CN110011990B - Intelligent analysis method for intranet security threats - Google Patents


Publication number
CN110011990B
Authority
CN
China
Prior art keywords
log
stream
template
inconsistency
tested
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910219705.5A
Other languages
Chinese (zh)
Other versions
CN110011990A (en)
Inventor
王志
肖旭航
谢学说
李涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nankai University
Original Assignee
Nankai University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nankai University
Priority to CN201910219705.5A
Publication of CN110011990A
Application granted
Publication of CN110011990B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/18 Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention provides an intelligent analysis method for intranet security threats, applied in the field of network security. The method has two parts. Part 1 calculates multi-model inconsistency scores: step 1.1 generates a log template set, and step 1.2 calculates an inconsistency score. Part 2 performs the intelligent analysis of intranet security threats: step 2.1 calculates the P-Value, and step 2.2 predicts the log stream to be tested based on statistical learning. The invention uses artificial intelligence instead of manual analysis to analyze logs; replaces local log storage with secure storage on a blockchain, so that logs generated by different devices in the intranet can be merged and used together; supports multiple log parsing models and achieves multi-model cooperation; and uses statistical learning to improve the detection of abnormal logs.

Description

Intelligent analysis method for intranet security threats
Technical Field
The present invention belongs to the field of computer network security.
Background
With the development of networks, the volume of logs generated by equipment keeps growing, and the logs are difficult to analyze manually. As technology develops, logs stored locally face a great risk of being tampered with. At present, a device in an intranet cannot inform other devices in the same network of the attack behavior it encounters. A single model degrades over time, so a comprehensive and accurate detection result cannot be obtained. Therefore, to discover threats, a model needs to be constructed that can analyze logs with artificial intelligence, store logs more securely with a blockchain, detect abnormal logs by exploiting the advantages of the intranet, and defend through multi-model cooperation.
Disclosure of Invention
The invention aims to solve the problems that, when a large number of logs are generated in an intranet, the logs are easy to tamper with and cannot be merged for use, and that models degrade, so that prediction cannot yield comprehensive and accurate results. It provides an intelligent analysis method for intranet security threats based on statistical learning. The method uses artificial intelligence instead of manual analysis to analyze logs; replaces local log storage with secure storage on a blockchain, so that logs generated by different devices in the intranet can be merged and used together; supports multiple log parsing models and achieves multi-model cooperation; and uses a statistical learning algorithm to improve the identification of abnormal logs.
Technical scheme of the invention
The intelligent analysis method for intranet security threats is described as follows.
Basic concepts:
(1) Log: text that records valuable application and system running information; its content includes a timestamp and so on;
(2) Log stream: a log in a standard format that can be used as the input of a log parsing algorithm. It differs from a log in that each line holds exactly one log stream, whereas a log may span several lines;
(3) Log template: consists only of the constants in a log stream and can represent a group of log streams;
(4) Inconsistency metric function: evaluates, through a score, the similarity between the log stream to be tested and the set of known log streams.
It describes the similarity between a log stream and a group of known log streams: the input is a log template and a log stream to be tested, and the output is a numerical value, the inconsistency score. The higher the score, the more similar the log stream to be tested is to the group of log streams; the lower the score, the more dissimilar it is;
(5) P-Value: a statistic that measures the significance of the log stream to be tested within the set of known log streams, used to compare the credibility of the prediction results of multiple models.
Part 1, calculating a multi-model inconsistency score, comprising the following steps:
Step 1.1, generating a log template set
1.1.1, the log stream set is processed with a log parsing algorithm f to obtain a log template set T;
1.1.2, input of log parsing: the original log stream set X and the log parsing algorithm set G:
① Original log stream set X: contains n log streams x_j, j ∈ {1, 2, ..., n}, X = {x_1, ..., x_n};
② Log parsing algorithm set G: contains m log parsing algorithms f_k, k ∈ {1, 2, ..., m}, G = {f_1, ..., f_m};
1.1.3, output of log parsing: m log template sets T_k, k ∈ {1, 2, ..., m}, T = {T_1, ..., T_m}, where each log template set T_k contains q log templates t_kb, b ∈ {1, 2, ..., q}, T_k = {t_k1, ..., t_kb}.
Step 1.2, calculating the inconsistency score
1.2.1, for the log stream to be tested y_i, each heterogeneous log parsing algorithm can calculate an inconsistency score α from the log template t_kb using the inconsistency metric function g. The inconsistency scores given by heterogeneous models are not comparable, so the quality of the models' prediction results cannot be compared directly from the inconsistency scores;
1.2.2, input of the inconsistency metric: the log template set T, the set Y of log streams to be tested, and the inconsistency metric function g:
① Log template set T: contains m log template sets T_k, k ∈ {1, 2, ..., m}, T = {T_1, ..., T_m}, where each log template set T_k contains q log templates t_kb, b ∈ {1, 2, ..., q}, T_k = {t_k1, ..., t_kb};
② Set Y of log streams to be tested: contains w logs y_i, i ∈ {1, 2, ..., w}, Y = {y_1, ..., y_w};
③ Inconsistency metric function g: its input is a log stream and a log template t_kb, and its return value is a real number, called the inconsistency score, that indicates the inconsistency between the log stream to be tested and the log stream set;
1.2.3, output of the inconsistency metric: a set of inconsistency scores;
1.2.4, algorithm flow:
[Figure: algorithm flow for step 1.2]
Part 2, intelligent analysis of intranet security threats, comprising the following steps:
Step 2.1, calculating the P-Value
2.1.1, for a log template t_kb, the inconsistency of each original log stream x_j is measured, giving the corresponding inconsistency score set {a_kb_1, a_kb_2, ..., a_kb_j};
2.1.2, the inconsistency score a_kb_i of the log stream to be tested y_i is put into the inconsistency score set of this class; the P-Value for this class is the ratio of the number of log streams whose inconsistency score is greater than or equal to a_kb_i to the total number of log streams;
2.1.3, the larger the P-Value, the higher the significance of the log stream to be tested y_i in this class;
2.1.4, input: the set of inconsistency scores of the log streams;
2.1.5, output: the P-Value of the log stream to be tested y_i;
2.1.6, algorithm flow:
[Figure: algorithm flow for step 2.1]
Step 2.2, predicting the log stream to be tested based on statistical learning
2.2.1, from all the P-Value sets obtained in the previous step, the P-Values larger than the maximum error probability ε are selected, giving the sets of template classes corresponding to those P-Values; if an empty set exists, the log stream to be tested y_i is predicted to be an abnormal log; otherwise it is predicted to be a normal log;
2.2.2, input: the set of P-Values of the log stream to be tested y_i; the acceptable maximum error probability ε, provided by the user, which is the largest error probability the user is able to accept;
2.2.3, output: the prediction result;
2.2.4, algorithm flow:
[Figure: algorithm flow for step 2.2]
Advantages and positive effects of the invention:
The invention provides an intelligent analysis method for intranet security threats based on statistical learning. The method uses artificial intelligence instead of manual analysis to analyze logs, which improves analysis efficiency; it replaces local log storage with secure storage on a blockchain, which improves security; it merges the logs generated by different devices in the intranet for joint use, which improves the efficiency of anomaly detection; and it supports multiple heterogeneous log parsing models and uses a statistical method to achieve multi-model cooperative defense.
Drawings
Fig. 1 is a flow chart of an intranet security threat intelligent analysis method based on statistical learning.
FIG. 2 is a portion of an industrial control log stream collection.
FIG. 3 is a log template set obtained by using IPLoM algorithm for industrial control logs.
FIG. 4 is a log template set obtained by using a Drain algorithm for an industrial control log.
FIG. 5 is a log template set obtained by using the LogSig algorithm for the industrial control log.
FIG. 6 is a P-Value set obtained by an IPLoM algorithm in an industrial control log.
FIG. 7 is a P-Value set obtained by using a Drain algorithm on an industrial control log.
Detailed Description
The invention is described specifically using the detection of abnormal logs as an example. Any log parsing algorithm that takes an original log stream set as input and produces a log template set can be used with the method. The flow of the method is shown in Fig. 1. This embodiment uses four log parsing algorithms, IPLoM, Drain, Drain V1 and LogSig, as examples, described as follows:
IPLoM is a log parsing algorithm. It parses logs in four steps and takes all logs as input at the start. In the first step, all original logs are divided into groups according to their length. In the second step, the original logs within each length group are grouped further: the words at each position across all log records are counted, the position with the fewest unique words is found, and the logs are split by the unique word at that position, so that original logs with the same unique word fall into one group. The third step operates on each group obtained in the previous step and divides the original logs into groups according to the correspondence between words. The fourth step processes each group finally obtained: where the words at the same position differ, they are replaced with a wildcard, and where they are the same, the word is written down directly, giving the log template.
Drain is a log parsing algorithm. It parses logs in three steps and takes one log as input at a time. The first step groups original logs of the same length together. The second step groups logs that have the same token and the same length; in this method the token can be the first word of the log, the last word of the log, or a wildcard. The third step gathers the similar logs among the original logs with the same length and the same token, giving a log template that can represent the set.
Drain V1 is a log parsing algorithm. It parses logs in three steps and takes one log as input at a time. The first step groups original logs of the same length together. The second step groups logs that have the same token and the same length; in this method the token can be the first word of the log or a wildcard. The third step gathers the similar logs among the original logs with the same length and the same token, giving a log template that can represent the set.
LogSig is a log parsing algorithm. It parses logs in three steps and takes all logs as input at the start. In the first step, each log stream is cut into a number of word pairs, forming word-pair groups. In the second step, all logs are randomly divided into a fixed number of groups, and then each log is moved to a suitable group. In the third step, a suitable log template is obtained for each group from the previous step.
Each log parsing algorithm can process the original log set to obtain a template set T_k that represents the log set. For the log to be tested y_i, an inconsistency score can be calculated from the obtained log template set T_k using the inconsistency metric function g. The inconsistency scores given by heterogeneous models are not comparable, and the quality of the models' prediction results cannot be compared directly from them, so after the heterogeneous models have produced their inconsistency scores, the logs to be tested are predicted based on statistical learning.
1. Preprocessing raw logs
In this embodiment, the original log set is converted into a log stream set. An automated script processes the original text logs of different formats into a log stream set in a standard format suitable as input to a log parsing algorithm. The industrial control log stream set obtained after preprocessing is shown in Fig. 2.
2. Storing and sharing log streams
The embodiment uses a blockchain to store the log streams securely and effectively and to merge the log streams generated by the various devices. Each block of the blockchain consists of a block header and a block body. Blocks correspond one-to-one with hashes. When the blockchain is used for protection, the hash value of the current block is produced from the content of the current block header, which includes the hash of the previous block and the hash of the current block. This ensures that the blockchain provides secure storage of the log streams. When data is written to the blockchain, all nodes need to synchronize the data, so each device on the intranet can use the logs generated by all devices, and the log streams generated by the various devices can be merged for use.
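The header and body structure described above, as an added Python illustration that is not part of the patent text. It assumes SHA-256 over JSON, takes the "hash of the current block" held in the header to be a hash of the block body, and omits consensus and node synchronization; all field and function names and the log streams are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first block


def _digest(obj):
    """SHA-256 over a canonical JSON encoding of obj."""
    encoded = json.dumps(obj, sort_keys=True).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def append_block(chain, log_streams):
    """Append a block whose header binds the previous block's hash to the
    hash of this block's body (the stored log streams)."""
    body = list(log_streams)
    header = {"prev_hash": chain[-1]["hash"] if chain else GENESIS,
              "body_hash": _digest(body)}
    chain.append({"header": header, "body": body, "hash": _digest(header)})
    return chain[-1]


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None
    if every header, body and link is consistent."""
    prev = GENESIS
    for index, block in enumerate(chain):
        header = block["header"]
        if (header["prev_hash"] != prev
                or header["body_hash"] != _digest(block["body"])
                or block["hash"] != _digest(header)):
            return index
        prev = block["hash"]
    return None


def demo():
    """Build a three-block chain of constructed log streams and alter it."""
    chain = []
    append_block(chain, ["PLC01 read register 40001 ok"])
    append_block(chain, ["HMI login user operator ok"])
    append_block(chain, ["PLC02 write register 40002 ok"])
    intact = first_invalid_block(chain)

    # Case 1: a stored log stream in block 1 is edited in place.
    chain[1]["body"][0] = "HMI login user engineer ok"
    edited = first_invalid_block(chain)

    # Case 2: block 1's own hashes are recomputed to match the edit;
    # block 2 still records the old hash, so the link to it breaks.
    chain[1]["header"]["body_hash"] = _digest(chain[1]["body"])
    chain[1]["hash"] = _digest(chain[1]["header"])
    rehashed = first_invalid_block(chain)
    return intact, edited, rehashed


if __name__ == "__main__":
    print(demo())
```

An edit to one block is only consistent if every later block is rewritten as well, and the copies synchronized to the other nodes would then no longer agree with the rewritten chain.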
3. Get a set of log templates
In this embodiment, two thousand log streams are processed by the four log parsing algorithms, IPLoM, Drain, Drain V1 and LogSig, to obtain log template sets. The input is the set of log streams stored on the blockchain, and the output is log templates. A log event template is generated from the constants in the unstructured content of the log streams. The IPLoM algorithm combines the log length, the positions of word tokens and the mapping between word tokens to generate log event templates, as shown in Fig. 3. The Drain algorithm uses a directed acyclic graph that can be generated and updated automatically to generate log event templates, and is used mainly in online and distributed systems, as shown in Fig. 4. The LogSig algorithm first converts each log into a number of word pairs, each comprising two words and the position between them, then groups them, and finally obtains log event templates, as shown in Fig. 5.
4. Calculating an inconsistency score
In this embodiment, the obtained log template sets are used to calculate inconsistency scores for the log stream set with the inconsistency metric function; for each log parsing algorithm, each of its log templates yields one inconsistency score set. For each log parsing algorithm we therefore end up with as many inconsistency score sets as it has log templates.
Then the inconsistency of the log stream x to be tested is measured against the templates obtained by the four log parsing algorithms IPLoM, Drain, Drain V1 and LogSig, with each template giving one inconsistency score. The inconsistency scores given by the four algorithms are not comparable, and the quality of the models' prediction results cannot be compared directly from them.
5. Calculating P-Value
In this embodiment, take one template t_kb as an example. Its inconsistency score set is denoted {a_kb_1, a_kb_2, ..., a_kb_j}, and the inconsistency score of the log stream to be tested y_i for this template is denoted a_kb_i. The score a_kb_i is put into the template's inconsistency score set {a_kb_1, a_kb_2, ..., a_kb_j}; the P-Value for this template is then the ratio of the number of scores in the set that are greater than or equal to a_kb_i to the total number. The same calculation is performed for all templates obtained by the same log parsing algorithm, giving a P-Value set for each log parsing algorithm. The P-Value sets for two of the log parsing algorithms, IPLoM and Drain, are shown as examples in Fig. 6 and Fig. 7.
6. Detecting log streams based on statistical learning
From all the P-Value sets obtained in the previous step, the P-Values larger than the maximum error probability ε are selected, where ε is provided by the user, giving the sets of template classes corresponding to those P-Values. If an empty set exists, the log stream to be tested y_i is predicted to be an abnormal log; otherwise it is predicted to be a normal log.
7. General algorithm flow
(1) Input: the log stream set X, the log set Y to be tested, the log parsing algorithm set G, the inconsistency metric function g, and the acceptable maximum error probability ε:
① Original log stream set X: contains n log streams x_j, j ∈ {1, 2, ..., n}, X = {x_1, ..., x_n};
② Set Y of log streams to be tested: contains w logs y_i, i ∈ {1, 2, ..., w}, Y = {y_1, ..., y_w};
③ Log parsing algorithm set G: contains m log parsing algorithms f_k, k ∈ {1, 2, ..., m}, G = {f_1, ..., f_m};
④ Inconsistency metric function g: its input is a log stream and a log template t_kb, and its return value is a real number, called the inconsistency score, that indicates the inconsistency between the log stream to be tested and the log stream set;
⑤ Acceptable maximum error probability ε: provided by the user; the largest error probability the user can accept.
(2) Output:
The prediction result, i.e. whether the log to be tested y_i is normal or abnormal.
(3) Algorithm flow:
[Figure: general algorithm flow]
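Steps 1.1 to 2.2 and the general algorithm flow above, as an added Python illustration that is not part of the patent text. The two parsers are simplified stand-ins that borrow only the group-by-length-and-token and wildcard steps described for Drain and IPLoM, g is an assumed positional-mismatch score in which a higher value means a larger mismatch (the direction the P-Value rule in step 2.1.2 relies on), and every log stream is constructed.

```python
from collections import defaultdict

WILDCARD = "<*>"


def make_parser(token_index):
    """Build a simplified parser f_k (hypothetical stand-in, not IPLoM or
    Drain): group streams by (length, token at token_index), then keep the
    constant positions and replace varying positions with a wildcard."""
    def parse(streams):
        groups = defaultdict(list)
        for stream in streams:
            tokens = stream.split()
            if tokens:  # skip empty lines
                groups[(len(tokens), tokens[token_index])].append(tokens)
        return [tuple(col[0] if len(set(col)) == 1 else WILDCARD
                      for col in zip(*members))
                for members in groups.values()]
    return parse


def inconsistency(stream, template):
    """Assumed g: share of positions where the stream disagrees with the
    template. Wildcards match any token; a missing position is a mismatch."""
    tokens = stream.split()
    width = max(len(tokens), len(template))
    if width == 0:
        return 0.0
    mismatches = 0
    for pos in range(width):
        if pos >= len(tokens) or pos >= len(template):
            mismatches += 1
        elif template[pos] not in (WILDCARD, tokens[pos]):
            mismatches += 1
    return mismatches / width


def p_value(test_stream, template, original):
    """Step 2.1: add the test score to the scores of all original streams
    and return the share of scores >= the test score."""
    a_test = inconsistency(test_stream, template)
    scores = [inconsistency(x, template) for x in original] + [a_test]
    return sum(a >= a_test for a in scores) / len(scores)


def predict(test_stream, original, parsers, epsilon):
    """Step 2.2: per model, keep the templates with P-Value > epsilon; the
    stream is abnormal if any model is left with an empty set."""
    kept = {}
    for name, parse in parsers.items():
        kept[name] = [t for t in parse(original)
                      if p_value(test_stream, t, original) > epsilon]
    label = "abnormal" if any(not ts for ts in kept.values()) else "normal"
    return label, kept


# Constructed baseline of 22 industrial-control style log streams (set X).
ORIGINAL = [f"{dev} {op} register {reg} ok"
            for dev in ("PLC01", "PLC02", "PLC03")
            for op in ("read", "write")
            for reg in ("40001", "40002", "40003")]
ORIGINAL += [f"HMI {act} user {user} ok"
             for act in ("login", "logout")
             for user in ("operator", "engineer")]

# Two heterogeneous models (set G): group by first token, group by last token.
PARSERS = {"first_token": make_parser(0), "last_token": make_parser(-1)}

# Constructed streams to be tested (set Y).
TESTS = [
    "PLC02 read register 40009 ok",
    "PLC01 read register 40001 denied",
    "ENG07 firmware download started on PLC02",
]

if __name__ == "__main__":
    for y in TESTS:
        label, kept = predict(y, ORIGINAL, PARSERS, epsilon=0.05)
        sizes = {name: len(ts) for name, ts in kept.items()}
        print(f"{label:8}  {sizes}  {y}")
```

With n original streams the smallest P-Value this rule can produce is 1/(n+1), so an ε below that value never flags anything; the 22-stream baseline here supports ε = 0.05 but not ε = 0.01. The second test stream is kept by the first-token model and rejected only by the last-token model, which is the case where combining models changes the verdict.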

Claims (3)

1. An intelligent analysis method for intranet security threats, characterized by comprising the following steps:
Part 1, calculating the inconsistency scores between the log templates of multiple models and the log stream to be tested, comprising:
step 1.1, generating a log template set;
step 1.2, calculating the inconsistency score between the log template and the log stream to be tested;
Part 2, the intelligent analysis of intranet security threats, comprising:
step 2.1, calculating the P-Value;
step 2.2, predicting the log stream to be tested based on statistical learning;
wherein
step 1.1 comprises: processing the original log stream set with a log parsing algorithm f to obtain a log template set T;
step 1.2 comprises: for the log stream to be tested y_i, i ∈ {1, 2, ..., w}, each heterogeneous log parsing algorithm can, from the log template t_kb, where k denotes one log template set among the log template sets and b denotes one log template in that log template set, use the inconsistency metric function g to calculate the inconsistency score a_kb_i between the log template and the log stream to be tested;
step 2.1 comprises:
for a log template t_kb, measuring the inconsistency of each original log stream x_j, j ∈ {1, 2, ..., n}, to obtain the corresponding inconsistency score set {a_kb_1, a_kb_2, ..., a_kb_j};
putting the inconsistency score a_kb_i of the log stream to be tested y_i into the inconsistency score set obtained from the original log streams x_j and the log template t_kb; the P-Value of the log stream to be tested y_i with respect to the log template t_kb is the ratio of the number of log streams whose a_kb_j is greater than or equal to the inconsistency score a_kb_i of y_i to the total number of log streams; the larger the P-Value, the higher the significance of the log stream to be tested y_i in the log template set;
step 2.2 comprises:
selecting, from the P-Value sets of all log templates obtained in the previous step, the P-Values larger than the maximum error probability ε, to obtain the set formed by the log templates corresponding to those P-Values; if an empty set exists, the log stream to be tested y_i is predicted to be an abnormal log; otherwise it is predicted to be a normal log.
2. The intelligent analysis method for intranet security threats according to claim 1, wherein the specific method for generating a log template set comprises the following:
input of log parsing: the original log stream set X and the log parsing algorithm set G:
① original log stream set X: contains n log streams x_j, j ∈ {1, 2, ..., n}, X = {x_1, ..., x_n};
② log parsing algorithm set G: contains m log parsing algorithms f_k, k ∈ {1, 2, ..., m}, G = {f_1, ..., f_m};
output of log parsing: m log template sets T_k, k ∈ {1, 2, ..., m}, T = {T_1, ..., T_m}, where each log template set T_k contains q log templates t_kb, b ∈ {1, 2, ..., q}, T_k = {t_k1, ..., t_kb}.
3. The intelligent analysis method for intranet security threats according to claim 1, wherein the specific method for calculating the inconsistency score between the log template and the log stream to be tested comprises the following:
input of the inconsistency metric: the log template set T, the set Y of log streams to be tested, and the inconsistency metric function g:
① log template set T: contains m log template sets T_k, k ∈ {1, 2, ..., m}, T = {T_1, ..., T_m}, where each log template set T_k contains q log templates t_kb, b ∈ {1, 2, ..., q}, T_k = {t_k1, ..., t_kb};
② set Y of log streams to be tested: contains w logs y_i, i ∈ {1, 2, ..., w}, Y = {y_1, ..., y_w};
③ inconsistency metric function g: its input is a log stream and a log template t_kb, and its return value is a real number, called the inconsistency score, that indicates the inconsistency between the log stream to be tested and the log template t_kb;
output of the inconsistency metric: a set of inconsistency scores.
Application number CN201910219705.5A, priority date 2019-03-22, filing date 2019-03-22, title: Intelligent analysis method for intranet security threats (Active, CN110011990B)


Publications (2)

Publication Number | Publication Date
CN110011990A | 2019-07-12
CN110011990B | 2022-03-04
