CN112822194A - Method for identifying and judging DDoS attack group-partner behaviors - Google Patents

Method for identifying and judging DDoS attack group-partner behaviors

Info

Publication number
CN112822194A (application publication); granted as CN112822194B
Authority
CN (China)
Prior art keywords
attack, similarity, attackers, target, ddos
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110019665.7A
Other languages
Chinese (zh)
Other versions
CN112822194B (en)
Inventor
严寒冰
朱天
饶毓
邱晓康
王琴琴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-01-07
Filing date
2021-01-07
Publication date
2021-05-18
Events
2021-01-07: Application filed by National Computer Network and Information Security Management Center; priority to CN202110019665.7A
2021-05-18: Publication of CN112822194A
2022-12-09: Application granted; publication of CN112822194B
Legal status: Active

Links

Images

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a method for identifying and judging the group behavior behind DDoS attacks. The method comprises the following steps: 1) acquire DDoS attack records and query the whois information of the control end IP and the attack target IP; 2) combine the attack target similarity, the zombie host similarity and the attack time similarity of the DDoS attacks to compute the attacker similarity; 3) build a community network with attackers as nodes, connecting two attackers when their similarity exceeds a threshold; 4) apply a community discovery algorithm, compute the consistency of group features, and mine and analyze group behavior through visualization and feature consistency. The invention defines a time-based multidimensional attacker similarity that gives a reduced-dimension representation of the data. Feeding that data into a community discovery algorithm to mine attack groups clusters attackers with similar attack behavior, realizes effective group mining and attribute calibration, judges attack groups quickly and accurately, and assists the police in solving cases.

Description

Method for identifying and judging DDoS attack group-partner behaviors
Technical Field
The invention relates to a method for identifying and judging DDoS attacks in the technical field of network security, and in particular to a method for identifying and judging the group behavior behind DDoS attacks.
Background
DDoS attacks are among the most common network attacks: the barrier to launching one is low, but the damage is high. A DDoS attack is a cooperative attack in which the attacker uses a large number of infected hosts as the attack platform to strike a specific target. The attack scenario can be described as follows: a few control ends direct a large number of compromised hosts (a botnet) to launch a large number of attacks on a particular target within a certain time window, so that the target network can no longer provide normal service. DDoS attacks are controlled by a small number of attackers; the botnet is an important participant in the attack but its hosts are usually themselves victims, while the controllers behind the scenes are the real source of the attack. Analyzing the controllers hidden behind DDoS attacks, finding the real controllers and analyzing their attack characteristics is therefore of practical significance for tracking attack groups over the long term and for preventing and controlling network attacks.
At present, research on DDoS attacks focuses mostly on detection and defense, and little work has been done on tracing DDoS attacks to their source. DDoS tracing research mainly aims at reconstructing the attack path and identifying the attacker's address, so it traces individual attackers. Network attack tracing falls into two main categories: active tracing and passive tracing. Active tracing marks packets during transmission so that, once an attack occurs, an administrator can use the marks to reconstruct the routing path and determine the attack source. Passive tracing takes measures after an attack has been detected, using tools to analyze traffic conditions and other information. The data available to attack tracing is relatively limited: only part of the attack data can be tracked, which is not enough to support the mining and analysis of attack groups.
In view of the above defects of the existing DDoS attack identification and judgment methods, the inventors conducted continuous research and design and, after repeated trials and improvements, arrived at the present invention, which has practical value.
Disclosure of Invention
The invention aims to overcome the defects of the existing DDoS attack identification and judgment methods by providing a new method for identifying and judging DDoS attack groups. The technical problem it solves is to mine and analyze groups of attackers working cooperatively, on the basis of the analysis results of CNCERT's massive DDoS attack events, so as to realize effective group mining and attribute calibration, judge attack groups accurately and assist the police in solving cases.
Another objective of the invention is to cope with the high dimensionality and sparsity of DDoS attack data with a new method for discovering and analyzing DDoS attack groups; the core technical problems to be solved are the definition of a multidimensional attacker similarity and the method of judging attack groups.
The purpose of the invention and the technical problem to be solved are realized by adopting the following technical scheme. The invention provides a method for identifying and judging DDoS attack group behavior, which is characterized by comprising the following steps:
step 1: collecting and processing DDoS attack data
Acquire and process DDoS attack records, convert them into a data set, and query the whois information of the control end IP and the attack target IP;
step 2: setting hyper-parameters
The hyper-parameters are: the weight of the attack target similarity, the weight of the zombie host similarity, the weight of the attack time similarity, and the threshold on the similarity of two attackers, with α_A + α_B + α_T = 1 and, according to empirical parameter ranges, α_A ∈ [0.3, 0.85], α_B ∈ [0.1, 0.45], γ ∈ [0.01, 0.1],
wherein α_A, α_B, α_T are respectively the weights of the attack target similarity, the zombie host similarity and the attack time similarity, and γ is the threshold on S_ij; the optimal parameter values determined through a large number of experiments are α_A = 0.55, α_B = 0.2, α_T = 0.25, γ = 0.05.
Through a large number of experiments, this parameter setting yields the best community discovery result, the quality of which is measured by modularity, the silhouette coefficient or the Calinski-Harabasz index;
step 3: computing attacker similarities
Compute the attack target similarity, the zombie host similarity and the attack time similarity of the DDoS attacks for each pair of attackers, and combine the three into the attackers' overall similarity;
step 4: building a community network
Construct a community network with attackers as nodes; when the similarity of two attackers (c_i, c_j) is greater than or equal to the threshold (S_ij ≥ γ), connect the two nodes with an edge;
step 5: mining and analyzing attack groups with a community discovery algorithm
Apply a community discovery algorithm to the network, visualize the relationship between group members and attack targets, and compute the consistency of group features from the whois information queried for the control end IPs and attack target IPs, thereby obtaining a description of the behavioral characteristics of the attack group; group behavior is mined and analyzed through quantified feature consistency and visualization.
The object of the present invention and the technical problems solved thereby can be further achieved by the following technical measures.
In the foregoing method for identifying and judging DDoS attack group behavior, the attack data in step 1 includes the control end (C&C) IP, the zombie host IP, the attack target IP and the attack time;
and the whois information acquired for the attacker IP and the attack target IP includes port, network segment, geographical location and owner.
In the foregoing method, in step 3 the influence of time on mining the attacker's behavior is also taken into account when computing the attack target similarity and the zombie host similarity.
In the foregoing method, the specific algorithm for computing attacker similarity in step 3 computes the similarity of every pair of attackers from the weight of the attack target similarity, the weight of the zombie host similarity and the weight of the attack time similarity.
In the foregoing method, the group features in step 5 include: malicious domain names, domain name registrars, network segments, attack time preferences, attack tools, ports, geographical locations of attack targets, and attack targets.
In the foregoing method, the community discovery algorithms in step 5 include: the GN (Girvan-Newman) algorithm, the label propagation algorithm, the Infomap algorithm and the LFM algorithm.
Compared with the prior art, the invention has obvious advantages and beneficial effects, including at least the following:
1. Identifying and judging attack group behavior is an advanced stage of network security event tracing and analysis and a core step in large-scale crackdowns on network attacks. The method mines and analyzes groups of attackers working cooperatively, so that attack groups can be mined quickly, effectively and accurately and the police can be assisted in solving cases quickly.
2. In a DDoS attack, a few attackers control a large botnet to launch a large number of attacks on a particular target within a particular time window. DDoS attack data is therefore huge and complex, and mining DDoS attack groups faces the high dimensionality and sparsity of the data. The invention defines a time-based multidimensional attacker similarity that gives a reduced-dimension representation of the data.
3. A DDoS attack network has information propagation characteristics similar to those of a community network, so the invention introduces community discovery to mine the aggregation structure among individuals in a complex system, analyze the associations among them and grasp the development rules of the complex network. On top of the attacker similarity definition, which is the core technical problem of DDoS attack group analysis, a community network is constructed and a community discovery algorithm is applied to mine the attack groups, so that attackers with similar attack behavior are clustered and group mining is realized efficiently.
4. The invention uses visualization and feature consistency for further group analysis. Visualization makes the similarity of attack behavior within a group more intuitive; feature consistency quantifies the similarity of the members' features, so that the degree of similarity among the attackers in a group is expressed numerically and the group analysis is more convincing.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical means of the present invention more clearly understood, the present invention may be implemented in accordance with the content of the description, and in order to make the above and other objects, features, and advantages of the present invention more clearly understood, the following preferred embodiments are described in detail with reference to the accompanying drawings.
Drawings
Fig. 1 is a flow chart of the method for identifying and determining the DDoS attack group-partner behavior of the invention.
Wherein:
1: collecting and processing DDoS attack data
2: setting hyper-parameters
3: computing attacker similarities
4: building a community network
5: applying community discovery algorithms
6: query Whois information of attack target and attacker
7: visualizing relationships of group members to attack targets
8: computing group feature consistency
Detailed Description
To further illustrate the technical means and effects of the present invention adopted to achieve the predetermined object, the following detailed description will be provided with reference to the accompanying drawings and preferred embodiments for a method for identifying and determining DDoS attack partnership behaviors, and specific implementation methods, steps, features and effects thereof according to the present invention.
Referring to fig. 1, a method for identifying and determining DDoS attack group behavior according to a preferred embodiment of the present invention mainly includes the following steps:
1. collecting and processing DDoS attack data
Acquire and process DDoS attack records, convert them into a data set, and query the whois information of the control end IP and the attack target IP, wherein:
the attack data includes the control end (C&C) IP, the zombie host IP, the attack target IP and the attack time;
the whois information acquired for the attacker IP and the attack target IP includes ports, network segments, geographical locations, owners and the like.
2. Setting hyper-parameters
The hyper-parameters are: the weight of the attack target similarity, the weight of the zombie host similarity, the weight of the attack time similarity, and the threshold on the similarity of two attackers, set as follows: α_A + α_B + α_T = 1, with parameter ranges α_A ∈ [0.3, 0.85], α_B ∈ [0.1, 0.45], γ ∈ [0.01, 0.1],
wherein α_A, α_B, α_T are respectively the weights of the attack target similarity, the zombie host similarity and the attack time similarity, and γ is the threshold on S_ij; the optimal parameter values determined through a large number of experiments are:
α_A = 0.55, α_B = 0.2, α_T = 0.25, γ = 0.05
Through a large number of experiments, this parameter setting yields the best community discovery result, the quality of which is measured by modularity, the silhouette coefficient or the Calinski-Harabasz index;
3. computing attacker similarities
For each pair of attackers, compute the attack target similarity, the zombie host similarity and the attack time similarity of their DDoS attacks, and combine the three into the attackers' overall similarity;
the specific algorithm computes the similarity of every pair of attackers from the weight of the attack target similarity, the weight of the zombie host similarity and the weight of the attack time similarity. The formulas are as follows:
(1) S_ij is used to compute the similarity of attacker c_i and attacker c_j:
    S_ij = α_A · (similarity of c_i and c_j on attack target hosts) + α_B · (similarity of c_i and c_j on zombie hosts) + α_T · (similarity of c_i and c_j in attack time)
wherein α_A, α_B, α_T are respectively the weights of the attack target similarity, the zombie host similarity and the attack time similarity, and the three bracketed terms are the similarities of c_i and c_j on attack target hosts, on zombie hosts and in attack time.
(2) Computing the similarity on attack target hosts
    [equation image not reproduced]
wherein the similarity of attackers c_i and c_j on attack target hosts at time t is computed from the IP lists of the target hosts on which c_i and c_j launched attacks at time t, with t measured in days.
(3) Computing the similarity on zombie hosts
    [equation image not reproduced]
wherein the similarity of attackers c_i and c_j on zombie hosts at time t is computed from the lists of zombie host IPs that c_i and c_j used for the attacks launched on day t.
(4) Computing the similarity in attack time
    [equation image not reproduced]
wherein the similarity of attackers c_i and c_j in attack time at time t is computed from the specific moments on day t at which c_i and c_j launched attacks, exact to the hour, e.g. an attack that occurred at 9 a.m. on day 5.
4. building a community network
Construct a community network with attackers as nodes; when the similarity S_ij of two attackers c_i, c_j satisfies S_ij ≥ γ, connect the two nodes with an edge.
5. Mining and analyzing attack groups with a community discovery algorithm
Apply a community discovery algorithm, visualize the relationship between group members and attack targets, and compute the consistency of group features from the whois information queried for the control end IPs and attack target IPs, thereby obtaining a description of the behavioral characteristics of the attack group; group behavior is mined and analyzed through quantified feature consistency and visualization.
The community discovery algorithms include: the GN algorithm, the label propagation algorithm, the Infomap algorithm and the LFM algorithm. Taking label propagation on the community network as an example, attack groups are mined as follows:
i. assign each node its own group label, i.e. node i gets label i;
ii. traverse all nodes; for each node, find its neighbors, collect the neighbors' labels, find the label that occurs most often and replace the node's label with it; if more than one label is most frequent, pick one of them at random as the node's label;
iii. if no node's label changed during the current round of relabeling (or the set maximum number of iterations is reached), stop; otherwise repeat step ii.
Applying the algorithm yields the result of attacker group mining: each node (attacker) carries a group label.
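The steps above, as an added example that is not part of the patent or of CNCERT's own tooling: it implements steps 2 to 5 in Python on constructed records. The per-day similarities are computed as Jaccard indices of IP (and attack-hour) sets and averaged over the days on which either attacker was active; both are assumptions, since the page gives only the weights, the threshold and the symbols, not the per-dimension formulas. Label propagation follows steps i to iii as written, with the random tie-break seeded so that runs are reproducible.

```python
"""Added example, not the patent's code: steps 2 to 5 of the method on constructed data.
Assumed (not on the patent page): each per-day, per-dimension similarity is the Jaccard index
of two sets, and S_ij averages alpha_A*S^A + alpha_B*S^B + alpha_T*S^T over active days."""
import random
from collections import Counter, defaultdict
from itertools import combinations

# Hyper-parameters: the patent's preferred values (alpha_A + alpha_B + alpha_T = 1).
ALPHA_A, ALPHA_B, ALPHA_T = 0.55, 0.20, 0.25
GAMMA = 0.05  # edge threshold on S_ij

# Constructed attack records (documentation IP ranges): (C&C ip, zombie ip, target ip, day, hour).
RECORDS = [
    ("203.0.113.1", "192.0.2.1", "198.51.100.1", 1, 9),
    ("203.0.113.1", "192.0.2.2", "198.51.100.2", 1, 10),
    ("203.0.113.1", "192.0.2.3", "198.51.100.1", 1, 9),
    ("203.0.113.1", "192.0.2.1", "198.51.100.1", 2, 9),
    ("203.0.113.1", "192.0.2.2", "198.51.100.1", 2, 9),
    ("203.0.113.2", "192.0.2.1", "198.51.100.1", 1, 9),
    ("203.0.113.2", "192.0.2.2", "198.51.100.2", 1, 9),
    ("203.0.113.2", "192.0.2.1", "198.51.100.3", 1, 9),
    ("203.0.113.2", "192.0.2.2", "198.51.100.1", 2, 10),
    ("203.0.113.2", "192.0.2.3", "198.51.100.3", 2, 10),
    ("203.0.113.3", "192.0.2.3", "198.51.100.2", 1, 10),
    ("203.0.113.3", "192.0.2.1", "198.51.100.1", 2, 9),
    ("203.0.113.4", "192.0.2.9", "198.51.100.9", 1, 3),
    ("203.0.113.5", "192.0.2.9", "198.51.100.9", 1, 3),
    ("203.0.113.5", "192.0.2.8", "198.51.100.9", 1, 3),
    ("203.0.113.5", "192.0.2.8", "198.51.100.8", 3, 4),
]

def jaccard(a, b):
    """Jaccard index of two sets; 0 when both are empty."""
    return len(a & b) / len(a | b) if a or b else 0.0

def daily_views(records):
    """Per attacker (C&C IP), per day: sets of target IPs (A), zombie IPs (B), hours (T)."""
    views = defaultdict(lambda: defaultdict(lambda: {"A": set(), "B": set(), "T": set()}))
    for cc_ip, bot_ip, target_ip, day, hour in records:
        view = views[cc_ip][day]
        view["A"].add(target_ip)
        view["B"].add(bot_ip)
        view["T"].add(hour)
    return views

def attacker_similarity(days_i, days_j):
    """S_ij: weighted per-day similarity averaged over the days either attacker was active;
    a day on which only one of them attacked contributes 0, which is the method's time dimension."""
    empty = {"A": set(), "B": set(), "T": set()}
    days = set(days_i) | set(days_j)
    total = 0.0
    for day in days:
        vi, vj = days_i.get(day, empty), days_j.get(day, empty)
        total += (ALPHA_A * jaccard(vi["A"], vj["A"])
                  + ALPHA_B * jaccard(vi["B"], vj["B"])
                  + ALPHA_T * jaccard(vi["T"], vj["T"]))
    return total / len(days) if days else 0.0

def build_community_network(views, gamma=GAMMA):
    """Step 4: attackers are nodes; c_i and c_j are connected when S_ij >= gamma."""
    graph = {c: set() for c in views}
    sims = {}
    for ci, cj in combinations(sorted(views), 2):
        s = sims[(ci, cj)] = attacker_similarity(views[ci], views[cj])
        if s >= gamma:
            graph[ci].add(cj)
            graph[cj].add(ci)
    return graph, sims

def label_propagation(graph, max_iter=100, seed=0):
    """Step 5, label propagation as described: (i) each node starts with its own label;
    (ii) take the most frequent neighbour label, ties broken at random; (iii) stop when stable."""
    rng = random.Random(seed)
    labels = {node: node for node in graph}
    for _ in range(max_iter):
        changed = False
        for node in sorted(graph):
            if not graph[node]:
                continue  # an isolated attacker keeps its own label
            counts = Counter(labels[n] for n in graph[node])
            top = max(counts.values())
            new_label = rng.choice(sorted(l for l, c in counts.items() if c == top))
            if new_label != labels[node]:
                labels[node], changed = new_label, True
        if not changed:
            break
    return labels

def mine_gangs(records):
    """Full pipeline: records -> S_ij -> community network -> set of gangs (frozensets)."""
    graph, sims = build_community_network(daily_views(records))
    by_label = defaultdict(set)
    for node, label in label_propagation(graph).items():
        by_label[label].add(node)
    return sims, graph, {frozenset(m) for m in by_label.values()}

if __name__ == "__main__":
    print([sorted(g) for g in mine_gangs(RECORDS)[2]])
```

Running the module prints the mined gangs: with the constructed records the controllers 203.0.113.1 to 203.0.113.3, which share targets, zombies and attack hours on days 1 and 2, form one group and 203.0.113.4 and 203.0.113.5 form another; every cross-pair similarity is exactly 0 because the two sets share no target, zombie or attack hour on any day, so no edge joins them whatever the value of γ.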
To verify the validity of the groups and analyze their characteristics, group analysis proceeds from the visualization of attack targets and from the consistency of group features. The relationship between group members and attack targets is visualized to analyze whether the attackers in a group share the same attack targets. Group feature consistency covers features such as malicious domain names, domain name registrars, network segments, attack time preferences, attack tools, ports and the geographical location of attack targets.
The consistency of group u on feature F is expressed by the following formula:
    consistency(u, F) = max(...) / N_u
wherein N_u is the number of members of group u, the count for a value F1 of feature F is the number of members of u whose feature F takes the value F1, and max(...) is the largest of these counts, i.e. the number of members of u that share the most common value of feature F.
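The consistency measure above, as an added example that is not the patent's code: a constructed feature table for three controllers (illustrative whois-like field names, not real data) and the max(...)/N_u computation per feature, returning the dominant value alongside the ratio so that the group's behavioral profile can be read off directly.

```python
"""Added example, not the patent's code: group feature consistency on constructed data.
Consistency of gang u on feature F = max(count of one value of F among members) / N_u,
as defined on the page; the member features below are constructed, not real whois data."""
from collections import Counter

# Constructed per-attacker features as an analyst might assemble them from whois lookups
# and the attack records (documentation-range IPs; field names are illustrative).
MEMBER_FEATURES = {
    "203.0.113.1": {"registrar": "Registrar A", "network_segment": "203.0.113.0/24",
                    "target_geo": "CN", "attack_port": 53, "preferred_hour": 9},
    "203.0.113.2": {"registrar": "Registrar A", "network_segment": "203.0.113.0/24",
                    "target_geo": "CN", "attack_port": 53, "preferred_hour": 9},
    "203.0.113.3": {"registrar": "Registrar B", "network_segment": "203.0.113.0/24",
                    "target_geo": "US", "attack_port": 53, "preferred_hour": 10},
}

def feature_consistency(gang, feature_table, feature):
    """Return (max(...) / N_u, dominant value) for the gang on one feature.
    Members without the feature count towards N_u but towards no value;
    an empty gang or an unknown feature yields (0.0, None)."""
    n_u = len(gang)
    counts = Counter(feature_table[m][feature]
                     for m in gang if feature in feature_table.get(m, {}))
    if not counts:
        return 0.0, None
    dominant, count = counts.most_common(1)[0]
    return count / n_u, dominant

def gang_profile(gang, feature_table, features):
    """Consistency and dominant value per feature: the gang's behavioural description."""
    return {f: feature_consistency(gang, feature_table, f) for f in features}

if __name__ == "__main__":
    members = sorted(MEMBER_FEATURES)
    fields = ["registrar", "network_segment", "target_geo", "attack_port", "preferred_hour"]
    for f, (c, v) in gang_profile(members, MEMBER_FEATURES, fields).items():
        print(f"{f:16s} consistency={c:.2f} dominant={v!r}")
```

For the constructed gang the network segment and attack port have consistency 1.0, while registrar, target country and preferred hour sit at 2/3, which is the kind of mixed picture an analyst then weighs against the attack-target visualization before calling the group confirmed.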
The invention has tracked more than 250 DDoS attack groups, has supported CNCERT in issuing DDoS attack resource analysis reports continuously for three years, has been applied to combating DDoS attack crimes, and has achieved good results in practice.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. A method for identifying and judging DDoS attack group-partner behaviors is characterized by comprising the following steps:
step 1: collecting and processing DDoS attack data
Acquiring and processing DDoS attack records, converting the DDoS attack records into a data set, and inquiring whois information of a control end IP and an attack target IP;
step 2: setting hyper-parameters
The hyper-parameters are: the weight of the attack target similarity, the weight of the zombie host similarity, the weight of the attack time similarity, and the threshold on the similarity of two attackers, with α_A + α_B + α_T = 1 and, according to empirical parameter ranges, α_A ∈ [0.3, 0.85], α_B ∈ [0.01, 0.45], γ ∈ [0.01, 0.1],
wherein α_A, α_B, α_T are respectively the weights of the attack target similarity, the zombie host similarity and the attack time similarity, and γ is the threshold on S_ij; the optimal parameter values determined through a large number of experiments are α_A = 0.55, α_B = 0.2, α_T = 0.25, γ = 0.05
Through a large number of experiments, this parameter setting yields the best community discovery result, the quality of which is measured by modularity, the silhouette coefficient or the Calinski-Harabasz index;
and step 3: computing attacker similarities
Compute the attack target similarity, the zombie host similarity and the attack time similarity of the DDoS attacks for each pair of attackers, and combine the three into the attackers' overall similarity;
step 4, building a community network
Construct a community network with attackers as nodes; when the similarity of two attackers (c_i, c_j) is greater than or equal to the threshold (S_ij ≥ γ), connect the two nodes with an edge;
and 5: mining and analyzing attack gangs by applying community discovery algorithm
Apply a community discovery algorithm, visualize the relationship between group members and attack targets, and compute the consistency of group features from the whois information queried for the control end IPs and attack target IPs, thereby obtaining a description of the behavioral characteristics of the attack group; group behavior is mined and analyzed through quantified feature consistency and visualization.
2. The method as claimed in claim 1, wherein the attack data in step 1 includes the control end (C&C) IP, the zombie host IP, the attack target IP and the attack time;
and acquiring whois information of the attacker IP and the attack target IP, wherein the whois information comprises a port, a network segment, a geographical position and an owner.
3. The method as claimed in claim 1, wherein the influence of time on the behavior mining of the attacker is also considered in the step 3 of calculating the similarity of the attack targets and the similarity of the zombie hosts.
4. The method as claimed in claim 1, wherein the specific algorithm for calculating the similarity between the attackers in the step 3 is to calculate the similarity between every two attackers by using the weight of the similarity between the attack targets, the weight of the similarity between the zombie hosts and the weight of the similarity between attack times.
5. The method of claim 1, wherein the group characteristics in step 5 comprise: malicious domain names, domain name registrars, network segments, attack time preferences, attack tools, ports, geographical locations of attack targets, and attack targets.
6. The method of claim 1, wherein the community discovery algorithm in step 5 comprises: the GN algorithm, the label propagation algorithm, the Infomap algorithm and the LFM algorithm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110019665.7A CN112822194B (en) 2021-01-07 2021-01-07 Method for identifying and determining DDoS attack group-partner behaviors

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110019665.7A CN112822194B (en) 2021-01-07 2021-01-07 Method for identifying and determining DDoS attack group-partner behaviors

Publications (2)

Publication Number Publication Date
CN112822194A true CN112822194A (en) 2021-05-18
CN112822194B CN112822194B (en) 2022-12-09

Family

ID=75868807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110019665.7A Active CN112822194B (en) 2021-01-07 2021-01-07 Method for identifying and determining DDoS attack group-partner behaviors

Country Status (1)

Country Link
CN (1) CN112822194B (en)



Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8881288B1 (en) * 2008-10-28 2014-11-04 Intelligent Automation, Inc. Graphical models for cyber security analysis in enterprise networks
CN108173884A (en) * 2018-03-20 2018-06-15 国家计算机网络与信息安全管理中心 Based on network attack with the ddos attack population analysis method of behavior

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HUA ZHANG et al.: "Webshell Traffic Detection With Character-Level Features Based on Deep Learning", IEEE Access *
王琴琴 et al.: "Network security situation analysis based on malicious code propagation logs" (基于恶意代码传播日志的网络安全态势分析), 《信息安全学报》 (Journal of Cyber Security) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114389857A (en) * 2021-12-24 2022-04-22 国家计算机网络与信息安全管理中心 Network attack group fusion method based on core attack resources
CN114389857B (en) * 2021-12-24 2024-04-05 国家计算机网络与信息安全管理中心 Network attack group fusion method based on core attack resource
CN115150052A (en) * 2022-06-08 2022-10-04 北京天融信网络安全技术有限公司 Method, device, equipment and storage medium for tracking and identifying attack group
CN115118491A (en) * 2022-06-24 2022-09-27 北京天融信网络安全技术有限公司 Botnet detection method and device, electronic device and readable storage medium
CN115118491B (en) * 2022-06-24 2024-02-09 北京天融信网络安全技术有限公司 Botnet detection method, device, electronic equipment and readable storage medium
CN115333768A (en) * 2022-06-29 2022-11-11 国家计算机网络与信息安全管理中心 Rapid studying and judging method for massive network attacks
CN115333768B (en) * 2022-06-29 2024-06-04 国家计算机网络与信息安全管理中心 Rapid studying and judging method for mass network attack

Also Published As

Publication number Publication date
CN112822194B (en) 2022-12-09

Similar Documents

Publication Publication Date Title
CN112822194B (en) Method for identifying and determining DDoS attack group-partner behaviors
Gogoi et al. MLH-IDS: a multi-level hybrid intrusion detection method
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
CN108076040B (en) APT attack scene mining method based on killer chain and fuzzy clustering
CN111586046B (en) Network traffic analysis method and system combining threat intelligence and machine learning
CN109450721B (en) Network abnormal behavior identification method based on deep neural network
Zhang et al. Distributed intrusion detection based on clustering
CN102685145A (en) Domain name server (DNS) data packet-based bot-net domain name discovery method
CN113064932B (en) Network situation assessment method based on data mining
CN112333195B (en) APT attack scene reduction detection method and system based on multi-source log correlation analysis
CN110830490B (en) Malicious domain name detection method and system based on area confrontation training deep network
Lakhno et al. Design of adaptive system of detection of cyber-attacks, based on the model of logical procedures and the coverage matrices of features
Wang et al. A data-driven study of DDoS attacks and their dynamics
CN109067778B (en) Industrial control scanner fingerprint identification method based on honeynet data
Weaver et al. Fishing for phishes: Applying capture-recapture methods to estimate phishing populations
CN115118525B (en) Internet of things safety protection system and protection method thereof
Promrit et al. Traffic flow classification and visualization for network forensic analysis
CN114172697B (en) Method for defending IP address spoofing DDoS attack in high-speed network
KR102562671B1 (en) Threat hunting system and method for against social issue-based advanced persistent threat using genetic algorithm
CN113709097B (en) Network risk sensing method and defense method
CN111371727A (en) Detection method for NTP protocol covert communication
Fatima et al. Data fusion & visualization application for network forensic investigation-a case study
Kanna et al. A defensive mechanism based on PCA to defend denial of-service attack
Lv et al. Coordinated scan detection algorithm based on the global characteristics of time sequence

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant