CN107920055B - IP risk evaluation method and IP risk evaluation system - Google Patents

Publication number: CN107920055B
Authority: CN (China)
Application number: CN201710887457.2A
Other versions: CN107920055A
Other languages: Chinese (zh)
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Inventors: 陈舟, 杨阳, 朱浩然, 黄自力
Current Assignee: China Unionpay Co Ltd (as listed by Google Patents; may be inaccurate)
Original Assignee: China Unionpay Co Ltd
Prior art keywords: decision tree, risk evaluation, behavior, training set, feature

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention relates to an IP risk evaluation method and an IP risk evaluation system. The method comprises the following steps: an IP behavior data acquisition step of acquiring IP behavior data and forming an IP database; a characteristic matrix extraction step of performing characteristic processing on the IP behavior data, with the IP database as a training set, to form a characteristic matrix; a decision tree generation step of constructing a training set based on the characteristic matrix and generating a classification and regression decision tree according to the training set and specified conditions; and an IP address risk evaluation step of acquiring the IP address needing risk evaluation and performing the risk evaluation of the IP address based on the classification and regression decision tree. By using the method and the device, the IP risk evaluation can be accurately and comprehensively carried out.

Description

IP risk evaluation method and IP risk evaluation system
Technical Field
The invention relates to a computer technology, in particular to an IP risk evaluation method and an IP risk evaluation system.
Background
In the prior art, IP risk evaluation is generally performed mainly according to IP labels; for example, whether a transaction is a foreign transaction is determined from the home location of the IP, and whether the IP is a normal user is determined from the proxy IP label.
This judgment method is simple and coarse: one or a few labels are often used to judge whether an IP is malicious, so accuracy is low in practical application.
Therefore, at present, no mature method exists for evaluating the IP risk.
Disclosure of Invention
In view of the above problems, the present invention is directed to an IP risk evaluation method and an IP risk evaluation system capable of accurately performing risk evaluation of an IP address.
The IP risk evaluation method is characterized by comprising the following steps:
an IP behavior data acquisition step, which is to acquire IP behavior data and form an IP database;
a characteristic matrix extraction step, namely taking the IP database as a training set, and performing characteristic processing on the IP behavior data to form a characteristic matrix;
a decision tree generation step of generating a classification and regression decision tree according to the training set and a specified condition based on the training set; and
an IP address risk evaluation step, namely acquiring the IP address needing risk evaluation, and evaluating the risk of the IP address based on the classification and regression decision tree.
Preferably, the IP data collected in the IP behavior data collecting step includes: IP attribute information, IP association information, and IP behavior information.
Preferably, in the feature matrix extracting step, the following feature processing is performed on the IP data: for the IP attribute information, selecting a corresponding code as a characteristic value or taking 0 and 1 as characteristic values; for the IP associated information, selecting the number of historical associated domain names or the average domain name as a characteristic value; and for the IP behavior information, selecting the time number of the IP behavior from a specified time point as a characteristic value.
Preferably, in the decision tree generating step, a training set is constructed, and a binary decision tree is constructed by performing a specified operation on each node recursively starting from a root node.
Preferably, the decision tree generating step comprises the following sub-steps:
(1) setting the training data set of the nodes as D, calculating the Gini index of the existing features to the data set, and dividing D into two parts, namely D1 and D2, for each feature A;
(2) selecting the feature with the minimum Gini index and the corresponding segmentation point as the optimal feature and the optimal segmentation point from all possible features A and all possible segmentation points alpha thereof, generating two child nodes from the current node by using the optimal feature and the optimal segmentation point, and distributing the training data set into the two child nodes according to the features;
(3) recursively calling the (1) and (2) for the two child nodes until a stop condition is met;
(4) a classification and regression decision tree T0 is generated.
Preferably, the decision tree generating step further comprises the following sub-steps after (4) above:
(5) executing a pruning algorithm on the classification and regression decision tree T0 to obtain an optimal decision tree Tα.
The IP risk evaluation system of the present invention is characterized by comprising:
the IP behavior data acquisition module is used for acquiring IP behavior data and forming an IP database;
the characteristic matrix extraction module is used for taking the IP database as a training set and carrying out characteristic processing on the IP behavior data to form a characteristic matrix;
a decision tree generation module for generating a classification and regression decision tree according to the training set and a specified condition based on the training set; and
the IP address risk evaluation module is used for acquiring the IP address needing risk evaluation and carrying out the risk evaluation of the IP address based on the classification and regression decision tree.
Preferably, the IP data collected by the IP behavior data collection module includes: IP attribute information, IP association information, and IP behavior information.
Preferably, in the feature matrix extraction module, for the IP attribute information, a corresponding code is selected as a feature value or 0, 1 is used as a feature value; for the IP associated information, selecting the number of historical associated domain names or the average domain name as a characteristic value; and for the IP behavior information, selecting the time number of the IP behavior from a specified time point as a characteristic value.
Preferably, the decision tree generation module constructs a training set and recursively operates on each node starting from a root node to construct a binary decision tree.
The computer-readable storage medium of the present invention, on which a computer program is stored, is characterized in that the program realizes the above-described IP risk evaluation method when executed by a processor.
The computer device of the present invention includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and is characterized in that the processor implements the IP risk assessment method when executing the program.
According to the IP risk evaluation method and the IP risk evaluation system, compared with the current IP risk evaluation method, the following technical effects can be obtained:
(1) IP address information is acquired from a global view, and various attributes such as time attributes are also provided, so that the IP state can be comprehensively reflected, and the evaluation result is more accurate;
(2) with the updating of the training data, the decision tree can be continuously updated;
(3) the decision tree can be further optimized to obtain an optimal decision tree, so that IP risk evaluation can be more accurately carried out;
(4) the decision tree is used for IP risk evaluation, so the evaluation is easy to understand and implement.
Drawings
Fig. 1 is a flowchart showing the steps of the IP risk assessment method of the present invention.
Fig. 2 shows an IP risk evaluation system according to an embodiment of the present invention.
Detailed Description
The following description is of some of the several embodiments of the invention and is intended to provide a basic understanding of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the invention.
Fig. 1 is a flowchart showing steps of an IP risk evaluation method according to an embodiment of the present invention.
As shown in fig. 1, the IP risk assessment method according to an embodiment of the present invention includes the steps of:
an IP behavior data acquisition step S100: collecting IP behavior data and forming an IP database;
feature matrix extraction step S200: taking the IP database as a training set, and performing characteristic processing on the IP behavior data to form a characteristic matrix;
decision tree generation step S300: generating a classification and regression decision tree according to the training set and specified conditions based on the training set; and
IP address risk evaluation step S400: acquiring the IP address needing risk evaluation, and performing the risk evaluation of the IP address based on the classification and regression decision tree.
Next, the steps S100 to S400 will be specifically described.
In the IP behavior data collection step S100, IP data is collected and an IP database is formed. Current means of collecting IP behavior data include:
collection through security protection devices such as firewalls, IPS (intrusion prevention systems) and WAFs (web application firewalls), which are generally deployed at the enterprise Internet egress and can collect information on the IPs that access it;
collection through honeypots: honeypot servers are deployed on the Internet, and information on the IPs that access them is collected;
collection of public information such as whois information and ASN information from the Internet; and
obtaining IP information by means such as IP information acquisition, purchase and exchange.
The collected IP behavior data includes, for example, but is not limited to, the following information:
IP attribute information: country, province, city, IDC, dynamic IP, mobile gateway, latitude and longitude, ASN, etc.
IP associated information: IP associated domain names, IP associated files and time periods corresponding to the domain names and the IP associated files.
IP behavior information: the behaviors of the IP, including proxying, scanning, crawling, CC attacks, DDoS attacks, spam, etc., and their corresponding times.
In the feature matrix extraction step S200, the IP database is used as a training set, and feature processing is performed on the IP behavior data to form a feature matrix.
For example, for the IP attribute information, the country, province and city information take the corresponding code as the feature value, while IDC, dynamic IP, mobile gateway, etc. take 0 or 1 as the feature value.
For example, for the IP associated information, the number of historical associated domain names and the average of domain names are often selected as feature values.
For example, for the IP behavior information, for each label the feature value is 0 if the label is absent; otherwise the feature value is 1 divided by the square of the number of months between the label's time and today.
The known IP database is taken as a training set, and the credibility and size of the training set affect the training results. And processing the training set according to the method to form a feature matrix. For example, the training may be performed using a machine learning algorithm. Here, we take the generated training data set as training data set D.
Next, in a decision tree generation step S300, based on the training set, a classification and regression decision tree is generated according to the training set and a predetermined condition.
In the process of generating the decision tree, the input is the training data set D and the condition for stopping the calculation, and the output is the classification and regression decision tree. The algorithm used is as follows:
A training data set is constructed and, starting from the root node, the following operations are performed recursively on each node to construct a binary decision tree:
(1) setting the training data set of the node as D, and calculating the Gini index of the existing features for the data set. Here, for each feature A and for each value α that it may take, D is divided into two parts, D1 and D2, according to whether a sample point's test A = α is "yes" or "no", and the Gini index at A = α is calculated;
(2) selecting, from all possible features A and all their possible segmentation points α, the feature with the minimum Gini index and its corresponding segmentation point as the optimal feature and the optimal segmentation point. Two child nodes are generated from the current node according to the optimal feature and the optimal segmentation point, and the training data set is distributed to the two child nodes according to the feature;
(3) recursively calling (1) and (2) for the two child nodes until a stop condition is satisfied; and
(4) a classification and regression decision tree T0 is generated.
The conditions for stopping the calculation are, for example, that the number of samples in the node is less than a predetermined threshold, or that the Gini index of the sample set is less than a predetermined threshold (the samples belong to substantially the same class), or that there are no more features.
In order to enable the generated classification and regression decision tree to be more accurately used for risk evaluation of IP addresses, the generated classification and regression decision tree can preferably be further pruned.
Next, a pruning algorithm for the classification and regression decision tree will be described.
In the pruning algorithm of the classification and regression decision tree, the input is the decision tree T0 generated by the classification and regression algorithm, and the output is the optimal decision tree Tα. The pruning algorithm used is as follows:
(1) let $k = 0$, $T = T_0$;
(2) let $\alpha = +\infty$;
(3) computing $C(T_t)$, $|T_t|$ and
$$g(t) = \frac{C(t) - C(T_t)}{|T_t| - 1}$$
$$\alpha = \min(\alpha, g(t)),$$
where $T_t$ denotes the subtree with $t$ as the root node, $C(t)$ denotes the prediction error (e.g., Gini index) with respect to the training data when $t$ is a single-node tree, $C(T_t)$ denotes the prediction error (e.g., Gini index) with respect to the training data of the subtree with $t$ as the root node, and $|T_t|$ denotes the number of leaf nodes of $T_t$;
(4) visiting the internal nodes $t$ from top to bottom; if $g(t) = \alpha$, pruning, and determining the class of the leaf node $t$ by majority voting to obtain a tree $T$;
(5) let $k = k + 1$, $\alpha_k = \alpha$, $T_k = T$;
(6) if $T$ is not a tree consisting of the root node alone, returning to step (4);
(7) selecting an optimal subtree from the subtree sequence $T_0, T_1, \ldots, T_n$ by cross-validation, and outputting the optimal decision tree $T_\alpha$.
Finally, in the IP address risk evaluation step S400, an IP address for which risk evaluation is required is acquired, and risk evaluation of the IP address is performed based on the generated optimal decision tree Tα.
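Steps S200 to S400 and pruning steps (1) to (6), as an added Python example that is not part of the patent text. The sample records, their labels and the month index are constructed; as assumptions, splits use the threshold test A ≤ α rather than the A = α test in the description, C(·) is taken as sample-weighted Gini impurity, month gaps are clamped to at least 1, and the cross-validation of step (7) is left out.

```python
import copy
from collections import Counter

BEHAVIORS = ("scan", "spam", "proxy")   # subset of the behavior labels listed in S100
TODAY = 24                               # constructed "current month" index

# Constructed sample records (documentation address ranges, hypothetical labels):
# (ip, idc, dynamic_ip, associated_domain_count, {behavior: month last seen}, label)
SAMPLE = [
    ("192.0.2.10",   1, 0, 40, {"scan": 23},  "risky"),
    ("192.0.2.11",   1, 0, 35, {"scan": 22},  "risky"),
    ("192.0.2.12",   1, 0,  2, {"scan": 21},  "risky"),
    ("198.51.100.5", 0, 1,  0, {},            "benign"),
    ("198.51.100.6", 0, 1,  1, {"scan": 2},   "benign"),
    ("198.51.100.7", 0, 0,  3, {},            "benign"),
    ("203.0.113.8",  1, 0,  5, {"proxy": 12}, "benign"),
    ("203.0.113.9",  0, 1,  0, {"spam": 23},  "risky"),
]

def featurize(rec, today=TODAY):
    """S200: 0/1 attribute flags, domain count, and 1/months^2 per behavior label."""
    _ip, idc, dynamic_ip, n_domains, seen, _label = rec
    # Assumption: month gaps are clamped to >= 1 so a same-month label cannot divide by zero.
    decay = [1.0 / max(1, today - seen[b]) ** 2 if b in seen else 0.0 for b in BEHAVIORS]
    return [idc, dynamic_ip, n_domains] + decay

def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def best_split(X, y):
    """Steps (1)-(2): try every feature A and cut point, keep the minimum weighted Gini."""
    best = None
    for f in range(len(X[0])):
        for a in sorted({row[f] for row in X})[:-1]:    # the largest value would leave D2 empty
            d1 = [y[i] for i, row in enumerate(X) if row[f] <= a]
            d2 = [y[i] for i, row in enumerate(X) if row[f] > a]
            score = (len(d1) * gini(d1) + len(d2) * gini(d2)) / len(y)
            if best is None or score < best[0]:
                best = (score, f, a)
    return best

def build(X, y, min_samples=2, min_gini=1e-9):
    """Steps (3)-(4): recurse until a stop condition from the description holds."""
    node = {"n": len(y), "gini": gini(y), "label": Counter(y).most_common(1)[0][0]}
    split = best_split(X, y) if len(y) >= min_samples and node["gini"] > min_gini else None
    if split is None:                                   # too few samples, pure node, or no feature left
        return node
    _, f, a = split
    halves = []
    for keep in (lambda v: v <= a, lambda v: v > a):
        idx = [i for i, row in enumerate(X) if keep(row[f])]
        halves.append(build([X[i] for i in idx], [y[i] for i in idx], min_samples, min_gini))
    node.update(feature=f, threshold=a, left=halves[0], right=halves[1])
    return node

def leaves(t):
    return [t] if "feature" not in t else leaves(t["left"]) + leaves(t["right"])

def internal(t):                                        # pre-order, i.e. top-down
    return [] if "feature" not in t else [t] + internal(t["left"]) + internal(t["right"])

def g(t, total):
    """g(t) = (C(t) - C(T_t)) / (|T_t| - 1), with C as sample-weighted Gini impurity."""
    lv = leaves(t)
    c_t = t["n"] / total * t["gini"]
    c_subtree = sum(leaf["n"] / total * leaf["gini"] for leaf in lv)
    return (c_t - c_subtree) / (len(lv) - 1)

def prune_sequence(t0):
    """Pruning steps (1)-(6): return [(alpha_k, T_k)] from T0 down to the root-only tree."""
    tree, seq = copy.deepcopy(t0), [(0.0, copy.deepcopy(t0))]
    while "feature" in tree:
        alpha = min(g(t, tree["n"]) for t in internal(tree))
        for t in internal(tree):
            if "feature" in t and abs(g(t, tree["n"]) - alpha) < 1e-12:
                for key in ("feature", "threshold", "left", "right"):
                    del t[key]                          # t becomes a leaf with its majority label
        seq.append((alpha, copy.deepcopy(tree)))
    return seq

def predict(tree, row):
    while "feature" in tree:
        tree = tree["left"] if row[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["label"]

X = [featurize(r) for r in SAMPLE]
Y = [r[-1] for r in SAMPLE]
T0 = build(X, Y)
SEQUENCE = prune_sequence(T0)

if __name__ == "__main__":
    for alpha, tree in SEQUENCE:
        print(f"alpha={alpha:.3f} leaves={len(leaves(tree))}")
    probe = featurize(("203.0.113.50", 0, 1, 0, {"spam": 23}, None))
    print([predict(tree, probe) for _, tree in SEQUENCE])
```

On this constructed set the 22-month-old scan label decays below the root cut point, and the first pruned tree drops the spam rule, so a spam-only address is scored differently by T0 and T1; that difference is what the cross-validation in step (7) is meant to arbitrate.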
The IP risk evaluation method of the present invention is explained above. Next, the IP risk evaluation system of the present invention will be described.
Fig. 2 shows an IP risk evaluation system according to an embodiment of the present invention.
As shown in fig. 2, an IP risk evaluation system according to an embodiment of the present invention includes:
the IP behavior data acquisition module 100 is configured to acquire IP behavior data and form an IP database;
a feature matrix extraction module 200, configured to perform feature processing on the IP behavior data to form a feature matrix, with the IP database as a training set;
a decision tree generating module 300, configured to generate a classification and regression decision tree according to the training set and a specified condition based on the training set; and
the IP address risk evaluation module 400 is configured to obtain an IP address for which risk evaluation is required, and perform risk evaluation on the IP address based on the classification and regression decision tree.
The IP data collected by the IP behavior data collection module 100 includes but is not limited to: IP attribute information, IP association information, and IP behavior information.
In the feature matrix extraction module 200, for the IP attribute information, a corresponding code is selected as a feature value or 0, 1 is used as a feature value; for the IP associated information, selecting the number of historical associated domain names or the average domain name as a characteristic value; and for the IP behavior information, selecting the time number of the IP behavior from a specified time point as a characteristic value.
The decision tree generation module 300 constructs a training set and recursively operates on each node starting with the root node to construct a binary decision tree. The calculation process for constructing the binary decision tree has already been described in the above description, and a repeated description is omitted here.
Furthermore, in order to enable the generated classification and regression decision tree to be more accurately used for risk evaluation of the IP address, the decision tree generation module 300 is preferably capable of further pruning the generated classification and regression decision tree to generate the optimal decision tree Tα. The calculation process for generating the optimal decision tree Tα has likewise been described above, and a repeated description is omitted here.
The present invention also provides a computer-readable storage medium having stored thereon a computer program characterized in that the program, when executed by a processor, implements the IP risk assessment method of the present invention described above.
The present invention also provides a computer device, comprising a memory, a processor and a computer program stored on the memory and operable on the processor, wherein the processor implements the IP risk assessment method of the present invention when executing the program.
According to the IP risk evaluation method and the IP risk evaluation system, compared with the current IP risk evaluation method, the following technical effects can be obtained:
(1) IP address information is acquired from a global view, and various attributes such as time attributes are also provided, so that the IP state can be comprehensively reflected, and the evaluation result is more accurate;
(2) with the updating of the training data, the decision tree can be continuously updated;
(3) the decision tree can be further optimized to obtain an optimal decision tree, so that IP risk evaluation can be more accurately carried out;
(4) the decision tree is used for IP risk evaluation, so the evaluation is easy to understand and implement.
The above examples mainly describe the IP risk evaluation method and the IP risk evaluation system of the present invention. Although only a few embodiments of the present invention have been described in detail, those skilled in the art will appreciate that the present invention may be embodied in many other forms without departing from the spirit or scope thereof. Accordingly, the present examples and embodiments are to be considered as illustrative and not restrictive, and various modifications and substitutions may be made therein without departing from the spirit and scope of the present invention as defined by the appended claims.

Claims (8)

1. An IP risk evaluation method is characterized by comprising the following steps:
an IP behavior data acquisition step, which is to acquire IP behavior data and form an IP database;
a characteristic matrix extraction step, namely taking the IP database as a training set, and performing characteristic processing on the IP behavior data to form a characteristic matrix;
a decision tree generation step, based on the training set, generating a classification and regression decision tree according to the training set and a specified condition; and
an IP address risk evaluation step, namely acquiring the IP address needing risk evaluation, carrying out the risk evaluation of the IP address based on the classification and regression decision tree,
the IP data collected in the IP behavior data collection step includes: IP attribute information, IP association information, and IP behavior information,
in the feature matrix extraction step, the following feature processing is performed on the IP data: for the IP attribute information, selecting a corresponding code as a characteristic value or taking 0 and 1 as characteristic values; for the IP associated information, selecting the number of historical associated domain names or the average domain name as a characteristic value; and for the IP behavior information, selecting the time number of the IP behavior from a specified time point as a characteristic value.
2. The IP risk assessment method of claim 1,
in the step of generating the decision tree, a training set is constructed, and specified operation is performed on each node from a root node in a recursion mode to construct a binary decision tree.
3. The IP risk assessment method of claim 2,
the decision tree generating step comprises the following substeps:
(1) setting the training data set of the nodes as D, calculating the Gini index of the existing features to the data set, and dividing D into two parts, namely D1 and D2, for each feature A;
(2) selecting the feature with the minimum Gini index and the corresponding segmentation point as the optimal feature and the optimal segmentation point from all possible features A and all possible segmentation points alpha thereof, generating two child nodes from the current node by using the optimal feature and the optimal segmentation point, and distributing the training data set into the two child nodes according to the features;
(3) recursively calling the (1) and (2) for the two child nodes until a stop condition is met;
(4) a classification and regression decision tree T0 is generated.
4. The IP risk assessment method of claim 3,
the decision tree generating step further comprises the following sub-steps after the step (4):
(5) executing a pruning algorithm on the classification and regression decision tree T0 to obtain an optimal decision tree Tα.
5. An IP risk evaluation system is characterized by comprising:
the IP behavior data acquisition module is used for acquiring IP behavior data and forming an IP database;
the characteristic matrix extraction module is used for taking the IP database as a training set and carrying out characteristic processing on the IP behavior data to form a characteristic matrix;
a decision tree generation module for generating a classification and regression decision tree according to the training set and a specified condition based on the training set; and
an IP address risk evaluation module for obtaining the IP address needing risk evaluation and carrying out the risk evaluation of the IP address based on the classification and regression decision tree,
the IP data collected by the IP behavior data collecting module comprises: IP attribute information, IP association information, and IP behavior information,
in the feature matrix extraction module, for IP attribute information, selecting a corresponding code as a feature value or taking 0 and 1 as feature values; for the IP associated information, selecting the number of historical associated domain names or the average domain name as a characteristic value; and for the IP behavior information, selecting the time number of the IP behavior from a specified time point as a characteristic value.
6. The IP risk assessment system of claim 5,
the decision tree generation module constructs a training set and recursively operates on each node starting from a root node to construct a binary decision tree.
7. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the IP risk assessment method of any one of claims 1 to 4.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the IP risk assessment method of any one of claims 1 to 4 when executing the program.
Priority Applications (1)

Application Number: CN201710887457.2A
Priority Date: 2017-09-27
Filing Date: 2017-09-27
Title: IP risk evaluation method and IP risk evaluation system

Publications (2)

Publication Number: CN107920055A, Publication Date: 2018-04-17
Publication Number: CN107920055B, Publication Date: 2020-08-25
