CN113642023A - Data security detection model training method, data security detection device and equipment - Google Patents


Info

Publication number: CN113642023A
Authority: CN (China)
Prior art keywords: data; security detection; data security; detection model; behavior
Legal status: Pending (the legal status is an assumption by Google Patents and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202110982127.8A
Other languages: Chinese (zh)
Inventors: 李强, 史帅, 尚程, 杨满智, 蔡琳, 梁彧, 傅强, 王杰, 金红, 陈晓光
Current assignees: Beijing Hengan Jiaxin Safety Technology Co ltd; Eversec Beijing Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Hengan Jiaxin Safety Technology Co ltd
Events: application filed by Beijing Hengan Jiaxin Safety Technology Co ltd; priority to CN202110982127.8A; publication of CN113642023A; legal status pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning


Abstract

The embodiments of the invention disclose a data security detection model training method, a data security detection device and data security detection equipment. The data security detection model training method comprises the following steps: collecting data security detection associated data, where the data security detection associated data comprises at least one of traffic data, asset data, account data, log data, vulnerability database data and threat intelligence data; training at least one data security detection model according to the data security detection associated data; and generating a user entity behavior baseline according to the data security detection model. The technical scheme of the embodiments can monitor various types of data leakage behavior and improves the ability to discover unknown threats.

Description

Data security detection model training method, data security detection device and equipment
Technical Field
The embodiment of the invention relates to the technical field of data processing, in particular to a method, a device, equipment and a medium for training a data security detection model and detecting data security.
Background
With the continuous development of cloud computing and big data technology, the data volume also shows an exponential rising trend, and along with this, various security events such as data leakage occur frequently. User abnormal behaviors such as data stealing, unauthorized access and the like not only easily cause the leakage of industry sensitive information and bring serious loss to the brand reputation of an organization, but also seriously infringe citizen privacy and increasingly threaten network information security.
The traditional data security products for dealing with data leakage threats inside enterprises are mainly DLP (Data Leakage Protection) products. These products guarantee enterprise information security by presetting rules for enterprise sensitive data, controlling employees' internet behavior and similar means; that is, outgoing paths such as USB drive copying, sending of sensitive files, uploading and printing are controlled, and the leakage risk is blocked. However, for an unknown enterprise data leakage scenario that cannot be prevented by preset rules, such as an internal employee stealing sensitive data, the behavior cannot be effectively detected by traditional behavior analysis means such as logs, because the internal employee has legitimate access rights to the enterprise data assets and generally knows where the enterprise's sensitive data is stored.
Disclosure of Invention
Embodiments of the present invention provide a data security detection model training method, a data security detection device, a data security detection apparatus, and a medium, which can monitor various types of data leakage behaviors and improve the capability of discovering unknown threats.
In a first aspect, an embodiment of the present invention provides a data security detection model training method, including:
collecting data security detection associated data, where the data security detection associated data comprises at least one of traffic data, asset data, account data, log data, vulnerability database data and threat intelligence data;
training at least one data security detection model according to the data security detection associated data;
and generating a user entity behavior baseline according to the data security detection model.
In a second aspect, an embodiment of the present invention further provides a data security detection method, including:
collecting data security detection associated data, where the data security detection associated data comprises at least one of traffic data, asset data, account data, log data, vulnerability database data and threat intelligence data;
inputting the data security detection associated data into at least one pre-trained data security detection model to perform data security detection on the data security detection associated data according to the user entity behavior baseline through each data security detection model;
the data security detection model is obtained by training through any data security detection model training method in the first aspect.
In a third aspect, an embodiment of the present invention provides a data security detection model training apparatus, including:
a data security detection associated data acquisition module, used for acquiring data security detection associated data, where the data security detection associated data comprises at least one of traffic data, asset data, account data, log data, vulnerability database data and threat intelligence data;
the data security detection model training module is used for training at least one data security detection model according to the data security detection associated data;
and the user entity behavior baseline generation module is used for generating a user entity behavior baseline according to the data security detection model.
In a fourth aspect, an embodiment of the present invention provides a data security detection apparatus, including:
a data security detection associated data acquisition module, used for acquiring data security detection associated data, where the data security detection associated data comprises at least one of traffic data, asset data, account data, log data, vulnerability database data and threat intelligence data;
the data security detection module is used for inputting the data security detection associated data into at least one pre-trained data security detection model so as to perform data security detection on the data security detection associated data according to the user entity behavior baseline through each data security detection model;
the data security detection model is obtained by training through any data security detection model training method in the first aspect.
In a fifth aspect, an embodiment of the present invention further provides a computer device, where the computer device includes:
one or more processors;
storage means for storing one or more computer programs;
the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the data security detection model training method of any of the first aspects, or the data security detection method of any of the second aspects.
In a sixth aspect, an embodiment of the present invention further provides a computer storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the data security detection model training method described in any of the first aspects, or the data security detection method described in any of the second aspects.
According to the embodiments of the invention, data security detection associated data is collected, at least one data security detection model is trained on it, and a user entity behavior baseline is generated from the model; the data security detection associated data is then input into at least one pre-trained data security detection model, so that each model performs data security detection on it against the user entity behavior baseline. This solves the problem that existing data leakage prevention methods cannot comprehensively detect data leakage behavior: various types of data leakage behavior can be monitored, and the ability to discover unknown threats is improved.
Drawings
Fig. 1 is a schematic diagram of a technical architecture of a data security detection system according to an embodiment of the present invention;
FIG. 2 is a flowchart of a data security detection model training method according to an embodiment of the present invention;
FIG. 3 is an exemplary flowchart of a data security detection model training method according to an embodiment of the present invention;
fig. 4 is a flowchart of a data security detection method according to a second embodiment of the present invention;
fig. 5 is an exemplary flowchart of a data security detection method according to a second embodiment of the present invention;
fig. 6 is a flowchart of a data security detection system according to a second embodiment of the present invention;
FIG. 7 is a schematic diagram of a data security detection model training apparatus according to a third embodiment of the present invention;
fig. 8 is a schematic diagram of a data security detection apparatus according to a fourth embodiment of the present invention;
fig. 9 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention.
It should be further noted that, for the convenience of description, only some but not all of the relevant aspects of the present invention are shown in the drawings. Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Fig. 1 is a schematic diagram of the technical architecture of a data security detection system according to an embodiment of the present invention. The architecture is built on UEBA (user and entity behavior analytics): the system collects data such as file system logs, business processing logs, clickstream data, configuration files, database audit logs, web access logs and Windows event logs, analyzes the behavior of objects such as users, devices and applications, and detects behavioral deviation using anomaly detection and other machine learning methods. As shown in fig. 1, the data security detection system may include a data acquisition layer, a data storage layer, a detection analysis layer and a data display layer, where:
the data acquisition layer collects the information generated by multiple nodes in the network, for example from network devices, systems, applications, databases and users, and so provides the data foundation of the system;
the data storage layer cleans and converts the heterogeneous data resources acquired by the data acquisition layer (structured, semi-structured and unstructured data) and loads the cleaned and converted data into a distributed database system to achieve data integration; it also stores and manages the detection models that the system generates using various machine learning algorithms and statistical calculations;
the detection analysis layer creates baselines and models of user entity behavior to determine what is normal under various conditions, and performs anomaly detection of data-security-related operations in real time or offline based on the constructed models and baselines;
the data display layer handles interaction with the end user: it provides data leakage event alarms, presents applications such as user and entity portraits using current big data visualization technology, provides thematic event analysis, displays the results of big data analysis visually so as to give direct and efficient data support for decision making and judgment, and provides basic functions such as user management and report generation.
Example one
Fig. 2 is a flowchart of a data security detection model training method according to an embodiment of the present invention. This embodiment is applicable to training a data security detection model for detecting various types of data leakage behavior. The method may be executed by a data security detection model training apparatus, which may be implemented in software and/or hardware and is generally integrated in a computer device that executes the method. As shown in fig. 1, the data security detection model training method may include the following steps:
S210, collecting data security detection associated data; the data security detection associated data comprises at least one of traffic data, asset data, account data, log data, vulnerability database data and threat intelligence data.
Wherein the data security detection associated data may be data associated with data security detection, such as one or more of traffic data, asset data, account data, log data, vulnerability database data, and threat intelligence data. The traffic data may be network traffic data. The asset data may be data related to the network asset, for example, the network asset name, the network asset type, or the network address (IP address) may be used, but the embodiment of the present invention is not limited thereto. The account data may be various account information, for example, an account that the user logs in, an account that the user browses, or the like, which is not limited in this embodiment of the present invention. The log data may be log file data generated by user behavior, for example, log file data generated by user login behavior, or log file data generated by user access event, and the like, which is not limited in the embodiment of the present invention. The vulnerability database data can be vulnerability behavior sample data and can be used for carrying out comparative analysis on user behaviors so as to detect whether the user behaviors conform to vulnerability characteristics. The threat intelligence data may be a data sample with a threat in user behavior, for example, a malicious website, a malicious domain name, or a malicious organization, which is not limited in the embodiment of the present invention.
In the embodiment of the invention, the data security detection system can acquire the data security detection associated data from network devices, software systems, applications, databases or users, so as to train the data security detection model on it. For example, traffic data may be captured by connecting to the system network through bypass mirroring so that all types of network traffic are captured; account data may be collected by associating each account with other related data; log data may be generated by the operating system and by security systems (e.g., firewalls, security software). It should be noted that, when the data security detection system collects traffic data, it must do so without changing the existing network topology, without changing the existing business systems, and without affecting the business.
S220, training at least one data security detection model according to the data security detection associated data.
The data security detection model can be used for monitoring whether user behaviors are abnormal or not.
In the embodiment of the invention, after the data security detection system collects the data security detection associated data, it can train the data security detection model on that data. It will be appreciated that a plurality of different data security detection models may be trained on the data security detection associated data to monitor different user behaviors. Optionally, a number of machine learning algorithms may be used to train the data security detection model, for example supervised learning methods (such as logistic regression, the KNN (k-nearest neighbors) classification algorithm and decision trees) or unsupervised learning methods (such as the isolation forest algorithm, principal component analysis for dimensionality reduction and k-means clustering). Illustratively, when the isolation forest algorithm is used to train the data security detection model, multi-dimensional data features can be learned along the dimensions of time, IP, account, interface and the like. The account dimension may include the account type, the number of account logins, the number of interface calls made by the account, the type of system the account is associated with, and so on; the IP dimension may include the number of interface calls from the IP, the interface types associated with the IP, and so on; the time dimension may include whether the day is a working day, the access duration, the time interval, and so on. Different data security detection models are then trained on this multi-dimensional data with the isolation forest algorithm.
In an optional implementation manner of the embodiment of the present invention, before training at least one data security detection model according to data security detection associated data, the method may further include: acquiring original data security detection associated data; filtering the original data security detection associated data to obtain filtered data security detection associated data; carrying out data standardization processing on the filtered data security detection associated data to obtain standard data security detection associated data; and extracting key element data from the standard data security detection associated data to obtain data security detection associated data.
The original data security detection associated data can be the raw data collected for data security detection. The filtered data security detection associated data may be the data for data security detection obtained by filtering the original data. The data normalization process may be a process that selects, from data fields of different formats, the fields of a target length. The standard data security detection associated data may be the standardized data for data security detection obtained by normalizing the filtered data. The key element data may be the key elements within the standard data security detection associated data, for example account data, user data, device data or IP data, which is not limited in the embodiment of the present invention.
Specifically, after the data security detection system obtains the original data security detection associated data, the original data security detection associated data is filtered, and useless data is deleted to obtain filtered data security detection associated data. After the filtered data safety detection associated data is obtained, data standardization processing can be performed on the filtered data safety detection associated data, and data of a target length field can be screened out from the filtered data safety detection associated data of different fields, so that standard data safety detection associated data can be obtained. After the standard data security detection associated data is obtained, the key element data can be further extracted and stored, so that the data security detection associated data is obtained.
According to this technical scheme, the filtering, data normalization and key element extraction let the data security detection system discover and identify sensitive data, which facilitates detection on the data security detection associated data.
In an optional implementation manner of the embodiment of the present invention, training the data security detection model according to the data security detection related data may include: determining at least one data security detection model to be trained according to the type of the data security detection associated data; extracting multi-dimensional associated data security behavior characteristics of data security detection associated data; the data security behavior characteristics comprise user daily interaction behavior characteristics and user attack behavior characteristics; and training each data security detection model to be trained according to the data security behavior characteristics.
The data security detection model to be trained may be an untrained data security detection model. The data security behavior features can be features in the data security detection associated data that can characterize user behavior. The user daily interaction behavior features may be features that characterize the daily interaction behavior of the user. The user attack behavior feature may be a feature that characterizes the user's attack behavior.
Specifically, after at least one data security detection model to be trained is determined according to the type of the data security detection associated data, multi-dimensional associated data security behavior features can be extracted from the data security detection associated data, so that each data security detection model to be trained is trained on these features. It can be understood that different types of data security detection associated data may correspond to different data security detection models to be trained, so that different user behaviors are monitored. For example, extracting multi-dimensionally associated data security behavior features may mean extracting features associated by time series, by statistics, by logic or by scenario. It can be understood that if only single-dimension data security behavior features are obtained, it is difficult to monitor abnormal behavior across multiple types of user behavior.
S230, generating a user entity behavior baseline according to the data security detection model.
The user entity behavior baseline can be a user entity behavior standard and can be used for judging whether user behavior is abnormal or not. It may be appreciated that if the user entity behavior deviates from the user entity behavior baseline, it may be determined that the user entity behavior is abnormal behavior.
In the embodiment of the invention, after the data security detection model is trained according to the data security detection associated data, a user entity behavior baseline can be further generated according to the data security detection model, so that whether the user behavior is abnormal or not can be determined according to the user entity behavior baseline, and the monitoring of the user behavior can be realized. It is to be understood that each data security detection model may correspond to one or more user entity behavior baselines, and correspondingly, if there are multiple data security detection models, multiple user entity behavior baselines. Optionally, the user entity behavior baseline may also be configured directly according to the behavior detection requirement, which is not limited in the embodiment of the present invention.
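The isolation forest training described under S220 and the score-based baseline of S230, as an added worked example that is not code from the patent or its assignee: a small pure-Python isolation forest is trained on constructed account-day feature vectors in the time, account and interface dimensions the text names, and the user entity behavior baseline is taken to be a score threshold above which an account-day deviates from normal. The feature layout, the sample values, the `contamination` rate and the helper names are assumptions made for the example.

```python
"""Isolation forest over multi-dimensional account-day features plus a score-based behaviour baseline."""
import math
import random


def build_training_set(seed=1):
    """Constructed feature vectors (not from the patent), one per account-day:
    [is_workday, login_count, api_calls, distinct_interfaces, access_minutes]."""
    rng = random.Random(seed)
    rows = []
    for _ in range(60):  # ordinary working behaviour
        rows.append([1 if rng.random() < 0.8 else 0, rng.randint(1, 4),
                     rng.randint(20, 60), rng.randint(2, 5), rng.randint(30, 120)])
    rows.append([0, 15, 900, 30, 600])  # bulk interface calls, off-hours, long session
    rows.append([0, 12, 300, 20, 480])  # many logins and calls outside working days
    return rows


def _c(n):
    """Average unsuccessful-search path length in a BST of n points (Liu et al. normalisation)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def _grow(points, rng, depth, max_depth):
    """Recursively split on a random dimension at a random cut between its min and max."""
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    dim = rng.randrange(len(points[0]))
    lo = min(p[dim] for p in points)
    hi = max(p[dim] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[dim] < split]
    right = [p for p in points if p[dim] >= split]
    return ("node", dim, split,
            _grow(left, rng, depth + 1, max_depth),
            _grow(right, rng, depth + 1, max_depth))


def _path_length(tree, x, depth=0):
    """Depth at which x is isolated; unfinished leaves get the expected remaining depth."""
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, dim, split, left, right = tree
    return _path_length(left if x[dim] < split else right, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed, self.trees = n_trees, sample_size, seed, []

    def fit(self, points):
        rng = random.Random(self.seed)
        self.sample_size = min(self.sample_size, len(points))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = [_grow(rng.sample(points, self.sample_size), rng, 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1): short average paths (easily isolated points) score near 1."""
        avg = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2 ** (-avg / _c(self.sample_size))


def build_baseline(model, points, contamination=0.05):
    """Behaviour baseline = score threshold; the top `contamination` share of training scores is treated as deviating."""
    scores = sorted(model.score(p) for p in points)
    idx = min(int((1 - contamination) * len(scores)), len(scores) - 1)
    return scores[idx]


def is_abnormal(model, threshold, x):
    """Runtime check of one account-day against the baseline."""
    return model.score(x) > threshold


if __name__ == "__main__":
    data = build_training_set()
    forest = IsolationForest().fit(data)
    base = build_baseline(forest, data)
    for row in data[-2:] + [[1, 2, 40, 3, 75]]:
        print(row, round(forest.score(row), 3), "abnormal" if is_abnormal(forest, base, row) else "normal")
```

Because every tree is grown on the full (small) training set, the two constructed outliers are isolated within a few splits and score well above the threshold, while a mid-range account-day such as `[1, 2, 40, 3, 75]` sits below it.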
According to the technical scheme, the data security detection associated data are collected, at least one data security detection model is trained according to the data security detection associated data, the user entity behavior base line is generated according to the data security detection model, the problem that the data leakage behavior cannot be comprehensively detected by the conventional data leakage prevention method is solved, various types of data leakage behaviors can be monitored, and the capability of finding unknown threats is improved.
To help those skilled in the art better understand the data security detection model training method of this embodiment, a specific example is described below. Fig. 3 is an exemplary flowchart of the data security detection model training method provided in an embodiment of the present invention; as shown in fig. 3, the process includes:
(1) training data: the training data is a relatively stable and accurate data set of user entity feature description obtained after preprocessing, and can participate in the construction of a data security detection model in a 'sample' form.
(2) Creating a model: different data security detection models can be created according to different user entity behavior characteristics, and the data security detection models can be classified, such as a flow model and an access model of a certain system; the model creation process may set a model name, may also specify a machine learning algorithm, a type, a learning period, or the like, or may also specify a way to acquire training data, or the like.
(3) Feature generation and extraction: the characteristics of the user entity behavior are analyzed on the acquired training data and features are extracted from them, so that the extracted features can be fed into the model algorithm to train the data security detection model. Feature generation obtains, from the training data, features that specifically reflect the user's daily interaction behavior and the various attack behaviors, and uses them as the model's learning data. Feature extraction mines high-dimensional behavior data by feature engineering; because large-scale behavior feature data is complex and fuzzy, a feature-weight self-calculation method is used to compute a weight for each feature that characterizes its importance, so that the information contained in abnormal behavior features is processed and extracted in depth.
(4) Training the model: the model is trained with various machine learning algorithms, including supervised learning methods (such as logistic regression, the KNN classification algorithm and decision trees) or unsupervised learning methods (such as the isolation forest algorithm, principal component analysis for dimensionality reduction and k-means clustering).
(5) Saving the model: the result of model training is stored in the data security detection system and managed and maintained there; the model may be maintained and updated periodically, including periodic retraining and assessment of whether the model remains reasonable.
Example two
Fig. 4 is a flowchart of a data security detection method according to a second embodiment of the present invention. This embodiment is applicable to using the data security detection model of the above technical solutions to detect multiple types of data leakage behavior. The method may be executed by a data security detection apparatus, which may be implemented in software and/or hardware and is generally integrated in a computer device that executes the method. As shown in fig. 4, the data security detection method may include the following steps:
S410, collecting data security detection associated data; the data security detection associated data comprises at least one of traffic data, asset data, account data, log data, vulnerability database data and threat intelligence data.
In the embodiment of the invention, the data security detection system can acquire the data related to the data security detection through network equipment, a software system, an application program, a database or a user so as to input the data related to the data security detection into the data security detection model, thereby realizing the detection of the data security.
S420, inputting the data security detection associated data into at least one pre-trained data security detection model, and performing data security detection on it according to the user entity behavior baseline through each data security detection model.
In the embodiment of the invention, after the data security detection system collects the data security detection associated data, different data security detection associated data can be further input into different pre-trained data security detection models, so that the data security detection associated data are subjected to data security detection through each data security detection model according to the user entity behavior baseline, and the monitoring of the user behavior is realized. It should be noted that the pre-trained data security detection model is obtained by pre-training according to any data security detection model training method in the first embodiment.
In an optional implementation manner of the embodiment of the present invention, before inputting the data security detection related data into at least one pre-trained data security detection model, the method may further include: filtering the data security detection associated data to obtain filtered data security detection associated data; carrying out data standardization processing on the filtered data security detection associated data to obtain standard data security detection associated data; extracting key element data from the standard data safety detection associated data, and reconstructing the data safety detection associated data according to the extracted key element data.
Specifically, before the data security detection associated data is input into the pre-trained data security detection model, the data security detection associated data may be further filtered, and useless data may be deleted, so as to obtain filtered data security detection associated data. After the filtered data safety detection associated data is obtained, data standardization processing can be performed on the filtered data safety detection associated data, and data of a target length field can be screened out from the filtered data safety detection associated data of different fields, so that standard data safety detection associated data can be obtained. After the standard data security detection associated data is obtained, key element data can be further extracted and stored, so that the data security detection associated data is reconstructed according to the extracted key element data, and the reconstructed data security detection associated data is input to a pre-trained data security detection model for data security detection.
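The filter, standardize, extract and reconstruct steps just described, as an added Python example that is not code from the patent: the three source schemas, the field names, the target length bounds and the set of key elements are all assumptions made for this illustration, and the sample records are constructed.

```python
"""Pre-processing pipeline for data security detection associated data.

Added example, not code from the patent: the record layouts, the field names,
the target length bounds and the sample records are constructed assumptions.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any

# Key element data every reconstructed record must carry (assumption).
KEY_ELEMENTS = ("ts", "user", "src_ip", "action", "resource")

# Target length per field: values outside these bounds are treated as malformed
# and the record is dropped during standardization (assumption).
TARGET_LENGTH = {"user": (1, 64), "src_ip": (7, 45), "action": (1, 32), "resource": (1, 256)}


def filter_records(raw: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Step 1: drop useless records (heartbeats, debug noise, records without a user)."""
    kept = []
    for rec in raw:
        if rec.get("type") in {"heartbeat", "debug"}:
            continue
        if not (rec.get("user") or rec.get("username")):
            continue
        kept.append(rec)
    return kept


def _parse_ts(value: Any) -> str | None:
    """Normalize the timestamp formats seen across sources to UTC ISO-8601."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    if isinstance(value, str):
        for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%d/%b/%Y:%H:%M:%S"):
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).isoformat()
            except ValueError:
                continue
    return None


def standardize(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Step 2: map source-specific field names onto one schema, normalize case,
    and keep only records whose fields fall within the target length."""
    out = []
    for rec in records:
        std = {
            "ts": _parse_ts(rec.get("ts") or rec.get("timestamp") or rec.get("@timestamp")),
            "user": str(rec.get("user") or rec.get("username")).strip().lower(),
            "src_ip": str(rec.get("src_ip") or rec.get("client") or "").strip(),
            "action": str(rec.get("action") or rec.get("op") or "").strip().lower(),
            "resource": str(rec.get("resource") or rec.get("path") or "").strip(),
            "source": rec.get("source", "unknown"),
        }
        if std["ts"] is None:
            continue  # unparseable time: the record cannot be placed on the time axis
        if all(lo <= len(std[f]) <= hi for f, (lo, hi) in TARGET_LENGTH.items()):
            out.append(std)
    return out


def extract_key_elements(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Step 3: keep only the key element fields, reconstructing the record for the model."""
    return [{k: rec[k] for k in KEY_ELEMENTS} for rec in records]


def preprocess(raw: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return extract_key_elements(standardize(filter_records(raw)))


# Constructed sample input imitating three sources with different schemas.
SAMPLE_RAW = [
    {"source": "db_audit", "timestamp": "2021-08-20 09:15:02", "username": "Alice",
     "client": "10.0.0.5", "op": "SELECT", "path": "crm.customers"},
    {"source": "vpn", "type": "heartbeat", "ts": 1629450000},                      # noise
    {"source": "web", "@timestamp": "2021-08-20T09:16:40Z", "user": "bob",
     "src_ip": "10.0.0.9", "action": "GET", "path": "/hr/payroll.xlsx"},
    {"source": "web", "@timestamp": "not-a-date", "user": "carol",
     "src_ip": "10.0.0.7", "action": "GET", "path": "/"},                          # bad time
    {"source": "vpn", "ts": 1629450100, "user": "dave", "action": "login"},        # no src_ip
]

if __name__ == "__main__":
    for rec in preprocess(SAMPLE_RAW):
        print(rec)
```

Of the five constructed records only two survive: the heartbeat is filtered, the record with an unparseable time and the one with an empty source address fail standardization, and the survivors are reduced to the key elements the model consumes.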
In an optional implementation of this embodiment, after inputting the data security detection associated data into the at least one pre-trained data security detection model, the method may further include: generating user behavior detection data and/or data leakage events from the data security detection result; generating a user portrait from the user behavior detection data; and/or performing data leakage alarm processing according to the data leakage event. The data leakage event comprises at least one of an abnormal login event, a frequent login event, an abnormal access event, a cross-department operation event and a sensitive behavior operation event.
The data security detection result may be the detection result generated after user behavior has been detected. The user behavior detection data may be data recording the results of user behavior analysis. The data leakage event may be a data-leaking behavior event of the user determined from the user behavior analysis result. The user portrait tracks and depicts all user and entity behavior on a time series basis and reflects the behavior characteristics of the user and the entity. The abnormal login event may be a multi-device login or a remote login of a user account, which this embodiment does not limit. The frequent login event may be an event in which the user logs in to an account frequently. The abnormal access event may be the user visiting an abnormal website or accessing sensitive data, and the like, which this embodiment does not limit. The cross-department operation event may be an event in which a user operates on business beyond the authority of the user's department. The sensitive behavior operation event may be the sending of a sensitive file or access to an enterprise data asset, and the like, which this embodiment does not limit.
Specifically, after the data security detection associated data has been input into the pre-trained data security detection model, user behavior detection data may be generated from the data security detection result and a user portrait generated from that detection data, so that user entity behavior characteristics can be analyzed from the portrait. When the data security detection result includes a data leakage event, the data leakage event is generated from the result and data leakage alarm processing is performed according to it, to remind the user that the current behavior is abnormal and to prevent the abnormal behavior.
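The five event types defined above, as an added example that is not the patent's implementation: constructed records are compared against a constructed user entity behavior baseline, each rule emits one of the event types (abnormal login, frequent login, abnormal access, cross-department operation, sensitive behavior operation), and the detection data is aggregated along the time axis into a simple per-user portrait. The baseline fields, the thresholds, the department-to-resource mapping, the sensitive resource list and the sample records are all assumptions.

```python
"""Generating data leakage events and a user portrait from a behavior baseline.

Added example, not code from the patent. The baseline layout, the concrete rule
behind each event type and all sample records are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime

# User entity behavior baseline as a trained model might emit it (constructed).
BASELINE = {
    "alice": {"dept": "sales", "devices": {"dev-a1"}, "hours": range(8, 19),
              "countries": {"CN"}, "logins_per_hour": 3},
    "bob":   {"dept": "hr", "devices": {"dev-b1", "dev-b2"}, "hours": range(8, 19),
              "countries": {"CN"}, "logins_per_hour": 3},
}
# Resource prefixes each department is authorized for; anything else is cross-department.
DEPT_RESOURCES = {"sales": ("crm.",), "hr": ("hr.",)}
SENSITIVE_RESOURCES = {"hr.payroll", "crm.customers_full"}
SENSITIVE_ACTIONS = {"export", "send_external"}


def _event(r, kind, reason):
    return {"ts": r["ts"], "user": r["user"], "type": kind, "reason": reason}


def detect_events(records, baseline=BASELINE):
    """Compare each record with the user's baseline and emit typed data leakage events."""
    events = []
    logins_per_bucket = Counter()          # (user, clock hour) -> login count
    for r in records:
        b = baseline.get(r["user"])
        if b is None:
            events.append(_event(r, "abnormal_login", "account without a baseline"))
            continue
        hour = datetime.fromisoformat(r["ts"]).hour
        if r["action"] == "login":
            # abnormal login: unknown device (multi-device) or unusual country (remote login)
            if r.get("device") not in b["devices"]:
                events.append(_event(r, "abnormal_login", f"new device {r.get('device')}"))
            if r.get("country") not in b["countries"]:
                events.append(_event(r, "abnormal_login", f"remote login from {r.get('country')}"))
            bucket = (r["user"], r["ts"][:13])
            logins_per_bucket[bucket] += 1
            if logins_per_bucket[bucket] == b["logins_per_hour"] + 1:   # fire once per bucket
                events.append(_event(r, "frequent_login",
                                     f"more than {b['logins_per_hour']} logins in an hour"))
            continue
        res = r.get("resource", "")
        if hour not in b["hours"]:
            events.append(_event(r, "abnormal_access", f"access at {hour:02d}h, outside baseline hours"))
        if not res.startswith(DEPT_RESOURCES[b["dept"]]):
            events.append(_event(r, "cross_department", f"{b['dept']} user touched {res}"))
        if res in SENSITIVE_RESOURCES and r["action"] in SENSITIVE_ACTIONS:
            events.append(_event(r, "sensitive_behavior", f"{r['action']} on {res}"))
    return events


def summarize(events):
    """Count events per type, the input to alarm processing."""
    return dict(Counter(e["type"] for e in events))


def build_portrait(records, events):
    """Aggregate user behavior detection data along the time axis into a per-user portrait."""
    portrait = defaultdict(lambda: {"first_seen": None, "last_seen": None, "devices": set(),
                                    "resources": Counter(), "events": Counter()})
    for r in sorted(records, key=lambda x: x["ts"]):
        p = portrait[r["user"]]
        p["first_seen"] = p["first_seen"] or r["ts"]
        p["last_seen"] = r["ts"]
        if r.get("device"):
            p["devices"].add(r["device"])
        if r.get("resource"):
            p["resources"][r["resource"]] += 1
    for e in events:
        portrait[e["user"]]["events"][e["type"]] += 1
    return dict(portrait)


# Constructed sample records, already reduced to the key-element schema.
SAMPLE = [
    {"ts": "2021-08-20T09:00:00", "user": "alice", "action": "login", "device": "dev-a1", "country": "CN"},
    {"ts": "2021-08-20T09:01:00", "user": "alice", "action": "login", "device": "dev-a1", "country": "CN"},
    {"ts": "2021-08-20T09:02:00", "user": "alice", "action": "login", "device": "dev-a1", "country": "CN"},
    {"ts": "2021-08-20T09:03:00", "user": "alice", "action": "login", "device": "dev-a1", "country": "CN"},
    {"ts": "2021-08-20T09:10:00", "user": "alice", "action": "select", "resource": "crm.leads"},
    {"ts": "2021-08-20T22:30:00", "user": "alice", "action": "export", "resource": "crm.customers_full"},
    {"ts": "2021-08-20T10:00:00", "user": "bob", "action": "login", "device": "dev-b3", "country": "US"},
    {"ts": "2021-08-20T10:05:00", "user": "bob", "action": "select", "resource": "crm.customers"},
    {"ts": "2021-08-20T10:07:00", "user": "mallory", "action": "login", "device": "dev-x", "country": "CN"},
]

if __name__ == "__main__":
    evs = detect_events(SAMPLE)
    for e in evs:
        print(e)
    print(summarize(evs))
```

On the constructed input the fourth login within one hour raises a single frequent login event, the late-night export of the sensitive table raises both an abnormal access and a sensitive behavior event, and the HR user's login from an unknown device and country raises two abnormal login events before the cross-department read is flagged.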
Fig. 5 is an exemplary flowchart of the data security detection method of the second embodiment of the present invention. As shown in fig. 5, the method comprises data receiving, comparison against the data security detection model, abnormal score evaluation and result output. One or more data security detection models may be compared against, and the comparison may be performed on the behavior of an individual user entity or on the behavior of a group of user entities, which this embodiment does not limit. The received data is compared with a data security detection model obtained by any training method of the first embodiment, and abnormal behavior is detected from multiple dimensions such as access time interval, IP (Internet protocol) calling frequency, and account login and logout frequency. Finally, an iterative abnormal score evaluation mechanism combines the various behavior alarms, anomaly detection results and group comparison analysis with weights, iteratively refines the abnormal behavior score, and outputs the detection evaluation result.
Taking the threat of internal data leakage in an enterprise as an example: features related to sensitive data access are selected according to the techniques, methods and channels of data leakage, and a normal activity baseline and user portrait are built for the enterprise's internal employees and systems. From these it is judged whether an internal employee is stealing sensitive data, so that anomalies related to user behavior are detected, discovered and alarmed automatically by a mathematical model over the time series.
With this technical solution, data security detection associated data is collected and input into different pre-trained data security detection models, which perform data security detection on the associated data against the user entity behavior baseline. This solves the problem that existing data leakage prevention methods cannot comprehensively detect data leakage behavior, allows multiple types of data leakage behavior to be monitored, and improves the ability to discover unknown threats.
To help those skilled in the art understand the workflow of the data security detection system of this embodiment, a specific example is described below. Fig. 6 is a workflow diagram of a data security detection system provided by the second embodiment of the present invention; as shown in fig. 6, the workflow of the system includes:
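The iterative abnormal score evaluation mechanism, as an added example and not the patent's own formula: three signals (behavior alarm count, deviation from the user's own history, deviation from the peer group on the same day) are fused with weights into a daily raw score, and each day's raw score is blended into a running score, so that a deviation that persists across days accumulates to an alert while a single day's spike decays. The weights, the smoothing factor, the alert threshold and the daily sample data are assumptions.

```python
"""Iterative abnormal score evaluation: weighted fusion of behavior alarms, anomaly
detection against the user's own history, and group comparison analysis.

Added example, not the patent's scoring formula. The weights, smoothing factor,
alert threshold and the daily sample data are constructed assumptions.
"""
from __future__ import annotations

from statistics import mean, pstdev

WEIGHTS = {"alarm": 0.4, "self": 0.3, "group": 0.3}   # assumption: alarms weigh most
ALPHA = 0.5            # share of today's raw score in the running score (assumption)
ALERT_THRESHOLD = 0.6  # running score at or above this raises an alert (assumption)


def zscore(x, population):
    """Standard score of x against a population; 0 when the population is constant."""
    sd = pstdev(population)
    return 0.0 if sd == 0 else (x - mean(population)) / sd


def squash(z, scale=3.0):
    """Map a z-score onto [0, 1]: below the mean counts as 0, three sigma and above as 1."""
    return max(0.0, min(1.0, z / scale))


def daily_score(alarms, metric, own_history, peers):
    """Raw score for one day from the three signals, each already in [0, 1]."""
    alarm = min(1.0, alarms / 3.0)                  # three or more behavior alarms saturate
    self_dev = squash(zscore(metric, own_history))  # anomaly detection vs the user's own baseline
    group_dev = squash(zscore(metric, peers))       # group comparison vs peers on the same day
    raw = WEIGHTS["alarm"] * alarm + WEIGHTS["self"] * self_dev + WEIGHTS["group"] * group_dev
    return raw, {"alarm": alarm, "self": self_dev, "group": group_dev}


def iterate_scores(days, own_history, alpha=ALPHA):
    """Evaluate day by day. Today's raw score is blended into the running score, so a
    persistent deviation accumulates to an alert while a one-day spike decays; the
    user's history grows with each day, so the self baseline keeps learning."""
    score, history, out = 0.0, list(own_history), []
    for d in days:
        raw, parts = daily_score(d["alarms"], d["metric"], history, d["peers"])
        score = alpha * raw + (1 - alpha) * score
        out.append({"day": d["day"], "raw": round(raw, 3), "score": round(score, 3),
                    "alert": score >= ALERT_THRESHOLD, **parts})
        history.append(d["metric"])
    return out


# Constructed sample: metric = number of sensitive-table queries per day for one user.
OWN_HISTORY = [10, 12, 9, 11, 10, 12, 11]          # the user's previous week
DAYS = [
    {"day": "d1", "alarms": 0, "metric": 11, "peers": [10, 12, 11, 9, 13]},   # normal day
    {"day": "d2", "alarms": 1, "metric": 40, "peers": [11, 10, 12, 9, 12]},   # spike plus one alarm
    {"day": "d3", "alarms": 2, "metric": 55, "peers": [10, 11, 12, 10, 12]},  # spike persists
    {"day": "d4", "alarms": 0, "metric": 10, "peers": [10, 12, 11, 9, 13]},   # back to normal
]

if __name__ == "__main__":
    for row in iterate_scores(DAYS, OWN_HISTORY):
        print(row)
```

With these constants the first spike day scores about 0.37 and does not alert on its own; the second consecutive spike day pushes the running score above the threshold, and the score then halves on the quiet day that follows.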
(1) Data collection: data acquisition is the basis for building the data security detection system and for anomaly detection.
(2) Data identification, filtering and storage: the collected data is processed to discover and identify sensitive data.
(3) User and entity portraits: the portrait of a user or entity mainly comprises attribute information such as the user account, accessed applications, habitually visited websites, files used, sensitive data, entity devices used, online events and geographic location. Building the user entity portrait is the process of establishing the baseline; through the portrait, all network activity of the user and entity is fully visualized.
(4) Multi-dimensional correlation analysis: multi-dimensional features are extracted from the data and correlated across dimensions.
(5) Modeling user and entity behavior: through deep analysis of user entity behavior, combining statistical methods with machine learning, the system analyzes individual and group behavior across multiple dimensions, over time and by location. Based on the user entity portrait and the multi-dimensional correlation analysis it extracts abnormal behavior feature data, abstracts and defines abnormal patterns to build corresponding individual and group models, and then identifies the abnormal behavior of groups or individual users with these models.
(6) Detecting abnormal data leakage behavior: abnormal data leakage behavior of users and entities is detected and discovered using the established models and baselines. Abnormal user operations are found by detecting abnormal logins, frequent logins, abnormal access, cross-department operations, sensitive behavior operations and the like. The anomaly detection results need to be verified and fed back; abnormal behavior is identified with specialized analysis techniques such as individual-versus-group comparison features, and risk scoring narrows the range of false positives so that abnormal behavior is focused on more accurately. The abnormal user entity behaviors the data security detection system can detect are shown in table 1.
TABLE 1 User entity abnormal behavior detection table
[Table 1 is present in the original only as an image and is not reproduced here.]
With this technical solution, information such as enterprise database logs, session logs, user access logs and full traffic is processed to generate features of sensitive data access, such as frequency, actions, access periods and time sequence, and multiple detection scenarios are generated through time-sequence correlation and self-learning algorithms, such as a dynamic baseline for the accessed sensitive database, a dynamic baseline for user access and a dynamic baseline for group access.
Example three
Fig. 7 is a schematic diagram of a data security detection model training apparatus according to the third embodiment of the present invention. As shown in fig. 7, the apparatus includes a data security detection associated data acquisition module 710, a data security detection model training module 720 and a user entity behavior baseline generation module 730, wherein:
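The three dynamic baselines named here (for the accessed sensitive object, for the user and for the group), as an added example that is not the patent's own algorithm: constructed database audit log lines are parsed, per-day access frequency, action mix and off-hours count (the access period feature) are derived per baseline key, and an exponentially weighted mean and variance per key self-learns from each new day and flags a day whose frequency exceeds the learned upper bound. The log line format, the sensitive-table list, the EWMA weight, the sigma multiplier and the warm-up length are assumptions.

```python
"""Dynamic baselines for sensitive database access, learned from audit logs.

Added example, not the patent's own algorithm. The log line format, the
sensitive-table list, the EWMA weight and the sigma multiplier are assumptions.
"""
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\w+) dept=(?P<dept>\w+) action=(?P<action>\w+) table=(?P<table>[\w.]+)$"
)
SENSITIVE_TABLES = {"hr.payroll", "crm.customers"}
LAMBDA = 0.3       # EWMA weight of the newest day (assumption)
K = 3.0            # sigma multiplier of the dynamic upper bound (assumption)
WARMUP_DAYS = 3    # no flags until a key has this many learned days (assumption)


def parse(lines):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["hour"] = int(rec["hour"])
            yield rec


def daily_features(records):
    """Per day and per baseline key (object, user, group): access frequency,
    action mix and off-hours count."""
    feats = defaultdict(lambda: defaultdict(lambda: {"freq": 0, "actions": Counter(), "offhours": 0}))
    for r in records:
        if r["table"] not in SENSITIVE_TABLES:
            continue
        for key in (("object", r["table"]), ("user", r["user"]), ("group", r["dept"])):
            f = feats[r["day"]][key]
            f["freq"] += 1
            f["actions"][r["action"]] += 1
            if not 8 <= r["hour"] < 19:
                f["offhours"] += 1
    return feats


class DynamicBaseline:
    """EWMA mean and variance of the daily frequency per key, updated as days arrive."""

    def __init__(self):
        self.mean, self.var, self.days = {}, {}, Counter()

    def check(self, key, x):
        """Return (anomalous, upper_bound) for today's value x, then learn it unless anomalous."""
        n = self.days[key]
        self.days[key] += 1
        if n == 0:
            self.mean[key], self.var[key] = float(x), 0.0
            return False, None
        mu, var = self.mean[key], self.var[key]
        bound = mu + K * math.sqrt(var)
        anomalous = n >= WARMUP_DAYS and x > bound
        if not anomalous:
            diff = x - mu                       # standard incremental EWMA mean/variance update
            self.mean[key] = mu + LAMBDA * diff
            self.var[key] = (1 - LAMBDA) * (var + LAMBDA * diff * diff)
        return anomalous, bound


def run(lines):
    """Learn the three baselines over the log and return the day/key pairs that exceed them."""
    feats = daily_features(parse(lines))
    baseline, findings = DynamicBaseline(), []
    for day in sorted(feats):
        for key, f in sorted(feats[day].items()):
            anomalous, bound = baseline.check(key, f["freq"])
            if anomalous:
                findings.append({"day": day, "scope": key[0], "key": key[1], "freq": f["freq"],
                                 "bound": round(bound, 2), "actions": dict(f["actions"]),
                                 "offhours": f["offhours"]})
    return findings


def _lines(day, hour, user, dept, action, table, n):
    return [f"{day} {hour:02d}:00:00 user={user} dept={dept} action={action} table={table}"] * n


# Constructed audit log: four ordinary days, then a day on which one user's volume on the
# sensitive CRM table jumps, largely at night and as exports.
SAMPLE_LOG = ["this line is malformed and will be skipped"]
for day, n in zip(("2021-08-16", "2021-08-17", "2021-08-18", "2021-08-19"), (3, 4, 2, 3)):
    SAMPLE_LOG += _lines(day, 9, "alice", "sales", "select", "crm.customers", n)
    SAMPLE_LOG += _lines(day, 10, "bob", "hr", "select", "hr.payroll", 2)
    SAMPLE_LOG += _lines(day, 11, "bob", "hr", "select", "public.holidays", 5)  # not sensitive
SAMPLE_LOG += _lines("2021-08-20", 9, "alice", "sales", "select", "crm.customers", 3)
SAMPLE_LOG += _lines("2021-08-20", 22, "alice", "sales", "export", "crm.customers", 9)
SAMPLE_LOG += _lines("2021-08-20", 10, "bob", "hr", "select", "hr.payroll", 2)

if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(finding)
```

The same day is flagged under all three scopes, because the user, the table and the department all share the jump; the per-user finding also carries the action mix and the off-hours count, which is what an analyst would look at before deciding whether the export volume is legitimate. Flagged days are not folded into the baseline, so a sustained anomaly does not quietly become the new normal.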
a data security detection associated data acquisition module 710 for acquiring data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data;
a data security detection model training module 720, configured to train at least one data security detection model according to the data security detection related data;
and the user entity behavior baseline generation module 730 is configured to generate a user entity behavior baseline according to the data security detection model.
With this technical solution, data security detection associated data is collected, at least one data security detection model is trained on it, and a user entity behavior baseline is generated from the model. This solves the problem that existing data leakage prevention methods cannot comprehensively detect data leakage behavior, allows multiple types of data leakage behavior to be monitored, and improves the ability to discover unknown threats.
Optionally, the data security detection model training module 720 may be specifically configured to:
determining at least one data security detection model to be trained according to the type of the data security detection associated data; extracting multi-dimensional associated data security behavior characteristics of data security detection associated data; the data security behavior characteristics comprise user daily interaction behavior characteristics and user attack behavior characteristics; and training each data security detection model to be trained according to the data security behavior characteristics.
Optionally, the data security detection associated data acquisition module 710 may be specifically configured to:
acquiring original data security detection associated data; filtering the original data security detection associated data to obtain filtered data security detection associated data; carrying out data standardization processing on the filtered data security detection associated data to obtain standard data security detection associated data; and extracting key element data from the standard data security detection associated data to obtain data security detection associated data.
The data security detection model training apparatus can execute the data security detection model training method provided by any embodiment of the present invention and has the corresponding functional modules and beneficial effects. For technical details not described in this embodiment, reference may be made to the data security detection model training method provided by any embodiment of the present invention.
Since the data security detection model training apparatus described above is an apparatus capable of executing the data security detection model training method of the embodiment of the present invention, those skilled in the art can understand, from the description of that method, the specific implementation of the apparatus in this embodiment and its variations; how the apparatus implements the method is therefore not described in detail here. Any apparatus used by those skilled in the art to implement the data security detection model training method of the embodiment of the present invention falls within the scope of the present application.
Example four
Fig. 8 is a schematic diagram of a data security detection apparatus according to the fourth embodiment of the present invention. As shown in fig. 8, the apparatus includes a data security detection associated data acquisition module 810 and a data security detection module 820, wherein:
a data security detection associated data acquisition module 810, configured to acquire data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data;
a data security detection module 820, configured to input the data security detection associated data into at least one pre-trained data security detection model, so that each data security detection model performs data security detection on the associated data according to a user entity behavior baseline; the data security detection model is obtained by training through the data security detection model training method of the first embodiment.
With this technical solution, data security detection associated data is collected and input into different pre-trained data security detection models, which perform data security detection on the associated data against the user entity behavior baseline. This solves the problem that existing data leakage prevention methods cannot comprehensively detect data leakage behavior, allows multiple types of data leakage behavior to be monitored, and improves the ability to discover unknown threats.
Optionally, the data security detection associated data acquisition module 810 may be specifically configured to:
filtering the data security detection associated data to obtain filtered data security detection associated data; carrying out data standardization processing on the filtered data security detection associated data to obtain standard data security detection associated data; extracting key element data from the standard data safety detection associated data, and reconstructing the data safety detection associated data according to the extracted key element data.
Optionally, the data security detecting module 820 may be specifically configured to:
generating user behavior detection data and/or data leakage events according to the data security detection result; generating a user portrait according to the user behavior detection data; and/or performing data leakage alarm processing according to the data leakage event; the data leakage event comprises at least one of an abnormal login event, a frequent login event, an abnormal access event, a cross-department operation event and a sensitive behavior operation event.
The data security detection apparatus can execute the data security detection method provided by any embodiment of the present invention and has the corresponding functional modules and beneficial effects. For technical details not described in this embodiment, reference may be made to the data security detection method provided by any embodiment of the present invention.
Since the data security detection apparatus described above is an apparatus capable of executing the data security detection method of the embodiment of the present invention, those skilled in the art can understand, from the description of that method, the specific implementation of the apparatus in this embodiment and its variations; how the apparatus implements the method is therefore not described in detail here. Any apparatus used by those skilled in the art to implement the data security detection method of the embodiment of the present invention falls within the scope of the present application.
Example five
Fig. 9 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. As shown in fig. 9, the computer apparatus includes a processor 910, a memory 920, an input device 930, and an output device 940; the number of the processors 910 in the computer device may be one or more, and one processor 910 is taken as an example in fig. 9; the processor 910, the memory 920, the input device 930, and the output device 940 in the computer apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 9.
The memory 920 is used as a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the data security detection model training method in the first embodiment of the present invention (for example, the data security detection associated data acquisition module 710, the data security detection model training module 720, and the user entity behavior baseline generation module 730 in the data security detection model training apparatus). The processor 910 executes various functional applications and data processing of the computer device by executing the software programs, instructions and modules stored in the memory 920, that is, implementing the above-mentioned data security detection model training method: collecting data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data; training at least one data security detection model according to the data security detection associated data; and generating a user entity behavior baseline according to the data security detection model.
Alternatively, the memory 920 is used as a computer-readable storage medium, and can be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the data security detection method in the second embodiment of the present invention (for example, the data security detection related data acquisition module 810 and the data security detection module 820 in the data security detection apparatus). The processor 910 executes various functional applications and data processing of the computer device by running software programs, instructions and modules stored in the memory 920, that is, the above-mentioned data security detection method is implemented: collecting data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data; inputting the data security detection associated data into at least one pre-trained data security detection model to perform data security detection on the data security detection associated data according to the user entity behavior baseline through each data security detection model; the data security detection model is obtained by training through any data security detection model training method in the first embodiment.
The memory 920 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created through use of the terminal, and the like. Further, the memory 920 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 920 may further include memory located remotely from the processor 910, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 930 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer apparatus. The output device 940 may include a display device such as a display screen.
Example six
An embodiment of the present invention further provides a computer storage medium storing a computer program, where the computer program is executed by a computer processor to perform the data security detection model training method according to the first embodiment of the present invention: collecting data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data; training at least one data security detection model according to the data security detection associated data; and generating a user entity behavior baseline according to the data security detection model.
Or the computer program, when executed by a computer processor, is configured to perform the data security detection method according to the second embodiment of the present invention: collecting data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data; inputting the data security detection associated data into at least one pre-trained data security detection model to perform data security detection on the data security detection associated data according to the user entity behavior baseline through each data security detection model; the data security detection model is obtained by training through any data security detection model training method in the first embodiment.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM) or flash memory, an optical fiber, a portable compact disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A data security detection model training method is characterized by comprising the following steps:
collecting data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data;
training at least one data security detection model according to the data security detection associated data;
and generating a user entity behavior baseline according to the data security detection model.
2. The method of claim 1, wherein training at least one data security detection model according to the data security detection associated data comprises:
determining at least one data security detection model to be trained according to the type of the data security detection associated data;
extracting multi-dimensional associated data security behavior characteristics of the data security detection associated data; the data security behavior characteristics comprise user daily interaction behavior characteristics and user attack behavior characteristics;
and training each data security detection model to be trained according to the data security behavior characteristics.
3. The method of claim 1, further comprising, before said training at least one data security detection model according to the data security detection associated data:
acquiring original data security detection associated data;
filtering the original data security detection associated data to obtain filtered data security detection associated data;
carrying out data standardization processing on the filtered data security detection associated data to obtain standard data security detection associated data;
and extracting key element data from the standard data security detection associated data to obtain the data security detection associated data.
4. A data security detection method is characterized by comprising the following steps:
collecting data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data;
inputting the data security detection associated data into at least one pre-trained data security detection model to perform data security detection on the data security detection associated data according to the user entity behavior baseline through each data security detection model;
wherein, the data security detection model is obtained by training through the data security detection model training method of any one of claims 1 to 3.
5. The method of claim 4, wherein prior to said inputting said data security detection associated data into at least one pre-trained data security detection model, further comprising:
filtering the data security detection associated data to obtain filtered data security detection associated data;
carrying out data standardization processing on the filtered data security detection associated data to obtain standard data security detection associated data;
extracting key element data from the standard data security detection associated data, and reconstructing the data security detection associated data according to the extracted key element data.
6. The method of claim 4, further comprising, after inputting the data security detection associated data into at least one pre-trained data security detection model:
generating user behavior detection data and/or data leakage events according to the data security detection result;
generating a user profile according to the user behavior detection data; and/or
performing data leakage alarm processing according to the data leakage event;
wherein the data leakage event comprises at least one of an abnormal login event, a frequent login event, an abnormal access event, a cross-department operation event and a sensitive behavior operation event.
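The preprocessing, baseline and detection steps of claims 3 to 6, as an added example that is not part of the patent: constructed log lines are filtered and standardised, a per-user baseline (login-hour range, home department) is built from them, and new records are checked against it to emit the event types listed in claim 6. The record format, the login-count threshold, the sensitive-action set and the event names are assumptions.

```python
from collections import Counter, defaultdict
SENSITIVE = {"export", "delete"}  # assumed set of sensitive actions
# Constructed training logs, one record per line: "<hour> <user> <dept> <action> <resource>".
TRAINING_LOGS = """
09 alice finance login portal
10 alice finance read ledger.xlsx
14 alice finance read budget.xlsx
09 bob hr login portal
11 bob hr read staff.csv
"""
def parse(raw):
    """Filter malformed lines and standardise fields (the preprocessing of claims 3 and 5)."""
    recs = []
    for line in raw.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():  # filtering: drop malformed records
            continue
        hour, user, dept, action, resource = parts
        recs.append({"hour": int(hour), "user": user.lower(), "dept": dept.lower(),
                     "action": action.lower(), "resource": resource})
    return recs

def build_baseline(recs):
    """Per-user entity behavior baseline: observed hour range and home department."""
    base = defaultdict(lambda: {"hours": [], "depts": Counter()})
    for r in recs:
        base[r["user"]]["hours"].append(r["hour"])
        base[r["user"]]["depts"][r["dept"]] += 1
    return {u: {"lo": min(b["hours"]), "hi": max(b["hours"]),
                "dept": b["depts"].most_common(1)[0][0]} for u, b in base.items()}

def detect(recs, baseline, login_limit=3):
    """Return (user, event) pairs for records that deviate from the baseline."""
    events, logins = [], Counter()
    for r in recs:
        b = baseline.get(r["user"])
        if b is None:  # user never seen during training: treat as abnormal access
            events.append((r["user"], "abnormal_access"))
            continue
        if r["action"] == "login":
            logins[r["user"]] += 1
            if not b["lo"] <= r["hour"] <= b["hi"]:
                events.append((r["user"], "abnormal_login"))
            if logins[r["user"]] > login_limit:
                events.append((r["user"], "frequent_login"))
        if r["dept"] != b["dept"]:
            events.append((r["user"], "cross_department_operation"))
        if r["action"] in SENSITIVE:
            events.append((r["user"], "sensitive_behavior_operation"))
    return events
```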
7. A data security detection model training device is characterized by comprising:
the data security detection associated data acquisition module is used for acquiring data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data;
the data security detection model training module is used for training at least one data security detection model according to the data security detection associated data;
and the user entity behavior baseline generation module is used for generating a user entity behavior baseline according to the data security detection model.
8. A data security detection apparatus, comprising:
the data security detection associated data acquisition module is used for acquiring data security detection associated data; the data security detection associated data comprises at least one item of flow data, asset data, account data, log data, leak database data and threat intelligence data;
the data security detection module is used for inputting the data security detection associated data into at least one pre-trained data security detection model so as to perform data security detection on the data security detection associated data according to the user entity behavior baseline through each data security detection model;
wherein the data security detection model is obtained by training through the data security detection model training method of any one of claims 1 to 3.
9. A computer device, characterized in that the computer device comprises:
one or more processors;
storage means for storing one or more computer programs;
wherein the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the data security detection model training method of any one of claims 1 to 3 or the data security detection method of any one of claims 4 to 6.
10. A computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements a data security detection model training method as claimed in any one of claims 1 to 3, or implements a data security detection method as claimed in any one of claims 4 to 6.
CN202110982127.8A 2021-08-25 2021-08-25 Data security detection model training method, data security detection device and equipment Pending CN113642023A (en)

Publications (1)

Publication Number Publication Date
CN113642023A true CN113642023A (en) 2021-11-12

Family

ID=78423831

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285596A (en) * 2021-11-16 2022-04-05 国网浙江省电力有限公司杭州供电公司 Transformer substation terminal account abnormity detection method based on machine learning
CN114352947A (en) * 2021-12-08 2022-04-15 天翼物联科技有限公司 Gas pipeline leakage detection method, system and device and storage medium
CN114491524A (en) * 2021-12-16 2022-05-13 中国通信建设第三工程局有限公司 Big data communication system applied to intelligent network security
CN114866434A (en) * 2022-03-09 2022-08-05 上海纽盾科技股份有限公司 Security assessment method and application of network assets
CN115118525A (en) * 2022-08-23 2022-09-27 天津天元海科技开发有限公司 Internet of things safety protection system and protection method thereof
CN115766282A (en) * 2022-12-12 2023-03-07 张家港金典软件有限公司 Data processing method and system for enterprise information safety supervision
CN117113199A (en) * 2023-10-23 2023-11-24 浙江星汉信息技术股份有限公司 File security management system and method based on artificial intelligence

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111159706A (en) * 2019-12-26 2020-05-15 深信服科技股份有限公司 Database security detection method, device, equipment and storage medium
CN111245793A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for analyzing abnormity of network data
CN111294332A (en) * 2020-01-13 2020-06-16 交通银行股份有限公司 Traffic anomaly detection and DNS channel anomaly detection system and method
CN112003838A (en) * 2020-08-06 2020-11-27 杭州安恒信息技术股份有限公司 Network threat detection method, device, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination