CN108632272A - A network-based attack tool identification method and system - Google Patents


Info

Publication number
CN108632272A
CN108632272A (application CN201810419714.4A)
Authority
CN
China
Prior art keywords
attack
tool
network
sample
connection
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810419714.4A
Other languages
Chinese (zh)
Inventor
林宏刚
陈麟
黄元飞
张家旺
李燕伟
王鹏翩
尹杰
曹鹤鸣
蒋梦丹
林星辰
应志军
吴倩
杜薇
陈禹
张晓娜
王博
杨鹏
高强
陈亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu University of Information Technology
National Computer Network and Information Security Management Center
Original Assignee
Chengdu University of Information Technology
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2018-05-04
Filing date
2018-05-04
Publication date
2018-10-09
2018-05-04: Application filed by Chengdu University of Information Technology and National Computer Network and Information Security Management Center
2018-05-04: Priority to CN201810419714.4A
2018-10-09: Publication of CN108632272A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the field of cyberspace security and discloses a network-based attack tool identification method and system. A target system is attacked with a network attack tool in a test environment to obtain network data samples; for attack tools that are not available, suspicious data samples are obtained through a honeypot. The attack samples are grouped and subjected to sequence alignment, and the alignment results are then iteratively aligned again; the common, invariant components are extracted, the optimal attack signature of each attack tool is finally extracted, and hacker tools are then identified according to the attack signature of each tool. The invention analyzes and compares the network data samples of attack tools directly, extracts their common, invariant components and forms them into attack signatures, so it can distinguish different attack tools more accurately and improves the recognition rate; at the same time it overcomes the false positives and false negatives that arise when extracting from logs and improves the accuracy of identification.

Description

A network-based attack tool identification method and system
Technical field
The invention belongs to the field of cyberspace security, and in particular relates to a network-based attack tool identification method and system.
Background art
At present, the prior art commonly used in the industry is as follows:
As the internet plays an increasingly important role in every aspect of politics, the economy, culture and daily life, its security has also drawn more public concern. In the face of an increasingly serious network security situation, relying solely on traditional passive defences such as deployed firewalls, IDS and IPS is not enough to guarantee the network security of organizations and companies. Both the level of the attack tools used by attackers and the skill of the attackers themselves have improved greatly, and in general a network attacker uses multiple means during an attack to hide and evade tracking. Identifying the attack tool used by an attacker promptly and efficiently is therefore an effective way to guarantee network security dynamically and continuously: it can guide defenders to take targeted defensive measures, help with the subsequent determination of the hacker's identity, and provide strong evidence for punishing cybercriminals through the judicial system.
"A hacker tool mining method, device and system" (Publication No. 201610514159.4) provides a hacker tool mining method, device and system that applies data mining to attack log analysis and mines the attack patterns of hacker tools, so that a firewall can identify hacker tools according to the attack pattern of each tool and provide a corresponding complete protection service, improving system security.
In summary, the problems with the prior art are:
(1) In the prior art, attack tool identification relies entirely on attack log information from different devices, which raises two main problems: 1) attack log information is an intermediate description of the attack tool's characteristics, not comprehensive or complete enough, which lowers the recognition rate of attack tools; 2) false positives and false negatives in the logs lower the accuracy of attack tool identification.
(2) The prior art identifies hacker tools according to the attack pattern of each hacker tool, and the recognition rate is not high.
Difficulty and significance of solving the above technical problems:
The invention analyzes and compares the network data samples of attack tools directly, extracts their common, invariant components and forms them into attack signatures, so it can distinguish different attack tools more accurately and improves the recognition rate; at the same time it overcomes the false positives and false negatives that arise when extracting from logs and improves the accuracy of identification. The invention can promptly and efficiently identify the attack tool an attacker uses, which provides strong help in guiding defenders to take targeted defensive measures and in the subsequent determination of the hacker's identity, and provides strong evidence for punishing cybercriminals through the judicial system.
Summary of the invention
In view of the problems of the prior art, the invention provides a network-based attack tool identification method and system.
The invention is realized as follows. A network-based attack tool identification method, in which:
a target system is attacked with a network attack tool in a test environment to obtain network data samples; for attack tools that are not available, suspicious data samples are obtained through a honeypot; the attack samples are grouped and subjected to sequence alignment, and the alignment results are then iteratively aligned again; the common, invariant components are extracted, the optimal attack signature of each attack tool is finally extracted, and hacker tools are then identified according to the attack signature of each tool.
Further, the network-based attack tool identification method specifically includes:
Step 1: in a test environment, attack the target machine system directly with the collected attack tools, obtain the network data containing the attacks, and record it as multiple attack samples; for attack tools that have not been collected, obtain data samples through a honeypot.
Step 2: group the pending suspicious samples two per group; when the number of samples is odd, the last sample is placed directly into the next round's alignment set, to avoid errors caused by incomplete data.
Step 3: perform sequence alignment on each group of attack samples using the Polygraph algorithm, and obtain the alignment result of each group.
Step 4: process the alignment sequences obtained in this round with the pruning algorithm. The pruning algorithm processes the alignment results according to the requirement "the alignment result contains fragments of 3 or more characters, and the number of fragments is 3 or more"; fragments that meet the requirement are kept and those that do not are discarded. The alignment sequences that meet the pruning condition are then added to the next round's alignment set.
Step 5: group the pending samples in the next round's alignment set two per group, again perform sequence alignment on each group of attack samples with the Polygraph algorithm, and obtain the alignment results.
Step 6: repeat steps 4 and 5; the iteration is complete when only one alignment result remains, which gives the final alignment sequence.
Step 7: process the alignment result to obtain the attack signature. Analyze the alignment result and use the keywords "offset" and "distance" to express the wildcard "*" in the alignment result, which determines the minimum number of letters contained between feature fragments; this gives the relative positional relationship between feature fragments and yields the attack signature.
Step 8: repeat steps 1 to 7, establish a mapping between each attack tool, its related information and its corresponding attack signature, store it in a database, and build the attack tool feature database.
Step 9: obtain the attack samples detected by other security devices in the network, compare the features obtained after processing them against the features in the attack tool feature database, and automatically identify the corresponding attack tool.
Step 10: if the tool is not identified, add the feature of the collected unknown attack tool to the attack tool feature database.
Another object of the invention is to provide a computer program implementing the network-based attack tool identification method.
Another object of the invention is to provide an information data processing terminal implementing the network-based attack tool identification method.
Another object of the invention is to provide a computer-readable storage medium including instructions which, when run on a computer, cause the computer to execute the network-based attack tool identification method.
Another object of the invention is to provide a cyberspace security control system based on the network-based attack tool identification method.
In summary, the advantages and positive effects of the invention are:
The invention attacks a target system with existing network attack tools in a test environment to obtain network data samples; for attack tools that are not available, suspicious data samples are obtained through a honeypot. The attack samples are grouped and subjected to sequence alignment, then the alignment results are iteratively aligned again and refined step by step; the common, invariant components are extracted, the optimal attack signature of each attack tool is finally extracted, and hacker tools are then identified according to the attack signature of each tool. The method analyzes and compares the network data samples of attack tools directly, extracts their common, invariant components and forms them into attack signatures, so it can distinguish different attack tools more accurately and improves the recognition rate; at the same time it overcomes the false positives and false negatives that arise when extracting from logs and improves the accuracy of identification.
The invention is mainly applied to identifying attack tool software: the corresponding tool is identified by signature analysis of the network packets generated by the attack tool, so the corresponding software can be analyzed when packets are intercepted. By automatically identifying the hacker tool used by an attacker, the method can guide defenders to take targeted defensive measures, help with the subsequent determination of the hacker's identity, and provide strong evidence for punishing cybercriminals through the judicial system; it is the most effective way of guaranteeing network security dynamically and continuously.
A honeypot system was built on HoneyDrive, a DDoS attack was launched against the honeypot system with the existing DDoS attack tool HOIC, and 23 MB of attack packets were captured; the feature value extracted after analysis and processing with the method provided by the invention is shown in Fig. 3. After this feature value was added to the attack tool feature database, the attack was replayed in the network with the HOIC tool and the system correctly found this attack tool, as shown in Fig. 4. The simulation results prove the feasibility and validity of the method.
Description of the drawings
Fig. 1 is a flow chart of the network-based attack tool identification method provided by an embodiment of the invention.
Fig. 2 is a schematic diagram of attack tool feature extraction provided by an embodiment of the invention.
Fig. 3 shows the feature value extracted after analysis and processing, provided by an embodiment of the invention.
Fig. 4 shows the attack tool being correctly found when, after the feature value of Fig. 3 has been added to the attack tool feature database, the attack is replayed in the network with the HOIC tool, provided by an embodiment of the invention.
Detailed description
In order to make the purpose, technical solution and advantages of the invention clearer, the invention is further elaborated below with reference to embodiments. It should be understood that the specific embodiments described here are only used to illustrate the invention and are not used to limit it.
In the prior art, attack tool identification relies entirely on attack log information from different devices, which raises two main problems: 1) attack log information is an intermediate description of the attack tool's characteristics, not comprehensive or complete enough, which lowers the recognition rate of attack tools; 2) false positives and false negatives in the logs lower the accuracy of attack tool identification.
Fig. 1: the core of the network-based attack tool identification method provided by the embodiment of the invention is the attack signature generation algorithm. Its basic principle is to group the attack samples and perform sequence alignment, then repeatedly and iteratively align the alignment results, refining step by step, and finally extract the optimal attack signature.
It specifically includes:
Step 1: in a test environment, attack the target machine system directly with the collected attack tools, obtain the network data containing the attacks, and record it as multiple attack samples; for attack tools that have not been collected, data samples can be obtained through a honeypot.
Step 2: group the pending suspicious samples two per group; if the number of samples is odd, the last sample is placed directly into the next round's alignment set to avoid errors caused by incomplete data.
Step 3: perform sequence alignment on each group of attack samples using the Polygraph algorithm, and obtain the alignment result of each group.
Step 4: to speed up convergence of the algorithm and exclude noise, process the alignment sequences with the pruning algorithm. The pruning algorithm processes the alignment results according to the requirement "fragments in the alignment result have 3 or more characters, and the number of fragments is 3 or more"; fragments that meet the requirement are kept and those that do not are discarded. If the extracted attack signature is "...http...abc...de...", the number of fragments contained in this alignment result is 3, namely http, abc and de. Two of these fragments (http and abc) have at least 3 characters, so the pruning condition is met and this alignment result continues into the next round of the iterative algorithm.
Step 5: group the pending samples in the next round's alignment set two per group, again perform sequence alignment on each group of attack samples with the Polygraph algorithm, and obtain the alignment results.
Step 6: repeat steps 4 and 5; the iteration is complete when only one alignment result remains, which gives the final alignment sequence.
Step 7: process the final alignment sequence with the pruning algorithm.
Step 8: analyze the alignment result. The wildcard "*" in the alignment result can be used to determine the minimum number of letters contained between feature fragments, and thus reflects the relative positional relationship between feature fragments; this relationship is expressed with the keywords "offset" and "distance". Processing the alignment result in this way yields the attack signature.
Step 9: repeat steps 1 to 8, establish a mapping between each attack tool, its related information and its corresponding attack signature, store it in a database, and build the attack tool feature database.
Step 10: obtain the attack samples detected by other security devices in the network, process them with the same method, compare the resulting features against the features in the attack tool feature database, and if they match, automatically identify the corresponding attack tool.
Step 11: if the tool is not identified, add the feature of the collected unknown attack tool to the attack tool feature database, so that the same attack sample can be identified the next time it is encountered.
The invention is further described below with reference to a specific embodiment.
Fig. 2 describes the implementation of the invention in detail, taking the extraction of 5 attack samples of a certain attack tool as an example:
Step 1: in a test environment, attack the target machine system directly with an existing network attack tool, obtain the network data containing the attacks, and record it as 5 attack samples.
Step 2: group the pending attack samples two per group. As shown in the first layer of Fig. 2, attack samples P1 and P2 form one group and P3 and P4 form another. Since the number of samples is odd, the last sample packet P5 is placed directly into the next round's alignment set to avoid errors caused by incomplete data.
Step 3: perform sequence alignment on each group of first-layer attack samples using the Polygraph algorithm. As shown in Fig. 2, analysis of the first-layer samples P1 and P2 produces the alignment sequence A12, and analysis of the first-layer samples P3 and P4 produces the alignment sequence A34.
Step 4: filter the alignment sequences with the pruning algorithm and add the results, as second-layer samples, to the next round's alignment set. As shown in the second layer of Fig. 2, the pruning algorithm is first applied to the alignment sequences A12 and A34, and its results then enter the next round of alignment as second-layer samples.
Step 5: group the pending attack samples two per group and again perform sequence alignment on each group with the Polygraph algorithm to obtain the alignment results. As shown in Fig. 2, A12 and A34 form one group; sequence alignment of this group with the Polygraph algorithm gives the alignment result A1234.
Step 6: repeat steps 4 and 5, and complete the iteration when only one alignment result remains, which gives the final alignment sequence. As shown in the third layer of Fig. 2, analysis of A1234 and P5 gives the alignment sequence A; since only one alignment result remains, the iteration exits and the final alignment sequence A is obtained.
Step 7: analyze the alignment result, use the keywords "offset" and "distance" to express the wildcard "*" in the alignment result, determine the minimum number of letters contained between feature fragments, obtain the relative positional relationship between feature fragments, and obtain the attack signature S.
Step 8: establish a mapping between the attack tool and its attack signature S and store it in the attack tool feature database.
Step 9: obtain the attack samples detected by other security devices in the network, process them with the same method, and compare the resulting features against the features in the attack tool feature database to automatically identify whether they correspond to a known attack tool.
Step 10: if the tool is not identified, add the generated feature of the attack tool to the attack tool feature database, so that the same attack sample can be identified the next time it is encountered.
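The signature generation loop of steps 2 to 7 above, following the P1..P5 / A12 / A34 / A1234 / A flow of Fig. 2, as an added, runnable example; this is not the patent's code and makes two assumptions that the page does not settle. The Polygraph alignment the patent names is stood in for by a recursive longest-common-substring alignment (take the longest common fragment, then recurse on either side of it), and the pruning condition is read as "at least three fragments, at least one of them three or more characters", which is the reading under which the page's own "...http...abc...de..." example is retained. The wildcard between fragments is written as a run of "*" whose length is the smallest number of characters seen in that gap, so that step 7's offset/distance values can be read straight off the result. The five samples are constructed; the digits stand in for per-request variation.

```python
"""Attack signature generation by iterative pairwise alignment (added example,
not the patent's code). Samples are paired, each pair is aligned into ordered
common fragments, results failing the pruning condition are dropped, an odd
sample is carried forward unchanged, and the survivors are aligned again until
one signature remains."""
from typing import List, Optional, Tuple

WILD = "*"          # a run of k wildcards means "at least k characters here"
MIN_FRAGS = 3       # pruning: at least this many fragments ...
MIN_FRAG_CHARS = 3  # ... and at least one fragment this long (reading of the page's rule)


def _longest_common(a: str, b: str) -> Tuple[int, int, int]:
    """Longest common substring containing no wildcard: (start_a, start_b, length)."""
    best = (0, 0, 0)
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        if a[i - 1] != WILD:                      # wildcards never count as matching text
            for j in range(1, len(b) + 1):
                if a[i - 1] == b[j - 1]:
                    cur[j] = prev[j - 1] + 1
                    if cur[j] > best[2]:
                        best = (i - cur[j], j - cur[j], cur[j])
        prev = cur
    return best


def _fragments(a: str, b: str) -> List[Tuple[int, int, str]]:
    """Ordered common fragments: the longest one, then recursion on both sides of it.
    This stands in for the Polygraph alignment (assumption)."""
    i, j, n = _longest_common(a, b)
    if n == 0:
        return []
    left = _fragments(a[:i], b[:j])
    right = [(i + n + ri, j + n + rj, t) for ri, rj, t in _fragments(a[i + n:], b[j + n:])]
    return left + [(i, j, a[i:i + n])] + right


def align(a: str, b: str) -> str:
    """Steps 3/5: alignment result = fragments joined by wildcard runs. The run before a
    fragment is the smaller of the two gaps seen in a and b, i.e. the minimum number of
    characters that precede it (leading run = minimum offset from the start)."""
    out, end_a, end_b = [], 0, 0
    for sa, sb, frag in _fragments(a, b):
        out.append(WILD * min(sa - end_a, sb - end_b))
        out.append(frag)
        end_a, end_b = sa + len(frag), sb + len(frag)
    return "".join(out)


def prune(result: str) -> Optional[str]:
    """Step 4: keep a result only if it has >= MIN_FRAGS fragments and at least one of
    them has >= MIN_FRAG_CHARS characters; the page's '...http...abc...de...' passes."""
    frags = [f for f in result.split(WILD) if f]
    if len(frags) >= MIN_FRAGS and any(len(f) >= MIN_FRAG_CHARS for f in frags):
        return result
    return None


def generate_signature(samples: List[str]) -> Optional[str]:
    """Steps 2-6: pair, align, prune, carry an odd sample forward, repeat until one result."""
    pool = list(samples)
    while len(pool) > 1:
        nxt = []
        for k in range(0, len(pool), 2):
            if k + 1 == len(pool):
                nxt.append(pool[k])               # odd one out joins the next round as-is
                continue
            kept = prune(align(pool[k], pool[k + 1]))
            if kept is not None:
                nxt.append(kept)
        if not nxt:
            return None                           # every pair was pruned away
        pool = nxt
    sig = pool[0] if pool else None
    return None if sig in samples else sig        # a lone raw sample is not a signature


# Constructed samples (P1..P5): the digit runs stand in for per-request variation such
# as URL parameters, extra headers and padding; the three constant fragments are what
# the (hypothetical) tool leaves behind in every request.
SAMPLES = [
    "11GET /hoic1111User-Agent: Mozilla11Host: target",
    "222GET /hoic22User-Agent: Mozilla2Host: target",
    "3GET /hoic333User-Agent: Mozilla333Host: target3",
    "4444GET /hoic4User-Agent: Mozilla44Host: target44",
    "55555GET /hoic5User-Agent: Mozilla5Host: target555",
]

if __name__ == "__main__":
    print(generate_signature(SAMPLES))   # *GET /hoic*User-Agent: Mozilla*Host: target
```

Running it reproduces the Fig. 2 shape: P1/P2 give A12 = `**GET /hoic**User-Agent: Mozilla*Host: target`, P3/P4 give A34 with different gap lengths, A12/A34 give A1234, and aligning A1234 with the carried-over P5 gives the final sequence A, in which every gap has shrunk to the minimum observed across all five samples. Two samples with nothing in common are pruned away and yield no signature rather than an empty one.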
The invention is further described below with reference to a simulation experiment.
A honeypot system was built on HoneyDrive, a DDoS attack was launched against the honeypot system with the existing DDoS attack tool HOIC, and 23 MB of attack packets were captured; the feature value extracted after analysis and processing with the method provided by the invention is shown in Fig. 3. After this feature value was added to the attack tool feature database, the attack was replayed in the network with the HOIC tool and the system correctly found this attack tool, as shown in Fig. 4. The simulation results prove the feasibility and validity of the method.
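Step 7's offset/distance expression of a signature, the feature database of steps 8 to 10, and the replay test just described, as an added example that is not the patent's code. The keyword semantics follow the page (the wildcard run before a fragment is the minimum number of characters that precede it); they coincide with how the content modifiers `offset` and `distance` are used in Snort rules, which the page does not state and which is noted here only as an observation. The signature, the tool name and the replayed traffic are all constructed.

```python
"""Step 7 (offset/distance expression) and steps 8-10 (attack tool feature database),
added example, not the patent's code."""
import re
from typing import Dict, List, Optional, Tuple

WILD = "*"
Rule = List[Tuple[str, str, int]]   # (fragment, "offset" | "distance", minimum characters)


def to_rule(signature: str) -> Rule:
    """Step 7: the first fragment gets 'offset' n, each later one 'distance' n, where n is
    the length of the wildcard run before it, i.e. the fewest characters the alignment
    saw in that gap. Trailing wildcards constrain nothing and are dropped."""
    rule = []
    for k, m in enumerate(re.finditer(r"(\*+)?([^*]+)", signature)):
        gap = len(m.group(1) or "")
        rule.append((m.group(2), "offset" if k == 0 else "distance", gap))
    return rule


def matches(rule: Rule, data: str) -> bool:
    """Fragments must occur in order; offset counts from the start of the data, distance
    from the end of the previous fragment. Both are minimums: a longer gap still matches."""
    pos = 0
    for frag, keyword, n in rule:
        start = n if keyword == "offset" else pos + n
        hit = data.find(frag, start)
        if hit < 0:
            return False
        pos = hit + len(frag)
    return True


class ToolFeatureDB:
    """Steps 8-10: tool -> rule mapping; identify a detected sample; learn unknown tools."""

    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}

    def add(self, tool: str, signature: str) -> None:
        self.rules[tool] = to_rule(signature)

    def identify(self, data: str) -> Optional[str]:
        """Step 9: first tool whose rule matches the sample, or None."""
        for tool, rule in self.rules.items():
            if matches(rule, data):
                return tool
        return None

    def identify_or_learn(self, data: str, extracted_signature: str, label: str) -> str:
        """Step 10: an unidentified sample's signature (produced by the alignment steps over
        the unknown tool's samples) is stored under a new label so the next one is found."""
        tool = self.identify(data)
        if tool is None:
            self.add(label, extracted_signature)
            tool = label
        return tool


# Constructed signature in the wildcard form the alignment step produces, for a
# hypothetical tool "tool-A", and a constructed replayed request from the network.
DB = ToolFeatureDB()
DB.add("tool-A", "*GET /hoic*User-Agent: Mozilla*Host: target")
REPLAYED = "xGET /hoic?id=7 User-Agent: Mozilla/5.0 Host: target"

if __name__ == "__main__":
    print(to_rule("*GET /hoic*User-Agent: Mozilla*Host: target"))
    print(DB.identify(REPLAYED))   # tool-A
```

The replayed request carries extra bytes in every gap and is still identified, because each wildcard run is a lower bound. The same request starting with `GET` at byte 0 does not match a rule whose first fragment has offset 1: the alignment never saw the fragment at the very start, so the signature insists on at least one preceding byte. That is the kind of over-tight constraint a practitioner should watch for when a signature is generated from few samples; more samples can only shrink the minimums, never grow them.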
In the above embodiments, the invention can be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented wholly or partly in the form of a computer program product, the computer program product includes one or more computer instructions. When the computer program instructions are loaded or executed on a computer, the flows or functions described in the embodiments of the invention are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless (such as infrared, radio or microwave) means. The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device such as a server or data center integrating one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
The above is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (6)

1. A network-based attack tool identification method, characterized in that the network-based attack tool identification method is:
attacking a target system with a network attack tool in a test environment to obtain network data samples; for attack tools that are not available, obtaining suspicious data samples through a honeypot; grouping the attack samples and performing sequence alignment, then iteratively aligning the alignment results again;
extracting the common, invariant components, finally extracting the optimal attack signature of each attack tool, and then identifying hacker tools according to the attack signature of each tool.
2. The network-based attack tool identification method according to claim 1, characterized in that the network-based attack tool identification method specifically includes:
Step 1: in a test environment, attacking the target machine system directly with the collected attack tools, obtaining the network data containing the attacks, and recording it as multiple attack samples; for attack tools that have not been collected, obtaining data samples through a honeypot;
Step 2: grouping the pending suspicious samples two per group; when the number of samples is odd, placing the last sample directly into the next round's alignment set to avoid errors caused by incomplete data;
Step 3: performing sequence alignment on each group of attack samples using the Polygraph algorithm, and obtaining the alignment result of each group;
Step 4: processing the alignment sequences obtained in this round with the pruning algorithm, the pruning algorithm processing the alignment results according to the requirement that the alignment result contains fragments of 3 or more characters and that the number of fragments is 3 or more, fragments that meet the requirement being kept and those that do not being discarded; then adding the alignment sequences that meet the pruning condition to the next round's alignment set;
Step 5: grouping the pending samples in the next round's alignment set two per group, again performing sequence alignment on each group of attack samples with the Polygraph algorithm, and obtaining the alignment results;
Step 6: repeating steps 4 and 5, the iteration being complete when only one alignment result remains, which gives the final alignment sequence;
Step 7: processing the alignment result to obtain the attack signature; analyzing the alignment result, using keywords to express the wildcard in the alignment result, which determines the minimum number of letters contained between feature fragments, obtaining the relative positional relationship between feature fragments, and obtaining the attack signature;
Step 8: repeating steps 1 to 7, establishing a mapping between each attack tool, its related information and its corresponding attack signature, storing it in a database, and building the attack tool feature database;
Step 9: obtaining the attack samples detected by other security devices in the network, comparing the features obtained after processing them against the features in the attack tool feature database, and automatically identifying the corresponding attack tool;
Step 10: if the tool is not identified, adding the feature of the collected unknown attack tool to the attack tool feature database.
3. A computer program implementing the network-based attack tool identification method according to any one of claims 1 to 2.
4. An information data processing terminal implementing the network-based attack tool identification method according to any one of claims 1 to 2.
5. A computer-readable storage medium including instructions which, when run on a computer, cause the computer to execute the network-based attack tool identification method according to any one of claims 1 to 2.
6. A cyberspace security control system based on the network-based attack tool identification method according to claim 1.
Application CN201810419714.4A, priority date 2018-05-04, filing date 2018-05-04: A network-based attack tool identification method and system (Pending)

Publications (1)

Publication Number Publication Date
CN108632272A true CN108632272A (en) 2018-10-09

Family

ID=63695421

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810419714.4A Pending CN108632272A (en) 2018-05-04 2018-05-04 A network-based attack tool identification method and system

Country Status (1)

Country Link
CN (1) CN108632272A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037562A (en) * 2022-08-11 2022-09-09 北京网藤科技有限公司 Industrial control network target range construction method and system for safety verification

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101420438A (en) * 2008-11-18 2009-04-29 北京航空航天大学 Three stage progressive network attack characteristic extraction method based on sequence alignment
EP3040901A1 (en) * 2014-12-29 2016-07-06 Gemalto Sa System and method for aligning time-series data over a large range of time indices
CN106027554A (en) * 2016-06-30 2016-10-12 北京网康科技有限公司 Hacker tool mining method, device and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张鑫: "Research on automatic attack signature extraction technology based on honeypots", China Master's Theses Full-text Database, Information Science and Technology *
秦拯: "Automatic attack signature extraction method based on sequence alignment", Journal of Hunan University (Natural Sciences) *

Legal Events

Date Code Title Description
2018-10-09 PB01 Publication (application publication date: 20181009)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication