CN111200575A - Machine learning-based method for identifying malicious behaviors of information system - Google Patents


Info

Publication number
CN111200575A
Authority
CN
China
Prior art keywords
graph
network
module
unit
machine learning
Prior art date
Legal status
Granted
Application number
CN201811365402.6A
Other languages
Chinese (zh)
Other versions
CN111200575B (en)
Inventor
刘兴鹏
王晓波
Current Assignee
Hui Shield Information Security Technology Suzhou Ltd By Share Ltd
Original Assignee
Hui Shield Information Security Technology Suzhou Ltd By Share Ltd
Priority date
Filing date
Publication date
Application filed by Hui Shield Information Security Technology Suzhou Ltd By Share Ltd
Priority to CN201811365402.6A (patent CN111200575B)
Publication of CN111200575A
Application granted
Publication of CN111200575B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides a machine learning-based method for identifying malicious behaviors of an information system. The method comprises a graph conversion module, a training module and a graph convolution network module, which are combined into two implementation processes: a training process and an identification process. The method collects host process and network session behavior information. The serialization unit serializes the behaviors to form an event set, the graph construction unit abstracts the event set into a topological graph, and the graph normalization unit normalizes the topological graph into a standard vector, which is input into the graph convolution network model for prediction. The method enables real-time prediction of malicious behavior in the system at the host level and the network level, so as to avoid further damage to important data.

Description

Machine learning-based method for identifying malicious behaviors of information system
Technical Field
The invention relates to a machine learning-based method for identifying malicious behaviors of an information system. By modeling host process behaviors and network session behaviors as topological graphs and applying graph convolution network technology from machine learning, it enables real-time prediction of malicious behavior in the system at the host level and the network level, so as to avoid further damage to important data.
Abbreviations and terms:
GCN: Graph Convolutional Network.
GoogLeNet: a 22-layer deep network that adopts the Inception (Network-in-Network) structure.
APT: Advanced Persistent Threat, an attack form that uses advanced attack techniques to carry out long-term, persistent network attacks on a specific target.
0day vulnerability: in the information security sense, a 0day vulnerability is vulnerability information that is known and held before a security patch is released. It can be used by hackers or criminals to attack enterprise or personal systems and to steal or change data, and because thorough security measures are not yet in place, such attacks are very hard to prevent.
Background
With the continuous development of informatization, more and more important information is stored as data in various information systems, and much of it is sensitive. If sensitive information is maliciously leaked, deleted or encrypted, the data owner and even society can suffer huge losses. Typical destructive means are ransomware and APT attacks.
Encrypting ransomware uses a high-strength encryption algorithm to encrypt user files. At present there are no reliable prevention and detection measures against encrypting ransomware, and once user data has been encrypted by ransomware, traditional antivirus software can do nothing about it.
An APT is a network attack and intrusion that hackers launch against a target in order to steal core data; it is a long-premeditated "malicious commercial espionage threat". Such activity is usually operated and planned over a long period and is highly concealed. The APT attack method is to hide itself and steal data from a specific target in a long-term, planned and organized manner; this stealing of data and gathering of intelligence in digital space is "cyber espionage".
Existing protective means generally screen against known virus signatures and have the following serious defects:
1. They are not effective against virus variants. Ransomware variants appear quickly and can pass antivirus detection and enter a host system to steal or destroy data before the antivirus software updates its virus signature library. Antivirus software typically cannot update the full virus library in real time, which leaves room for virus intrusion.
2. They cannot defend against 0day vulnerabilities. In the information security sense, 0day refers to vulnerability information that is known and held before a security patch is released. It can be used by hackers or criminals to attack enterprise or personal systems and to steal or change data, and because thorough security measures are not yet in place, such attacks are very hard to prevent.
3. They have difficulty protecting against APT attacks. APT attacks often focus on being "low and slow": moving slowly and silently from one compromised host to the next, where no network traffic can be monitored, and in this way finding the data and target systems they need. This renders traditional traffic-based anomaly detection ineffective.
Disclosure of Invention
The invention provides a machine learning-based method for identifying malicious behaviors of an information system. Based on host process behavior and network layer session behavior, it identifies malicious behavior in progress through graph convolution network technology, so that measures can be taken to keep losses from growing.
The method identifies malicious behavior at two levels.
1. At the host level, the file access behavior of host processes is modeled and judged, preventing malicious processes from illegally accessing, modifying or deleting data.
2. At the network level, network session behavior is modeled and judged, preventing network attacks and virus spread over malicious network connections.
The malicious behavior identification method is divided into three modules, namely a graph conversion module, a training module and a graph convolution network module. The three modules are combined into two implementation processes, namely a training process and an identification process.
Fig. 1 shows the graph conversion module of the malicious behavior identification method according to the present invention, which includes an acquisition unit, a serialization unit, a graph construction unit, and a graph normalization unit.
The acquisition unit acquires the operation behavior of host processes and network session behavior in real time, cleans the acquired data, and sends the data to the serialization unit for serialization. The host process operation behavior acquired in real time includes: registry operations (e.g., key and value creation, enumeration, lookup, deletion, etc.), file system operations (operations performed on local storage and remote file systems), network operations (UDP and TCP network activities, including source and destination addresses, port numbers, the corresponding connections and disconnections, the number and bytes of send and receive operations, etc.), process operations (e.g., a parent process creating a child process, process startup, thread creation, thread exit, process exit, and loading an executable image into the address space of a process, etc.), and summaries (e.g., total kernel and user time since the last summary event, memory usage, number of context switches, etc.). The network session behavior collected in real time includes: source/destination IP addresses, source/destination port numbers, number of transmitted/received bytes, number of transmitted/received messages, transmission/reception rates, session duration, protocol, etc.
After receiving the behavior information sent by the acquisition unit, the serialization unit serializes it separately per host process/network session, so that each single process/network session forms an event set on a timeline, and sends the event set matrix to the graph construction unit.
After receiving the event set matrix, the graph construction unit constructs a topological graph from the events of each host process/network session. According to the state transitions of each host process/network session, it abstracts the events into a topological graph of points and edges that describes the degree and state of connection among the events of the host process/network session, and transmits it to the graph convolution network unit.
After receiving the topological graph, the graph normalization unit converts it into standard vector information, which serves as the input of the graph convolution network module for spatial-domain convolution.
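The following sketch walks one constructed batch of host telemetry through the serialization, graph construction and graph normalization steps described above. It is an added example, not code from the patent: the event field names, `MAX_NODES`, the "next" transition edges, and the use of the symmetric normalization with self-loops that is common for GCN inputs are all assumptions, since the patent does not specify the normalization, and the GoogLeNet classifier is not modeled.

```python
import math
from collections import defaultdict

NODE_TYPES = ("process", "file", "regkey", "ip")  # point kinds, following claim 6
MAX_NODES = 6                                     # assumed fixed graph size

# Constructed sample telemetry (not real data): two processes, out of order.
RAW_EVENTS = [
    {"ts": 5.0, "pid": 4120, "proc": "updater.exe", "op": "file_write",
     "target": ("file", r"C:\Users\a\doc1.docx"), "bytes": 4096},
    {"ts": 1.0, "pid": 4120, "proc": "updater.exe", "op": "reg_set",
     "target": ("regkey", r"HKCU\Software\Run\upd"), "bytes": 0},
    {"ts": 2.0, "pid": 880, "proc": "backup.exe", "op": "file_read",
     "target": ("file", r"C:\Users\a\doc1.docx"), "bytes": 4096},
    {"ts": 3.0, "pid": 4120, "proc": "updater.exe", "op": "tcp_connect",
     "target": ("ip", "203.0.113.7:443"), "bytes": 512},
    {"ts": 4.0, "pid": 4120, "proc": "updater.exe", "op": "file_read",
     "target": ("file", r"C:\Users\a\doc1.docx"), "bytes": 4096},
    {"ts": None, "pid": 4120, "proc": "updater.exe", "op": "file_read",
     "target": ("file", "x"), "bytes": 1},  # malformed: removed by cleaning
]


def serialize(raw_events):
    """Data cleaning plus serialization: one time-ordered event set per process."""
    per_proc = defaultdict(list)
    for ev in raw_events:
        if ev.get("ts") is None or ev.get("target", (None,))[0] not in NODE_TYPES:
            continue
        per_proc[ev["pid"]].append(ev)
    return {pid: sorted(evs, key=lambda e: e["ts"]) for pid, evs in per_proc.items()}


def build_graph(event_set):
    """Points are the process and the objects it touches; edges carry the
    operation types, counts and byte totals. Consecutive events also add a
    'next' edge between their targets to capture the state transition."""
    index = {("process", event_set[0]["proc"]): 0}  # node 0 is the process itself
    edges = {}

    def bump(i, j, op, nbytes):
        e = edges.setdefault((i, j), {"ops": set(), "count": 0, "bytes": 0})
        e["ops"].add(op)
        e["count"] += 1
        e["bytes"] += nbytes

    prev = None
    for ev in event_set:
        dst = index.setdefault(ev["target"], len(index))
        bump(0, dst, ev["op"], ev.get("bytes", 0))
        if prev is not None and prev != dst:
            bump(prev, dst, "next", 0)
        prev = dst
    return list(index), edges  # node order = order of first appearance


def normalize(nodes, edges, max_nodes=MAX_NODES):
    """Fixed-size input: D^-1/2 (A + I) D^-1/2 plus one-hot node types.
    Graphs larger than max_nodes are truncated, smaller ones zero-padded."""
    n = min(len(nodes), max_nodes)
    a = [[0.0] * max_nodes for _ in range(max_nodes)]
    for (i, j), e in edges.items():
        if i < n and j < n and i != j:
            a[i][j] += e["count"]
            a[j][i] += e["count"]
    for i in range(n):
        a[i][i] = 1.0  # self-loop, real nodes only
    deg = [sum(row) for row in a]
    a_hat = [[a[i][j] / math.sqrt(deg[i] * deg[j]) if a[i][j] else 0.0
              for j in range(max_nodes)] for i in range(max_nodes)]
    feats = [[1.0 if i < n and nodes[i][0] == t else 0.0 for t in NODE_TYPES]
             for i in range(max_nodes)]
    return a_hat, feats


def aggregate(a_hat, feats):
    """One weight-free spatial convolution step: each node mixes in the
    features of its neighbours (a_hat @ feats)."""
    return [[sum(a_hat[i][k] * feats[k][c] for k in range(len(feats)))
             for c in range(len(feats[0]))] for i in range(len(a_hat))]


def graph_to_vector(event_set, max_nodes=MAX_NODES):
    """Event set -> flat standard vector (adjacency first, then node features)."""
    a_hat, feats = normalize(*build_graph(event_set), max_nodes=max_nodes)
    return [v for row in a_hat for v in row] + [v for row in feats for v in row]


if __name__ == "__main__":
    for pid, event_set in sorted(serialize(RAW_EVENTS).items()):
        print(pid, len(graph_to_vector(event_set)))
```

Every process yields a vector of the same length regardless of how many objects it touched, which is what allows a single trained model to score all of them.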
Fig. 2 shows the training module of the malicious behavior identification method according to the present invention, which includes a sample division unit, a model training unit, a model testing unit, a model adjustment unit, and an output model parameter unit.
According to the sample division strategy, the sample division unit divides the vector set into a training set and a test set using the hold-out method, K-fold cross-validation, and the bootstrap method, and sends them to the model training unit and the model testing unit respectively.
The model training unit trains the parameters of the graph convolution model on the input training set and its labels, using squared error, cross-entropy and hinge loss functions and the stochastic gradient descent optimization method; once the parameters have converged they are sent to the model testing unit. The process model and the network session model are trained separately.
The model test unit receives the test set and the model parameters, predicts on the model using the vectors of the training set, compares the predictions with the test set labels, and observes the generalization performance of the model on the test set by computing metrics such as accuracy, recall, and F-score.
If the generalization performance of the model on the test set meets expectations, the model parameters are fixed and output; if it does not, the hyper-parameters of the model are adjusted in the model adjustment unit and the model parameters are trained again in the model training unit.
The graph convolution network module is implemented using a 22-layer GoogLeNet; Fig. 3 shows the Inception structure and the two-layer fully connected structure in GoogLeNet.
The Inception structure uses convolution kernels of different sizes to match receptive fields of different sizes and fuses features of different scales.
The two fully connected layers are used for classification.
Fig. 4 shows two implementation processes of the malicious behavior recognition method according to the present invention.
First, in the training process, a large labeled event training set is input into the graph conversion module and converted into a standard vector set, which is input into the training module to compute the model parameters; the model parameters are then input into the graph convolution network module and the model is fixed. The model is generally not retrained unless the application environment changes substantially or retraining is otherwise deemed necessary. Separate model parameters are trained for host processes and for network sessions.
The identification process follows. Data to be identified for host processes/network sessions, collected from the production environment, are input into the graph conversion module and converted into a standard vector set, which is input into the graph convolution network module to compute and output an identification result. The identification result is a binary 0 or 1 that marks normal/malicious behavior.
Detailed Description
The application of the present invention is illustrated using an Ethernet environment.
Fig. 5 shows the deployment of the convolution model gateway in the malicious behavior identification method according to the present invention.
1. First, a host process model and a network session model are trained using the training process of the convolution model in the malicious behavior identification method, and the models are deployed on a gateway device.
2. Client software is deployed on each host that needs protection in the Ethernet environment; it collects host process behaviors and reports them to the model device.
3. The gateway device hosting the model is deployed in the Ethernet environment. It receives the host process information reported by the clients and, at the same time, monitors traffic in the Ethernet via route mirroring or policy routing to collect network session information.
4. The collected host process/network session information is sent to the model gateway device for prediction. If a host process is predicted to be malicious, the model gateway device notifies the host client to block the process; if a network session is predicted to be malicious, the model gateway device blocks the session, thereby achieving protection.
Drawings
Fig. 1 is a schematic diagram of the graph conversion module of the malicious behavior identification method according to the present invention.
Fig. 2 is a schematic diagram of the training module of the malicious behavior identification method according to the present invention.
Fig. 3 is a schematic diagram of the Inception structure and the two fully connected layers in the graph convolution network module of the malicious behavior identification method according to the present invention.
Fig. 4 is a schematic diagram of the two implementation processes of the malicious behavior identification method according to the present invention.
Fig. 5 is a schematic diagram of the deployment of the convolution model gateway of the malicious behavior identification method according to the present invention.

Claims (8)

1. A machine learning-based method for identifying malicious behaviors of an information system, which is based on host process behaviors and network layer session behaviors and identifies malicious behaviors in progress through graph convolution network technology; the system comprises a graph conversion module, a training module and a graph convolution network module, wherein:
A. the graph conversion module completes the conversion from host process/network session events to the standard vector set;
B. the training module completes the training calculation of the graph convolution network model parameters;
C. the graph convolution network module completes the convolution calculation on the standard vector set and outputs a judgment result.
2. The method for identifying malicious behaviors of information system based on machine learning according to claim 1, wherein the graph transformation module comprises an acquisition unit, a serialization unit, a graph construction unit and a graph normalization unit, wherein:
A. the acquisition unit acquires the operation behavior of host processes and network session behavior in real time and performs data cleaning;
B. the serialization unit performs serialization separately per host process/network session, so that a single process/network session forms an event set on a timeline;
C. the graph construction unit abstracts the event set into a topological graph;
D. the graph normalization unit converts the topological graph into a standard vector set and outputs the standard vector set to the graph convolution network model.
3. The method for identifying malicious behaviors of information system based on machine learning according to claim 2, wherein the collecting unit collects the following information on the host:
A. host process registry operations collected in real time, such as key and value creation, enumeration, querying and deletion;
B. host process file system operations collected in real time, including creating, opening, reading, writing, closing and deleting files on local storage and remote file systems, and creating and deleting directories;
C. host process network operations collected in real time, including UDP and TCP network activities, with process names, process IDs, source/destination addresses, port numbers, the corresponding connections and disconnections, and the number and byte counts of send/receive operations;
D. host process operations collected in real time, including a parent process creating a child process, process startup, thread creation, thread exit, process exit, and loading an executable image into the address space of the process;
E. host process summaries collected in real time, including total kernel and user time, memory usage and the number of context switches since the last summary event.
4. The method for identifying malicious behaviors of information system based on machine learning according to claim 2, wherein the network session operation behaviors collected by the collecting unit in real time include source/destination IP address, source/destination port number, number of bytes sent/received, number of messages sent/received, sending/receiving rate, session duration and protocol.
5. The method for identifying malicious behaviors of information system based on machine learning according to claim 2, wherein the serialization unit forms an event set by a time serialization method after receiving the behavior information sent by the acquisition unit, and sends the event set to the graph construction unit.
6. The method for identifying malicious behaviors of information systems based on machine learning according to claim 2, wherein the graph constructing unit receives the event set matrix, abstracts the events into a topological graph formed by points and edges, uses each related process, file, registry key, IP address and session as the points of the topological graph, uses the operation type, time length, CPU occupancy, memory occupancy, protocol type, byte number, message number and rate as the edges of the topological graph, describes the migration relationship of the event states, and sends the migration relationship into the graph normalizing unit.
7. The method for identifying malicious behaviors of information system based on machine learning according to claim 2, wherein the graph normalization unit normalizes the topological graph, converts the topological graph into a standard vector, and inputs the standard vector into the graph convolution network module for prediction.
8. The method according to claim 1, wherein the training process is carried out before the identification process and is composed of the graph conversion module and the training module: a large labeled event training set is input into the graph conversion module and converted into a standard vector set, the standard vector set is input into the training module to compute model parameters, and the model parameters are input into the graph convolution network module to fix the model; the identification process is composed of the graph conversion module and the graph convolution network module: data to be identified for host processes/network sessions collected from the production environment are input into the graph conversion module and converted into a standard vector set, which is input into the graph convolution network module to compute and output an identification result, the identification result being a binary 0 or 1 that marks normal/malicious behavior.
CN201811365402.6A 2018-11-16 2018-11-16 Machine learning-based identification method for malicious behaviors of information system Active CN111200575B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811365402.6A CN111200575B (en) 2018-11-16 2018-11-16 Machine learning-based identification method for malicious behaviors of information system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811365402.6A CN111200575B (en) 2018-11-16 2018-11-16 Machine learning-based identification method for malicious behaviors of information system

Publications (2)

Publication Number Publication Date
CN111200575A true CN111200575A (en) 2020-05-26
CN111200575B CN111200575B (en) 2023-12-01

Family

ID=70747305

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811365402.6A Active CN111200575B (en) 2018-11-16 2018-11-16 Machine learning-based identification method for malicious behaviors of information system

Country Status (1)

Country Link
CN (1) CN111200575B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150172302A1 (en) * 2013-12-13 2015-06-18 Vahna, Inc. Interface for analysis of malicious activity on a network
CN107682216A (en) * 2017-09-01 2018-02-09 南京南瑞集团公司 A kind of network traffics protocol recognition method based on deep learning
CN108090356A (en) * 2017-12-08 2018-05-29 湖南大学 A kind of malicious file detection method based on image texture and BP neural network

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4184875A4 (en) * 2020-07-15 2023-12-27 Panasonic Intellectual Property Corporation of America Communication monitoring method and communication monitoring system
CN112104602A (en) * 2020-08-04 2020-12-18 广东工业大学 Network intrusion detection method based on CNN transfer learning
CN112383516A (en) * 2020-10-29 2021-02-19 博雅正链(北京)科技有限公司 Graph neural network construction method and abnormal flow detection method based on graph neural network
WO2022088972A1 (en) * 2020-10-30 2022-05-05 广州大学 Malicious behavior identification method and system for weighted heterogeneous graph, and storage medium
CN112883995A (en) * 2020-12-30 2021-06-01 华北电力大学 Method and device for identifying malicious behaviors of closed-source power engineering control system based on ensemble learning
CN113992349A (en) * 2021-09-23 2022-01-28 云南财经大学 Malicious traffic identification method, device, equipment and storage medium
CN113992349B (en) * 2021-09-23 2023-05-19 云南财经大学 Malicious traffic identification method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN111200575B (en) 2023-12-01

Similar Documents

Publication Publication Date Title
CN111200575B (en) Machine learning-based identification method for malicious behaviors of information system
US20210273949A1 (en) Treating Data Flows Differently Based on Level of Interest
Cabaj et al. Using software-defined networking for ransomware mitigation: the case of cryptowall
Peddabachigari et al. Intrusion detection systems using decision trees and support vector machines
Fan et al. An improved network security situation assessment approach in software defined networks
US11277430B2 (en) System and method for securing a network
Chandran et al. An efficient classification model for detecting advanced persistent threat
Asif et al. Network intrusion detection and its strategic importance
Dutta et al. Generative adversarial networks in security: A survey
Fu et al. Encrypted malware traffic detection via graph-based network analysis
Möller et al. Challenges for vehicular cybersecurity
Mathane et al. Predictive analysis of ransomware attacks using context-aware AI in IoT systems
Momand et al. A systematic and comprehensive survey of recent advances in intrusion detection systems using machine learning: deep learning, datasets, and attack taxonomy
Al-Hawawreh et al. Securing the Industrial Internet of Things against ransomware attacks: A comprehensive analysis of the emerging threat landscape and detection mechanisms
Park et al. Ransomware-based cyber attacks: A comprehensive survey
WO2019186535A1 (en) Bio-inspired agile cyber-security assurance framework
Vatsyayan et al. A detailed investigation of popular attacks on cyber physical systems
Hsiao et al. Cross-level behavioral analysis for robust early intrusion detection
Shanmugam Novel attack detection using fuzzy logic and data mining
Vähäkainu et al. Cyberattacks Against Critical Infrastructure Facilities and Corresponding Countermeasures
CN112637217B (en) Active defense method and device of cloud computing system based on bait generation
Ramos et al. A Machine Learning Based Approach to Detect Stealthy Cobalt Strike C &C Activities from Encrypted Network Traffic
He et al. Liuer Mihou: A Practical Framework for Generating and Evaluating Grey-box Adversarial Attacks against NIDS
Mihanjo et al. Isolation of DDoS Attacks and Flash Events in Internet Traffic Using Deep Learning Techniques
Gauhar Fatima et al. A Study on Intrusion Detection

Legal Events

Date Code Title Description
PB01 Publication
TA01 Transfer of patent application right

Effective date of registration: 20200515

Address after: 215123 5th floor, golden house building, 280 Dongping street, Suzhou Industrial Park, Jiangsu Province

Applicant after: Hui shield information security technology (Suzhou) Limited by Share Ltd.

Address before: 215000 5 / F, golden house building, No. 280, Dongping street, Suzhou Industrial Park, Jiangsu Province

Applicant before: Hui shield information security technology (Suzhou) Limited by Share Ltd.

Applicant before: Liu Xingpeng

Applicant before: Wang Xiaobo

SE01 Entry into force of request for substantive examination
GR01 Patent grant