股份有限公司 Method and device for analyzing associated alarm, electronic equipment and storage medium
CN115001753B (en) * 2022-05-11 2023-06-09 绿盟科技集团股份有限公司 Method and device for analyzing associated alarms, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN113486339A (en) Data processing method, device, equipment and machine-readable storage medium
CN111565205B (en) Network attack identification method and device, computer equipment and storage medium
EP3507960B1 (en) Clustering approach for detecting ddos botnets on the cloud from ipfix data
CN110809010B (en) Threat information processing method, device, electronic equipment and medium
US9900335B2 (en) Systems and methods for prioritizing indicators of compromise
US20060206935A1 (en) Apparatus and method for adaptively preventing attacks
US10104112B2 (en) Rating threat submitter
CN113328985B (en) Passive Internet of things equipment identification method, system, medium and equipment
CN114598512B (en) Network security guarantee method and device based on honeypot and terminal equipment
WO2016014014A1 (en) Remedial action for release of threat data
CN112995236B (en) Internet of things equipment safety management and control method, device and system
Moia et al. Similarity digest search: A survey and comparative analysis of strategies to perform known file filtering using approximate matching
Ahmed Thwarting dos attacks: A framework for detection based on collective anomalies and clustering
Usha et al. Detection and classification of distributed DoS attacks using machine learning
CN111709022A (en) Hybrid alarm association method based on AP clustering and causal relationship
US11423099B2 (en) Classification apparatus, classification method, and classification program
CN111064719A (en) Method and device for detecting abnormal downloading behavior of file
CN117061254B (en) Abnormal flow detection method, device and computer equipment
CN117294497A (en) Network traffic abnormality detection method and device, electronic equipment and storage medium
CN111191683A (en) Network security situation assessment method based on random forest and Bayesian network
US20150163183A1 (en) System and method for spam filtering using insignificant shingles
CN114205146B (en) Processing method and device for multi-source heterogeneous security log
CN113645286B (en) Data leakage-oriented Web security event evidence obtaining method and system
CN112560085B (en) Privacy protection method and device for business prediction model
CN112491820B (en) Abnormity detection method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination