CN112528275A - APT network attack detection method based on meta-path learning and sub-graph sampling - Google Patents


Publication number
CN112528275A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011319217.0A
Other languages
Chinese (zh)
Other versions
CN112528275B (en)
Inventor
王婷
董程昱
吕明琪
朱添田
陈铁明
顾国民
陈波
江颉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods


Abstract

An APT network attack detection method based on meta-path learning and sub-graph sampling comprises the following steps: 1) heterogeneous graph construction based on log data: defining the system behaviors involved in system log data and, on that basis, constructing a heterogeneous graph representing those behaviors; 2) meta-path definition and meta-path learning: defining meta-paths in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta-paths; 3) construction of a detection model based on sub-graph sampling: sampling from the heterogeneous graph a subgraph representing the element to be detected, and performing network attack detection using that subgraph. The invention performs APT network attack monitoring based on system log data, which makes it easier to discover the actual damage a network attack does to the system; modeling with a heterogeneous graph allows complex system behaviors to be represented; and constructing the detection model with sub-graph sampling overcomes, to a certain degree, the long latency of APT network attack behavior.

Description

APT network attack detection method based on meta-path learning and sub-graph sampling
Technical Field
The invention relates to the technical field of network security and machine learning, in particular to an APT network attack detection method.
Background
APT network attacks are planned, persistent network attacks launched against governments, core infrastructure, important industries, etc. Compared with traditional network attacks, APT network attacks are highly stealthy, have a long latency period and use varied attack techniques, so traditional detection based on network traffic struggles to cope with them. Comprehensive monitoring of system behavior, to find the actual damage an APT network attack does to the system, is therefore one of the effective means of dealing with the concealment and diversity of APT network attacks.
On the other hand, with the development of machine learning technology, network attack detection methods based on machine learning are receiving wide attention. Machine learning techniques for network attack detection include conventional shallow learning techniques and deep learning techniques. Deep learning can automatically learn complex nonlinear hidden features, and generally has higher accuracy and generalization capability. Deep learning models commonly used for network attack detection include MLP (multi-layer perceptron), CNN (convolutional neural network), LSTM (long short-term memory network), autoencoders, and the like. However, because the system behavior contained in system log data is very complex, it is difficult for a general deep learning network to model it. And if manually predefined features are extracted directly from the system log data, the complexity of APT network attacks means that a significant amount of information is lost.
To solve the above problems, there is an urgent need to design a reasonable data structure for representing system log data and, on that basis, to use deep learning to automatically learn a detection model for APT network attacks.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides an APT network attack detection method based on meta-path learning and sub-graph sampling. It performs APT network attack monitoring based on system log data, which makes it easier to discover the actual damage a network attack does to the system; modeling with a heterogeneous graph allows complex system behaviors to be represented; and constructing the detection model with sub-graph sampling overcomes, to a certain degree, the long latency of APT network attack behavior.
The technical scheme adopted by the invention for solving the technical problems is as follows:
An APT network attack detection method based on meta-path learning and sub-graph sampling comprises the following steps:
1) heterogeneous graph construction based on log data: defining the system behaviors involved in system log data and, on that basis, constructing a heterogeneous graph representing those behaviors;
2) meta-path definition and meta-path learning: defining meta-paths in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta-paths;
3) construction of a detection model based on sub-graph sampling: sampling from the heterogeneous graph a subgraph representing the element to be detected, and performing network attack detection using that subgraph.
In the step 1), the heterogeneous graph construction based on the log data comprises the following steps:
(1-1) concept graph definition: first, defining node types, including processes, files, networks and node attributes, according to the system behaviors involved in the log data; then, defining relationship types according to the interactions among the nodes, including derivation relationships among processes, read relationships between processes and files, creation relationships between processes and files, access relationships between processes and the network, and containment relationships between files and file attributes; finally, constructing a system behavior concept graph $T = (A, R)$ based on the node types and relationship types, wherein $A$ is the node type set and $R$ is the relationship type set;
(1-2) heterogeneous graph construction: mapping the actual log data onto the system behavior concept graph to construct a system behavior heterogeneous graph $G = (V, E)$, wherein $G$ is a directed graph, $V$ is the node set, $E$ is the relationship set, any node in $V$ corresponds to one node type in $A$, and any relationship in $E$ corresponds to one relationship type in $R$.
In the step 2), the meta-path definition and meta-path learning steps are as follows:
(2-1) meta-path definition: defining a plurality of meta-paths on $T$ according to the interaction rules among the nodes to obtain a meta-path set $MPS$, wherein the form of each meta-path is shown in formula (1), $A_i$ represents the $i$-th node type, $R_i$ represents the type of relationship between $A_i$ and $A_{i+1}$, and $A_1 = A_{L+1}$; formulas (2)-(5) list some representative meta-paths;
Figure BDA0002792295940000021
Figure BDA0002792295940000022
Figure BDA0002792295940000023
Figure BDA0002792295940000024
Figure BDA0002792295940000025
(2-2) meta-path learning: first, random walk sampling is carried out on the heterogeneous graph $G$ based on the meta-path set $MPS$, wherein the sampling probability of the node at the $i$-th step of the random walk is calculated by formula (6), where $MP_k$ is the meta-path currently used for sampling, the node type of $v_i$ is $A_t$, the node type of $v_{i+1}$ is $A_{t+1}$, $N(v_i, A_{t+1})$ is the number of nodes of type $A_{t+1}$ of $v_i$, and a further term is the proportion of meta-paths whose first two nodes are a process and $A_{t+1}$; then, the large number of node sequences obtained by sampling are learned with the Skip-Gram algorithm to obtain the embedded characterization vector $e_i$ of each node $v_i$
Figure BDA0002792295940000031
In the step 3), given a process $p_i$ to be detected, the detection model construction method based on sub-graph sampling comprises the following steps:
(3-1) sub-graph sampling: with $p_i$ as the root node, a directed subgraph $SG$ is obtained using a tree breadth-first search algorithm, wherein $SG$ is a homogeneous graph and each node is represented by the characterization vector learned in step (2-2);
(3-2) sub-graph characterization: first, the weight $\alpha_i$ of each node $v_i$ in $SG$ is calculated using an attention mechanism according to formula (7), wherein $e_i$ is the characterization vector of $v_i$, $p_i$ is a characterization vector of the number of hops of $v_i$ from the root node, and $W_A$, $b_A$ and $h_A$ are a trainable weight matrix, offset vector and mapping vector, respectively,
Figure BDA0002792295940000034
is an activation function; then, the overall characterization vector $e_{SG}$ of $SG$ is calculated based on formula (8)
Figure BDA0002792295940000032
Figure BDA0002792295940000033
(3-3) attack detection: with $e_{SG}$ as the feature vector, a network attack detection model is trained using a multilayer perceptron as the classifier.
The invention has the following beneficial effects: 1. Network attack monitoring is carried out based on system log data, so the actual damage an APT network attack does to the system can be readily found. 2. Modeling with a heterogeneous graph allows complex system behaviors to be represented. 3. Constructing the detection model with sub-graph sampling overcomes, to a certain degree, the long latency of APT network attack behavior.
Drawings
FIG. 1 is a flow chart of an APT network attack detection method based on meta-path learning and sub-graph sampling;
FIG. 2 is a conceptual diagram and a heterogeneous diagram of system behavior, wherein (a) represents a conceptual diagram of system behavior and (b) represents a heterogeneous diagram of system behavior;
FIG. 3 is a schematic diagram of a detection model construction method based on sub-graph sampling.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to fig. 1 to 3, an APT network attack detection method based on meta-path learning and sub-graph sampling includes the following steps:
1) heterogeneous graph construction based on log data: defining the system behaviors involved in system log data and, on that basis, constructing a heterogeneous graph representing those behaviors;
In the step 1), the heterogeneous graph construction based on the log data comprises the following steps:
(1-1) concept graph definition: first, defining node types, including processes, files, networks, node attributes and the like, according to the system behaviors involved in the log data; then, defining relationship types according to the interactions among the nodes, including derivation relationships among processes, read relationships between processes and files, creation relationships between processes and files, access relationships between processes and networks, containment relationships between files and file attributes, and the like; finally, constructing a system behavior concept graph $T = (A, R)$ based on the node types and relationship types, where $A$ is the node type set and $R$ is the relationship type set (refer to the case shown in fig. 2(a));
(1-2) heterogeneous graph construction: mapping the actual log data onto the system behavior concept graph to construct a system behavior heterogeneous graph $G = (V, E)$, where $G$ is a directed graph, $V$ is the node set, $E$ is the relationship set, any node in $V$ corresponds to a certain node type in $A$, and any relationship in $E$ corresponds to a certain relationship type in $R$ (refer to the case shown in fig. 2(b), where $N$ represents a network, $P_i$ represents a process and $F_i$ represents a file);
2) meta-path definition and meta-path learning: defining meta-paths in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta-paths;
In the step 2), the meta-path definition and meta-path learning steps are as follows:
(2-1) meta-path definition: defining a plurality of meta-paths on $T$ according to the interaction rules among the nodes to obtain a meta-path set $MPS$, wherein the form of each meta-path is shown in formula (1), $A_i$ represents the $i$-th node type, $R_i$ represents the type of relationship between $A_i$ and $A_{i+1}$, and $A_1 = A_{L+1}$; formulas (2)-(5) list some representative meta-paths;
Figure BDA0002792295940000041
Figure BDA0002792295940000042
Figure BDA0002792295940000043
Figure BDA0002792295940000044
Figure BDA0002792295940000045
(2-2) meta-path learning: first, random walk sampling is carried out on the heterogeneous graph $G$ based on the meta-path set $MPS$, wherein the sampling probability of the node at the $i$-th step of the random walk is calculated by formula (6), where $MP_k$ is the meta-path currently used for sampling, the node type of $v_i$ is $A_t$, the node type of $v_{i+1}$ is $A_{t+1}$, $N(v_i, A_{t+1})$ is the number of nodes of type $A_{t+1}$ of $v_i$, and a further term is the proportion of meta-paths whose first two nodes are a process and $A_{t+1}$; then, the large number of node sequences obtained by sampling are learned with the Skip-Gram algorithm to obtain the embedded characterization vector $e_i$ of each node $v_i$
Figure BDA0002792295940000051
3) construction of a detection model based on sub-graph sampling: sampling from the heterogeneous graph a subgraph representing the element to be detected, and performing network attack detection using that subgraph;
In the step 3), referring to fig. 3, given a process $p_i$ to be detected, the detection model construction method based on sub-graph sampling comprises the following steps:
(3-1) sub-graph sampling: with $p_i$ as the root node, a directed subgraph $SG$ is obtained using a tree breadth-first search algorithm, wherein $SG$ is a homogeneous graph and each node is represented by the characterization vector learned in step (2-2);
(3-2) sub-graph characterization: first, the weight $\alpha_i$ of each node $v_i$ in $SG$ is calculated using an attention mechanism according to formula (7), wherein $e_i$ is the characterization vector of $v_i$, $p_i$ is a characterization vector of the number of hops of $v_i$ from the root node, and $W_A$, $b_A$ and $h_A$ are a trainable weight matrix, offset vector and mapping vector, respectively,
Figure BDA0002792295940000054
is an activation function; then, the overall characterization vector $e_{SG}$ of $SG$ is calculated based on formula (8)
Figure BDA0002792295940000052
Figure BDA0002792295940000053
(3-3) attack detection: with $e_{SG}$ as the feature vector, an APT network attack detection model is trained using a multilayer perceptron as the classifier.
The embodiments described in this specification are merely illustrative of implementations of the inventive concepts, which are intended for purposes of illustration only. The scope of the present invention should not be construed as being limited to the particular forms set forth in the examples, but rather as being defined by the claims and the equivalents thereof which can occur to those skilled in the art upon consideration of the present inventive concept.
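The data flow of steps (1-2), (2-2) and (3-1) can be followed in the Python code below, which is an added example and not part of the patent: it checks constructed log events against a concept graph $T$, samples meta-path-guided walks (the input to Skip-Gram), and extracts the breadth-first subgraph with hop counts. Assumptions: the event tuples, relation names, the process-file-process meta-path, uniform choice among type-matching neighbours in place of formula (6), walks over edges in either direction, and the `max_hops` bound.

```python
import random
from collections import defaultdict, deque

# Concept graph T = (A, R): allowed (source type, relation, target type)
# triples. Type letters and relation names are labels chosen for this example.
SCHEMA = {("P", "fork", "P"), ("P", "read", "F"),
          ("P", "create", "F"), ("P", "access", "N")}

# Constructed sample events (subject, relation, object), not from the patent.
# Node ids carry their type as a prefix: P = process, F = file, N = network.
EVENTS = [
    ("P:editor", "fork", "P:shell"),
    ("P:shell", "create", "F:stage.dll"),
    ("P:shell", "access", "N:203.0.113.7:443"),
    ("P:shell", "fork", "P:loader"),
    ("P:loader", "read", "F:stage.dll"),
    ("P:loader", "read", "F:secrets.db"),
    ("P:loader", "access", "N:203.0.113.7:443"),
    ("P:backup", "read", "F:secrets.db"),
]


def node_type(node):
    """Return the node type in A encoded in the id prefix."""
    return node.split(":", 1)[0]


def build_graph(events):
    """Step (1-2): map events onto T, giving the directed graph G = (V, E)."""
    out_edges = defaultdict(list)   # directed edges, used for subgraph sampling
    neighbours = defaultdict(set)   # undirected view, used for random walks
    for src, rel, dst in events:
        if (node_type(src), rel, node_type(dst)) not in SCHEMA:
            raise ValueError(f"event does not fit T: {src} {rel} {dst}")
        out_edges[src].append((rel, dst))
        out_edges.setdefault(dst, [])   # leaf nodes are still members of V
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    return out_edges, neighbours


def meta_path_walk(neighbours, start, meta_path, length, rng):
    """Step (2-2) sampling: a walk whose node types follow the meta-path.

    The meta-path is a list of node types with A_1 = A_{L+1}, so it can be
    repeated until `length` nodes are collected. The next node is drawn
    uniformly from the type-matching neighbours (an assumption standing in
    for formula (6)).
    """
    if meta_path[0] != meta_path[-1] or node_type(start) != meta_path[0]:
        raise ValueError("meta-path must start and end on the start node's type")
    walk, pos, period = [start], 0, len(meta_path) - 1
    while len(walk) < length:
        want = meta_path[pos % period + 1]
        candidates = sorted(n for n in neighbours[walk[-1]]
                            if node_type(n) == want)
        if not candidates:          # dead end: no neighbour of the wanted type
            break
        walk.append(rng.choice(candidates))
        pos += 1
    return walk


def bfs_subgraph(out_edges, root, max_hops):
    """Step (3-1): breadth-first tree rooted at the process under test.

    Returns {node: hops from root}; the hop count is what step (3-2) turns
    into a positional vector. max_hops is an assumed bound.
    """
    hops = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue
        for _rel, nxt in out_edges.get(node, []):
            if nxt not in hops:     # tree search: keep the first (shortest) visit
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


if __name__ == "__main__":
    out_edges, neighbours = build_graph(EVENTS)
    rng = random.Random(7)
    for _ in range(3):
        print(meta_path_walk(neighbours, "P:loader", ["P", "F", "P"], 7, rng))
    print(bfs_subgraph(out_edges, "P:shell", 2))
```

Processes that touch the same file land in the same walks, which is what lets Skip-Gram place them close together in the embedding space; the subgraph rooted at a process then collects everything it reached within the hop bound.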

Claims (4)

1. An APT network attack detection method based on meta-path learning and sub-graph sampling, characterized by comprising the following steps:
1) heterogeneous graph construction based on log data: defining the system behaviors involved in system log data and, on that basis, constructing a heterogeneous graph representing those behaviors;
2) meta-path definition and meta-path learning: defining meta-paths in the heterogeneous graph, and performing node sequence sampling and node embedding learning based on the meta-paths;
3) construction of a detection model based on sub-graph sampling: sampling from the heterogeneous graph a subgraph representing the element to be detected, and performing network attack detection using that subgraph.
2. The APT network attack detection method based on meta-path learning and sub-graph sampling as claimed in claim 1, wherein in the step 1), the steps of heterogeneous graph construction based on log data are as follows:
(1-1) concept graph definition: first, defining node types, including processes, files, networks and node attributes, according to the system behaviors involved in the log data; then, defining relationship types according to the interactions among the nodes, including derivation relationships among processes, read relationships between processes and files, creation relationships between processes and files, access relationships between processes and the network, and containment relationships between files and file attributes; finally, constructing a system behavior concept graph $T = (A, R)$ based on the node types and relationship types, wherein $A$ is the node type set and $R$ is the relationship type set;
(1-2) heterogeneous graph construction: mapping the actual log data onto the system behavior concept graph to construct a system behavior heterogeneous graph $G = (V, E)$, wherein $G$ is a directed graph, $V$ is the node set, $E$ is the relationship set, any node in $V$ corresponds to one node type in $A$, and any relationship in $E$ corresponds to one relationship type in $R$.
3. The APT network attack detection method based on meta-path learning and sub-graph sampling as claimed in claim 1 or 2, wherein in the step 2), the steps of meta-path definition and meta-path learning are as follows:
(2-1) meta-path definition: defining a plurality of meta-paths on $T$ according to the interaction rules among the nodes to obtain a meta-path set $MPS$, wherein the form of each meta-path is shown in formula (1), $A_i$ represents the $i$-th node type, $R_i$ represents the type of relationship between $A_i$ and $A_{i+1}$, and $A_1 = A_{L+1}$; formulas (2)-(5) list some representative meta-paths;
Figure FDA0002792295930000011
Figure FDA0002792295930000012
Figure FDA0002792295930000013
Figure FDA0002792295930000014
Figure FDA0002792295930000015
(2-2) meta-path learning: first, random walk sampling is carried out on the heterogeneous graph $G$ based on the meta-path set $MPS$, wherein the sampling probability of the node at the $i$-th step of the random walk is calculated by formula (6), where $MP_k$ is the meta-path currently used for sampling, the node type of $v_i$ is $A_t$, the node type of $v_{i+1}$ is $A_{t+1}$, $N(v_i, A_{t+1})$ is the number of nodes of type $A_{t+1}$ of $v_i$, and a further term is the proportion of meta-paths whose first two nodes are a process and $A_{t+1}$; then, the large number of node sequences obtained by sampling are learned with the Skip-Gram algorithm to obtain the embedded characterization vector $e_i$ of each node $v_i$
Figure FDA0002792295930000021
4. The APT network attack detection method based on meta-path learning and sub-graph sampling as claimed in claim 3, wherein in the step 3), given a process $p_i$ to be detected, the detection model construction method based on sub-graph sampling comprises the following steps:
(3-1) sub-graph sampling: with $p_i$ as the root node, a directed subgraph $SG$ is obtained using a tree breadth-first search algorithm, wherein $SG$ is a homogeneous graph and each node is represented by the characterization vector learned in step (2-2);
(3-2) sub-graph characterization: first, the weight $\alpha_i$ of each node $v_i$ in $SG$ is calculated using an attention mechanism according to formula (7), wherein $e_i$ is the characterization vector of $v_i$, $p_i$ is a characterization vector of the number of hops of $v_i$ from the root node, and $W_A$, $b_A$ and $h_A$ are a trainable weight matrix, offset vector and mapping vector, respectively,
Figure FDA0002792295930000023
is an activation function; then, the overall characterization vector $e_{SG}$ of $SG$ is calculated based on formula (8)
Figure FDA0002792295930000022
Figure FDA0002792295930000024
(3-3) attack detection: with $e_{SG}$ as the feature vector, a network attack detection model is trained using a multilayer perceptron as the classifier.
CN202011319217.0A 2020-11-23 2020-11-23 APT network attack detection method based on meta-path learning and sub-graph sampling Active CN112528275B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011319217.0A CN112528275B (en) 2020-11-23 2020-11-23 APT network attack detection method based on meta-path learning and sub-graph sampling

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011319217.0A CN112528275B (en) 2020-11-23 2020-11-23 APT network attack detection method based on meta-path learning and sub-graph sampling

Publications (2)

Publication Number Publication Date
CN112528275A (en) 2021-03-19
CN112528275B (en) 2021-11-23

Family

ID=74992768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011319217.0A Active CN112528275B (en) 2020-11-23 2020-11-23 APT network attack detection method based on meta-path learning and sub-graph sampling

Country Status (1)

Country Link
CN (1) CN112528275B (en)


Also Published As

Publication number Publication date
CN112528275B (en) 2021-11-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant