CN111784404A - Abnormal asset identification method based on behavior variable prediction - Google Patents


Publication number
CN111784404A
Authority
CN
China
Prior art keywords
asset
behavior
value
time
feature vector
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010652685.3A
Other languages
Chinese (zh)
Other versions
CN111784404B (en)
Inventor
王志远
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202010652685.3A
Publication of CN111784404A
Application granted
Publication of CN111784404B
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/02 Marketing; Price estimation or determination; Fundraising
    • G06Q30/0201 Market modelling; Market analysis; Collecting market data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Strategic Management (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Accounting & Taxation (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Finance (AREA)
  • Marketing (AREA)
  • Game Theory and Decision Science (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Human Resources & Organizations (AREA)
  • Data Mining & Analysis (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an abnormal asset identification method based on behavior variable prediction. The method extracts full-state features of an asset at different moments, generates a dimension reduction matrix T from the feature vector group using PCA (principal component analysis) dimension reduction, and forms a portrait of the asset at each specific moment. It then compares the asset portraits at different moments, analyzes the differences between them, calculates a confidence interval using a time-series weighted average algorithm, generates a time-series prediction portrait of the asset, identifies sudden-change behaviors and finds abnormal assets. The invention identifies sudden-change behavior based on comprehensive multidimensional features, takes dynamic asset states into account, reduces missed reports and false alarms, and monitors more and more accurately over time.

Description

Abnormal asset identification method based on behavior variable prediction
Technical Field
The invention belongs to the field of computer network security, and particularly relates to an abnormal asset identification method based on behavior variables.
Background
"Abnormal asset" is a term of art in network security. It refers to an asset that was not successfully protected against a network attack and has been affected as a result, for example through reduced service quality or abuse of its privileges; an attacker can go on to use the asset as a springboard or to pull data from it, so an abnormal asset is an early warning that the network is in a high-risk state. The causes of abnormality are complex; common attacks include malicious files, Webshells, SQL injection and the like. Because network attack methods and 0day vulnerabilities are so varied, traditional rule matching can hardly enumerate and verify every attack method, and abnormal asset identification computed from rule-based alarms can hardly judge asset state comprehensively and accurately; it is often helpless against 0day exploitation attacks and unknown threats in particular.
In the field of network security, a change in asset state can serve as an important indicator for security assessment. Traditional rule matching can hardly enumerate and verify every attack method, so abnormal asset identification computed from rule-based alarms can hardly judge asset state comprehensively and accurately, and is often helpless against 0day exploitation attacks and unknown threats in particular. Existing abnormal asset identification methods mainly use single-dimensional features, such as traffic exceeding a threshold, active outbound connections, unusual open ports and network attack alarms. However, asset state changes dynamically, and a change in traffic behavior is often caused by a normal change in traffic; abnormal behavior features are often hidden among a large number of normal behaviors, so this kind of identification often produces a large number of false alarms. Asset anomaly detection based on network alarms is limited by the security vendor and by the knowledge base and rule base of the security device; it has little effect against novel attack behaviors or advanced persistent threats, which leads to a large number of missed reports; at the same time, rule-based security detection is prone to false alarms.
Disclosure of Invention
The invention provides an abnormal asset identification method based on behavior variable prediction, aimed at the problems of the prior art: incomplete identification, and a tendency to produce missed reports and false alarms when asset states change dynamically. A dimension reduction matrix is obtained by dimension reduction of the multidimensional feature vector group, an asset behavior portrait group is obtained through the dimension reduction matrix, and the asset behavior portraits at different moments are compared and analyzed. Sudden-change behavior is thus identified on the basis of comprehensive multidimensional features, dynamic asset states are taken into account, missed reports and false alarms are reduced, and accuracy improves over time.
The invention is implemented as follows:
The invention provides an abnormal asset identification method based on behavior variable prediction, characterized by: collecting time-series continuous state samples of a monitored asset in a normal state to obtain m asset state features; generating a feature vector group of dimension m for one day of the monitored asset; generating a dimension reduction matrix T from the feature vector group by PCA dimension reduction; obtaining an asset behavior portrait group from the dimension reduction matrix T and the feature vector group; further obtaining the asset behavior variables K corresponding to different moments; and generating an asset state evaluation function G(t) that changes over time.
In order to better implement the present invention, further, the specific generating steps of the feature vector group are as follows:
Step one: first, extract the asset state feature vector V_0 at the initial time t_0; the asset state feature vector V_0 comprises the m asset state features at time t_0;
Step two: after a one-minute interval, extract the asset state feature vector V_1 at time t_1;
Step three: repeat the operation of step two 1438 times to obtain, in sequence, the asset state feature vectors V_2, V_3, ..., V_1439 for the 1438 moments after t_1;
Step four: combine the asset state feature vectors V_i from time t_0 to time t_1439 to obtain the feature vector group of dimension m, where the subscript i = 0, 1, 2, ..., 1439.
In order to better implement the invention, further, the specific generation steps of the asset behavior portrait group are as follows:
Step five: multiply the dimension reduction matrix T by the asset state feature vector V_0 at time t_0 to obtain the asset behavior portrait H_0 at time t_0;
Step six: for the asset state feature vectors V_i at the 1439 moments after t_0, likewise carry out the multiplication by the dimension reduction matrix T in sequence to obtain the asset behavior portraits H_1, H_2, ..., H_1439;
Step seven: combine all asset behavior portraits H_i from time t_0 to time t_1439 to obtain the asset behavior portrait group, where the subscript i = 0, 1, 2, ..., 1439.
To better implement the invention, further, the asset behavior variable K_n is calculated as follows: take the inner product of the asset behavior portrait H_n at time t_n and the asset behavior portrait H_{n-1} at time t_{n-1} to obtain the asset behavior variable K_n at time t_n, where the subscript n = 1, 2, 3, 4, ..., 1439.
To better implement the invention, further, a weighted average algorithm is applied to the asset behavior variables K_n to strengthen the weight of recent asset behavior changes, and the behavior variable prediction reference value M_n at time t_n is calculated, where the subscript n = 1, 2, 3, ..., 1439.
To better implement the invention, further, the behavior variable prediction reference values at times t_1 to t_1439 are added and then averaged to obtain the prediction error credible interval B.
In order to better implement the present invention, further, the asset state evaluation function G(t) is calculated as follows: first obtain the behavior variable prediction reference value M_{t-1} at the moment before the current time t, then obtain the weight C of the prediction error credible interval B; add the product of the behavior variable prediction reference value M_{t-1} and the weight A to the product of the prediction error credible interval B and the weight C, and take the absolute value to obtain the asset state evaluation function G(t) at the current time t; the weight is
Figure BDA0002575575470000021
The weight is
Figure BDA0002575575470000022
Wherein p is the difference between the current time t and the initial prediction time.
In order to better implement the invention, further, different trigger functions f(t) are set according to the difference between the initial prediction time of the monitored asset and the current time t. When the value of the trigger function f(t) is 1, the monitored asset is in an abnormal state; when the value of the trigger function f(t) is 0, the monitored asset is in a normal state.
To better implement the invention, further, when the difference p is greater than 2:
if the value of the asset state evaluation function G(t) at the current time t is greater than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 0;
if the value of the asset state evaluation function G(t) at the current time t is less than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 1.
To better implement the invention, further, when the difference p is less than or equal to 2:
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error credible interval B is greater than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 0;
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error credible interval B is less than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 1.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) Asset anomaly judgment does not rely on alarms from security devices, which reduces the influence of false alarms and missed alarms from those devices;
(2) Behavior analysis is performed on the multidimensional features of the asset, avoiding the false alarms caused by behavior evaluation based on simple checks such as port detection and outbound connections; the trigger function can keep learning from samples and adjust automatically, and the dynamic changes and initial healthy state of the asset are taken into account, so identification becomes more and more accurate;
(3) The method can accurately, efficiently and intelligently detect unknown threat behaviors occurring in real time.
Drawings
FIG. 1 is a schematic flow chart of the present invention;
FIG. 2 is a schematic flow chart of generating the trigger function f(t) from the asset behavior variables and of anomaly detection.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments, and therefore should not be considered as a limitation to the scope of protection. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Example 1:
The invention provides an abnormal asset identification method based on behavior variable prediction. As shown in FIG. 1 and FIG. 2, time-series continuous state samples of a specific asset in a normal state are first collected;
asset state features are then defined: the asset state features comprise m features such as number of inflow bytes (per minute), number of outflow bytes (per minute), number of open ports, number of processes, number of installed software packages, memory utilization, disk utilization, CPU utilization, number of external accesses, access success rate, number of domain name resolution failures, number of Trojan viruses and the like;
the asset state feature vector V_0 = {V_01, V_02, V_03, ..., V_0m} at the initial time t_0 is extracted and, at one-minute intervals, all asset state feature vectors V_i for the moments t_0 to t_1439 within the 24 hours of one day are extracted; the set of V_0 to V_i is the feature vector group;
the mean u of the 1440 asset state feature vectors is then calculated, V_i - u being the normalized sample; V2 = V × V^T is calculated to obtain the covariance matrix, eigenvalue decomposition is performed on the covariance matrix, [U, S, V] = EIG(V2), and the first k columns of the matrix U are extracted to obtain the dimension reduction matrix T;
for the asset state feature vectors V_i at the 1439 moments after t_0, the multiplication by the dimension reduction matrix T is likewise carried out in sequence to obtain the asset behavior portraits H_1, H_2, ..., H_1439;
all asset behavior portraits H_i from time t_0 to time t_1439 are combined to obtain the asset behavior portrait group, where the subscript i = 0, 1, 2, ..., 1439;
the inner product of the asset behavior portrait H_n at time t_n and the asset behavior portrait H_{n-1} at time t_{n-1} is taken to obtain the asset behavior variable K_n at time t_n, where the subscript n = 1, 2, 3, 4, ..., 1439;
the behavior variable prediction reference values at times t_1 to t_1439 are added and then averaged to obtain the prediction error credible interval B.
The working principle is as follows: through the above operations, features of the monitored asset are sampled over one day and the prediction error credible interval B can be calculated in advance; B then serves as the initial model for subsequent identification. A day has 24 hours, i.e. 1440 minutes, so it is divided into the moments 0 to 1439. The weighting algorithm strengthens the weight of recent asset behavior changes: as time passes, the further back a feature change lies, the weaker its influence on the prediction.
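The steps of this embodiment up to the behavior variables K_n, as an added Python example that is not part of the patent text. Power iteration with deflation stands in for the EIG call so that no third-party library is needed; the function names and the four-feature sample data are constructed for illustration.

```python
"""Added illustration (not the patent's code): portraits H_i = T x V_i and
behavior variables K_n = <H_n, H_{n-1}> from per-minute feature vectors."""
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def mat_vec(mat, vec):
    return [dot(row, vec) for row in mat]


def covariance_matrix(samples):
    """Subtract the mean vector u from every V_i and return the m x m covariance."""
    n = len(samples)
    u = [sum(col) / n for col in zip(*samples)]
    centered = [[x - mu for x, mu in zip(row, u)] for row in samples]
    m = len(u)
    return [[sum(r[a] * r[b] for r in centered) / n for b in range(m)]
            for a in range(m)]


def reduction_matrix(samples, k, iters=1000, tol=1e-12):
    """Return T (k x m): the k leading eigenvectors of the covariance matrix.

    Power iteration with deflation replaces the EIG call of the text. The text
    takes the first k columns of U; they are stored as rows here so that
    T x V_i is a k-dimensional portrait.
    """
    work = covariance_matrix(samples)
    m = len(work)
    total_variance = sum(work[j][j] for j in range(m))
    rows = []
    for _ in range(k):
        v = [float(j + 1) for j in range(m)]      # deterministic start vector
        norm = math.sqrt(dot(v, v))
        v = [x / norm for x in v]
        eigval = 0.0
        for _ in range(iters):
            w = mat_vec(work, v)
            norm = math.sqrt(dot(w, w))
            if norm <= 1e-9 * total_variance:     # nothing left to explain
                raise ValueError("fewer than k components carry variance")
            w = [x / norm for x in w]
            delta = max(abs(a - b) for a, b in zip(w, v))
            v, eigval = w, norm
            if delta < tol:
                break
        rows.append(v)
        # Deflation: remove the component just found before the next search.
        for a in range(m):
            for b in range(m):
                work[a][b] -= eigval * v[a] * v[b]
    return rows


def behavior_variables(samples, k):
    """Return (T, portraits H_0..H_N, behavior variables K_1..K_N)."""
    T = reduction_matrix(samples, k)
    portraits = [mat_vec(T, v) for v in samples]  # H_i = T x V_i, as in the text
    K = [dot(portraits[n], portraits[n - 1]) for n in range(1, len(portraits))]
    return T, portraits, K


# Constructed sample, one row per minute:
# [inflow bytes/min, outflow bytes/min, open ports, CPU utilization]
CONSTRUCTED_SAMPLES = [
    [1200.0, 310.0, 12.0, 0.31],
    [1350.0, 295.0, 12.0, 0.35],
    [1100.0, 330.0, 13.0, 0.28],
    [1280.0, 300.0, 12.0, 0.33],
    [1230.0, 325.0, 14.0, 0.30],
    [1310.0, 290.0, 12.0, 0.36],
    [1150.0, 315.0, 12.0, 0.29],
    [1260.0, 305.0, 13.0, 0.32],
]

if __name__ == "__main__":
    T, H, K = behavior_variables(CONSTRUCTED_SAMPLES, k=2)
    for n, value in enumerate(K, start=1):
        print(f"K_{n} = {value:.1f}")
```

The text only mean-normalizes the samples, so features measured on large scales (byte counts) dominate the leading components over small-scale ones (utilization ratios).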
Example 2:
On the basis of Embodiment 1, as shown in FIG. 2, once the prediction error credible interval B has been calculated in advance, actual monitoring and evaluation first requires calculating the asset state evaluation function G(t). The asset state evaluation function G(t) is calculated as follows: first obtain the behavior variable prediction reference value M_{t-1} at the moment before the current time t, then obtain the weight C of the prediction error credible interval B; add the product of the behavior variable prediction reference value M_{t-1} and the weight A to the product of the prediction error credible interval B and the weight C, and take the absolute value to obtain the asset state evaluation function G(t) at the current time t; the weight is
Figure BDA0002575575470000041
The weight is
Figure BDA0002575575470000042
Wherein, p is the difference value between the current time t and the initial prediction time, and is expressed by a formula as follows:
Figure BDA0002575575470000051
After the asset state evaluation function G(t) has been calculated, different trigger functions f(t) are set according to the difference between the initial prediction time of the monitored asset and the current time t. To better implement the present invention, further, when the difference p is greater than 2:
if the value of the asset state evaluation function G(t) at the current time t is greater than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 0;
if the value of the asset state evaluation function G(t) at the current time t is less than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 1.
To better implement the invention, further, when the difference p is less than or equal to 2:
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error credible interval B is greater than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 0;
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error credible interval B is less than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 1.
When the value of the trigger function f(t) is 1, the monitored asset is in an abnormal state; when the value of the trigger function f(t) is 0, the monitored asset is in a normal state. The specific formulas are as follows:
when p is greater than 2:
Figure BDA0002575575470000052
when p is less than or equal to 2:
Figure BDA0002575575470000053
The working principle is as follows: because the asset state changes constantly, the influence of the initial training data gradually weakens. The influence of the passage of time, i.e. the increase of t, on the asset state is therefore fully taken into account: as t increases, the influence of the recent behavior variable prediction reference value M_{t-1} is strengthened and the influence of the prediction error credible interval B from the initial training data is weakened. Considering the influence of B in the special state, different trigger functions are designed; for convenience and to reduce computing resources, t is an integer and the calculation is performed once per minute.
Other parts of this embodiment are the same as those of embodiment 1, and thus are not described again.
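The reference values M_n, the interval B, the evaluation function G(t) and the trigger function f(t) of Embodiments 1 and 2, as an added Python example that is not part of the patent text. The weights A and C survive on this page only as figure placeholders and the weighting inside the weighted average is not given, so the forms used here (weight j on K_j, A = p/(p+1), C = 1/(p+1)) are assumptions chosen to match the stated intent that recent values and M_{t-1} gain influence over time; the K series are constructed.

```python
"""Added illustration (not the patent's code): M_n, B, G(t) and f(t)."""


def weighted_reference(k_series):
    """Return [M_1, ..., M_N], M_n being a weighted average of K_1..K_n.

    ASSUMPTION: K_j carries weight j, so recent values count more. The text
    names a weighted average but does not give its weights.
    """
    refs, num, den = [], 0.0, 0.0
    for j, k in enumerate(k_series, start=1):
        num += j * k
        den += j
        refs.append(num / den)
    return refs


def weight_a(p):
    """ASSUMED placeholder for weight A: grows towards 1 as p increases."""
    return p / (p + 1.0)


def weight_c(p):
    """ASSUMED placeholder for weight C: shrinks towards 0 as p increases."""
    return 1.0 / (p + 1.0)


def evaluation(m_prev, b, p):
    """G(t) = |A * M_{t-1} + C * B|, as described in the text."""
    return abs(weight_a(p) * m_prev + weight_c(p) * b)


def trigger(k_t, m_prev, b, p):
    """f(t): 1 means abnormal, 0 means normal."""
    if p > 2:
        reference = evaluation(m_prev, b, p)
    else:
        reference = abs((m_prev + b) / 2.0)
    # The text does not cover equality; it is treated as normal here.
    return 1 if reference < k_t else 0


def monitor(baseline_k, live_k):
    """Flag each live behavior variable K_t against a baseline period.

    ASSUMPTIONS: p counts minutes since monitoring started (the first live
    minute is p = 1), and every live K_t is folded into the running
    reference value, flagged or not.
    """
    baseline_refs = weighted_reference(baseline_k)
    b = sum(baseline_refs) / len(baseline_refs)     # B: mean of M_1..M_N
    history = list(baseline_k)
    flags = []
    for p, k_t in enumerate(live_k, start=1):
        m_prev = weighted_reference(history)[-1]    # recomputed for clarity
        flags.append(trigger(k_t, m_prev, b, p))
        history.append(k_t)
    return flags


# Constructed behavior variables: a short baseline and a live series with one spike.
BASELINE_K = [10.0, 12.0, 11.0, 9.0]
LIVE_K = [9.0, 10.0, 9.0, 40.0, 9.0]

if __name__ == "__main__":
    print(monitor(BASELINE_K, LIVE_K))  # [0, 0, 0, 1, 0]
```

With these placeholder weights G(t) is a convex combination of M_{t-1} and B, so it carries no margin above the running reference and any K_t slightly above it sets f(t) to 1.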
Example 3:
On the basis of any one of Embodiments 1-2, the present invention provides a specific implementation example of PCA dimension reduction and asset behavior portrait group generation, comprising the following steps:
Step A1: use traffic collection equipment to collect asset traffic features, which mainly comprise the inbound/outbound traffic ratio (per minute), number of open ports, number of external accesses, access success rate, number of domain name resolution failures, number of access failures and the like;
Step A2: use terminal detection equipment to collect the internal behavior features of the asset, which mainly comprise the number of installed software packages, memory utilization, disk utilization, CPU utilization, number of Trojan viruses, number of vulnerabilities, number of backdoors and the like;
Step A3: calculate the asset state feature vector V_0 = {V_01, V_02, V_03, ..., V_0m} at the initial time t_0;
Step A4: with 1 minute as the time scale, calculate the asset state feature vector V_1 = {V_11, V_12, V_13, ..., V_1m} at time t_1;
Step A5: compute the feature data statistically for one hour to form the behavior feature vector group of the asset.
Step B1: perform PCA (principal component analysis) dimension reduction. Mean-normalize the samples: let the samples be V_i and the mean of the 1440 samples be u, so that V_i - u is the normalized sample; calculate V2 = V × V^T to obtain the covariance matrix, perform eigenvalue decomposition on the covariance matrix, [U, S, V] = EIG(V2), and extract the first 10 columns of the matrix U to obtain the dimension reduction matrix T;
Step B2: recalculate over the previous feature vector group to generate the asset behavior portrait at time t_0, H_0 = T × V_0;
Step B3: loop the B2 operation 60 times to generate the asset behavior portrait group H_0, H_1, ..., H_60 for one hour; part of the results is shown in the following table:
H_0   2.3    7   10   0.9   1   8   0.2   0.3   0.1   7
H_1   3.1    9    8   1     0   8   0.2   0.3   0.2   7
H_2   1.2   15    6   1     0   8   0.2   0.3   0.2   7
H_3   0.2   10    2   0.8   1   9   0.4   0.3   0.2   7
H_4   0.1   20    3   0.7   0   9   0.2   0.3   0.2   7
H_5   1.3   17    6   1     0   9   0.2   0.4   0.2   8
Table 1: Asset behavior portrait group (partial)
Other parts of this embodiment are the same as any of embodiments 1-2 described above, and thus are not described again.
Example 4:
On the basis of any one of Embodiments 1 to 3, in actual operation the invention uses the trigger function f(t) to calculate and judge the experimental assets, obtaining the (partial) results shown in Table 2 below:
Figure BDA0002575575470000061
Figure BDA0002575575470000071
Table 2: Trigger results (partial)
Analysis of the results identified the asset as abnormal at the moments represented by f(4), f(9) and f(20); analysis and verification of the asset's logs found that brute-force cracking attacks took place at these three moments, indicating that the identification method is effective.
Other parts of this embodiment are the same as any of embodiments 1 to 3, and thus are not described again.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (10)

1. An abnormal asset identification method based on behavior variable prediction, characterized in that time-series continuous state samples of a monitored asset in a normal state are collected to obtain m asset state features; a feature vector group of dimension m is generated for one day of the monitored asset; a dimension reduction matrix T is generated from the feature vector group by PCA dimension reduction, an asset behavior portrait group is obtained from the dimension reduction matrix T and the feature vector group, the asset behavior variables K corresponding to different moments are further obtained, and finally an asset state evaluation function G(t) that changes over time is generated.
2. The abnormal asset identification method based on behavior variable prediction according to claim 1, wherein the specific steps for generating the feature vector group are as follows:
Step one: first, extract the asset state feature vector V_0 at the initial time t_0; the asset state feature vector V_0 comprises the m asset state features at time t_0;
Step two: after a one-minute interval, extract the asset state feature vector V_1 at time t_1;
Step three: repeat the operation of step two 1438 times to obtain, in sequence, the asset state feature vectors V_2, V_3, ..., V_1439 for the 1438 moments after t_1;
Step four: combine the asset state feature vectors V_i from time t_0 to time t_1439 to obtain the feature vector group of dimension m, where the subscript i = 0, 1, 2, ..., 1439.
3. The abnormal asset identification method based on behavior variable prediction according to claim 2, wherein the specific generation steps of the asset behavior portrait group are as follows:
Step five: multiply the dimension reduction matrix T by the asset state feature vector V_0 at time t_0 to obtain the asset behavior portrait H_0 at time t_0;
Step six: for the asset state feature vectors V_i at the 1439 moments after t_0, likewise carry out the multiplication by the dimension reduction matrix T in sequence to obtain the asset behavior portraits H_1, H_2, ..., H_1439;
Step seven: combine all asset behavior portraits H_i from time t_0 to time t_1439 to obtain the asset behavior portrait group, where the subscript i = 0, 1, 2, ..., 1439.
4. The abnormal asset identification method based on behavior variable prediction according to claim 3, wherein the asset behavior variable K_n is calculated as follows: take the inner product of the asset behavior portrait H_n at time t_n and the asset behavior portrait H_{n-1} at time t_{n-1} to obtain the asset behavior variable K_n at time t_n, where the subscript n = 1, 2, 3, 4, ..., 1439.
5. The abnormal asset identification method based on behavior variable prediction according to claim 4, wherein a weighted average algorithm is applied to the asset behavior variables K_n to strengthen the weight of recent asset behavior changes, and the behavior variable prediction reference value M_n at time t_n is calculated, where the subscript n = 1, 2, 3, ..., 1439.
6. The abnormal asset identification method based on behavior variable prediction according to claim 5, wherein the behavior variable prediction reference values at times t_1 to t_1439 are added and then averaged to obtain the prediction error credible interval B.
7. The abnormal asset identification method based on behavior variable prediction according to claim 6, wherein the asset state evaluation function G(t) is calculated as follows: first obtain the behavior variable prediction reference value M_{t-1} at the moment before the current time t, then obtain the weight C of the prediction error credible interval B; add the product of the behavior variable prediction reference value M_{t-1} and the weight A to the product of the prediction error credible interval B and the weight C, and take the absolute value to obtain the asset state evaluation function G(t) at the current time t; the weight is
Figure FDA0002575575460000021
The weight is
Figure FDA0002575575460000022
where p is the difference between the current time t and the initial prediction time.
8. The abnormal asset identification method based on behavior variable prediction according to claim 7, wherein different trigger functions f(t) are set according to the difference between the initial prediction time of the monitored asset and the current time t; when the value of the trigger function f(t) is 1, the monitored asset is in an abnormal state; when the value of the trigger function f(t) is 0, the monitored asset is in a normal state.
9. The abnormal asset identification method based on behavior variable prediction according to claim 8, wherein when the difference p is greater than 2:
if the value of the asset state evaluation function G(t) at the current time t is greater than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 0;
if the value of the asset state evaluation function G(t) at the current time t is less than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 1.
10. The abnormal asset identification method based on behavior variable prediction according to claim 8, wherein when the difference p is less than or equal to 2:
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error credible interval B is greater than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 0;
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error credible interval B is less than the asset behavior variable K_t at time t, the value of the trigger function f(t) is 1.
CN202010652685.3A 2020-07-08 2020-07-08 Abnormal asset identification method based on behavior variable prediction Active CN111784404B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010652685.3A CN111784404B (en) 2020-07-08 2020-07-08 Abnormal asset identification method based on behavior variable prediction

Publications (2)

Publication Number Publication Date
CN111784404A CN111784404A (en) 2020-10-16
CN111784404B CN111784404B (en) 2024-04-16

Family

ID=72759322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010652685.3A Active CN111784404B (en) 2020-07-08 2020-07-08 Abnormal asset identification method based on behavior variable prediction

Country Status (1)

Country Link
CN (1) CN111784404B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112581042A (en) * 2021-02-24 2021-03-30 广州互联网法院 Performance capability evaluation system and method and electronic equipment
WO2023072021A1 (en) * 2021-10-26 2023-05-04 Yip Ming Ham Method, electronic device and system for trading signal generation of financial instruments using graph convolved dynamic mode decomposition

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109344617A (en) * 2018-09-16 2019-02-15 杭州安恒信息技术股份有限公司 A kind of Internet of Things assets security portrait method and system
CN109636467A (en) * 2018-12-13 2019-04-16 洛阳博得天策网络科技有限公司 A kind of comprehensive estimation method and system of the internet digital asset of brand
CN109657962A (en) * 2018-12-13 2019-04-19 洛阳博得天策网络科技有限公司 A kind of appraisal procedure and system of the volume assets of brand

Also Published As

Publication number Publication date
CN111784404B (en) 2024-04-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant