CN111224933A - Method for simulating embezzlement sensitive data perception latent APT attack - Google Patents

Method for simulating embezzlement sensitive data perception latent APT attack

Info

Publication number: CN111224933A
Authority: CN (China)
Prior art keywords: sequence, data, latent, real, apt
Legal status: Granted
Application number: CN201911020563.6A
Other languages: Chinese (zh)
Other versions: CN111224933B (en)
Inventors: 陈涵, 王真, 王睿, 赵洪华, 朱卫星, 付印金
Current assignee: Army Engineering University of PLA
Original assignee: Army Engineering University of PLA
Priority date: 2019-10-25
Filing date: 2019-10-25
Publication date: 2020-06-02

Events
Application filed by Army Engineering University of PLA (2019-10-25)
Priority to CN201911020563.6A (2019-10-25)
Publication of CN111224933A (2020-06-02)
Application granted
Publication of CN111224933B (2022-04-08)
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention discloses a method for sensing a latent APT attack by simulating the theft of sensitive data, comprising the following steps: building a data model and generating, from the system log, a characteristic sequence A = [a1, a2, ..., ai, ..., an], where ai is the ith sequence; analysing data traffic fluctuation to generate a traffic sequence B = [b1, b2, ..., bi, ..., bn], where bi is the ith sequence; matching the characteristic sequence with the traffic sequence to generate a normal sequence library; releasing a virus that simulates data theft to obtain a virus characteristic diagram, and monitoring the real-time sequence of the system; and calculating the relative difference degree between the real-time sequence and the normal sequence and comparing it with a threshold to judge whether a latent APT exists in the system. The advantage of the invention is that a virus is released to simulate the theft of sensitive data, the real-time characteristic sequence of the system is then matched against the normal characteristic sequence, the relative difference degree is calculated and compared with a threshold, and it is thereby sensed whether a latent APT attack aimed at stealing data may exist in the system, which improves the sensitivity and accuracy with which latent APTs in the system are detected.

Description

Method for simulating embezzlement sensitive data perception latent APT attack
Technical Field
The invention relates to the technical field of computer network security, in particular to a method for sensing an advanced persistent threat (APT) attack by simulating the theft of sensitive data.
Background Art
APT does not refer to a particular virus; rather, it refers to hackers using advanced means to conduct long-term, persistent cyber attacks on targets, usually high-value businesses, government agencies and sensitive information. After the PRISM incident broke, China was identified as one of the major countries suffering from network attacks. According to the research report "2017 China Advanced Persistent Threat (APT)" issued by the 360 Threat Intelligence Center, as of the end of December 2017 the center had cumulatively monitored 38 APT organisations inside and outside the country attacking targets in China; the attack actions these organisations initiated over the whole of 2017 affected more than ten thousand computers in China, the attack range extended over 31 provincial administrative regions, and government organisations made up 50% of the attack targets, so APT seriously threatens the information security of important national organisations. In addition, the high-level network operational principles of the U.S. Department of Defense explicitly point out that detection of and defence against APT attack behaviour is a crucial part of the overall risk-management chain. In recent years, advanced persistent threat attack events have appeared continuously. Their notable characteristic is persistence, usually lasting for years; specifically, various attack means are continuously sought, long-term hibernation follows a slow penetration of the internal network, privileges are continuously escalated within the network, and various information is continuously collected until important information is obtained.
Because an APT is hidden and can lie dormant in a computer system for years without being perceived, traditional intrusion-detection methods such as firewalls and IDS products can hardly detect a latent APT. The final target of an APT attack is valuable data, and the network and system are not damaged; the current models and algorithms for sensing and detecting APT attacks generally suffer from low sensitivity, cannot match data according to environmental characteristics, and make the extraction of characteristic values difficult.
Disclosure of Invention
In order to improve the sensing accuracy and sensitivity of existing APT detection methods, the invention provides a method for sensing a latent APT attack by simulating the theft of sensitive data, which judges whether an APT attack exists by simulating the reaction of the system after its sensitive data is stolen.
The technical scheme that achieves the purpose of the invention is as follows: a method for sensing a latent APT attack by simulating the theft of sensitive data, comprising the following steps:
1) establishing a data environment consisting of second-order arrays generated from random arrays, performing labelled compilation of the data sources in the data environment into a sequence A = [a1, a2, ..., ai, ..., an], where ai is the ith sequence, using the system log to restore, extract and screen the tagged sequence A = [a1, a2, ..., ai, ..., an], and performing data annotation based on a neural-network attribute-value extraction method to generate the characteristic sequence A and form the data model;
2) setting a plurality of data-source sending targets, establishing data channels with the data sources in the data environment, compiling a code for each channel, and serialising all code records to form a data set B = [b1, b2, ..., bi, ..., bn], where bi is the ith sequence; analysing data traffic fluctuation with a traffic analyser and KTAM to generate the traffic sequence B;
3) performing combined calculation on sequence A and sequence B and matching them: finding the characteristic values common to sequence A and sequence B with the TF-IDF algorithm, generating a characteristic vector for each of sequence A and sequence B, calculating the cosine similarity of the two characteristic vectors (the larger the value, the more similar they are), sorting by the size of the cosine value to obtain the AB combined characteristic library, and taking the AB combined characteristic library as the normal sequence library of the system;
4) each vector datum carries a timestamp; the release time of the data-stealing virus is added to the calculation as a timestamp variable, a specific time vector is formed from the timestamps at a sampling rate of 100 Hz to obtain the virus characteristic time-sequence group diagram, and at the same time the real-time sequence of the system is monitored;
5) calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging from the difference whether a latent APT may exist in the system.
Compared with the prior art, the invention has the notable advantage that, by releasing a virus to simulate the theft of sensitive data, matching the real-time characteristic sequence of the system against the normal characteristic sequence, calculating the relative difference degree and comparing it with a threshold, it senses whether a latent APT attack aimed at stealing data may exist in the system, and so improves the sensitivity and accuracy of detecting a latent APT in the system.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The invention discloses a method for sensing a latent APT attack by simulating the theft of sensitive data, comprising the following steps:
1) establishing a data environment, building a data model, performing labelled compilation of the data sources into a sequence A = [a1, a2, ..., ai, ..., an], where ai is the ith sequence, and using the system log to restore, extract and screen it to generate the characteristic sequence A;
2) setting several data-source sending targets, establishing data channels with the data sources in the data environment, making one code for each channel, recording all codes as the data set B = [b1, b2, ..., bi, ..., bn], where bi is the ith sequence, and analysing data traffic fluctuation with a traffic analyser to generate the traffic sequence B;
3) combining and calculating sequence A and sequence B, then matching, summarising and classifying to obtain the AB combined feature library, which is taken as the normal sequence library of the system;
4) adding the release time of the data-stealing virus to the calculation as a variable to obtain the virus characteristic group diagram, and monitoring the real-time sequence of the system;
5) calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging from the difference whether a latent APT may exist in the system.
Further, in step 5), let the number of system-call sequences of a real-time process be f(t) (t = 1, 2, ...), and let the sliding-window width be w real-time sequences. If f(t) ≥ w, then by the sliding-window method f(t) − w + 1 short sequences of width w can be formed; these short sequences are denoted {a_iu} (i = 1, 2, ..., f(t) − w + 1; u = 1, 2, ..., w). The normal sequence library is N, and any normal sequence in it is {b_ju} (j = 1, 2, ..., n; u = 1, 2, ..., w).
In practice, noise data cannot be excluded, so the difference degrees of the real-time sequences are windowed and noise-filtered. Let the window width be L; the difference degree between the real-time sequence and the normal sequence library is then:
[Equation image BDA0002247067260000031: the windowed difference degree D({a_iu}, N); the formula itself is not reproduced in the text]
where Diff({a_iu}, N) is the difference degree between {a_iu} and the normal sequence library N, calculated as Diff({a_iu}, N) = min{Diff({a_iu}, {b_ju})}, in which Diff({a_iu}, {b_ju}) is the difference degree between {a_iu} and {b_ju}; L is the window width and L ≥ w.
By analysing a large number of samples, the threshold τ for the difference degree between the real-time sequence and the normal sequence can be calculated. If D({a_iu}, N) ≥ τ, the real-time sequence is abnormal, the system has made a defensive response, and no latent APT exists in the system; if D({a_iu}, N) < τ, the real-time sequence is normal, the system has not responded significantly, and a latent APT may exist in the system.
At present, in the field of intrusion detection, traditional enterprises use various network security protection systems, including software and hardware firewalls, IDS, IPS and log management, but these detection means cannot effectively detect and defend against latent APTs.
The invention senses whether a latent APT exists in the system by extracting and modelling the system log and matching it with the traffic sequence after the virus is released.
The invention is further described below with reference to the accompanying drawings.
1) Establishing a data environment consisting of second-order arrays generated from random arrays, performing labelled compilation of the data sources in the data environment into a sequence A = [a1, a2, ..., ai, ..., an], where ai is the ith sequence, using the system log to restore, extract and screen the tagged sequence A = [a1, a2, ..., ai, ..., an], and performing data annotation based on a neural-network attribute-value extraction method to generate the characteristic sequence A and form the data model.
2) Setting a plurality of data-source sending targets, establishing data channels with the data sources in the data environment, compiling a code for each channel, and serialising all code records to form a data set B = [b1, b2, ..., bi, ..., bn], where bi is the ith sequence; generating the traffic sequence B with a traffic analyser that uses the KTAM analysis method to analyse data traffic fluctuation, where the data traffic fluctuation comprises characteristic data such as traffic rate, link utilisation, protocol distribution at different protocol layers and packet size;
3) performing combined calculation on sequence A and sequence B and matching them: finding the characteristic values common to sequence A and sequence B with the TF-IDF algorithm, generating a characteristic vector for each of sequence A and sequence B, calculating the cosine similarity of the two characteristic vectors (the larger the value, the more similar they are), sorting by the size of the cosine value to obtain the AB combined characteristic library, and taking the AB combined characteristic library as the normal sequence library of the system;
4) each vector datum carries a timestamp; the release time of the data-stealing virus is added to the calculation as a timestamp, where the timestamp comprises metadata attributes describing a timetable, the row time of the timetable and the variables of the row time; a specific time vector formed from the timestamps is used to obtain the virus characteristic time-sequence group diagram, and the real-time sequence of the system is monitored;
5) calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging from the difference whether a latent APT may exist in the system.
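The TF-IDF weighting and cosine-similarity matching of step 3), as an added example that is not part of the patent. The patent names the two algorithms but none of their parameters, so the token bags standing in for the entries of sequences A and B, the smoothed IDF variant computed over the pooled A and B entries, and the representation of the AB combined library as cosine-ranked pairs with their shared tokens are all assumptions of this example.

```python
"""Added example (not from the patent): step 3, matching the log-derived
sequence A against the traffic-derived sequence B with TF-IDF weighting and
cosine similarity, then ranking the pairs to form the AB combined feature
library that the method uses as the normal sequence library."""
import math
from collections import Counter

# Constructed sample data: each entry of A is a bag of tokens taken from
# system-log events, each entry of B a bag of tokens from one traffic channel.
SEQUENCE_A = [
    ["open", "read", "close", "write", "sendto"],
    ["fork", "execve", "wait4"],
    ["open", "read", "mmap", "close"],
]
SEQUENCE_B = [
    ["sendto", "write", "tcp", "read"],
    ["udp", "dns", "sendto"],
    ["tcp", "http", "read", "open"],
]


def tf_idf_vectors(docs):
    """One {token: weight} vector per document: term frequency times a
    smoothed inverse document frequency (assumed variant: log((1+n)/(1+df)) + 1)."""
    n = len(docs)
    df = Counter()
    for doc in docs:
        df.update(set(doc))
    vectors = []
    for doc in docs:
        tf = Counter(doc)
        vectors.append({
            tok: (count / len(doc)) * (math.log((1 + n) / (1 + df[tok])) + 1)
            for tok, count in tf.items()
        })
    return vectors


def cosine_similarity(u, v):
    """Cosine of the angle between two sparse vectors; 1.0 means the same direction."""
    dot = sum(weight * v.get(tok, 0.0) for tok, weight in u.items())
    norm_u = math.sqrt(sum(x * x for x in u.values()))
    norm_v = math.sqrt(sum(x * x for x in v.values()))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0


def build_ab_library(seq_a, seq_b):
    """Pool A and B so that shared tokens get a common IDF, weight every entry,
    score every (a_i, b_j) pair by cosine similarity and return the pairs
    sorted from most to least similar, each with the tokens it has in common."""
    vectors = tf_idf_vectors(seq_a + seq_b)
    vec_a, vec_b = vectors[:len(seq_a)], vectors[len(seq_a):]
    library = []
    for i, (a_tokens, va) in enumerate(zip(seq_a, vec_a)):
        for j, (b_tokens, vb) in enumerate(zip(seq_b, vec_b)):
            library.append({
                "a_index": i,
                "b_index": j,
                # the "same characteristic values" of the two sequences
                "shared": set(a_tokens) & set(b_tokens),
                "cosine": cosine_similarity(va, vb),
            })
    library.sort(key=lambda entry: entry["cosine"], reverse=True)
    return library


if __name__ == "__main__":
    for entry in build_ab_library(SEQUENCE_A, SEQUENCE_B):
        print(f"A[{entry['a_index']}] ~ B[{entry['b_index']}]: "
              f"cos={entry['cosine']:.3f} shared={sorted(entry['shared'])}")
```

On the constructed data the pair A[0]/B[0], which shares read, write and sendto, ranks first, while the process-management entry A[1] shares nothing with any traffic channel and scores zero against all of them; pairs with a cosine of zero carry no "normal" association and would be dropped from the library in practice.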
Further, in step 5), let the number of system-call sequences of a real-time process be f(t) (t = 1, 2, ...), and let the sliding-window width be w real-time sequences. If f(t) ≥ w, then by the sliding-window method f(t) − w + 1 short sequences of width w can be formed; these short sequences are denoted {a_iu} (i = 1, 2, ..., f(t) − w + 1; u = 1, 2, ..., w). The normal sequence library is N, and any normal sequence in it is {b_ju} (j = 1, 2, ..., n; u = 1, 2, ..., w).
In practice, noise data cannot be excluded, so the difference degree of each real-time sequence is windowed and noise-filtered. Let the window width be L; the difference degree between the real-time sequence and the normal sequence library is then:
[Equation image BDA0002247067260000051: the windowed difference degree D({a_iu}, N); the formula itself is not reproduced in the text]
where Diff({a_iu}, N) is the difference degree between {a_iu} and the normal sequence library N, calculated as Diff({a_iu}, N) = min{Diff({a_iu}, {b_ju})}, in which Diff({a_iu}, {b_ju}) is the difference degree between {a_iu} and {b_ju}; L is the window width and L ≥ w.
Through sample analysis, an adaptive threshold method is used: a neighbourhood window centred on each vector is selected, the maximum and minimum of the vectors in the window are found, and their average is taken as the threshold; alternatively, the average of all vectors in the window, or the Gaussian convolution of all vectors in the window, is taken as the threshold. This yields the threshold τ for the difference degree between the real-time sequence and the normal sequence. If D({a_iu}, N) ≥ τ, the real-time sequence is abnormal, the system has made a defensive response, and no latent APT exists in the system; if D({a_iu}, N) < τ, the real-time sequence is normal, the system has not responded significantly, and a latent APT may exist in the system.
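The sliding-window difference degree, adaptive threshold and decision rule of step 5), as an added example that is not part of the patent and also covers the identical step 5) text in the summary above. The minimum over the library, the midpoint-of-maximum-and-minimum threshold and the two-way decision rule follow the patent; the per-pair metric Diff({a_iu}, {b_ju}) (a normalised Hamming distance), the windowing over L (a moving average, since the patent's formula survives only as an image), the choice of w = 3 and L = 4, and all traces are assumptions. No virus is released: the traces are constructed to stand for what the monitor would observe before and after the stimulus.

```python
"""Added example (not from the patent): step 5, the sliding-window difference
degree between a real-time system-call sequence and the normal sequence
library N, the adaptive threshold tau, and the patent's decision rule."""

W = 3  # width w of each short sequence (constructed choice)
L = 4  # smoothing window width L, with L >= w (constructed choice)

# Constructed clean trace from which the normal sequence library N is built.
NORMAL_TRACE = ["open", "read", "read", "write", "close"] * 4
# Constructed reference trace with a clear defensive reaction; used only to
# calibrate the threshold together with the clean trace.
DEFENDED_REFERENCE = ["open", "read", "stat", "kill", "unlink",
                      "socket", "connect", "sendto"] * 3
# Constructed real-time traces observed after the simulated-theft stimulus.
REALTIME_REACTING = ["open", "read", "read", "write", "close",
                     "getpid", "kill", "unlink"] * 3
REALTIME_QUIET = ["open", "read", "read", "write", "close"] * 4


def short_sequences(calls, w=W):
    """Sliding window: the f(t)-w+1 overlapping short sequences {a_iu} of width w."""
    if len(calls) < w:
        return []
    return [tuple(calls[i:i + w]) for i in range(len(calls) - w + 1)]


def build_normal_library(trace, w=W):
    """Normal sequence library N: the distinct short sequences {b_ju} of a clean trace."""
    return set(short_sequences(trace, w))


def pair_difference(a, b):
    """Diff({a_iu},{b_ju}), assumed here to be the normalised Hamming distance
    (fraction of mismatched positions); the patent does not fix this metric."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def library_difference(a, library):
    """Diff({a_iu}, N) = min_j Diff({a_iu}, {b_ju}), as the patent states."""
    return min(pair_difference(a, b) for b in library)


def windowed_difference(trace, library, w=W, window=L):
    """D({a_iu}, N): per-short-sequence differences smoothed over L consecutive
    values by a moving average (assumed form of the windowing). One value per
    window position; a trace shorter than L windows yields a single average."""
    diffs = [library_difference(s, library) for s in short_sequences(trace, w)]
    if not diffs:
        return []
    if len(diffs) < window:
        return [sum(diffs) / len(diffs)]
    return [sum(diffs[k:k + window]) / window for k in range(len(diffs) - window + 1)]


def calibrate_threshold(sample_values):
    """Adaptive threshold tau: midpoint of the maximum and minimum of the sampled
    difference values (the first of the three options the patent lists)."""
    return (max(sample_values) + min(sample_values)) / 2


def judge(d, tau):
    """The patent's decision rule applied to one difference value."""
    if d >= tau:
        return "abnormal: defensive response observed, no latent APT"
    return "normal: no significant response, latent APT possible"


def assess(trace, library, tau, w=W, window=L):
    """Apply the rule to the strongest reaction seen anywhere in the trace."""
    values = windowed_difference(trace, library, w, window)
    d_max = max(values) if values else 0.0
    return {"max_difference": d_max, "verdict": judge(d_max, tau)}


def run_demo():
    """Build N, calibrate tau on the two reference traces, assess both observations."""
    library = build_normal_library(NORMAL_TRACE)
    samples = (windowed_difference(NORMAL_TRACE, library)
               + windowed_difference(DEFENDED_REFERENCE, library))
    tau = calibrate_threshold(samples)
    return tau, assess(REALTIME_REACTING, library, tau), assess(REALTIME_QUIET, library, tau)


if __name__ == "__main__":
    tau, reacting, quiet = run_demo()
    print(f"tau = {tau:.3f}")
    print("reacting trace:", reacting)
    print("quiet trace:   ", quiet)
```

Note what the rule does on these inputs: the trace that starts issuing calls absent from the library (kill, unlink, getpid) reaches a windowed difference of 2/3 and is classed as a defensive response, while the trace that stays indistinguishable from baseline is the one the patent flags as possibly harbouring a latent APT. A deployment would therefore keep the calibration samples and the library separate from the traces under assessment, as done here, or the threshold would drift with the very behaviour being judged.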
At present, in the field of machine learning, the technology for extracting characteristics from system logs and network traffic is gradually maturing. The method obtains the real-time sequence characteristics of a system with the sliding-window method, matches them against a normal-behaviour characteristic library and calculates the relative difference between them, so the sensitivity of detecting an unknown latent APT is improved.
According to the invention, after the virus simulating data theft is released, whether a latent APT exists is judged by comparing the virus characteristic diagram with the characteristic sequence of an uninfected computer, so the accuracy of detecting an unknown latent APT is improved and the sensing accuracy and sensitivity of the intrusion-detection platform are improved.

Claims (4)

1. A method for sensing a latent APT attack by simulating the theft of sensitive data, comprising the following steps:
1) establishing a data environment consisting of second-order arrays generated from random arrays, performing labelled compilation of the data sources in the data environment into a sequence A = [a1, a2, ..., ai, ..., an], where ai is the ith sequence, using the system log to restore, extract and screen the tagged sequence A = [a1, a2, ..., ai, ..., an], and performing data annotation based on a neural-network attribute-value extraction method to generate the characteristic sequence A and form the data model;
2) setting a plurality of data-source sending targets, establishing data channels with the data sources in the data environment, compiling a code for each channel, and serialising all code records to form a data set B = [b1, b2, ..., bi, ..., bn], where bi is the ith sequence; analysing data traffic fluctuation with a traffic analyser and KTAM to generate the traffic sequence B;
3) performing combined calculation on sequence A and sequence B and matching them: finding the characteristic values common to sequence A and sequence B with the TF-IDF algorithm, generating a characteristic vector for each of sequence A and sequence B, calculating the cosine similarity of the two characteristic vectors (the larger the value, the more similar they are), sorting by the size of the cosine value to obtain the AB combined characteristic library, and taking the AB combined characteristic library as the normal sequence library of the system;
4) each vector datum carries a timestamp; the release time of the data-stealing virus is added to the calculation as a timestamp variable, a specific time vector is formed from the timestamps at a sampling rate of 100 Hz to obtain the virus characteristic time-sequence group diagram, and at the same time the real-time sequence of the system is monitored;
5) calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging from the difference whether a latent APT may exist in the system.
2. The method for sensing a latent APT attack by simulating the theft of sensitive data according to claim 1, wherein: in step 2), KTAM is used to analyse data traffic fluctuation, the data traffic fluctuation comprising traffic rate, link utilisation, protocol distribution at different protocol layers and packet size.
3. The method for sensing a latent APT attack by simulating the theft of sensitive data according to claim 1, wherein: the timestamp in step 4) contains metadata attributes describing the timetable, its row time and its variables.
4. The method for sensing a latent APT attack by simulating the theft of sensitive data according to claim 1, wherein: in step 5), the number of system-call sequences of a real-time process is set to f(t) (t = 1, 2, ...) and the sliding-window width to w real-time sequences; if f(t) ≥ w, f(t) − w + 1 short sequences of width w are formed by the sliding-window method and denoted {a_iu} (i = 1, 2, ..., f(t) − w + 1; u = 1, 2, ..., w); N is the normal sequence library, in which any normal sequence is {b_ju} (j = 1, 2, ..., n; u = 1, 2, ..., w);
the difference degree of each real-time sequence is windowed and noise-filtered, the window width is set to L, and the difference degree between the real-time sequence and the normal sequence library is:
[Equation image FDA0002247067250000021: the windowed difference degree D({a_iu}, N); the formula itself is not reproduced in the text]
where Diff({a_iu}, N) is the difference degree between {a_iu} and the normal sequence library N, calculated as Diff({a_iu}, N) = min{Diff({a_iu}, {b_ju})}, in which Diff({a_iu}, {b_ju}) is the difference degree between {a_iu} and {b_ju}; L is the window width and L ≥ w;
through sample analysis, an adaptive threshold method is used: a neighbourhood window centred on each vector is selected, the maximum and minimum of the vectors in the window are found, and their average is taken as the threshold; alternatively, the average of all vectors in the window, or the Gaussian convolution of all vectors in the window, is taken as the threshold; the threshold τ for the difference degree between the real-time sequence and the normal sequence is thus obtained; if D({a_iu}, N) ≥ τ, the real-time sequence is abnormal, the system has made a defensive response, and no latent APT exists in the system; if D({a_iu}, N) < τ, the real-time sequence is normal, the system has not responded significantly, and a latent APT may exist in the system.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201911020563.6A (CN111224933B, en) | 2019-10-25 | 2019-10-25 | Method for simulating embezzlement sensitive data perception latent APT attack | Active

Applications Claiming Priority (1)

The same application, CN201911020563.6A (priority date 2019-10-25, filing date 2019-10-25), claims this priority.

Publications (2)

Publication Number Publication Date
CN111224933A true CN111224933A (en) 2020-06-02
CN111224933B CN111224933B (en) 2022-04-08

Family

ID=70827553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911020563.6A Active CN111224933B (en) 2019-10-25 2019-10-25 Method for simulating embezzlement sensitive data perception latent APT attack

Country Status (1)

Country Link
CN (1) CN111224933B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
EP2942919A1 (en) * | 2014-05-08 | 2015-11-11 | Deutsche Telekom AG | Social network honeypot
CN105262726A (en) * | 2015-09-10 | 2016-01-20 | 中国人民解放军信息工程大学 (PLA Information Engineering University) | APT (Advanced Persistent Threat) attack detection method based on big-data behaviour sequence analysis
CN108076040A (en) * | 2017-10-11 | 2018-05-25 | 北京邮电大学 (Beijing University of Posts and Telecommunications) | An APT attack-scenario mining method based on the kill chain and fuzzy clustering
CN108229153A (en) * | 2016-12-21 | 2018-06-29 | 青岛祥智电子技术有限公司 (Qingdao Xiangzhi Electronic Technology Co., Ltd.) | A method for discriminating advanced persistent threat attacks
CN108768989A (en) * | 2018-05-18 | 2018-11-06 | 刘勇 (Liu Yong) | An APT attack defence method and system using mimic defence technology
CN108875364A (en) * | 2017-12-29 | 2018-11-23 | 北京安天网络安全技术有限公司 (Beijing Antiy Network Security Technology Co., Ltd.) | Threat determination method, device, electronic equipment and storage medium for unknown files
CN110022288A (en) * | 2018-01-10 | 2019-07-16 | 贵州电网有限责任公司遵义供电局 (Zunyi Power Supply Bureau, Guizhou Power Grid Co., Ltd.) | An APT threat identification method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
贾焰等 (Jia Yan et al.): "大规模网络安全态势分析系统YHSAS设计与实现" (Design and implementation of the large-scale network security situation analysis system YHSAS), 《信息技术与网络安全》 (Information Technology and Network Security) *

Also Published As

Publication number Publication date
CN111224933B (en) 2022-04-08

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant