CN112839039A - Interactive automatic restoration method for network threat event attack scene


Publication number
CN112839039A
Authority
CN
China
Prior art keywords
attack
threat
event
threat event
entity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110006579.2A
Other languages
Chinese (zh)
Other versions
CN112839039B (en)
Inventor
王俊峰
唐宾徽
葛文翰
于忠坤
陈柏翰
余坚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan University
Original Assignee
Sichuan University
Application filed by Sichuan University
Priority to CN202110006579.2A
Publication of CN112839039A
Application granted
Publication of CN112839039B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/906 Clustering; Classification

Abstract

The invention discloses an interactive automatic restoration method for the attack scene of a network threat event. The method extracts key information points from various types of structured and unstructured data and constructs a unified, multi-dimensional description framework for threat event attack scenes; deepens data mining on the description framework, extracting entities and entity relations to form key information sequences that are classified in a hierarchical, structured manner; uses the hierarchical structure to construct a logically consistent spatio-temporal sequence threat event description model covering the whole attack life cycle of the threat event; and restores the attack scene from the spatio-temporal sequence threat event description model in a visual, interactive manner. The method can automatically, accurately and comprehensively present the attack scene of a network threat event across its attack life cycle, helps to identify attackers or attack organizations with malicious attack behaviors in time, and improves both the efficiency with which network threat analysts analyze attack events and the accuracy of source tracing.

Description

Interactive automatic restoration method for network threat event attack scene
Technical Field
The invention relates to the technical field of network security, in particular to an interactive automatic restoration method for an attack scene of a network threat event.
Background
Network attack and defense is also called network confrontation; network attack and network protection go together. Network attack refers to attacks on the hardware, software and data of a network system that comprehensively exploit the vulnerabilities and security defects of the target network, and mainly comprises the steps of reconnaissance, scanning, obtaining access, privilege escalation, controlling information, covering tracks, creating backdoors and the like. Network protection means comprehensively using the functions and technical means of one's own network system to protect one's own network and equipment, so that information data is not intercepted, counterfeited, stolen, tampered with or erased during storage and transmission; it comprises encryption, access control, detection, monitoring, audit and similar technologies. Network attack and network protection are a pair of "spear" and "shield", with attack generally running ahead of protection.
In recent years, network attack and defense confrontation has grown increasingly fierce: attack events are more and more frequent, attack techniques keep evolving and diversifying, and attack teams have become specialized and organized. Attack scene restoration, as an important component of an industrial information security protection system, can provide strong intelligence support for security hardening and has gradually become a research focus. The imbalance between attack and defense is worsening; the large number of traditional security devices deployed by enterprise users still struggle to cope with the increasingly severe threat situation, and tracing a given attack event to its source is very difficult. It requires many professional security analysts and operations staff to search and compare, and even so the tracing efficiency is low and the accuracy is poor.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide an interactive automatic restoration method for the attack scene of a network threat event, which can accurately and comprehensively present the attack life cycle of a network threat event, automatically restore the attack scene of the event along three dimensions (object, phase and behavior), and improve the efficiency with which network threat analysts analyze attack events. The technical solution is as follows:
An interactive automatic construction method for a network threat event attack scene comprises the following steps:
S1: extracting key information points from various types of structured and unstructured data, and constructing a unified description framework for multi-dimensional threat information attack scenes;
S2: deepening data mining on the description framework, automatically extracting key entities and entity relations from the key information points to form key information sequences, classifying them in a hierarchical, structured manner, and constructing an entity classification association network;
S3: using the hierarchical structure of the entity classification association network to construct a logically consistent spatio-temporal sequence threat event attack scene description model covering the whole attack life cycle of the threat event;
S4: restoring the threat event attack scene from the spatio-temporal sequence threat event description model in an interactive visualization manner;
S5: compiling statistics on and evaluating the attack scene restoration process of various network threat events, to facilitate prediction and source tracing of similar events.
Further, constructing the unified description framework for multi-dimensional threat information attack scenes in S1 specifically includes: giving the complex attack context information a unified structured description in terms of the target object of the threat event, the event attack steps and the attack behavior characteristics they reflect, integrating the attack chain into the whole threat event, and thereby constructing a unified multi-dimensional threat information attack scene description framework capable of effectively describing a complete attack cycle.
Further, in S2, automatically extracting key entities and entity relations from the key information points to form key information sequences, classifying them in a hierarchical, structured manner and constructing the entity classification association network specifically includes:
S21: cleaning the various data, extracting entities and entity relations, and determining the hierarchically classified entities of a threat event: core attack steps, key techniques and implementation details;
S22: using an entity analysis system to automatically extract key entities and entity relations, forming key information sequences and constructing the entity classification association network;
S23: using an expert system to assist in adjusting and optimizing the key information sequences so that they have hierarchical characteristics;
S24: using the optimization results to improve the entity analysis system and achieve a better classification effect.
Further, constructing the logically consistent spatio-temporal sequence threat event attack scene description model in S3 specifically includes:
S31: constructing an attack life cycle framework for the threat event according to the attack steps and the attack mode, with the spatio-temporal sequence relation as its backbone;
S32: inputting entity and relation attribute data according to the attack life cycle model architecture, and constructing a threat event attack scene description model that satisfies the spatio-temporal sequence;
S33: forming, according to the entity classification association network, a threat event attack scene description model that has both the spatio-temporal sequence and the affiliation relation.
Further, restoring the threat event attack scene in an interactive visualization manner in S4 specifically includes:
S41: displaying the spatio-temporal sequence threat event attack scene description model by visualization means, supporting interaction between the user and the model to gain a deeper understanding while filling in more detailed information;
S42: providing statistics and process analysis and evaluation of event-related information, using different visual data analysis modes as required;
S43: optimizing the attack scene description model according to the analysis and evaluation opinions on the restoration process.
Furthermore, compiling statistics on and evaluating the attack scene restoration process of various network threat events includes: evaluating the rationality of the description framework, statistically analyzing the usage frequency of entities and key information sequences to adjust scores, and evaluating and analyzing the applicability of the threat event attack scene, thereby facilitating prediction and source tracing of similar events.
The beneficial effects of the invention are as follows. The method can automatically restore the attack scene of a network threat event along three dimensions (object, behavior and stage) and accurately and comprehensively present the attack life cycle of the event. Its main aim is to provide key clues for source tracing and so improve analysis efficiency, which addresses the technical problems of the traditional tracing approach: high manual analysis cost, low tracing efficiency and no guarantee of tracing accuracy. The method helps users find attackers with malicious attack behaviors in time and improves the efficiency with which network threat analysts analyze attack events. By automatically restoring a network attack into an interactive attack scene, it also helps users find attack clues, which improves the accuracy of source tracing.
Drawings
Fig. 1 is a flow diagram of the interactive automatic restoration method for a network threat event attack scene according to the present invention.
Fig. 2 is a detailed flowchart of the interactive automatic restoration method for a network threat event attack scene according to the present invention.
Fig. 3 is a result diagram of the interactive automatic restoration method for a network threat event attack scene according to the present invention.
Fig. 4 is a diagram of the restoration effect for the attack stages of a threat event in the interactive automatic restoration method for a network threat event attack scene.
Fig. 5 is a diagram of the restoration effect for the attack behaviors of a network threat event in the interactive automatic restoration method for a network threat event attack scene.
Detailed Description
The invention is described in further detail below with reference to the figures and specific embodiments. It addresses the technical problems of the traditional tracing approach: high labor cost, low tracing efficiency and no guarantee of tracing accuracy. The invention provides an interactive automatic construction method for a network threat event attack scene, comprising: extracting key information points from various types of structured and unstructured data and constructing a unified multi-dimensional threat information attack scene description framework; deepening data mining on the description model, extracting entities and entity relations, and classifying them in a hierarchical, structured manner; using the hierarchical structure to construct a logically consistent spatio-temporal sequence threat event description model covering the whole attack life cycle of the threat event; and restoring the scene from the spatio-temporal sequence threat event description model in an interactive visualization manner.
The flow of the attack event tracing method of the invention is shown in Fig. 1 and Fig. 2; the specific steps are as follows:
101. Constructing a unified description framework for multi-dimensional threat information attack scenes: extracting key information from multiple types of structured and unstructured data and constructing a unified threat information attack scene description framework.
The complex attack context information is given a unified structured description along multiple dimensions of the network threat event, such as object, behavior and stage (event attack step); the attack chain is integrated into the whole threat event; and a unified threat information attack scene description framework capable of effectively depicting a complete attack sequence is thereby constructed.
As shown in Fig. 3, in this embodiment the attack scene description framework draws mainly on several different types of structured and unstructured data, such as open source intelligence data, network traffic data, malicious sample data, covert channel data and system log data; information points are extracted from this multi-dimensional data, and key fields are extracted to describe the various network threat events.
102. Forming an entity classification association network from the threat information attack scene description framework: deepening data mining on the description framework, extracting entities and entity relations to form key information sequences, and classifying them in a hierarchical, structured manner to form the entity classification association network.
In this embodiment, data mining on the description framework is deepened: the various data are cleaned, entities and entity relations are extracted, and the hierarchically classified entities of each event, such as core attack steps, key techniques and implementation details, are determined. Entities and entity relations are extracted automatically by an independently developed entity analysis system to form the entity classification association network. The key information sequences are optimized and adjusted with the aid of an expert system so that they show a hierarchical entity classification, and the improved analysis results are fed into the automatic entity analysis system so that subsequent analysis achieves a better entity classification. For example, the identification accuracy of attack techniques in open source intelligence data is improved.
103. Constructing a spatio-temporal sequence threat event attack scene description model: using the hierarchical structure of the entity classification association network to construct a logically consistent spatio-temporal sequence threat event description model covering the whole attack life cycle of the threat event.
Because the attack mode of a network threat event has a spatio-temporal sequence relation, in this embodiment an attack life cycle framework for the threat event is constructed according to the attack steps and the attack mode, with the spatio-temporal sequence relation as its backbone; entity and relation data are input according to the attack life cycle model architecture to construct a threat event attack scene description model that satisfies the spatio-temporal sequence; and a threat event description model that satisfies both the spatio-temporal sequence and the affiliation relation is formed according to the entity classification association network.
For example, as shown in Fig. 3, the L0 level is the network threat event object level, in which a key information sequence is generally formed by the attacker/attack organization, the network threat event and the attack target/attacked industry; the L1 level is the attack tactic level, in which the attack phases generally form the attack life cycle of the threat event; the L2 level is the attack level, in which each entity constitutes a corresponding attack within the threat event.
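The L0/L1/L2 hierarchy described above, as an added Python example that is not code from the patent: it groups extracted entities into event, numbered attack phase and time-stamped L2 entity, orders them into a restorable timeline, and flags phases whose first observation predates an earlier-numbered phase. The `Entity` fields, the function names and every sample record are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Entity:
    eid: str
    level: int                     # 0 = object (L0), 1 = attack phase (L1), 2 = attack (L2)
    kind: str                      # "event" | "attacker" | "target" | "phase" | "behavior"
    name: str
    parent: Optional[str] = None   # affiliation: object/phase -> event, behaviour -> phase
    seq: Optional[int] = None      # phase number in the life cycle (L1 only)
    ts: Optional[datetime] = None  # observation time (L2 only)
    source: str = ""               # data source the entity was extracted from


def build_model(entities):
    """Return {event_id: {"event", "objects", "phases"}} with phases ordered by
    number and the L2 entities of each phase ordered by time."""
    by_id = {e.eid: e for e in entities}
    model = {e.eid: {"event": e, "objects": [], "phases": {}}
             for e in entities if e.level == 0 and e.kind == "event"}
    # Handle lower levels first so every phase exists before its behaviours arrive.
    for e in sorted(entities, key=lambda x: x.level):
        if e.kind == "event":
            continue
        parent = by_id.get(e.parent)
        expected = "phase" if e.level == 2 else "event"
        if parent is None or parent.kind != expected:
            raise ValueError(f"{e.eid}: parent {e.parent!r} is missing or not a {expected}")
        if e.level == 0:
            model[parent.eid]["objects"].append(e)
        elif e.level == 1:
            if e.seq is None:
                raise ValueError(f"{e.eid}: a phase needs a sequence number")
            model[parent.eid]["phases"][e.eid] = {"phase": e, "behaviors": []}
        else:
            if e.ts is None:
                raise ValueError(f"{e.eid}: an L2 entity needs a timestamp")
            model[parent.parent]["phases"][parent.eid]["behaviors"].append(e)
    for ev in model.values():
        ev["phases"] = sorted(ev["phases"].values(), key=lambda p: p["phase"].seq)
        for p in ev["phases"]:
            p["behaviors"].sort(key=lambda b: b.ts)
    return model


def sequence_conflicts(event_model):
    """Pairs (earlier phase, later phase) where the later-numbered phase is first
    observed before the earlier one: the time order contradicts the life cycle."""
    conflicts, last = [], None
    for p in event_model["phases"]:
        if not p["behaviors"]:
            continue
        start = p["behaviors"][0].ts
        if last is not None and start < last[1]:
            conflicts.append((last[0], p["phase"].name))
        last = (p["phase"].name, start)
    return conflicts


def restore_timeline(event_model):
    """Flatten one event into (phase number, phase name, time, behaviour, source) rows."""
    return [(p["phase"].seq, p["phase"].name, b.ts.isoformat(), b.name, b.source)
            for p in event_model["phases"] for b in p["behaviors"]]


T = datetime.fromisoformat
# Constructed sample records; phase names reuse attack steps listed in the Background.
SAMPLE = [
    Entity("evt-1", 0, "event", "constructed intrusion EVT-1"),
    Entity("act-1", 0, "attacker", "GROUP-X (placeholder)", parent="evt-1"),
    Entity("tgt-1", 0, "target", "example manufacturing firm", parent="evt-1"),
    Entity("ph-3", 1, "phase", "privilege escalation", parent="evt-1", seq=3),
    Entity("ph-1", 1, "phase", "scanning", parent="evt-1", seq=1),
    Entity("ph-2", 1, "phase", "obtaining access", parent="evt-1", seq=2),
    Entity("b-4", 2, "behavior", "local administrator account created", parent="ph-3",
           ts=T("2021-01-04T02:10:00"), source="system log"),
    Entity("b-3", 2, "behavior", "login from unfamiliar host", parent="ph-2",
           ts=T("2021-01-03T23:45:00"), source="system log"),
    Entity("b-1", 2, "behavior", "port sweep of DMZ hosts", parent="ph-1",
           ts=T("2021-01-03T22:00:00"), source="network traffic"),
    Entity("b-2", 2, "behavior", "dropper executed on workstation", parent="ph-2",
           ts=T("2021-01-03T23:30:00"), source="malicious sample"),
]

if __name__ == "__main__":
    event = build_model(SAMPLE)["evt-1"]
    for row in restore_timeline(event):
        print(row)
    print("conflicts:", sequence_conflicts(event))
```

A non-empty result from `sequence_conflicts` marks the places where an analyst, or the expert-system adjustment of step 102, should re-check the phase assignment or the timestamps.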
104. Constructing an interactive visual threat event scene restoration: restoring the threat event scene in an interactive visualization manner, based on the spatio-temporal sequence threat event description model.
As shown in Fig. 4, based on the attack phases corresponding to the attack chain, the attack life cycle of the threat event is restored in time order, and each phase is identified by a number and a name so that the purpose achieved in each phase can be described accurately. In Fig. 4, (a) shows the phases by number and (b) shows them by name.
Fig. 5 is an effect diagram of restoring the attack behaviors contained in the attack phases of a threat event in the interactive automatic restoration method for a network threat event attack scene according to the present invention. The time sequence relation of the attack behaviors of the threat event is restored by visualization means; interaction between the user and the model is supported to gain a deeper understanding, and more detailed information can be supplemented; statistical display and process analysis and evaluation of information related to the network threat event are provided through visual analysis modes chosen according to different requirements; and the scene restoration mode is adjusted according to the process analysis and evaluation opinions. For example, the whole network attack event is used as template data to construct the spatio-temporal sequence relation between nodes.
105. Compiling statistics on and evaluating the threat event restoration process: the restoration process of various network threat events is counted and evaluated, to facilitate prediction and source tracing of similar events.
The restoration process of each network threat event is counted and evaluated in four aspects: rationality of the description framework, entity validity, attribute completeness and attack scene applicability. Entities are counted and analyzed within the same event and across events; the usage frequency of entities and key information sequences is statistically analyzed to adjust scores; and the applicability of the network threat event attack scene is evaluated and analyzed, which facilitates prediction and source tracing of similar events.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented in software. By applying the technical solution of the application, a threat event is hierarchically associated with the various feature information, of the same or different dimensions, extracted according to the attack life cycle; a visual attack scene is constructed from the association relations; the degree to which the attack scene of the threat event has been restored is scored; the scene restoration of the same event is effectively improved according to the score; the attacker's next attack mode is effectively predicted; and finally the same attacker or attack organization can be traced according to the attack scene. Compared with the prior art, the method saves manual analysis cost, improves the efficiency and accuracy of source tracing, and helps to identify attackers or attack organizations with malicious attack behaviors in time.
With this technical solution, the attack scene of a network threat event is restored automatically, which provides the precondition for efficient source-tracing analysis, addresses the technical problems of the traditional tracing approach (high labor cost, low tracing efficiency and no guarantee of tracing accuracy), and helps users find attackers with malicious attack behaviors in time.
Finally, it should be noted that the accompanying drawings are included to provide a further understanding of the invention, are incorporated in and constitute a part of this specification, and illustrate embodiments of the invention; together with the description they serve to explain the invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that various changes, modifications, equivalents and substitutions may be made to the technical solutions described in the foregoing embodiments, and such modifications or substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (6)

1. An interactive automatic restoration method for a network threat event attack scene, characterized by comprising the following steps:
S1: extracting key information points from various types of structured and unstructured data, and constructing a unified description framework for multi-dimensional threat information attack scenes;
S2: deepening data mining on the description framework, automatically extracting key entities and entity relations from the key information points to form key information sequences, classifying them in a hierarchical, structured manner, and constructing an entity classification association network;
S3: using the hierarchical structure of the entity classification association network to construct a logically consistent spatio-temporal sequence threat event attack scene description model covering the whole attack life cycle of the threat event;
S4: restoring the threat event attack scene from the spatio-temporal sequence threat event description model in an interactive visualization manner;
S5: compiling statistics on and evaluating the attack scene restoration process of various network threat events, to facilitate prediction and source tracing of similar events.
2. The interactive automatic restoration method for a network threat event attack scene according to claim 1, wherein constructing the unified description framework for multi-dimensional threat information attack scenes in S1 specifically includes: giving the complex attack context information a unified structured description in terms of the target object of the threat event, the event attack steps and the attack behavior characteristics they reflect, integrating the attack chain into the whole threat event, and thereby constructing a unified multi-dimensional threat information attack scene description framework capable of effectively describing a complete attack cycle.
3. The interactive automatic restoration method for a network threat event attack scene according to claim 2, wherein in S2, automatically extracting key entities and entity relations from the key information points to form key information sequences, classifying them in a hierarchical, structured manner and constructing the entity classification association network specifically includes:
S21: cleaning the various data, extracting entities and entity relations, and determining the hierarchically classified entities of a threat event: core attack steps, key techniques and implementation details;
S22: using an entity analysis system to automatically extract key entities and entity relations, forming key information sequences and constructing the entity classification association network;
S23: using an expert system to assist in adjusting and optimizing the key information sequences so that they have hierarchical characteristics;
S24: using the optimization results to improve the entity analysis system and achieve a better classification effect.
4. The interactive automatic restoration method for a network threat event attack scene according to claim 3, wherein constructing the logically consistent spatio-temporal sequence threat event attack scene description model in S3 specifically includes:
S31: constructing an attack life cycle framework for the threat event according to the attack steps and the attack mode, with the spatio-temporal sequence relation as its backbone;
S32: inputting entity and relation attribute data according to the attack life cycle model architecture, and constructing a threat event attack scene description model that satisfies the spatio-temporal sequence;
S33: forming, according to the entity classification association network, a threat event attack scene description model that has both the spatio-temporal sequence and the affiliation relation.
5. The interactive automatic restoration method for a network threat event attack scene according to claim 4, wherein restoring the threat event attack scene in an interactive visualization manner in S4 specifically includes:
S41: displaying the spatio-temporal sequence threat event attack scene description model by visualization means, supporting interaction between the user and the model to gain a deeper understanding while filling in more detailed information;
S42: providing statistics and process analysis and evaluation of event-related information, using different visual data analysis modes as required;
S43: optimizing the attack scene description model according to the analysis and evaluation opinions on the restoration process.
6. The method according to claim 4, wherein compiling statistics on and evaluating the attack scene restoration process of various network threat events comprises: evaluating the rationality of the description framework, statistically analyzing the usage frequency of entities and key information sequences to adjust scores, and evaluating and analyzing the applicability of the threat event attack scene, thereby facilitating prediction and source tracing of similar events.
CN202110006579.2A 2021-01-05 2021-01-05 Interactive automatic restoration method for network threat event attack scene Active CN112839039B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110006579.2A CN112839039B (en) 2021-01-05 2021-01-05 Interactive automatic restoration method for network threat event attack scene


Publications (2)

Publication Number Publication Date
CN112839039A true CN112839039A (en) 2021-05-25
CN112839039B CN112839039B (en) 2022-02-08

Family

ID=75927642


Country Status (1)

Country Link
CN (1) CN112839039B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113572781A (en) * 2021-07-28 2021-10-29 中国南方电网有限责任公司 Method for collecting network security threat information
CN113591465A (en) * 2021-07-30 2021-11-02 四川大学 Method and device for identifying multidimensional IoC entity based on correlation enhancement network threat intelligence
CN114143109A (en) * 2021-12-08 2022-03-04 安天科技集团股份有限公司 Visual processing method, interaction method and device for attack data
CN114666239A (en) * 2022-03-21 2022-06-24 北京永信至诚科技股份有限公司 Visual display method, device and equipment for network shooting range and readable storage medium
CN115567305A (en) * 2022-09-29 2023-01-03 中国人民解放军国防科技大学 Sequential network attack prediction analysis method based on deep learning

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN104883356A (en) * 2015-04-24 2015-09-02 北京邮电大学 Target model-based network attack detection method
CN111917792A (en) * 2020-08-10 2020-11-10 武汉思普崚技术有限公司 Method and system for analyzing and mining flow safety
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN111988339A (en) * 2020-09-07 2020-11-24 珠海市一知安全科技有限公司 Network attack path discovery, extraction and association method based on DIKW model
CN111988285A (en) * 2020-08-03 2020-11-24 中国电子科技集团公司第二十八研究所 Network attack tracing method based on behavior portrait

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN104883356A (en) * 2015-04-24 2015-09-02 北京邮电大学 Target model-based network attack detection method
CN111988285A (en) * 2020-08-03 2020-11-24 中国电子科技集团公司第二十八研究所 Network attack tracing method based on behavior portrait
CN111917792A (en) * 2020-08-10 2020-11-10 武汉思普崚技术有限公司 Method and system for analyzing and mining flow safety
CN111988339A (en) * 2020-09-07 2020-11-24 珠海市一知安全科技有限公司 Network attack path discovery, extraction and association method based on DIKW model
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
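Jiazhong Lu et al.: "APT Traffic Detection Based on Time Transform", 2016 International Conference on Intelligent Transportation, Big Data & Smart City *
王文娟 et al.: "Cloud platform attack scenario reconstruction based on causal knowledge and spatio-temporal correlation", Computer Science (《计算机科学》) *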

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113572781A (en) * 2021-07-28 2021-10-29 中国南方电网有限责任公司 Method for collecting network security threat information
CN113591465A (en) * 2021-07-30 2021-11-02 四川大学 Method and device for identifying multidimensional IoC entity based on correlation enhancement network threat intelligence
CN113591465B (en) * 2021-07-30 2023-05-09 四川大学 Correlation enhancement-based network threat intelligence multidimensional IoC entity identification method and device
CN114143109A (en) * 2021-12-08 2022-03-04 安天科技集团股份有限公司 Visual processing method, interaction method and device for attack data
CN114143109B (en) * 2021-12-08 2023-11-10 安天科技集团股份有限公司 Visual processing method, interaction method and device for attack data
CN114666239A (en) * 2022-03-21 2022-06-24 北京永信至诚科技股份有限公司 Visual display method, device and equipment for network shooting range and readable storage medium
CN114666239B (en) * 2022-03-21 2023-01-20 北京永信至诚科技股份有限公司 Visual display method, device and equipment for network shooting range and readable storage medium
CN115567305A (en) * 2022-09-29 2023-01-03 中国人民解放军国防科技大学 Sequential network attack prediction analysis method based on deep learning
CN115567305B (en) * 2022-09-29 2024-05-07 中国人民解放军国防科技大学 Sequential network attack prediction analysis method based on deep learning

Also Published As

Publication number Publication date
CN112839039B (en) 2022-02-08

Similar Documents

Publication Publication Date Title
CN112839039B (en) Interactive automatic restoration method for network threat event attack scene
Li et al. Analysis framework of network security situational awareness and comparison of implementation methods
CN102075516A (en) Method for identifying and predicting network multi-step attacks
Khosravi et al. Alerts correlation and causal analysis for APT based cyber attack detection
CN113064932B (en) Network situation assessment method based on data mining
CN115459965A (en) Multistep attack detection method for network security of power system
Okutan et al. Forecasting cyber attacks with imbalanced data sets and different time granularities
Rengarajan et al. Anomaly detection using user entity behavior analytics and data visualization
Moorthy et al. A study of Intrusion Detection using data mining
CN116074092B (en) Attack scene reconstruction system based on heterogram attention network
Zhong et al. Can cyber operations be made autonomous? an answer from the situational awareness viewpoint
Zhu et al. Business process mining based insider threat detection system
Xu Design of intrusion detection system for intelligent mobile network teaching
Falowo et al. Exploration of various machine learning techniques for identifying and mitigating DDoS attacks
Kao et al. MITC Viz: Visual analytics for man-in-the-cloud threats awareness
Higuera et al. Building a dataset through attack pattern modeling and analysis system
Huynh et al. Process mining and security: visualization in database intrusion detection
Zhang et al. Hybrid intrusion detection based on data mining
Miao et al. A study of intrusion detection system based on data mining
Yao et al. A Data Fusion Framework of Multi-Source Heterogeneous Network Security Situational Awareness Based on Attack Pattern
Khan et al. Learning time-based rules for prediction of alarms from telecom alarm data using ant colony optimization
Khobzaoui et al. Data mining Contribution to Intrusion Detection Systems Improvement
Yang et al. A Multi-step Attack Detection Framework for the Power System Network
Chen et al. Vulnerability Correlation, Multi-step Attack and Exploit Chain in Breach and Attack Simulation
Lallement The cybercrime process: an overview of scientific challenges and methods

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant