CN101222317A - Depth-first attack drawing generating method - Google Patents


Info

Publication number: CN101222317A
Authority: CN (China)
Prior art keywords: attack, path, network, depth, prolog
Legal status: Pending (the status listed by Google is an assumption, not a legal conclusion)
Application number: CNA2007101446931A
Other languages: Chinese (zh)
Inventors: 杨武, 苘大鹏
Current assignee: Harbin Engineering University
Original assignee: Harbin Engineering University
Application filed by Harbin Engineering University
Priority date / filing date: 2007-11-29 (CNA2007101446931A)
Publication date: 2008-07-16 (CN101222317A)

Abstract

The invention provides a depth-first attack graph generation method. The steps are: (1) all security factors of the current network are collected to form the initial network state; (2) a Prolog system is used to search for all network states an attacker may pass through before the target state is reached; (3) attack paths are constructed from the dependencies found between the network states; (4) the constructed attack paths are combined into a network attack graph. The advantage of the invention is that the depth-first generation algorithm reduces the scale of the attack graph and guarantees that the attack graph contains no non-target leaf node.

Description

A depth-first attack graph generation method
(1) Technical field
The present invention relates to a network security protection method, and in particular to a technique for identifying network attack sequences.
(2) Background
In the field of network vulnerability analysis, existing vulnerability scanners work well for scanning one or several hosts in a target network. But these tools examine security holes in isolation and lack correlation analysis between vulnerabilities, whereas a real attack often has to exploit several vulnerabilities and cross several hosts before it is complete. To analyze and assess network vulnerability more objectively, an analysis tool is needed that builds systematic attack scenarios automatically from the vulnerabilities, network services, physical links and access rights present in the target network. In recent years many research institutions have proposed network vulnerability analysis models for this problem, such as attack trees, privilege graphs and attack graphs. Because attack graphs are well suited to simulating attack scenarios, analyzing network vulnerability and building security defense mechanisms, they have received increasing attention.
To attack a given vulnerability an attacker must already hold the corresponding privileges and information, and after a successful intrusion the attacker gains higher privileges and more information. Based on this feature, researchers have formalized the preconditions, process and results of an attack and proposed the attack graph model. Current attack graph generation methods fall into three classes. The first class uses model checking. Model checking can generate attack graphs automatically, but to obtain all attack scenarios the model must contain all states, so the space and time complexity of this method are high. The second class uses graph-theoretic ideas. This method has good space and time complexity, but the templates that generate attack scenarios cannot be added to or modified, and the scale problem of the attack graph is not solved. The third class uses logic-based techniques. Its advantage is that new attack templates can be added flexibly to match the characteristics of novel attack methods. Its drawback is that attacks are described in too much detail, which produces a large attack graph that administrators cannot analyze intuitively.
Because the scale problem of attack graphs greatly limits their practicality, many researchers have worked on it and proposed several methods. For example, hierarchical merging and adjacency matrices have been used to reduce the number of nodes the attack graph displays. These two methods concern making the attack graph easier to visualize and do not fundamentally solve the scale problem. Another example merges hosts with the same characteristics before the attack graph is generated in order to reduce its scale. Although this method effectively reduces the number of nodes and edges in the attack graph, it only applies to vulnerability analysis of certain special networks. A further method limits the number of attack steps while generating the attack tree. Because it uses breadth-first search, the maximum attack step count may be reached without the target state being reached, so the generated attack tree contains a large number of leaf nodes that are non-target states.
Attack graphs built with existing generation algorithms mainly contain two kinds of attack paths. 1) Paths with a large number of attack steps. For example, if the target network has 100 hosts, each with one privilege-escalation vulnerability, and the number of attack steps is not limited during generation, then in the worst case the generated attack graph contains an attack path of length 100, which is clearly unrealistic. 2) Paths with a low probability of success. Suppose the network has $n$ attack paths in total, the success probability of one attack path $l$ is $p$, the attacker chooses each path with equal probability, and each attack is independent. Then in $N$ attacks the probability that the attacker successfully reaches the attack target via path $l$ is
$$P(N) = \sum_{k=1}^{N} \binom{N}{k} \left(\frac{1}{n}\right)^{k} \left(1-\frac{1}{n}\right)^{N-k} \bigl(1-(1-p)^{k}\bigr).$$
With $p = 0.1$ and $n = 50$, in 100 network attacks the probability $P(100)$ that the attacker successfully reaches the target via path $l$ is 0.1814; with $n = 100$, $P(100)$ is only 0.0952. In fact, even the attack graph generated for a small network can contain tens or even hundreds of attack paths. With $N$ held constant, $P(N)$ decreases gradually as the attack graph grows. Moreover, the attacker, as an intelligent agent, will preferentially choose attack paths with a high probability of success, which further reduces the probability of reaching the target via path $l$. From this analysis, removing the attack paths with low success probability from the attack graph has very little effect on the accuracy of security analysis.
Existing attack graph generation methods therefore suffer from network state explosion: the generated attack graph contains a large number of attack paths that have too many attack steps or too low a probability of success. These attack paths enlarge the attack graph and make its analysis much harder.
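The probability argument above can be checked numerically. The following Python is an added example, not code from the patent: it evaluates $P(N)$ exactly as the binomial sum in the text, cross-checks it against the closed form $1-(1-p/n)^N$ that follows from each attempt succeeding via path $l$ with probability $p/n$, and reproduces the two figures quoted for $n = 50$ and $n = 100$. The helper `attacks_needed` is an addition of this example, not of the page.

```python
from math import comb


def path_success_probability(N: int, n: int, p: float) -> float:
    """P(N) as written in the background section: the probability that, over N
    independent attacks with n equally likely attack paths, the attacker reaches
    the target at least once via a fixed path l whose per-attempt success
    probability is p.  Computed as the binomial sum from the text:
        sum_{k=1..N} C(N,k) (1/n)^k (1-1/n)^(N-k) (1-(1-p)^k)
    where k is the number of attempts in which path l was chosen."""
    q = 1.0 / n
    total = 0.0
    for k in range(1, N + 1):
        chosen_k_times = comb(N, k) * q ** k * (1.0 - q) ** (N - k)
        at_least_one_success = 1.0 - (1.0 - p) ** k
        total += chosen_k_times * at_least_one_success
    return total


def path_success_probability_closed_form(N: int, n: int, p: float) -> float:
    """Cross-check: a single attempt succeeds via path l with probability p/n,
    so P(N) = 1 - (1 - p/n)^N.  Same quantity as the sum, without the binomial."""
    return 1.0 - (1.0 - p / n) ** N


def attacks_needed(n: int, p: float, target: float) -> int:
    """Smallest N for which P(N) reaches `target` (an addition of this example):
    shows how the per-path success probability collapses as the number of
    competing paths n grows, which is the page's argument for pruning."""
    N = 0
    while path_success_probability_closed_form(N, n, p) < target:
        N += 1
    return N


if __name__ == "__main__":
    for n in (50, 100):
        print(n, round(path_success_probability(100, n, 0.1), 4),
              attacks_needed(n, 0.1, 0.5))
```

Both functions agree to floating-point precision; the sum is kept only because it is the form the page states.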
(3) Summary of the invention
The object of the present invention is to provide a depth-first attack graph generation method that removes redundant paths from the generated attack graph.
The object of the present invention is achieved as follows:
1. all security factors of the current network are collected to form the initial network state;
2. a Prolog system is used to search for the network states the attacker may pass through before reaching the target state;
3. attack paths are constructed according to the dependencies between the network states found;
4. the constructed attack paths are combined into a network attack graph.
The present invention may further comprise:
1. The network security factors are collected with the Nessus and OVAL Scanner scanners.
2. Using the Prolog system to search for the network states the attacker may pass through before reaching the target state means using the Prolog system as the inference engine to search for the network states the attacker may pass through before reaching the attack target; the tuple of each network security element is prefixed with a predicate name and used as a Prolog fact, and the vulnerability exploitation rules and the attack target are used as the Prolog rules and the Prolog query, respectively.
3. After the dependencies among all network state nodes have been found with the Prolog system, attack paths are constructed on the depth-first principle. While an attack path is being constructed, the probability of reaching the target node and the length of the attack path are checked; when the probability of reaching the target node is less than a given threshold, the path is deleted; when the attack path is longer than a given threshold and the target node has still not been reached, the path is deleted.
The advantage of the present invention is that the depth-first generation algorithm reduces the scale of the attack graph and guarantees that the attack graph contains no non-target leaf node.
To verify the effectiveness of the present invention in suppressing attack graph scale, we constructed an experimental network whose topology is shown in Fig. 3.
The experimental environment is a switched network with 5 hosts. Host IP1 runs a Telnet service, host IP2 runs an FTP service, host IP3 runs a MySQL database and an HTTP service, host IP4 is an SMTP server, and host IP5 runs an SSH service and stores important data. The attacker's goal is to obtain root privilege on host IP5. The firewall only allows external hosts to access the Telnet service on host IP1; all other external access is blocked, and access between internal hosts is unrestricted. To maximize the scale of the attack graph, the vulnerabilities chosen for this experiment are all privilege-escalation vulnerabilities. The hosts of the experimental network and their vulnerabilities are listed in the host information table (Fig. 4) and the vulnerability information table (Fig. 5).
The attack graph is drawn automatically with the graphviz tool; a directed edge represents an attack action and a node represents the network state after the attack action succeeds. Fig. 6 is the attack graph generated without any restriction. It contains 54 nodes and 62 edges, and there are 46 attack paths by which the attacker may obtain root privilege on host IP5. Fig. 7 is the attack graph generated with the number of attack steps limited to fewer than 5. It contains 22 nodes and 25 edges, and 16 attack paths by which the attacker may obtain root privilege on host IP5. Fig. 8 is the attack graph generated with the number of attack steps limited to at most 4 and the attack path success probability required to be greater than 10%. It has 12 nodes and 14 edges, and only 9 attack paths by which the attacker may obtain root privilege on host IP5. This shows that limiting the number of attack steps and the attack path success probability effectively reduces the scale of the attack graph. Because the algorithm keeps only attack paths shorter than the maximum step count and above the success probability threshold, and the number of such paths is comparatively insensitive to network size, the larger the network, the greater the effect of this strategy in suppressing attack graph scale. Furthermore, Fig. 8 shows that the attack graph generated with the step-count and success-probability restrictions still contains almost all network states reachable by an external attacker, so the present invention has very little effect on the accuracy of vulnerability analysis.
(4) Description of the drawings
Fig. 1: relation between the discovery-and-exploitation cycle of a vulnerability and its attack complexity;
Fig. 2: quantitative standard table for attack complexity;
Fig. 3: topology of the experimental network;
Fig. 4: host information table;
Fig. 5: vulnerability information table;
Fig. 6: attack graph generated without restrictions;
Fig. 7: attack graph with fewer than 5 attack steps;
Fig. 8: attack graph with fewer than 5 attack steps and success probability greater than 10%.
(5) Detailed description of the embodiments
The present invention is described in more detail below with reference to the drawings.
To achieve its object, the present invention first gives a series of definitions.
Definition 1 (attack complexity). The attack complexity of a vulnerability is a measure of how difficult it is for an attacker to exploit that vulnerability successfully.
The attack complexity of a vulnerability is affected by many factors, such as the available attack tools, the attack time and the attacker's experience. Computing it essentially amounts to building a mapping from a high-dimensional attribute space to a low-dimensional one. Through investigation and statistics on a large number of security incidents, researchers have found a mapping between the discovery-and-exploitation cycle of a vulnerability and its attack complexity; this mapping expresses the differences in attack complexity between vulnerabilities, see Fig. 1. On that basis, Zhang Yongzheng et al. analyzed and compared the exploitation methods and attack tools of hundreds of vulnerabilities and gave a quantitative standard for attack complexity, see Fig. 2.
Definition 2 (vulnerability). A vulnerability is represented by the 7-tuple (hostid, vid, range, type, service, conprivilege, complex), where hostid is the name of the host on which the vulnerability exists, vid is the vulnerability identifier, range is the exploitation range of the vulnerability, type is the vulnerability type, service is the name of the service the vulnerability belongs to, conprivilege is the privilege obtained after successful exploitation, and complex is the attack complexity of the vulnerability.
Vulnerabilities are identified by their number in the Bugtraq vulnerability database. The exploitation range is either local or remote. Vulnerability types are confidentiality, integrity, DoS and privilege escalation. For the first three types, conprivilege equals the privilege the attacker held before the attack; for a privilege-escalation vulnerability, conprivilege is greater than the privilege the attacker held before the attack. Dividing user privileges too finely would enlarge the attack graph, so user privileges are divided into Access, User and Root.
Definition 3 (host connectivity). A connection between hosts is expressed as the 4-tuple (src_host, dst_host, protocol, port), where src_host is the source host, dst_host is the destination host, protocol is the connection protocol between them, and port is the port number.
Definition 4 (host service). A host service is represented by the 4-tuple (hostid, service, protocol, port), where hostid is the host number, service is the service name, and protocol and port are the protocol and port of that service.
When the source host and the destination host are the same, the connection is a local connection: protocol is local and port is NULL.
Definition 5 (data access). Access to data is expressed as the 4-tuple (user, hostid, operation, path), where user is a user name, hostid is a host name, operation is the operation the user may perform on the file, and path is the file path.
Definition 6 (attacker). The attacker is represented by the 2-tuple (hostid, privilege), where hostid is the number of the host the attacker is on and privilege is the attacker's privilege on that host.
Definition 7 (vulnerability exploitation rule). A vulnerability exploitation rule is a formal description of an attack action; it comprises the preconditions necessary to exploit the vulnerability and the result obtained after the vulnerability is exploited successfully. If the preconditions necessary to exploit the vulnerability are the set $\{C_1, C_2, \ldots, C_n\}$ and the result of successful exploitation is $C_0$, the exploitation rule of the vulnerability is expressed as
$$C_1 \wedge C_2 \wedge \cdots \wedge C_n \rightarrow C_0,$$
that is, the Horn clause $C_0$ :- $C_1, \ldots, C_n$.
Definition 8 (attack graph). An attack graph is a state transition system $T = (S, \tau, s_0, S_G)$, where $S$ is the set of network states, $\tau \subseteq S \times S$ is the set of state transition relations, $s_0 \in S$ is the initial network state, and $S_G \subseteq S$ is the set of target states.
Definition 9 (attack path). For a target state $s_n \in S_G$, if starting from the initial state $s_0$ there exists a sequence of states $s_1, s_2, \ldots, s_{n-1}$ such that $(s_i, s_{i+1}) \in \tau$ for $0 \le i \le n-1$, then the state sequence $s_0, s_1, \ldots, s_n$ is called an attack path.
Definition 10 (attack path success probability). For an attack path $s_0, s_1, s_2, \ldots, s_{n-1}, s_n$, let the vulnerability corresponding to node $s_i$ ($0 < i \le n$) have attack complexity $c_i$; the success probability of the attack path is then
$$p = \prod_{i=1}^{n} c_i,$$
i.e. the quantified attack complexity of Fig. 2 is used directly as the per-step success probability.
According to Definitions 8 and 9, the attack graph generation steps are as follows:
Step 1. Collect all security factors of the current network to form the initial network state.
Step 2. Use the Prolog system to search for the network states the attacker may pass through before reaching the target state.
Step 3. Construct attack paths according to the dependencies between the network states found.
Step 4. Combine the constructed attack paths into the network attack graph.
In a specific implementation, the collection of network security factors is performed by scanners such as Nessus and OVAL Scanner and is not elaborated here.
A Prolog program is a logic program based on Horn clauses, and its execution is a process of resolution and deduction. Network attack actions occur in a certain logical order; therefore the present invention uses logic programming to describe the network security elements and uses the Prolog system as the inference engine to search for the network states the attacker may pass through before reaching the attack target.
Prolog has only three kinds of basic statements: facts, rules and queries. The present invention prefixes the tuple of each network security element with a predicate name and uses it as a Prolog fact, and uses the vulnerability exploitation rules and the attack target as the Prolog rules and the Prolog query, respectively. For example, the exploitation rule of a remote privilege-escalation vulnerability is described as follows:
If the attacker can execute code on host Host1 with user privilege, host Host1 can reach port Port of host Host2, and the service on port Port of host Host2 has a remote privilege-escalation vulnerability Vulid, then the attacker can execute code on host Host2 with privilege Privilege.
In logic programming the above rule is expressed as:
    execcode(attacker,Host2,Privilege):-
        connect(Host1,Host2,Protocol,Port),
        service(Host2,Servname,Protocol,Port),
        vulexist(Host2,Vulid,remote,privescalation,Servname,Privilege),
        execcode(attacker,Host1,user).
Definition 11 (attack node). An attack node is an instance of a vulnerability exploitation rule; it is a 2-tuple (result, precondition), where result is the result of an attack action and precondition is the precondition for that attack action to succeed.
To generate the attack graph, the system must automatically record the precondition and result of each successful attack action, but an existing Prolog system only answers "yes" or "no" to a query. Pemmasani et al. therefore modified the XSB Prolog system so that XSB automatically records the evidence of each derivation. The present invention adopts this method and records the successful reasoning steps in the form of attack nodes.
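To make Definition 11 and the evidence-recording step concrete, the following Python is an added example, not code from the patent and not XSB: it forward-chains the remote privilege-escalation rule above over a few constructed facts and keeps every successful binding as an attack node (result, precondition). The hosts h0 to h3 and the bid-* identifiers are made up for the example; the facts follow Definitions 2, 3, 4 and 6 with a predicate name prefixed, as the page does for Prolog. Fields are matched exactly, as Prolog unifies ground facts, so the rule's literal `user` does not match `root`; a clause stating that root implies user would be a separate rule, and this example does not add one.

```python
# Constructed facts (not the patent's experiment). Each tuple is a network security
# element with its predicate name in front, the form the page feeds to Prolog.
CONNECT = {("connect", "h0", "h1", "tcp", 23),
           ("connect", "h1", "h2", "tcp", 21),
           ("connect", "h1", "h3", "tcp", 22),
           ("connect", "h2", "h3", "tcp", 22)}
SERVICE = {("service", "h1", "telnet", "tcp", 23),
           ("service", "h2", "ftp", "tcp", 21),
           ("service", "h3", "ssh", "tcp", 22)}
VULEXIST = {("vulexist", "h1", "bid-1", "remote", "privescalation", "telnet", "user"),
            ("vulexist", "h2", "bid-2", "remote", "privescalation", "ftp", "user"),
            ("vulexist", "h3", "bid-3", "remote", "privescalation", "ssh", "root")}


def apply_remote_privesc_rule(execcode_facts):
    """Every binding of the page's rule
         execcode(attacker,Host2,Privilege) :- connect(Host1,Host2,Protocol,Port),
             service(Host2,Servname,Protocol,Port),
             vulexist(Host2,Vulid,remote,privescalation,Servname,Privilege),
             execcode(attacker,Host1,user).
    Variables are bound by exact field matching, as Prolog unifies ground facts.
    Each binding is returned as an attack node (result, precondition)."""
    nodes = set()
    for (_, who, host1, priv) in execcode_facts:
        if who != "attacker" or priv != "user":          # body literal execcode(attacker,Host1,user)
            continue
        for (_, src, host2, proto, port) in CONNECT:
            if src != host1:                              # connect(Host1,Host2,Protocol,Port)
                continue
            for (_, sh, servname, sproto, sport) in SERVICE:
                if (sh, sproto, sport) != (host2, proto, port):   # service(Host2,Servname,Protocol,Port)
                    continue
                for (_, vh, vulid, rng, vtype, vserv, newpriv) in VULEXIST:
                    if (vh, rng, vtype, vserv) != (host2, "remote", "privescalation", servname):
                        continue
                    result = ("execcode", "attacker", host2, newpriv)
                    precondition = frozenset({
                        ("execcode", "attacker", host1, priv),
                        ("connect", src, host2, proto, port),
                        ("service", sh, servname, sproto, sport),
                        ("vulexist", vh, vulid, rng, vtype, vserv, newpriv),
                    })
                    nodes.add((result, precondition))     # the recorded evidence of this derivation
    return nodes


def derive_attack_nodes(initial_facts):
    """Iterate the rule to a fixpoint: the set of attack nodes the page obtains
    from XSB with evidence recording. Two nodes may share a result (the same
    state reached by different preconditions); both are kept."""
    execcode = {f for f in initial_facts if f[0] == "execcode"}
    nodes = set()
    while True:
        new_nodes = apply_remote_privesc_rule(execcode) - nodes
        if not new_nodes:
            return nodes
        nodes |= new_nodes
        execcode |= {result for result, _ in new_nodes}


def reachable_states(nodes):
    """Network states (attack-node results) the attacker can reach."""
    return {result for result, _ in nodes}


if __name__ == "__main__":
    found = derive_attack_nodes({("execcode", "attacker", "h0", "user")})
    for result, pre in sorted(found):
        print(result, "<-", sorted(pre))
```

With the constructed facts, root on h3 is derived twice (directly from h1 and via h2), which is exactly the situation the depth-first construction later has to deal with: the same network state reached by different attack paths.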
Let N be the set of all attack nodes, N_p the set of attack nodes reachable in one step from the initial network state, N_m the set of the remaining attack nodes, A_0 the set of network security elements in the initial state, n_0 the start node, E the set of edges of the attack graph, P the success probability threshold and Maxstep the maximum number of attack steps. The present invention represents a network state by the result of an attack node. The attack graph generation algorithm is then as follows:
Input: N, A_0, n_0, P, Maxstep
Output: attack graph
1. N_p ← ∅, N_m ← ∅, step = 0, stack = NULL;
2. for each n ∈ N {
       if (n→precondition ⊆ A_0) N_p ← N_p ∪ {n};
       else N_m ← N_m ∪ {n};
   }
3. for each n_i ∈ N_p {
4.     if (the probability of reaching n_i is less than P) continue;
5.     else if (n_i→result is a target state) { E ← E ∪ {(n_0, n_i)}; continue; }
6.     else {
7.         push(n_i); step++;
8.         while (step < Maxstep) {
9.             let n_j be the node on top of the stack;
10.            if (there exists a node n_k such that the probability of reaching n_k is greater than P && n_j→result ∈ n_k→precondition) {
11.                if (n_k→result is a target state && the attack path is acyclic) {
12.                    for each edge (n_p, n_q) of the attack path
                           if ((n_p, n_q) ∉ E) E ← E ∪ {(n_p, n_q)};
                   }
13.                else {
14.                    if (step < Maxstep − 1 && the attack path is acyclic) {
15.                        push(n_k); step++;
                       }
                   }
               }
17.            else {
                   pop(n_j); step−−;
                   if (stack == NULL) break;
               }
           }
       }
   }
Steps 1 and 2 partition all attack nodes into those reachable in one step from the initial network state and those not reachable in one step. Steps 4 and 10 check whether the success probability of the current path exceeds the preset threshold P; if it is below P, the search returns to the attack nodes of the previous layer to look for other attack paths. Steps 8 and 14 limit the length of the attack path. Step 12 adds to the set E only those edges of the attack path that do not already belong to E. Under Ammann's monotonicity assumption, the attacker never launches an attack that does not improve their own attack capability; that is, an attack path should contain no directed cycle, so steps 11 and 14 of this algorithm add a directed-cycle check. With this processing, the present invention guarantees that the attack graph contains no attack path longer than Maxstep or with success probability below P, and that no attack path contains a directed cycle.
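The algorithm above, as an added Python example that is not the patent's implementation. The attack nodes, initial facts and complexity values are constructed for illustration (the experiment of Figs. 3 to 8 exists only as figures on this page). One assumption goes beyond the text: a successor n_k must not only consume n_j's result (step 10) but also have all of its remaining preconditions already established by A_0 or by earlier nodes on the path, so that every emitted path is executable; the page states only the first condition. Node h reconnects to a state already on the path and is dropped by the cycle check; node g is a dead end and never enters E, which is the "no non-target leaf" property the page claims, checked here by `non_target_leaves`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackNode:
    name: str                 # label used for graph edges
    result: str               # network state produced by the attack action (Definition 11)
    precondition: frozenset   # facts that must hold for the action to succeed
    complexity: float         # c_i of Definition 10, used as the per-step success probability


def generate_attack_graph(nodes, A0, targets, P, maxstep, n0="s0"):
    """Depth-first attack graph construction following the numbered algorithm.
    Returns (E, paths): the edge set and the attack paths that reached a target."""
    E = set()
    paths = []

    def dfs(path, known, prob):
        cur = path[-1]
        if cur.result in targets:                       # steps 11-12: record the path's edges
            E.add((n0, path[0].name))
            E.update((path[i].name, path[i + 1].name) for i in range(len(path) - 1))
            paths.append([n.name for n in path])
            return
        if len(path) >= maxstep:                        # steps 8/14: too long and no target: drop
            return
        for nxt in nodes:                               # step 10: candidate successors of cur
            if cur.result not in nxt.precondition or not nxt.precondition <= known:
                continue                                # (second condition is this example's assumption)
            if nxt.result in known:                     # steps 11/14: monotonicity, no directed cycle
                continue
            p = prob * nxt.complexity                   # Definition 10: product of complexities
            if p < P:                                   # steps 4/10: probability threshold
                continue
            dfs(path + [nxt], known | {nxt.result}, p)

    for n in nodes:                                     # steps 1-3: N_p, one step from the initial state
        if n.precondition <= A0 and n.complexity >= P:
            dfs([n], A0 | {n.result}, n.complexity)
    return E, paths


def non_target_leaves(E, nodes, targets):
    """Nodes of the generated graph with no outgoing edge whose state is not a
    target; the page claims the algorithm leaves none."""
    by_name = {n.name: n for n in nodes}
    tails = {u for u, _ in E}
    return {v for _, v in E if v not in tails and by_name[v].result not in targets}


# Constructed example (not the Figs. 3-8 experiment): h0 is the attacker's host,
# h3 holds the data, h4 is an alternate pivot, h5 is a dead end.
A0 = frozenset({"execcode(h0,user)", "connect(h0,h1)", "connect(h1,h2)", "connect(h1,h3)",
                "connect(h2,h3)", "connect(h1,h4)", "connect(h4,h3)", "connect(h4,h5)",
                "connect(h4,h1)"})
NODES = [
    AttackNode("a", "execcode(h1,user)", frozenset({"execcode(h0,user)", "connect(h0,h1)"}), 0.8),
    AttackNode("b", "execcode(h2,user)", frozenset({"execcode(h1,user)", "connect(h1,h2)"}), 0.5),
    AttackNode("c", "execcode(h3,root)", frozenset({"execcode(h2,user)", "connect(h2,h3)"}), 0.5),
    AttackNode("d", "execcode(h3,root)", frozenset({"execcode(h1,user)", "connect(h1,h3)"}), 0.1),
    AttackNode("e", "execcode(h4,user)", frozenset({"execcode(h1,user)", "connect(h1,h4)"}), 0.9),
    AttackNode("f", "execcode(h3,root)", frozenset({"execcode(h4,user)", "connect(h4,h3)"}), 0.9),
    AttackNode("g", "execcode(h5,user)", frozenset({"execcode(h4,user)", "connect(h4,h5)"}), 0.9),
    AttackNode("h", "execcode(h1,user)", frozenset({"execcode(h4,user)", "connect(h4,h1)"}), 0.9),
]
TARGETS = {"execcode(h3,root)"}

if __name__ == "__main__":
    E, paths = generate_attack_graph(NODES, A0, TARGETS, P=0.1, maxstep=4)
    print(sorted(paths), sorted(E), non_target_leaves(E, NODES, TARGETS))
```

With P = 0.1 and Maxstep = 4 the direct path a, d (probability 0.8 × 0.1 = 0.08) is pruned and two paths survive; lowering P to 0.05 admits it, and Maxstep = 2 prunes everything, since no target is reachable in two steps.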

Claims (5)

1. A depth-first attack graph generation method, characterized in that:
(1) all security factors of the current network are collected to form the initial network state;
(2) a Prolog system is used to search for the network states the attacker may pass through before reaching the target state;
(3) attack paths are constructed according to the dependencies between the network states found;
(4) while attack paths are being constructed, the scale of the attack graph is reduced by judging the possibility of reaching the target node and the number of attack steps;
(5) the constructed attack paths are combined into the network attack graph.
2. The depth-first attack graph generation method according to claim 1, characterized in that the network security factors are collected with the Nessus and OVAL Scanner scanners.
3. The depth-first attack graph generation method according to claim 1 or 2, characterized in that using the Prolog system to search for the network states the attacker may pass through before reaching the target state means using the Prolog system as the inference engine to search for the network states the attacker may pass through before reaching the attack target, prefixing the tuple of each network security element with a predicate name to serve as a Prolog fact, and using the vulnerability exploitation rules and the attack target as the Prolog rules and the Prolog query, respectively.
4. The depth-first attack graph generation method according to claim 1 or 2, characterized in that after the dependencies among all network state nodes have been found with the Prolog system, attack paths are constructed on the depth-first principle; while an attack path is being constructed, the probability of reaching the target node and the length of the attack path are checked; when the probability of reaching the target node is less than a given threshold, the path is deleted; when the attack path is longer than a given threshold and the target node has still not been reached, the path is deleted.
5. The depth-first attack graph generation method according to claim 4, characterized in that after the dependencies among all network state nodes have been found with the Prolog system, attack paths are constructed on the depth-first principle; while an attack path is being constructed, the probability of reaching the target node and the length of the attack path are checked; when the probability of reaching the target node is less than a given threshold, the path is deleted; when the attack path is longer than a given threshold and the target node has still not been reached, the path is deleted.
CNA2007101446931A 2007-11-29 2007-11-29 Depth-first attack drawing generating method Pending CN101222317A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101446931A CN101222317A (en) 2007-11-29 2007-11-29 Depth-first attack drawing generating method

Publications (1)

Publication Number Publication Date
CN101222317A true CN101222317A (en) 2008-07-16

Family

ID=39631916

Country Status (1)

Country Link
CN (1) CN101222317A (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102447695A (en) * 2011-11-14 2012-05-09 中国科学院软件研究所 Method for identifying key attack path in service system
CN102724210A (en) * 2012-06-29 2012-10-10 上海海事大学 Network security analytical method for solving K maximum probability attack graph
CN102724210B (en) * 2012-06-29 2015-02-11 上海海事大学 Network security analytical method for solving K maximum probability attack graph
CN103023871A (en) * 2012-11-16 2013-04-03 华中科技大学 Android privilege escalation attack detection system and method based on cloud platform
CN103023871B (en) * 2012-11-16 2015-05-20 华中科技大学 Android privilege escalation attack detection system and method based on cloud platform
CN103139220A (en) * 2013-03-07 2013-06-05 南京理工大学常熟研究院有限公司 Network security attack defense method using state attack and defense graph model
CN104243445A (en) * 2013-06-20 2014-12-24 波音公司 Methods and systems for use in analyzing cyber-security threats in an aviation platform
CN104243445B (en) * 2013-06-20 2019-05-03 波音公司 For analyzing the method and system of the network security threats in airborne platform
CN105939306A (en) * 2015-07-08 2016-09-14 北京匡恩网络科技有限责任公司 Network structure security analysis method based on connectivity
CN105991639A (en) * 2015-07-08 2016-10-05 北京匡恩网络科技有限责任公司 Network attack path analysis method
CN106709613A (en) * 2015-07-16 2017-05-24 中国科学院信息工程研究所 Risk assessment method suitable for industrial control system
CN106709613B (en) * 2015-07-16 2020-11-27 中国科学院信息工程研究所 Risk assessment method applicable to industrial control system
CN105516174A (en) * 2015-12-25 2016-04-20 北京奇虎科技有限公司 Network attack tracking display system and method
WO2017152877A1 (en) * 2016-03-11 2017-09-14 中兴通讯股份有限公司 Network threat event evaluation method and apparatus
CN110868377A (en) * 2018-12-05 2020-03-06 北京安天网络安全技术有限公司 Method and device for generating network attack graph and electronic equipment
CN110300368A (en) * 2019-05-24 2019-10-01 中国人民解放军63880部队 A kind of IP geo-positioning system overall process method
CN110300368B (en) * 2019-05-24 2021-01-01 中国人民解放军63880部队 IP geographical positioning system overall processing method
CN110533754A (en) * 2019-08-26 2019-12-03 哈尔滨工业大学(威海) Interactive attack graph display systems and methods of exhibiting based on extensive industry control network
CN113810365A (en) * 2021-07-30 2021-12-17 中汽研(天津)汽车工程研究院有限公司 Method and system for establishing automobile information security attack tree model
CN113810365B (en) * 2021-07-30 2023-04-07 中汽研(天津)汽车工程研究院有限公司 Method and system for establishing automobile information security attack tree model


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080716