CN112866266A - Malicious code protection method based on self-culture algorithm and suitable for power industrial control network - Google Patents


Info

Publication number
CN112866266A
Authority
CN
China
Prior art keywords
files
file
malicious code
industrial control
self
Prior art date
Legal status
Pending
Application number
CN202110111555.3A
Other languages
Chinese (zh)
Inventor
毕玉冰
刘超飞
崔逸群
陈燕
殷儒希
朱博迪
介银娟
王文庆
董夏昕
邓楠轶
高原英
Current Assignee
Xian Thermal Power Research Institute Co Ltd
Huaneng Power International Inc
Original Assignee
Xian Thermal Power Research Institute Co Ltd
Huaneng Power International Inc
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

The invention discloses a malicious code protection method based on a self-culture algorithm that is suitable for an electric power industrial control network. The method analyzes the upload and download traffic of all files in the electric power industrial control network, extracts the files, places them in a culture room for execution and monitoring, monitors the operation process and effect of the files, calculates a threat coefficient for each file with the self-culture algorithm based on the monitoring results, marks a file as malicious code if its threat coefficient exceeds a specified threshold, places the malicious code in a malicious code library, and feeds the monitoring result back to the user host; the user host then searches whether the file exists, matches it against the files in the malicious code library if it does, and starts the malicious code searching and killing process if the match succeeds. Malicious code in the electric power industrial control network can thus be automatically identified, updated, and searched and killed without manual intervention, which effectively solves the problem that the searching and killing function becomes invalid because the internal-network malicious code protection system cannot update its feature library and virus library in time, owing to the physical isolation between the internal and external networks of the electric power industrial control network.

Description

Malicious code protection method based on self-culture algorithm and suitable for power industrial control network
Technical Field
The invention belongs to the technical field of networks, and particularly relates to a malicious code protection method based on a self-culture algorithm and suitable for an electric power industrial control network.
Background
The electric power industrial control network is the network through which the production and management information systems of power plants such as thermal power plants, hydropower stations, wind power plants and photovoltaic power stations perform data acquisition, equipment control, data transmission, parameter adjustment, signal alarms and similar functions, and it is infrastructure for the normal production and operation of the plants. To ensure that a power plant's industrial control network is not attacked from the internet, the electric power industrial control system usually uses physical isolation from the internet; and to prevent the application systems inside the electric power industrial control network from being infected by malicious code such as viruses, trojans and worms, a malicious code protection program is deployed on the application systems to provide malicious code identification, analysis, searching and killing, and similar protection functions.
Therefore, a protection method capable of automatically identifying, automatically updating, and automatically searching and killing malicious codes needs to be provided in combination with the actual service characteristics of the power industrial control network.
Disclosure of Invention
The invention aims to provide a malicious code protection method based on a self-culture algorithm and suitable for an electric power industrial control network, and effectively solves the problem that a searching and killing function is invalid because an internal network malicious code protection system cannot update a feature library and a virus library in time due to physical isolation of an internal network and an external network of the electric power industrial control system.
In order to achieve the purpose, the invention adopts the following technical scheme:
the malicious code protection method based on the self-culture algorithm and suitable for the power industrial control network comprises the following steps:
analyzing the upload and download traffic of all files in the electric power industrial control network, extracting the files from the traffic, placing the files in a culture room for execution, and monitoring continuously for a certain time; monitoring the operation process and effect of the files in the culture room; calculating the threat coefficient of the files with the self-culture algorithm based on the monitoring results; marking a file as malicious code if its threat coefficient exceeds a specified threshold, placing it in the malicious code library, and feeding the monitoring result back to the user host; and the user host starting a self-scanning program to search whether the file exists, matching it against the files in the malicious code library if it exists, and starting the malicious code searching and killing process if the match succeeds.
Therefore, to solve the problem that the virus library and feature library cannot be updated in time because of the physical isolation of the industrial control network, malicious code files are extracted automatically, a culture room consistent with the environment of the production host is created, the malicious code is placed in the culture room so that its operation process can be monitored and recorded, the recorded data are analyzed and calculated with the self-culture algorithm to obtain the threat coefficient of the file, the threat coefficient is compared with a threshold obtained from experimental statistics to identify malicious code automatically, the file is then placed automatically in the malicious code library so that the virus library and feature library are updated automatically, and finally the protection program of the industrial control host is triggered automatically to start the searching and killing process, so that malicious code is searched and killed automatically.
Therefore, after the method and device are applied, the problem of how to update the virus library and feature library of the malicious code protection program in time under the physical isolation of the power industrial control network is effectively solved; the problem that the existing protection program depends on manual offline updating, so that updates are late and incomplete and the system becomes infected with malicious code, is solved; the security of the power industrial control network is improved; and the safety of power production is ensured.
Drawings
Fig. 1 is a schematic flow chart of a malicious code protection method based on a self-culture algorithm according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Examples
The embodiment of the invention discloses a malicious code protection method based on a self-culture algorithm and suitable for an electric power industrial control network, which comprises the following steps; a flow chart of the method is shown in Fig. 1.
S01: analyzing the upload and download traffic of all files in the electric power industrial control network, extracting the files from the traffic, placing the files in a culture room for execution, and monitoring continuously for a certain time.
The method for placing the file extracted from the traffic into the culture room is briefly described as follows:
it comprises a file extraction method and a culture room creation method;
the file extraction method comprises the following steps: a malicious code protection program is installed on each power industrial control host; the program monitors all traffic generated by the local host and the network; when a file upload behaviour is found, the uploaded file is copied from the traffic, compressed with the zip compression algorithm and stored in temporary disk space, and the malicious code protection program is notified to create a culture room matching the current operating system environment. The notification content comprises the type, version, disk space and memory size of the current operating system, the extracted file, and the file format;
the culture room creation method comprises the following steps: after receiving the notification to create a culture room, the malicious code protection program uses container technology to call up a container that meets the requirements stated in the notification and opens it; if no container meeting the requirements exists, the malicious code protection program creates a container with the corresponding operating system type, version, disk space and memory size, deploys the program for the corresponding file format, opens the container, and stores the file included in the notification in the container.
S02: the operation process and effect of the file in the culture room are monitored.
The method for executing the file in the culture room and monitoring its operation process and effect is briefly described as follows:
the file is opened with the execution program for the corresponding file type that is already deployed in the container of the culture room, simulating the process of a person executing the file by a normal click.
Monitoring the operation process and effect of the file in the culture room comprises recording the changes in the operating system environment after the execution program opens the file, including registry information changes, process changes, memory changes, file system changes, network traffic changes, operating system screen changes and user group changes, and recording these changes in a text record. The recording is performed every 30 minutes for 24 hours, 48 times in total, and each result is appended to the text record.
S03: and calculating the threat coefficient of the file by adopting a self-culture algorithm based on the monitoring condition.
The method for calculating the file threat coefficient by adopting the self-culture algorithm is briefly introduced as follows:
the self-culture algorithm is a weighting model based on the results of the Kohonen self-organizing feature mapping algorithm, and the specific method comprises the following steps:
Threat coefficient initialization: the initial value of each weight between the input layer and the mapping layer is set with a random number;
Input of the input vector: each data item in the text record of the file monitored in the culture room is taken as the input vector $x = (x_1, x_2, x_3, \ldots, x_{48})$ of the input layer, where $x_i$ represents the hash value of each record, normalized according to the following formula:
Figure BDA0002919485560000041
where max is the maximum hash value of the sample data and min is the minimum hash value of the sample data;
Calculating the distance between the weight vectors of the mapping layer and the input vector: the Euclidean distance between each neuron's weight vector in the mapping layer and the input vector is computed. The distance $d_j$ between the $j$-th neuron of the mapping layer and the input vector is:
Figure BDA0002919485560000042
where $w_{ij}$ is the weight between the $i$-th neuron of the input layer and the $j$-th neuron of the mapping layer, and $x_i$ is the normalized hash value of each record.
Selecting the neuron with the minimum distance: the neuron whose weight vector is closest to the input vector is computed and selected; if $d_j$ is the minimum, that neuron is called the winning neuron, denoted $j^*$, and a set of neighbouring neurons is given;
Weight learning: the weights of the winning neuron and its neighbouring neurons are updated by the following formula:
$\Delta w_{ij} = \eta\, h(j, j^*)\,(x_i - w_{ij})$
where $\eta$ is a constant greater than 0 and less than 1.
Figure BDA0002919485560000051
where $\sigma^2$ decreases as learning progresses, so $h(j, j^*)$ also narrows slowly as learning progresses.
Obtaining the final threat coefficient: when the winning neuron and the neurons near it are all close to the input vector, the file is considered to match a certain type of threat, and the $i$ and $j$ at that time are substituted into the threat coefficient calculation formula:
Figure BDA0002919485560000052
where $E$ is the threat coefficient.
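The S03 steps above, as an added example that is not the patent's own code: it runs the self-culture weighting steps the description names (random initial weights, min-max normalized record hashes as the 48-element input vector, Euclidean distance to each mapping-layer neuron, winner selection, and the neighbourhood-weighted update with a shrinking σ²) on constructed monitoring records. The record hash, the Gaussian form of h(j, j*), the ring-shaped map, η and the σ² schedule are assumptions; the closed form of E is not reproduced on this page, so score_file() returns the winning neuron's final distance rather than E.

```python
"""Added example (not code from the patent): the S03 self-culture steps on
constructed data. Assumptions not on the page: the record hash is the first
8 bytes of SHA-256 of the record text; h(j, j*) is a Gaussian in grid distance
on a 1-D ring of MAP_SIZE neurons; eta, epochs and the sigma^2 schedule are
chosen here. The threat coefficient E is not reproduced on the page, so
score_file() returns the winner's final distance d_j* instead of E.
"""
import hashlib
import math
import random
from typing import List, Tuple

N_RECORDS = 48      # one record every 30 minutes for 24 hours (from the page)
MAP_SIZE = 8        # mapping-layer neurons (assumption)


def build_constructed_records() -> List[str]:
    """48 constructed monitoring records in the change categories the page lists."""
    fields = ["registry", "process", "memory", "filesystem", "network", "screen", "usergroup"]
    records = []
    for k in range(N_RECORDS):
        # constructed: no changes for the first samples, then activity in every category
        changes = {f: (k * 7 + i * 3) % 5 if k > 10 else 0 for i, f in enumerate(fields)}
        records.append(f"t={k * 30}min " + " ".join(f"{f}={v}" for f, v in changes.items()))
    return records


def record_hash(record: str) -> int:
    """Hash value of one record (assumption: first 8 bytes of SHA-256 as an int)."""
    return int.from_bytes(hashlib.sha256(record.encode()).digest()[:8], "big")


def normalize(values: List[int]) -> List[float]:
    """(x - min) / (max - min) over the sample, matching the page's max/min description."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0] * len(values)
    return [(v - lo) / (hi - lo) for v in values]


def init_weights(rng: random.Random) -> List[List[float]]:
    """w[j][i]: weight between input neuron i and mapping neuron j, random start."""
    return [[rng.random() for _ in range(N_RECORDS)] for _ in range(MAP_SIZE)]


def distance(w_j: List[float], x: List[float]) -> float:
    """d_j: Euclidean distance between mapping neuron j's weight vector and x."""
    return math.sqrt(sum((xi - wi) ** 2 for xi, wi in zip(x, w_j)))


def winner(w: List[List[float]], x: List[float]) -> Tuple[int, float]:
    """j*: the mapping neuron with the smallest d_j, and that distance."""
    ds = [distance(w_j, x) for w_j in w]
    j_star = min(range(MAP_SIZE), key=ds.__getitem__)
    return j_star, ds[j_star]


def neighbourhood(j: int, j_star: int, sigma2: float) -> float:
    """h(j, j*): Gaussian in ring distance (assumption); narrows as sigma2 shrinks."""
    ring = min(abs(j - j_star), MAP_SIZE - abs(j - j_star))
    return math.exp(-(ring ** 2) / (2.0 * sigma2))


def train(x: List[float], w: List[List[float]], eta: float = 0.5,
          epochs: int = 60) -> List[List[float]]:
    """Apply dw_ij = eta * h(j, j*) * (x_i - w_ij); sigma^2 decreases each epoch."""
    for epoch in range(epochs):
        sigma2 = 4.0 * (1.0 - epoch / epochs) + 0.05   # decreasing schedule (assumption)
        j_star, _ = winner(w, x)
        for j in range(MAP_SIZE):
            h = neighbourhood(j, j_star, sigma2)
            for i in range(N_RECORDS):
                w[j][i] += eta * h * (x[i] - w[j][i])
    return w


def score_file(records: List[str], seed: int = 1) -> Tuple[int, float]:
    """Run the S03 steps on one file's 48 records; returns (j*, final d_j*)."""
    x = normalize([record_hash(r) for r in records])
    w = train(x, init_weights(random.Random(seed)))
    return winner(w, x)


if __name__ == "__main__":
    j_star, d = score_file(build_constructed_records())
    print(f"winning neuron {j_star}, final distance {d:.6f}")
```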
S04: if the threat coefficient of the file exceeds a specified threshold value, the file is marked as a malicious code, then the malicious code is put into a malicious code library, and a monitoring result is fed back to a user host; and the user host starts a self-scanning program to search whether the file exists, if so, the file is matched with the file in the malicious code library, and if the matching is successful, the malicious code searching and killing process is started.
The method for setting the threshold in the invention is briefly described as follows:
a suitable threshold is selected according to industry statistical experience and laboratory test data:
thermal power industrial control environment: threshold 1000; hydropower industrial control environment: threshold 500; other industrial control environments: threshold 200.
The method by which the user host starts the self-scanning program and searches whether the file exists is briefly described as follows:
the user host starts the self-scanning program; the user host is provided with a malicious code protection program, and when the library of the malicious code protection program is updated, the protection program on the user host automatically performs one malicious code scan to search whether a file matching the updated malicious code exists, and if such a file is found, the malicious code is searched and killed;
the malicious code searching and killing mode comprises the following steps: the malicious code is placed in an isolation area, the file is deleted, and the file's execution permission is changed to read-only.
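The S04 host-side step, as an added example that is not code from the patent: a library update triggers a self-scan that matches files by hash against the malicious code library, and a matched file is moved into an isolation area (which removes it from its original location) and made read-only. The page does not say how files are matched, so SHA-256 matching, the library class and the temporary file tree are assumptions.

```python
"""Added example (not the patent's code): library update -> host self-scan ->
isolate matched file. Assumptions: files are matched by SHA-256; the host
tree and the flagged sample are constructed in a temporary directory.
"""
import hashlib
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class MaliciousCodeLibrary:
    """hash -> label; update() is the event that triggers the host self-scan."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}
        self.version = 0

    def update(self, digest: str, label: str) -> None:
        self.entries[digest] = label
        self.version += 1


def self_scan(root: Path, library: MaliciousCodeLibrary) -> List[Path]:
    """Walk the host tree and return files whose hash is in the library."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and sha256_of(p) in library.entries:
            hits.append(p)
    return hits


def isolate(path: Path, isolation_dir: Path) -> Path:
    """Move the file into the isolation area and strip write and execute bits."""
    isolation_dir.mkdir(parents=True, exist_ok=True)
    dest = isolation_dir / (sha256_of(path) + ".quarantined")
    shutil.move(str(path), str(dest))       # removes it from the original location
    dest.chmod(stat.S_IRUSR)                # owner read-only, no execute
    return dest


def run_demo() -> dict:
    """Constructed host tree: one benign file and one file the culture room flagged."""
    base = Path(tempfile.mkdtemp(prefix="icsdemo_"))
    host = base / "host"
    host.mkdir()
    (host / "report.txt").write_bytes(b"daily load report (constructed, benign)\n")
    flagged = host / "update.exe"
    flagged.write_bytes(b"MZ constructed sample flagged by the culture room\n")

    lib = MaliciousCodeLibrary()
    lib.update(sha256_of(flagged), "threat coefficient over threshold")  # S04 library update
    hits = self_scan(host, lib)                                           # triggered self-scan
    isolated = [isolate(p, base / "isolation") for p in hits]
    read_only = all(not (q.stat().st_mode & (stat.S_IWUSR | stat.S_IXUSR)) for q in isolated)

    result = {"hits": len(hits), "original_removed": not flagged.exists(),
              "isolated_readonly": read_only, "library_version": lib.version}
    shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(run_demo())
```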
In conclusion, the beneficial effects of the invention are as follows:
the invention is specially designed for the characteristics of physical isolation between an industrial power control network of power plants such as thermal power plants, hydropower stations, wind power plants, photovoltaic power stations and the like and the Internet, combines the characteristics of power production services, and starts from the aspect of malicious code characteristic self-culture to perform behavior monitoring and threat coefficient calculation on all files in the industrial power control network in a safe isolated culture room, thereby realizing automatic identification, automatic update and automatic searching and killing of malicious codes, and effectively solving the problem that a malicious code protection system in an internal network cannot update a characteristic library and a virus library in time and cause searching and killing function failure caused by physical isolation of internal and external networks of the industrial power control system.
The invention does not need the intervention of personnel, reduces the workload of the administrator, improves the management efficiency and does not influence the normal production business of the electric power.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. The malicious code protection method based on the self-culture algorithm and suitable for the power industrial control network is characterized by comprising the following steps of:
analyzing the upload and download traffic of all files in the electric power industrial control network, extracting the files from the traffic, placing the files in a culture room for execution, and monitoring continuously for a certain time; monitoring the operation process and effect of the files in the culture room; calculating the threat coefficient of the files with the self-culture algorithm based on the monitoring results; marking a file as malicious code if its threat coefficient exceeds a specified threshold, placing it in the malicious code library, and feeding the monitoring result back to the user host; and the user host starting a self-scanning program to search whether the file exists, matching it against the files in the malicious code library if it exists, and starting the malicious code searching and killing process if the match succeeds.
2. The method of claim 1, wherein placing the file extracted from the traffic into the culture room comprises:
a file extraction method and a culture room creation method;
the file extraction method comprises the following steps: a malicious code protection program is installed on each power industrial control host; the program monitors all traffic generated by the local host and the network; when a file upload behaviour is found, the uploaded file is copied from the traffic, compressed with the zip compression algorithm and stored in temporary disk space, and the malicious code protection program is notified to create a culture room matching the current operating system environment; the notification content comprises the type, version, disk space and memory size of the current operating system, the extracted file, and the file format;
the culture room creation method comprises the following steps: after receiving the notification to create a culture room, the malicious code protection program uses container technology to call up a container that meets the requirements stated in the notification and opens it; if no container meeting the requirements exists, the malicious code protection program creates a container with the corresponding operating system type, version, disk space and memory size, deploys the program for the corresponding file format, opens the container, and stores the file included in the notification in the container.
3. The method of claim 1, wherein executing the file in the culture room and monitoring the operation process and effect of the file in the culture room comprises:
opening the file with the execution program for the corresponding file type that is already deployed in the container, simulating the process of a person executing the file by a normal click;
monitoring the operation process and effect of the file in the culture room comprises recording the changes in the operating system environment after the execution program opens the file, including registry information changes, process changes, memory changes, file system changes, network traffic changes, operating system screen changes and user group changes, in a text record; the recording is performed every 30 minutes for 24 hours, 48 times in total, and each result is appended to the text record.
4. The method of claim 1, wherein the method of calculating the threat coefficients for the document using a self-culture algorithm based on the monitored condition comprises:
the self-culture algorithm is a weighting model based on the results of the Kohonen self-organizing feature mapping algorithm, and the method for calculating the threat coefficient of the file comprises the following steps:
threat coefficient initialization: the initial value of each weight between the input layer and the mapping layer is set with a random number;
input of the input vector: each data item in the text record of the file monitored in the culture room is taken as the input vector $x = (x_1, x_2, x_3, \ldots, x_{48})$ of the input layer, where $x_i$ represents the hash value of each record, normalized according to the following formula:
Figure FDA0002919485550000021
where max is the maximum hash value of the sample data and min is the minimum hash value of the sample data;
calculating the distance between the weight vectors of the mapping layer and the input vector: the Euclidean distance between each neuron's weight vector in the mapping layer and the input vector is computed; the distance $d_j$ between the $j$-th neuron of the mapping layer and the input vector is:
Figure FDA0002919485550000031
where $w_{ij}$ is the weight between the $i$-th neuron of the input layer and the $j$-th neuron of the mapping layer, and $x_i$ is the normalized hash value of each record;
selecting the neuron with the minimum distance: the neuron whose weight vector is closest to the input vector is computed and selected; if $d_j$ is the minimum, that neuron is called the winning neuron, denoted $j^*$, and a set of neighbouring neurons is given;
weight learning: the weights of the winning neuron and its neighbouring neurons are updated by the following formula:
$\Delta w_{ij} = \eta\, h(j, j^*)\,(x_i - w_{ij})$
where $\eta$ is a constant greater than 0 and less than 1,
Figure FDA0002919485550000032
where $\sigma^2$ decreases as learning progresses, so $h(j, j^*)$ also narrows slowly as learning progresses;
obtaining the final threat coefficient: when the winning neuron and the neurons near it are all close to the input vector, the file is considered to match a certain type of threat, and the $i$ and $j$ at that time are substituted into the threat coefficient calculation formula:
Figure FDA0002919485550000033
where $E$ is the threat coefficient.
5. The method of claim 1, wherein the threshold is set by a method comprising:
the threshold is chosen according to the following statistical experience:
thermal power industrial control environment: threshold 1000; hydropower industrial control environment: threshold 500; other industrial control environments: threshold 200.
6. The method of claim 1, wherein the user host starts a self-scanning program, and the method of searching whether the file exists comprises:
the user host starts the self-scanning program, wherein the user host is provided with a malicious code protection program, and when the library of the malicious code protection program is updated, the protection program on the user host automatically performs one malicious code scan to search whether a file matching the updated malicious code exists, and if such a file is found, the malicious code is searched and killed;
the malicious code searching and killing mode comprises the following steps: the malicious code is placed in an isolation area, the file is deleted, and the file's execution permission is changed to read-only.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110111555.3A CN112866266A (en) 2021-01-27 2021-01-27 Malicious code protection method based on self-culture algorithm and suitable for power industrial control network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110111555.3A CN112866266A (en) 2021-01-27 2021-01-27 Malicious code protection method based on self-culture algorithm and suitable for power industrial control network

Publications (1)

Publication Number Publication Date
CN112866266A true CN112866266A (en) 2021-05-28

Family

ID=76009601

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110111555.3A Pending CN112866266A (en) 2021-01-27 2021-01-27 Malicious code protection method based on self-culture algorithm and suitable for power industrial control network

Country Status (1)

Country Link
CN (1) CN112866266A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113688392A (en) * 2021-09-07 2021-11-23 南方电网科学研究院有限责任公司 Malicious code attack resisting method based on power Internet of things and related device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102651088A (en) * 2012-04-09 2012-08-29 南京邮电大学 Classification method for malicious code based on A_Kohonen neural network
CN111464526A (en) * 2020-03-30 2020-07-28 深信服科技股份有限公司 Network intrusion detection method, device, equipment and readable storage medium
CN112261029A (en) * 2020-10-16 2021-01-22 北京锐驰信安技术有限公司 DDoS malicious code detection and tracing method based on breeding

Similar Documents

Publication Publication Date Title
CN101924762B (en) Cloud security-based active defense method
Sharma et al. An improved network intrusion detection technique based on k-means clustering via Naïve bayes classification
CN112235283A (en) Vulnerability description attack graph-based network attack evaluation method for power engineering control system
CN108259498B (en) Intrusion detection method and system based on BP algorithm of artificial bee colony optimization
EP2737683A1 (en) Method and system for classifying a protocol message in a data communication network
Hodo et al. Anomaly detection for simulated iec-60870-5-104 trafiic
CN110830467A (en) Network suspicious asset identification method based on fuzzy prediction
CN116956282B (en) Abnormality detection system based on network asset memory time sequence multi-feature data
CN115396204A (en) Industrial control network flow abnormity detection method and device based on sequence prediction
Sezari et al. Anomaly-based network intrusion detection model using deep learning in airports
CN111935189B (en) Industrial control terminal strategy control system and industrial control terminal strategy control method
CN114090406A (en) Electric power Internet of things equipment behavior safety detection method, system, equipment and storage medium
CN112866266A (en) Malicious code protection method based on self-culture algorithm and suitable for power industrial control network
CN111144472A (en) Attack identification method based on GBDT algorithm and photovoltaic grid-connected interface device
CN116248362A (en) User abnormal network access behavior identification method based on double-layer hidden Markov chain
CN116865994A (en) Network data security prediction method based on big data
CN108121912B (en) Malicious cloud tenant identification method and device based on neural network
CN117675274A (en) Data center system based on SOAR
Alosefer et al. Predicting client-side attacks via behaviour analysis using honeypot data
KR102453253B1 (en) Systerm for detecting livestock respiratory disease based on deep learning sound analysis technology
CN116260627A (en) APT detecting system based on data tracing graph label
CN112839053B (en) Electric power industrial control network malicious code protection system based on self-culture
CN115473667A (en) APT attack sequence detection method based on subgraph matching
CN114935923A (en) New energy edge industrial control system vulnerability detection method based on raspberry group
CN111475380B (en) Log analysis method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210528