CN106027529A - Intrusion detection system and method based on traceability information - Google Patents
Intrusion detection system and method based on traceability information
- Publication number: CN106027529A (application CN201610351996.XA)
- Authority: CN (China)
- Prior art keywords: source, information, tracing, unit, intrusion detection
- Legal status: Pending
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic, H04L63/1408 by monitoring network traffic)
- H04L63/1433: Vulnerability analysis
- H04L2463/146: Tracing the source of attacks
Abstract
The invention discloses an intrusion detection system and method based on traceability (provenance) information. The system comprises a collector, a detector and an analyser: the collector comprises a provenance generation unit, a provenance pruning unit and a provenance storage unit; the detector comprises a rule database establishing unit, a rule matching unit and an early-warning report output unit; the analyser comprises a propagation query unit and a backtracking query unit. The method comprises the following steps: collecting provenance information, saving it to a file system in file form and at the same time storing it in the provenance database; extracting dependency information from the provenance database and establishing the rule database from that dependency information; during intrusion detection, comparing the provenance information under inspection with the provenance information in the rule database; when an intrusion is found, outputting an early-warning report and querying the intrusion comprehensively from the intrusion detection point given in the report, thereby obtaining the whole intrusion process and identifying the system vulnerability and the intrusion source. With the disclosed system and method, the real-time capability of intrusion detection is improved.
Description
Technical field
The invention belongs to the technical field of computer system security, and more particularly relates to an intrusion detection system and method based on provenance information (the "traceability information" of the title: a record of the dependencies between the process, file and network connection objects of a system).
Background
At present, crimes committed by means of computer networks are no longer rare. In the face of increasingly open network environments, data security is under ever greater threat. Information systems are generally protected by security mechanisms such as identification and authentication, access control and encryption, and firewall-type protection is deployed between internal and external networks, but these measures cannot completely prevent intrusions from occurring: an attacker can exploit various system weaknesses (such as an unpatched operating system, program bugs, firewall misconfiguration or weak passwords) to compromise a computer system and cause sensitive data to be leaked or modified. Intrusion detection is therefore the second layer of system protection.
Most existing intrusion detection techniques are host-based intrusion detection systems that record and analyse the system calls made during an intrusion; such methods do not reveal the detailed internal events of the intrusion, such as where the system vulnerability lies or what caused the current intrusion. Log-based forensic analysis does improve the understanding of how the intrusion entered the system and which files it affected, but it obtains this information manually, which is tedious; furthermore, because the logs contain the normal behaviour of users as well as the illegal actions of the intruder, intrusion detection cannot be performed in real time. Although some research has attempted to reduce log size, identifying the type of intrusion from system logs and detecting the important parts first is, compared with real-time intrusion detection, a slow process for extracting useful information, and its real-time performance is low.
Summary of the invention
In view of the above deficiencies of the prior art and the need to improve on it, the invention provides an intrusion detection system and method based on provenance information, whose object is to solve the technical problem of the low real-time performance of intrusion detection in the prior art.
To achieve the above object, according to one aspect of the invention, an intrusion detection system based on provenance information is provided; the system comprises a collector, a detector and an analyser.
The collector converts system-call sequences into provenance information.
The detector establishes a rule database from that provenance information; during intrusion detection it compares the provenance information under inspection with the provenance information in the rule base; when an intrusion is found it outputs an early-warning report, which includes the intrusion path identified during the comparison; an intrusion detection point is determined from that intrusion path.
The analyser performs a propagation query and a backtracking query on the intrusion process from the intrusion detection point, detecting the system vulnerability and the intrusion source.
By analysing provenance information, the above system outputs the intrusion path in real time and can detect intrusions promptly.
Preferably, in the above system the collector comprises a provenance generation unit, a pruning unit and a storage unit.
The provenance generation unit hooks system service calls and converts the system-call sequence into provenance information; the pruning unit deletes information irrelevant to intrusion detection from the provenance information; the storage unit converts the provenance information output by the pruning unit into file form, stores the resulting file in a file system, and also stores the file in the provenance database. The file system is one in which files can be written but cannot be modified or deleted.
Preferably, in the above system the detector comprises a rule base establishing unit, a rule matching unit and an early-warning report unit.
The rule base establishing unit extracts dependency information from the provenance database and establishes the rule database from that dependency information; the rule matching unit compares the detected provenance information with the rule database and obtains a comparison result; the early-warning report unit generates the early-warning report from the comparison result and determines the intrusion detection point.
Preferably, in the above system the analyser comprises a propagation query unit and a backtracking query unit.
The propagation query unit performs a propagation query on the intrusion starting from the intrusion source; the backtracking query unit performs a backtracking query on the intrusion behaviour starting from the damaged files.
Preferably, in the above system the provenance database comprises a main database and an index database.
The main database stores the identity information of objects, including file node number and process ID; the index database comprises a name database, a parent-node database and a child-node database.
The name database stores the mapping between object names and object sequence numbers (pnode numbers); the parent-node database stores the mapping between an object and its parent nodes; the child-node database stores the mapping between an object and its child nodes.
To achieve the object of the invention, according to another aspect of the invention, an intrusion detection method based on the above provenance-based intrusion detection system is provided, comprising the following steps:
(1) intercepting system calls in real time and converting the system-call sequence into first provenance information;
(2) inspecting the first provenance information and deleting the temporary files and pipe files that are irrelevant to detection, to obtain second provenance information;
(3) storing the second provenance information in the provenance database;
(4) extracting dependency information from the provenance information of normal system or user behaviour collected from the local cache, and establishing a rule database from that dependency information;
(5) comparing the provenance information of the event under inspection with the information in the rule database, identifying from the comparison result whether the event is anomalous and what its intrusion path is, and taking the damaged files that appear in the detected intrusion path as detection points;
(7) performing a backtracking query from the detection points to obtain the intrusion source or the exploited vulnerability;
(8) querying, from the intrusion source or vulnerability, the information on the files that were damaged or stolen.
Preferably, in the above method, the establishment of the rule database in step (4) comprises the following sub-steps:
(4-1) obtaining the provenance information R of normal behaviour from the running program, where normal behaviour means the operations performed by the administrator or users in the absence of external intrusion;
(4-2) decomposing the provenance information R into the dependencies between objects, R = {Dep1, ..., Depn}, where Depi = (A, B) denotes the direct dependency between the two objects A and B, A being the parent node of B;
(4-3) establishing the rule database G = {Dep1, ..., Depk} from these dependencies Depi.
Preferably, in the above method, step (5) comprises the following sub-steps:
(5-1) decomposing the provenance information R' of the event under inspection into the dependencies between objects, R' = {Dep1', ..., Depi', ..., Depn'};
(5-2) for each dependency Depi' = (A, B) in R', judging whether Depi' belongs to the rule database G; if so, setting the suspicious degree of Depi' to 0, otherwise setting it to 1;
(5-3) searching R' for the paths of length w, (Dep1', ..., Depw');
(5-4) computing the path decision value P of each such path from the suspicious degrees of its dependencies, where M_j denotes the suspicious degree of Depj' and Σ_{j=1}^{w} M_j is the sum of the suspicious degrees of the w dependencies on the path, j running from 1 to w;
(5-5) judging whether P > T; if so, the event under inspection is judged anomalous, otherwise it is judged normal; T is the decision threshold and is set according to the detection rate.
Preferably, in the above method, a propagation query and a backtracking query are performed on the intrusion behaviour from the intrusion detection point to construct a provenance graph; the attack path is obtained from the provenance graph; and, from the events on the attack path, all files affected by the intrusion process are found by query.
In general, compared with the prior art, the technical scheme contemplated by the invention can obtain the following beneficial effects:
(1) the provenance-based intrusion detection system provided by the invention can, by means of propagation and backtracking queries from the intrusion detection point, find the system vulnerability or the intrusion source in time;
(2) the provenance-based intrusion detection method provided by the invention determines the intrusion path, which contains the system vulnerability, the intrusion source and the damaged files, by comparing the provenance information under inspection with the rule base, and constructs a provenance graph from it to analyse the whole intrusion process;
(3) because the intrusion path may contain damaged files, the method takes a damaged file as the intrusion detection point and queries the intrusion behaviour from it, thereby determining the whole intrusion process, so that the administrator can take corresponding measures in time, such as repairing the vulnerability and restoring the damaged files;
(4) because provenance is collected synchronously with the intrusion operations, the method has the advantage of improved real-time detection.
Brief description of the drawings
Fig. 1 is a schematic block diagram of the provenance-based intrusion detection system provided by an embodiment of the invention;
Fig. 2 is a functional schematic of the collector of the system provided by the embodiment;
Fig. 3 is a functional schematic of the detector of the system provided by the embodiment;
Fig. 4 is a functional schematic of the analyser of the system provided by the embodiment.
Detailed description of the invention
In order to make the purpose, technical scheme and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it. Moreover, the technical features involved in the embodiments described below may be combined with one another as long as they do not conflict.
The functional schematic of the provenance-based intrusion detection system provided by the embodiment is shown in Fig. 1; the system comprises a collector, a detector and an analyser.
The collector converts the system-call sequence of the system calls into provenance information; the detector performs the intrusion detection process on the provenance information and determines the intrusion detection point from the intrusion path; the analyser performs a propagation query and a backtracking query from the intrusion detection point to find the system vulnerability and the intrusion source.
The provenance-based intrusion detection method provided by the embodiment, based on the above system, comprises the following steps:
(1) the provenance generation unit intercepts system calls in real time and converts them into provenance information; the advantage of this step is that the unit operates transparently to the user and can automatically collect the provenance information produced by upper-layer applications;
(2) the pruning unit deletes from the provenance information the information irrelevant to detection and passes the pruned provenance information to the storage unit; the irrelevant information deleted includes pipe files and temporary files;
(3) the storage unit saves the provenance information to the file system in file form and at the same time stores it in the provenance database; the provenance database comprises a main database and an index database, the main database storing the identity information of objects, such as file node number or process ID, and the index database comprising a name database, a parent-node database and a child-node database; the name database stores the mapping between object names and pnode numbers, while the parent-node and child-node databases respectively store the relationship between an object and its parent nodes or child nodes;
(4) the rule base establishing unit obtains the provenance information of normal system or user behaviour collected from the local cache, or from the provenance database, extracts the dependency information and establishes the rule database from it; the rule database should be as complete as possible without containing unnecessary dependencies, and it can be updated indefinitely by adding newly observed normal dependencies;
(5) the rule matching unit compares the sequences in the provenance information of the event under inspection with the rule base; rule matching starts from an edge Depi = (A, B) and finds the edges that continue from it, (B, C), (C, D) and so on, and possibly other continuing edges (B, E), (E, F); this is a depth-first search over the graph; for a program with many paths, the judgement is made by searching for the intrusion path, and although some paths share edges, every path is examined;
(6) the early-warning report unit outputs the anomalous paths found during matching; the advantage of this step is that the intrusion source or system vulnerability is found in time and a detection point is provided for forensic analysis;
(7) the backtracking query unit queries backwards from the detection point given in the early-warning report to find the intrusion source or the exploited vulnerability;
(8) the propagation query unit finds all damaged and stolen files from the intrusion source; the advantage of this step is that a provenance graph is built from the dependencies in the provenance information, so that the whole intrusion process can be analysed in more detail and the administrator can take corresponding measures in time, such as repairing the vulnerability or restoring damaged files.
The functional schematic of the collector of the system provided by the embodiment is shown in Fig. 2. The collector comprises a provenance generation unit, a pruning unit and a storage unit: the generation unit hooks system service calls and converts them into provenance information; the pruning unit deletes provenance information irrelevant to intrusion detection; the storage unit saves the provenance information produced by the pruning unit to the file system in file form and at the same time stores it in the databases.
The provenance generation unit generates provenance information by hooking system service calls; this information consists of the dependencies between file objects, process objects and network connection objects. The system assigns each object a unique number and a version number to identify it; different system calls produce different objects and dependencies.
In the embodiment, the correspondence between system calls and provenance information is as follows (the notation X > Y denotes that X depends on Y):
(1) The first class of event is one process directly affecting another process; such events include one process creating another, sharing memory with another process, or sending it a signal. If process A creates another process B, the dependency B > A arises, because the child process B is initialised by A and the contents of B's address space all come from process A.
(2) The second class of event is a process affecting a file or being affected by a file. Let A be a file and P a process: a write system call (write or writev) produces the dependency A > P, while a read or program load (read, readv and execv) produces the dependency P > A.
(3) In Linux a socket corresponds to a file descriptor, and reading data from and sending data to the network through a socket is similar to reading and writing a file. Let B be a network connection object and P a process: a system call by which the process sends data to the network through the socket (send) produces the dependency B > P, and receiving data (recv) produces the dependency P > B.
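The three event classes above map mechanically onto edges of a dependency graph, and the pruning step (2) of the embodiment drops pipe and temporary files before anything is stored. The following Python is an added example, not code from the patent, showing one collector that does both. The system-call names grouped under each class, the record layout (syscall, acting process, object), the "proc:" and "net:" object-name prefixes, and the pruning prefixes "pipe:[" and "/tmp/" are assumptions made for this illustration; the sample records are constructed.

```python
"""Added example (not from the patent): a collector that turns system-call
records into provenance dependencies and prunes irrelevant objects.

Edge convention follows the text: a dependency (A, B) means B depends on A,
i.e. information flowed from parent object A to child object B; it is printed
in the text's "B > A" notation.  The syscall groupings, the record layout
(syscall, acting process, object), the "proc:"/"net:" name prefixes and the
pruning prefixes are assumptions made for this illustration.
"""
from typing import List, Optional, Sequence, Tuple

Dep = Tuple[str, str]  # (parent, child)

# Class 1: one process directly affects another (creation, shared memory, signal).
PROC_TO_PROC = {"fork", "vfork", "clone", "shmat", "kill"}
# Class 2: process <-> file.  Writes make the file depend on the process;
# reads and program loading make the process depend on the file.
FILE_WRITE = {"write", "writev"}
FILE_READ = {"read", "readv", "execve"}
# Class 3: process <-> network connection object (socket).
NET_SEND = {"send", "sendto", "sendmsg"}
NET_RECV = {"recv", "recvfrom", "recvmsg"}


def syscall_to_dep(syscall: str, proc: str, obj: str) -> Optional[Dep]:
    """Return the (parent, child) dependency produced by one system call, or None."""
    if syscall in PROC_TO_PROC or syscall in FILE_WRITE or syscall in NET_SEND:
        return (proc, obj)   # "obj > proc": the object depends on the process
    if syscall in FILE_READ or syscall in NET_RECV:
        return (obj, proc)   # "proc > obj": the process depends on the object
    return None              # e.g. getpid: affects no other object


def is_irrelevant(obj: str) -> bool:
    """Pruning rule of step (2): drop pipe files and temporary files.
    Naming is assumed: /proc-style "pipe:[inode]" and paths under /tmp."""
    return obj.startswith("pipe:[") or obj.startswith("/tmp/")


def collect(records: Sequence[Tuple[str, str, str]]) -> List[Dep]:
    """Generate dependencies from syscall records in time order, then prune.
    Consecutive repeats of the same dependency (e.g. a loop of write() calls
    on one file) are collapsed; that is this example's choice, not the text's."""
    deps: List[Dep] = []
    for syscall, proc, obj in records:
        dep = syscall_to_dep(syscall, proc, obj)
        if dep is None or is_irrelevant(obj):
            continue
        if not deps or deps[-1] != dep:
            deps.append(dep)
    return deps


# Constructed sample records: (syscall, acting process, object), oldest first.
SAMPLE_RECORDS = [
    ("clone", "proc:init", "proc:httpd"),
    ("read", "proc:httpd", "/etc/httpd.conf"),
    ("recvfrom", "proc:httpd", "net:198.51.100.7:443"),
    ("write", "proc:httpd", "pipe:[4242]"),            # pruned: pipe file
    ("write", "proc:httpd", "/tmp/upload.part"),       # pruned: temporary file
    ("write", "proc:httpd", "/var/log/access.log"),
    ("write", "proc:httpd", "/var/log/access.log"),    # collapsed into the previous edge
    ("clone", "proc:httpd", "proc:sh"),
    ("write", "proc:sh", "/etc/passwd"),
]

if __name__ == "__main__":
    for parent, child in collect(SAMPLE_RECORDS):
        print(f"{child} > {parent}")
```

Run stand-alone it prints the six surviving dependencies in the "child > parent" notation of the text. Note that pruning by name is only safe if the pruned object cannot carry attacker data onward: a pipe between two processes of the same attack chain is dropped here exactly as the text prescribes, which is a trade of completeness for volume that the detector's path search then has to live with.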
The functional schematic of the detector of the system provided by the embodiment is shown in Fig. 3. The detector comprises a rule base establishing unit, a rule matching unit and an early-warning report unit. The rule base establishing unit extracts dependency information from the provenance database and establishes the rule database from it; the rule matching unit compares the detected provenance information with the rule database and obtains the comparison result; the early-warning report unit generates the early-warning report from the comparison result and determines the intrusion detection point.
In the embodiment, the process of establishing the rule base comprises the following sub-steps:
(4-1) obtain the provenance information R of the normal behaviour of the program from the running program; in the embodiment, to make the rule base more complete, the program is run M times to obtain M provenance records R1, R2, ..., Rm, each Ri being the provenance information produced by the i-th run of the program;
(4-2) decompose each provenance record R into a series of dependencies between pairs of objects, R = {Dep1, ..., Depn}, where Depi = (A, B) denotes the direct dependency between the two specific objects A and B, A being the parent node of B;
(4-3) establish the rule database G = {Dep1, ..., Depk} from these dependencies Depi.
In the embodiment, step (5) comprises the following sub-steps:
(5-1) decompose the provenance information R' of the event under inspection into the dependencies between objects, R' = {Dep1', ..., Depi', ..., Depn'};
(5-2) for each dependency Depi' = (A, B) in R', judge whether Depi' belongs to G; if so, the suspicious degree of Depi' is 0, otherwise it is 1;
(5-3) search R' for paths of length w, (Dep1', ..., Depw'), where two consecutive dependencies (Depi', Dep(i+1)') form a path only if the child node of Depi' = (A, B) is the parent node of Dep(i+1)';
(5-4) compute the path decision value P of the path from the suspicious degrees of its dependencies, where M_j denotes the suspicious degree of Depj' and Σ_{j=1}^{w} M_j is the sum of the suspicious degrees of the w dependencies on the path, j running from 1 to w;
(5-5) judge whether P > T; if so, the event under inspection is judged anomalous, otherwise it is judged normal.
Here T is the decision threshold. The path length w and the threshold T are set according to the detection rate; the decision value of every path of length w is computed and compared with the threshold. Experiments show that the best detection rate is obtained with w = 3 and T = 0.3.
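Sub-steps (4-1) to (5-5), in both the summary and the embodiment above, describe a complete detector: a rule database G built as the union of the dependencies seen in normal runs, a suspicious degree of 0 or 1 per observed dependency, a depth-first enumeration of length-w dependency paths, and a threshold test on each path's decision value. The Python below is an added example, not the patent's own code, implementing that procedure over constructed provenance of a web server. Two points are assumptions not stated in the text: P is taken as the mean suspicious degree over the w dependencies of a path (consistent with the reported w = 3, T = 0.3, where a single unseen edge in three gives P = 1/3 > 0.3), and object names beginning with "/" are treated as files so that they can serve as detection points.

```python
"""Added example (not from the patent): rule database G from normal runs and
threshold scoring of length-w dependency paths in an observed provenance R'.

Assumed, because the text does not state it: P is the mean suspicious degree
of the w dependencies on a path (fits w = 3, T = 0.3: one unseen edge in three
gives P = 1/3 > 0.3), and object names starting with "/" are files.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Dep = Tuple[str, str]  # (parent A, child B): B depends on A


def build_rule_db(normal_runs: Iterable[Sequence[Dep]]) -> Set[Dep]:
    """Steps 4-1..4-3: union of the direct dependencies seen in M normal runs."""
    G: Set[Dep] = set()
    for run in normal_runs:
        G.update(run)
    return G


def suspicious_degrees(observed: Sequence[Dep], G: Set[Dep]) -> Dict[Dep, int]:
    """Step 5-2: M = 0 for a dependency present in G, 1 otherwise."""
    return {dep: (0 if dep in G else 1) for dep in observed}


def enumerate_paths(observed: Sequence[Dep], w: int) -> List[Tuple[Dep, ...]]:
    """Step 5-3: depth-first enumeration of every chain of exactly w dependencies
    (Dep1', ..., Depw') in which the child of Dep_i' is the parent of Dep_{i+1}'."""
    by_parent: Dict[str, List[Dep]] = defaultdict(list)
    for dep in observed:
        by_parent[dep[0]].append(dep)
    paths: List[Tuple[Dep, ...]] = []

    def dfs(path: List[Dep]) -> None:
        if len(path) == w:
            paths.append(tuple(path))
            return
        for nxt in by_parent[path[-1][1]]:
            if nxt not in path:          # never reuse an edge within one path
                dfs(path + [nxt])

    for dep in observed:
        dfs([dep])
    return paths


def detect(observed: Sequence[Dep], G: Set[Dep], w: int = 3, T: float = 0.3):
    """Steps 5-4 and 5-5: score every length-w path; return those with P > T."""
    M = suspicious_degrees(observed, G)
    anomalous = []
    for path in enumerate_paths(observed, w):
        P = sum(M[dep] for dep in path) / w   # mean degree: assumed normalisation
        if P > T:
            anomalous.append((path, P))
    return anomalous


def detection_points(anomalous, G: Set[Dep]) -> List[str]:
    """Damaged files on the intrusion paths: file objects that are the child
    (written side) of a dependency absent from G."""
    files = {dep[1] for path, _ in anomalous for dep in path
             if dep not in G and dep[1].startswith("/")}
    return sorted(files)


# Constructed provenance of two normal runs of a web server.
NORMAL_RUNS = [
    [("proc:init", "proc:httpd"), ("/etc/httpd.conf", "proc:httpd"),
     ("net:198.51.100.7:443", "proc:httpd"), ("proc:httpd", "/var/log/access.log"),
     ("proc:httpd", "proc:php"), ("proc:php", "/var/www/cache.dat")],
    [("proc:init", "proc:httpd"), ("/etc/httpd.conf", "proc:httpd"),
     ("net:203.0.113.9:443", "proc:httpd"), ("proc:httpd", "/var/log/access.log")],
]

# Constructed provenance under attack: the server spawns a shell that edits /etc/passwd.
OBSERVED = NORMAL_RUNS[0] + [("proc:httpd", "proc:sh"), ("proc:sh", "/etc/passwd")]

if __name__ == "__main__":
    G = build_rule_db(NORMAL_RUNS)
    anomalous = detect(OBSERVED, G)
    for path, P in anomalous:
        print(f"P={P:.2f}", " -> ".join([path[0][0]] + [d[1] for d in path]))
    print("detection points:", detection_points(anomalous, G))
```

On the constructed data three of the six length-3 paths score P = 2/3 and all end in the shell's write to /etc/passwd, which becomes the detection point, while the paths through the PHP worker score 0. The rule base is keyed on exact object names, so a connection from a new peer address or a write to a freshly created path is an unseen edge even when benign; the text does not say how object names are normalised before G is built, and that choice governs the false-positive rate as much as T does.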
The functional schematic of the analyser of the system provided by the embodiment is shown in Fig. 4. The analyser comprises a propagation query unit and a backtracking query unit: the propagation query unit queries the intrusion behaviour, and the backtracking query unit queries the intrusion source and the system vulnerability. A provenance graph is constructed from the backtracking and propagation queries, and the whole intrusion process can be analysed from it, so that the administrator can take corresponding measures in time, such as repairing the vulnerability or restoring damaged files.
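The analyser's two queries are graph walks over the provenance database described in step (3): backtracking follows the parent-node index from a damaged file towards the intrusion source, and propagation follows the child-node index from the source to every object it influenced. The Python below is an added example, not code from the patent, laying the database out as a main database of object identities keyed by pnode number plus name, parent-node and child-node indexes, with in-memory dicts standing in for the databases. The object kinds "process", "file" and "net", the pid, inode and peer identity fields, and the rule that the nearest network connection object reached by backtracking is the intrusion source are assumptions; the provenance is constructed.

```python
"""Added example (not from the patent): the provenance database of step (3)
and the analyser's backtracking and propagation queries over it.

Layout follows the text: a main database of object identity information keyed
by pnode number, plus an index database made of a name database (name ->
pnode), a parent-node database and a child-node database.  In-memory dicts
stand in for the databases.  The object kinds "process"/"file"/"net", the
pid/inode/peer identity fields and the rule that the nearest network
connection object found by backtracking is the intrusion source are assumed.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple


class ProvenanceDB:
    def __init__(self) -> None:
        self.main: Dict[int, dict] = {}                        # pnode -> identity info
        self.names: Dict[str, int] = {}                        # object name -> pnode
        self.parents: Dict[int, Set[int]] = defaultdict(set)   # pnode -> parent pnodes
        self.children: Dict[int, Set[int]] = defaultdict(set)  # pnode -> child pnodes

    def object(self, name: str, kind: str, **identity) -> int:
        """Allocate a unique pnode number for a new object, or return the existing one."""
        if name not in self.names:
            pnode = len(self.main) + 1
            self.main[pnode] = {"name": name, "kind": kind, "version": 0, **identity}
            self.names[name] = pnode
        return self.names[name]

    def add_dep(self, parent: str, child: str) -> None:
        """Record the dependency (parent, child): child depends on parent."""
        p, c = self.names[parent], self.names[child]
        self.parents[c].add(p)
        self.children[p].add(c)

    def _walk(self, start: int, index: Dict[int, Set[int]]) -> Dict[int, Optional[int]]:
        """Breadth-first walk over one index; maps each reached pnode to the
        pnode it was reached from (None for the start), nearest nodes first."""
        pred: Dict[int, Optional[int]] = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in index.get(node, ()):
                if nxt not in pred:
                    pred[nxt] = node
                    queue.append(nxt)
        return pred

    def backtrack(self, damaged_file: str) -> Tuple[Optional[str], List[str]]:
        """Backtracking query: follow parent links from the damaged file until a
        network connection object is reached (assumed to be the intrusion source).
        Returns (source name, attack path from the source to the damaged file)."""
        pred = self._walk(self.names[damaged_file], self.parents)
        for node in pred:                       # dict order is BFS order
            if self.main[node]["kind"] == "net":
                path: List[str] = []
                cur: Optional[int] = node
                while cur is not None:          # walk back down towards the file
                    path.append(self.main[cur]["name"])
                    cur = pred[cur]
                return path[0], path
        return None, []

    def propagate(self, source: str) -> List[str]:
        """Propagation query: every file reachable through child links from the source."""
        reached = self._walk(self.names[source], self.children)
        return sorted(self.main[n]["name"] for n in reached if self.main[n]["kind"] == "file")


def build_sample() -> ProvenanceDB:
    """Constructed provenance: a web server spawns a shell which edits /etc/passwd."""
    db = ProvenanceDB()
    db.object("proc:init", "process", pid=1)
    db.object("proc:httpd", "process", pid=812)
    db.object("/etc/httpd.conf", "file", inode=1309)
    db.object("net:198.51.100.7:443", "net", peer="198.51.100.7")
    db.object("/var/log/access.log", "file", inode=2201)
    db.object("proc:sh", "process", pid=4410)
    db.object("/etc/passwd", "file", inode=1011)
    for parent, child in [
        ("proc:init", "proc:httpd"), ("/etc/httpd.conf", "proc:httpd"),
        ("net:198.51.100.7:443", "proc:httpd"), ("proc:httpd", "/var/log/access.log"),
        ("proc:httpd", "proc:sh"), ("proc:sh", "/etc/passwd"),
    ]:
        db.add_dep(parent, child)
    return db


if __name__ == "__main__":
    db = build_sample()
    source, attack_path = db.backtrack("/etc/passwd")
    print("intrusion source:", source)
    print("attack path:", " -> ".join(attack_path))
    print("affected files:", db.propagate(source))
```

Backtracking from /etc/passwd yields the attack path net:198.51.100.7:443 -> proc:httpd -> proc:sh -> /etc/passwd. The propagation result shows the over-approximation a practitioner should expect from dependency-based analysis: /var/log/access.log is reported as affected because httpd wrote it after reading from the same connection, although that write is normal behaviour. Running propagation only from the source found by backtracking, as the text prescribes, is what keeps that over-approximation bounded.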
Those skilled in the art will readily appreciate that the above are only preferred embodiments of the invention and are not intended to limit it; any modifications, equivalent substitutions and improvements made within the spirit and principles of the invention shall be included within its scope of protection.
Claims (9)
1. An intrusion detection system based on provenance information, characterised in that it comprises a collector, a detector and an analyser;
said collector converts system-call sequences into provenance information;
said detector establishes a rule database from said provenance information; during intrusion detection, it compares the provenance information under inspection with the provenance information in the rule base; when an intrusion is found, it outputs an early-warning report, which includes the intrusion path identified during said comparison, and determines an intrusion detection point from said intrusion path;
said analyser performs a propagation query and a backtracking query on the intrusion process from said intrusion detection point, detecting the system vulnerability and the intrusion source.
2. The intrusion detection system of claim 1, characterised in that said collector comprises a provenance generation unit, a pruning unit and a storage unit;
said provenance generation unit hooks system service calls and converts the system-call sequence into provenance information;
said pruning unit deletes information irrelevant to intrusion detection from said provenance information;
said storage unit converts the provenance information output by the pruning unit into a file, stores the resulting file in a file system, and stores said file in the provenance database.
3. The intrusion detection system of claim 1 or 2, characterised in that said detector comprises a rule base establishing unit, a rule matching unit and an early-warning report unit;
said rule base establishing unit extracts dependency information from the provenance database and establishes the rule database from said dependency information;
said rule matching unit compares the detected provenance information with said rule database and obtains a comparison result;
said early-warning report unit generates the early-warning report from said comparison result and determines the intrusion detection point.
4. The intrusion detection system of claim 1 or 2, characterised in that said analyser comprises a propagation query unit and a backtracking query unit;
said propagation query unit performs a propagation query on the intrusion from the intrusion source; said backtracking query unit performs a backtracking query on the intrusion behaviour from the damaged files.
5. The intrusion detection system of claim 2, characterised in that said provenance database comprises a main database and an index database;
said main database stores the identity information of objects, including file node number and process ID;
the index database comprises a name database, a parent-node database and a child-node database;
said name database stores the mapping between object names and object sequence numbers; the parent-node database stores the mapping between an object and its parent nodes; the child-node database stores the mapping between an object and its child nodes.
6. An intrusion detection method based on the intrusion detection system of any one of claims 1 to 5, characterised in that it comprises the following steps:
(1) intercepting system calls in real time and converting the system-call sequence into first provenance information;
(2) inspecting said first provenance information and deleting the temporary files and pipe files irrelevant to detection, to obtain second provenance information;
(3) storing said second provenance information in the provenance database;
(4) extracting dependency information from the provenance information of normal system or user behaviour collected from the local cache, and establishing a rule database from said dependency information;
(5) comparing the provenance information of the event under inspection with the information in the rule database, identifying from the comparison result whether the event is anomalous and what its intrusion path is, and taking the damaged files appearing in the detected intrusion path as detection points;
(7) performing a backtracking query and a propagation query from said detection points to obtain the intrusion source or the exploited vulnerability;
(8) querying, from the intrusion source or vulnerability, the information on the files that were damaged or stolen.
7. The intrusion detection method of claim 6, characterised in that the method of establishing the rule database in said step (4) comprises the following sub-steps:
(4-1) obtaining the provenance information R of normal behaviour from the running program, where normal behaviour means the operations performed by the administrator or users in the absence of external intrusion;
(4-2) decomposing said provenance information R into the dependencies between objects, R = {Dep1, ..., Depn}, where Depi = (A, B) denotes the direct dependency between the two objects A and B, A being the parent node of B;
(4-3) establishing the rule database G = {Dep1, ..., Depk} from said dependencies Depi.
8. The intrusion detection method of claim 7, characterised in that step (5) comprises the following sub-steps:
(5-1) decompose the traceability information R' of the detected event to obtain the dependencies between objects, R'={Dep1', ..., Depi', ..., Depn'};
(5-2) for each dependency Depi'=(A, B) in the traceability information R', judge whether Depi' belongs to the rule database G; if so, set the suspicion degree of Depi' to 0; if not, set the suspicion degree of Depi' to 1;
(5-3) search the traceability information R' for a path of length w, (Dep1', ..., Depw');
(5-4) obtain the path decision value P of that path, where M denotes the suspicion degree of dependency Depj', and the sum over the w dependencies, with j running from 1 to w, is the total suspicion degree of the path;
(5-5) judge whether P > T; if so, the detected event is judged abnormal; if not, the detected event is judged normal; T is the decision threshold and is set according to the detection rate.
9. The intrusion detection method of claim 6, characterised in that a traceability graph is constructed from the propagation query and the backtracking query; the attack path is obtained from the traceability graph; and, according to the events on the attack path, a query finds all files affected by the intrusion process.
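The backtracking and propagation queries of claims 6 and 9, run over the parent-node and child-node databases described in claim 5, as an added Python example that is not part of the patent. The provenance records, the process and file names, and the `sock:` prefix that marks a remote network endpoint are constructed for this example; reporting remote endpoints in the backward closure of a detection point as intrusion-source candidates is also an assumption of this example, not a step stated in the claims.

```python
"""Backtracking and propagation queries over a provenance graph
(constructed example illustrating claims 5, 6 and 9; not patent code)."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Dep = Tuple[str, str]  # (parent node A, child node B): direct dependency A -> B

# Constructed provenance records for one host. Naming is an assumption of
# this example: "sock:<ip>" is a remote endpoint, an absolute path is a
# file, anything else is a process.
RECORDS: List[Dep] = [
    ("systemd", "nginx"),
    ("sock:198.51.100.7", "nginx"),            # inbound client connection
    ("nginx", "/var/log/nginx/access.log"),
    ("nginx", "sh"),                            # web server spawns a shell
    ("sh", "curl"),
    ("sock:203.0.113.5", "curl"),               # download from a second host
    ("curl", "/tmp/x"),
    ("sh", "/tmp/x"),                           # shell executes the download
    ("/tmp/x", "/etc/passwd"),
    ("/tmp/x", "/root/.ssh/authorized_keys"),
    ("bash", "vim"),                            # unrelated admin activity
    ("vim", "/etc/nginx/nginx.conf"),
]


def build_node_databases(records: List[Dep]) -> Tuple[Dict[str, List[str]],
                                                     Dict[str, List[str]]]:
    """Claim 5: the parent-node database maps an object to its parents and
    the child-node database maps an object to its children."""
    parents: Dict[str, List[str]] = {}
    children: Dict[str, List[str]] = {}
    for a, b in records:
        parents.setdefault(b, []).append(a)
        children.setdefault(a, []).append(b)
        parents.setdefault(a, [])
        children.setdefault(b, [])
    return parents, children


def _closure(start: str, adjacency: Dict[str, List[str]]) -> Set[str]:
    """Breadth-first transitive closure of one node under an adjacency map."""
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def backtrack_query(point: str, parents: Dict[str, List[str]]) -> Set[str]:
    """Claim 6, step (7): everything the detection point transitively depends on."""
    return _closure(point, parents)


def propagate_query(point: str, children: Dict[str, List[str]]) -> Set[str]:
    """Claim 6, step (7): everything that transitively depends on the point."""
    return _closure(point, children)


def intrusion_sources(point: str, parents: Dict[str, List[str]]) -> List[str]:
    """ASSUMPTION of this example: remote endpoints found by the backtracking
    query are reported as the intrusion-source candidates."""
    return sorted(n for n in backtrack_query(point, parents) if n.startswith("sock:"))


def attack_path(source: str, point: str,
                children: Dict[str, List[str]]) -> Optional[List[str]]:
    """Claim 9: shortest forward chain from the source to the detection point
    in the traceability graph, or None when the point is unreachable."""
    prev: Dict[str, Optional[str]] = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == point:
            break
        for nxt in children.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if point not in prev:
        return None
    path: List[str] = []
    cur: Optional[str] = point
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def affected_files(path: List[str], children: Dict[str, List[str]]) -> Set[str]:
    """Claim 6, step (8) and claim 9: every file reachable by propagation from
    any event on the attack path (files are absolute paths by assumption)."""
    files: Set[str] = set()
    for node in path:
        files |= {n for n in propagate_query(node, children) if n.startswith("/")}
    return files


PARENTS, CHILDREN = build_node_databases(RECORDS)

if __name__ == "__main__":
    point = "/etc/passwd"                       # detection point from claim 6 step (5)
    for src in intrusion_sources(point, PARENTS):
        print("source:", src, "path:", attack_path(src, point, CHILDREN))
    print("affected:", sorted(affected_files(attack_path("sock:198.51.100.7", point, CHILDREN), CHILDREN)))
```

The forward query over-approximates on purpose: once nginx is on the attack path, the access log it legitimately wrote is reported as affected alongside the files the downloaded binary rewrote, and it is the analyst's job to prune those. The unrelated bash/vim records never enter either closure, which is the property that makes provenance-based triage tractable on a busy host.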
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610351996.XA CN106027529A (en) | 2016-05-25 | 2016-05-25 | Intrusion detection system and method based on traceability information |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610351996.XA CN106027529A (en) | 2016-05-25 | 2016-05-25 | Intrusion detection system and method based on traceability information |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106027529A true CN106027529A (en) | 2016-10-12 |
Family
ID=57095002
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610351996.XA Pending CN106027529A (en) | 2016-05-25 | 2016-05-25 | Intrusion detection system and method based on traceability information |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106027529A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106802922A (en) * | 2016-12-19 | 2017-06-06 | 华中科技大学 | A kind of object-based storage system and method for tracing to the source |
CN107403091A (en) * | 2017-07-06 | 2017-11-28 | 华中科技大学 | A kind of combination is traced to the source path and the system for real-time intrusion detection of figure of tracing to the source |
CN107515778A (en) * | 2017-08-25 | 2017-12-26 | 武汉大学 | A kind of origin method for tracing and system based on context-aware |
CN108769077A (en) * | 2018-07-06 | 2018-11-06 | 武汉思普崚技术有限公司 | A kind of method and device of network security Source Tracing |
CN108924169A (en) * | 2018-09-17 | 2018-11-30 | 武汉思普崚技术有限公司 | A kind of visual network security system |
CN111813774A (en) * | 2020-05-18 | 2020-10-23 | 广州锦行网络科技有限公司 | Method for monitoring and acquiring traceability information based on sysdig system |
CN112287339A (en) * | 2020-03-06 | 2021-01-29 | 杭州奇盾信息技术有限公司 | APT intrusion detection method and device and computer equipment |
CN112822198A (en) * | 2021-01-15 | 2021-05-18 | 中国电子科技集团公司第十五研究所 | Multi-layer protocol network beacon implantation detection method for tracing application |
CN112995110A (en) * | 2019-12-17 | 2021-06-18 | 深信服科技股份有限公司 | Method and device for acquiring malicious event information and electronic equipment |
CN113672939A (en) * | 2021-08-23 | 2021-11-19 | 杭州安恒信息技术股份有限公司 | Method, device, equipment and medium for analyzing terminal behavior alarm traceability |
CN115514580A (en) * | 2022-11-11 | 2022-12-23 | 华中科技大学 | Method and device for detecting source-tracing intrusion of self-encoder |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103226675A (en) * | 2013-03-20 | 2013-07-31 | 华中科技大学 | Traceability system and traceability method for analyzing intrusion behavior |
CN105323247A (en) * | 2015-10-13 | 2016-02-10 | 华中科技大学 | Intrusion detection system for mobile terminal |
- 2016-05-25 CN CN201610351996.XA patent/CN106027529A/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103226675A (en) * | 2013-03-20 | 2013-07-31 | 华中科技大学 | Traceability system and traceability method for analyzing intrusion behavior |
CN105323247A (en) * | 2015-10-13 | 2016-02-10 | 华中科技大学 | Intrusion detection system for mobile terminal |
Non-Patent Citations (1)
Title |
---|
周俊哲: "基于溯源信息的入侵检测方法研究", 《万方数据知识服务平台》 * |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106802922B (en) * | 2016-12-19 | 2020-07-10 | 华中科技大学 | Tracing storage system and method based on object |
CN106802922A (en) * | 2016-12-19 | 2017-06-06 | 华中科技大学 | A kind of object-based storage system and method for tracing to the source |
CN107403091A (en) * | 2017-07-06 | 2017-11-28 | 华中科技大学 | A kind of combination is traced to the source path and the system for real-time intrusion detection of figure of tracing to the source |
CN107515778A (en) * | 2017-08-25 | 2017-12-26 | 武汉大学 | A kind of origin method for tracing and system based on context-aware |
CN107515778B (en) * | 2017-08-25 | 2020-12-18 | 武汉大学 | Origin tracking method and system based on context sensing |
CN108769077A (en) * | 2018-07-06 | 2018-11-06 | 武汉思普崚技术有限公司 | A kind of method and device of network security Source Tracing |
CN108924169A (en) * | 2018-09-17 | 2018-11-30 | 武汉思普崚技术有限公司 | A kind of visual network security system |
CN112995110A (en) * | 2019-12-17 | 2021-06-18 | 深信服科技股份有限公司 | Method and device for acquiring malicious event information and electronic equipment |
CN112287339A (en) * | 2020-03-06 | 2021-01-29 | 杭州奇盾信息技术有限公司 | APT intrusion detection method and device and computer equipment |
CN111813774A (en) * | 2020-05-18 | 2020-10-23 | 广州锦行网络科技有限公司 | Method for monitoring and acquiring traceability information based on sysdig system |
CN111813774B (en) * | 2020-05-18 | 2021-02-05 | 广州锦行网络科技有限公司 | Method for monitoring and acquiring traceability information based on sysdig system |
CN112822198A (en) * | 2021-01-15 | 2021-05-18 | 中国电子科技集团公司第十五研究所 | Multi-layer protocol network beacon implantation detection method for tracing application |
CN112822198B (en) * | 2021-01-15 | 2021-11-12 | 中国电子科技集团公司第十五研究所 | Multi-layer protocol network beacon implantation detection method for tracing application |
CN113672939A (en) * | 2021-08-23 | 2021-11-19 | 杭州安恒信息技术股份有限公司 | Method, device, equipment and medium for analyzing terminal behavior alarm traceability |
CN115514580A (en) * | 2022-11-11 | 2022-12-23 | 华中科技大学 | Method and device for detecting source-tracing intrusion of self-encoder |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106027529A (en) | Intrusion detection system and method based on traceability information | |
CN104283889B (en) | APT attack detectings and early warning system inside electric system based on the network architecture | |
CN113486351A (en) | Civil aviation air traffic control network safety detection early warning platform | |
CN103226675B (en) | A kind of traceability system and method analyzing intrusion behavior | |
CN111083126A (en) | Expert knowledge base-based penetration test risk assessment method and model | |
CN105653956A (en) | Android malicious software sorting method based on dynamic behavior dependency graph | |
CN105809035A (en) | Android application real-time behavior based malicious software detection method and system | |
CN110598411A (en) | Sensitive information detection method and device, storage medium and computer equipment | |
CN104811447A (en) | Security detection method and system based on attack association | |
CN103428196A (en) | URL white list-based WEB application intrusion detecting method and apparatus | |
Xiao et al. | From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild | |
CN109241223B (en) | Behavior track identification method and system | |
CN107403091A (en) | A kind of combination is traced to the source path and the system for real-time intrusion detection of figure of tracing to the source | |
Singh et al. | An approach to understand the end user behavior through log analysis | |
CN111181918B (en) | TTP-based high-risk asset discovery and network attack tracing method | |
CN114003903B (en) | Network attack tracing method and device | |
CN109347808B (en) | Safety analysis method based on user group behavior activity | |
Khosravi et al. | Alerts correlation and causal analysis for APT based cyber attack detection | |
CN112131571B (en) | Threat tracing method and related equipment | |
CN111953697A (en) | APT attack identification and defense method | |
CN113132311A (en) | Abnormal access detection method, device and equipment | |
CN109388949B (en) | Data security centralized management and control method and system | |
Pangsuban et al. | A real-time risk assessment for information system with cicids2017 dataset using machine learning | |
CN115270136A (en) | Binary group-based vulnerability clone detection system and method | |
CN109784048A (en) | A kind of stack buffer spilling vulnerability checking method based on programme diagram |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20161012 |