CN111431865A - Network deep threat detection method - Google Patents


Info

Publication number
CN111431865A
Authority
CN
China
Prior art keywords
map
user
sample
vector
threat
Prior art date
Legal status
Granted
Application number
CN202010130894.1A
Other languages
Chinese (zh)
Other versions
CN111431865B (en)
Inventor
任大章
李润恒
梁颖
刘欢
武宇
李玉军
谢敏容
Current Assignee
Sichuan Yilan Situation Technology Co ltd
Original Assignee
Sichuan Yilan Situation Technology Co ltd
Application filed by Sichuan Yilan Situation Technology Co ltd
Priority to CN202010130894.1A
Publication of CN111431865A
Application granted
Publication of CN111431865B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network deep threat detection method belonging to the technical field of artificial intelligence. Whether deep threats exist is judged through the steps of obtaining a deep threat principle, generating a massive sample map, generating a sample vector set, generating a user map, generating a user vector, and so on, and a map found to contain a deep threat is stored into the massive sample map, so that continuous evolution of the detection capability is achieved. The method performs deep threat detection from the perspective of the map and the vector space, is fast and accurate, can achieve autonomous evolution of the detection capability during detection, and helps optimize detection performance while detecting.

Description

Network deep threat detection method
Technical Field
The invention belongs to the technical field of artificial intelligence, and particularly relates to a network deep threat detection method.
Background
With the continuous development and application of modern networks, especially the internet, networks have become part of people's life and work. Meanwhile, network threats from every direction are increasing day by day and appearing in endless variety. How to discover and detect network threats in order to guarantee network security is a question facing every network user, especially network operation and maintenance personnel.
At present, enterprises and public institutions are increasing their investment in network security construction and deploying various types of security devices or systems, such as intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls and antivirus software. However, these conventional security devices based on signature rules can only detect known attacks and have high false negative and false positive rates.
The security operations center (SOC) integrates a large number of logs from security systems, but not only is its data source homogeneous, it also lacks the capability and means to provide accurate analysis, and for security analysts, extracting effective clues from the mass of data is no different from fishing a needle out of the sea. Therefore, the SOC does not act effectively in support of active defense of network security.
The degree of digitization and intelligence of the power grid is continuously improving; at the same time, with the advance of the intelligent era, the power grid is increasingly attacked by computer viruses, logic bombs and trojans from the internet, which greatly increases the difficulty of information security protection and brings new challenges to the development of power information security and smart grids. The acquisition and storage capacity for security data of the power grid information system, the capability to discover and perceive security threats to the information system, the three-dimensional defense-in-depth capability and other aspects all face higher technical and management standardization requirements than the security protection systems of traditional information systems did in the past. Especially with the rapid expansion in quantity, speed and variety of the related security intelligence data, the fusion, storage, management and utilization of massive heterogeneous data pose a significant challenge to traditional security analysis methods.
Because network attack behaviors are usually scattered across many places and an attack is carried out in multiple steps with a certain complexity, the original picture of an attack cannot be fully reconstructed from the log information of a single network security device alone, which severely restricts the ability of network security analysts to assess the running state of the whole network environment and the activity of users.
Disclosure of Invention
In order to solve the problems in the prior art, the invention aims to provide a network deep threat detection method which can perform deep threat analysis from the perspective of a map and a vector space and can be optimized autonomously.
The technical scheme adopted by the invention is as follows:
a network deep threat detection method comprises the following steps:
S1) Obtaining a deep threat principle: a deep threat sample (usually an executable file, exe, or a dynamic link library, dll) is reverse-analyzed using IDA Pro static disassembly and OllyDbg dynamic debugging techniques to obtain the deep threat principle. Deep threat principles can also be obtained by searching the internet for deep-threat-related material such as vendor reports, academic papers and technical articles.
The deep threat principle comprises the attack technique used by the deep threat (CAPEC), the vulnerability number (CVE), the control mode (C&C), the diffusion strategy (attack interval, attack quantity, attack target selection) and the like;
s2) generating a massive sample map:
S21) Different environment parameters are set to generate a large number of simulated environments, where the environment parameters include the number of network nodes, the number of nodes with vulnerabilities, the number of nodes with protection software installed and the like;
S22) According to the deep threat principle of step S1), different attack durations are set and the attack is deduced (simulated) in the different simulation environments, generating a massive sample map (on the order of millions of maps). Each map is composed of nodes and connecting lines: the attackers and targets are the nodes, and the attack behaviors are the connecting lines between the nodes. Theoretically the combinations of environment parameters and attack durations are infinite, so the sample map complete set is also infinite; it is denoted $G$. The massive sample maps actually generated are a subset of it, denoted $G_0$, with
$$G_0 \subset G.$$
S3) generating a set of sample vectors:
S31) The massive sample map $G_0$ generated in step S2) is partitioned into multiple mutually disjoint subsets $H_1, \ldots, H_m$, and the gSpan algorithm is applied to mine the frequent subgraphs of each subset $H_i$ (the size of each subset $H_i$ is scaled according to computing power). The result is written $S = \{s_i\}$, $1 \le i \le n$, where $n$ is the number of frequent subgraphs found; $S$ is called the characteristic subgraph set. A subgraph is a subset of a graph, and a frequent subgraph is a subgraph that appears multiple times across the graph set. A frequent subgraph does not necessarily appear in every graph of the set; it only has to meet the preset (support) threshold;
S32) The top $m$ characteristic subgraphs with the highest occurrence counts in $S$ are taken and recorded as $S_0 = \{s_i\}$, $1 \le i \le m \le n$, where the value of $m$ is determined according to computing capacity. Taking the number of each distinct characteristic subgraph of $S_0$ contained in a map as the components forms a vector space, and mapping the massive sample map $G_0$ into this vector space gives the sample vector subset $X_0$. For example, let the numbers of characteristic subgraphs contained in a certain sample map $g$ be $(x_1, \ldots, x_n)$, where $x_i$ is the number of times $g$ contains the characteristic subgraph $s_i$; $(x_1, \ldots, x_n)$ is viewed as a vector in an $n$-dimensional vector space. Then $G_0$ corresponds to the vector set $X_0$, and $X_0$ is called the sample vector subset. Since
$$G_0 \subset G,$$
$X$ must also exist, with
$$X_0 \subset X,$$
so that the sample map complete set $G$ corresponds to $X$; $X$ is called the sample vector complete set;
S4) Generating a user map: the security logs in the user network (logs of the security protection devices and abnormal-behavior logs) are converted into a map, called the user map, denoted $g_u$. A security log usually contains time, attacker, target, attack behavior, feature code (signature) and other elements; in the map, the attackers and targets are nodes and the attack behaviors are the connecting lines between the nodes;
S5) Generating a user vector: each log corresponds to two nodes and the connecting line between them in the map, and a characteristic subgraph is composed of several nodes and connecting lines, so a characteristic subgraph can be regarded as a log combination pattern (Pattern), and the characteristic subgraph set $S_0 = \{s_i\}$, $1 \le i \le n$, is equivalent to $n$ patterns;
Because the security logs in the user network are generated one after another, after each log is generated only its corresponding nodes and connecting line need to be computed and matched against $S_0$ (pattern matching), which enables real-time stream computation;
The user map $g_u$ is computed to obtain the number of each characteristic subgraph of $S_0 = \{s_i\}$, $1 \le i \le m$, that it contains, i.e. the user vector, denoted $u = (u_1, \ldots, u_n)$, where $u_i$ is the number of times $g_u$ contains $s_i$;
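The pipeline of steps S3 to S5 (mine characteristic subgraphs from the sample maps, embed each map as a vector of subgraph counts, then update the user vector log by log) as an added Python example; it is not code from the patent or its assignee. The sample logs and user logs are constructed, the patterns are labelled edges and two-edge paths mined by support counting (a deliberate simplification standing in for the gSpan frequent-subgraph mining the patent names), and every function and class name is this example's own.

```python
"""Added example (not the patent's code): steps S3-S5 on a toy scale.

Security logs become attack maps (attacker -> target edges labelled with the
attack behaviour); frequent patterns are mined from the sample maps; each map
is embedded as a vector of pattern counts; and a user network's logs are then
matched against the patterns one log at a time.  Assumption: a pattern is a
labelled edge or a two-edge path, mined by counting support across the sample
maps (a simplification standing in for gSpan, which the patent names).
"""
from collections import Counter, defaultdict
from itertools import permutations

MIN_SUPPORT = 2  # a pattern must occur in at least this many sample maps

# Constructed sample logs (time, attacker, target, behaviour); each inner list
# is one simulated environment, i.e. one sample map of step S22.
SAMPLE_LOGS = [
    [(1, "a1", "h1", "scan"), (2, "a1", "h1", "exploit"),
     (3, "h1", "h2", "lateral"), (4, "h1", "c2", "beacon")],
    [(1, "a2", "h3", "scan"), (2, "a2", "h3", "exploit"),
     (3, "h3", "c2", "beacon")],
    [(1, "a3", "h4", "scan"), (2, "h4", "h5", "lateral"),
     (3, "h5", "h6", "lateral")],
]
# Constructed user-network logs (step S4); the last one is a duplicate.
USER_LOGS = [(1, "bob", "srv1", "scan"), (2, "bob", "srv1", "exploit"),
             (3, "srv1", "ext", "beacon"), (3, "srv1", "ext", "beacon")]


def build_graph(logs):
    """Step S4: attackers and targets are nodes, behaviours are labelled edges."""
    return {(src, dst, label) for _, src, dst, label in logs}


def edge_patterns(graph):
    """Count the patterns a map contains: single labelled edges and two-edge
    paths (first edge's target is the second edge's source)."""
    patterns = Counter()
    for _, _, label in graph:
        patterns[("edge", label)] += 1
    for (_, d1, l1), (s2, _, l2) in permutations(graph, 2):
        if d1 == s2:
            patterns[("path", l1, l2)] += 1
    return patterns


def mine_feature_subgraphs(graphs, min_support=MIN_SUPPORT, top_m=None):
    """Steps S31/S32: patterns with support >= min_support form S; the top_m
    by total occurrence form S0, kept in a fixed order to serve as the basis."""
    support, total = Counter(), Counter()
    for g in graphs:
        for pattern, count in edge_patterns(g).items():
            support[pattern] += 1
            total[pattern] += count
    frequent = [p for p in support if support[p] >= min_support]
    frequent.sort(key=lambda p: (-total[p], p))
    return frequent[:top_m] if top_m else frequent


def embed(graph, s0):
    """Step S32: the vector whose i-th component counts s0[i] in the map."""
    patterns = edge_patterns(graph)
    return tuple(patterns[p] for p in s0)


class StreamingUserVector:
    """Step S5: after each log only the new edge and the two-edge paths it
    closes are matched against S0, so g_u is never re-embedded from scratch."""

    def __init__(self, s0):
        self.index = {p: i for i, p in enumerate(s0)}
        self.vector = [0] * len(s0)
        self.edges = set()
        self.out_edges = defaultdict(list)  # src -> [(dst, label)]
        self.in_edges = defaultdict(list)   # dst -> [(src, label)]

    def _hit(self, pattern):
        if pattern in self.index:
            self.vector[self.index[pattern]] += 1

    def add_log(self, log):
        """Ingest one log and return the updated user vector."""
        _, src, dst, label = log
        edge = (src, dst, label)
        if edge in self.edges:           # repeated log: the map is unchanged
            return tuple(self.vector)
        self.edges.add(edge)
        self._hit(("edge", label))
        for _, prev_label in self.in_edges[src]:   # x -> src -> dst
            self._hit(("path", prev_label, label))
        for _, next_label in self.out_edges[dst]:  # src -> dst -> y
            self._hit(("path", label, next_label))
        self.out_edges[src].append((dst, label))
        self.in_edges[dst].append((src, label))
        return tuple(self.vector)


def run_demo(top_m=5):
    """Mine S0 from the sample maps, embed them, then stream the user logs."""
    graphs = [build_graph(logs) for logs in SAMPLE_LOGS]
    s0 = mine_feature_subgraphs(graphs, top_m=top_m)
    sample_vectors = [embed(g, s0) for g in graphs]
    stream = StreamingUserVector(s0)
    user_vectors = [stream.add_log(log) for log in USER_LOGS]
    return s0, sample_vectors, user_vectors


if __name__ == "__main__":
    s0, sample_vectors, user_vectors = run_demo()
    print("S0:", s0)
    print("sample vectors X0:", sample_vectors)
    print("user vector after each log:", user_vectors)
```

Running the script prints S0, the sample vectors X0 and the user vector after each log. The property worth checking is that the vector reached by streaming equals the batch embedding of the whole user map: that equality is what lets step S5 run as a real-time stream computation instead of re-matching the entire map after every log.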
s6) determining whether a deep threat exists.
Since the number of characteristic subgraphs is a natural number, there must exist a hyperplane $y_0 = f_0(x)$ such that for every $x \in X_0$ we have $y \ge y_0$, where $y_0$ is far from the origin and $X_0$ is the sample vector subset. Starting from $y_0$, an offset of 1 is added in each dimension to obtain $y_1$, and so on, giving the hyperplane set $Y = \{y_i\}$, $i \ge 0$. The sample vector coverage rate between two adjacent hyperplanes is computed as (number of sample vectors) / (number of space coordinate points), giving the coverage rate sequence set $R = \{r_i\}$, $i \ge 0$.
Since the sample vector subset $X_0$ is finite, $R = \{r_i\}$ reaches a peak at some $i = k$ and then falls and approaches 0. By common knowledge, the more characteristic subgraphs a user map contains, the greater the probability that it is a deep threat. Therefore the coverage rate sequence before the peak, $R = \{r_i\}$, $i < k$, is fitted to obtain the function $p = p(x)$, i.e. the probability that the vector $x$ belongs to the sample vector complete set $X$, where $p$ approaches 1 as $x$ increases.
Set a threshold $p_0$ and compute the probability $p_u = p(u)$ that the user vector $u$ belongs to the sample vector complete set $X$. When $p_u > p_0$, $u \in X$, and hence $g_u \in G$, i.e. the user map belongs to the sample map complete set and the user network has a deep threat.
When $g_u \in G$, the user map $g_u$ is added to the massive sample map $G_0$ to obtain $G_1$, and the characteristic subgraph set is recalculated. As detection continues, $G_1, \ldots, G_n$ are obtained, and $G_n$ continuously approaches the sample map complete set $G$, thereby realizing continuous evolution of the detection capability.
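Step S6 (hyperplane set, coverage-rate sequence, pre-peak fit, threshold decision and the evolution step) as an added Python example, not code from the patent or its assignee. The sample vector subset X0 is constructed; the hyperplane family, the lattice-point count used as the "space coordinate quantity", and the least-squares line used as the fitting function are this example's assumptions, since the patent fixes none of them. Exact fractions are used so the coverage rates and probabilities can be read off without rounding.

```python
"""Added example (not the patent's code): step S6 on a constructed X0.

Assumptions, since the patent fixes none of them:
  * hyperplane y_i is x_1 + ... + x_n = y0 + i, with y0 the smallest
    coordinate sum over X0 (so every sample vector lies on or above y_0);
  * the "space coordinate quantity" between adjacent hyperplanes is the number
    of non-negative integer lattice points on level y0 + i, C(y0+i+n-1, n-1);
  * the pre-peak ratios r_i / r_k are fitted by a least-squares line, clamped
    to [0, 1]; p = 1 at or beyond the peak and p = 0 below y0.
"""
from collections import Counter
from fractions import Fraction
from math import comb

# Constructed sample vector subset X0 (two pattern-count dimensions).
X0 = [(1, 0),
      (1, 1), (2, 0),
      (2, 1), (1, 2), (3, 0),
      (4, 0), (3, 1), (2, 2), (1, 3), (0, 4),
      (4, 1), (3, 2),
      (5, 1)]


def level(x):
    """Coordinate sum: x lies on the hyperplane x_1 + ... + x_n = level(x)."""
    return sum(x)


def coverage_sequence(vectors):
    """S61/S62: returns (y0, [r_0, r_1, ...]), r_i being the share of lattice
    points on level y0 + i that are occupied by a sample vector."""
    n = len(vectors[0])
    counts = Counter(level(x) for x in vectors)
    y0 = min(counts)
    r = []
    for lvl in range(y0, max(counts) + 1):
        lattice_points = comb(lvl + n - 1, n - 1)
        r.append(Fraction(counts.get(lvl, 0), lattice_points))
    return y0, r


def peak_index(r):
    """S63: index k of the (first) maximum of the coverage sequence."""
    return max(range(len(r)), key=lambda i: (r[i], -i))


def fit_probability(vectors):
    """S63: fit (i, r_i / r_k) for i < k and return p(x), the estimated
    probability that a vector x belongs to the sample vector complete set X."""
    y0, r = coverage_sequence(vectors)
    k = peak_index(r)
    pts = [(Fraction(i), r[i] / r[k]) for i in range(k)] or [(Fraction(0), Fraction(1))]
    xm = sum(px for px, _ in pts) / len(pts)
    ym = sum(py for _, py in pts) / len(pts)
    sxx = sum((px - xm) ** 2 for px, _ in pts)
    slope = sum((px - xm) * (py - ym) for px, py in pts) / sxx if sxx else Fraction(0)
    intercept = ym - slope * xm

    def p(x):
        i = level(x) - y0
        if i < 0:          # below y_0: outside the region where samples live
            return Fraction(0)
        if i >= k:         # at or beyond the peak: treated as fully covered
            return Fraction(1)
        return min(max(intercept + slope * i, Fraction(0)), Fraction(1))
    return p


def detect(vectors, u, p0):
    """S64/S65: deep threat when p(u) > p0. Returns (is_threat, p_u)."""
    p_u = fit_probability(vectors)(u)
    return p_u > p0, p_u


def evolve(vectors, u):
    """Evolution step: a user vector judged a deep threat joins the sample set
    (G0 -> G1).  The patent then recomputes the characteristic subgraphs; at the
    vector level shown here the coverage sequence is simply recomputed."""
    return list(vectors) + [tuple(u)]


if __name__ == "__main__":
    y0, r = coverage_sequence(X0)
    print("y0 =", y0, " R =", [str(v) for v in r], " peak k =", peak_index(r))
    for u in [(0, 0), (1, 1), (3, 2)]:
        print(u, detect(X0, u, Fraction(7, 10)))
    X1 = evolve(X0, (3, 2))
    print("after evolution R =", [str(v) for v in coverage_sequence(X1)[1]])
```

With the constructed X0 the coverage sequence rises 1/2, 2/3, 3/4, peaks at 1 (k = 3) and then falls, so the fitted line covers three pre-peak levels; a user vector on a level at or beyond the peak is assigned p = 1 and, with p0 = 0.7, is judged a deep threat, while one on the second level receives p = 23/36 and is not. After the threat vector joins the sample set the coverage on its level rises, which is the evolution effect the passage describes.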
Further, the deep threat principle comprises any one or more of the attack technique used by the deep threat, the vulnerability number, the control mode and the diffusion strategy.
Furthermore, the environment parameters comprise the number of network nodes, the number of nodes with vulnerabilities and the number of nodes with protection software.
Further, the security log includes time, attacker, target, attack behavior, signature.
Further, step S5) includes the steps of:
S51) Each log corresponds to two nodes in the map and the connecting line between them; the corresponding nodes and connecting line are computed;
S52) Whether the relevant nodes and connecting line match the characteristic subgraph set is determined, as a real-time stream computation;
S53) The user vector is computed, i.e. the number of characteristic subgraphs contained in the user map.
Further, the S6) includes the steps of:
s61) as the number of the characteristic subgraphs is a natural number, a hyperplane exists inevitably, and a hyperplane set is obtained according to the sample vector subset;
s62) calculating the sample vector coverage rate between two adjacent hyperplanes to obtain a coverage rate sequence set;
s63) taking a coverage rate sequence set before the peak value, and fitting to obtain a function;
s64) setting a threshold value, and calculating the probability that the user vector belongs to the sample vector complete set;
s65) determining whether a deep threat exists.
Further, the manner of determination in step S65) is:
and when the probability is greater than a threshold value, judging that the user map belongs to the sample map complete set, and the user network has deep threat.
Further, the step S6) further includes the following steps: and when judging that the deep threat exists in the user network, adding the user map into the massive sample map, and recalculating the characteristic subgraph set.
Further, in step S31), a gSpan algorithm is applied to mine frequent subgraphs in each subset.
The invention has the beneficial effects that:
the invention carries out deep threat detection from the view of the map and the vector space, can realize the autonomous evolution of the detection capability in the detection process, and is beneficial to optimizing the detection performance while detecting.
Detailed Description
The present invention is further illustrated below with reference to specific examples.
The embodiment provides a network deep threat detection method, which comprises the following steps:
S1) Obtaining a deep threat principle: a deep threat sample (usually an executable file, exe, or a dynamic link library, dll) is reverse-analyzed using IDA Pro static disassembly and OllyDbg dynamic debugging techniques to obtain the deep threat principle. Deep threat principles can also be obtained by searching the internet for deep-threat-related material such as vendor reports, academic papers and technical articles.
The deep threat principle comprises the attack technique used by the deep threat (CAPEC), the vulnerability number (CVE), the control mode (C&C), the diffusion strategy (attack interval, attack quantity, attack target selection) and the like;
s2) generating a massive sample map:
S21) Different environment parameters are set to generate a large number of simulated environments, where the environment parameters include the number of network nodes, the number of nodes with vulnerabilities, the number of nodes with protection software installed and the like;
S22) According to the deep threat principle of step S1), different attack durations are set and the attack is deduced (simulated) in the different simulation environments, generating a massive sample map (on the order of millions of maps). Each map is composed of nodes and connecting lines: the attackers and targets are the nodes, and the attack behaviors are the connecting lines between the nodes. Theoretically the combinations of environment parameters and attack durations are infinite, so the sample map complete set is also infinite; it is denoted $G$. The massive sample maps actually generated are a subset of it, denoted $G_0$, with
$$G_0 \subset G.$$
S3) generating a set of sample vectors:
S31) The massive sample map $G_0$ generated in step S2) is partitioned into multiple mutually disjoint subsets $H_1, \ldots, H_m$, and the gSpan algorithm is applied to mine the frequent subgraphs of each subset $H_i$ (the size of each subset $H_i$ is scaled according to computing power). The result is written $S = \{s_i\}$, $1 \le i \le n$, where $n$ is the number of frequent subgraphs found; $S$ is called the characteristic subgraph set. A subgraph is a subset of a graph, and a frequent subgraph is a subgraph that appears multiple times across the graph set. A frequent subgraph does not necessarily appear in every graph of the set; it only has to meet the preset (support) threshold;
S32) The top $m$ characteristic subgraphs with the highest occurrence counts in $S$ are taken and recorded as $S_0 = \{s_i\}$, $1 \le i \le m \le n$, where the value of $m$ is determined according to computing capacity. Taking the number of each distinct characteristic subgraph of $S_0$ contained in a map as the components forms a vector space, and mapping the massive sample map $G_0$ into this vector space gives the sample vector subset $X_0$. For example, let the numbers of characteristic subgraphs contained in a certain sample map $g$ be $(x_1, \ldots, x_n)$, where $x_i$ is the number of times $g$ contains the characteristic subgraph $s_i$; $(x_1, \ldots, x_n)$ is viewed as a vector in an $n$-dimensional vector space. Then $G_0$ corresponds to the vector set $X_0$, and $X_0$ is called the sample vector subset. Since
$$G_0 \subset G,$$
$X$ must also exist, with
$$X_0 \subset X,$$
so that the sample map complete set $G$ corresponds to $X$; $X$ is called the sample vector complete set;
S4) Generating a user map: the security logs in the user network (logs of the security protection devices and abnormal-behavior logs) are converted into a map, called the user map, denoted $g_u$. A security log usually contains time, attacker, target, attack behavior, feature code (signature) and other elements; in the map, the attackers and targets are nodes and the attack behaviors are the connecting lines between the nodes;
S5) Generating a user vector: each log corresponds to two nodes and the connecting line between them in the map, and a characteristic subgraph is composed of several nodes and connecting lines, so a characteristic subgraph can be regarded as a log combination pattern (Pattern), and the characteristic subgraph set $S_0 = \{s_i\}$, $1 \le i \le n$, is equivalent to $n$ patterns;
Because the security logs in the user network are generated one after another, after each log is generated only its corresponding nodes and connecting line need to be computed and matched against $S_0$ (pattern matching), which enables real-time stream computation;
The user map $g_u$ is computed to obtain the number of each characteristic subgraph of $S_0 = \{s_i\}$, $1 \le i \le m$, that it contains, i.e. the user vector, denoted $u = (u_1, \ldots, u_n)$, where $u_i$ is the number of times $g_u$ contains $s_i$;
s6) determining whether a deep threat exists.
Since the number of characteristic subgraphs is a natural number, there must exist a hyperplane $y_0 = f_0(x)$ such that for every $x \in X_0$ we have $y \ge y_0$, where $y_0$ is far from the origin and $X_0$ is the sample vector subset. Starting from $y_0$, an offset of 1 is added in each dimension to obtain $y_1$, and so on, giving the hyperplane set $Y = \{y_i\}$, $i \ge 0$. The sample vector coverage rate between two adjacent hyperplanes is computed as (number of sample vectors) / (number of space coordinate points), giving the coverage rate sequence set $R = \{r_i\}$, $i \ge 0$.
Since the sample vector subset $X_0$ is finite, $R = \{r_i\}$ reaches a peak at some $i = k$ and then falls and approaches 0. By common knowledge, the more characteristic subgraphs a user map contains, the greater the probability that it is a deep threat. Therefore the coverage rate sequence before the peak, $R = \{r_i\}$, $i < k$, is fitted to obtain the function $p = p(x)$, i.e. the probability that the vector $x$ belongs to the sample vector complete set $X$, where $p$ approaches 1 as $x$ increases.
Set a threshold $p_0$ and compute the probability $p_u = p(u)$ that the user vector $u$ belongs to the sample vector complete set $X$. When $p_u > p_0$, $u \in X$, and hence $g_u \in G$, i.e. the user map belongs to the sample map complete set and the user network has a deep threat.
When $g_u \in G$, the user map $g_u$ is added to the massive sample map $G_0$ to obtain $G_1$, and the characteristic subgraph set is recalculated. As detection continues, $G_1, \ldots, G_n$ are obtained, and $G_n$ continuously approaches the sample map complete set $G$, thereby realizing continuous evolution of the detection capability.
The invention is not limited to the alternative embodiments described and other various forms of products may be made by anyone in light of the present invention. The described embodiments should not be construed as limiting the scope of the invention, which is defined in the claims, and which the description may be used for interpreting the claims.

Claims (9)

1. A network deep threat detection method is characterized in that: the method comprises the following steps:
s1) obtaining a deep threat principle: obtaining a depth threat principle by using IDA Pro static disassembling and OllyDbg dynamic debugging technologies or searching depth threat related data;
s2) generating a massive sample map:
s21) setting different environment parameters to generate a large number of simulation environments;
s22) setting different attack durations for deduction in different simulation environments according to the deep threat principle of the step S1), and generating a massive sample map;
s3) generating a set of sample vectors:
s31) dividing the massive sample map generated in the step S2) into a plurality of mutually disjoint subsets, and mining frequent subgraphs in each subset to obtain a characteristic subgraph set;
s32) one or more characteristic subgraphs occurring most often in the characteristic subgraph set are taken to obtain a frequent characteristic subgraph set; a vector space is formed by taking as components the number of each different frequent characteristic subgraph contained in a map, and the massive sample map is mapped into the vector space to obtain a sample vector subset;
s4) generating a user profile: converting a security log in a user network into a user map;
s5) generating a user vector;
s6) determining whether a deep threat exists.
2. The method according to claim 1, wherein the method comprises the following steps: the deep threat principle is that the deep threat uses any one or more of an attack technology, a vulnerability number, a control mode and a diffusion strategy.
3. The method according to claim 1, wherein the method comprises the following steps: the environment parameters comprise the number of network nodes, the number of nodes with vulnerabilities and the number of nodes with protection software.
4. The method according to claim 1, wherein the method comprises the following steps: the security log comprises time, attackers, targets, attack behaviors and feature codes.
5. The method according to claim 1, wherein the method comprises the following steps: step S5) includes the steps of:
s51) each log corresponds to two nodes in the map and the connecting line between them; the corresponding nodes and connecting line are computed;
s52) whether the relevant nodes and connecting line match the characteristic subgraph set is determined, as a real-time stream computation;
s53) the user vector is computed, i.e. the number of characteristic subgraphs contained in the user map.
6. The method according to claim 1, wherein the method comprises the following steps: the S6) includes the following steps:
s61) as the number of the characteristic subgraphs is a natural number, a hyperplane exists inevitably, and a hyperplane set is obtained according to the sample vector subset;
s62) calculating the sample vector coverage rate between two adjacent hyperplanes to obtain a coverage rate sequence set;
s63) taking a coverage rate sequence set before the peak value, and fitting to obtain a function;
s64) setting a threshold value, and calculating the probability that the user vector belongs to the sample vector complete set;
s65) determining whether a deep threat exists.
7. The method of claim 6, wherein the method comprises: the manner of determination in step S65) is:
and when the probability is greater than a threshold value, judging that the user map belongs to the sample map complete set, and the user network has deep threat.
8. The method of claim 6, wherein the method comprises: the step S6) further includes the following steps: and when judging that the deep threat exists in the user network, adding the user map into the massive sample map, and recalculating the characteristic subgraph set.
9. The method according to claim 1, wherein the method comprises the following steps: and step S31), mining frequent subgraphs in each subset by applying a gSpan algorithm.
CN202010130894.1A 2020-02-28 2020-02-28 Network deep threat detection method Active CN111431865B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010130894.1A CN111431865B (en) 2020-02-28 2020-02-28 Network deep threat detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010130894.1A CN111431865B (en) 2020-02-28 2020-02-28 Network deep threat detection method

Publications (2)

Publication Number Publication Date
CN111431865A true CN111431865A (en) 2020-07-17
CN111431865B CN111431865B (en) 2022-01-04

Family

ID=71547265

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010130894.1A Active CN111431865B (en) 2020-02-28 2020-02-28 Network deep threat detection method

Country Status (1)

Country Link
CN (1) CN111431865B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112604297A (en) * 2020-12-29 2021-04-06 网易(杭州)网络有限公司 Game plug-in detection method and device, server and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931570A (en) * 2010-02-08 2010-12-29 中国航天科技集团公司第七一○研究所 Method for reconstructing network attack path based on frequent pattern-growth algorithm
CN107666468A (en) * 2016-07-29 2018-02-06 中国电信股份有限公司 network security detection method and device
CN109639670A (en) * 2018-12-10 2019-04-16 北京威努特技术有限公司 A kind of industry control network security postures quantitative estimation method of knowledge based map
US20190158517A1 (en) * 2015-08-31 2019-05-23 Splunk Inc. Interface Providing An Interactive Trendline For A Detected Threat to Facilitate Evaluation For False Positives
CN109861858A (en) * 2019-01-28 2019-06-07 北京大学 Wrong investigation method of the micro services system root because of node

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李锦玲等: "基于最大频繁序列模式挖掘的App-DDoS攻击的异常检测", 《电子与信息学报》 *

Also Published As

Publication number Publication date
CN111431865B (en) 2022-01-04

Similar Documents

Publication Publication Date Title
Zhang et al. Classification of ransomware families with machine learning based on N-gram of opcodes
Falcão et al. Quantitative comparison of unsupervised anomaly detection algorithms for intrusion detection
Calderon The benefits of artificial intelligence in cybersecurity
CN112269316B (en) High-robustness threat hunting system and method based on graph neural network
Kantarcioglu et al. Adversarial data mining: Big data meets cyber security
CN111368302A (en) Automatic threat detection method based on attacker attack strategy generation
Rosli et al. Clustering analysis for malware behavior detection using registry data
CN114499982A (en) Honey net dynamic configuration strategy generating method, configuration method and storage medium
CN111431865B (en) Network deep threat detection method
Sakthivelu et al. Advanced Persistent Threat Detection and Mitigation Using Machine Learning Model.
Chandrasekaran et al. Spycon: Emulating user activities to detect evasive spyware
Sodiya et al. An Improved Semi-Global Alignment Algorithm for Masquerade Detection.
Cheng et al. Protecting VNF services with smart online behavior anomaly detection method
Kang et al. Actdetector: A sequence-based framework for network attack activity detection
Talompo et al. NAIDS design using ChiMIC-KGS
Hashim et al. A proposal to detect computer worms (malicious codes) using data mining classification algorithms
CN112969180A (en) Wireless sensor network attack defense method and system under fuzzy environment
Wen et al. A image texture and BP neural network basec malicious files detection technique for cloud storage systems
Feng Discussion on the Ways of Constructing Computer Network Security in Colleges: Considering Complex Worm Networks
Raju et al. Network Intrusion Detection for IoT-Botnet Attacks Using ML Algorithms
Lv et al. Coordinated scan detection algorithm based on the global characteristics of time sequence
CN115801458B (en) Real-time attack scene reconstruction method, system and equipment aiming at multi-step attack
Huang et al. An adaptive rule-based intrusion alert correlation detection method
Bai et al. Multidimensional Detection and Evaluation System of Computer Network Security Based on Machine Learning Algorithm
Liu et al. Software Deployment Strategy Based on Performance and Heterogeneity

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant