CN114143109A - Visual processing method, interaction method and device for attack data - Google Patents
Visual processing method, interaction method and device for attack data Download PDFInfo
- Publication number
- CN114143109A CN114143109A CN202111490368.7A CN202111490368A CN114143109A CN 114143109 A CN114143109 A CN 114143109A CN 202111490368 A CN202111490368 A CN 202111490368A CN 114143109 A CN114143109 A CN 114143109A
- Authority
- CN
- China
- Prior art keywords
- attack
- node
- subgraph
- nodes
- layout
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 49
- 230000003993 interaction Effects 0.000 title claims abstract description 25
- 230000000007 visual effect Effects 0.000 title claims abstract description 20
- 238000003672 processing method Methods 0.000 title claims abstract description 10
- 238000010586 diagram Methods 0.000 claims abstract description 29
- 238000012545 processing Methods 0.000 claims abstract description 23
- 230000002452 interceptive effect Effects 0.000 claims description 27
- 238000011144 upstream manufacturing Methods 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 12
- 238000012856 packing Methods 0.000 claims description 7
- 238000012800 visualization Methods 0.000 claims description 7
- 238000006243 chemical reaction Methods 0.000 claims description 5
- 230000003252 repetitive effect Effects 0.000 claims description 4
- 238000004458 analytical method Methods 0.000 abstract description 12
- 239000011159 matrix material Substances 0.000 description 9
- 238000004891 communication Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 7
- 230000006870 function Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 2
- 238000009877 rendering Methods 0.000 description 2
- 239000003086 colorant Substances 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 125000001475 halogen functional group Chemical group 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/22—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Human Computer Interaction (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a visual processing method, an interaction method and a device of attack data, wherein the visual processing method of the attack data comprises the following steps: converting the attack data to be processed into graph data of an attack network; classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification; based on the attack relation among the nodes in each subgraph, carrying out intra-subgraph layout on the nodes in each subgraph; and (4) performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing. According to the scheme, the obtained layout diagram of the attack network not only can show the attack relationship among the nodes under the same classification, but also can show the attack relationship among different classifications, so that an analyst can quickly acquire effective information from the shown attack network, and further the analysis efficiency is improved.
Description
Technical Field
The embodiment of the invention relates to the technical field of data processing, in particular to a visual processing method, an interaction method and a device for attack data.
Background
In recent years, with the development of network technology, network attack events are increasing. Network security personnel generally analyze the association relationship between network attack events by using a visual attack network.
In the prior art, a force guiding algorithm is generally directly adopted to visually process an attack network. However, the visual attack network obtained in the prior art can only show the connection relationship between nodes, and if an analyst needs to analyze the attack relationship of the attack network, the analyst also needs to perform secondary manual layout adjustment, which not only increases the workload, but also affects the analysis efficiency.
Disclosure of Invention
Based on the problems that the workload of an analyst is increased and the analysis efficiency is affected by the existing visualization processing method, the embodiment of the invention provides a visualization processing method, an interaction method and a device for attacking a network, which can intuitively show an attack relation expressed by attack data so as to improve the analysis efficiency of the analyst.
In a first aspect, an embodiment of the present invention provides a method for visualizing attack data, where the method includes:
converting the attack data to be processed into graph data of an attack network;
classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
based on the attack relation among the nodes in each subgraph, carrying out intra-subgraph layout on the nodes in each subgraph;
and (4) performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing.
Preferably, the converting the attack data to be processed into the graph data of the attack network includes:
extracting an attacking party IP, an attacked party IP and an attack type in each attack data;
determining each extracted non-repetitive IP as a node in the graph data, determining a connecting line in the graph data aiming at each attack data, determining an attack type in each attack data as a type of a corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line;
the classifying the nodes in the attack network according to the graph data includes: nodes of the same type are classified into the same category.
Preferably, the determining the type of each node according to the type of the connection line of each node includes:
when the types of each connecting line directly connected with the node are the same, determining the type of each connecting line directly connected with the node as the type of the node; otherwise, the type of the node is determined as the specified type.
Preferably, the performing inter-sub-graph layout on each sub-graph as a whole respectively includes:
and taking the subgraph corresponding to the specified type as a center, and arranging the subgraphs corresponding to other types around the center in a surrounding way.
Preferably, performing intra-subgraph layout on nodes in the subgraph includes:
determining a connected component in the subgraph according to the attack relation among the nodes in the subgraph;
aiming at each connected component, carrying out three-dimensional layout on nodes in the connected components;
and respectively carrying out front chain packing layout on all connected components in the subgraph as a whole.
Preferably, the three-dimensional layout of the nodes in the connected components includes:
performing hierarchical configuration on each node in the connected component;
performing two-dimensional horizontal layout on the nodes of each level to obtain two-dimensional coordinates of each node on each level;
and determining the vertical height of each level, and determining the vertical height as the vertical height of each node on the corresponding level to obtain the three-dimensional coordinate of the layout of each node in the connected component in the subgraph.
Preferably, the performing the hierarchical configuration on each node in the connected component includes:
determining an attack target node which only serves as an attacked party and currently exists in the connected component, and configuring the hierarchy of the determined attack target node as an initial hierarchy;
deleting the node subjected to the hierarchical configuration and the connecting line directly connected with the node, determining whether an attack target node only serving as an attacked party exists in the connected component, if so, configuring the hierarchy of the determined attack target node as the next hierarchy level of the last configured hierarchy level, and repeatedly executing the deleting step;
if not, determining whether an intermediate node which is used as both an attacker and an attacked exists in the connected component, if so, configuring the hierarchy of the intermediate node as the next hierarchy level of the last configured hierarchy level, and configuring the hierarchy of the attack source node which is only used as the attacker as the next hierarchy level of the hierarchy of the intermediate node; otherwise, the hierarchy of the attack source node which is only an attacker is configured as a hierarchy level next to the last configured hierarchy level.
In a second aspect, an embodiment of the present invention provides an interaction method, including:
displaying a layout of the attack network obtained based on any one of the methods;
when an interactive instruction for a target node in the attack network is received, determining characteristic information related to the target node in the attack network according to the interactive instruction;
and performing characteristic display on the characteristic information.
Preferably, the interactive instruction is used to obtain information of the target node, and the characteristic information is an IP of the target node; or the like, or, alternatively,
the interactive instruction is used for acquiring relationship information of the target node, and the characteristic information includes: a connection directly connected to the target node, and an adjacent upstream node attacking the target node, an adjacent downstream node being attacked by the target node; or the like, or, alternatively,
the interactive instruction is used for acquiring an attack link related to the target node, and the characteristic information comprises: an attack link containing the target node; one end of the attack link is a node only serving as an attacker, and the other end of the attack link is a node only serving as an attacked.
In a third aspect, an embodiment of the present invention provides a visualized processing apparatus for attack data, including:
the graph data conversion unit is used for converting the attack data to be processed into the graph data of the attack network;
the classification unit is used for classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
the layout unit is used for carrying out intra-subgraph layout on the nodes in each subgraph based on the attack relation among the nodes in each subgraph; and performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing.
In a fourth aspect, an embodiment of the present invention provides an interaction apparatus, including:
the display unit is used for displaying a layout diagram of the attack network obtained by the visual processing device based on the attack data;
and the interactive processing unit is used for determining the characteristic information related to the target node in the attack network according to the interactive instruction and displaying the characteristic information when the interactive instruction to the target node in the attack network is received.
In a fifth aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor, when executing the computer program, implements the method described in any embodiment of this specification.
In a sixth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
The embodiment of the invention provides a visual processing method, an interaction method and a device of attack data, wherein the attack data is converted into graph data of an attack network, then the graph data is used for classifying nodes in the attack network, so that each node in each classification corresponds to a sub-graph, and as the attack relationship exists among the nodes in each sub-graph, the intra-graph layout can be carried out on each sub-graph based on the attack relationship so as to embody the attack relationship among the nodes in the sub-graph; in addition, because attack relations also exist among subgraphs, the subgraphs are respectively taken as a whole to be further subjected to layout among the subgraphs so as to embody the attack relations among the subgraphs. Therefore, the obtained layout diagram of the attack network can show the attack relationship among the nodes under the same classification and can also show the attack relationship among different classifications, so that an analyst can quickly acquire effective information from the shown attack network, and the analysis efficiency is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a method for visualizing attack data according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a matrix arrangement according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an inter-sub-map layout according to an embodiment of the present invention;
FIG. 4 is a flowchart of an interaction method according to an embodiment of the present invention;
fig. 5 is a structural diagram of a visualization processing apparatus for attack data according to an embodiment of the present invention;
fig. 6 is a structural diagram of an interactive apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As described above, in the prior art, the attack network is generally visualized directly by using the force-oriented algorithm. However, the visual attack network obtained in the prior art can only show the connection relationship between nodes, and cannot visually show the attack relationship information expressed by the attack data, so that an analyst needs to analyze the attack relationship of the attack network and perform secondary manual layout adjustment, which not only increases workload, but also affects analysis efficiency. The nodes in the attack network can be visually processed according to the analysis result of the attack network, and the attack relationship can be visually displayed on the layout diagram of the attack network obtained after processing, so that an analyst can quickly obtain effective information in the layout diagram of the attack network.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for visualizing processing attack data, where the method includes:
102, classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
104, performing intra-subgraph layout on the nodes in each subgraph based on the attack relationship among the nodes in each subgraph;
and 106, performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing.
In the embodiment of the invention, the attack data is converted into the graph data of the attack network, and then the nodes in the attack network are classified by utilizing the graph data, so that the nodes in each classification correspond to one sub-graph; in addition, because attack relations also exist among subgraphs, the subgraphs are respectively taken as a whole to be further subjected to layout among the subgraphs so as to embody the attack relations among the subgraphs. Therefore, the obtained layout diagram of the attack network can show the attack relationship among the nodes under the same classification and can also show the attack relationship among different classifications, so that an analyst can quickly acquire effective information from the shown attack network, and the analysis efficiency is improved.
The manner in which the various steps shown in fig. 1 are performed is described below.
First, with respect to step 100, the attack data to be processed is converted into graph data of the attack network.
The attack data is a piece of structural data, and in order to realize that the attack data can be visualized, the attack data can be converted into graph data of an attack network.
In one embodiment of the present invention, the data conversion may be performed as follows: extracting an attacking party IP, an attacked party IP and an attack type in each attack data; determining each extracted non-repetitive IP as a node in the graph data, determining a connecting line in the graph data aiming at each attack data, determining an attack type in each attack data as a type of a corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line.
In one embodiment of the invention, the attack type of the attack data can be positioned according to the analysis requirement. For example, the number of the attack group to which the attack party belongs is determined as the attack type of the attack data, so that when the attack network is analyzed subsequently, the attack characteristics initiated by different attack groups can be analyzed respectively. For another example, the attack level related to the attack data is determined as the attack type, so that when the attack network is analyzed subsequently, the attack characteristics corresponding to the attack events with different attack levels can be analyzed.
This embodiment takes the number of the attack group to which the attacker belongs as an example of the attack type. May be numbered with A, B, C.
In the embodiment of the present invention, the graph data at least includes: all node information and all connection information of the attack network. Each IP in all attack data corresponds to a node, and each attack data corresponds to a connecting line.
Each node information may include the following:
IP: the unique identification of the node is an IP appearing in the attack data;
type: the type of the node can be determined according to the type of the connecting line;
links: a set of wires of a node, i.e. a set of wires directly connected to the node.
The information for each connection may include the following:
source: the source node of the connection corresponds to an attacker IP of the attack data;
target: the connected target node corresponds to the attacked IP of the attack data;
type: the type of the connection line corresponds to the attack type of the attack data.
In an embodiment of the present invention, when determining the node type according to the type of the connection line, the node type may be determined by one of the following methods: when the types of each connecting line directly connected with the node are the same, determining the type of each connecting line directly connected with the node as the type of the node; otherwise, the type of the node is determined as the specified type.
For example, if all the types of the wires in the wire set of the node are of the A clique class, the node is also of the A clique class. Otherwise, the type of the node is determined as the specified type.
Wherein, the specified type can be the same type or different types for different nodes. According to the attack characteristics, as an attacked party, a situation that the attacked party is attacked by a plurality of attacking parties may exist, and most of the attacking parties belong to the same attack group, that is, the situations that different types of connection types directly connected with nodes exist are few, so that the nodes of the connection types which have different types of situations can be determined to be the same type, and thus, during layout, the nodes can be arranged as a whole, and the attack characteristics can be displayed. Namely, in the embodiment of the present invention, the designated type is the same type.
In addition, it should be noted that the designated type is a type different from the type of the connection line in the graph data. For example, the specified type is a center class. Therefore, the method can be distinguished from the attack groups to which the method belongs, and further intuitively shows the association relationship between the center class and other types.
It should be noted that, in addition to the above determination method, the node type may also use other methods, for example, a type with the same type and the largest number of links in the link set of the node is determined as the node type.
Then, aiming at step 102, the nodes in the attack network are classified according to the graph data, and a subgraph formed by the nodes under each classification is obtained.
When the nodes in the attack network are classified, the nodes can be classified according to the incidence relation of the nodes. In one embodiment, the nodes in the attack network are classified according to node types, that is, the nodes of the same type are classified into the same classification. For example, the following classifications are obtained after the division: group A, group B, group C, group D, group E and center.
Since each classification includes several nodes, the nodes under each classification form a corresponding subgraph.
Next, with respect to step 104, the nodes in each subgraph are laid out in the subgraph based on the attack relationship between the nodes in each subgraph.
For each subgraph, the layout mode in the subgraph can adopt the same mode or different modes. The present embodiment preferably adopts the same layout mode to layout each sub-graph, so that the overall layout of all nodes of the attack network is more hierarchical, and the layout is more harmonious and beautiful. The layout in the sub-graph is described below by taking one of the sub-graphs as an example.
Firstly, analyzing the nodes in the subgraph, and according to the difference between an attacker and an attacked, classifying the nodes in the subgraph into the following three classes: the first type is an attack source node which is only an attacker; the second type is an attack target node which is only an attacked party; the third type is an intermediate node that acts as both an attacker and an attacker.
Then, the intra-sub-graph layout is carried out according to the following steps S1-S3 for the sub-graph:
s1: and determining connected components in the subgraph according to the attack relation among the nodes in the subgraph.
Since not all nodes included in a subgraph may be connected, at least one connected component may be included in a subgraph. Any two nodes in the connected components can be connected through a connecting line.
S2: and aiming at each connected component, carrying out three-dimensional layout on nodes in the connected components.
Specifically, in one embodiment of the present invention, the following (S21-S23) three-dimensional layout may be performed for the nodes within the connected components:
s21: and carrying out hierarchical configuration on each node in the connected component.
In an embodiment of the present invention, the step S21 may be configured in the following layers:
s211: and determining the attack target node which only serves as an attacked party and currently exists in the subgraph, and configuring the determined level of the attack target node as an initial level. For example, the initial level is 0.
S212: and deleting the nodes subjected to the hierarchical configuration and the connecting lines directly connected with the nodes.
S213: determining whether an attack target node only serving as an attacked party exists in the subgraph, if so, configuring the hierarchy of the determined attack target node as the next hierarchy level of the last configured hierarchy level, and repeatedly executing the steps S212-S213; if not, go to step S214.
S214: determining whether an intermediate node which is used as both an attacker and an attacked exists in the subgraph, if so, configuring the hierarchy of the intermediate node as the next hierarchy level of the last configured hierarchy level, and configuring the hierarchy of an attack source node which is only used as the attacker as the next hierarchy level of the hierarchy of the intermediate node; otherwise, the hierarchy of the attack source node which is only an attacker is configured as a hierarchy level next to the last configured hierarchy level.
After S214 is completed, the configuration of the hierarchy of all the nodes in the subgraph is completed, and the nodes in the same hierarchy level are determined to be the same hierarchy.
Each time a hierarchical level is configured for a node, the last configured hierarchical level +1 may be determined as the hierarchical level of the current configuration. As can be seen, the hierarchy levels of the nodes within the subgraph are 0, 1, 2, 3 … …, respectively.
When the attack target node, the attack source node and the intermediate node are determined in the steps, the determination is performed through the node information and the connection information.
S22: and carrying out two-dimensional horizontal layout on the nodes of each level to obtain the two-dimensional coordinates of each node on each level.
Since nodes of the same hierarchy level are located in the same hierarchy, two-dimensional horizontal layout can be performed for nodes in the same hierarchy. In an embodiment of the present invention, the nodes of each level may be laid out horizontally in a matrix layout manner.
Specifically, the rows and columns of the matrix are calculated according to the number of all nodes of the layer, and then the matrix is regularly arranged at set node intervals. Referring to fig. 2, a schematic diagram of a matrix arrangement is shown, in which each rectangular point is a node. In addition, in the matrix layout arrangement, the matrix layout may be performed with the origin (0,0) as the center. In this way, two-dimensional coordinates of each node within the layer may be obtained.
In an embodiment of the present invention, before performing matrix layout, all nodes on the layer may also be sorted by IP size, and then matrix layout is performed according to the order of the sorted nodes, so that nodes in the same IP segment are distributed at adjacent positions in the region. Therefore, when the attack analysis is carried out on the layout diagram of the attack network, the attack conditions in different IP sections can be analyzed.
S23: and determining the vertical height of each level, and determining the vertical height as the vertical height of each node on the corresponding level to obtain the three-dimensional coordinate of the layout of each node in the connected component in the subgraph.
In one embodiment of the present invention, the product of the level number of the node and the set height may be determined as the level height.
S3: and respectively carrying out front chain packing layout on all connected components in the subgraph as a whole.
Specifically, in step S3, for each connected component, the layout radius of each level in the connected component may be calculated, and then the maximum layout radius of the level in the connected component is determined as the layout radius of the connected component. And then, taking each communication component as a whole, wherein the radius corresponding to the whole is the radius of the communication component, calculating the radius of a packing circle corresponding to each communication component after layout in the subgraph according to a front chain packing layout algorithm, and determining the radius of the packing circle as the layout radius of the subgraph.
In the above, the intra-subgraph layout of the nodes in each subgraph is completed.
And finally, aiming at the step 106, performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing.
In this step 106, the layout between sub-graphs can be performed on each sub-graph with reference to the layout manner of the connected components in the sub-graph in step 104.
In an embodiment of the present invention, before performing the inter-sub-graph layout, the relationship between the sub-graphs may be analyzed as follows: for each subgraph, the nodes within the subgraph are divided into an outer connection class and an inner connection class. Aiming at the current subgraph, if one node in the current subgraph has a connection relation with nodes in other subgraphs, the node in the current subgraph is an external connection class; otherwise it is of the interconnect type. It is understood that each node within the hub class is an outer connection class.
The analysis results can be obtained as follows: except the central class, if other group classes have nodes of the external connection class in each subgraph, the nodes of the external connection class in the other group classes are all connected with the nodes in the central class. Therefore, in the embodiment of the present invention, when performing inter-sub-graph layout, the sub-graphs corresponding to the specified type may be used as a center, and sub-graphs corresponding to other types are arranged around the center. Therefore, the connection relation can be clearer, the intersection of the connecting lines is reduced, and the neatness of a display interface in a layout diagram is improved. Please refer to fig. 3, which is a schematic diagram of inter-sub-graph layout.
When the sub-graphs corresponding to other types are arranged around the center in a surrounding manner, the angles of corresponding proportions can be distributed to the sub-graphs according to the radius of each sub-graph so as to carry out the surrounding arrangement.
Further, since the node positions in the connected components in the subgraph are determined according to the three-dimensional coordinates, after the layout positions of the subgraphs are determined, the original three-dimensional coordinates of the nodes are also required to be adjusted, but the relative position relationship between the nodes is not changed.
Further, layout adjustment needs to be performed on all connected components under all subgraphs together. The adjustment mode may include: the nodes under the connected component are divided into an externally connected component and an internally connected component according to whether the nodes under the connected component contain the externally connected node or not, and all the nodes under the special central subgraph are externally connected components. And then, according to the connection relation of the external connection nodes in all the external communication components, converting the connection relations into the connection relation among the external communication components, wherein repeated connection is not calculated. And finally, adjusting the force guiding layout according to all the connected component nodes.
Wherein the force guide layout adjustment process may include: 1, limiting nodes in connected components under each subgraph in a node layout range of the subgraph; 2, mutually calculating repulsive force among all connected components under the same subgraph; and 3, calculating the tension between the connected communication components.
Further, after the positions of all the connected component nodes are adjusted, the positions of the nodes of each layer under the connected components are adjusted, namely the matrix center of each layer of nodes is moved to the center of the connected component node.
And determining the final three-dimensional coordinates of all nodes in the attack network, and laying out according to the three-dimensional coordinates of each system to obtain a three-dimensional layout diagram of the attack network after visualization processing.
In an embodiment of the present invention, rendering may be performed on a display interface of the three-dimensional layout diagram, and during the rendering, different types of nodes and connecting lines may be distinguished according to different colors.
Referring to fig. 4, an embodiment of the present invention further provides an interaction method, including:
And step 404, performing characteristic display on the characteristic information.
In the embodiment of the invention, the attack relationship among the nodes under the same classification and the attack relationship among different classifications can be displayed by utilizing the layout diagram of the attack network obtained by the embodiment, so that an analyst can quickly acquire effective information from the displayed attack network, and in the interaction process, after characteristic information is determined according to an interaction instruction, the analyst can be facilitated to quickly acquire an analysis result through characteristic display.
Step 402 and step 404 are explained below.
During interaction, different interaction instructions can be generated for different interaction modes, and the interaction modes at least include the following modes:
first, when the mouse is detected to move to the target node, the generated interactive instruction may be to acquire the self-information of the target node. Then the characteristic information associated with the target node is the IP of the target node, and the response to the interactive instruction at this time is: and displaying the IP of the target node on the target node to realize characteristic display.
Secondly, when it is detected that the target node is clicked by the left mouse button, the generated interaction instruction may be used to obtain the relationship information of the target node. Then the characteristic information associated with the target node may include: a connection directly connected to the target node, and an adjacent upstream node attacking the target node, an adjacent downstream node being attacked by the target node. The response to the interactive instruction at this time is: and performing characteristic display on a connecting line directly connected with the target node, an adjacent upstream node attacking the target node and an adjacent downstream node attacked by the target node in the layout diagram. The feature display may be a highlight and/or a distinction made with an outer ring halo of a different color.
When determining the adjacent upstream node and the adjacent downstream node, the determination can be performed by using the attack and attacked relationship between the nodes.
Thirdly, when a double click of a left mouse button on a target node is detected, the generated interactive instruction can be used for acquiring an attack link related to the target node. Then the characteristic information associated with the target node may include: an attack link containing a target node; one end of the attack link is a node only serving as an attacker, and the other end of the attack link is a node only serving as an attacked. The response to the interactive instruction at this time is: and displaying all the nodes and the connecting lines on the attack link containing the target node. Similarly, the feature display may be a highlight display.
In an embodiment of the present invention, the attack link including the target node may be determined as follows:
first, a link set, an upstream set, and a downstream set are created for a target node. Wherein, no repeated element feature exists in the set.
Then, through the upper attribute and lower attribute of the target node, all the upstream nodes of the target node are found and added into the upstream set, all the downstream nodes of the target node are found and added into the downstream set, and the target node, all the upstream nodes and all the downstream nodes are added into the link set. Wherein the upper attribute is the set of all upstream nodes of the node and the set of all downstream nodes of the lower attribute node.
And then recursively searching all upstream nodes of all the nodes in the upstream set, and adding the nodes into the link set until the attack source node is found. And recursively searching all the downstream nodes of all the nodes in the downstream set, and adding the nodes into the link set until the attack target node is searched.
And finally, finding out connecting lines among all the nodes of the link set according to all the nodes in the link set and the links attributes of the nodes, and adding the connecting lines into the link set. At this time, all nodes and connecting lines included in the link set are attack links of the target node.
Referring to fig. 5, an embodiment of the present invention further provides a visualized processing apparatus for attack data, including:
a graph data conversion unit 501, configured to convert the attack data to be processed into graph data of an attack network;
a classification unit 502, configured to classify nodes in the attack network according to the graph data to obtain a subgraph formed by each classified node;
a layout unit 503, configured to perform intra-subgraph layout on the nodes in each subgraph based on the attack relationship between the nodes in each subgraph; and performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing.
In an embodiment of the present invention, the graph data conversion unit 501 is specifically configured to extract an attacker IP, an attacked IP, and an attack type in each attack data; determining each extracted non-repetitive IP as a node in the graph data, determining a connecting line in the graph data aiming at each attack data, determining an attack type in each attack data as a type of a corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line;
the classifying unit 502 is specifically configured to classify the nodes of the same type into the same class.
In an embodiment of the present invention, when determining the type of each node according to the type of the connection line of each node, the graph data converting unit 501 is specifically configured to determine, when the types of each connection line directly connected to the node are the same, the type of each connection line directly connected to the node as the type of the node; otherwise, the type of the node is determined as the specified type.
In an embodiment of the present invention, when each sub-graph is respectively taken as a whole to perform inter-sub-graph layout, the layout unit 503 is specifically configured to use the sub-graph corresponding to the specified type as a center, and the sub-graphs corresponding to other types are respectively arranged around the center in a surrounding manner.
In an embodiment of the present invention, the layout unit 503 is specifically configured to determine a connected component in the subgraph according to an attack relationship between nodes in the subgraph when performing the intra-subgraph layout on the nodes in the subgraph; aiming at each connected component, carrying out three-dimensional layout on nodes in the connected components; and respectively carrying out front chain packing layout on all connected components in the subgraph as a whole.
In an embodiment of the present invention, the layout unit 503 is specifically configured to perform hierarchical configuration on each node in the connected component when performing three-dimensional layout on the nodes in the connected component; performing two-dimensional horizontal layout on the nodes of each level to obtain two-dimensional coordinates of each node on each level; and determining the vertical height of each level, and determining the vertical height as the vertical height of each node on the corresponding level to obtain the three-dimensional coordinate of the layout of each node in the connected component in the subgraph.
In an embodiment of the present invention, the layout unit 503, when performing hierarchical configuration on each node in the unicom component, is specifically configured to determine an attack target node that is only an attacked party and currently exists in the unicom component, and configure the determined hierarchy of the attack target node as an initial hierarchy; deleting the node subjected to the hierarchical configuration and the connecting line directly connected with the node, determining whether an attack target node only serving as an attacked party exists in the connected component, if so, configuring the hierarchy of the determined attack target node as the next hierarchy level of the last configured hierarchy level, and repeatedly executing the deleting step; if not, determining whether an intermediate node which is used as both an attacker and an attacked exists in the connected component, if so, configuring the hierarchy of the intermediate node as the next hierarchy level of the last configured hierarchy level, and configuring the hierarchy of the attack source node which is only used as the attacker as the next hierarchy level of the hierarchy of the intermediate node; otherwise, the hierarchy of the attack source node which is only an attacker is configured as a hierarchy level next to the last configured hierarchy level.
Referring to fig. 6, an embodiment of the present invention further provides an interaction apparatus, including:
a display unit 601, configured to display a layout diagram of an attack network obtained by the visualization processing apparatus based on the attack data;
an interaction processing unit 602, configured to, when an interaction instruction for a target node in the attack network is received, determine, according to the interaction instruction, feature information related to the target node in the attack network, and perform feature display on the feature information.
In an embodiment of the present invention, the interactive instruction is used to obtain information of the target node itself, and the characteristic information is an IP of the target node.
In an embodiment of the present invention, the interactive instruction is configured to obtain relationship information of the target node, where the feature information includes: a connection directly connected to the target node, and an adjacent upstream node attacking the target node, an adjacent downstream node attacked by the target node.
In an embodiment of the present invention, the interaction instruction is configured to acquire an attack link related to the target node, and the characteristic information includes: an attack link containing the target node; one end of the attack link is a node only serving as an attacker, and the other end of the attack link is a node only serving as an attacked.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the present invention further provides a computing device, which may include a memory and a processor, where the memory stores a computer program, and when the processor executes the computer program, the method for visualizing and interacting attack data in any embodiment of the present invention is implemented.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, causes the processor to execute a visualization processing and interaction method for attack data in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (13)
1. A visual processing method for attack data is characterized by comprising the following steps:
converting the attack data to be processed into graph data of an attack network;
classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
based on the attack relation among the nodes in each subgraph, carrying out intra-subgraph layout on the nodes in each subgraph;
and (4) performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing.
2. The method of claim 1,
the converting the attack data to be processed into the graph data of the attack network comprises the following steps:
extracting an attacking party IP, an attacked party IP and an attack type in each attack data;
determining each extracted non-repetitive IP as a node in the graph data, determining a connecting line in the graph data aiming at each attack data, determining an attack type in each attack data as a type of a corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line;
the classifying the nodes in the attack network according to the graph data includes: nodes of the same type are classified into the same category.
3. The method of claim 2, wherein determining the type of each node according to the type of the connection line of each node comprises:
when the types of each connecting line directly connected with the node are the same, determining the type of each connecting line directly connected with the node as the type of the node; otherwise, the type of the node is determined as the specified type.
4. The method of claim 3, wherein the inter-sub-graph layout of each sub-graph as a whole comprises:
and taking the subgraph corresponding to the specified type as a center, and arranging the subgraphs corresponding to other types around the center in a surrounding way.
5. The method of claim 1, wherein placing nodes in the subgraph in an intra-subgraph comprises:
determining a connected component in the subgraph according to the attack relation among the nodes in the subgraph;
aiming at each connected component, carrying out three-dimensional layout on nodes in the connected components;
and respectively carrying out front chain packing layout on all connected components in the subgraph as a whole.
6. The method of claim 5, wherein the three-dimensional placement of nodes within the connected components comprises:
performing hierarchical configuration on each node in the connected component;
performing two-dimensional horizontal layout on the nodes of each level to obtain two-dimensional coordinates of each node on each level;
and determining the vertical height of each level, and determining the vertical height as the vertical height of each node on the corresponding level to obtain the three-dimensional coordinate of the layout of each node in the connected component in the subgraph.
7. The method of claim 6, wherein the hierarchically configuring each node in the connected component comprises:
determining an attack target node which only serves as an attacked party and currently exists in the connected component, and configuring the hierarchy of the determined attack target node as an initial hierarchy;
deleting the node subjected to the hierarchical configuration and the connecting line directly connected with the node, determining whether an attack target node only serving as an attacked party exists in the connected component, if so, configuring the hierarchy of the determined attack target node as the next hierarchy level of the last configured hierarchy level, and repeatedly executing the deleting step;
if not, determining whether an intermediate node which is used as both an attacker and an attacked exists in the connected component, if so, configuring the hierarchy of the intermediate node as the next hierarchy level of the last configured hierarchy level, and configuring the hierarchy of the attack source node which is only used as the attacker as the next hierarchy level of the hierarchy of the intermediate node; otherwise, the hierarchy of the attack source node which is only an attacker is configured as a hierarchy level next to the last configured hierarchy level.
8. An interaction method, comprising:
displaying a layout of an attack network obtained based on the method of any one of claims 1 to 7;
when an interactive instruction for a target node in the attack network is received, determining characteristic information related to the target node in the attack network according to the interactive instruction;
and performing characteristic display on the characteristic information.
9. The method of claim 8,
the interactive instruction is used for acquiring self information of the target node, and the characteristic information is the IP of the target node; or the like, or, alternatively,
the interactive instruction is used for acquiring relationship information of the target node, and the characteristic information includes: a connection directly connected to the target node, and an adjacent upstream node attacking the target node, an adjacent downstream node being attacked by the target node; or the like, or, alternatively,
the interactive instruction is used for acquiring an attack link related to the target node, and the characteristic information comprises: an attack link containing the target node; one end of the attack link is a node only serving as an attacker, and the other end of the attack link is a node only serving as an attacked.
10. An apparatus for visually processing attack data, comprising:
the graph data conversion unit is used for converting the attack data to be processed into the graph data of the attack network;
the classification unit is used for classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
the layout unit is used for carrying out intra-subgraph layout on the nodes in each subgraph based on the attack relation among the nodes in each subgraph; and performing inter-subgraph layout on each subgraph as a whole to obtain a layout diagram of the attack network after visual processing.
11. An interactive apparatus, comprising:
a display unit, configured to display a layout diagram of an attack network obtained by the visualization processing apparatus based on the attack data according to claim 10;
and the interactive processing unit is used for determining the characteristic information related to the target node in the attack network according to the interactive instruction and displaying the characteristic information when the interactive instruction to the target node in the attack network is received.
12. A computing device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-9.
13. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111490368.7A CN114143109B (en) | 2021-12-08 | 2021-12-08 | Visual processing method, interaction method and device for attack data |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111490368.7A CN114143109B (en) | 2021-12-08 | 2021-12-08 | Visual processing method, interaction method and device for attack data |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114143109A true CN114143109A (en) | 2022-03-04 |
| CN114143109B CN114143109B (en) | 2023-11-10 |
Family
ID=80384862
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111490368.7A Active CN114143109B (en) | 2021-12-08 | 2021-12-08 | Visual processing method, interaction method and device for attack data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114143109B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115037561A (en) * | 2022-08-10 | 2022-09-09 | 杭州悦数科技有限公司 | Network security detection method and system |
Citations (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103368976A (en) * | 2013-07-31 | 2013-10-23 | 电子科技大学 | Network security evaluation device based on attack graph adjacent matrix |
| US8881288B1 (en) * | 2008-10-28 | 2014-11-04 | Intelligent Automation, Inc. | Graphical models for cyber security analysis in enterprise networks |
| US20150058993A1 (en) * | 2013-08-23 | 2015-02-26 | The Boeing Company | System and method for discovering optimal network attack paths |
| CN106936637A (en) * | 2017-03-15 | 2017-07-07 | 中国电子科技网络信息安全有限公司 | The panorama heuristic method for visualizing and device of a kind of cyberspace situation |
| CN108540322A (en) * | 2018-04-09 | 2018-09-14 | 南京理工大学 | A kind of optimization method of attack graph effect of visualization |
| CN110213077A (en) * | 2019-04-18 | 2019-09-06 | 国家电网有限公司 | A kind of method, apparatus and system of determining electric power monitoring system security incident |
| CN110336785A (en) * | 2019-05-22 | 2019-10-15 | 北京瀚海思创科技有限公司 | The method for visualizing and storage medium of network attack chain figure |
| EP3644579A1 (en) * | 2018-10-26 | 2020-04-29 | Accenture Global Solutions Limited | Criticality analysis of attack graphs |
| US20200177616A1 (en) * | 2018-12-03 | 2020-06-04 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
| CN111818089A (en) * | 2020-07-31 | 2020-10-23 | 北京微步在线科技有限公司 | Network attack event display method and storage medium |
| CN111880708A (en) * | 2020-07-31 | 2020-11-03 | 北京微步在线科技有限公司 | Interaction method and storage medium for network attack event graph |
| CN111935143A (en) * | 2020-08-10 | 2020-11-13 | 武汉思普崚技术有限公司 | Method and system for visualizing attack defense strategy |
| CN112039841A (en) * | 2020-07-23 | 2020-12-04 | 北京天融信网络安全技术有限公司 | Security event merging processing method and device, electronic equipment and storage medium |
| CN112114579A (en) * | 2020-09-28 | 2020-12-22 | 哈尔滨工业大学(威海) | Industrial control system safety measurement method based on attack graph |
| CN112738115A (en) * | 2020-12-31 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Advanced persistent attack detection method, apparatus, computer device and medium |
| CN112839039A (en) * | 2021-01-05 | 2021-05-25 | 四川大学 | Interactive automatic restoration method for network threat event attack scene |
| CN112887285A (en) * | 2021-01-15 | 2021-06-01 | 中国科学院地理科学与资源研究所 | Cross-space layer mapping network behavior intelligent portrait analysis method |
| CN112910865A (en) * | 2021-01-20 | 2021-06-04 | 西安电子科技大学 | Inference attack stage maximum likelihood estimation method and system based on factor graph |
| CN112990285A (en) * | 2021-03-04 | 2021-06-18 | 中山大学 | Simplified attack method oriented to large-scale graph structure |
| CN113055375A (en) * | 2021-03-10 | 2021-06-29 | 华能国际电力股份有限公司 | Power station industrial control system physical network oriented attack process visualization method |
| CN113055386A (en) * | 2021-03-12 | 2021-06-29 | 哈尔滨安天科技集团股份有限公司 | Method and device for identifying and analyzing attack organization |
| CN113271321A (en) * | 2021-07-20 | 2021-08-17 | 成都信息工程大学 | Propagation prediction processing method and system based on network abnormal attack |
| CN113452548A (en) * | 2021-05-08 | 2021-09-28 | 浙江工业大学 | Index evaluation method and system for network node classification and link prediction |
-
2021
- 2021-12-08 CN CN202111490368.7A patent/CN114143109B/en active Active
Patent Citations (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8881288B1 (en) * | 2008-10-28 | 2014-11-04 | Intelligent Automation, Inc. | Graphical models for cyber security analysis in enterprise networks |
| CN103368976A (en) * | 2013-07-31 | 2013-10-23 | 电子科技大学 | Network security evaluation device based on attack graph adjacent matrix |
| US20150058993A1 (en) * | 2013-08-23 | 2015-02-26 | The Boeing Company | System and method for discovering optimal network attack paths |
| CN106936637A (en) * | 2017-03-15 | 2017-07-07 | 中国电子科技网络信息安全有限公司 | The panorama heuristic method for visualizing and device of a kind of cyberspace situation |
| CN108540322A (en) * | 2018-04-09 | 2018-09-14 | 南京理工大学 | A kind of optimization method of attack graph effect of visualization |
| EP3644579A1 (en) * | 2018-10-26 | 2020-04-29 | Accenture Global Solutions Limited | Criticality analysis of attack graphs |
| US20200177616A1 (en) * | 2018-12-03 | 2020-06-04 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
| CN110213077A (en) * | 2019-04-18 | 2019-09-06 | 国家电网有限公司 | A kind of method, apparatus and system of determining electric power monitoring system security incident |
| CN110336785A (en) * | 2019-05-22 | 2019-10-15 | 北京瀚海思创科技有限公司 | The method for visualizing and storage medium of network attack chain figure |
| CN112039841A (en) * | 2020-07-23 | 2020-12-04 | 北京天融信网络安全技术有限公司 | Security event merging processing method and device, electronic equipment and storage medium |
| CN111880708A (en) * | 2020-07-31 | 2020-11-03 | 北京微步在线科技有限公司 | Interaction method and storage medium for network attack event graph |
| CN111818089A (en) * | 2020-07-31 | 2020-10-23 | 北京微步在线科技有限公司 | Network attack event display method and storage medium |
| CN111935143A (en) * | 2020-08-10 | 2020-11-13 | 武汉思普崚技术有限公司 | Method and system for visualizing attack defense strategy |
| CN112114579A (en) * | 2020-09-28 | 2020-12-22 | 哈尔滨工业大学(威海) | Industrial control system safety measurement method based on attack graph |
| CN112738115A (en) * | 2020-12-31 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Advanced persistent attack detection method, apparatus, computer device and medium |
| CN112839039A (en) * | 2021-01-05 | 2021-05-25 | 四川大学 | Interactive automatic restoration method for network threat event attack scene |
| CN112887285A (en) * | 2021-01-15 | 2021-06-01 | 中国科学院地理科学与资源研究所 | Cross-space layer mapping network behavior intelligent portrait analysis method |
| CN112910865A (en) * | 2021-01-20 | 2021-06-04 | 西安电子科技大学 | Inference attack stage maximum likelihood estimation method and system based on factor graph |
| CN112990285A (en) * | 2021-03-04 | 2021-06-18 | 中山大学 | Simplified attack method oriented to large-scale graph structure |
| CN113055375A (en) * | 2021-03-10 | 2021-06-29 | 华能国际电力股份有限公司 | Power station industrial control system physical network oriented attack process visualization method |
| CN113055386A (en) * | 2021-03-12 | 2021-06-29 | 哈尔滨安天科技集团股份有限公司 | Method and device for identifying and analyzing attack organization |
| CN113452548A (en) * | 2021-05-08 | 2021-09-28 | 浙江工业大学 | Index evaluation method and system for network node classification and link prediction |
| CN113271321A (en) * | 2021-07-20 | 2021-08-17 | 成都信息工程大学 | Propagation prediction processing method and system based on network abnormal attack |
Non-Patent Citations (2)
| Title |
|---|
| H. S. LALLIE, K. DEBATTISTA AND J. BAL: ""An Empirical Evaluation of the Effectiveness of Attack Graphs and Fault Trees in Cyber-Attack Perception"", 《 IN IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY》 * |
| 李艳;黄光球;: "基于可能图的攻击意图检测方法", 计算机工程与科学, no. 04 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115037561A (en) * | 2022-08-10 | 2022-09-09 | 杭州悦数科技有限公司 | Network security detection method and system |
| CN115037561B (en) * | 2022-08-10 | 2022-11-22 | 杭州悦数科技有限公司 | Network security detection method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114143109B (en) | 2023-11-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP4121125B2 (en) | Graphics image generation apparatus and method, data analysis apparatus and method, and program | |
| US7926026B2 (en) | Graphical analysis to detect process object anomalies | |
| US20070038937A1 (en) | Method, Program, and Device for Analyzing Document Structure | |
| JP6912714B2 (en) | Information processing equipment, information processing methods and information processing programs | |
| CN104115145A (en) | Generating visualizations of display group of tags representing content instances in objects satisfying search criteria | |
| US10936620B2 (en) | Systems and methods for management of multi-perspective customer segments | |
| JP2015026188A (en) | Database analysis apparatus and method | |
| Bastani et al. | Machine-assisted map editing | |
| CN116209997A (en) | System and method for classifying software vulnerabilities | |
| CN115244538A (en) | Document information extraction system using sequence comparator | |
| CN113778403A (en) | Front-end code generation method and device | |
| CN114511353A (en) | Data analysis method and device | |
| US11610168B2 (en) | Method for analyzing risk of cooperrator supply chain | |
| US20140172826A1 (en) | Social network analyzer | |
| CN114143109A (en) | Visual processing method, interaction method and device for attack data | |
| CN113837194B (en) | Image processing method, image processing apparatus, electronic device, and storage medium | |
| US9026482B2 (en) | Method and system for analyzing a legacy system based on trails through the legacy system | |
| US11587330B2 (en) | Visual analytics platform for updating object detection models in autonomous driving applications | |
| TW201523421A (en) | Determining images of article for extraction | |
| CN113918534A (en) | Policy processing system and method | |
| CN112750047B (en) | Behavior relation information extraction method and device, storage medium and electronic equipment | |
| CN110895564A (en) | Potential customer data processing method and device | |
| CN117540447B (en) | Modularized modeling method and system based on business analysis scene | |
| KR102403881B1 (en) | Apparatus and method for visualizing causality of events | |
| US20240028787A1 (en) | Techniques for design space exploration in a multi-user collaboration system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |