CN108632272A - A kind of network-based attack tool recognition methods and system - Google Patents
Publication number: CN108632272A (application CN201810419714.4A)
Authority: CN (China)
Prior art keywords: attack, tool, network, sample, connection
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14)
- H04L63/1458: Denial of Service (under H04L63/1441)
Abstract
The invention belongs to the field of cyberspace security and discloses a network-based attack tool recognition method and system. A target system is attacked with a network attack tool in a test environment to obtain network data samples; for attack tools that are not available, suspicious data samples are obtained through a honeypot. The attack samples are grouped and sequence-aligned, and alignment is then repeated iteratively on the alignment results; the common, invariant components are extracted, the optimal attack signature of each attack tool is finally obtained, and attack tools are then identified according to each tool's attack signature. The invention analyzes and compares the network data samples of attack tools directly, extracts their common, invariant components and forms attack signatures from them, so that different attack tools can be distinguished more accurately and the recognition rate is improved; at the same time it avoids the false positives and missed detections that arise when signatures are extracted from logs, improving recognition accuracy.
Description
Technical field
The invention belongs to the field of cyberspace security, and in particular relates to a network-based attack tool recognition method and system.
Background technology
The prior art commonly used in the field is as follows:
As the Internet plays an increasingly important role in every aspect of human politics, economy, culture and daily life, Internet security draws increasing public concern. In the face of an increasingly serious network security situation, relying solely on traditionally deployed passive defences such as firewalls, IDS and IPS is insufficient to ensure the network security of organizations and companies. Both the attack tools used by attackers and the attackers' own skill levels have improved greatly, and during an attack network attackers generally employ multiple means to hide themselves and evade tracking. Identifying the attack tool an attacker used promptly and efficiently is an effective way of dynamically and continuously ensuring network security: it can guide defenders in taking targeted defensive measures, assist in the subsequent determination of the attacker's identity, and provide strong evidence for punishing cybercriminals through the justice system.
"A hacker tool mining method, apparatus and system" (Publication No. 201610514159.4) provides a hacker tool mining method, apparatus and system that applies data mining to attack log analysis to mine the attack patterns of hacker tools, so that a firewall can identify hacker tools by the attack pattern of each tool and provide complete protection services accordingly, improving system security.
In conclusion problem of the existing technology is:
(1) in the prior art, identification attack tool fully relies on the attack logs information from distinct device, mainly deposits
In two problems:1) attack logs information is a kind of intermediate description to attacking tool characteristics, not comprehensive enough and complete, influences to attack
Hit the discrimination of tool.2) it reports and makes a false report information present in daily record by mistake, influence the accuracy rate for identifying attack tool.
(2) prior art identifies that hack tool, discrimination be not high according to the attack pattern of each hack tool;
Difficulty and significance of solving the above technical problems:
The present invention analyzes and compares the network data samples of attack tools directly, extracts their common, invariant components and forms attack signatures from them, so that different attack tools can be distinguished more accurately and the recognition rate is improved; at the same time it avoids the false positives and missed detections that arise when signatures are extracted from logs, improving recognition accuracy. The invention can identify the attack tool used by an attacker promptly and efficiently, which provides strong help in guiding defenders to take targeted defensive measures and in the subsequent determination of the attacker's identity, and provides strong evidence for punishing cybercriminals through the justice system.
Invention content
In view of the problems of the prior art, the present invention provides a network-based attack tool recognition method and system.
The invention is realized as follows. A network-based attack tool recognition method comprises:
attacking a target system with a network attack tool in a test environment to obtain network data samples, and obtaining suspicious data samples through a honeypot for attack tools that are not available; grouping the attack samples and performing sequence alignment, then repeatedly aligning the alignment results iteratively; extracting the common, invariant components, finally obtaining the optimal attack signature of each attack tool, and then identifying hacker tools according to each tool's attack signature.
Further, the network-based attack tool recognition method specifically comprises:
Step 1: In a test environment, the collected attack tools are used to attack the target machine system directly, and network data containing the attacks is obtained and recorded as multiple attack samples; for attack tools that have not been collected, data samples are obtained through a honeypot.
Step 2: The suspicious samples to be processed are grouped two per group; when the number of samples is odd, the last sample is placed directly into the next round's alignment set, avoiding errors caused by incomplete data.
Step 3: Each group of attack samples is sequence-aligned with the Polygraph algorithm, giving the alignment result of each group.
Step 4: The alignment sequences obtained in this round are processed with the pruning algorithm. The pruning algorithm processes the alignment sequence results according to the requirement "the alignment result contains fragments of 3 or more characters, and the number of fragments is 3 or more"; fragments meeting the requirement are retained and fragments not meeting it are discarded. The alignment sequences that satisfy the pruning condition are then added to the next round's alignment set.
Step 5: The samples to be processed in the next round's alignment set are grouped two per group, each group of attack samples is again sequence-aligned with the Polygraph algorithm, and the alignment results are found.
Step 6: Steps 4 and 5 are repeated; the iteration finishes when only one alignment result remains, giving the final alignment sequence.
Step 7: The alignment result is processed to obtain the attack signature: the alignment result is analyzed, the keywords "offset" and "distance" are used to express the asterisk wildcard "*" in the alignment result, which determines the minimum number of letters contained between signature fragments, and the relative positional relationship between signature fragments is thereby obtained, yielding the attack signature.
Step 8: Steps 1 to 7 are repeated, a mapping is established between each attack tool with its related information and its corresponding attack signature, and the mapping is stored in a database, building the attack tool signature database.
Step 9: Attack samples detected by other security devices in the network are obtained, the signature obtained after processing them is compared with the signatures in the attack tool signature database, and the corresponding attack tool is identified automatically.
Step 10: If no tool is identified, the signature of the collected unknown attack tool is added to the attack tool signature database.
Another object of the present invention is to provide a computer program that implements the network-based attack tool recognition method.
Another object of the present invention is to provide an information data processing terminal that implements the network-based attack tool recognition method.
Another object of the present invention is to provide a computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the network-based attack tool recognition method.
Another object of the present invention is to provide a cyberspace security control system based on the network-based attack tool recognition method.
In conclusion advantages of the present invention and good effect are:
The present invention directly attacks goal systems using existing network attack tool in test environment and obtains net
Network data sample;No attack tool is carried out by Honeypot to obtain suspicious data sample;Sample packet will be attacked
Carry out sequence alignment, then by distich with result repeat iteration join match, Stepwise Refinement, extract general character, it is constant
Ingredient finally extracts the optimal attack signature of each attack tool, is then identified according to the attack signature of each tool black
Objective tool.This method is directly analyzed and is compared to the network data sample of attack tool, extract general character, it is constant at
Point, the feature of attack is formed, different attack tools can be more accurately distinguished, improves discrimination;Overcome simultaneously and is extracted from daily record
Existing wrong report and false report improve the accuracy rate of identification.
Present invention is mainly applied to identify attack tool class software, the network packet generated using attack tool is passed through
Corresponding tool is identified to the signature analysis of data packet, so corresponding software can be analyzed when intercepting data packet.It is logical
The hack tool that this method energy automatic identification attacker uses is crossed, defender can be instructed to take targeted defensive measure, under
The determination of one step hacker's identity provides help, provides strong evidence to punish cybercriminal from the administration of justice, is dynamic continuance guarantee
The most effective method of network security.
The present invention is based on HoneyDrive to build a honey pot system, using existing ddos attack tool HOIC to honey jar
System initiates ddos attack, captures Attacking Packets 23M, feature is extracted after method analyzing processing provided by the invention
Value is as shown in Figure 3.After attack tool feature database is added in this feature value, HOIC tool replay attacks, system energy are used in a network
Correctly find this attack tool, as shown in Figure 4.The feasibility and validity of the method are proved by the simulation experiment result.
Description of the drawings
Fig. 1 is a flowchart of the network-based attack tool recognition method provided by an embodiment of the present invention.
Fig. 2 is a schematic diagram of attack tool signature extraction provided by an embodiment of the present invention.
Fig. 3 shows the signature values extracted after analysis, provided by an embodiment of the present invention.
Fig. 4 shows the attack tool being correctly found when, after the signature values of Fig. 3 provided by an embodiment of the present invention are added to the attack tool signature database, the attack is replayed in the network with the HOIC tool.
Specific implementation mode
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is further elaborated below with reference to embodiments. It should be understood that the specific embodiments described here are merely illustrative of the present invention and are not intended to limit it.
In the prior art, attack tool identification relies entirely on attack log information from different devices, which mainly has two problems: 1) attack log information is an intermediate description of attack tool characteristics that is not comprehensive or complete enough, which lowers the recognition rate of attack tools; 2) logs contain false positives and missed detections, which lowers the accuracy of attack tool identification.
As shown in Fig. 1, the core of the network-based attack tool recognition method provided by an embodiment of the present invention is the attack signature generation algorithm. Its basic principle is to group the attack samples and perform sequence alignment, then repeatedly align the alignment results iteratively and refine them step by step, finally extracting the optimal attack signature.
It specifically comprises:
Step 1: In a test environment, the collected attack tools are used to attack the target machine system directly, and network data containing the attacks is obtained and recorded as multiple attack samples; for attack tools that have not been collected, data samples can be obtained through a honeypot.
Step 2: The suspicious samples to be processed are grouped two per group; if the number of samples is odd, the last sample is placed directly into the next round's alignment set, avoiding errors caused by incomplete data.
Step 3: Each group of attack samples is sequence-aligned with the Polygraph algorithm, giving the alignment result of each group.
Step 4: To speed up convergence of the algorithm and exclude the interference of noise, the alignment sequences are processed with the pruning algorithm. The pruning algorithm processes the alignment sequence results according to the requirement "fragments in the alignment result have 3 or more characters, and the number of fragments is 3 or more"; fragments meeting the requirement are retained and fragments not meeting it are discarded. For example, if the extracted attack signature is "...http...abc...de...", this alignment result contains 3 fragments, namely http, abc and de, of which two have a length of 3 or more, so the result satisfies the pruning algorithm and continues into the next round of the iterative algorithm.
Step 5: The samples to be processed in the next round's alignment set are grouped two per group, each group of attack samples is again sequence-aligned with the Polygraph algorithm, and the alignment results are found.
Step 6: Steps 4 and 5 are repeated; the iteration finishes when only one alignment result remains, giving the final alignment sequence.
Step 7: The final alignment sequence is processed with the pruning algorithm.
Step 8: The alignment result is analyzed. The asterisk wildcard "*" in the alignment result can be used to determine the minimum number of letters contained between signature fragments, thereby reflecting the relative positional relationship between signature fragments, and this relationship is expressed with the keywords "offset" and "distance". The attack signature is obtained after the alignment result has been processed.
Step 9: Steps 1 to 8 are repeated, a mapping is established between each attack tool with its related information and its corresponding attack signature, and the mapping is stored in a database, building the attack tool signature database.
Step 10: Attack samples detected by other security devices in the network are obtained, the signature obtained after processing them with the same method is compared with the signatures in the attack tool signature database, and if they match the corresponding attack tool can be identified automatically.
Step 11: If no tool is identified, the signature of the collected unknown attack tool is added to the attack tool signature database, so that the same attack sample can be identified the next time it is encountered.
The invention is further described below with reference to a specific embodiment.
Fig. 2 describes the implementation of the present invention in detail, taking the extraction of 5 attack samples of a certain attack tool as an example:
Step 1: In a test environment, the existing network attack tool is used to attack the target machine system directly, and network data containing the attacks is obtained and recorded as 5 attack samples.
Step 2: The attack samples to be processed are grouped two per group. As shown in the first layer of Fig. 2, attack samples P1 and P2 form one group, and P3 and P4 form another. Since the number of samples is odd, the last sample packet P5 is placed directly into the next round's alignment set, avoiding errors caused by incomplete data.
Step 3: Each group of attack samples in the first layer is sequence-aligned with the Polygraph algorithm. As shown in Fig. 2, analysis of the first-layer samples P1 and P2 yields the alignment sequence A12, and analysis of the first-layer samples P3 and P4 yields the alignment sequence A34.
Step 4: The alignment sequences are filtered with the pruning algorithm, and the results produced are added to the next round's sequence alignment set as the samples of the second layer. As shown in the second layer of Fig. 2, the pruning algorithm is first applied to the alignment sequences A12 and A34, and its results are then added to the next round of alignment as the samples of the second layer.
Step 5: The attack samples to be processed are grouped two per group, and each group is again sequence-aligned with the Polygraph algorithm to find the alignment results. As shown in Fig. 2, A12 and A34 form one group, and aligning them with the Polygraph algorithm yields the alignment result A1234.
Step 6: Steps 4 and 5 are repeated, and the iteration finishes when only one alignment result remains, giving the final alignment sequence. As shown in the third layer of Fig. 2, analysis of A1234 and P5 yields the alignment sequence A; since only one alignment result remains, the iteration exits with the final alignment sequence A.
Step 7: The alignment result is analyzed; the keywords "offset" and "distance" are used to express the asterisk wildcard "*" in the alignment result, which determines the minimum number of letters contained between signature fragments, giving the relative positional relationship between the signature fragments and thus the attack signature S.
Step 8: A mapping between the attack tool and its attack signature S is established and stored in the attack tool signature database.
Step 9: Attack samples detected by other security devices in the network are obtained, and the signature obtained after processing them with the same method is compared with the signatures in the attack tool signature database to determine whether the corresponding attack tool can be identified automatically.
Step 10: If no tool is identified, the signature of the attack tool produced is added to the attack tool signature database, so that the same attack sample can be identified the next time it is encountered.
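The procedure above (steps 1 to 10, and the Fig. 2 walk-through with samples P1 to P5) as an added runnable example; it is not the patent's own code. It assumes a plain Needleman-Wunsch global alignment in place of the Polygraph algorithm, two sentinel column types (ANY and OPT) in place of the single asterisk wildcard so that the minimum distance between fragments can still be counted across rounds, and five constructed HTTP-like request samples of a hypothetical tool named ToolX.

```python
import re
from itertools import zip_longest

# Two sentinel column types stand in for the patent's single asterisk wildcard, so that
# the minimum distance between conserved fragments survives later alignment rounds.
ANY = object()   # column holding at least one character in every sample aligned so far
OPT = object()   # column that was a gap in some sample: zero or one character
GAP = -1         # Needleman-Wunsch gap penalty (assumption; Polygraph scores differently)

def pair_score(x, y):
    """Equal chars (or ANY with ANY) +2; OPT with anything, or a char mismatch, -1;
    ANY against a char 0, because some character is guaranteed in that column."""
    if x == y:
        return 0 if x is OPT else 2
    if OPT in (x, y):
        return -1
    return 0 if ANY in (x, y) else -1

def merge(x, y):
    if x == y:
        return x
    return OPT if OPT in (x, y) else ANY

def align(a, b):
    """Step 3: global alignment of two token lists (stands in for Polygraph); conserved
    characters are kept, divergent or gapped columns become ANY/OPT."""
    n, m = len(a), len(b)
    S = [[(i + j) * GAP if i * j == 0 else 0 for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            S[i][j] = max(S[i - 1][j - 1] + pair_score(a[i - 1], b[j - 1]),
                          S[i - 1][j] + GAP, S[i][j - 1] + GAP)
    i, j, out = n, m, []
    while i > 0 or j > 0:   # traceback; the diagonal is preferred on ties
        if i > 0 and j > 0 and S[i][j] == S[i - 1][j - 1] + pair_score(a[i - 1], b[j - 1]):
            out.append(merge(a[i - 1], b[j - 1])); i -= 1; j -= 1
        elif i > 0 and S[i][j] == S[i - 1][j] + GAP:
            out.append(OPT); i -= 1
        else:
            out.append(OPT); j -= 1
    return out[::-1]

def to_signature(pattern):
    """Step 7: 'offset' is the minimum number of characters before the first fragment,
    'distance'[i] the minimum number between fragment i and i+1 (one per ANY column)."""
    segs, gaps, cur, anys = [], [], "", 0
    for t in pattern + [OPT]:        # trailing OPT flushes the last fragment
        if isinstance(t, str):
            if not cur:
                gaps.append(anys)
            cur += t
        else:
            if cur:
                segs.append(cur); cur, anys = "", 0
            if t is ANY:
                anys += 1
    return {"segments": segs, "offset": gaps[0], "distance": gaps[1:]} if segs else None

def passes_pruning(pattern, min_len=3, min_segs=3):
    """Step 4 rule: at least min_segs fragments and one fragment of min_len or more
    characters (the page's own ...http...abc...de... example passes)."""
    sig = to_signature(pattern)
    return sig is not None and len(sig["segments"]) >= min_segs and any(
        len(s) >= min_len for s in sig["segments"])

def generate_signature(samples, min_len=3, min_segs=3):
    """Steps 2-7: pair the samples, align each pair, prune, carry an odd sample into
    the next round untouched, repeat until a single alignment result remains."""
    pool = [list(s) for s in samples]
    while len(pool) > 1:
        nxt = []
        for x, y in zip_longest(pool[0::2], pool[1::2]):
            pat = x if y is None else align(x, y)      # odd sample carried forward
            if y is None or passes_pruning(pat, min_len, min_segs):
                nxt.append(pat)
        if not nxt:                  # every pair was pruned: no common signature
            return None
        pool = nxt
    return to_signature(pool[0]) if passes_pruning(pool[0], min_len, min_segs) else None

def signature_regex(sig):
    """Compile offset/distance into an anchored regex for matching captured samples."""
    parts = ["^.{%d,}%s" % (sig["offset"], re.escape(sig["segments"][0]))]
    for d, seg in zip(sig["distance"], sig["segments"][1:]):
        parts.append(".{%d,}%s" % (d, re.escape(seg)))
    return re.compile("".join(parts), re.DOTALL)

def identify(sample, feature_db):
    """Steps 9-10: name of the first tool whose stored signature matches, else None."""
    return next((t for t, s in feature_db.items() if signature_regex(s).match(sample)), None)

# Constructed samples P1..P5 of hypothetical "ToolX": only the id and host name vary.
SAMPLES = ["GET /?id=%s HTTP/1.1\r\nHost: %s.example\r\nUser-Agent: ToolX/1.0\r\n\r\n" % p
           for p in [("17", "a"), ("3", "bb"), ("902", "c"), ("5", "dd"), ("64", "e")]]
FEATURE_DB = {"ToolX": generate_signature(SAMPLES)}
```

For these samples the signature has three conserved fragments with offset 0 and distance [1, 1]; identify() then matches a fresh ToolX request and returns None for a request from a different client.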
The invention is further described below with reference to a simulation experiment.
The present invention builds a honeypot system based on HoneyDrive and launches a DDoS attack on the honeypot system with the existing DDoS attack tool HOIC, capturing 23M of attack packets. The signature values extracted after analysis with the method provided by the invention are shown in Figure 3. After these signature values are added to the attack tool signature database and the attack is replayed in the network with the HOIC tool, the system correctly finds this attack tool, as shown in Figure 4. The simulation results demonstrate the feasibility and validity of the method.
In the above embodiments, implementation may be wholly or partly by software, hardware, firmware or any combination thereof. When implemented wholly or partly in the form of a computer program product, the computer program product comprises one or more computer instructions. When the computer program instructions are loaded or executed on a computer, the flows or functions described in the embodiments of the present invention are wholly or partly produced. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber or Digital Subscriber Line (DSL)) or wireless (such as infrared, radio or microwave) means. The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (such as a Solid State Disk (SSD)), etc.
The foregoing is merely a description of the preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement and improvement made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (6)
1. A network-based attack tool recognition method, characterized in that the method comprises:
attacking a target system with a network attack tool in a test environment to obtain network data samples, and obtaining suspicious data samples through a honeypot for attack tools that are not available; grouping the attack samples and performing sequence alignment, then repeatedly aligning the alignment results iteratively;
extracting the common, invariant components, finally obtaining the optimal attack signature of each attack tool, and then identifying hacker tools according to each tool's attack signature.
2. The network-based attack tool recognition method according to claim 1, characterized in that the method specifically comprises:
Step 1: In a test environment, the collected attack tools are used to attack the target machine system directly, and network data containing the attacks is obtained and recorded as multiple attack samples; for attack tools that have not been collected, data samples are obtained through a honeypot.
Step 2: The suspicious samples to be processed are grouped two per group; when the number of samples is odd, the last sample is placed directly into the next round's alignment set, avoiding errors caused by incomplete data.
Step 3: Each group of attack samples is sequence-aligned with the Polygraph algorithm, giving the alignment result of each group.
Step 4: The alignment sequences obtained in this round are processed with the pruning algorithm. The pruning algorithm processes the alignment sequence results according to the requirement that the alignment result contains fragments of 3 or more characters and that the number of fragments is 3 or more; fragments meeting the requirement are retained and fragments not meeting it are discarded. The alignment sequences that satisfy the pruning condition are then added to the next round's alignment set.
Step 5: The samples to be processed in the next round's alignment set are grouped two per group, each group of attack samples is again sequence-aligned with the Polygraph algorithm, and the alignment results are found.
Step 6: Steps 4 and 5 are repeated; the iteration finishes when only one alignment result remains, giving the final alignment sequence.
Step 7: The alignment result is processed to obtain the attack signature: the alignment result is analyzed, keywords are used to express the wildcard in the alignment result, which determines the minimum number of letters contained between signature fragments, and the relative positional relationship between signature fragments is thereby obtained, yielding the attack signature.
Step 8: Steps 1 to 7 are repeated, a mapping is established between each attack tool with its related information and its corresponding attack signature, and the mapping is stored in a database, building the attack tool signature database.
Step 9: Attack samples detected by other security devices in the network are obtained, the signature obtained after processing them is compared with the signatures in the attack tool signature database, and the corresponding attack tool is identified automatically.
Step 10: If no tool is identified, the signature of the collected unknown attack tool is added to the attack tool signature database.
3. A computer program implementing the network-based attack tool recognition method according to any one of claims 1 to 2.
4. An information data processing terminal implementing the network-based attack tool recognition method according to any one of claims 1 to 2.
5. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the network-based attack tool recognition method according to any one of claims 1 to 2.
6. A cyberspace security control system based on the network-based attack tool recognition method according to claim 1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810419714.4A CN108632272A (en) | 2018-05-04 | 2018-05-04 | A kind of network-based attack tool recognition methods and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108632272A (en) | 2018-10-09 |
Family ID: 63695421
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108632272A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115037562A (en) * | 2022-08-11 | 2022-09-09 | 北京网藤科技有限公司 | Industrial control network target range construction method and system for safety verification |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101420438A (en) * | 2008-11-18 | 2009-04-29 | 北京航空航天大学 | Three stage progressive network attack characteristic extraction method based on sequence alignment |
EP3040901A1 (en) * | 2014-12-29 | 2016-07-06 | Gemalto Sa | System and method for aligning time-series data over a large range of time indices |
CN106027554A (en) * | 2016-06-30 | 2016-10-12 | 北京网康科技有限公司 | Hacker tool mining method, device and system |
Non-Patent Citations (2)
Title |
---|
张鑫: "Research on automatic attack signature extraction technology based on honeypot technology", China Master's Theses Full-text Database (Information Science and Technology) * |
秦拯: "Automatic attack signature extraction method based on sequence alignment", Journal of Hunan University (Natural Sciences) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20181009 |