CN112528275A - APT network attack detection method based on meta-path learning and sub-graph sampling - Google Patents
- Publication number
- CN112528275A
- Authority
- CN
- China
- Prior art keywords
- meta
- node
- graph
- sampling
- path
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/1805—Append-only file systems, e.g. using logs or journals to store data
- G06F16/1815—Journaling file systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Abstract
An APT network attack detection method based on meta-path learning and sub-graph sampling comprises the following steps: 1) heterogeneous graph construction based on log data: defining the system behaviors involved in system log data and, on that basis, constructing a heterogeneous graph representing the system behaviors; 2) meta path definition and meta path learning: defining meta paths in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta paths; 3) detection model construction based on sub-graph sampling: sampling from the heterogeneous graph a subgraph that represents the element to be detected, and performing network attack detection using that subgraph. The invention performs APT network attack monitoring based on system log data, which makes it easier to discover the actual damage a network attack does to the system; modeling with a heterogeneous graph allows complex system behaviors to be represented; and constructing the detection model with sub-graph sampling overcomes, to a certain degree, the latency of APT network attack behavior.
Description
Technical Field
The invention relates to the technical field of network security and machine learning, in particular to an APT network attack detection method.
Background
APT network attacks are planned, persistent network attacks launched against governments, core infrastructure, important industries, etc. Compared with traditional network attacks, APT network attacks are highly concealed, have a long latency period and use varied attack means, so traditional detection based on network traffic struggles to cope with them. Comprehensive monitoring of system behavior, in order to find the actual damage an APT network attack does to the system, is therefore one of the effective means of dealing with the concealment and diversity of APT network attacks.
On the other hand, with the development of machine learning technology, network attack detection methods based on machine learning are receiving wide attention. Machine learning techniques for network attack detection include conventional shallow learning techniques and deep learning techniques. Deep learning can automatically learn complex nonlinear hidden features, and generally has higher accuracy and generalization capability. Deep learning models commonly used for network attack detection include MLP (multi-layer perceptron), CNN (convolutional neural network), LSTM (long short-term memory network), autoencoders, and the like. However, because the system behavior contained in system log data is very complex, it is difficult for a general deep learning network to model it. If manually predefined features are extracted directly from the system log data, the complexity of APT network attacks causes a significant loss of information.
To solve the above problems, how to design a reasonable data structure to represent system log data and, on that basis, use deep learning to automatically learn an APT network attack detection model is an urgent problem to be solved.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides an APT network attack detection method based on meta-path learning and sub-graph sampling. It performs APT network attack monitoring based on system log data, which makes it easier to discover the actual damage a network attack does to the system; it models with a heterogeneous graph, so that complex system behaviors can be represented; and it constructs the detection model with sub-graph sampling, so that the latency of APT network attack behavior can be overcome to a certain degree.
The technical scheme adopted by the invention for solving the technical problems is as follows:
an APT network attack detection method based on meta-path learning and sub-graph sampling comprises the following steps:
1) heterogeneous graph construction based on log data: defining system behaviors involved in system log data, and constructing a heterogeneous graph representing the system behaviors on the basis of the system behaviors;
2) meta path definition and meta path learning: defining a meta path in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta path;
3) detection model construction based on sub-graph sampling: sampling from the heterogeneous graph a subgraph that represents the element to be detected, and performing network attack detection using that subgraph.
In the step 1), the heterogeneous graph construction based on the log data comprises the following steps:
(1-1) conceptual diagram definition: first, node types are defined according to the system behaviors involved in the log data, including processes, files, networks and node attributes; then, relationship types are defined according to the interactions among nodes, including the derivation relationship between processes, the read relationship between a process and a file, the creation relationship between a process and a file, the access relationship between a process and the network, and the containment relationship between a file and a file attribute; finally, a system behavior conceptual diagram T = (A, R) is constructed from the node types and relationship types, where A is the set of node types and R is the set of relationship types;
(1-2) heterogeneous graph construction: the actual log data are mapped onto the system behavior conceptual diagram to construct a system behavior heterogeneous graph G = (V, E), where G is a directed graph, V is the node set and E is the relationship set; every node in V corresponds to one node type in A, and every relationship in E corresponds to one relationship type in R.
In the step 2), the meta path definition and the meta path learning steps are as follows:
(2-1) meta path definition: a plurality of meta-paths are defined on T according to the interaction rules among nodes, giving a meta-path set MPS; the form of each meta-path is shown in formula (1), where A_i represents the i-th node type, R_i represents the relationship type between A_i and A_{i+1}, and A_1 = A_{L+1}; formulas (2)-(5) list some representative meta-paths;
(2-2) meta path learning: first, random walk sampling is performed on the heterogeneous graph G based on the meta-path set MPS, where the sampling probability of the node at step i of the random walk is calculated by formula (6), in which MP_k is the meta-path currently used for sampling, the node type of v_i is A_t, the node type of v_{i+1} is A_{t+1}, N(v_i, A_{t+1}) is the number of nodes of type A_{t+1} connected to v_i, and the formula also uses the proportion of meta-paths whose first two nodes are a process and A_{t+1}; then, the large number of sampled node sequences are learned with the Skip-Gram algorithm to obtain the embedded characterization vector e_i of each node v_i;
In the step 3), given a process p_i to be detected, the detection model construction based on sub-graph sampling comprises the following steps:
(3-1) sub-graph sampling: with p_i as the root node, a directed subgraph SG is obtained using a tree breadth-first search algorithm, where SG is a homogeneous graph and each node is represented by the characterization vector learned in step (2-2);
(3-2) sub-graph characterization: first, an attention mechanism is used to calculate the weight α_i of each node v_i in SG, as given by formula (7), where e_i is the characterization vector of v_i, p_i is the characterization vector of the number of hops from v_i to the root node, and W_A, b_A and h_A are a trainable weight matrix, offset vector and mapping vector, respectively, used together with an activation function; then, the overall characterization vector e_SG of SG is calculated by formula (8);
(3-3) attack detection: with e_SG as the feature vector, a multilayer perceptron is used as the classifier and trained to obtain the network attack detection model.
The invention has the following beneficial effects: 1. Network attack monitoring is performed based on system log data, which makes it easier to discover the actual damage an APT network attack does to the system. 2. Modeling with a heterogeneous graph allows complex system behaviors to be represented. 3. Constructing the detection model with sub-graph sampling overcomes, to a certain degree, the latency of APT network attack behavior.
Drawings
FIG. 1 is a flow chart of an APT network attack detection method based on meta-path learning and sub-graph sampling;
FIG. 2 shows the system behavior conceptual diagram and heterogeneous graph, wherein (a) represents the system behavior conceptual diagram and (b) represents the system behavior heterogeneous graph;
FIG. 3 is a schematic diagram of a detection model construction method based on sub-graph sampling.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to fig. 1 to 3, an APT network attack detection method based on meta-path learning and sub-graph sampling includes the following steps:
1) heterogeneous graph construction based on log data: defining system behaviors involved in system log data, and constructing a heterogeneous graph representing the system behaviors on the basis of the system behaviors;
in the step 1), the heterogeneous graph construction based on the log data comprises the following steps:
(1-1) conceptual diagram definition: first, node types are defined according to the system behaviors involved in the log data, including processes, files, networks, node attributes and the like; then, relationship types are defined according to the interactions among nodes, including the derivation relationship between processes, the read relationship between a process and a file, the creation relationship between a process and a file, the access relationship between a process and the network, the containment relationship between a file and a file attribute, and the like; finally, a system behavior conceptual diagram T = (A, R) is constructed from the node types and relationship types, where A is the set of node types and R is the set of relationship types (see FIG. 2(a));
(1-2) heterogeneous graph construction: the actual log data are mapped onto the system behavior conceptual diagram to construct a system behavior heterogeneous graph G = (V, E), where G is a directed graph, V is the node set and E is the relationship set; every node in V corresponds to a certain node type in A, and every relationship in E corresponds to a certain relationship type in R (see FIG. 2(b), where N represents a network, P_i represents a process and F_i represents a file);
2) meta path definition and meta path learning: defining a meta path in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta path;
in the step 2), the meta path definition and the meta path learning steps are as follows:
(2-1) meta path definition: a plurality of meta-paths are defined on T according to the interaction rules among nodes, giving a meta-path set MPS; the form of each meta-path is shown in formula (1), where A_i represents the i-th node type, R_i represents the relationship type between A_i and A_{i+1}, and A_1 = A_{L+1}; formulas (2)-(5) list some representative meta-paths;
(2-2) meta path learning: first, random walk sampling is performed on the heterogeneous graph G based on the meta-path set MPS, where the sampling probability of the node at step i of the random walk is calculated by formula (6), in which MP_k is the meta-path currently used for sampling, the node type of v_i is A_t, the node type of v_{i+1} is A_{t+1}, N(v_i, A_{t+1}) is the number of nodes of type A_{t+1} connected to v_i, and the formula also uses the proportion of meta-paths whose first two nodes are a process and A_{t+1}; then, the large number of sampled node sequences are learned with the Skip-Gram algorithm to obtain the embedded characterization vector e_i of each node v_i;
3) detection model construction based on sub-graph sampling: sampling from the heterogeneous graph a subgraph that represents the element to be detected, and performing network attack detection using that subgraph;
in the step 3), referring to FIG. 3, given a process p_i to be detected, the detection model construction based on sub-graph sampling comprises the following steps:
(3-1) sub-graph sampling: with p_i as the root node, a directed subgraph SG is obtained using a tree breadth-first search algorithm, where SG is a homogeneous graph and each node is represented by the characterization vector learned in step (2-2);
(3-2) sub-graph characterization: first, an attention mechanism is used to calculate the weight α_i of each node v_i in SG, as given by formula (7), where e_i is the characterization vector of v_i, p_i is the characterization vector of the number of hops from v_i to the root node, and W_A, b_A and h_A are a trainable weight matrix, offset vector and mapping vector, respectively, used together with an activation function; then, the overall characterization vector e_SG of SG is calculated by formula (8);
(3-3) attack detection: with e_SG as the feature vector, a multilayer perceptron is used as the classifier and trained to obtain the APT network attack detection model.
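The data-handling part of steps 1) to (3-1) can be sketched as follows; this is an added example, not code from the patent. The relation names, the meta-paths, the log events and the uniform choice among type-matching neighbours are assumptions (formulas (1)-(6) are not reproduced in this text), and Skip-Gram training and the attention-based classifier of steps (2-2) to (3-3) are left out.

```python
import random
from collections import defaultdict, deque

# Concept graph T = (A, R): relation type -> (source node type, target node type).
# P = process, F = file, N = network endpoint. Relation names are illustrative.
SCHEMA = {"fork": ("P", "P"), "read": ("P", "F"),
          "create": ("P", "F"), "access": ("P", "N")}

# Constructed log events (subject, relation, object); not data from the patent.
EVENTS = [
    ("P:editor", "fork", "P:shell"),
    ("P:shell", "create", "F:stage.bin"),
    ("P:shell", "access", "N:203.0.113.7:443"),
    ("P:shell", "fork", "P:loader"),
    ("P:loader", "read", "F:stage.bin"),
    ("P:loader", "read", "F:accounts.db"),
    ("P:loader", "access", "N:203.0.113.7:443"),
    ("P:backup", "read", "F:accounts.db"),
]

# Hypothetical meta-paths of the form A1 -R1-> A2 ... -> A(L+1) with A1 == A(L+1).
# "~rel" means the relation is followed against its direction (an assumption).
META_PATHS = {
    "P-F-P": ("P", [("read", "F"), ("~read", "P")]),
    "P-N-P": ("P", [("access", "N"), ("~access", "P")]),
    "P-P-P": ("P", [("fork", "P"), ("~fork", "P")]),
}


def node_type(node):
    return node.split(":", 1)[0]


def build_graph(events):
    """Map events onto the schema; return (typed adjacency, forward adjacency)."""
    typed = defaultdict(lambda: defaultdict(list))  # node -> (rel, type) -> nbrs
    forward = defaultdict(list)                     # node -> [(rel, dst)]
    for src, rel, dst in events:
        if SCHEMA.get(rel) != (node_type(src), node_type(dst)):
            raise ValueError(f"event violates concept graph: {src} {rel} {dst}")
        typed[src][(rel, node_type(dst))].append(dst)
        typed[dst][("~" + rel, node_type(src))].append(src)
        forward[src].append((rel, dst))
    return typed, forward


def metapath_walk(typed, start, meta_path, walk_len, rng):
    """One random walk whose node types follow the meta-path, cycling through it."""
    first_type, steps = meta_path
    if node_type(start) != first_type:
        raise ValueError("start node type must equal A1 of the meta-path")
    walk = [start]
    while len(walk) < walk_len:
        step = steps[(len(walk) - 1) % len(steps)]
        candidates = typed.get(walk[-1], {}).get(step, [])
        if not candidates:      # dead end: no neighbour of the required type
            break
        walk.append(rng.choice(candidates))  # uniform choice (assumption)
    return walk


def sample_corpus(typed, meta_paths, walks_per_node, walk_len, seed=0):
    """Node sequences for Skip-Gram: walks from every node matching A1."""
    rng = random.Random(seed)
    corpus = []
    for mp in meta_paths.values():
        for node in sorted(typed):
            if node_type(node) != mp[0]:
                continue
            for _ in range(walks_per_node):
                walk = metapath_walk(typed, node, mp, walk_len, rng)
                if len(walk) > 1:
                    corpus.append(walk)
    return corpus


def bfs_subgraph(forward, root, max_hops):
    """Tree BFS from the process under test; returns hop counts and tree edges."""
    hops, edges, queue = {root: 0}, [], deque([root])
    while queue:
        cur = queue.popleft()
        if hops[cur] == max_hops:
            continue
        for rel, nxt in forward.get(cur, []):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                edges.append((cur, rel, nxt))
                queue.append(nxt)
    return hops, edges


if __name__ == "__main__":
    typed, forward = build_graph(EVENTS)
    for walk in sample_corpus(typed, META_PATHS, 1, 5)[:5]:
        print(" -> ".join(walk))
    print(bfs_subgraph(forward, "P:shell", 2)[0])
```

The hop counts returned by `bfs_subgraph` are the per-node distance from the root that step (3-2) turns into a position vector alongside each node's embedding.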
The embodiments described in this specification are merely illustrative of implementations of the inventive concepts, which are intended for purposes of illustration only. The scope of the present invention should not be construed as being limited to the particular forms set forth in the examples, but rather as being defined by the claims and the equivalents thereof which can occur to those skilled in the art upon consideration of the present inventive concept.
Claims (4)
1. An APT network attack detection method based on meta-path learning and sub-graph sampling is characterized by comprising the following steps:
1) heterogeneous graph construction based on log data: defining system behaviors involved in system log data, and constructing a heterogeneous graph representing the system behaviors on the basis of the system behaviors;
2) meta path definition and meta path learning: defining a meta path in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta path;
3) detection model construction based on sub-graph sampling: sampling from the heterogeneous graph a subgraph that represents the element to be detected, and performing network attack detection using that subgraph.
2. The APT network attack detection method based on meta-path learning and sub-graph sampling as claimed in claim 1, wherein in the step 1), the step of heterogeneous graph construction based on log data is as follows:
(1-1) conceptual diagram definition: first, node types are defined according to the system behaviors involved in the log data, including processes, files, networks and node attributes; then, relationship types are defined according to the interactions among nodes, including the derivation relationship between processes, the read relationship between a process and a file, the creation relationship between a process and a file, the access relationship between a process and the network, and the containment relationship between a file and a file attribute; finally, a system behavior conceptual diagram T = (A, R) is constructed from the node types and relationship types, where A is the set of node types and R is the set of relationship types;
(1-2) heterogeneous graph construction: the actual log data are mapped onto the system behavior conceptual diagram to construct a system behavior heterogeneous graph G = (V, E), where G is a directed graph, V is the node set and E is the relationship set; every node in V corresponds to one node type in A, and every relationship in E corresponds to one relationship type in R.
3. The APT network attack detection method based on meta-path learning and sub-graph sampling as claimed in claim 1 or 2, wherein in the step 2), the steps of meta-path definition and meta-path learning are as follows:
(2-1) meta path definition: a plurality of meta-paths are defined on T according to the interaction rules among nodes, giving a meta-path set MPS; the form of each meta-path is shown in formula (1), where A_i represents the i-th node type, R_i represents the relationship type between A_i and A_{i+1}, and A_1 = A_{L+1}; formulas (2)-(5) list some representative meta-paths;
(2-2) meta path learning: first, random walk sampling is performed on the heterogeneous graph G based on the meta-path set MPS, where the sampling probability of the node at step i of the random walk is calculated by formula (6), in which MP_k is the meta-path currently used for sampling, the node type of v_i is A_t, the node type of v_{i+1} is A_{t+1}, N(v_i, A_{t+1}) is the number of nodes of type A_{t+1} connected to v_i, and the formula also uses the proportion of meta-paths whose first two nodes are a process and A_{t+1}; then, the large number of sampled node sequences are learned with the Skip-Gram algorithm to obtain the embedded characterization vector e_i of each node v_i;
4. The APT network attack detection method based on meta-path learning and sub-graph sampling as claimed in claim 3, wherein in the step 3), given a process p_i to be detected, the detection model construction based on sub-graph sampling comprises the following steps:
(3-1) sub-graph sampling: with p_i as the root node, a directed subgraph SG is obtained using a tree breadth-first search algorithm, where SG is a homogeneous graph and each node is represented by the characterization vector learned in step (2-2);
(3-2) sub-graph characterization: first, an attention mechanism is used to calculate the weight α_i of each node v_i in SG, as given by formula (7), where e_i is the characterization vector of v_i, p_i is the characterization vector of the number of hops from v_i to the root node, and W_A, b_A and h_A are a trainable weight matrix, offset vector and mapping vector, respectively, used together with an activation function; then, the overall characterization vector e_SG of SG is calculated by formula (8);
(3-3) attack detection: with e_SG as the feature vector, a multilayer perceptron is used as the classifier and trained to obtain the network attack detection model.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011319217.0A CN112528275B (en) | 2020-11-23 | 2020-11-23 | APT network attack detection method based on meta-path learning and sub-graph sampling |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112528275A (en) | 2021-03-19 |
CN112528275B (en) | 2021-11-23 |
Family
ID=74992768
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011319217.0A Active CN112528275B (en) | 2020-11-23 | 2020-11-23 | APT network attack detection method based on meta-path learning and sub-graph sampling |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112528275B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN112528275B (en) | 2021-11-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||