CN112905996A - Information security traceability system and method based on multi-dimensional data association analysis - Google Patents
- Publication number: CN112905996A (application number CN202110310024.7A)
- Authority: CN (China)
- Prior art keywords: attack, tracing, trace data, attacker, dimension
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All classifications fall under G (PHYSICS), G06 (COMPUTING; CALCULATING OR COUNTING), G06F (ELECTRIC DIGITAL DATA PROCESSING):
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55 Detecting local intrusion or implementing counter-measures)
- G06F16/901: Indexing; Data structures therefor; Storage structures (G06F16/00 Information retrieval; Database structures therefor; File system structures therefor; G06F16/90 Details of database functions independent of the retrieved data types)
- G06F16/90335: Query processing (G06F16/903 Querying)
- G06F16/9038: Presentation of query results (G06F16/903 Querying)
- G06F16/906: Clustering; Classification (G06F16/90 Details of database functions independent of the retrieved data types)
- G06F2216/03: Data mining (G06F2216/00 Indexing scheme relating to additional aspects of information retrieval not explicitly covered by G06F16/00 and subgroups)
Abstract
The invention relates to the technical field of network information security, and in particular to an information security traceability system and method based on multi-dimensional data association analysis. The system comprises: an acquisition module for acquiring attack trace data and target trace data; a sorting module for performing deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event; a construction module for establishing an attacker relation model from feature attributes and an attack trace dimension model from the attack trace data; a judging module for matching feature attributes against the attacker relation model to judge whether a visitor is an attacker and, if so, issuing a source tracing command; and a source tracing module for receiving the source tracing command and performing the tracing. The invention can perform deep tracing and thereby solves the technical problem that the prior art cannot perform deep tracing.
Description
Technical Field
The invention relates to the technical field of network information security, in particular to an information security traceability system and an information security traceability method based on multi-dimensional data correlation analysis.
Background
At present, network attacks of many kinds pose a serious threat to network security, and tracing an attack back to its source is necessary in order to learn about the attacker in detail. Network attack tracing replays the attack path; although this reveals where the attacker came from, it cannot uncover the attacker's behavioural features. Moreover, an attacker usually cleans the system logs once the attack is finished in order to remove the traces of the attack, which makes tracing difficult.
In view of this, Chinese patent CN108769077A discloses a network security traceability analysis method and apparatus, the method comprising the steps of: collecting log information from various network devices in real time, and fixing and storing it; performing deep association analysis and data mining on the collected log information across the dimensions of time and space, and working out the context and attack path of the attack event; acquiring the relevant information and behaviour of the attacker from that context and attack path, extracting feature attributes from them, and establishing an attacker relation model based on the feature attributes; and collecting the relevant information and behaviour of a visitor, matching the visitor's feature attributes against the attacker relation model, and determining whether the visitor is an attacker.
For fusing attack traces from multiple sources, a hierarchical fusion method is mostly used: data-level fusion first, then feature-level fusion, and finally decision-level fusion. For association tracing, the analysis is usually based on time sequence, and the attack steps are determined by analysing the temporal relations between events. In such schemes the targeted data source is single, few data sources are fused, and the data sources cannot be extended, so tracing can only reach the level of a host or an IP address and deep tracing cannot be performed.
Disclosure of Invention
The invention provides an information security traceability system and method based on multi-dimensional data association analysis, which solve the technical problem that the prior art cannot perform deep tracing.
The basic scheme provided by the invention is as follows. An information security traceability system based on multi-dimensional data association analysis comprises:
an acquisition module for acquiring attack trace data and target trace data;
a sorting module for performing deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event, acquiring the relevant information and behaviour of the attacker from that context and attack path, and extracting feature attributes from them;
a construction module for establishing an attacker relation model based on the feature attributes and an attack trace dimension model based on the attack trace data;
a judging module for matching feature attributes against the attacker relation model to judge whether a visitor is an attacker and, if so, issuing a source tracing command;
and a source tracing module for receiving the source tracing command and performing source tracing.
The working principle and advantages of the invention are as follows:
(1) An attack trace dimension model is established from the attack trace data, so that multi-source attack trace data such as network traffic, alarm information, device logs and threat intelligence can be fused. This breaks away from the hierarchical processing mode, reduces the difficulty of data processing, and therefore enables deep tracing.
(2) Attack trace data and target trace data are collected in real time; deep association analysis and data mining are performed on the collected attack trace data to work out the context and attack path of the attack event and so obtain the relevant information and behaviour of the attacker; the feature attributes extracted from them are used to establish an attacker relation model, which helps determine quickly and accurately whether a visitor is an attacker.
The invention breaks away from the hierarchical processing mode, reduces the difficulty of data processing, can perform deep tracing, and solves the technical problem that the prior art cannot perform deep tracing.
Further, the source tracing module comprises:
an analysis unit for analysing the attack trace dimension model to obtain a dimension credibility and analysing the attack trace data to obtain a source credibility, and for establishing a label for the attack trace data according to the attack trace dimension model based on the dimension credibility and the source credibility, the label comprising attack-related information and the corresponding credibility;
an association unit for matching the labelled trace data against a fingerprint database and performing association analysis on the attack trace data according to the labels so as to establish association pairs, calculating the association degree of each association pair from the labels, and forming an association network from the association pairs;
and an output unit for fusing, according to the association degree, the attack-related information of the attack trace data associated with the target trace data in the association network with the attack-related information of the target trace data, so as to obtain and output a tracing result.
Advantages: source tracing is achieved by dimension analysis, credibility judgement, labelling and association fusion of the attack trace data; the attack trace data can be analysed to discover tracing-related clues, and association matching serves the purpose of deep tracing of the attacker.
Further, the sorting unit is also used, before working out the context and attack path of the attack event, to perform deep association analysis and data mining on the collected attack trace data across the dimensions of time and space and to establish a rule base; the tracing information of a suspected attack is compared with the information in the rule base, a tracing graph is constructed by forward (propagation) queries and backward (trace-back) queries, and the context and attack path of the attack event are acquired from the tracing graph.
Advantages: in this way the tracing graph is built from forward and backward queries, the context and attack path of the attack event are obtained from the tracing graph, and whether a visitor is an attacker is determined quickly and accurately.
Further, establishing the attack trace dimension model from the attack trace data specifically comprises: classifying the attack trace data to obtain a classification result; extracting attacker-related clues from the classification result and fusing them to obtain dynamic dimensions, and, based on preset dimensions, extracting the dimension data relevant to those preset dimensions from the classification result to serve as static dimensions; and combining the dynamic dimensions and the static dimensions to obtain the attack trace dimension model.
Advantages: obtaining the dynamic and static dimensions first and then combining them into the attack trace dimension model is conducive to deep tracing.
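The following is an added example, not code from the patent or its applicant, showing the construction and judging steps described above on constructed multi-source trace records: records are classified by source, static dimensions are taken from preset fields, dynamic dimensions are fused attacker clues, an attacker relation model is derived from the feature attributes of a confirmed attacker, and a new visitor is matched against it. The field names, the preset dimension list, the clue fields, the match threshold and the records themselves are assumptions made for the example.

```python
"""Added example (not code from the patent): build an attack trace dimension
model from constructed multi-source trace records, derive an attacker relation
model from the feature attributes of a confirmed attacker, and match a new
visitor against it. Field names, the preset dimension list, the clue fields,
the threshold and the records are assumptions for this example."""
from collections import defaultdict

# Constructed sample records from four sources (documentation IP ranges).
TRACES = [
    {"source": "netflow", "ts": 100, "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "dst_port": 22},
    {"source": "alarm", "ts": 105, "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "rule": "ssh-bruteforce"},
    {"source": "devlog", "ts": 130, "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10",
     "user_agent": "curl/7.68.0", "tool": "hydra"},
    {"source": "intel", "ts": 0, "src_ip": "203.0.113.7", "asn": "AS64496", "tag": "scanner"},
    {"source": "netflow", "ts": 200, "src_ip": "198.51.100.4", "dst_ip": "192.0.2.11", "dst_port": 443},
    {"source": "devlog", "ts": 205, "src_ip": "198.51.100.4", "dst_ip": "192.0.2.11", "user_agent": "Mozilla/5.0"},
]

# Preset (static) dimensions, and the clue fields fused per attacker into dynamic dimensions.
STATIC_DIMENSIONS = ("src_ip", "dst_ip", "dst_port", "ts")
CLUE_FIELDS = ("tool", "user_agent", "asn", "rule", "tag")


def classify(traces):
    """Step 1: the classification result, here grouping records by data source."""
    by_source = defaultdict(list)
    for t in traces:
        by_source[t["source"]].append(t)
    return dict(by_source)


def build_dimension_model(traces):
    """Steps 2 and 3: static dimensions come straight from the preset fields;
    dynamic dimensions fuse the clue values of all sources, keyed by src_ip.
    Both are combined into one model."""
    static = {d: set() for d in STATIC_DIMENSIONS}
    dynamic = defaultdict(lambda: defaultdict(set))
    for records in classify(traces).values():
        for r in records:
            for d in STATIC_DIMENSIONS:
                if d in r:
                    static[d].add(r[d])
            for f in CLUE_FIELDS:
                if f in r:
                    dynamic[r["src_ip"]][f].add(r[f])
    return {"static": static, "dynamic": {ip: dict(v) for ip, v in dynamic.items()}}


def build_attacker_model(traces, dim_model):
    """Attacker relation model: the feature attributes (fused clues plus the
    ports targeted) of every src_ip that an alarm record confirms as attacker."""
    attackers = {t["src_ip"] for t in traces if t["source"] == "alarm"}
    model = {}
    for ip in attackers:
        attrs = set()
        for field, values in dim_model["dynamic"].get(ip, {}).items():
            attrs.update(f"{field}={v}" for v in values)
        attrs.update(f"dst_port={t['dst_port']}" for t in traces
                     if t["src_ip"] == ip and "dst_port" in t)
        model[ip] = attrs
    return model


def judge_visitor(visitor, model, threshold=0.5):
    """S4: compare a visitor's feature attributes with each attacker profile.
    Returns (is_attacker, best matching attacker ip, share of attributes matched).
    The visitor's own src_ip is deliberately ignored, so a changed address
    alone does not defeat the match."""
    v_attrs = {f"{k}={v}" for k, v in visitor.items() if k != "src_ip"}
    best_ip, best_score = None, 0.0
    for ip, attrs in model.items():
        score = len(v_attrs & attrs) / len(attrs) if attrs else 0.0
        if score > best_score:
            best_ip, best_score = ip, score
    return best_score >= threshold, best_ip, best_score


if __name__ == "__main__":
    model = build_attacker_model(TRACES, build_dimension_model(TRACES))
    visitor = {"src_ip": "203.0.113.99", "tool": "hydra", "user_agent": "curl/7.68.0",
               "asn": "AS64496", "dst_port": 22}
    print(judge_visitor(visitor, model))
```

The visitor in the usage call comes from an address never seen before, yet four of the attacker's six known attributes (tool, user agent, ASN, targeted port) recur, so the match succeeds; a profile keyed only on IP address, which is the limitation the background section attributes to the prior art, would have missed it.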
The invention also provides an information security tracing method based on multi-dimensional data association analysis, comprising the following steps:
S1, collecting attack trace data and target trace data;
S2, performing deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event, acquiring the relevant information and behaviour of the attacker from that context and attack path, and extracting feature attributes from them;
S3, establishing an attacker relation model based on the feature attributes, and an attack trace dimension model based on the attack trace data;
S4, matching feature attributes against the attacker relation model to judge whether a visitor is an attacker and, if so, issuing a source tracing command;
S5, receiving the source tracing command and performing source tracing.
The working principle and advantages of the invention are as follows: an attack trace dimension model is established from the attack trace data, so that multi-source attack trace data such as network traffic, alarm information, device logs and threat intelligence can be fused; this breaks away from the hierarchical processing mode, reduces the difficulty of data processing, and therefore enables deep tracing.
Further, S5 specifically comprises:
S51, analysing the attack trace dimension model to obtain a dimension credibility and analysing the attack trace data to obtain a source credibility; establishing a label for the attack trace data according to the attack trace dimension model based on the dimension credibility and the source credibility, the label comprising attack-related information and the corresponding credibility;
S52, matching the labelled trace data against a fingerprint database and performing association analysis on the attack trace data according to the labels to establish association pairs; calculating the association degree of each association pair from the labels, and forming an association network from the association pairs;
S53, fusing, according to the association degree, the attack-related information of the attack trace data associated with the target trace data in the association network with the attack-related information of the target trace data, so as to obtain and output a tracing result.
Advantages: source tracing is achieved by dimension analysis, credibility judgement, labelling and association fusion of the attack trace data; the attack trace data can be analysed to discover tracing-related clues, and association matching serves the purpose of deep tracing of the attacker.
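The following is an added example, not code from the patent, that carries steps S51 to S53 through on constructed records: each record gets a label with attack-related information and a credibility (source credibility times a dimension credibility), labelled records are matched against a fingerprint database, association pairs and their degrees form an association network, and the information of everything associated with a target trace is fused, weighted by association degree, into a tracing result. The source credibilities, the dimension weights, the time window, the pruning threshold, the fingerprint database and the records are all assumptions made for the example; the patent states none of them.

```python
"""Added example (not the patent's own code): the S5 source tracing procedure
over constructed multi-source trace records: credibility labels (S51),
fingerprint-database matching and an association network (S52), and fusion
into a tracing result for one target trace (S53). Source credibilities,
dimension weights, the fingerprint database and the records are assumptions."""
from collections import defaultdict, deque

SOURCE_CREDIBILITY = {"intel": 0.9, "alarm": 0.8, "devlog": 0.7, "netflow": 0.6}
# Fields on which two records may be paired, and how strongly each associates them.
DIMENSION_WEIGHT = {"src_ip": 1.0, "fingerprint": 0.9, "asn": 0.5, "dst_ip": 0.3}
# Constructed fingerprint database: tool fingerprint -> attribution information.
FINGERPRINT_DB = {"curl/7.68.0+hydra": {"campaign": "bruteforce-wave-1"}}
TIME_WINDOW = 600  # seconds; pairs further apart in time are associated more weakly
INFO_FIELDS = ("src_ip", "dst_ip", "asn", "tool", "rule")

# Constructed sample records (documentation IP ranges; not real data).
TRACES = [
    {"id": "n1", "source": "netflow", "ts": 100, "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10"},
    {"id": "a1", "source": "alarm", "ts": 105, "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "rule": "ssh-bruteforce"},
    {"id": "d1", "source": "devlog", "ts": 130, "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10",
     "user_agent": "curl/7.68.0", "tool": "hydra"},
    {"id": "i1", "source": "intel", "ts": 100, "src_ip": "203.0.113.7", "asn": "AS64496"},
    {"id": "d2", "source": "devlog", "ts": 400, "src_ip": "203.0.113.42", "dst_ip": "192.0.2.12",
     "user_agent": "curl/7.68.0", "tool": "hydra"},
    {"id": "i2", "source": "intel", "ts": 400, "src_ip": "203.0.113.42", "asn": "AS64496"},
    {"id": "n2", "source": "netflow", "ts": 200, "src_ip": "198.51.100.4", "dst_ip": "192.0.2.11"},
]


def dimension_credibility(record, traces):
    """Dimension credibility: fraction of the data sources that independently
    report this record's src_ip. Corroborated values are trusted more."""
    seen = {t["source"] for t in traces if t["src_ip"] == record["src_ip"]}
    return len(seen) / len(SOURCE_CREDIBILITY)


def make_label(record, traces):
    """S51: attach attack-related information and a credibility to a record."""
    info = {k: record[k] for k in INFO_FIELDS if k in record}
    if "user_agent" in record and "tool" in record:
        info["fingerprint"] = record["user_agent"] + "+" + record["tool"]
    cred = SOURCE_CREDIBILITY[record["source"]] * dimension_credibility(record, traces)
    return {"id": record["id"], "ts": record["ts"], "info": info, "credibility": cred}


def match_fingerprints(labels):
    """S52, first part: enrich labelled records whose fingerprint is in the database."""
    for lab in labels:
        lab["info"].update(FINGERPRINT_DB.get(lab["info"].get("fingerprint"), {}))
    return labels


def association_degree(a, b):
    """Degree of an association pair: strongest shared dimension, scaled by the
    weaker credibility, halved when the records are far apart in time."""
    shared = [d for d in DIMENSION_WEIGHT if d in a["info"] and a["info"][d] == b["info"].get(d)]
    if not shared:
        return 0.0
    time_factor = 1.0 if abs(a["ts"] - b["ts"]) <= TIME_WINDOW else 0.5
    return max(DIMENSION_WEIGHT[d] for d in shared) * min(a["credibility"], b["credibility"]) * time_factor


def build_association_network(labels):
    """S52, second part: every pair with a positive degree becomes an edge."""
    net = defaultdict(dict)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            deg = association_degree(a, b)
            if deg > 0:
                net[a["id"]][b["id"]] = deg
                net[b["id"]][a["id"]] = deg
    return dict(net)


def trace_source(target_id, labels, net, min_degree=0.1):
    """S53: gather the records reachable from the target (path degree is the
    product of edge degrees, pruned below min_degree) and fuse their
    attack-related information, weighting each value by path degree times
    credibility. Returns the winning value and score per field."""
    by_id = {lab["id"]: lab for lab in labels}
    reach = {target_id: 1.0}
    queue = deque([target_id])
    while queue:
        cur = queue.popleft()
        for nxt, deg in net.get(cur, {}).items():
            d = reach[cur] * deg
            if d >= min_degree and d > reach.get(nxt, 0.0):
                reach[nxt] = d
                queue.append(nxt)
    votes = defaultdict(lambda: defaultdict(float))
    for rid, d in reach.items():
        for field, value in by_id[rid]["info"].items():
            votes[field][value] += d * by_id[rid]["credibility"]
    fused = {f: max(c.items(), key=lambda kv: kv[1]) for f, c in votes.items()}
    return {"fields": fused, "evidence": sorted(reach)}


def run(target_id="n1"):
    labels = match_fingerprints([make_label(t, TRACES) for t in TRACES])
    return trace_source(target_id, labels, build_association_network(labels))


if __name__ == "__main__":
    print(run())
```

Tracing from the netflow record n1 pulls in the alarm, device log and intelligence records for the same source address, and then, through the shared tool fingerprint and ASN, the later records d2 and i2 from a second address, so the result attributes both addresses to one attacker while the unrelated record n2 never enters the evidence. Raising min_degree or lowering the time window weakens those cross-address links first, which is the knob a practitioner would tune against false associations.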
Drawings
Fig. 1 is a system structure block diagram of an embodiment of an information security traceability system based on multidimensional data association analysis.
Detailed Description
The following is described in further detail by means of specific embodiments:
Example 1
An embodiment is substantially as shown in Figure 1 and comprises:
an acquisition module for acquiring attack trace data and target trace data;
a sorting module for performing deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event, acquiring the relevant information and behaviour of the attacker from that context and attack path, and extracting feature attributes from them;
a construction module for establishing an attacker relation model based on the feature attributes and an attack trace dimension model based on the attack trace data;
a judging module for matching feature attributes against the attacker relation model to judge whether a visitor is an attacker and, if so, issuing a source tracing command;
and a source tracing module for receiving the source tracing command and performing source tracing.
In this embodiment the acquisition module, sorting module, construction module, judging module and source tracing module are all integrated on one server, and their functions are implemented by software (programs, code or computer instructions).
The specific implementation process is as follows:
First, the acquisition module acquires attack trace data and target trace data, for example the log information of various network devices; once collected, the log information is fixed and stored.
Then the sorting module performs deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event, acquires the relevant information and behaviour of the attacker from that context and attack path, and extracts feature attributes from them.
Next, the construction module establishes an attacker relation model based on the feature attributes and an attack trace dimension model based on the attack trace data. In this embodiment, establishing the attack trace dimension model from the attack trace data comprises the following steps: first, classifying the attack trace data to obtain a classification result; second, extracting attacker-related clues from the classification result and fusing them to obtain dynamic dimensions, and, based on preset dimensions, extracting the dimension data relevant to those preset dimensions from the classification result to serve as static dimensions; third, combining the dynamic dimensions and the static dimensions to obtain the attack trace dimension model. Obtaining the dynamic and static dimensions first and then combining them into the attack trace dimension model is conducive to deep tracing.
Then the judging module matches the feature attributes against the attacker relation model to judge whether the visitor is an attacker and, if so, issues a source tracing command.
Finally, the source tracing module receives the source tracing command and performs source tracing. In this embodiment the source tracing module comprises an analysis unit, an association unit and an output unit, and the tracing process comprises the following steps: first, the analysis unit analyses the attack trace dimension model to obtain a dimension credibility and the attack trace data to obtain a source credibility, and establishes a label for the attack trace data according to the attack trace dimension model based on the dimension credibility and the source credibility, the label comprising attack-related information and the corresponding credibility; second, the association unit matches the labelled trace data against a fingerprint database, performs association analysis on the attack trace data according to the labels to establish association pairs, calculates the association degree of each association pair from the labels, and forms an association network from the association pairs; third, the output unit fuses, according to the association degree, the attack-related information of the attack trace data associated with the target trace data in the association network with the attack-related information of the target trace data to obtain a tracing result, and outputs it.
Based on the above embodiment, the invention also discloses an information security tracing method based on multi-dimensional data association analysis, comprising:
S1, collecting attack trace data and target trace data;
S2, performing deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event, acquiring the relevant information and behaviour of the attacker from that context and attack path, and extracting feature attributes from them;
S3, establishing an attacker relation model based on the feature attributes, and an attack trace dimension model based on the attack trace data;
S4, matching feature attributes against the attacker relation model to judge whether a visitor is an attacker and, if so, issuing a source tracing command;
S5, receiving the source tracing command and performing source tracing.
S5 specifically comprises:
S51, analysing the attack trace dimension model to obtain a dimension credibility and analysing the attack trace data to obtain a source credibility; establishing a label for the attack trace data according to the attack trace dimension model based on the dimension credibility and the source credibility, the label comprising attack-related information and the corresponding credibility;
S52, matching the labelled trace data against a fingerprint database and performing association analysis on the attack trace data according to the labels to establish association pairs; calculating the association degree of each association pair from the labels, and forming an association network from the association pairs;
S53, fusing, according to the association degree, the attack-related information of the attack trace data associated with the target trace data in the association network with the attack-related information of the target trace data, so as to obtain and output a tracing result.
Example 2
This embodiment differs from embodiment 1 only in that, before working out the context and attack path of the attack event, the sorting unit additionally performs deep association analysis and data mining on the collected attack trace data across the dimensions of time and space and establishes a rule base; the tracing information of a suspected attack is then compared with the information in the rule base, a tracing graph is constructed by forward (propagation) queries and backward (trace-back) queries, and the context and attack path of the attack event are acquired from the tracing graph. In this way the tracing graph is built from the two kinds of query, the context and attack path of the attack event are obtained from it, and whether a visitor is an attacker is determined quickly and accurately.
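The following is an added example, not code from the patent, showing the rule base and the two query directions of this embodiment on constructed event records: a backward (trace-back) query walks rule-matched edges from the suspected host backwards in time to the origin, a forward (propagation) query walks forward from that origin to everything it reached, and the union is the tracing graph from which the attack path is read. The event kinds, the stage names in the rule base, the choice of the latest matching edge in the backward walk and the records are assumptions made for the example.

```python
"""Added example (not from the patent): a rule base plus forward (propagation)
and backward (trace-back) queries over constructed event records, producing a
tracing graph and the attack path leading to a suspected host. Event kinds,
stage names, the rule base and the records are assumptions for this example."""
from collections import namedtuple, deque

Event = namedtuple("Event", "src dst ts kind")

# Constructed event records (documentation IP ranges; not real traffic).
EVENTS = [
    Event("203.0.113.7", "192.0.2.10", 100, "ssh-bruteforce"),
    Event("192.0.2.20", "192.0.2.40", 120, "backup-sync"),   # routine, before the compromise
    Event("192.0.2.15", "192.0.2.20", 250, "http-get"),      # benign neighbour traffic
    Event("192.0.2.10", "192.0.2.20", 300, "smb-lateral"),
    Event("192.0.2.20", "192.0.2.30", 500, "rdp-lateral"),
    Event("192.0.2.30", "198.51.100.9", 700, "dns-exfil"),
]

# Rule base from earlier association analysis: event kind -> attack stage.
RULE_BASE = {
    "ssh-bruteforce": "initial-access",
    "smb-lateral": "lateral-movement",
    "rdp-lateral": "lateral-movement",
    "dns-exfil": "exfiltration",
}


def backward_query(events, rule_base, suspect, before):
    """Trace-back query: starting at the suspected host, follow the latest
    rule-matched edge into each node backwards in time.
    Returns {node: edge that led into it}; the origin has no entry."""
    pred = {}
    frontier = deque([(suspect, before)])
    while frontier:
        node, t = frontier.popleft()
        if node in pred:
            continue
        for e in sorted(events, key=lambda e: e.ts, reverse=True):
            if e.dst == node and e.ts <= t and e.kind in rule_base:
                pred[node] = e
                frontier.append((e.src, e.ts))
                break
    return pred


def forward_query(events, rule_base, origin, start):
    """Propagation query: from the origin, follow rule-matched edges forwards
    in time, never earlier than the moment the node itself was reached.
    Returns {node: edge that reached it}; the origin maps to None."""
    reached, first_seen = {origin: None}, {origin: start}
    frontier = deque([origin])
    while frontier:
        node = frontier.popleft()
        for e in sorted(events, key=lambda e: e.ts):
            if e.src == node and e.ts >= first_seen[node] and e.kind in rule_base and e.dst not in reached:
                reached[e.dst] = e
                first_seen[e.dst] = e.ts
                frontier.append(e.dst)
    return reached


def build_tracing_graph(events, rule_base, suspect, before):
    """Combine both queries into a tracing graph and read off the attack path
    (origin to suspect, each hop labelled with its stage from the rule base)."""
    pred = backward_query(events, rule_base, suspect, before)
    path, node, seen = [], suspect, set()
    while node in pred and node not in seen:
        seen.add(node)
        e = pred[node]
        path.append((e.src, e.dst, e.ts, rule_base[e.kind]))
        node = e.src
    origin = node
    path.reverse()
    reached = forward_query(events, rule_base, origin, 0)
    edges = set(pred.values()) | {e for e in reached.values() if e is not None}
    return {"origin": origin, "nodes": set(pred) | set(reached),
            "edges": sorted(edges, key=lambda e: e.ts), "attack_path": path}


if __name__ == "__main__":
    # Suspected attack clue: host 192.0.2.30 flagged at t=600.
    print(build_tracing_graph(EVENTS, RULE_BASE, "192.0.2.30", 600))
```

The backward walk ignores the benign http-get into 192.0.2.20 because it matches no rule, and the forward walk ignores the backup-sync out of that host because it predates the host being reached; what remains is the four-hop chain from the external address through two internal hosts to the exfiltration destination. Running the same query with a clue time earlier than the first lateral hop yields an empty attack path, which is the signal that the rule base or the time bound needs revisiting rather than a reason to guess an origin.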
Example 3
This embodiment differs from embodiment 2 only in that the information security concern here is mainly system vulnerabilities, and system vulnerabilities are introduced by software. At present, tracing of system vulnerabilities mainly follows this idea: logs are taken as the basis, alarm information is used for verification, traffic usage serves as an auxiliary judgement, and the tracing mode of the response mechanism is static rather than dynamic. In this embodiment, considering the case where a system vulnerability is introduced by software, it is first determined from the user's usage frequency whether a piece of software is commonly used or rarely used. For example, a usage frequency of at least 1 time per day counts as commonly used software, and anything below that as rarely used software. Rarely used software has its data automatically migrated to network storage, and a link or address for the data in the network storage is generated. In this embodiment, the decision policy is adjusted adaptively according to the rate of change of the usage frequency. For example, a rate of change of 0.2 means the usage frequency rises by 0.2 times per day, i.e. the software is used more and more, and it is re-classified from rarely used to commonly used; conversely, a rate of change of -0.2 means the usage frequency falls by 0.2 times per day, i.e. the software is used less and less, and it is re-classified from commonly used to rarely used. The adaptive matching of the software is then judged.
Specifically, in this embodiment, for the case of a software upgrade, suppose there are two pieces of software: software A, whose upgraded version is A1 or A2, and software B, whose upgraded version is B1 or B2. If A1 is compatible with B1 but A2 is not compatible with B2, then when upgrading to A2 or B2, A2 is upgraded preferentially and B2 is deleted or replaced by version B1. In this way a situation that is not a system vulnerability is prevented from being misjudged as one, which would otherwise affect the subsequent judgement and tracing.
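The following is an added example, not code from the patent, that applies the policy of this embodiment to constructed daily usage counts: software is classified by average usage frequency, re-classified adaptively from the rate of change of that frequency, rarely used software is planned for migration to network storage, and a compatible version pair is chosen for a coupled upgrade. The thresholds are the ones stated in the text (1 use per day, a rate of plus or minus 0.2 uses per day per day); the usage series, the use of a least-squares slope as the rate, the network storage path, and the assumption that A2 is compatible with B1 are all made up for the example.

```python
"""Added example (not the patent's own code): the software classification
policy of example 3 applied to constructed daily usage counts. Thresholds
follow the text (1 use/day; a rate of +/-0.2 uses/day per day); the usage
series, the network storage path and the compatibility table are assumptions."""

FREQ_THRESHOLD = 1.0   # uses per day; at or above this the software is "common"
RATE_THRESHOLD = 0.2   # change in uses/day per day that triggers re-classification
NETWORK_STORE = "//nas/archive"   # assumed location for migrated software


def usage_frequency(daily_counts):
    """Average uses per day over the observed window."""
    return sum(daily_counts) / len(daily_counts)


def usage_rate(daily_counts):
    """Least-squares slope of the daily counts: how fast the frequency rises
    (positive) or falls (negative), in uses/day per day."""
    n = len(daily_counts)
    mean_x = (n - 1) / 2
    mean_y = sum(daily_counts) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(range(n), daily_counts))
    return sxy / sxx if sxx else 0.0


def classify(daily_counts):
    """Initial decision: commonly used ("common") or rarely used ("rare")."""
    return "common" if usage_frequency(daily_counts) >= FREQ_THRESHOLD else "rare"


def adapt(current, daily_counts):
    """Adaptive adjustment: a clearly rising rate promotes rare -> common,
    a clearly falling rate demotes common -> rare; otherwise unchanged."""
    rate = usage_rate(daily_counts)
    if current == "rare" and rate >= RATE_THRESHOLD:
        return "common"
    if current == "common" and rate <= -RATE_THRESHOLD:
        return "rare"
    return current


def plan(name, daily_counts):
    """Decide what to do with one piece of software: rarely used software is
    migrated to network storage and replaced locally by a link to it."""
    cls = adapt(classify(daily_counts), daily_counts)
    if cls == "rare":
        return {"software": name, "class": cls, "action": "migrate",
                "link": f"{NETWORK_STORE}/{name}"}
    return {"software": name, "class": cls, "action": "keep"}


def choose_upgrade(a_versions, b_versions, compatible):
    """Version selection for a coupled upgrade: prefer the newest version of A,
    then the newest version of B compatible with it; if none is, B is removed
    (None). Version lists are ordered oldest to newest."""
    a_new = a_versions[-1]
    for b in reversed(b_versions):
        if (a_new, b) in compatible:
            return a_new, b
    return a_new, None


if __name__ == "__main__":
    samples = {"editor": [3, 3, 2, 2, 1, 1, 1],     # common but falling fast
               "scanner": [0, 0, 0, 1, 1, 1, 2],    # rare but rising fast
               "viewer": [1, 0, 1, 1, 0, 1, 1]}     # rare and flat
    for name, counts in samples.items():
        print(plan(name, counts))
    # A1/B1 compatible and A2/B2 incompatible as in the text; A2/B1 assumed compatible.
    print(choose_upgrade(["A1", "A2"], ["B1", "B2"], {("A1", "B1"), ("A2", "B1")}))
```

With these series the "editor" averages well above one use per day yet is demoted because its slope is about -0.39, and the "scanner" averages below one use per day yet is promoted because its slope is about +0.32; only the flat "viewer" keeps its initial class. Measuring the rate over a window rather than from two adjacent days is what keeps a single quiet day from bouncing software in and out of the archive.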
The foregoing is merely an embodiment of the present invention. Common general knowledge of known specific structures and characteristics is not described here beyond what was known in the art at the filing date or before the priority date of the application, so that those skilled in the art, who are able to apply all of the above techniques in this field together with routine experimentation known before that date, can combine them with one or more of the present teachings to complete and implement the invention; certain typical known structures or known methods pose no impediment to its implementation by those skilled in the art. It should be noted that those skilled in the art can make several changes and modifications without departing from the structure of the invention, which should also be regarded as falling within its scope of protection and which do not affect the effect of its implementation or the practicability of the patent. The scope of the claims of the present application is determined by the content of the claims, and the description of the embodiments and the like in the specification serves to interpret the claims.
Claims (6)
1. An information security traceability system based on multi-dimensional data association analysis, characterised by comprising:
an acquisition module for acquiring attack trace data and target trace data;
a sorting module for performing deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event, acquiring the relevant information and behaviour of the attacker from that context and attack path, and extracting feature attributes from them;
a construction module for establishing an attacker relation model based on the feature attributes and an attack trace dimension model based on the attack trace data;
a judging module for matching feature attributes against the attacker relation model to judge whether a visitor is an attacker and, if so, issuing a source tracing command;
and a source tracing module for receiving the source tracing command and performing source tracing.
2. The information security traceability system based on multi-dimensional data association analysis as claimed in claim 1, wherein the source tracing module comprises:
an analysis unit for analysing the attack trace dimension model to obtain a dimension credibility and analysing the attack trace data to obtain a source credibility, and for establishing a label for the attack trace data according to the attack trace dimension model based on the dimension credibility and the source credibility, the label comprising attack-related information and the corresponding credibility;
an association unit for matching the labelled trace data against a fingerprint database and performing association analysis on the attack trace data according to the labels so as to establish association pairs, calculating the association degree of each association pair from the labels, and forming an association network from the association pairs;
and an output unit for fusing, according to the association degree, the attack-related information of the attack trace data associated with the target trace data in the association network with the attack-related information of the target trace data, so as to obtain and output a tracing result.
3. The information security traceability system based on multi-dimensional data association analysis as claimed in claim 2, wherein the sorting unit is further configured, before working out the context and attack path of the attack event, to perform deep association analysis and data mining on the collected attack trace data across the dimensions of time and space and to establish a rule base; and to compare the tracing information of a suspected attack with the information in the rule base, construct a tracing graph by forward (propagation) queries and backward (trace-back) queries, and acquire the context and attack path of the attack event from the tracing graph.
4. The information security traceability system based on multi-dimensional data association analysis as claimed in claim 3, wherein establishing the attack trace dimension model from the attack trace data specifically comprises: classifying the attack trace data to obtain a classification result; extracting attacker-related clues from the classification result and fusing them to obtain dynamic dimensions, and, based on preset dimensions, extracting the dimension data relevant to those preset dimensions from the classification result to serve as static dimensions; and combining the dynamic dimensions and the static dimensions to obtain the attack trace dimension model.
5. An information security tracing method based on multi-dimensional data association analysis, characterised by comprising the following steps:
S1, collecting attack trace data and target trace data;
S2, performing deep association analysis on the attack trace data across the dimensions of time and space to obtain the context and attack path of the attack event, acquiring the relevant information and behaviour of the attacker from that context and attack path, and extracting feature attributes from them;
S3, establishing an attacker relation model based on the feature attributes, and an attack trace dimension model based on the attack trace data;
S4, matching feature attributes against the attacker relation model to judge whether a visitor is an attacker and, if so, issuing a source tracing command;
S5, receiving the source tracing command and performing source tracing.
6. The information security tracing method based on multi-dimensional data correlation analysis according to claim 5, wherein S5 specifically includes:
S51, analyzing the attack trace dimension model to obtain dimension reliability, and analyzing the attack trace data to obtain source reliability; establishing a label for the attack trace data according to the attack trace dimension model based on the dimension reliability and the source reliability, wherein the label comprises attack-related information and the corresponding reliability;
S52, performing fingerprint database comparison and matching on the trace data after the label is established, and performing correlation analysis on the attack trace data according to the label to establish association pairs; calculating the association degree of each association pair according to the label, and forming an association network from the association pairs;
and S53, fusing the attack-related information of the attack trace data related to the target trace data in the association network with the attack-related information of the target trace data according to the association degree to obtain a tracing result, and outputting the tracing result.
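The following is an added illustration of steps S51 to S53 as claimed above; it is not code from the patent or its applicant. The claims give no formulas, so the reliability product, the agreement-based association degree, the edge threshold, the fingerprint database contents and the weighted-vote fusion are all assumptions made here, and every trace, IP address, fingerprint and domain is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

FINGERPRINT_DB = {"fp-constructed-1": "actor-A"}  # constructed fingerprint DB (S52)
@dataclass
class Trace:
    trace_id: str
    attrs: dict        # attack-related information from the trace (S51)
    source_rel: float  # source reliability, 0..1 (S51)
    dim_rel: float     # dimension reliability from the dimension model, 0..1 (S51)
    def label(self):
        # S51: tag every attribute with reliability = source x dimension (assumed rule).
        rel = round(self.source_rel * self.dim_rel, 4)
        lab = {k: (v, rel) for k, v in self.attrs.items()}
        actor = FINGERPRINT_DB.get(self.attrs.get("tool_fp"))  # S52: fingerprint match
        if actor:
            lab["actor"] = (actor, rel)
        return lab
def association_degree(a, b):
    # S52: agreeing attributes weighted by the weaker reliability, over the union size.
    la, lb = a.label(), b.label()
    agree = sum(min(la[k][1], lb[k][1]) for k in set(la) & set(lb) if la[k][0] == lb[k][0])
    return round(agree / max(len(set(la) | set(lb)), 1), 4)
def build_network(traces, threshold=0.2):
    # S52: pairs whose degree reaches the threshold become edges of the association network.
    net = defaultdict(dict)
    for a, b in combinations(traces, 2):
        d = association_degree(a, b)
        if d >= threshold:
            net[a.trace_id][b.trace_id] = net[b.trace_id][a.trace_id] = d
    return net
def trace_source(target, traces, net):
    # S53: fuse linked traces' info with the target's own labels; each
    # neighbour's vote is weighted by association degree x reliability.
    by_id = {t.trace_id: t for t in traces}
    votes = defaultdict(lambda: defaultdict(float))
    for k, (v, rel) in target.label().items():
        votes[k][v] += rel
    for nid, d in net.get(target.trace_id, {}).items():
        for k, (v, rel) in by_id[nid].label().items():
            votes[k][v] += d * rel
    return {k: max(c.items(), key=lambda kv: kv[1]) for k, c in votes.items()}
SAMPLE = [  # constructed traces: documentation IP ranges, made-up fingerprints and domains
    Trace("t1", {"src_ip": "203.0.113.5", "tool_fp": "fp-constructed-1", "c2": "bad.example"}, 0.9, 0.8),
    Trace("t2", {"src_ip": "203.0.113.5", "c2": "bad.example"}, 0.8, 0.5),
    Trace("t3", {"src_ip": "198.51.100.9", "tool_fp": "fp-constructed-2"}, 0.7, 0.7),
    Trace("tgt", {"src_ip": "203.0.113.5", "tool_fp": "fp-constructed-1"}, 0.6, 1.0),
]
```

Running `trace_source(SAMPLE[3], SAMPLE, build_network(SAMPLE))` attributes the target trace to "actor-A" and inherits the "c2" value from the strongly linked trace t1, while t2 (one shared attribute, low reliability) stays below the edge threshold.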
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110310024.7A CN112905996A (en) | 2021-03-23 | 2021-03-23 | Information security traceability system and method based on multi-dimensional data association analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112905996A true CN112905996A (en) | 2021-06-04 |
Family
ID=76106140
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110310024.7A Pending CN112905996A (en) | 2021-03-23 | 2021-03-23 | Information security traceability system and method based on multi-dimensional data association analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112905996A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140230059A1 (en) * | 2011-12-07 | 2014-08-14 | Beijing Runstone Technology Incorporation | Method and Apparatus for Tracing Attack Source of Abnormal Network Traffic |
CN108769077A (en) * | 2018-07-06 | 2018-11-06 | 武汉思普崚技术有限公司 | A kind of method and device of network security Source Tracing |
CN110545250A (en) * | 2018-05-29 | 2019-12-06 | 国际关系学院 | Tracing method for fusion association of multi-source attack traces |
- 2021-03-23 CN CN202110310024.7A patent/CN112905996A/en active Pending
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113612749A (en) * | 2021-07-27 | 2021-11-05 | 华中科技大学 | Intrusion behavior-oriented tracing data clustering method and device |
CN113742718A (en) * | 2021-07-30 | 2021-12-03 | 国家工业信息安全发展研究中心 | Industrial Internet equipment attack path restoration method, related equipment and system |
CN113742718B (en) * | 2021-07-30 | 2022-04-19 | 国家工业信息安全发展研究中心 | Industrial Internet equipment attack path restoration method, related equipment and system |
CN114185937A (en) * | 2021-11-03 | 2022-03-15 | 王伟强 | Big data tracing method and system based on digital finance |
Similar Documents
Publication | Title |
---|---|
US11003773B1 (en) | System and method for automatically generating malware detection rule recommendations |
US9300682B2 (en) | Composite analysis of executable content across enterprise network |
CN112905996A (en) | Information security traceability system and method based on multi-dimensional data association analysis |
US20180191755A1 (en) | Network security using inflated files for anomaly detection |
CN110602029B (en) | Method and system for identifying network attack |
CN107294953B (en) | Attack operation detection method and device |
CN111931173A (en) | APT attack intention-based operation authority control method |
KR101676366B1 (en) | Attacks tracking system and method for tracking malware path and behaviors for the defense against cyber attacks |
CN107547490B (en) | Scanner identification method, device and system |
CN112491779B (en) | Abnormal behavior detection method and device and electronic equipment |
EP3272097B1 (en) | Forensic analysis |
CN113704328B (en) | User behavior big data mining method and system based on artificial intelligence |
CN109547466B (en) | Method and device for improving risk perception capability based on machine learning, computer equipment and storage medium |
US20170277887A1 (en) | Information processing apparatus, information processing method, and computer readable medium |
CN113079141A (en) | Network security situation perception system and method based on artificial intelligence |
CN113190839A (en) | Web attack protection method and system based on SQL injection |
US20190294803A1 (en) | Evaluation device, security product evaluation method, and computer readable medium |
CN112668005A (en) | Webshell file detection method and device |
CN113704772B (en) | Safety protection processing method and system based on user behavior big data mining |
CN112817877B (en) | Abnormal script detection method and device, computer equipment and storage medium |
US11436322B2 (en) | Vehicle unauthorized access countermeasure taking apparatus and vehicle unauthorized access countermeasure taking method |
CN110233848B (en) | Asset situation analysis method and device |
CN115051874B (en) | Multi-feature CS malicious encrypted traffic detection method and system |
CN108540471B (en) | Mobile application network traffic clustering method, computer readable storage medium and terminal |
CN115859305A (en) | Knowledge graph-based industrial control security situation sensing method and system |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | Application publication date: 20210604 |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |