CN111104670B - APT attack identification and protection method - Google Patents


Info

Publication number
CN111104670B
Authority
CN
China
Prior art keywords
log
program
monitoring
attack
behavior
Prior art date
Legal status
Active
Application number
CN201911267397.XA
Other languages
Chinese (zh)
Other versions
CN111104670A (en)
Inventor
魏峰
白万荣
张驯
杨凡
杨仕博
陈佐虎
赵博
李春亮
张雪飞
Current Assignee
STATE GRID GASU ELECTRIC POWER RESEARCH INSTITUTE
Gansu Tongxing Intelligent Technology Development Co Ltd
Original Assignee
STATE GRID GASU ELECTRIC POWER RESEARCH INSTITUTE
Gansu Tongxing Intelligent Technology Development Co Ltd
Priority date
2019-12-11
Filing date
2019-12-11
Publication date
2020-05-05 (CN111104670A); 2023-09-01 (CN111104670B)
Application filed by STATE GRID GASU ELECTRIC POWER RESEARCH INSTITUTE and Gansu Tongxing Intelligent Technology Development Co Ltd
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention relates to the field of information security and in particular discloses an APT attack identification and protection method. It uses program behavior association analysis: the intention of a program is identified by correlating its behaviors, the threat it poses is judged, and the mechanism by which an expert discovers a novel attack program is simulated. Through automatic monitoring of program actions, the logical relations among the actions are analyzed automatically, the attack program behavior identification rule knowledge is applied comprehensively, and novel malicious behavior is judged automatically, so that defense is achieved in advance.

Description

APT attack identification and protection method
Technical Field
The invention relates to the field of information security, in particular to an APT attack identification and protection method.
Background
APT attacks are security incidents that have occurred frequently in recent years and are generally defined as long-term, organized, advanced persistent security threats. In essence, an APT attack brings no new means of attack; it is the tactical, combined use of a variety of known attack means. The industry therefore holds that APT is a specific form of network warfare between countries or between organizations.
In recent years, Advanced Persistent Threat (APT) attacks have become a major security threat to governments and to enterprises of every size. APT attack detection and defense technology can actively detect APT attack behavior and prevent the damage and loss caused by malicious intrusion and abnormal behavior. The traditional APT detection and defense method based on a traffic signature library is effective against known threats such as known vulnerabilities or attacks by virus and Trojan programs, but it cannot effectively detect and locate APT attacks whose characteristics are unknown, whose techniques are complex and whose duration is long.
From the perspective of the APT intruder, attacks and user anomalies can be divided into seven stages: reconnaissance of the target, building tools, delivering tools, triggering tools, controlling the target, carrying out activities, and retaining a foothold. Each activity stage usually leaves an activity record in the network and in the target system, including traffic logs, system operation logs, configuration change records, personnel operation behavior logs and the like. The log records cover user login behavior, interface calls, data creation, deletion, modification and query, and changes to permissions and data structures, and they contain the traces of intrusion and of abnormal behavior such as unauthorized access, data theft and host compromise. By analyzing this operation behavior data, potential abnormal user behavior can be mined.
Such a method is effective for defining and detecting conventional behavior, but because there are a great many abnormal-behavior scenarios, behavior cannot simply be defined and checked by a handful of its attributes; otherwise false positives and missed detections easily occur. Historical behavior data therefore needs to be analyzed, and suitable algorithms used to predict and detect abnormal user behavior, so that intrusions and abnormal behavior can be discovered effectively.
Disclosure of Invention
In view of the above, the present invention aims to overcome the defects of the prior art and provide an APT attack identification and protection method. It studies program behavior association analysis, identifies program intention by correlating program behaviors and judges the threat posed; using a dynamic simulation technique, it reproduces the logic by which an attack-program identification expert analyzes program behavior and judges the nature of a program, so that the expert's judgment is simulated and advance defense against novel attack programs is achieved.
The method for identifying and protecting against APT attacks according to the invention comprises the following steps:
Step S1, analyzing, generalizing and summarizing the behavior rules of attack programs;
Step S2, extracting an attack program identification rule knowledge base;
Step S3, judging the attack method of a known program by using the program behavior knowledge base;
Step S4, establishing the analysis and judgment basis for identifying attack program behavior, to obtain an attack program identification expert system;
Step S5, monitoring the actions of the program to be detected, matching the behavior sequence pattern to be detected against the known characteristic sequences recorded in the program behavior knowledge base, and judging whether the program to be detected is an attack program.
Further, step S1 is based on big data and machine learning: it automatically analyzes and summarizes rules from the detection data, uses the rules to analyze and predict unknown threats, continuously updates itself, and automatically improves its performance.
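Step S5 is the part of the identification method that a detection engineer actually implements, so the following Python block is added here as an illustration; it is not code from the patent. It matches a monitored action trace against a knowledge base of known behavior sequences as an ordered subsequence (so benign events may be interleaved) and reports the highest impact level among the matched rules. The knowledge base, the action names and the impact levels are constructed placeholders, not values from the patent.

```python
"""
Added example, not code from the patent: step S5 (behavior sequence matching
against the program behavior knowledge base) together with the impact level
of a behavior. The knowledge base, the action names and the impact levels are
constructed placeholders, not values from the patent.
"""

# Constructed knowledge base: each rule is an ordered sequence of abstract
# monitored actions (the file / registry / process / network event classes the
# patent's probes record) plus a hypothetical impact level on system security.
KNOWLEDGE_BASE = {
    "drop-and-persist": {
        "sequence": ["file_write_exe", "registry_set_run_key", "process_create"],
        "impact": 3,
    },
    "collect-and-exfil": {
        "sequence": ["file_read_many", "file_write_archive",
                     "net_connect_out", "net_send_large"],
        "impact": 4,
    },
}


def contains_ordered_subsequence(observed, pattern):
    """True if every action of `pattern` appears in `observed` in that order.
    Unrelated actions may be interleaved, because a real program emits many
    benign events between the steps that matter."""
    it = iter(observed)
    return all(any(act == step for act in it) for step in pattern)


def match_behavior(observed, knowledge_base=KNOWLEDGE_BASE):
    """Names of all knowledge-base rules whose sequence occurs in `observed`."""
    return [name for name, rule in knowledge_base.items()
            if contains_ordered_subsequence(observed, rule["sequence"])]


def judge_program(observed, knowledge_base=KNOWLEDGE_BASE):
    """Step S5 verdict: which rules matched and the highest impact among them
    (0 when nothing matched)."""
    hits = match_behavior(observed, knowledge_base)
    impact = max((knowledge_base[h]["impact"] for h in hits), default=0)
    return {"suspicious": bool(hits), "matched_rules": hits, "impact": impact}


if __name__ == "__main__":
    # Constructed action trace from a monitored program.
    trace = ["process_create", "file_write_exe", "net_connect_out",
             "registry_set_run_key", "process_create"]
    print(judge_program(trace))
```

Ordered-subsequence matching is deliberately loose: it tolerates the noise between the steps of a behavior, at the cost of more false positives on long traces, which is why the impact level is reported alongside the match rather than the match alone deciding.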
The protection method against APT attacks comprises:
studying the APIs called by attack programs;
distributing and deploying the various probes effectively on the computer system, so that the running of programs is monitored dynamically;
analyzing a series of program actions through their logical relations to form a meaningful behavior;
establishing the level of influence that program behavior has on system security;
formulating a monitoring policy for trusted program behavior;
monitoring program activity, and discovering and preventing security threats in real time.
Further, the probes monitor the file, registry, process, thread and network activity of the system, record the corresponding activity to a log file in real time and upload it to the log server.
Further, the dynamic monitoring comprises all-round system monitoring and anomaly detection;
the all-round system monitoring uses the operating system logs and the monitoring logs; the operating system logs comprise the application log, the security log, the system log and the service log; the monitoring logs comprise the file monitoring log, the registry monitoring log, the process monitoring log and the network monitoring log;
the anomaly detection is divided into three layers, namely a log preprocessing layer, a multi-algorithm processing layer and an anomaly detection layer;
the log preprocessing comprises two steps, namely (1) extracting the logs and (2) standardizing the extracted logs;
the multi-algorithm processing layer processes the log stream with several log parsing algorithms to obtain several sets of log templates;
and the anomaly detection layer performs anomaly detection on the logs to be detected by using the log templates obtained by the multi-algorithm processing layer in combination with a statistical learning method.
Further, the multiple algorithms comprise the LKE algorithm, the IPLoM algorithm, the LogSig algorithm and the Drain algorithm.
The beneficial effects of the invention are as follows: the APT attack identification and protection method disclosed here analyzes, generalizes and summarizes the behavior rules of attack programs, combines them with the experience of attack-program identification experts in judging attack programs, and refines the attack program behavior identification rule knowledge base. It simulates the mechanism by which an expert discovers a novel attack program: through automatic monitoring of the various program actions it analyzes the logical relations among them automatically, applies the attack program behavior identification rule knowledge comprehensively, judges novel malicious behavior automatically, and so achieves defense in advance.
Drawings
The invention is further described below with reference to the accompanying drawings and examples:
FIG. 1 is a flowchart of the identification of the present invention;
FIG. 2 is a diagram of a system logic architecture of the present invention.
Detailed Description
Referring to FIGS. 1 and 2, the APT attack identification method in this embodiment comprises:
Step S1, analyzing, generalizing and summarizing the behavior rules of attack programs;
Step S2, extracting an attack program identification rule knowledge base;
Step S3, judging the attack method of a known program by using the program behavior knowledge base;
Step S4, establishing the analysis and judgment basis for identifying attack program behavior, to obtain an attack program identification expert system;
Step S5, monitoring the actions of the program to be detected, matching the behavior sequence pattern to be detected against the known characteristic sequences recorded in the program behavior knowledge base, and judging whether the program to be detected is an attack program. Step S1 is based on big data and machine learning: it automatically analyzes and summarizes rules from the detection data, uses the rules to analyze and predict unknown threats, continuously updates itself, and automatically improves its performance.
The invention analyzes, generalizes and summarizes the behavior rules of attack programs, combines them with the experience of attack-program identification experts in judging attack programs, and refines the attack program behavior identification rule knowledge base. It simulates the mechanism by which an expert discovers a novel attack program: through automatic monitoring of the various program actions it analyzes the logical relations among them automatically, applies the attack program behavior identification rule knowledge comprehensively, judges novel malicious behavior automatically, and so achieves defense in advance.
The protection method against APT attacks comprises:
studying the APIs called by attack programs;
distributing and deploying the various probes effectively on the computer system, so that the running of programs is monitored dynamically;
analyzing a series of program actions through their logical relations to form a meaningful behavior;
establishing the level of influence that program behavior has on system security;
formulating a monitoring policy for trusted program behavior;
in this embodiment, the probes monitor the file, registry, process, thread and network activity of the system, record the corresponding activity to a log file in real time and upload it to the log server.
The file monitoring log records file system activity for all Windows file systems, including local storage and remote file systems; the process monitor automatically detects new file system devices and monitors them automatically. The registry monitoring log records all registry operations, including open, read, write, modify, add, delete and so on. The process/thread monitoring log, produced by the process/thread monitoring subsystem, tracks the creation and exit of all processes and threads and the loading of DLLs and device drivers. The network monitoring log records TCP and UDP activity; each network operation includes the source and destination address and the amount of data sent or received, but not the actual data.
In this embodiment, the dynamic monitoring comprises all-round system monitoring and anomaly detection; the all-round system monitoring uses the operating system logs and the monitoring logs; the operating system logs comprise the application log, the security log, the system log and the service log; the monitoring logs comprise the file monitoring log, the registry monitoring log, the process monitoring log and the network monitoring log.
In this embodiment, the anomaly detection is divided into three layers: a log preprocessing layer, a multi-algorithm processing layer and an anomaly detection layer.
1. Log preprocessing layer
This layer performs log preprocessing, turning the original logs into a log stream. Modern systems contain a large number of heterogeneous devices; different devices generate logs in different formats, and the logs are mostly text-based and difficult to process. At this layer, the text logs in their different formats are processed by an automated script into a log stream in a standard format.
2. Multi-algorithm processing
2.1. Generating a set of log templates
The log stream set is processed with several log parsing algorithms, and several sets of log templates are obtained.
Several log parsing algorithms are used here to generate log event templates from the constants in the unstructured content of the log stream. The log streams stored on the blockchain are extracted with the LKE algorithm, the IPLoM algorithm, the LogSig algorithm and the Drain algorithm, and representative log event templates are generated from the constants of the unstructured content. Since the implementation of each algorithm is different, the template set produced by each algorithm differs in number and content from the template sets produced by the other algorithms.
The LKE algorithm extracts the keywords of a log from the unstructured part of the preprocessed log according to heuristic rules and so generates a log event template. The IPLoM algorithm combines the log length, the positions of the word tokens and the mapping relations between the word tokens to generate a log event template. The LogSig algorithm first converts each log into a number of word pairs, each consisting of two words and the distance between them, then groups them, and finally obtains a log event template. The Drain algorithm uses a directed acyclic graph that can be generated and updated automatically to produce log event templates, and is mainly used in online and distributed systems.
In this step, the input to log parsing is the original log stream set X together with the set G of log parsing algorithms applied; the output is a set T = {T_1, …, T_m} of m log template sets T_k, k ∈ {1, 2, …, m}, where the value m is related to the number of log parsing algorithms applied; each log template set T_k contains q log templates t_kb, b ∈ {1, 2, …, q}, T_k = {t_k1, …, t_kq}.
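The preprocessing layer of section 1 and the template layer of section 2.1 are easiest to understand as one pipeline, so a miniature version of both is added here in Python; it is not the patent's own code. Two deliberately simple parsing heuristics (partition by token count; partition by token count and first token) stand in for the LKE, IPLoM, LogSig and Drain algorithms named in the text, and the sample log lines, the two raw formats and the regular expressions are constructed for the example. The point it shows is the one the text makes: each algorithm in G yields its own template set T_k, and the sets differ in size and content.

```python
"""
Added example, not the patent's own code: a miniature log preprocessing layer
(section 1) feeding a miniature multi-algorithm template layer (section 2.1).
Two deliberately simple parsing heuristics stand in for the LKE, IPLoM, LogSig
and Drain algorithms named in the text; the sample log lines and the two
formats they use are constructed.
"""
import re
from collections import defaultdict

# Constructed raw logs in two formats (syslog-like and Windows-event-like),
# as produced by the heterogeneous devices the text describes.
RAW_LOGS = [
    "Dec 11 10:00:01 host1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 50213",
    "Dec 11 10:00:07 host1 sshd[2117]: Accepted password for bob from 10.0.0.9 port 50340",
    "Dec 11 10:00:09 host1 sshd[2120]: Failed password for root from 10.0.0.77 port 41002",
    "2019-12-11T10:00:12 HOST2 4688 Process created: C:\\Windows\\System32\\cmd.exe by user alice",
    "2019-12-11T10:00:15 HOST2 4688 Process created: C:\\Tools\\notepad.exe by user bob",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
WINEVT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<eid>\d+) (?P<msg>.*)$")


def preprocess(raw_lines):
    """Log preprocessing layer: turn raw lines of different formats into one
    uniform stream of (source, host, message) records. A line matching no
    known format is kept, not dropped, so that unexpected input still reaches
    anomaly detection instead of disappearing silently."""
    stream = []
    for line in raw_lines:
        m = SYSLOG_RE.match(line)
        if m:
            stream.append({"source": "syslog", "host": m["host"], "msg": m["msg"]})
            continue
        m = WINEVT_RE.match(line)
        if m:
            stream.append({"source": "winevt", "host": m["host"], "msg": m["msg"]})
            continue
        stream.append({"source": "unknown", "host": "unknown", "msg": line})
    return stream


def templates_by_key(stream, key_fn):
    """Generic 'partition, then keep the constant positions' parser: records
    are partitioned by key_fn (which must fix the token count), and inside a
    partition a position is a constant if every record has the same token
    there, otherwise the wildcard '<*>'."""
    groups = defaultdict(list)
    for rec in stream:
        toks = rec["msg"].split()
        groups[key_fn(toks)].append(toks)
    templates = set()
    for toks_list in groups.values():
        parts = []
        for pos in range(len(toks_list[0])):
            column = {t[pos] for t in toks_list}
            parts.append(column.pop() if len(column) == 1 else "<*>")
        templates.add(" ".join(parts))
    return sorted(templates)


# Stand-ins for the set G of parsing algorithms: each yields its own T_k.
PARSING_ALGORITHMS = {
    "by_length": lambda toks: len(toks),
    "by_length_and_head": lambda toks: (len(toks), toks[0]),
}


def build_template_sets(raw_lines, algorithms=PARSING_ALGORITHMS):
    """Multi-algorithm layer: apply every algorithm in G to the stream X and
    return T = {T_1, ..., T_m}, one template set per algorithm (m = |G|)."""
    stream = preprocess(raw_lines)
    return {name: templates_by_key(stream, key) for name, key in algorithms.items()}


if __name__ == "__main__":
    for name, templates in build_template_sets(RAW_LOGS).items():
        print(name, len(templates), templates)
```

On the five constructed lines the first heuristic produces two templates and the second produces three (it keeps "Accepted" and "Failed" apart), which is exactly the disagreement between algorithms that the later P-Value stage exploits.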
2.2. Calculating an inconsistency score
This is the starting point of prediction: a real-valued function is chosen to measure the difference between a log stream and the log event templates produced by a log parsing algorithm. This function is called the inconsistency measure function, and many such functions exist. It takes two parameters, a log stream and a log event template, and its value is called the score: the lower the score, the more similar the two are.
For each heterogeneous log parsing algorithm, the log stream y_i to be detected is combined with a log template t_kb produced by that algorithm, and the inconsistency score α is calculated with the inconsistency measure function g.
The input is the log template set T, the log stream set Y to be tested and the inconsistency measure function g; T contains m log template sets T_k, k ∈ {1, 2, …, m}, T = {T_1, …, T_m}, each log template set T_k contains q log templates t_kb, b ∈ {1, 2, …, q}, T_k = {t_k1, …, t_kq}, and the log stream set Y to be tested contains w logs y_i, i ∈ {1, 2, …, w}, Y = {y_1, …, y_w};
the output here is a set of inconsistency scores.
3. Anomaly detection
3.1. Calculating P-Value
At this stage, first, for the log template t_kb the inconsistency measure is applied to the original log streams x_j, giving a corresponding set of inconsistency scores {α_kb,1, α_kb,2, …, α_kb,j}; secondly, the inconsistency score α_kb,i of the log stream y_i to be tested is placed into the inconsistency score set of that class; finally, the P-Value is the ratio of the number of log streams whose inconsistency score is greater than or equal to α_kb,i to the total number of log streams. The larger the P-Value, the higher the significance of the log stream y_i to be tested within that class. The same operation is performed for every log template produced by every log parsing algorithm.
The input at this stage is the set of inconsistency scores of the log stream; the corresponding output is the P-Value of the log stream y_i to be tested. Each log parsing algorithm corresponds to its own set of P-Values.
3.2. Predicting log streams to be tested based on statistical learning
At this stage, from the set formed by all the P-Values obtained in the previous step, the P-Values greater than the maximum error probability ε are selected, giving the set of template classes corresponding to these P-Values; each algorithm corresponds to one such set. If any of these sets is empty, the log stream y_i to be detected is predicted to be an abnormal log; otherwise it is predicted to be a normal log.
The input at this stage is the P-Value set of the log stream y_i to be tested and the acceptable maximum error probability ε, supplied by the user as the largest error probability the user will accept; the output is the prediction result.
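Sections 2.2, 3.1 and 3.2 together form a small conformal-style anomaly detector, so one worked Python example covering all three is added here; it is not the patent's own code. It assumes a concrete inconsistency measure g (one minus the share of token positions the log matches in a template, with "<*>" matching anything), assumes that the "class" of a template t_kb is the set of original logs x_j that lie closest to that template, and uses constructed template sets (one per hypothetical algorithm) and a constructed original stream X as calibration data; the template and algorithm names are placeholders.

```python
"""
Added example, not the patent's own code: the inconsistency score (2.2), the
P-Value (3.1) and the epsilon decision (3.2). One constructed template set
stands in for each log-parsing algorithm, and a constructed original stream X
supplies the calibration scores. All names and values are hypothetical.
"""

# Constructed template sets T_1, T_2: one per (hypothetical) parsing algorithm.
TEMPLATE_SETS = {
    "algo_A": [
        "<*> password for <*> from <*> port <*>",
        "Process created: <*> by user <*>",
    ],
    "algo_B": [
        "Accepted password for <*> from <*> port <*>",
        "Failed password for <*> from <*> port <*>",
        "Process created: <*> by user <*>",
    ],
}

# Constructed original log stream X (already reduced to message text).
CALIBRATION = [
    "Accepted password for alice from 10.0.0.5 port 50213",
    "Accepted password for bob from 10.0.0.9 port 50340",
    "Failed password for root from 10.0.0.77 port 41002",
    "Process created: C:\\Windows\\System32\\cmd.exe by user alice",
    "Process created: C:\\Tools\\notepad.exe by user bob",
]


def inconsistency(log_msg, template):
    """g(y, t): 1 minus the share of positions where the log matches the
    template ('<*>' matches any token); extra or missing tokens count as
    mismatches. Lower means more similar, as the text requires."""
    lt, tt = log_msg.split(), template.split()
    matched = sum(1 for a, b in zip(lt, tt) if b == "<*>" or a == b)
    return 1.0 - matched / max(len(lt), len(tt))


def class_scores(templates, calibration):
    """Assign each original log x_j to its nearest template (its class) and
    keep the per-class inconsistency scores; this is the set that the
    P-Value of a log under test is computed against."""
    classes = {t: [] for t in templates}
    for x in calibration:
        best = min(templates, key=lambda t: inconsistency(x, t))
        classes[best].append(inconsistency(x, best))
    return classes


def p_value(score_y, scores_of_class):
    """Section 3.1: the log under test joins the class; the P-Value is the
    share of scores in the class that are >= its own score (never 0)."""
    pool = list(scores_of_class) + [score_y]
    return sum(1 for a in pool if a >= score_y) / len(pool)


def p_values_for(log_msg, template_sets, calibration):
    """One P-Value per template t_kb, grouped by algorithm k."""
    out = {}
    for algo, templates in template_sets.items():
        classes = class_scores(templates, calibration)
        out[algo] = {t: p_value(inconsistency(log_msg, t), classes[t]) for t in templates}
    return out


def predict(log_msg, template_sets, calibration, epsilon):
    """Section 3.2: per algorithm keep the templates with P-Value > epsilon;
    if any algorithm is left with an empty set, the log is predicted anomalous."""
    pv = p_values_for(log_msg, template_sets, calibration)
    accepted = {a: [t for t, p in d.items() if p > epsilon] for a, d in pv.items()}
    return {"anomalous": any(not v for v in accepted.values()),
            "accepted": accepted, "p_values": pv}


if __name__ == "__main__":
    for y in ("Accepted password for carol from 10.0.0.3 port 50777",
              "Scheduled task created: C:\\Temp\\update.exe by user carol"):
        verdict = predict(y, TEMPLATE_SETS, CALIBRATION, epsilon=0.5)
        print("ANOMALY" if verdict["anomalous"] else "normal", "<-", y)
```

With a class of n calibration logs the smallest P-Value a log can receive is 1/(n+1), so on a small calibration set the P-Values are coarse and ε has to be chosen with the class sizes in mind; the tiny example needs ε = 0.5 to separate the two sample logs, while a production calibration stream allows a much smaller ε.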
The invention adopts a dynamic simulation technique: following the logic by which an attack-program identification expert analyzes program behavior and judges the nature of a program, it simulates the expert's mechanism for judging attack programs, and so achieves advance defense against novel attack programs.
Finally, it is noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made thereto without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered by the scope of the claims of the present invention.

Claims (2)

1. A method for identifying and protecting against APT attacks, characterized in that the method for identifying APT attacks comprises the following steps:
Step S1, analyzing, generalizing and summarizing the behavior rules of attack programs;
Step S2, extracting an attack program identification rule knowledge base;
Step S3, judging the attack method of a known program by using the program behavior knowledge base;
Step S4, establishing the analysis and judgment basis for identifying attack program behavior, to obtain an attack program identification expert system;
Step S5, monitoring the actions of a program to be detected, matching the behavior sequence pattern to be detected against the known characteristic sequences recorded in the program behavior knowledge base, and judging whether the program to be detected is an attack program;
step S1 is based on big data and machine learning: it automatically analyzes and summarizes rules from the detection data, uses the rules to analyze and predict unknown threats, continuously updates itself, and automatically improves its performance;
the protection method against APT attacks comprises the following steps:
studying the APIs called by attack programs;
distributing and deploying the various probes effectively on the computer system, so that the running of programs is monitored dynamically;
analyzing a series of program actions through their logical relations to form a meaningful behavior;
establishing the level of influence that program behavior has on system security;
formulating a monitoring policy for trusted program behavior;
monitoring program activity, and discovering and preventing security threats in a timely manner;
the probes monitor the file, registry, process, thread and network activity of the system, record the corresponding activity to a log file in real time and upload it to the log server;
the dynamic monitoring comprises all-round system monitoring and anomaly detection;
the all-round system monitoring uses the operating system logs and the monitoring logs; the operating system logs comprise the application log, the security log, the system log and the service log; the monitoring logs comprise the file monitoring log, the registry monitoring log, the process monitoring log and the network monitoring log;
the anomaly detection is divided into three layers, namely a log preprocessing layer, a multi-algorithm processing layer and an anomaly detection layer;
the log preprocessing comprises two steps, namely (1) extracting the logs and (2) standardizing the extracted logs;
the multi-algorithm processing layer processes the log stream with several log parsing algorithms to obtain several sets of log templates;
and the anomaly detection layer performs anomaly detection on the logs to be detected by using the log templates obtained by the multi-algorithm processing layer in combination with a statistical learning method.
2. The method for protecting against APT attacks according to claim 1, wherein the multiple algorithms comprise the LKE algorithm, the IPLoM algorithm, the LogSig algorithm and the Drain algorithm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911267397.XA CN111104670B (en) 2019-12-11 2019-12-11 APT attack identification and protection method

Publications (2)

Publication Number Publication Date
CN111104670A CN111104670A (en) 2020-05-05
CN111104670B true CN111104670B (en) 2023-09-01

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111970272A (en) * 2020-08-14 2020-11-20 上海境领信息科技有限公司 APT attack operation identification method
CN113268734B (en) * 2021-04-27 2023-11-24 中国科学院信息工程研究所 Key host event identification method based on information flow analysis

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1818823A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Computer protecting method based on programm behaviour analysis
CN105262726A (en) * 2015-09-10 2016-01-20 中国人民解放军信息工程大学 APT (Advanced Persistent Threat) attack detection method based on big data behavior sequence analysis
KR20170059279A (en) * 2015-11-20 2017-05-30 (주)유엠로직스 Advanced Persistent Threat attack tolerance system and method using cloud computing virtualization
CN107623677A (en) * 2017-08-08 2018-01-23 国家电网公司 The determination method and apparatus of Information Security
CN108259462A (en) * 2017-11-29 2018-07-06 国网吉林省电力有限公司信息通信公司 Big data Safety Analysis System based on mass network monitoring data
WO2018177210A1 (en) * 2017-03-27 2018-10-04 新华三技术有限公司 Defense against apt attack
CN109660526A (en) * 2018-12-05 2019-04-19 国网江西省电力有限公司信息通信分公司 A kind of big data analysis method applied to information security field
CN109995722A (en) * 2017-12-30 2019-07-09 广州明领基因科技有限公司 Magnanimity detection data analysis system towards APT protection
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9628507B2 (en) * 2013-09-30 2017-04-18 Fireeye, Inc. Advanced persistent threat (APT) detection center
WO2016168368A1 (en) * 2015-04-13 2016-10-20 Secful, Inc. System and method for identifying and preventing malicious api attacks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on the technical system of APT attack detection and countermeasures; 陈瑞东; 张小松; 牛伟纳; 蓝皓月; Journal of University of Electronic Science and Technology of China (Issue 06); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant