CN112383527B - Execution body self-healing method of mimicry WAF - Google Patents

Execution body self-healing method of mimicry WAF

Info

Publication number
CN112383527B
Authority
CN
China
Prior art keywords
abnormal
module
execution
database
executive body
Prior art date
Legal status
Active
Application number
CN202011238258.7A
Other languages
Chinese (zh)
Other versions
CN112383527A (en)
Inventor
陈双喜
吴春明
曲振青
王文海
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Application filed by Zhejiang University ZJU
Priority to CN202011238258.7A
Publication of CN112383527A
Application granted
Publication of CN112383527B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses an executor self-healing method for a mimicry WAF. The self-healing process of a mimicry WAF executor is completed through anomaly detection of the mimicry WAF executors, locating of the abnormal executor, module troubleshooting of the abnormal executor, self-healing repair of the abnormal executor, and re-detection of the repaired modules. The invention takes both the working efficiency and the correctness of the executors into account and runs automatic detection, troubleshooting and self-healing mechanisms, so that after an anomaly occurs an executor runs the detection mechanism promptly and automatically and is automatically recovered and strengthened; if the anomaly persists after the self-healing mechanism has been run repeatedly, the executor is taken offline for cleaning.

Description

Execution body self-healing method of mimicry WAF
Technical Field
The invention belongs to the technical field of network security mimicry defense, and particularly relates to an executive body self-healing method of a mimicry WAF.
Background
With the spread of networks, worldwide internet penetration exceeded 55% in 2019, but this has also brought serious network security risks. As network applications multiply, networks become more widespread and network performance requirements rise, the cost of maintaining network security applications gradually increases. Equipment that secures network applications and offers higher performance also incurs higher maintenance cost, so the need to reduce the maintenance of network security equipment is urgent.
A mimicry WAF system can build an autonomous, controllable, secure and trustworthy protection system and reverse the "easy to attack, hard to defend" situation in network security. It combines service provision with security protection, security with openness, high reliability with high credibility, and an endogenous security mechanism with traditional defense means. Mimicry WAF technology is the next-generation WAF and is characterized by diversity, dynamics and redundancy; its dynamic behaviour is achieved through the heterogeneity of multiple executors and a selection algorithm. However, a mimicry WAF has a higher operating cost, and repairing a mimicry WAF executor after an anomaly appears is expensive. At present, WAF executors are mainly repaired by taking them offline manually, fixing them and bringing them back online. This makes maintenance and repair costly and can affect the operation of the whole WAF system; a temporary halt of the WAF system creates a security threat and corresponding losses.
Disclosure of Invention
The invention aims to provide an executive body self-healing method of a mimicry WAF aiming at the defects of the prior art.
The purpose of the invention is realized by the following technical scheme: an executive body self-healing method of a mimicry WAF comprises the following steps:
(1) Anomaly detection of the mimicry WAF executors: when the result of an executor's rule matching module is inconsistent with the arbitration result, the executor is considered to have an anomaly. Let the number of anomalies of each WAF executor i be $B_i$, where $B_i$ is 0 initially; the arbitration result is compared with the result of each WAF executor, and $B_i$ of each heterogeneous executor whose result differs is incremented by 1.
(2) Let the exception rate of each executor be $D_i$ and let $A_i$ be the number of times executor i has been selected; then $D_i = B_i / A_i$. After the mimicry arbitration result is generated, the exception rate of each executor is updated; when the exception rate of an executor is higher than a certain threshold, that executor is considered abnormal, which completes the locating of the abnormal executor.
(3) Module troubleshooting of the abnormal executor: the specific module in which the anomaly occurs is found automatically by checking each module in turn. The modules checked are the executor micro-container database, the executor micro-container black and white list set and rule definition set, the protocol analysis module, the action execution module and the log module. Specifically:
(3.1) Anomaly check of the executor micro-container database: the same add, delete, modify and query operations are performed on the mirror database in the micro-container of the abnormal executor and on the full database in the server on which the executor is based, and the operation results of the mirror database and the full database are compared.
(3.2) Check of the executor micro-container black and white list set and rule definition set: the black and white list of the abnormal executor is compared with the rule set and with the black and white lists of the other non-abnormal executors; the rule definition set is checked by launching the same kind of attack and comparing the judgment results of the abnormal executor with those of the non-abnormal executors.
(3.3) Anomaly check of the protocol analysis module: the same traffic is parsed by the abnormal executor and by other non-abnormal executors, and the parsing results are compared. Suppose the parsing results for the same traffic are compared with k non-abnormal executors; a comparison counter $\alpha$ is kept and incremented by 1 whenever the results do not match; a threshold $\delta$ is set, and the protocol analysis module is considered abnormal when $\alpha$ exceeds $\delta$.
(3.4) The action execution module and the log module are checked for anomalies by steps similar to step (3.3), comparing against the computed judgment results of the non-abnormal executors.
(4) Self-healing repair of the abnormal executor, specifically:
(4.1) Self-healing repair of the micro-container database: if data inconsistency is detected in the database, a partial mirroring operation is performed directly from the full database and the previous mirror database is discarded.
(4.2) Self-healing repair of the executor micro-container black and white list set: done by copying the black and white list set of other non-abnormal executors.
(4.3) If the rule definition set, the protocol analysis module, the action execution module or the log module needs repair, the executor must be taken offline and is brought back online after the repair.
(5) Re-detection of the repaired modules: the same attack is launched against the abnormal executor repaired in step (4), and the result of the rule matching module is compared with the arbitration result. If they are consistent, self-healing is complete; otherwise steps (3) to (4) are repeated, and if self-healing still fails after 2-3 repetitions, offline investigation is performed.
Further, in step (3.1), if the database anomaly check ultimately fails, the WAF database is re-mirrored directly from the full database in the server.
The invention has the following beneficial effects: the self-healing process of a mimicry WAF executor is completed through anomaly detection of the mimicry WAF executors, locating of the abnormal executor, module troubleshooting of the abnormal executor, self-healing repair of the abnormal executor, and re-detection of the repaired modules. The process requires essentially no manual involvement, which greatly reduces repair cost.
Drawings
Fig. 1 is a flowchart of the executor self-healing process of a mimicry WAF.
Detailed Description
As shown in Fig. 1, the executor self-healing method of a mimicry WAF according to the invention completes the self-healing process of a mimicry WAF executor through anomaly detection of the mimicry WAF executors, locating of the abnormal executor, module troubleshooting of the abnormal executor, self-healing repair of the abnormal executor, and re-detection of the repaired modules. It includes the following steps:
(1) Anomaly detection of the mimicry WAF executors: when the result of an executor's rule matching module is inconsistent with the arbitration result, the executor is considered to have an anomaly. Let the number of anomalies of each WAF executor i be $B_i$ $(1 \le i \le M)$, where $B_i$ is 0 initially; the arbitration result is compared with the result of each WAF executor, and $B_i$ of each heterogeneous executor whose result differs is incremented by 1.
(2) Let the exception rate of each executor be $D_i$ $(1 \le i \le M)$ and let $A_i$ $(1 \le i \le M)$ be the number of times executor i has been selected; then $D_i = B_i / A_i$. After the mimicry arbitration result is generated, the exception rate of each executor is updated; when the exception rate of an executor is higher than a set threshold, that executor is considered abnormal, which completes the locating of the abnormal executor.
(3) Module troubleshooting of the abnormal executor: suppose the abnormal executor is the W-th executor, where $1 \le W \le M$. The specific module in which the anomaly occurs is found automatically by checking each module of the abnormal executor in turn. The modules checked are the executor micro-container database, the executor micro-container black and white list set, the executor micro-container rule definition set, the protocol analysis module, the action execution module and the log module. Specifically:
(3.1) Anomaly check of the executor micro-container database: the same add, delete, modify and query operations are performed on the mirror database $d_W$ in the micro-container of executor W and on the full database D in the server e on which executor W is based, and the operation results of the two are compared. If the operation results are inconsistent, the executor micro-container database is considered abnormal. Note: this check can find most database inconsistency anomalies; if the database anomaly check ultimately fails, the WAF database can be re-mirrored directly from the full database D in server e.
(3.2) Check of the executor micro-container black and white list set: the black and white list of the abnormal executor W is compared with the rule set and with the black and white lists of the other non-abnormal executors. If the comparison is inconsistent, the black and white list set of the executor micro-container is considered abnormal.
(3.3) Check of the executor micro-container rule definition set: the same kind of attack is launched against the abnormal executor and the non-abnormal executors, and the judgment results of the abnormal executor and the non-abnormal executors are compared. If the comparison is inconsistent, the black and white list set and the rule definition set of the executor micro-container are considered abnormal.
(3.4) Anomaly check of the protocol analysis module: the same traffic is parsed by the abnormal executor W and by the non-abnormal executors, and the parsing results are compared. Suppose k non-abnormal executors are compared with the abnormal executor W on the same traffic; a comparison counter $\alpha$ is kept and incremented by 1 whenever the results do not match; a threshold $\delta$ is set, and the protocol analysis module is considered abnormal when $\alpha$ is larger than $\delta$.
(3.5) Check of the action execution module: the comparison with the computed judgment results of the non-abnormal executors follows steps similar to step (3.4), specifically: the same traffic is passed through the abnormal executor W and through the non-abnormal executors, and the actions taken by the action execution module are compared. If k non-abnormal executors are compared with the abnormal executor W, a counter $\alpha$ is kept and incremented by 1 whenever the actions are inconsistent, and the action execution module is considered abnormal when $\alpha$ is larger than the threshold $\delta$.
(3.6) Anomaly check of the log module: the comparison with the computed judgment results of the non-abnormal executors follows steps similar to step (3.4), specifically: the same traffic is passed through the abnormal executor W and through the non-abnormal executors, and the logs recorded by the log module are compared. If k non-abnormal executors are compared with the abnormal executor W, the counter $\alpha$ is incremented by 1 whenever the recorded logs are inconsistent, and the log module is considered abnormal when $\alpha$ is larger than the threshold $\delta$.
(4) Self-healing repair of the abnormal executor, specifically:
(4.1) Self-healing repair of the micro-container database: if a large amount of data inconsistency is detected in the database, a partial mirroring operation is performed directly from the full database and the previous mirror database is discarded.
(4.2) Self-healing repair of the executor micro-container black and white list set: done by copying the black and white list set of other non-abnormal executors.
(4.3) Anomalies in the executor micro-container rule definition set, the protocol analysis module, the action execution module and the log module are repaired by taking the executor offline; maintenance managers check and repair it manually and then bring it back online.
(5) Re-detection of the repaired modules: the same attack is launched against the abnormal executor W repaired in step (4), and the result of the rule matching module of the WAF in the executor is compared with the WAF arbitration result. If they are consistent, self-healing is complete; otherwise steps (3) to (4) are repeated, and if self-healing still fails after 2-3 repetitions, the executor is taken offline for investigation.
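The following Python sketch, added here as an illustration and not taken from the patent, walks steps (1) to (5) for two of the modules: the black list check and repair of (3.2)/(4.2), and the protocol analysis check of (3.4) with its counter and threshold. Majority-vote arbitration, the `Executor` class, the token deny list and every sample request are assumptions constructed for the example.

```python
from collections import Counter


class Executor:
    """One heterogeneous WAF executor with counters A_i (selected) and B_i (anomalies)."""

    def __init__(self, name, denylist, parse=str.lower):
        self.name = name
        self.denylist = set(denylist)  # black list held in the micro-container
        self.parse = parse             # stand-in for the protocol analysis module
        self.selected = 0              # A_i
        self.anomalies = 0             # B_i, starts at 0

    def verdict(self, request):
        """Rule matching module: block when a deny-list token occurs in the parsed request."""
        parsed = self.parse(request)
        return "block" if any(tok in parsed for tok in self.denylist) else "allow"

    @property
    def rate(self):
        """Exception rate D_i = B_i / A_i."""
        return self.anomalies / self.selected if self.selected else 0.0


def arbitrate(executors, request):
    """Arbitration by majority vote (assumption: the patent does not fix the algorithm)."""
    return Counter(e.verdict(request) for e in executors).most_common(1)[0][0]


def run_round(executors, request):
    """Steps (1)-(2): update A_i for every executor and B_i for each dissenting one."""
    result = arbitrate(executors, request)
    for e in executors:
        e.selected += 1
        if e.verdict(request) != result:
            e.anomalies += 1
    return result


def locate_abnormal(executors, threshold):
    """Step (2): executors whose exception rate D_i is above the threshold."""
    return [e.name for e in executors if e.rate > threshold]


def mismatch_count(abnormal, peers, traffic):
    """Step (3.4): counter alpha, +1 for each peer whose parse of the same traffic differs."""
    return sum(
        1 for p in peers if any(abnormal.parse(r) != p.parse(r) for r in traffic)
    )


def troubleshoot(abnormal, peers, traffic, delta):
    """Step (3), two modules only: return the modules considered abnormal."""
    faulty = []
    if any(abnormal.denylist != p.denylist for p in peers):      # (3.2)
        faulty.append("denylist")
    if mismatch_count(abnormal, peers, traffic) > delta:         # (3.4)
        faulty.append("protocol_parser")
    return faulty


def self_heal(abnormal, peers, traffic, delta=1, max_attempts=3):
    """Steps (3)-(5): troubleshoot, repair, replay the same traffic, retry up to 3 times."""
    for attempt in range(1, max_attempts + 1):
        faulty = troubleshoot(abnormal, peers, traffic, delta)
        if "denylist" in faulty:                                 # (4.2) copy from a healthy peer
            abnormal.denylist = set(peers[0].denylist)
        offline = [m for m in faulty if m != "denylist"]         # (4.3) not self-healable
        if offline:
            return ("offline", offline, attempt)
        pool = peers + [abnormal]                                # (5) re-detection
        if all(abnormal.verdict(r) == arbitrate(pool, r) for r in traffic):
            return ("healed", faulty, attempt)
    return ("offline", ["unresolved"], max_attempts)


def demo():
    """Constructed sample: e3 has lost a list entry, e4 has a parser that skips normalisation."""
    good = {"sig-alpha", "sig-beta"}                             # constructed placeholder tokens
    traffic = ["GET /a?x=SIG-BETA", "GET /b?x=ok", "GET /c?x=sig-alpha", "GET /d?x=sig-beta"]
    e1, e2 = Executor("e1", good), Executor("e2", good)
    e3 = Executor("e3", {"sig-alpha"})
    pool = [e1, e2, e3]
    for request in traffic:
        run_round(pool, request)
    e4 = Executor("e4", good, parse=lambda r: r)
    return {
        "suspects": locate_abnormal(pool, threshold=0.3),
        "rate_e3": e3.rate,
        "list_case": self_heal(e3, [e1, e2], traffic),
        "parser_case": self_heal(e4, [e1, e2], traffic),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The list fault heals on the first attempt because a copy from a non-abnormal peer is enough, while the parser fault is reported for offline repair, matching the split between steps (4.2) and (4.3).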

Claims (2)

1. An executor self-healing method for a mimicry WAF, characterized by comprising the following steps:
(1) anomaly detection of the executors: when the result of the rule matching module of an executor is inconsistent with the arbitration result, the executor is considered to have an anomaly; the number of anomalies of each executor i is denoted $B_i$, where $B_i$ is 0 initially; the arbitration result is compared with the result of the rule matching module of each executor, and $B_i$ of each executor whose result differs is incremented by 1;
(2) the exception rate of each executor is denoted $D_i$ and $A_i$ denotes the number of times executor i has been selected, with $D_i = B_i / A_i$; after the arbitration result is generated, the exception rate of each executor is updated, and when the exception rate of an executor is higher than a certain threshold, that executor is considered abnormal, which completes the locating of the abnormal executor;
(3) module troubleshooting of the abnormal executor: the specific module in which the anomaly occurs is found automatically by checking each module in turn; the modules checked are the executor micro-container database, the executor micro-container black and white list set and rule definition set, the protocol analysis module, the action execution module and the log module, specifically:
(3.1) anomaly check of the executor micro-container database: the same add, delete, modify and query operations are performed on the mirror database in the micro-container of the abnormal executor and on the full database in the server on which the executor is based, and the operation results of the mirror database and the full database are compared;
(3.2) check of the executor micro-container black and white list set and rule definition set: the black and white list set of the abnormal executor is compared with the black and white list sets of the other non-abnormal executors, and the rule definition set is checked by launching the same kind of attack and comparing the judgment results of the abnormal executor with those of the non-abnormal executors;
(3.3) anomaly check of the protocol analysis module: the same traffic is parsed by the abnormal executor and by other non-abnormal executors and the parsing results are compared; supposing the parsing results for the same traffic are compared with k non-abnormal executors, a comparison counter with value $\alpha$ is kept and updated to $\alpha + 1$ each time one non-abnormal executor does not match the abnormal executor; a threshold $\delta$ is set, and the protocol analysis module is considered abnormal when $\alpha$ exceeds the threshold $\delta$;
(3.4) check of the action execution module: the same traffic is passed through the abnormal executor and through the non-abnormal executors, and the actions taken by the action execution module are compared; if $k'$ non-abnormal executors in total are compared with the abnormal executor, a counter with value $\alpha'$ is kept and updated to $\alpha' + 1$ each time the action of one non-abnormal executor does not match that of the abnormal executor; a threshold $\delta'$ is set, and the action execution module is considered abnormal when $\alpha'$ is larger than the threshold $\delta'$;
(3.5) anomaly check of the log module: the same traffic is passed through the abnormal executor and through the non-abnormal executors, and the logs recorded by the log module are compared; if $k'$ non-abnormal executors in total are compared with the abnormal executor, a counter with value $\alpha'$ is kept and updated to $\alpha' + 1$ each time the logs recorded by one non-abnormal executor and by the abnormal executor are inconsistent; a threshold $\delta'$ is set, and the log module is considered abnormal when $\alpha'$ is larger than the threshold $\delta'$;
(4) self-healing repair of the abnormal executor, specifically:
(4.1) self-healing repair of the micro-container database: if data inconsistency is detected in the database, a mirroring operation is performed directly from the full database and the previous mirror database is discarded;
(4.2) self-healing repair of the executor micro-container black and white list set: done by copying the black and white list set of other non-abnormal executors;
(4.3) if the rule definition set, the protocol analysis module, the action execution module or the log module needs repair, the executor must be taken offline and is brought back online after the repair;
(5) re-detection of the repaired modules: the same attack is launched against the abnormal executor repaired in step (4), and the result of the rule matching module is compared with the arbitration result; if they are consistent, self-healing is complete; otherwise steps (3) to (4) are repeated, and if self-healing still fails after 2-3 repetitions, offline inspection is performed.
2. The executor self-healing method for a mimicry WAF according to claim 1, wherein in step (3.1), if the database anomaly check ultimately fails, the WAF database is re-mirrored directly from the full database in the server.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202011238258.7A (CN112383527B) | 2020-11-09 | 2020-11-09 | Execution body self-healing method of mimicry WAF

Publications (2)

Publication Number | Publication Date
CN112383527A | 2021-02-19
CN112383527B | 2021-12-17


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant