CN112910865B - Inference attack stage maximum likelihood estimation method and system based on factor graph - Google Patents


Publication number
CN112910865B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110076266.4A
Other languages
Chinese (zh)
Other versions
CN112910865A (en)
Inventor
李腾
谢凡
仇渝淇
温子祺
刘鸣宇
刘睿涵
沈玉龙
马建峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00 Computing arrangements based on specific mathematical models
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks

Abstract

A factor graph-based maximum likelihood estimation method and system for inferring attack stages are disclosed. The method comprises the following steps: extracting attack event-attack stage doublet sequences from an APT data set; training on the attack event-attack stage doublet sequences to obtain the relevant parameters and generate a probability transition matrix; receiving an attack chain and constructing a corresponding factor graph, converting the attack stages of the attack chain into nodes and factor functions of the factor graph; and processing the factor graph to obtain the maximum likelihood estimate of the attack stage sequence corresponding to the attack chain. The system comprises a sequence extraction module, a probability transition matrix generation module, a factor graph construction module and an attack stage inference module. The method offers high accuracy, fast computation and strong extensibility.

Description

Inference attack stage maximum likelihood estimation method and system based on factor graph
Technical Field
The invention belongs to the field of network security and relates in particular to a factor graph-based maximum likelihood estimation method and system for inferring attack stages, used to process an attack that has already occurred and infer its attack stages.
Background
With the rapid development of interconnected digital technology, the demand for network bandwidth increases year by year, and higher demands are placed on the convenience and security of network access; the importance of network security is self-evident.
An advanced persistent threat (APT) can infiltrate a target system and remain there for a long time without being discovered. The targets of these attacks are carefully chosen and studied, especially large enterprise or government networks, and the consequences are serious. Such attacks are difficult to detect or prevent, but they leave clues in different places, so it is vital to perform inference analysis on the attack chain, constructing a factor graph to understand the malicious processes of the attack chain and prevent system damage.
Because the relevant personnel cannot train on large amounts of data, judgments can only be made from experience. Such judgment demands a great deal of experience and familiarity with many attack techniques. Attacks occur almost instantaneously, so the conventional approach described above is inefficient. It is therefore important to develop a method that efficiently infers the attack stages corresponding to an attack chain, although such a method is relatively complex to implement.
Disclosure of Invention
The invention aims to address the low efficiency and poor results of attack-stage inference in the prior art by providing a factor graph-based maximum likelihood estimation method and system for inferring attack stages, so that attack stages can be inferred quickly and efficiently.
To achieve this purpose, the invention adopts the following technical scheme:
A factor graph-based maximum likelihood estimation method for inferring attack stages comprises the following steps:
- extracting attack event-attack stage doublet sequences from the APT data set;
- training on the attack event-attack stage doublet sequences to obtain the relevant parameters and generate a probability transition matrix;
- receiving an attack chain and constructing a corresponding factor graph, converting the attack stages of the attack chain into nodes and factor functions of the factor graph;
- processing the factor graph to obtain the maximum likelihood estimate of the attack stage sequence corresponding to the attack chain.
Preferably, the factor graph factorizes a global function with multiple variables to obtain a product of several local functions, so as to express probability relations between different events; the factor function is used for connecting related nodes.
Preferably, the joint probability of the variables in the factor graph is as follows:
Figure BDA0002907594230000021
X_i represents the variables related to the factor function f_i;
the stability of the variables in the factor graph is represented by an energy function, which serves as a measure of the accuracy of the factor graph inference model and is expressed as follows:
Figure BDA0002907594230000022
Preferably, the relevant parameters are the factor functions f_{1-Basic}(x), f_{1-Commonality}(x) and f_2(x, y);
f_1(x) is the function connecting nodes e and s, representing the relationship between event e and the corresponding attack phase s; f_1(x) is the common expression of f_{1-Basic}(x) and f_{1-Commonality}(x), expressed in the form of an exponential function. f_2(x, y) is the transition function connecting the s nodes, representing how attack stages influence one another in the time dimension. The expression of f_2(x, y) is f_2(x, y) = Matrix[x][y], where Matrix is the single-step probability transition matrix of a homogeneous Markov chain obtained in the training phase, and the entry in row x, column y of the matrix is the probability that σ_x triggers σ_y at the next time step.
Preferably, the factor graph is processed by a Loopy Belief Propagation algorithm to obtain a maximum likelihood estimation of the attack stage sequence.
Preferably, the Loopy Belief Propagation algorithm is given a number of iterations and an energy function; the smaller the value of the energy function, the more stable the probability distribution. Message passing stops when the number of iterations reaches the set value or the value of the energy function falls below a critical value.
Preferably, the Loopy Belief Propagation algorithm is optimized through the following specific steps:
- Initialization;
messages are initialized so that the sum of all messages around a node is 1, i.e.
Figure BDA0002907594230000031
- Message update;
the node that is to send a message receives and integrates the messages from other nodes and sends a new message to the selected node;
message updates are divided into two types:
1) a node of the factor graph passes a message to a factor function:
Figure BDA0002907594230000032
ne(s) denotes the nodes adjacent to node s;
the sending node multiplies together the messages from its adjacent nodes, excluding the node that is to receive the message, and passes the product to the target node;
2) a factor function passes a message to a node of the factor graph:
Figure BDA0002907594230000033
this message is a summation ranging over all values of the variables related to f, where f is the node sending the message, with the value of s held fixed; s is the node to which the message is sent, and its value is taken to be i;
the messages sent to f by all other adjacent variable nodes s', excluding the node the message is being sent to, are multiplied together, and the summation takes into account the values of the variables s' that the factor involves.
The invention also provides a factor graph-based maximum likelihood estimation system for inferring attack stages, which comprises:
the sequence extraction module, used for extracting attack event-attack stage doublet sequences from the APT data set;
the probability transition matrix generation module, used for training on the attack event-attack stage doublet sequences to obtain the relevant parameters and generate a probability transition matrix;
the factor graph construction module is used for receiving the attack chain and constructing a corresponding factor graph, and converting the attack stage of the attack chain into nodes and factor functions of the factor graph;
and the attack stage inference module is used for processing the factor graph to obtain the maximum likelihood estimation of the attack stage sequence corresponding to the attack chain.
The invention also proposes a computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method for maximum likelihood estimation of an inference attack phase based on a factor graph.
Compared with the prior art, the invention has the following beneficial effects. The whole inference process comprises three phases: training, factor graph construction and factor graph inference. Inference over the factor graph model reveals the attack stage behind each attack event, which supports better source tracing and reconstruction of the attack. The factor functions are obtained in the training phase; nodes are then constructed in the factor graph construction phase, and appropriate factor functions obtained in the training phase are selected and added to the factor graph. Finally, in the factor graph inference phase, the factor graph completed in the previous phase is used to obtain the maximum likelihood estimate of the attack stage chain, completing the inference. The invention uses a large number of APT reports as training samples, making full use of existing APT reports to improve the system's own inference capability. By constructing the factor graph, the system can infer attack stages accurately and efficiently instead of passively waiting for the next attack. The invention can be applied effectively in the field of network security as a means of analyzing APTs that have already occurred.
Furthermore, the factor graph is calculated in stages and modules through the Loopy Belief Propagation algorithm, so that a large amount of joint probability calculation is avoided, and the calculation is further accelerated compared with a traditional marginal probability calculation-based method.
Drawings
FIG. 1 is a flow chart of the method for maximum likelihood estimation of an inference attack stage based on a factor graph;
FIG. 2 is a statistical chart of the time consumed by attack-stage inference in the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
Referring to fig. 1, the factor graph-based maximum likelihood estimation method for inferring attack stages mainly includes the following three stages: training, factor graph construction and factor graph inference. First, APT data are collected from sources (published APT data sets, APT data in papers), then preprocessed and normalized. Next, the normalized data are used for training to obtain the parameters the system needs. Then an input attack chain is received, and the corresponding factor nodes and factor functions are constructed. Finally, the maximum likelihood estimate of the attack stages is obtained using the Loopy Belief Propagation algorithm.
The embodiment of the invention discloses a method for inferring the maximum likelihood estimation of an attack stage based on a factor graph, which comprises the following steps:
Step 1: data collection and preprocessing;
(1) defining the APT sequence:
a single event e_i: the event occurring at time i;
a single attack phase s_i: the attack phase at time i;
in practice, an APT is composed of a plurality of events and their corresponding attack phases, and therefore the following definitions are given:
E_c: the sequence of events e occurring in order;
S_c: the sequence of attack phases corresponding to each event in the sequence;
(2) defining APT sampling;
the i-th APT is denoted A_i;
(3) preprocessing and normalizing the data;
(4) inputting the sampled data into the system;
each APT inputs its information into the system for processing in the form of a (sequence of events, sequence of attack phases) doublet, e.g. (32311220,15014352) (the numbers representing the corresponding attack events or attack phases are given in the table below).
Stage   Name
σ_0     Initial Reconnaissance
σ_1     Initial Compromise
σ_2     Establish Foothold
σ_3     Escalate Privileges
σ_4     Internal Reconnaissance
σ_5     Maintain Presence
σ_6     Complete Mission
Step 2: training on the obtained data set to obtain the corresponding parameters;
the following parameters are obtained:
f_1(x) = exp{q(E_c, S_c)}, where P(E_c, S_c) represents E_c-S_c, and:
Figure BDA0002907594230000061
f_2(x, y) = Matrix[x][y];
Matrix is the single-step probability transition matrix of a homogeneous Markov chain obtained in the training phase.
The entry in row x, column y of the matrix is the probability that σ_x triggers σ_y at the next time step.
Step 3: receiving the input attack chain and constructing the factor graph;
(1) Constructing nodes: the events of the test data are read in sequence, and for each one an event node e_i and the unknown attack stage node s_i corresponding to e_i are added to the factor graph.
(2) Selecting factor functions and adding them to the factor graph:
Adding f_1(x): events e_i are classified according to two characteristics, and the factor function is constructed according to the classification, which increases the complexity of the factor graph, improves the fault tolerance of subsequent inference, and reduces inference deviation.
Adding f_2(x, y): adjacent s_i and s_{i-1} are connected by a single f_2(x, y).
At this point the system has constructed a complete factor graph.
Step 4: performing factor graph inference using the Loopy Belief Propagation algorithm;
the maximum likelihood estimate of the attack stages is calculated using the Loopy Belief Propagation algorithm.
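Steps 1 to 4 can be exercised end to end on a small chain. The following Python is an added example, not code from the patent: the training doublets are constructed, event and stage ids are single digits as in the doublet format above, f_1 is assumed to be a smoothed relative frequency, and the message updates are the standard sum-product forms matching the prose descriptions. The stopping test uses the largest message change in place of the energy function, because those formulas are not reproduced on this page.

```python
N_STAGES = 7  # sigma_0 .. sigma_6 from the stage table


def parse_pair(events, stages):
    """Split a digit-string doublet, e.g. ("32311220", "15014352"), into id lists."""
    if len(events) != len(stages):
        raise ValueError("event and stage sequences must have equal length")
    return [int(c) for c in events], [int(c) for c in stages]


def normalize(vec):
    total = sum(vec)
    return [v / total for v in vec]


def train(pairs, n_events, alpha=0.1):
    """Return (f1, f2): f1[e][s] links event e to stage s, f2[x][y] = Matrix[x][y]."""
    # Assumption: f1 is the smoothed relative frequency of event e within stage s.
    emit = [[alpha] * n_events for _ in range(N_STAGES)]
    trans = [[alpha] * N_STAGES for _ in range(N_STAGES)]
    for ev_str, st_str in pairs:
        events, stages = parse_pair(ev_str, st_str)
        for e, s in zip(events, stages):
            emit[s][e] += 1
        for x, y in zip(stages, stages[1:]):
            trans[x][y] += 1
    emit = [normalize(row) for row in emit]
    f1 = [[emit[s][e] for s in range(N_STAGES)] for e in range(n_events)]
    return f1, [normalize(row) for row in trans]


def build_factor_graph(events, f1, f2):
    """Map factor name -> (scope, table); scope holds indices of the s_i nodes."""
    factors = {}
    for i, e in enumerate(events):
        factors[("f1", i)] = ((i,), f1[e])         # e_i is observed: f1 is unary in s_i
        if i > 0:
            factors[("f2", i)] = ((i - 1, i), f2)  # one f2 joins s_{i-1} and s_i
    return factors


def loopy_bp(n_vars, factors, max_iters=50, tol=1e-9):
    """Sum-product message passing; returns one belief vector per s_i."""
    uniform = [1.0 / N_STAGES] * N_STAGES          # every initial message sums to 1
    edges = [(f, v) for f, (scope, _) in factors.items() for v in scope]
    f2v = {edge: uniform[:] for edge in edges}

    def product_into(v, skip=None):
        out = [1.0] * N_STAGES
        for (g, u), msg in f2v.items():
            if u == v and g != skip:
                out = [a * b for a, b in zip(out, msg)]
        return normalize(out)

    for _ in range(max_iters):
        # 1) node -> factor: product of the messages from the node's other factors
        v2f = {(v, f): product_into(v, skip=f) for f, v in edges}
        # 2) factor -> node: sum over the other variable, target value held fixed
        new = {}
        for f, v in edges:
            scope, table = factors[f]
            if len(scope) == 1:
                msg = list(table)
            elif v == scope[1]:
                inc = v2f[(scope[0], f)]
                msg = [sum(table[x][y] * inc[x] for x in range(N_STAGES))
                       for y in range(N_STAGES)]
            else:
                inc = v2f[(scope[1], f)]
                msg = [sum(table[x][y] * inc[y] for y in range(N_STAGES))
                       for x in range(N_STAGES)]
            new[(f, v)] = normalize(msg)
        delta = max((abs(a - b) for k in edges for a, b in zip(f2v[k], new[k])),
                    default=0.0)
        f2v = new
        if delta < tol:                            # stand-in for the energy threshold
            break
    return [product_into(v) for v in range(n_vars)]


def infer_stages(event_str, f1, f2):
    """Most probable stage for each event of a digit-string attack chain."""
    events = [int(c) for c in event_str]
    beliefs = loopy_bp(len(events), build_factor_graph(events, f1, f2))
    return [max(range(N_STAGES), key=b.__getitem__) for b in beliefs]


# Constructed doublets: event 7 (say, a network scan) occurs in both
# sigma_0 (Initial Reconnaissance) and sigma_4 (Internal Reconnaissance).
TRAINING = [("7123756", "0123456"), ("0123456", "0123456"),
            ("7123456", "0123456"), ("0123756", "0123456")]

if __name__ == "__main__":
    f1, f2 = train(TRAINING, n_events=8)
    print(infer_stages("71237", f1, f2))
```

On the constructed data the ambiguous event 7 resolves to σ_0 at the start of the chain and to σ_4 after σ_3, which is the contribution of the f_2 transition factor.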
A factor graph-based inference attack stage maximum likelihood estimation system, comprising:
the sequence extraction module, used for extracting attack event-attack stage doublet sequences from the APT data set;
the probability transition matrix generation module, used for training on the attack event-attack stage doublet sequences to obtain the relevant parameters and generate a probability transition matrix;
the factor graph construction module is used for receiving the attack chain and constructing a corresponding factor graph, and converting the attack stage of the attack chain into nodes and factor functions of the factor graph;
and the attack stage inference module is used for processing the factor graph to obtain the maximum likelihood estimation of the attack stage sequence corresponding to the attack chain.
A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the factor graph-based inference attack phase maximum likelihood estimation method.
The computer program may be divided into one or more modules/units, which are stored in the memory and executed by the processor to perform the method of the invention.
Referring to fig. 2, the time consumed by attack-stage inference was counted for event chains of different lengths. It can be seen that, because the invention uses the Loopy Belief Propagation algorithm to compute over the factor graph in stages and blocks, a large amount of joint probability computation is avoided, and computation is faster than with the method based on traditional marginal probability computation.
The above description is only one specific embodiment of the present invention and does not constitute any limitation on the technical solution of the invention. It will be apparent to those skilled in the art that various modifications and changes in form and detail can be made without departing from the principles and concepts of the invention, and such modifications and changes remain within the scope of the appended claims.

Claims (6)

1. A maximum likelihood estimation method for an inference attack stage based on a factor graph is characterized by comprising the following steps:
extracting attack event-attack stage doublet sequences from the APT data set;
training on the attack event-attack stage doublet sequences to obtain the relevant parameters and generate a probability transition matrix;
the method specifically comprises the following steps:
(1) defining the APT sequence:
a single event e_i: the event occurring at time i;
a single attack phase s_i: the attack phase at time i;
in practice, an APT is composed of a plurality of events and their corresponding attack phases, and therefore the following definitions are given:
E_c: the sequence of events e occurring in order;
S_c: the sequence of attack phases corresponding to each event in the sequence;
(2) defining APT sampling;
the i-th APT is denoted A_i;
(3) preprocessing and normalizing the data;
(4) inputting the sampled data into the system;
each APT inputs its information into the system for processing in the form of an (event sequence, attack phase sequence) doublet;
the relevant parameters are as follows: the factor functions f_{1-Basic}(x), f_{1-Commonality}(x) and f_2(x, y);
f_1(x) is the function connecting nodes e and s, representing the relationship between event e and the corresponding attack phase s; f_1(x) is the common expression of f_{1-Basic}(x) and f_{1-Commonality}(x), expressed in the form of an exponential function; f_2(x, y) is the transition function connecting the s nodes, representing how attack stages influence one another in the time dimension; the expression of f_2(x, y) is f_2(x, y) = Matrix[x][y], wherein Matrix is the single-step probability transition matrix of a homogeneous Markov chain obtained in the training phase, and the entry in row x, column y of the matrix is the probability that σ_x triggers σ_y at the next time step;
training on the obtained data set to obtain the corresponding parameters;
the following parameters are obtained:
f_1(x) = exp{q(E_c, S_c)}, where P(E_c, S_c) represents E_c-S_c, and:
Figure FDA0003513245340000021
f_2(x, y) = Matrix[x][y];
Matrix is the single-step probability transition matrix of a homogeneous Markov chain obtained in the training phase;
the entry in row x, column y of the matrix is the probability that σ_x triggers σ_y at the next time step;
receiving an attack chain and constructing a corresponding factor graph, and converting an attack stage of the attack chain into nodes and factor functions of the factor graph;
the method specifically comprises the following steps:
receiving the input of an attack chain and constructing a factor graph;
(1) constructing nodes: reading the events of the test data in sequence, and adding to the factor graph an event node e_i and the unknown attack stage node s_i corresponding to e_i;
(2) selecting factor functions and adding them to the factor graph:
adding f_1(x): events e_i are classified according to two characteristics, and the factor function is constructed according to the classification, which increases the complexity of the factor graph, improves the fault tolerance of subsequent inference, and reduces inference deviation;
adding f_2(x, y): adjacent s_i and s_{i-1} are connected by a single f_2(x, y);
at this point the system has constructed a complete factor graph;
processing the factor graph to obtain the maximum likelihood estimation of an attack stage sequence corresponding to an attack chain;
specifically, the factor graph is processed through a Loopy Belief Propagation algorithm to obtain the maximum likelihood estimation of the attack stage sequence; the method specifically comprises the following steps:
initialization;
messages are initialized so that the sum of all messages around a node is 1, i.e.
Figure FDA0003513245340000022
message update;
the node that is to send a message receives and integrates the messages from other nodes and sends a new message to the selected node;
message updates are divided into two types:
1) a node of the factor graph passes a message to a factor function:
Figure FDA0003513245340000031
ne(s) denotes the nodes adjacent to node s;
the sending node multiplies together the messages from its adjacent nodes, excluding the node that is to receive the message, and passes the product to the target node;
2) a factor function passes a message to a node of the factor graph:
Figure FDA0003513245340000032
this message is a summation ranging over all values of the variables related to f, where f is the node sending the message, with the value of s held fixed; s is the node to which the message is sent, and its value is taken to be i;
the messages sent to f by all other adjacent variable nodes s', excluding the node the message is being sent to, are multiplied together, and the summation takes into account the values of the variables s' that the factor involves.
2. The method for estimating maximum likelihood of inference attack stage based on factor graph according to claim 1, wherein: the factor graph factorizes a global function with multiple variables to obtain a product of several local functions so as to express probability relations among different events; the factor function is used for connecting related nodes.
3. The method for inference attack stage maximum likelihood estimation based on factor graph according to claim 2, wherein the joint probability of the variables in the factor graph is:
Figure FDA0003513245340000033
X_i represents the variables related to the factor function f_i;
the stability of the variables in the factor graph is represented by an energy function, which serves as a measure of the accuracy of the factor graph inference model and is expressed as follows:
Figure FDA0003513245340000034
4. The method for estimating maximum likelihood of inference attack stage based on factor graph according to claim 1, wherein: the Loopy Belief Propagation algorithm is given a number of iterations and an energy function, and the smaller the value of the energy function, the more stable the probability distribution; message passing stops when the number of iterations reaches the set value or the value of the energy function falls below a critical value.
5. A system for inference attack stage maximum likelihood estimation based on a factor graph, comprising:
the sequence extraction module, used for extracting attack event-attack stage doublet sequences from the APT data set;
the probability transition matrix generation module, used for training on the attack event-attack stage doublet sequences to obtain the relevant parameters and generate a probability transition matrix; the method specifically comprises the following steps:
(1) defining the APT sequence:
a single event e_i: the event occurring at time i;
a single attack phase s_i: the attack phase at time i;
in practice, an APT is composed of a plurality of events and their corresponding attack phases, and therefore the following definitions are given:
E_c: the sequence of events e occurring in order;
S_c: the sequence of attack phases corresponding to each event in the sequence;
(2) defining APT sampling;
the i-th APT is denoted A_i;
(3) preprocessing and normalizing the data;
(4) inputting the sampled data into the system;
each APT inputs its information into the system for processing in the form of an (event sequence, attack phase sequence) doublet;
the relevant parameters are as follows: the factor functions f_{1-Basic}(x), f_{1-Commonality}(x) and f_2(x, y);
f_1(x) is the function connecting nodes e and s, representing the relationship between event e and the corresponding attack phase s; f_1(x) is the common expression of f_{1-Basic}(x) and f_{1-Commonality}(x), expressed in the form of an exponential function; f_2(x, y) is the transition function connecting the s nodes, representing how attack stages influence one another in the time dimension; the expression of f_2(x, y) is f_2(x, y) = Matrix[x][y], wherein Matrix is the single-step probability transition matrix of a homogeneous Markov chain obtained in the training phase, and the entry in row x, column y of the matrix is the probability that σ_x triggers σ_y at the next time step;
training on the obtained data set to obtain the corresponding parameters;
the following parameters are obtained:
f_1(x) = exp{q(E_c, S_c)}, where P(E_c, S_c) represents E_c-S_c, and:
Figure FDA0003513245340000051
f_2(x, y) = Matrix[x][y];
Matrix is the single-step probability transition matrix of a homogeneous Markov chain obtained in the training phase;
the entry in row x, column y of the matrix is the probability that σ_x triggers σ_y at the next time step;
the factor graph construction module is used for receiving the attack chain and constructing a corresponding factor graph, and converting the attack stage of the attack chain into nodes and factor functions of the factor graph; the method specifically comprises the following steps:
receiving the input of an attack chain and constructing a factor graph;
(1) constructing nodes: reading the events of the test data in sequence, and adding to the factor graph an event node e_i and the unknown attack stage node s_i corresponding to e_i;
(2) selecting factor functions and adding them to the factor graph:
adding f_1(x): events e_i are classified according to two characteristics, and the factor function is constructed according to the classification, which increases the complexity of the factor graph, improves the fault tolerance of subsequent inference, and reduces inference deviation;
adding f_2(x, y): adjacent s_i and s_{i-1} are connected by a single f_2(x, y);
at this point the system has constructed a complete factor graph;
the attack stage inference module is used for processing the factor graph to obtain the maximum likelihood estimation of an attack stage sequence corresponding to an attack chain; specifically, the factor graph is processed through a Loopy Belief Propagation algorithm to obtain the maximum likelihood estimation of the attack stage sequence; the method specifically comprises the following steps:
initialization;
messages are initialized so that the sum of all messages around a node is 1, i.e.
Figure FDA0003513245340000052
message update;
the node that is to send a message receives and integrates the messages from other nodes and sends a new message to the selected node;
message updates are divided into two types:
1) a node of the factor graph passes a message to a factor function:
Figure FDA0003513245340000061
ne(s) denotes the nodes adjacent to node s;
the sending node multiplies together the messages from its adjacent nodes, excluding the node that is to receive the message, and passes the product to the target node;
2) a factor function passes a message to a node of the factor graph:
Figure FDA0003513245340000062
this message is a summation ranging over all values of the variables related to f, where f is the node sending the message, with the value of s held fixed; s is the node to which the message is sent, and its value is taken to be i;
the messages sent to f by all other adjacent variable nodes s', excluding the node the message is being sent to, are multiplied together, and the summation takes into account the values of the variables s' that the factor involves.
6. A computer-readable storage medium storing a computer program, characterized in that: the computer program when executed by a processor implements the steps of the factor graph-based inference attack stage maximum likelihood estimation method of any of claims 1 to 4.
CN202110076266.4A 2021-01-20 2021-01-20 Inference attack stage maximum likelihood estimation method and system based on factor graph Active CN112910865B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110076266.4A CN112910865B (en) 2021-01-20 2021-01-20 Inference attack stage maximum likelihood estimation method and system based on factor graph


Publications (2)

Publication Number Publication Date
CN112910865A CN112910865A (en) 2021-06-04
CN112910865B true CN112910865B (en) 2022-04-05

Family

ID=76116772

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110076266.4A Active CN112910865B (en) 2021-01-20 2021-01-20 Inference attack stage maximum likelihood estimation method and system based on factor graph

Country Status (1)

Country Link
CN (1) CN112910865B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143109B (en) * 2021-12-08 2023-11-10 Antiy Technology Group Co., Ltd. Visual processing method, interaction method and device for attack data
CN115334505A (en) * 2022-06-21 2022-11-11 Xidian University Multimode intelligent terminal safety communication method and system facing 5G + Beidou

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425821A (en) * 2008-12-15 2009-05-06 Harbin Engineering University Iterative pseudo-code capture apparatus and method based on information optimization
CN103795891A (en) * 2014-03-04 2014-05-14 Shandong University of Science and Technology Method for coding, embedding and decoding of watermark resistant to range zooming attack
CN108076040A (en) * 2017-10-11 2018-05-25 Beijing University of Posts and Telecommunications A kind of APT Attack Scenarios method for digging based on killing chain and fuzzy clustering
CN111783982A (en) * 2020-06-30 2020-10-16 Ping An International Smart City Technology Co., Ltd. Attack sample acquisition method, device, equipment and medium
CN112104633A (en) * 2020-09-07 2020-12-18 Xidian University Attack chain construction method based on log correlation analysis

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6714607B2 (en) * 2001-12-20 2004-03-30 Sbc Technology Resources, Inc. Joint demodulation using a viterbi equalizer having an adaptive total number of states
CN102934100B (en) * 2010-02-22 2016-06-15 Analog Devices, Inc. Distributed factor graphics system
CN108364014A (en) * 2018-01-08 2018-08-03 Southeast University A kind of multi-sources Information Fusion Method based on factor graph
US11190538B2 (en) * 2018-01-18 2021-11-30 Risksense, Inc. Complex application attack quantification, testing, detection and prevention

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
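Loopy belief propagation based data association for extended target tracking; Zhenzhen SU; Chinese Journal of Aeronautics; 20200831; full text *
Simulation research on rapid defense against attacks in network information transmission; Lai Qing et al.; Computer Simulation; 20171115 (No. 11); full text *
Security supervision scheme for industrial control networks; Chen Xiaobing et al.; Netinfo Security; 20160710 (No. 07); full text *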

Also Published As

Publication number Publication date
CN112910865A (en) 2021-06-04

Similar Documents

Publication Publication Date Title
CN109922069B (en) Multidimensional association analysis method and system for advanced persistent threats
CN112910865B (en) Inference attack stage maximum likelihood estimation method and system based on factor graph
CN112052404B (en) Group discovery method, system, equipment and medium of multi-source heterogeneous relation network
Liu et al. A scalable redefined stochastic blockmodel
Liu et al. Enhancing the privacy of federated learning with sketching
WO2022267960A1 (en) Federated attention dbn collaborative detection system based on client selections
CN112217674B (en) Alarm root cause identification method based on causal network mining and graph attention network
Liu et al. Adaptive multi-channel bayesian graph attention network for iot transaction security
Song et al. Short-term forecasting based on graph convolution networks and multiresolution convolution neural networks for wind power
CN115051929B (en) Network fault prediction method and device based on self-supervision target perception neural network
CN105228185B (en) Method used for identifying identity of fuzzy redundant node in communication network
Xiao et al. Network security situation prediction method based on MEA-BP
CN115168443A (en) Anomaly detection method and system based on GCN-LSTM and attention mechanism
CN115862751A (en) Quantum chemistry property calculation method for updating polymerization attention mechanism based on edge features
CN116582349A (en) Attack path prediction model generation method and device based on network attack graph
CN113515519A (en) Method, device and equipment for training graph structure estimation model and storage medium
Chen et al. Adversarial learning from crowds
CN117272195A (en) Block chain abnormal node detection method and system based on graph convolution attention network
Xiang Direct causal structure extraction from pairwise interaction patterns in NAT modeling Bayesian networks
CN116151369A (en) Bayesian-busy robust federal learning system and method for public audit
CN115189939A (en) HMM model-based power grid network intrusion detection method and system
CN112256756B (en) Influence discovery method based on ternary association diagram and knowledge representation
CN113807370A (en) Data processing method, device, equipment, storage medium and computer program product
CN112950222A (en) Resource processing abnormity detection method and device, electronic equipment and storage medium
Baccelli et al. On spatial point processes with uniform births and deaths by random connection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant