CN109492390A - A kind of advanced duration threat analysis method based on attack time line - Google Patents


Info

Publication number
CN109492390A
CN109492390A
Authority
CN
China
Prior art keywords
attack
network
file
analysis method
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811289059.1A
Other languages
Chinese (zh)
Inventor
施勇
傅烨文
刘宁
何翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai leading Mdt InfoTech Ltd.
Original Assignee
施勇
傅烨文
刘宁
何翔
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 施勇, 傅烨文, 刘宁, 何翔
Priority to CN201811289059.1A
Publication of CN109492390A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Abstract

The present invention provides an advanced persistent threat analysis method based on an attack timeline: take over all executable programs and pipelines of the system kernel and enumerate all network channels; longitudinal monitoring: detect user processes and network behaviour at abnormal activity times; submit the captured software-execution API information across the boundary from the kernel layer to a behaviour analysis engine in the application layer and judge whether it is an attack, issuing an alarm and continuing if so, and jumping to S4 if not. By capturing the behavioural information of processes and the kernel through internal operating-system channels, analysing the suspiciousness of operation behaviour and matching it against an intrusion feature database for decision, dynamically analysing network traffic data and features, and mining user behaviour at abnormal activity times, the method determines whether a malicious attack exists and keeps tracking it, thereby detecting advanced persistent threats with high detection efficiency and a more complete analysis of the attack's behaviour at the system level.

Description

An advanced persistent threat analysis method based on an attack timeline
Technical field
The present invention is an advanced persistent threat (APT) analysis method based on an attack timeline and belongs to the field of network security technology.
Background technique
In the prior art, network attacks are becoming increasingly complex and their effects in the military and commercial spheres are increasingly wide. The unpredictability of attacks makes advanced persistent threats harder to detect. The development of such attacks shows in the greatly increased automation and speed of the attack means that attackers use: after successfully penetrating an internal network they remain dormant for a long time, continuously obtaining sensitive information and escalating privileges by every available means, until the important sensitive information has been obtained. Attacks with strong concealment must be discovered and handled in time to protect the security of the operating system. However, when a hacker holds a vulnerability unknown to the network administrators, obtains backdoor access and behaves like a normal user, the attack is only discovered once assets have been lost; at that point only emergency handling is possible, which can reduce the extent of the damage but cannot prevent it in time.
An advanced persistent threat (APT) attack may remain in the user's environment for a year or longer, continuously collecting all kinds of information until valuable information has been gathered. The purpose of the hackers who launch APT attacks is often not short-term profit but to use the "controlled host" as a springboard and keep searching until the targeted people, matters and objects are fully understood. Such attacks are persistent, lasting even several years: the attacker keeps trying different attack means and hides for a long time after penetrating the network, so that the network administrators notice nothing.
Although an APT resembles ordinary attack behaviour in its attack process, in its specific steps it is a targeted and organized attack pattern: the attack features of an APT are hard to extract, its concealment at any single point is strong, its attack channels are diverse and the attack lasts a long time, so that traditional defence mechanisms based on real-time detection and real-time blocking are difficult to apply effectively.
A search of the prior art finds Chinese patent application No. CN201710802670.9, entitled "Network security event process analysis method and system based on a timeline". That method comprises: obtaining the log file location of the attacked object; reading the log file at that location; and analysing the content of the log file with a log timeline algorithm to obtain the attack path of the attacked object in the network security event. The timeline-based security event process analysis method of that application can analyse the content of log files automatically and more intelligently, which improves efficiency, and because the analysis of the log content is performed by a log timeline algorithm it can obtain the attack path of the attacked object, alleviating the technical problems of traditional manual analysis, namely that the attack path cannot be reconstructed, analysis efficiency is low and the degree of intelligence is poor. However, that technique is a subsequent reconstruction and cannot make a judgement in advance; even if the hacker's attack path is reconstructed, it is still difficult to recover the losses already incurred.
Summary of the invention
In view of the deficiencies of the prior art, the object of the present invention is to provide an advanced persistent threat analysis method based on an attack timeline, so as to solve the problems mentioned in the background technique above.
To achieve the above object, the present invention is realised by the following technical solution: an advanced persistent threat analysis method based on an attack timeline, comprising the following steps:
S1: take over all executable programs and pipelines of the system kernel, and enumerate all network channels;
S2: longitudinal monitoring: detect user processes and network behaviour at abnormal activity times;
S3: submit the captured software-execution API information across the boundary from the kernel layer to the behaviour analysis engine in the application layer and judge whether it is an attack; if so, issue an alarm and continue; if not, jump to S4;
S4: lateral monitoring: continuously monitor the behaviour of these users, then return to step 3 and continue.
S1 comprises the following steps:
S1.1: take over all program execution pipelines of the system kernel and capture all system-layer and application-layer operations, converting the various instructions in the execution process into a standard format for detection; execution behaviour, including PE files and all kinds of scripts, is converted into operation instructions. That is, kernel functions are used to take over all executing processes and command pipelines in the system, the internal execution process and the API function calls are captured, and the execution process is converted into instructions that are then detected;
S1.2: set the network card to promiscuous mode, obtain protocol packets of various types from the network layer, extract the packets at the different network layers, obtain the suspicious features in the data, and thereby extract suspicious behavioural features.
S2 comprises the following steps:
S2.1: analyse the data ports appearing in the network traffic in combination with the local ports: if an application port cannot be obtained through the local API, it is regarded as a potential attack data port and the system raises an alert; if the port information in the network traffic is consistent with the port information obtained locally, it is regarded as a normal application port number and is not processed;
S2.2: enumerate the network channels, which include remote desktop and IPC shared pipes; according to time-difference features and an IP whitelist mechanism, intercept network channel requests issued by abnormal IPs at abnormal times, and apply control to the IPC channels commonly used by attackers; when abnormal behaviour is found, the system alarms;
S2.3: monitor the creation, renaming, rewriting, access and execution of all files inside the system and extract abnormal keyword information from any file that changes; if abnormal keyword information is detected, for example the creation in a system folder of an executable file whose name resembles a system file, or the running of an executable program in a photo folder, the system performs alarm processing;
S2.4: when user processes and network behaviour at an abnormal activity time are detected, track them further, and determine and obtain the attributes of the network security threat itself, such as its features, dynamic domain name, control-end network address, propagation method, transmission path and author information.
Further, packets passing through the local machine are sniffed at the local IP link layer; TCP, UDP, DNS and ICMP packet types and data port information are identified dynamically, and suspicious behavioural features are extracted from the application-layer data, i.e. the malicious operation instructions of the attack contained in the behavioural features.
Further, the changes include: addition, modification, format change and deletion of files.
Further, the keyword information includes: file name, file type, file location and operation time.
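The port, channel and file checks of steps S2.1 to S2.3, as an added Python example that is not code from the patent: the listening-port set (standing in for what the local API would report), the IP whitelist, the working hours, the protected system-file names and every flow and file event are constructed sample data, and "a name similar to a system file" is approximated with difflib's similarity ratio.

```python
import difflib
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath
from typing import List, Optional

# S2.1: ports the local API would report as listening (constructed sample, not a real host).
LOCAL_LISTENING_PORTS = {135, 139, 445, 3389, 8080}
# S2.2: assumed policy: IP whitelist for remote desktop / IPC channels and normal working hours.
CHANNEL_IP_WHITELIST = [ip_network("10.0.0.0/8")]
WORK_HOURS = range(8, 19)          # 08:00-18:59 local time
CONTROLLED_CHANNELS = {"rdp", "ipc"}
# S2.3: constructed sample of protected system file names, system folders and photo folders.
SYSTEM_FILE_NAMES = ["svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"]
SYSTEM_FOLDERS = [PureWindowsPath(r"C:\Windows")]
PHOTO_FOLDER_NAMES = {"pictures", "photos"}


@dataclass
class Flow:
    ts: datetime
    remote_ip: str
    local_port: int
    channel: str                   # "rdp", "ipc" or "other"


@dataclass
class FileEvent:
    ts: datetime
    op: str                        # "create", "rename", "write", "access", "execute"
    path: str


def check_local_port(flow: Flow) -> Optional[str]:
    """S2.1: a local port seen in traffic but unknown to the local API is a potential attack port."""
    if flow.local_port not in LOCAL_LISTENING_PORTS:
        return f"S2.1 unknown local port {flow.local_port} used by {flow.remote_ip}"
    return None


def check_channel_request(flow: Flow) -> Optional[str]:
    """S2.2: RDP/IPC requests from non-whitelisted IPs at abnormal times are intercepted."""
    if flow.channel not in CONTROLLED_CHANNELS:
        return None
    ip = ip_address(flow.remote_ip)
    whitelisted = any(ip in net for net in CHANNEL_IP_WHITELIST)
    off_hours = flow.ts.hour not in WORK_HOURS
    if not whitelisted and off_hours:
        return f"S2.2 {flow.channel} request from {flow.remote_ip} at {flow.ts:%H:%M} intercepted"
    return None


def _under(path: PureWindowsPath, folder: PureWindowsPath) -> bool:
    try:
        path.relative_to(folder)
        return True
    except ValueError:
        return False


def check_file_event(ev: FileEvent) -> Optional[str]:
    """S2.3: look-alike executable created in a system folder, or executable run from a photo folder."""
    p = PureWindowsPath(ev.path)
    name = p.name.lower()
    in_system_folder = any(_under(p, f) for f in SYSTEM_FOLDERS)
    if ev.op in {"create", "rename"} and p.suffix.lower() == ".exe" and in_system_folder:
        # An exact system file name is left to file-integrity checks; only near-misses are flagged here.
        if name not in SYSTEM_FILE_NAMES:
            close = difflib.get_close_matches(name, SYSTEM_FILE_NAMES, n=1, cutoff=0.8)
            if close:
                return f"S2.3 executable {p.name} in {p.parent} resembles system file {close[0]}"
    if ev.op == "execute" and any(part.lower() in PHOTO_FOLDER_NAMES for part in p.parts):
        return f"S2.3 executable run from photo folder: {ev.path}"
    return None


def scan(flows: List[Flow], events: List[FileEvent]) -> List[str]:
    """Run every check and collect the alerts the system would raise."""
    alerts = []
    for f in flows:
        alerts += [a for a in (check_local_port(f), check_channel_request(f)) if a]
    for e in events:
        a = check_file_event(e)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample traffic and file activity for one host.
SAMPLE_FLOWS = [
    Flow(datetime(2018, 10, 31, 10, 5), "10.1.2.3", 445, "ipc"),         # whitelisted, work hours
    Flow(datetime(2018, 10, 31, 2, 30), "203.0.113.9", 3389, "rdp"),     # off-hours RDP from outside
    Flow(datetime(2018, 10, 31, 14, 0), "198.51.100.7", 4444, "other"),  # port not reported locally
    Flow(datetime(2018, 10, 31, 3, 0), "10.9.9.9", 445, "ipc"),          # off-hours but whitelisted
]
SAMPLE_EVENTS = [
    FileEvent(datetime(2018, 10, 31, 2, 31), "create", r"C:\Windows\System32\svch0st.exe"),
    FileEvent(datetime(2018, 10, 31, 2, 32), "execute", r"C:\Users\alice\Pictures\holiday.exe"),
    FileEvent(datetime(2018, 10, 31, 9, 0), "write", r"C:\Users\alice\Documents\report.docx"),
    FileEvent(datetime(2018, 10, 31, 9, 5), "create", r"C:\Windows\System32\svchost.exe"),
]
```

Running scan(SAMPLE_FLOWS, SAMPLE_EVENTS) yields four alerts: the off-hours RDP request, the unreported port 4444, the look-alike svch0st.exe and the executable run from the Pictures folder; the whitelisted off-hours IPC flow and the exact-name svchost.exe creation are not flagged.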
Beneficial effects of the present invention: the attack-timeline-based advanced persistent threat analysis method of the invention captures the behavioural information of processes and the kernel through internal operating-system channels, analyses the suspiciousness of operation behaviour and matches it against an intrusion feature database for decision, dynamically analyses network traffic data and features, mines user behaviour at abnormal activity times, determines whether a malicious attack exists and keeps tracking it, thereby detecting advanced persistent threats with high detection efficiency and a more complete analysis of the attack's behaviour at the system level.
Detailed description of the invention
Other features, objects and advantages of the invention will become more apparent upon reading the detailed description of non-limiting embodiments with reference to the following drawings:
Fig. 1 is a flow diagram of the attack-timeline-based advanced persistent threat analysis method provided by the invention.
Specific embodiment
To make the technical means, creative features, aims and effects achieved by the present invention easy to understand, the invention is further explained below with reference to specific embodiments.
Referring to Fig. 1, the present invention provides a technical solution: an advanced persistent threat analysis method based on an attack timeline, comprising the following steps:
S1: take over all executable programs and pipelines of the system kernel, and enumerate all network channels;
S2: longitudinal monitoring: detect user processes and network behaviour at abnormal activity times;
S3: submit the captured software-execution API information across the boundary from the kernel layer to the behaviour analysis engine in the application layer and judge whether it is an attack; if so, issue an alarm and continue; if not, jump to S4;
S4: lateral monitoring: continuously monitor the behaviour of these users, then return to step 3 and continue.
S1 comprises the following steps:
S1.1: take over all program execution pipelines of the system kernel and capture all system-layer and application-layer operations, converting the various instructions in the execution process into a standard format for detection; execution behaviour, including PE files and all kinds of scripts, is converted into operation instructions. That is, kernel functions are used to take over all executing processes and command pipelines in the system, the internal execution process and the API function calls are captured, and the execution process is converted into instructions that are then detected;
S1.2: set the network card to promiscuous mode, obtain protocol packets of various types from the network layer, extract the packets at the different network layers, obtain the suspicious features in the data, and thereby extract suspicious behavioural features.
S2 comprises the following steps:
S2.1: analyse the data ports appearing in the network traffic in combination with the local ports: if an application port cannot be obtained through the local API, it is regarded as a potential attack data port and the system raises an alert; if the port information in the network traffic is consistent with the port information obtained locally, it is regarded as a normal application port number and is not processed;
S2.2: enumerate the network channels, which include remote desktop and IPC shared pipes; according to time-difference features and an IP whitelist mechanism, intercept network channel requests issued by abnormal IPs at abnormal times, and apply control to the IPC channels commonly used by attackers; when abnormal behaviour is found, the system alarms;
S2.3: monitor the creation, renaming, rewriting, access and execution of all files inside the system and extract abnormal keyword information from any file that changes; if abnormal keyword information is detected, for example the creation in a system folder of an executable file whose name resembles a system file, or the running of an executable program in a photo folder, the system performs alarm processing;
S2.4: when user processes and network behaviour at an abnormal activity time are detected, track them further, and determine and obtain the attributes of the network security threat itself, such as its features, dynamic domain name, control-end network address, propagation method, transmission path and author information.
Packets passing through the local machine are sniffed at the local IP link layer; TCP, UDP, DNS and ICMP packet types and data port information are identified dynamically, and suspicious behavioural features are extracted from the application-layer data, i.e. the malicious operation instructions of the network attack behaviour contained in the behavioural features.
The changes include: addition, modification, format change and deletion of files.
The keyword information includes: file name, file type, file location and operation time.
The attack-timeline-based advanced persistent threat analysis method provided by the present invention can, while meeting the detection requirements, obtain as much of the hacker's behaviour analysis data inside the system as possible, while at the same time monitoring the network data flow in real time and judging the features in the data flow that may cause damage. When a hacker has obtained long-term access rights through the attacked object, the analysis timeline distinguishes normal user behaviour from abnormal user behaviour: users who access and operate at non-normal hours receive special attention and are handled separately, tracking is traced back to the original access path, and the captured processes and command-line parameters are examined for suspicious executed instructions and code. The method is mainly used to analyse the attack behaviour of malicious code, in linked analysis with local attack behaviour.
Specifically, for the Windows operating system, this refers to an advanced persistent threat detection method in the Windows system environment: the behavioural information of processes and the kernel is captured through internal system channels, the suspiciousness of operation behaviour is analysed and matched against an intrusion feature database for decision, and network traffic data and features are analysed dynamically for detection. User behaviour at abnormal activity times is mined to determine whether a malicious attack exists, so as to achieve the purpose of detecting advanced persistent threats.
For network attacks under the Windows operating system, this mainly refers to the detection of advanced persistent threats; the specific detection flow, as shown in Figure 1, comprises the following steps:
The first step, longitudinal monitoring: detect user processes and network behaviour at abnormal activity times. Take over all program execution pipelines of the system kernel and capture all system-layer and application-layer operations, that is, capture all executable operations, including PE files and all kinds of scripts; convert execution behaviour into operation instructions (which are observable), i.e. convert the various instructions in the specific execution process into a standard format for detection. Specifically, kernel functions are used to take over all executing processes and command pipelines in the system, and the internal execution process and the API function calls are captured; the execution process is converted into instructions that are then detected. Set the network card to promiscuous mode, obtain protocol packets of various types from the network layer, extract the packets at the different network layers, obtain the suspicious features in the data, and analyse the suspicious behavioural features in combination with the local ports. Specifically, packets passing through the local machine are sniffed at the local IP link layer, TCP, UDP, DNS and ICMP packet types and data port information are identified dynamically, and suspicious features in the application-layer data are extracted rapidly. Enumerate all network channels (including but not limited to remote desktop and IPC shared pipes) and search for possibly abnormal connection behaviour according to time features and IP information. Specifically, according to time-difference features and an IP whitelist mechanism, network channel requests issued by abnormal IPs at abnormal times are intercepted, and high-intensity control is applied to the commonly used IPC channels. File operations are monitored, including creation, renaming, rewriting, access and execution; key detection information, including file name, type and features, is extracted from file changes and monitored. Specifically, the creation, renaming, rewriting, access and execution of all files inside the Windows system are monitored, abnormal keyword information is extracted from any file that changes, and executable PE programs and scripts such as ASP, PHP and JavaScript are monitored in particular.
The second step: a signal released from the kernel layer actively submits the captured data across the boundary from the kernel layer to the behaviour analysis engine in the application layer. The cross-boundary data is encrypted in the driver layer before submission so that it cannot be intercepted and captured by other drivers, i.e. to avoid interception by malicious drivers. Suspicious behaviour is alerted by matching against the attack feature library and against an abnormal behaviour policy library based on the service environment.
The third step, lateral monitoring: continuously monitor the behaviour of these users.
The present invention analyses abnormal execution behaviour, network behaviour and file operation behaviour in the system and, through long-term monitoring, alerts on operations in the system that may constitute an advanced persistent attack.
The present invention has passed functional testing, and the test results show that it has a good detection rate for common advanced persistent attack behaviour; in particular, the attack detection rate is higher in the case of penetration and attack via the network on the Windows system platform. The detection method can analyse the behaviour of an attack at the system level more completely, and even when the attack is relatively complex it can still detect part of the attack's operation behaviour.
Specific embodiments of the present invention have been described above. It is to be understood that the invention is not limited to the specific embodiments above; those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substance of the invention. In the absence of conflict, the embodiments of this application and the features in the embodiments may be combined with each other in any way.
After a hacker has obtained user rights, a security system finds it difficult to tell whether an activity that looks like normal user behaviour comes from an ordinary user or from the hacker, because a hacker carrying out an advanced persistent threat performs no specific activity and no activity that looks harmful before finally obtaining the important information and data, so as to hide better, and even after obtaining legitimate authority to access a specific application or data performs no large-scale operations. Monitoring all users for unrelated activity paths would occupy a large amount of system resources and space.
Ordinary tracing of a hacker's identity is carried out after the loss of assets has been found, but the hacker can easily deceive the network administrators for a long time by the same or upgraded means, changing an IP address and changing a login path, after which analysis of the historical data is of no avail.
Even the best security system finds it difficult to tell whether a specific activity is suspicious or whether the user has legitimate authority to access the specific application or data. Through a longitudinal timeline, however, we can find the hacker who carries out normal-looking user behaviour at non-normal hours. Through the historical record of the timeline, the hacker's pattern of activity is found laterally, so as to anticipate the next intrusion.
By monitoring user activity, we are able to determine whether a remote session has been opened for a specific user, or whether the user has unrelated activity paths at the same moment, paying special attention to user identities that were once used to carry out deceptive actions and to information such as whether the same user has logged in to another workstation at the same time.
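The longitudinal and lateral timeline analysis described here, as an added Python example that is not code from the patent: each user's usual hours are learned from a baseline window of constructed logon sessions, later sessions outside those hours are reported, and the same user being active on two different workstations at the same moment is reported as well. The session records, the baseline window, the two-observation threshold and the assumption that sessions do not cross midnight are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

MIN_OBSERVATIONS = 2   # assumed: an hour is "usual" once seen in at least two baseline sessions


@dataclass
class Session:
    user: str
    workstation: str
    start: datetime
    end: datetime          # assumed: sessions do not cross midnight
    remote: bool           # True for a remote (e.g. remote desktop) session


def build_timeline(sessions: List[Session]) -> Dict[str, List[Session]]:
    """Longitudinal view: one chronologically ordered timeline per user."""
    timeline: Dict[str, List[Session]] = defaultdict(list)
    for s in sessions:
        timeline[s.user].append(s)
    for user in timeline:
        timeline[user].sort(key=lambda s: s.start)
    return dict(timeline)


def usual_hours(history: List[Session]) -> Set[int]:
    """Hours of the day in which the user was active often enough during the baseline window."""
    seen: Counter = Counter()
    for s in history:
        for hour in range(s.start.hour, s.end.hour + 1):
            seen[hour] += 1
    return {hour for hour, count in seen.items() if count >= MIN_OBSERVATIONS}


def off_hours_sessions(recent: List[Session], hours: Set[int]) -> List[Session]:
    """Normal-looking user behaviour at a non-normal time is what the timeline singles out."""
    return [s for s in recent if s.start.hour not in hours]


def concurrent_sessions(recent: List[Session]) -> List[Tuple[Session, Session]]:
    """Lateral view: the same user active on two different workstations at the same moment."""
    pairs = []
    for i, a in enumerate(recent):            # recent is sorted by start time
        for b in recent[i + 1:]:
            if b.start >= a.end:
                break                         # later sessions cannot overlap a either
            if b.workstation != a.workstation:
                pairs.append((a, b))
    return pairs


def analyse(sessions: List[Session], baseline_end: datetime) -> List[str]:
    """Build each user's baseline from sessions before baseline_end and alert on those after it."""
    alerts = []
    for user, tl in build_timeline(sessions).items():
        history = [s for s in tl if s.start < baseline_end]
        recent = [s for s in tl if s.start >= baseline_end]
        hours = usual_hours(history)
        for s in off_hours_sessions(recent, hours):
            kind = "remote" if s.remote else "local"
            alerts.append(f"{user}: {kind} session on {s.workstation} at "
                          f"{s.start:%Y-%m-%d %H:%M} outside usual hours {sorted(hours)}")
        for a, b in concurrent_sessions(recent):
            alerts.append(f"{user}: concurrent sessions on {a.workstation} and {b.workstation} "
                          f"at {b.start:%Y-%m-%d %H:%M}")
    return alerts


# Constructed sample: one working week of baseline logons, then two days to analyse.
BASELINE_END = datetime(2018, 10, 29)
SAMPLE_SESSIONS = [
    Session("alice", "WS-ALICE", datetime(2018, 10, d, 9, 0), datetime(2018, 10, d, 17, 30), False)
    for d in range(22, 27)
] + [
    Session("bob", "WS-BOB", datetime(2018, 10, d, 8, 0), datetime(2018, 10, d, 16, 0), False)
    for d in range(22, 27)
] + [
    Session("alice", "WS-ALICE", datetime(2018, 10, 29, 9, 5), datetime(2018, 10, 29, 17, 10), False),
    Session("alice", "WS-HR", datetime(2018, 10, 29, 10, 30), datetime(2018, 10, 29, 11, 0), False),
    Session("alice", "WS-FILESRV", datetime(2018, 10, 30, 2, 15), datetime(2018, 10, 30, 2, 40), True),
    Session("bob", "WS-BOB", datetime(2018, 10, 29, 8, 10), datetime(2018, 10, 29, 16, 5), False),
    Session("bob", "WS-BOB", datetime(2018, 10, 30, 8, 0), datetime(2018, 10, 30, 15, 50), False),
]
```

analyse(SAMPLE_SESSIONS, BASELINE_END) reports two findings for alice, the 02:15 remote session on WS-FILESRV and the WS-HR session that overlaps her WS-ALICE session, and nothing for bob.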
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art will understand that the invention is not limited to the details of the exemplary embodiments above and that, without departing from the spirit or essential characteristics of the invention, it can be realised in other specific forms. Therefore, the embodiments are to be regarded in all respects as exemplary and non-limiting; the scope of the invention is defined by the appended claims rather than by the above description, and all changes falling within the meaning and scope of equivalents of the claims are intended to be included. Any reference signs in the claims shall not be construed as limiting the claims concerned.
In addition, it should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution; this manner of description is merely for clarity, and those skilled in the art should consider the specification as a whole. The technical solutions in the various embodiments may also be suitably combined to form other embodiments that those skilled in the art can understand.

Claims (6)

1. An advanced persistent threat analysis method based on an attack timeline, characterized in that it comprises the following steps:
S1: take over all executable programs and pipelines of the system kernel, and enumerate all network channels;
S2: longitudinal monitoring: detect user processes and network behaviour at abnormal activity times;
S3: submit the captured software-execution API information across the boundary from the kernel layer to the behaviour analysis engine in the application layer and judge whether it is an attack; if so, issue an alarm and continue; if not, jump to S4;
S4: lateral monitoring: continuously monitor the behaviour of these users, then return to step 3 and continue.
2. The attack-timeline-based advanced persistent threat analysis method according to claim 1, characterized in that S1 comprises the following steps:
S1.1: take over all program execution pipelines of the system kernel and capture all system-layer and application-layer operations, converting the various instructions in the execution process into a standard format for detection; execution behaviour, including PE files and all kinds of scripts, is converted into operation instructions. That is, kernel functions are used to take over all executing processes and command pipelines in the system, the internal execution process and the API function calls are captured, and the execution process is converted into instructions that are then detected;
S1.2: set the network card to promiscuous mode, obtain protocol packets of various types from the network layer, extract the packets at the different network layers, obtain the suspicious features in the data, and thereby extract suspicious behavioural features.
3. The attack-timeline-based advanced persistent threat analysis method according to claim 1, characterized in that S2 comprises the following steps:
S2.1: analyse the data ports appearing in the network traffic in combination with the local ports: if an application port cannot be obtained through the local API, it is regarded as a potential attack data port and the system raises an alert; if the port information in the network traffic is consistent with the port information obtained locally, it is regarded as a normal application port number and is not processed;
S2.2: enumerate the network channels, which include remote desktop and IPC shared pipes; according to time-difference features and an IP whitelist mechanism, intercept network channel requests issued by abnormal IPs at abnormal times, and apply control to the IPC channels commonly used by attackers; when abnormal behaviour is found, the system alarms;
S2.3: monitor the creation, renaming, rewriting, access and execution of all files inside the system and extract abnormal keyword information from any file that changes; if abnormal keyword information is detected, for example the creation in a system folder of an executable file whose name resembles a system file, or the running of an executable program in a photo folder, the system performs alarm processing;
S2.4: when user processes and network behaviour at an abnormal activity time are detected, track them further, and determine and obtain the attributes of the network security threat itself, such as its features, dynamic domain name, control-end network address, propagation method, transmission path and author information.
4. The attack-timeline-based advanced persistent threat analysis method according to claim 1, characterized in that packets passing through the local machine are sniffed at the local IP link layer; TCP, UDP, DNS and ICMP packet types and data port information are identified dynamically, and suspicious behavioural features are extracted from the application-layer data, i.e. the malicious operation instructions of the attack contained in the behavioural features.
5. The attack-timeline-based advanced persistent threat analysis method according to claim 1, characterized in that the changes include: addition, modification, format change and deletion of files.
6. The attack-timeline-based advanced persistent threat analysis method according to claim 1, characterized in that the keyword information includes: file name, file type, file location and operation time.
CN201811289059.1A 2018-10-31 2018-10-31 A kind of advanced duration threat analysis method based on attack time line Pending CN109492390A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811289059.1A CN109492390A (en) 2018-10-31 2018-10-31 A kind of advanced duration threat analysis method based on attack time line

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811289059.1A CN109492390A (en) 2018-10-31 2018-10-31 A kind of advanced duration threat analysis method based on attack time line

Publications (1)

Publication Number Publication Date
CN109492390A true CN109492390A (en) 2019-03-19

Family

ID=65693554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811289059.1A Pending CN109492390A (en) 2018-10-31 2018-10-31 A kind of advanced duration threat analysis method based on attack time line

Country Status (1)

Country Link
CN (1) CN109492390A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871883A (en) * 2016-05-10 2016-08-17 上海交通大学 Advanced persistent threat detection method based on aggressive behavior analysis
CN106850582A (en) * 2017-01-05 2017-06-13 中国电子科技网络信息安全有限公司 A kind of APT Advanced threat detection methods based on instruction monitoring
CN106878301A (en) * 2017-02-13 2017-06-20 国网江西省电力公司信息通信分公司 A kind of detection method and system of senior sustainable threat

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109995793A (en) * 2019-04-12 2019-07-09 中国人民解放军战略支援部队信息工程大学 Network dynamic threatens tracking quantization method and system
CN109995793B (en) * 2019-04-12 2021-08-03 中国人民解放军战略支援部队信息工程大学 Network dynamic threat tracking quantification method and system
CN112003824A (en) * 2020-07-20 2020-11-27 中国银联股份有限公司 Attack detection method and device and computer readable storage medium
CN113282518A (en) * 2021-07-22 2021-08-20 广州市玄武无线科技股份有限公司 Method and device for tracking and displaying form behaviors of mobile terminal in real time

Similar Documents

Publication Publication Date Title
CN105871883B (en) Advanced duration threat detection method based on attack analysis
Carrier et al. Getting physical with the digital investigation process
Ashoor et al. Importance of intrusion detection system (IDS)
CN107888607A (en) A kind of Cyberthreat detection method, device and network management device
Wani et al. Ransomware protection in loT using software defined networking
Ghosh et al. Cybercrimes: A multidisciplinary analysis
Wainwright et al. An analysis of botnet models
Niu et al. Identifying APT malware domain based on mobile DNS logging
CN109492390A (en) A kind of advanced duration threat analysis method based on attack time line
Ussath et al. Identifying suspicious user behavior with neural networks
Rasheed et al. Threat hunting using grr rapid response
CN109474586A (en) A kind of advanced duration threat analysis method based on user behavior analysis
Liu et al. Research and application of APT attack defense and detection technology based on big data technology
CN105243328A (en) Behavioral characteristic based Ferry horse defense method
Yuan et al. Research of intrusion detection system on android
Zhao et al. Network security model based on active defense and passive defense hybrid strategy
CN115587357A (en) Threat scene analysis method and system based on big data
Bowen et al. Monitoring technologies for mitigating insider threats
Chovancová et al. The Security of Heterogeneous Systems based on Cluster High-interaction Hybrid Honeypot
Javadianasl et al. A practical procedure for collecting more volatile information in live investigation of botnet attack
CN114024740A (en) Threat trapping method based on secret tag bait
CN109492389A (en) A kind of behavior threat analysis method of machine learning Automatic behavior analysis
Ren et al. A hybrid intelligent system for insider threat detection using iterative attention
Jia et al. Bidirectional RNN-Based Few-Shot Training for Detecting Multi-stage Attack
Bhatt et al. Analyzing Targeted Attacks using Hadoop applied to Forensic Investigation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200727

Address after: 200000 Shanghai Pudong New Area free trade trial area, 1 spring 3, 400 Fang Chun road.

Applicant after: Shanghai leading Mdt InfoTech Ltd.

Address before: 200 000 Shuiqing Road 332, Minhang District, Shanghai

Applicant before: Shi Yong

Applicant before: Fu Yewen

Applicant before: Liu Ning

Applicant before: He Xiang

RJ01 Rejection of invention patent application after publication

Application publication date: 20190319