CN111784404B - Abnormal asset identification method based on behavior variable prediction - Google Patents


Info

Publication number: CN111784404B
Authority: CN (China)
Prior art keywords: asset, time, behavior, feature vector, value
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010652685.3A
Other languages: Chinese (zh)
Other versions: CN111784404A (en)
Inventors: 王志远, 范渊
Current Assignee: DBAPPSecurity Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202010652685.3A
Publication of CN111784404A
Application granted
Publication of CN111784404B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/02 Marketing; Price estimation or determination; Fundraising
    • G06Q30/0201 Market modelling; Market analysis; Collecting market data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Strategic Management (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Accounting & Taxation (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Finance (AREA)
  • Marketing (AREA)
  • Game Theory and Decision Science (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Human Resources & Organizations (AREA)
  • Data Mining & Analysis (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an abnormal asset identification method based on behavior variable prediction. Full-state features of an asset are extracted at different moments, and a PCA (principal component analysis) dimension reduction technique is used to generate a dimension reduction matrix T from the feature vector group. Portraits of the asset at specific moments are then formed, and the differences between the portraits of the asset at different moments are selected and compared for analysis. A time series weighted average algorithm is then used to calculate a confidence interval and to generate a time series prediction portrait of the asset, so that abrupt changes in behavior are identified and abnormal assets are found. The invention identifies abrupt behavior changes based on comprehensive multidimensional features, correlates dynamic asset states, reduces missed reports and false reports, and monitors more accurately over time.

Description

Abnormal asset identification method based on behavior variable prediction
Technical Field
The invention belongs to the field of computer network security, and particularly relates to an abnormal asset identification method based on behavior variables.
Background
"Abnormal asset" is a technical term in the field of network security. It refers to an asset that was not successfully protected against a network attack and has been affected as a result, for example through reduced service quality or abused privileges; an attacker can go on to use the asset as a springboard or to pull data from it, so an abnormal asset is an early warning that the network is in a high-risk state. The causes of abnormality are complex; common attacks include malicious files, webshells, SQL injection and the like. Because network attack techniques are diverse and 0day vulnerabilities emerge endlessly, it is difficult to enumerate and verify every attack method with traditional rule matching, so abnormal asset identification based on rule alarms struggles to judge the asset state comprehensively and accurately, and is often powerless against 0day exploit attacks and unknown threats.
In the field of network security, a change in asset state can serve as an important indicator for security assessment. Existing abnormal asset identification methods mainly use single-dimension features, such as traffic exceeding a threshold, active outbound connections, unusual open ports, network attack alarms and the like. However, the state of an asset changes dynamically, and a change in traffic behavior is often caused by a normal business change; abnormal behavior features are often hidden among a large number of normal behaviors, so such identification methods often produce a large number of false positives. Asset abnormality detection based on network alarms is limited by the security vendor and by the knowledge base and rule base of the security equipment, and is ineffective against novel attack behavior or advanced persistent threats, which results in a large number of missed reports; at the same time, rule-based security detection very easily produces false alarms.
Disclosure of Invention
To address the problems of the prior art, namely incomplete identification and frequent missed reports and false alarms when the asset state is dynamic, the invention provides an abnormal asset identification method based on behavior variable prediction. A dimension reduction matrix is obtained by applying dimension reduction to a multi-dimensional feature vector group, an asset behavior portrait group is obtained through the dimension reduction matrix, and the asset behavior portraits at different moments are compared and analyzed. Abrupt behavior is thus identified on the basis of comprehensive multi-dimensional features, the dynamic asset state is taken into account, missed reports and false alarms are reduced, and the method becomes more accurate over time.
The invention is realized as follows:
The invention provides an abnormal asset identification method based on behavior variable prediction, which collects time-sequential continuous state samples of a monitored asset in its normal state to obtain m asset state features; generates a feature vector group of dimension m for one day of the monitored asset; generates a dimension reduction matrix T from the feature vector group through the PCA dimension reduction technique; obtains the asset behavior portrait group from the dimension reduction matrix T and the feature vector group; further obtains the asset behavior variables K corresponding to different moments; and generates the asset state evaluation function G(t), which changes with time.
In order to better implement the present invention, further, the specific steps for generating the feature vector group are:
Step one: first extract the asset state feature vector V_0 at the initial time t_0; the asset state feature vector V_0 includes the m asset state features at time t_0;
Step two: after an interval of one minute, extract the asset state feature vector V_1 at time t_1;
Step three: repeat the operation of step two 1438 times to obtain, in turn, the asset state feature vectors V_2, V_3, ..., V_1439 at the 1438 moments after t_1;
Step four: combine the asset state feature vectors V_i from time t_0 to time t_1439 to obtain a feature vector group of dimension m; subscript i = 0, 1, 2, ..., 1439.
In order to better implement the invention, the specific steps for generating the asset behavior portrait group are as follows:
Step five: multiply the dimension reduction matrix T by the asset state feature vector V_0 at time t_0 to obtain the asset behavior portrait H_0 at time t_0;
Step six: for the asset state feature vectors V_i at the 1439 moments after t_0, perform the multiplication by the dimension reduction matrix T in turn to obtain the asset behavior portraits H_1, H_2, ..., H_1439;
Step seven: combine the asset behavior portraits H_i for all moments t_0 to t_1439 to obtain the asset behavior portrait group, where subscript i = 0, 1, 2, ..., 1439.
To better implement the invention, further, the asset behavior variable K_n is calculated as follows: take the inner product of the asset behavior portrait H_n at time t_n and the asset behavior portrait H_{n-1} at time t_{n-1} to obtain the asset behavior variable K_n at time t_n, where subscript n = 1, 2, 3, 4, ..., 1439.
To better implement the invention, further, a weighted average algorithm is applied to the asset behavior variables K_n so as to strengthen the weight of recent asset behavior changes, and the behavior variable prediction reference value M_n at time t_n is calculated, where subscript n = 1, 2, 3, ..., 1439.
To better implement the invention, further, the behavior variable prediction reference values at times t_1 to t_1439 are summed and then averaged to obtain the prediction error confidence interval B.
In order to better implement the present invention, further, the asset state evaluation function G(t) is calculated as follows: first, the behavior variable prediction reference value M_{t-1} at the moment before the current time t is obtained; then the weight C of the prediction error confidence interval B is obtained; the product of the behavior variable prediction reference value M_{t-1} and the weight A is added to the product of the prediction error confidence interval B and the weight C, and the absolute value of the sum is taken to obtain the asset state evaluation function G(t) at the current time t. The weight A and the weight C are each defined by a formula (the formulas are not reproduced in this text), where p is the difference between the current time t and the starting predicted time.
In order to better implement the invention, further, different trigger identification functions f(t) are set according to the difference between the starting predicted time of the monitored asset and the current time t. When the value of the trigger identification function f(t) is 1, the monitored asset is in an abnormal state; when the value of the trigger identification function f(t) is 0, the monitored asset is in a normal state.
To better implement the invention, further, when the difference p is greater than 2:
if the value of the asset state evaluation function G(t) at the current time t is greater than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 0;
if the value of the asset state evaluation function G(t) at the current time t is smaller than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 1.
To better implement the invention, further, when the difference p is less than or equal to 2:
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error confidence interval B is greater than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 0;
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error confidence interval B is smaller than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 1.
Compared with the prior art, the invention has the following advantages:
(1) Asset abnormality does not have to be judged from security equipment alarms, which reduces the influence of the security equipment's false alarms and missed reports;
(2) Behavior analysis is performed on the multi-dimensional features of the asset, which avoids the false alarms caused by behavior evaluation that simply checks ports, outbound connections and the like; with continuous learning from samples and automatic parameter adjustment, the trigger function takes both the dynamic changes and the initial healthy state of the asset into account, so the identification becomes more and more accurate;
(3) The method can accurately, efficiently and intelligently detect unknown threat behaviors occurring in real time.
Drawings
FIG. 1 is a schematic diagram of a specific flow chart of the present invention;
FIG. 2 is a flow chart of generating the trigger identification function f(t) from the asset behavior variables and performing anomaly detection.
Detailed Description
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, they are described below clearly and completely with reference to the accompanying drawings. It should be understood that the described embodiments are only some embodiments of the present invention, not all of them, and therefore should not be considered as limiting the scope of protection. All other embodiments obtained by a person of ordinary skill in the art without creative effort, based on the embodiments of the present invention, fall within the protection scope of the present invention.
Example 1:
The invention provides an abnormal asset identification method based on behavior variable prediction. As shown in FIG. 1 and FIG. 2, time-sequential continuous state samples of a specific asset in its normal state are collected first;
the asset state features are then defined: they comprise m features such as inflow bytes (per minute), outflow bytes (per minute), open ports, processes, number of installed software packages, memory usage, disk usage, CPU usage, number of outbound accesses, number of times accessed, access success rate, number of domain name resolution failures, number of Trojan viruses, etc.;
the asset state feature vector V_0 = {V_01, V_02, V_03, ..., V_0m} at the initial time t_0 is extracted, and all asset state feature vectors V_i at times t_0 to t_1439 within the 24 hours of one day are extracted at one-minute intervals; the set of V_0 to V_i is the feature vector group;
the mean u of the 1440 asset state feature vectors is then calculated, so that V_i - u is the normalized sample; V2 = V × V^T is calculated to obtain the covariance matrix, eigenvalue decomposition is performed on the covariance matrix, [U, S, V] = eig(V2), and the first k columns of the matrix U are extracted to obtain the dimension reduction matrix T;
for the asset state feature vectors V_i at the 1439 moments after t_0, the multiplication by the dimension reduction matrix T is performed in turn to obtain the asset behavior portraits H_1, H_2, ..., H_1439;
the asset behavior portraits H_i for all moments t_0 to t_1439 are combined to obtain the asset behavior portrait group, where subscript i = 0, 1, 2, ..., 1439;
the inner product of the asset behavior portrait H_n at time t_n and the asset behavior portrait H_{n-1} at time t_{n-1} is taken to obtain the asset behavior variable K_n at time t_n, where subscript n = 1, 2, 3, 4, ..., 1439;
the behavior variable prediction reference values at times t_1 to t_1439 are summed and then averaged to obtain the prediction error confidence interval B.
Working principle: through the above operations, the features of the monitored asset are sampled over the course of one day, so the prediction error confidence interval B can be calculated in advance and then used as the initial model for subsequent identification. One day has 24 hours, 1440 minutes in total, so the times run from 0 to 1439. The weighting algorithm strengthens the weight of recent asset behavior changes: the further back in time a feature change lies, the weaker its influence on the prediction.
Example 2:
On the basis of embodiment 1 above, as shown in FIG. 2, after the prediction error confidence interval B has been calculated in advance, the asset state evaluation function G(t) must first be calculated during actual monitoring and evaluation. The asset state evaluation function G(t) is calculated as follows: first, the behavior variable prediction reference value M_{t-1} at the moment before the current time t is obtained; then the weight C of the prediction error confidence interval B is obtained; the product of the behavior variable prediction reference value M_{t-1} and the weight A is added to the product of the prediction error confidence interval B and the weight C, and the absolute value of the sum is taken to obtain the asset state evaluation function G(t) at the current time t. The weight A and the weight C are each defined by a formula (the formulas are not reproduced in this text), where p is the difference between the current time t and the starting predicted time, expressed by a formula:
After the asset state evaluation function G(t) has been calculated, different trigger identification functions f(t) are set according to the difference between the starting predicted time of the monitored asset and the current time. To better implement the invention, further, when the difference p is greater than 2:
if the value of the asset state evaluation function G(t) at the current time t is greater than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 0;
if the value of the asset state evaluation function G(t) at the current time t is smaller than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 1.
To better implement the invention, further, when the difference p is less than or equal to 2:
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error confidence interval B is greater than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 0;
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error confidence interval B is smaller than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 1.
When the value of the trigger identification function f(t) is 1, the monitored asset is in an abnormal state; when the value of the trigger identification function f(t) is 0, the monitored asset is in a normal state. The specific formula is expressed as follows:
when p is greater than 2:
when p is less than or equal to 2:
Working principle: since the asset state changes constantly, the influence of the initial training data gradually fades. The time variation, i.e. the influence of an increasing value of t on the asset state, is therefore taken into account: as t increases, the recent behavior variable prediction reference value M_{t-1} is strengthened and the influence of the prediction error confidence interval B from the initial training data is weakened. Considering the influence of B in special states, different trigger identification functions are designed. For convenience and to reduce computing resources, t is an integer and the calculation is performed once per minute.
Other portions of this embodiment are the same as those of embodiment 1 described above, and thus will not be described again.
Example 3:
On the basis of any one of embodiments 1-2 above, the invention provides a specific implementation example of PCA dimension reduction and asset behavior portrait group generation, comprising the following steps:
Step A1: traffic collection equipment is used to collect the traffic features of the asset, which mainly comprise the inbound/outbound traffic ratio (per minute), number of open ports, number of outbound accesses, access success rate, number of domain name resolution failures, number of access failures and the like;
Step A2: terminal detection equipment is used to collect the internal behavior features of the asset, which mainly comprise the number of installed software packages, memory usage, disk usage, CPU usage, number of Trojan viruses, number of vulnerabilities, number of backdoors and the like;
Step A3: calculate the asset state feature vector V_0 = {V_01, V_02, V_03, ..., V_0m} at the initial time t_0;
Step A4: with 1 minute as the time scale, calculate the asset state feature vector V_1 = {V_11, V_12, V_13, ..., V_1m} at time t_1;
Step A5: compute the feature data for one hour to form the behavior feature vector group of the asset.
Step B1: perform PCA dimension reduction decomposition. Mean-normalize the samples: let the samples be V_i and the mean of the 1440 samples be u, so that V_i - u is the normalized sample. Calculate V2 = V × V^T to obtain the covariance matrix, perform eigenvalue decomposition on the covariance matrix, [U, S, V] = eig(V2), and extract the first 10 columns of the matrix U to obtain the dimension reduction matrix T;
Step B2: recompute with the previous feature vector group to generate the asset behavior portrait at time t_0, H_0 = T × V_0;
Step B3: repeat the B2 operation 60 times to generate the asset behavior portrait group H_0, H_1, ..., H_60 for one hour of the asset; partial results are shown in the following table:
H_0   2.3   7    10   0.9   1   8   0.2   0.3   0.1   7
H_1   3.1   9    8    1     0   8   0.2   0.3   0.2   7
H_2   1.2   15   6    1     0   8   0.2   0.3   0.2   7
H_3   0.2   10   2    0.8   1   9   0.4   0.3   0.2   7
H_4   0.1   20   3    0.7   0   9   0.2   0.3   0.2   7
H_5   1.3   17   6    1     0   9   0.2   0.4   0.2   8
Table 1: Asset behavior portrait group (partial)
Other portions of this embodiment are the same as any of embodiments 1-2 described above, and thus will not be described again.
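The pipeline of Examples 1 and 3 (feature vector group, PCA, dimension reduction matrix T, portraits H_i, behavior variables K_n, reference values M_n), as an added example in standard-library Python; it is not part of the patent text. The four features, the sample values, k, the exponential form of the weighted average and the relative-deviation score are assumptions, and the portrait is computed as T^T V so that the dimensions agree.

```python
import math
import random

def make_samples(minutes, seed, burst=()):
    """Constructed V_i: [inflow KB, outflow KB, open ports, failed logins] per minute."""
    rng = random.Random(seed)
    samples = []
    for i in range(minutes):
        v = [rng.gauss(50, 2), rng.gauss(20, 1.5), rng.gauss(12, 0.3), rng.gauss(4, 1)]
        if i in burst:
            v[3] += 60  # constructed burst of failed logins
        samples.append(v)
    return samples

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def covariance(samples):
    """Covariance of the mean-normalized samples V_i - u (scaling does not change eigenvectors)."""
    n = len(samples)
    u = [sum(col) / n for col in zip(*samples)]
    centered = [[x - ui for x, ui in zip(v, u)] for v in samples]
    m = len(u)
    return [[sum(r[a] * r[b] for r in centered) / (n - 1) for b in range(m)]
            for a in range(m)]

def fit_reduction_matrix(samples, k, iters=500):
    """First k eigenvectors of the covariance matrix, returned as the rows of T^T.

    Power iteration with deflation stands in for eig() to avoid dependencies.
    """
    a = covariance(samples)
    m = len(a)
    rows = []
    for _component in range(k):
        x = [1.0 + 0.1 * i for i in range(m)]            # fixed start vector
        for _step in range(iters):
            y = [dot(row, x) for row in a]
            norm = math.sqrt(dot(y, y))
            x = [t / norm for t in y]
        lam = dot(x, [dot(row, x) for row in a])          # Rayleigh quotient
        rows.append(x)
        a = [[a[r][c] - lam * x[r] * x[c] for c in range(m)] for r in range(m)]
    return rows

def portraits(t_rows, samples):
    """H_i = T^T V_i, applied to the raw (uncentered) V_i as in step B2."""
    return [[dot(t, v) for t in t_rows] for v in samples]

def behavior_variables(h):
    """K_n = <H_n, H_{n-1}>; list index 0 holds K_1."""
    return [dot(h[n], h[n - 1]) for n in range(1, len(h))]

def reference_values(k_values, alpha=0.3):
    """M_n as an exponentially weighted average of K_1..K_n (assumed form and alpha)."""
    m_values = [k_values[0]]
    for k_n in k_values[1:]:
        m_values.append(alpha * k_n + (1 - alpha) * m_values[-1])
    return m_values

def peak_deviation(baseline, window, k):
    """Minute n and score where |K_n - M_{n-1}| / |M_{n-1}| peaks (assumed score)."""
    t_rows = fit_reduction_matrix(baseline, k)            # T is fitted on normal data only
    k_values = behavior_variables(portraits(t_rows, window))
    m_values = reference_values(k_values)
    scores = {n: abs(k_values[n - 1] - m_values[n - 2]) / abs(m_values[n - 2])
              for n in range(2, len(k_values) + 1)}
    worst = max(scores, key=scores.get)
    return worst, scores[worst]

if __name__ == "__main__":
    baseline = make_samples(1440, seed=1)                  # one normal day
    window = make_samples(120, seed=2, burst=(60, 61, 62)) # monitored window
    for k in (3, 2):
        print("k =", k, "peak (minute, score):", peak_deviation(baseline, window, k))
```

With k = 2 the failed-login direction falls outside the retained eigenvectors and the same burst barely moves K_n, so the choice of k decides which features the portrait can see at all. Because K_n is an inner product of consecutive portraits, it rises sharply only once the deviation is present in two consecutive samples (minute 61 here, not minute 60).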
Example 4:
On the basis of any one of embodiments 1 to 3 above, in actual operation the invention uses the trigger identification function f(t) to calculate and judge the experimental asset, giving the (partial) results shown in Table 2 below:
Table 2: Trigger results (partial)
f(4), f(9) and f(20) mark moments at which the asset is abnormal. Analysis and verification of this result against the asset's logs showed that brute-force attack behavior occurred at these three moments, so the identification method is effective.
Other portions of this embodiment are the same as any of embodiments 1 to 3 described above, and thus will not be described again.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention in any way; any simple modification, equivalent variation, etc. of the above embodiments made according to the technical substance of the present invention falls within the scope of the present invention.

Claims (6)

1. An abnormal asset identification method based on behavior variable prediction, characterized in that time-sequential continuous state samples of a monitored asset in its normal state are collected to obtain m asset state features; a feature vector group of dimension m is generated for one day of the monitored asset; a dimension reduction matrix T is generated from the feature vector group through the PCA dimension reduction technique, the asset behavior portrait group is obtained from the dimension reduction matrix T and the feature vector group, the asset behavior variables K corresponding to different moments are further obtained, and finally the asset state evaluation function G(t), which changes with time, is generated;
the specific steps for generating the feature vector group are as follows:
step one: first extract the asset state feature vector V_0 at the initial time t_0; the asset state feature vector V_0 includes the m asset state features at time t_0;
step two: after an interval of one minute, extract the asset state feature vector V_1 at time t_1;
step three: repeat the operation of step two 1438 times to obtain, in turn, the asset state feature vectors V_2, V_3, ..., V_1439 at the 1438 moments after t_1;
step four: combine the asset state feature vectors V_i from time t_0 to time t_1439 to obtain a feature vector group of dimension m; subscript i = 0, 1, 2, ..., 1439;
the specific steps for generating the asset behavior portrait group are as follows:
step five: multiply the dimension reduction matrix T by the asset state feature vector V_0 at time t_0 to obtain the asset behavior portrait H_0 at time t_0;
step six: for the asset state feature vectors V_i at the 1439 moments after t_0, perform the multiplication by the dimension reduction matrix T in turn to obtain the asset behavior portraits H_1, H_2, ..., H_1439;
step seven: combine the asset behavior portraits H_i for all moments t_0 to t_1439 to obtain the asset behavior portrait group, where subscript i = 0, 1, 2, ..., 1439;
the asset behavior variable K_n is calculated as follows: take the inner product of the asset behavior portrait H_n at time t_n and the asset behavior portrait H_{n-1} at time t_{n-1} to obtain the asset behavior variable K_n at time t_n, where subscript n = 1, 2, 3, 4, ..., 1439;
different trigger identification functions f(t) are set according to the difference between the starting predicted time of the monitored asset and the current time t; when the value of the trigger identification function f(t) is 1, the monitored asset is in an abnormal state; when the value of the trigger identification function f(t) is 0, the monitored asset is in a normal state.
2. The abnormal asset identification method based on behavior variable prediction as claimed in claim 1, wherein a weighted average algorithm is applied to the asset behavior variables K_n so as to strengthen the weight of recent asset behavior changes, and the behavior variable prediction reference value M_n at time t_n is calculated, where subscript n = 1, 2, 3, ..., 1439.
3. The abnormal asset identification method based on behavior variable prediction as claimed in claim 2, wherein the behavior variable prediction reference values at times t_1 to t_1439 are summed and then averaged to obtain the prediction error confidence interval B.
4. The abnormal asset identification method based on behavior variable prediction as claimed in claim 3, wherein the asset state evaluation function G(t) is calculated as follows: first, the behavior variable prediction reference value M_{t-1} at the moment before the current time t is obtained; then the weight C of the prediction error confidence interval B is obtained; the product of the behavior variable prediction reference value M_{t-1} and the weight A is added to the product of the prediction error confidence interval B and the weight C, and the absolute value of the sum is taken to obtain the asset state evaluation function G(t) at the current time t; the weight A and the weight C are each defined by a formula (the formulas are not reproduced in this text), where p is the difference between the current time t and the starting predicted time.
5. The abnormal asset identification method based on behavior variable prediction of claim 4, wherein when the difference p is greater than 2:
if the value of the asset state evaluation function G(t) at the current time t is greater than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 0;
if the value of the asset state evaluation function G(t) at the current time t is smaller than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 1.
6. The abnormal asset identification method based on behavior variable prediction of claim 4, wherein when the difference p is less than or equal to 2:
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error confidence interval B is greater than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 0;
if the absolute value of the average of the behavior variable prediction reference value M_{t-1} at the moment before the current time t and the prediction error confidence interval B is smaller than the asset behavior variable K_t at time t, the value of the trigger identification function f(t) is 1.
CN202010652685.3A 2020-07-08 2020-07-08 Abnormal asset identification method based on behavior variable prediction Active CN111784404B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010652685.3A CN111784404B (en) 2020-07-08 2020-07-08 Abnormal asset identification method based on behavior variable prediction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010652685.3A CN111784404B (en) 2020-07-08 2020-07-08 Abnormal asset identification method based on behavior variable prediction

Publications (2)

Publication Number Publication Date
CN111784404A (en) 2020-10-16
CN111784404B (en) 2024-04-16

Family

ID=72759322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010652685.3A Active CN111784404B (en) 2020-07-08 2020-07-08 Abnormal asset identification method based on behavior variable prediction

Country Status (1)

Country Link
CN (1) CN111784404B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112581042B (en) * 2021-02-24 2021-06-18 广州互联网法院 Performance capability evaluation system and method and electronic equipment
WO2023072021A1 (en) * 2021-10-26 2023-05-04 Yip Ming Ham Method, electronic device and system for trading signal generation of financial instruments using graph convolved dynamic mode decomposition

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109344617A (en) * 2018-09-16 2019-02-15 杭州安恒信息技术股份有限公司 A kind of Internet of Things assets security portrait method and system
CN109636467A (en) * 2018-12-13 2019-04-16 洛阳博得天策网络科技有限公司 A kind of comprehensive estimation method and system of the internet digital asset of brand
CN109657962A (en) * 2018-12-13 2019-04-19 洛阳博得天策网络科技有限公司 A kind of appraisal procedure and system of the volume assets of brand

Also Published As

Publication number Publication date
CN111784404A (en) 2020-10-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant