CN109327480A - Multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph - Google Patents
Multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph
- Publication number
- CN109327480A (application no. CN201811532387.XA; granted as CN109327480B)
- Authority
- CN
- China
- Prior art keywords
- attack
- alarm
- node
- sequence
- graph
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Abstract
The invention proposes a new multi-step attack scenario mining method. The method has two parts, an offline mode and an online mode. In the offline mode, known true-attack alarm logs are used to train a neural network that rejects false alarms; the remaining alarms then pass through alarm aggregation, generation of causally linked attack sequences and similar processing, from which a Bayesian network attack graph is generated. In the online mode, a large volume of live alarm logs is used to iteratively update the neural network and the Bayesian network attack graph produced by the offline mode, so that after each iteration the attack graph is more complete and accurate. Finally, multiple multi-step attack scenarios are extracted from the Bayesian network attack graph. With the technical method of the invention, false alarms can be eliminated from large and highly redundant alarm logs, attack patterns can be discovered and multi-step attack scenarios constructed.
Description
Technical field
The present invention relates to the field of scenario analysis of network logs, and proposes a multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph.
Background art
Research on alarm correlation to date falls into four classes: methods based on causal logic, methods based on scenarios, methods based on similarity, and alarm correlation analysis based on data mining.
Methods based on causal logic assume that a causal relation holds between the successive anomalous events of one threat behaviour: the later anomalous event is carried out on the premise that the earlier one succeeded. The basic idea is to specify, for every alarm type, the preconditions that must hold before it can occur and the consequences it produces, and then to correlate alarm data by matching the consequences of one alarm against the preconditions of another, thereby reconstructing the network threat behaviour. The advantages of such methods are: (1) only the cause and effect of each individual step of a threat behaviour has to be analysed, without pre-defining the whole threat behaviour sequence; (2) they have some ability to detect unknown threat behaviour, since unknown threat sequences formed by different combinations of alarms can be recognised. The disadvantages are: (1) they apply only to threat behaviours with an obvious causal relation between the steps, so the ability to discover unknown threats is weak; (2) the search space during correlation is large, the computational cost high and the demand on system resources considerable; (3) the granularity of the rule definitions is hard to control: rules that are too fine raise the miss rate, rules that are too coarse raise the false-alarm rate.
The basic idea of scenario-based methods is to abstract all known threat behaviours into rule knowledge in advance, then match the alarm data to be processed against the defined rules and reconstruct the network threat behaviour scenario from the matching result; the rule knowledge describes the process of a threat behaviour and the conditions each step must satisfy. The advantages of such methods are: (1) a varied scenario description language keeps the system flexible; (2) the system stays effective as the knowledge base is continually updated, and the results are easy to understand. The disadvantages are equally obvious: (1) being rule-based, they find new attacks with difficulty and are easy to evade; (2) the algorithms have a certain complexity and are inefficient.
Similarity-based methods assume a certain similarity between the alarms of the same threat behaviour. The basic idea is to decide whether to correlate alarms according to their degree of similarity: the attribute information of the alarm data (timestamp, alarm type, address information, etc.) is uniformly abstracted into vectors, a defined function computes the distance between vectors, and the vectors are clustered to complete the correlation. The distinctive feature of such methods is the use of quantitative calculation for alarm correlation. Their advantages are: (1) the algorithms are simple and the computational cost small; (2) they work well for threat behaviours whose alarm data are highly similar (for example worm attacks). The disadvantages are also obvious: (1) computing similarity requires many manually set parameters; (2) they can only target particular attack types, so the algorithms generalise poorly.
Data-mining methods assume that a certain connection exists between the alarms of the same network threat behaviour. The basic idea is to use data mining algorithms to find the association relations hidden behind the data distribution and to reconstruct threat behaviour sequences from that association information. Frequent episode mining is one of the commonly used data mining methods for alarm correlation [8-10]; it holds that alarm data appearing within a short time interval have some association. The alarm sequence is split into multiple subsequences by time window, frequent itemsets are then mined from these subsequences, and the alarms in a resulting frequent itemset are taken to be associated. The advantage of such methods is that, without prior knowledge, they can obtain association relations between unknown alarm types and so find new threat behaviour sequences. Their disadvantages are: (1) data mining algorithms are of high complexity and computationally expensive; (2) the accuracy of the resulting associations is hard to judge, and further analysis with domain knowledge is needed.
Summary of the invention
Based on the above problems, the present invention proposes a multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph. Known true-attack alarm logs are used to train a neural network that rejects false alarms; alarm aggregation, causally linked attack sequence generation and similar processing then produce a Bayesian network attack graph; at the same time, a large volume of online alarm logs is used to iteratively update the neural network and the Bayesian network attack graph generated in the offline mode, so as to obtain a more complete attack scenario mining result.
To achieve this purpose, the present invention adopts the following technical scheme:
1. A multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph, characterized in that it comprises the following steps:
The method is divided into two modes, an online mode and an offline mode.
A. Offline mode: first a preprocessing operation removes false alarms and redundant alarms from the IDS alarm log; then the processed IDS alarm log is used to build the initial Bayesian network attack graph of the alarm log;
B. Online mode: a large volume of real-time log information is used for iterative updating, improving the attack graph model and the efficiency of attack scenario mining;
C. Multi-step attack scenario mining is carried out on the generated Bayesian attack graph, obtaining all the distinct multi-step attack scenario sequences in the alarm log.
2. The multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph according to claim 1, characterized in that step A further comprises the following steps:
A1. Extract three attributes from the IDS alarm log: the number of related alarms, the alarm density and the alarm periodicity;
A2. Split the log as a whole into a training set and a validation set; using the three attributes of the training set, build a three-layer fully connected neural network whose output is the correctness of a log entry (whether the alarm is genuine), and check the model's correctness on the validation set, so as to eliminate false alarms;
A3. For the alarms that pass screening, first define an alarm event a as a k-tuple (at1, at2, at3, ..., atk), where ati (1 ≤ i ≤ k) denotes the i-th attribute of the alarm event. Sort the alarm events by timestamp and, for a chosen time parameter T, take T hours as one batch, dividing all alarms into L batches. Each batch is denoted bi (1 ≤ i ≤ L). Divide every batch into time windows of length Δt, traverse all time windows in each bi (1 ≤ i ≤ L), and convert and merge all alarm events a in one time window into one meta-alarm ma (the constraint that ma must satisfy is not reproduced on this page), so that the number of alarms is further reduced;
A4. Extract all meta-alarms ma in each bi (1 ≤ i ≤ L) in turn, generating L alarm sequences accordingly. An alarm sequence is a set of meta-alarms arranged in chronological order, denoted AS, AS = {ma1, ma2, ma3, …, man}, satisfying mai.timestamp ≤ maj.timestamp (1 ≤ i ≤ j ≤ n);
A5. From the L alarm sequences AS, generate m ASS from each alarm sequence according to the following causal rules, where A and B are two different meta-alarms:
(rule 1 is not reproduced on this page)
{ 2. A[dstIPs] = B[srcIPs], A[dstPort] = B[srcPort] }
In this step an ASS is an attack scenario sequence, i.e. the sequence of alarms the IDS may generate when an attacker carries out one multi-step attack activity, where ASS = {ma1, ma2, ..., mak}, mai (1 ≤ i ≤ k) denotes the i-th meta-alarm, and mai.timestamp < maj.timestamp (1 ≤ i < j ≤ k);
A6. For each attack scenario sequence ASS, initialise the Bayesian network attack graph and, following the order in the ASS, add the points of the sequence one by one as nodes of the attack graph. Determine the relation between each newly added point and the nodes already present in the BAG; that relation is the value of the node's ε attribute. Every node has a CPT, which gives the probability of the node given the states of its parent nodes. After each node is added to the network, the CPT of every node is generated. Check whether all elements of the alarm sequence AS are nodes of the BAG; any element not present in the BAG is added, until every element of the AS appears. Construction is completed by the above process, finally yielding the Bayesian network attack graph (BAG) with the 4-tuple (S, τ, ε, P).
3. The multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph according to claim 1, characterized in that step B further comprises the following steps:
B1. First the online parameters of the neural network are updated: for the neural network, set its hyperparameters, such as the learning rate learning_rate and the input size batch_size. Feed the alarm log data into the network in groups of batch_size, and update the parameters by stochastic gradient descent;
B2. Then the online parameters of the Bayesian network attack graph are updated. For S: if a new element appears in a new AS sequence, update the nodes represented by S in the BAG. For τ: for the multi-step attack sequences in the new ASS, update the corresponding attack paths of the BAG graph nodes. For ε: update the binary tuple <Sj, dj> describing the relation between a BAG node and its parent node. For P: update the probability of each alarm node, and for each node update its posterior probability with respect to its parent nodes from the influence probability of those parents, thereby updating the node's conditional probability table (CPT).
4. The multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph according to claim 1, characterized in that step C further comprises the following steps:
C1. Fix the root node and some leaf node of the Bayesian network attack graph; if there are multiple paths between the two points, find one multi-step attack sequence S along one of the paths and put that sequence into the set Q.
C2. If multiple paths exist between the root node and the leaf node of the previous step, take the attack sequence S out of Q and supplement and refine it according to the other paths. Once all paths have been chosen, delete the leaf node and put the attack sequence S back into the set Q.
C3. Repeat step C1 until only the root node remains in the Bayesian network attack graph, then take all attack sequences out of Q to obtain the final result.
Brief description of the drawings
Fig. 1 is the flowchart of the offline mode in the specific embodiment of the present invention.
Fig. 2 is the flowchart of the online mode in the specific embodiment of the present invention.
Fig. 3 is the flowchart of mining multi-step attack scenarios from the Bayesian attack graph in the specific embodiment of the present invention.
Detailed description of the embodiments
To make the above features and advantages of the invention clearer and more comprehensible, the method of the invention is described in further detail below with reference to the embodiments and the accompanying drawings.
As shown in Fig. 1, the offline mode of the multi-step attack scenario mining method of the invention based on a neural network and a Bayesian network attack graph comprises the following steps:
Step 101: extract three attributes from the IDS alarm log: the number of related alerts, the alert density and the alert periodicity.
Step 102: build a fully connected neural network on the three attributes extracted in the previous step, with the probability that an alarm log entry is correct as its output, and eliminate false alarms.
Step 103: divide all alarms into L batches; divide every batch into time windows, traverse all time windows in each bi (1 ≤ i ≤ L), and convert and merge all alarm events a in one time window into one meta-alarm ma.
Step 104: extract all meta-alarms ma in each bi (1 ≤ i ≤ L) in turn, generating L alarm sequences AS.
Step 105: from the L alarm sequences AS, generate m ASS from each alarm sequence according to the causal rules.
Step 106: for each attack scenario sequence ASS, construct the Bayesian network attack graph (BAG) with the 4-tuple (S, τ, ε, P).
As shown in Fig. 2, the online mode of the multi-step attack scenario mining method of the invention based on a neural network and a Bayesian network attack graph comprises the following steps:
Step 201: update the neural network parameters online: feed the alarm log data into the network in groups of batch_size and update the neuron parameters by stochastic gradient descent.
Step 202: update each of the parameters (S, τ, ε, P) of the Bayesian network attack graph online.
As shown in Fig. 3, the method of the invention for mining multi-step attack sequences from the completed Bayesian network attack graph comprises the following steps:
Step 301: fix the root node and some leaf node of the Bayesian network attack graph; if there are multiple paths between the two points, find one multi-step attack sequence S along one of the paths and put that sequence into the set Q.
Step 302: if multiple paths exist between the root node and the leaf node of the previous step, take the attack sequence S out of Q and supplement and refine it according to the other paths. Once all paths have been chosen, delete the leaf node and put the attack sequence S back into the set Q.
Step 303: repeat step 301 until only the root node remains in the Bayesian network attack graph, then take all attack sequences out of Q to obtain the final result.
Claims (4)
1. A multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph, characterized in that the method comprises the following steps:
The method is divided into two modes, an online mode and an offline mode.
A. Offline mode: first a preprocessing operation removes false alarms and redundant alarms from the IDS alarm log; then the processed IDS alarm log is used to build the initial Bayesian network attack graph of the alarm log;
B. Online mode: a large volume of real-time log information is used for iterative updating, improving the attack graph model and the efficiency of attack scenario mining;
C. Multi-step attack scenario mining is carried out on the generated Bayesian attack graph, obtaining all the distinct multi-step attack scenario sequences in the alarm log.
2. The multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph according to claim 1, characterized in that step A further comprises the following steps:
A1. Extract three attributes from the IDS alarm log: the number of related alarms, the alarm density and the alarm periodicity;
A2. Split the log as a whole into a training set and a validation set; using the three attributes of the training set, build a three-layer fully connected neural network whose output is the correctness of a log entry (whether the alarm is genuine), and check the model's correctness on the validation set, so as to eliminate false alarms;
A3. For the alarms that pass screening, first define an alarm event a as a k-tuple (at1, at2, at3, ..., atk), where ati (1 ≤ i ≤ k) denotes the i-th attribute of the alarm event. Sort the alarm events by timestamp and, for a chosen time parameter T, take T hours as one batch, dividing all alarms into L batches. Each batch is denoted bi (1 ≤ i ≤ L). Divide every batch into time windows of length Δt, traverse all time windows in each bi (1 ≤ i ≤ L), and convert and merge all alarm events a in one time window into one meta-alarm ma (the constraint that ma must satisfy is not reproduced on this page), so that the number of alarms is further reduced;
A4. Extract all meta-alarms ma in each bi (1 ≤ i ≤ L) in turn, generating L alarm sequences accordingly. An alarm sequence is a set of meta-alarms arranged in chronological order, denoted AS, AS = {ma1, ma2, ma3, …, man}, satisfying mai.timestamp ≤ maj.timestamp (1 ≤ i ≤ j ≤ n);
A5. From the L alarm sequences AS, generate m ASS from each alarm sequence according to the following causal rules, where A and B are two different meta-alarms:
1. (rule 1 is not reproduced on this page)
{ 2. A[dstIPs] = B[srcIPs], A[dstPort] = B[srcPort] }
In this step an ASS is an attack scenario sequence, i.e. the sequence of alarms the IDS may generate when an attacker carries out one multi-step attack activity, where ASS = {ma1, ma2, ..., mak}, mai (1 ≤ i ≤ k) denotes the i-th meta-alarm, and mai.timestamp < maj.timestamp (1 ≤ i < j ≤ k);
A6. For each attack scenario sequence ASS, initialise the Bayesian network attack graph and, following the order in the ASS, add the points of the sequence one by one as nodes of the attack graph. Determine the relation between each newly added point and the nodes already present in the BAG; that relation is the value of the node's ε attribute. Every node has a CPT, which gives the probability of the node given the states of its parent nodes. After each node is added to the network, the CPT of every node is generated. Check whether all elements of the alarm sequence AS are nodes of the BAG; any element not present in the BAG is added, until every element of the AS appears. Construction is completed by the above process, finally yielding the Bayesian network attack graph (BAG) with the 4-tuple (S, τ, ε, P).
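The preprocessing of steps A1 and A3-A5 of claim 2 (embodiment steps 101 and 103-105), as an added worked example in Python; this is not code from the patent. The text does not define the three attributes of A1 precisely, so the definitions used here are assumptions: "related alerts" are other alerts sharing the source or destination host, "density" counts alerts within ±Δt of the alert, and "periodicity" is one minus the coefficient of variation of the inter-arrival gaps of the same signature and source (1.0 means perfectly regular, the signature of scanner noise or a beaconing false positive). The fields kept in a meta-alarm and the reading of causal rule 2 over the merged IP and port sets are likewise assumptions; rule 1 is not legible on this page and is not implemented. The alerts are constructed. The neural network of step A2 is not included; its inputs would be the feature triples that `alert_features` returns.

```python
# Added example (not the patent's own code): offline-mode preprocessing of claim 2,
# steps A1 and A3-A5. Feature definitions, meta-alarm fields and the set-based reading
# of causal rule 2 are assumptions; the sample alerts are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _t(s):
    return datetime.fromisoformat(s)


# Constructed IDS alerts: a scan and SMB exploit against 10.0.1.20, a pivot from
# 10.0.1.20 to 10.0.2.30, and a periodic "Heartbeat" signature that is noise.
ALERTS = [
    {"ts": _t("2018-12-14T01:00:00"), "sig": "ET SCAN Nmap", "src": "10.0.0.5", "sport": 40001, "dst": "10.0.1.20", "dport": 445},
    {"ts": _t("2018-12-14T01:00:20"), "sig": "ET SCAN Nmap", "src": "10.0.0.5", "sport": 40002, "dst": "10.0.1.20", "dport": 445},
    {"ts": _t("2018-12-14T01:08:00"), "sig": "SMB exploit", "src": "10.0.0.5", "sport": 40003, "dst": "10.0.1.20", "dport": 445},
    {"ts": _t("2018-12-14T01:30:00"), "sig": "SMB exploit", "src": "10.0.1.20", "sport": 445, "dst": "10.0.2.30", "dport": 445},
    {"ts": _t("2018-12-14T02:00:00"), "sig": "Heartbeat", "src": "10.0.9.9", "sport": 5000, "dst": "10.0.9.1", "dport": 80},
    {"ts": _t("2018-12-14T03:00:00"), "sig": "Heartbeat", "src": "10.0.9.9", "sport": 5001, "dst": "10.0.9.1", "dport": 80},
    {"ts": _t("2018-12-14T04:00:00"), "sig": "Heartbeat", "src": "10.0.9.9", "sport": 5002, "dst": "10.0.9.1", "dport": 80},
]


def alert_features(alerts, window):
    """Step A1: per alert, (number of related alerts, alert density, alert periodicity).
    Assumed definitions: related = other alerts sharing the source or destination host;
    density = alerts within +/- window (the alert itself included); periodicity =
    1 - coefficient of variation of the inter-arrival gaps of the same (signature, source),
    0.0 when fewer than two gaps exist."""
    ts_by_key = defaultdict(list)
    for a in alerts:
        ts_by_key[(a["sig"], a["src"])].append(a["ts"])
    feats = []
    for a in alerts:
        related = sum(1 for b in alerts if b is not a and (b["src"] == a["src"] or b["dst"] == a["dst"]))
        density = sum(1 for b in alerts if abs(b["ts"] - a["ts"]) <= window)
        times = sorted(ts_by_key[(a["sig"], a["src"])])
        gaps = [(t2 - t1).total_seconds() for t1, t2 in zip(times, times[1:])]
        periodicity = 1.0 - min(1.0, pstdev(gaps) / mean(gaps)) if len(gaps) >= 2 and mean(gaps) > 0 else 0.0
        feats.append((related, density, round(periodicity, 3)))
    return feats


def aggregate(alerts, batch_hours, window):
    """Steps A3/A4: sort by timestamp, cut into batches of T hours, split each batch into
    windows of length delta-t, and merge every window's alerts into one meta-alarm ma.
    Returns the L alarm sequences AS (one per batch), each in timestamp order."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    t0, T = alerts[0]["ts"], timedelta(hours=batch_hours)
    batches = defaultdict(lambda: defaultdict(list))
    for a in alerts:
        b = int((a["ts"] - t0) / T)
        w = int((a["ts"] - t0 - b * T) / window)
        batches[b][w].append(a)
    sequences = []
    for b in sorted(batches):
        AS = []
        for w in sorted(batches[b]):
            grp = batches[b][w]
            AS.append({"ts": grp[0]["ts"], "sigs": {a["sig"] for a in grp},
                       "srcIPs": {a["src"] for a in grp}, "dstIPs": {a["dst"] for a in grp},
                       "srcPorts": {a["sport"] for a in grp}, "dstPorts": {a["dport"] for a in grp}})
        sequences.append(AS)
    return sequences


def causal(A, B):
    """Causal rule 2 of step A5, read over the merged sets: B starts where A landed."""
    return bool(A["dstIPs"] & B["srcIPs"]) and bool(A["dstPorts"] & B["srcPorts"])


def scenario_sequences(AS):
    """Step A5: derive the attack scenario sequences (ASS) of one alarm sequence by chaining
    causally linked meta-alarms with strictly increasing timestamps. A chain of a single
    meta-alarm is not multi-step and is dropped."""
    n = len(AS)
    succ = {i: [j for j in range(i + 1, n) if AS[j]["ts"] > AS[i]["ts"] and causal(AS[i], AS[j])]
            for i in range(n)}
    has_pred = {j for js in succ.values() for j in js}
    out = []

    def walk(path):
        if not succ[path[-1]]:
            if len(path) > 1:
                out.append([AS[i] for i in path])
            return
        for j in succ[path[-1]]:
            walk(path + [j])

    for i in range(n):
        if i not in has_pred:
            walk([i])
    return out


def offline_pipeline(alerts, batch_hours=2, window=timedelta(minutes=10)):
    """Runs A3-A5 over a log and returns every ASS as a list of signature sets."""
    return [[sorted(ma["sigs"]) for ma in ass]
            for AS in aggregate(alerts, batch_hours, window) for ass in scenario_sequences(AS)]


if __name__ == "__main__":
    for feat, a in zip(alert_features(ALERTS, timedelta(minutes=10)), ALERTS):
        print(a["sig"], feat)
    print(offline_pipeline(ALERTS))
```

With T = 2 hours and Δt = 10 minutes the seven alerts collapse into two batches and five meta-alarms, and rule 2 links only the exploit on 10.0.1.20 to the SMB traffic that later leaves 10.0.1.20 from port 445, so exactly one two-step ASS comes out; the heartbeat alerts get periodicity 1.0, which is the signal the A2 classifier would use to drop them.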
3. The multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph according to claim 1, characterized in that step B further comprises the following steps:
B1. First the online parameters of the neural network are updated: for the neural network, set its hyperparameters, such as the learning rate learning_rate and the input size batch_size. Feed the alarm log data into the network in groups of batch_size, and update the parameters by stochastic gradient descent;
B2. Then the online parameters of the Bayesian network attack graph are updated. For S: if a new element appears in a new AS sequence, update the nodes represented by S in the BAG. For τ: for the multi-step attack sequences in the new ASS, update the corresponding attack paths of the BAG graph nodes. For ε: update the binary tuple <Sj, dj> describing the relation between a BAG node and its parent node. For P: update the probability of each alarm node, and for each node update its posterior probability with respect to its parent nodes from the influence probability of those parents, thereby updating the node's conditional probability table (CPT).
4. The multi-step attack scenario mining method based on a neural network and a Bayesian network attack graph according to claim 1, characterized in that step C further comprises the following steps:
C1. Fix the root node and some leaf node of the Bayesian network attack graph; if there are multiple paths between the two points, find one multi-step attack sequence S along one of the paths and put that sequence into the set Q.
C2. If multiple paths exist between the root node and the leaf node of the previous step, take the attack sequence S out of Q and supplement and refine it according to the other paths. Once all paths have been chosen, delete the leaf node and put the attack sequence S back into the set Q.
C3. Repeat step C1 until only the root node remains in the Bayesian network attack graph, then take all attack sequences out of Q to obtain the final result.
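The attack graph of claim 2 step A6, the online update of claim 3 step B2 and the mining procedure of claim 4 steps C1-C3 (embodiment steps 106, 202 and 301-303), as one added Python example that is not the patent's own code. The node labels, the use of transition counts as the estimator behind each CPT (one conditional per parent rather than a table over joint parent states), the choice of the most probable path as the first sequence S and the way the other paths "supplement" it are all assumptions made here; the scenario sequences are constructed. Because S, τ, ε and P are all derived from counts, the same `add_sequence` call performs both the offline build and the online update.

```python
# Added example (not the patent's own code): a Bayesian network attack graph
# (S, tau, eps, P) built from attack scenario sequences, updated incrementally, and mined
# by the leaf-deletion procedure of claim 4. Labels, the counting CPT estimator and the
# "supplement" rule are assumptions; the scenarios are constructed.
from collections import defaultdict


class BAG:
    def __init__(self):
        self.S = set()                  # nodes
        self.tau = defaultdict(set)     # parent -> children: the attack paths
        self.eps = defaultdict(set)     # child -> parents: relation to nodes already in the graph
        self.seen = defaultdict(int)    # occurrences of each node
        self.trans = defaultdict(int)   # occurrences of each parent -> child step
        self.n_seq = 0

    def add_sequence(self, ass):
        """Add one ASS (node labels in timestamp order). Offline build and online update
        (claim 3, B2) are the same operation because every parameter is a count."""
        self.n_seq += 1
        for i, node in enumerate(ass):
            self.S.add(node)
            self.seen[node] += 1
            if i:
                parent = ass[i - 1]
                self.tau[parent].add(node)
                self.eps[node].add(parent)
                self.trans[(parent, node)] += 1

    def cpt(self, node):
        """P: probability of `node` given each parent, as the fraction of that parent's
        occurrences that were followed by `node`; roots get a prior over sequences."""
        if not self.eps[node]:
            return {(): self.seen[node] / self.n_seq}
        return {(p,): self.trans[(p, node)] / self.seen[p] for p in sorted(self.eps[node])}

    def roots(self):
        return sorted(n for n in self.S if not self.eps[n])

    def leaves(self, alive):
        return sorted(n for n in alive if not (self.tau[n] & alive))

    def paths(self, root, leaf, alive):
        """All simple root-to-leaf paths through still-alive nodes, each with the product
        of the CPT entries along it as the path probability."""
        out = []

        def walk(path, prob):
            if path[-1] == leaf:
                out.append((path, prob))
                return
            for c in sorted(self.tau[path[-1]] & alive):
                if c not in path:   # repeated labels can form cycles; never revisit a node
                    walk(path + [c], prob * self.trans[(path[-1], c)] / self.seen[path[-1]])

        walk([root], self.cpt(root)[()])
        return out

    def mine(self):
        """Steps C1-C3: fix the root and a leaf; one path (here the most probable) gives the
        sequence S; the other paths supplement S with the nodes it lacks, inserted before
        the leaf; then the leaf is deleted and the process repeats until only the root(s)
        remain. Returns the set Q."""
        alive, Q = set(self.S), []
        roots = set(self.roots())
        while alive - roots:
            progressed = False
            for leaf in self.leaves(alive):
                if leaf in roots:
                    continue
                for root in sorted(roots):
                    ps = self.paths(root, leaf, alive)
                    if not ps:
                        continue
                    main, p_max = max(ps, key=lambda x: x[1])
                    S = list(main)
                    for path, _ in ps:
                        for node in path:
                            if node not in S:
                                S.insert(S.index(leaf), node)
                    Q.append({"root": root, "leaf": leaf, "sequence": S, "p_max": round(p_max, 3)})
                alive.discard(leaf)
                progressed = True
            if not progressed:      # only cyclic or root-unreachable structure is left
                break
        return Q


# Constructed ASS (labels stand for meta-alarms); three share the scan -> smb_exploit step.
SCENARIOS = [
    ["scan", "smb_exploit", "lateral_smb", "data_exfil"],
    ["scan", "smb_exploit", "lateral_smb", "data_exfil"],
    ["scan", "web_sqli", "webshell", "data_exfil"],
    ["scan", "smb_exploit", "priv_esc"],
]


def build(scenarios=SCENARIOS):
    bag = BAG()
    for ass in scenarios:
        bag.add_sequence(ass)
    return bag


if __name__ == "__main__":
    bag = build()
    print("CPT(data_exfil) =", bag.cpt("data_exfil"))
    for entry in bag.mine():
        print(entry)
    bag.add_sequence(["scan", "smb_exploit", "priv_esc", "data_exfil"])  # online update, B2
    print("CPT(priv_esc) after update =", bag.cpt("priv_esc"))
```

On the constructed scenarios the first entry of Q merges the two root-to-data_exfil paths into one six-node sequence with path probability 0.5 for the SMB branch, and the leaf-deletion loop then yields the shorter prefixes down to the two-step sequences under the root, six sequences in all. The closing online update shows the point of a count-based CPT: one new scenario raises P(priv_esc | smb_exploit) from 1/3 to 1/2 without rebuilding the graph.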
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811532387.XA CN109327480B (en) | 2018-12-14 | 2018-12-14 | Multi-step attack scene mining method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109327480A true CN109327480A (en) | 2019-02-12 |
CN109327480B CN109327480B (en) | 2020-12-18 |
Family
ID=65257399
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811532387.XA (Expired - Fee Related) CN109327480B (en) | Multi-step attack scene mining method | 2018-12-14 | 2018-12-14 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109327480B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110213077A (en) * | 2019-04-18 | 2019-09-06 | 国家电网有限公司 | Method, device and system for determining security events of a power monitoring system |
CN110213077B (en) * | 2019-04-18 | 2022-02-22 | 国家电网有限公司 | Method, device and system for determining security events of a power monitoring system |
CN110740059A (en) * | 2019-10-11 | 2020-01-31 | 支付宝(杭州)信息技术有限公司 | Online early warning processing method and system |
CN110740059B (en) * | 2019-10-11 | 2022-07-22 | 支付宝(杭州)信息技术有限公司 | Online early warning processing method and system |
CN110856178A (en) * | 2019-11-05 | 2020-02-28 | 天津大学 | Behavior identification method based on wireless network physical layer IQ signal |
CN110830504A (en) * | 2019-11-28 | 2020-02-21 | 华北电力科学研究院有限责任公司 | Network intrusion behavior detection method and system |
CN111880708A (en) * | 2020-07-31 | 2020-11-03 | 北京微步在线科技有限公司 | Interaction method and storage medium for network attack event graph |
CN112333195A (en) * | 2020-11-10 | 2021-02-05 | 西安电子科技大学 | APT attack scene reduction detection method and system based on multi-source log correlation analysis |
CN112333195B (en) * | 2020-11-10 | 2021-11-30 | 西安电子科技大学 | APT attack scene reduction detection method and system based on multi-source log correlation analysis |
CN115396169A (en) * | 2022-08-18 | 2022-11-25 | 上海交通大学 | Method and system for multi-step attack detection and scene restoration based on TTP |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160205122A1 (en) * | 2013-04-10 | 2016-07-14 | Gabriel Bassett | System and Method for Cyber Security Analysis and Human Behavior Prediction |
CN106411921A (en) * | 2016-10-31 | 2017-02-15 | 中国人民解放军信息工程大学 | Multi-step attack prediction method based on a causal Bayesian network |
CN106850607A (en) * | 2017-01-20 | 2017-06-13 | 北京理工大学 | Quantitative assessment method of network security situation based on an attack graph |
CN108076040A (en) * | 2017-10-11 | 2018-05-25 | 北京邮电大学 | APT attack scenario mining method based on the kill chain and fuzzy clustering |
CN108769051A (en) * | 2018-06-11 | 2018-11-06 | 中国人民解放军战略支援部队信息工程大学 | Network intrusion situation intent assessment method based on alert correlation |
Non-Patent Citations (1)
Title |
---|
Li Sida (李思达): "Research and Implementation of an IDS Alert Correlation Analysis System" (IDS告警信息关联分析系统的研究与实现), China Master's Theses Full-text Database (electronic journal) * |
Also Published As
Publication number | Publication date |
---|---|
CN109327480B (en) | 2020-12-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | |
Granted publication date: 2020-12-18 |