CN113792296B - Cluster-based vulnerability combining method and system - Google Patents


Info

Publication number
CN113792296B
Authority
CN
China
Prior art keywords
vulnerability
attack
information
tool
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110976255.1A
Other languages
Chinese (zh)
Other versions
CN113792296A (en)
Inventor
陈周国
丁建伟
郭宇斌
王鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 30 Research Institute
Priority to CN202110976255.1A
Publication of CN113792296A
Application granted
Publication of CN113792296B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a clustering-based vulnerability combining method comprising the following steps: step 1, obtaining the vulnerability information, ATT&CK matrix information, CVE vulnerability information, attack tool information, all attack-usable resource information and attack target information of a system; step 2, formally describing the information obtained in step 1 to obtain a vulnerability five-tuple model; step 3, constructing a vulnerability knowledge base from the five-tuple patterns of all vulnerability information; and step 4, clustering and combining the constructed vulnerability knowledge base to obtain a combined set of vulnerabilities. The scheme uses vulnerability combination to defend the system: it not only strengthens the system's defensive capability but also reduces the number of vulnerabilities to a certain extent, supports research on system defense technology, and greatly increases the pertinence and strength of system defense, so that system security is guaranteed and the defensive capability of the system is effectively improved.

Description

Cluster-based vulnerability combining method and system
Technical Field
The invention relates to the field of vulnerability detection, in particular to a vulnerability combining method and system based on clustering.
Background
In recent years, as the number of software vulnerabilities has grown massively and their types have become more complex, vulnerability classification and the construction of vulnerability knowledge bases have received wide attention. Traditional vulnerability classification research, however, is insufficient to cope with this situation; its main shortcomings are a low effective rate and limited applicability. Experience shows that similar vulnerabilities cannot be reused when an attacker carries out an APT (advanced persistent threat) attack. If a clustering algorithm is used to select similar vulnerabilities from different categories for combination, the number of vulnerability combinations is greatly reduced and the likelihood of a successful attack rises; conversely, the system can be defended using those same vulnerability combinations.
Disclosure of Invention
To address the problems of the prior art, a clustering-based vulnerability combining method and system are provided that can find more vulnerable points of a system. The method first uses an existing vulnerability scanning tool to obtain the system's vulnerability information, formally describes the scanned vulnerability information as a vulnerability five-tuple model, builds a vulnerability knowledge base from the set of five-tuples, and then applies vulnerability clustering and a combination algorithm to obtain a combined set of vulnerabilities. The method supports research on system defense technology and greatly enhances the pertinence and strength of system defense.
The technical scheme adopted by the invention is as follows: a cluster-based vulnerability combining method comprising the steps of:
step 1, obtaining the vulnerability information, ATT&CK matrix information, CVE vulnerability information, attack tool information, all attack-usable resource information and attack target information of a system;
step 2, formally describing the information obtained in step 1 to obtain a vulnerability five-tuple model;
step 3, constructing a vulnerability knowledge base from the five-tuple patterns of all vulnerability information;
step 4, clustering and combining the constructed vulnerability knowledge base to obtain a combined set of vulnerabilities.
Further, in step 1, the vulnerability information includes a vulnerability name, a vulnerability ID, an attack utilization condition set, an attack tool set, an attack target component set and an attack result set; the vulnerability information is scanned and updated periodically.
Further, in step 1, a web crawler obtains the ATT&CK matrix information from the ATT&CK site, and obtains the vulnerability ID, vulnerability name and affected software version of each vulnerability in CVE.
Further, in step 1, the attack tool information is acquired as follows: the generalized hierarchical structure of the attack tool set is generated by scanning the tool files installed on the attack machine and classifying them by attack tool type.
Further, in step 1, the resource information available to all vulnerability attacks is obtained by scanning all states and privileges on the target machine, including the services each node exposes externally, the running operating system, the IP address and the port number.
Further, in step 1, the attack conditions and attack results of atomic attacks are integrated to obtain all attack target information.
Further, in step 2, the vulnerability five-tuple model is {Conditions, Tech, Tool, Target, Results}, where Conditions is the set of assets a vulnerability attack calls upon, Tech is the ATT&CK module used by the vulnerability attack, Tool is the vulnerability attack tool, Target is the target component of the vulnerability attack, and Results is the set of assets a vulnerability attack yields.
Further, in step 4, the clustering process is as follows: each tuple in the vulnerability knowledge base is taken as input, and the vulnerabilities are clustered by a clustering algorithm based on a heuristic function so that similar vulnerabilities are grouped into one class.
Further, in step 4, after vulnerability clusters have been formed on different attributes, the different attributes of the clustered vulnerabilities are combined using the ACTS combinatorial testing tool to obtain a clustering-based vulnerability combination information set.
The invention also provides a clustering-based computer vulnerability combination system comprising a target machine available resource module, a web crawler module, an attack tool information acquisition module, an attack target information acquisition module, a vulnerability formalization module, a vulnerability library construction module, a clustering module and a combination module;
the target machine available resource module uses an asset auditing tool, combined with manual operation, to organize all attributes an attacker could use into a generalized hierarchical structure, which is passed to the vulnerability formalization module;
the web crawler module obtains the ATT&CK framework table using web crawler technology, generates a generalized hierarchical structure of tactics and techniques, and passes it to the vulnerability formalization module;
the attack tool information acquisition module scans the attack tool folder on the attack machine according to the attack machine information, generates a generalized hierarchical structure of attack tools, and passes it to the vulnerability formalization module;
the attack target information acquisition module constructs a generalized hierarchical structure of attack targets according to the network topology and the logical structure among the components of the target machine, and passes it to the vulnerability formalization module;
the vulnerability formalization module scans the target machine with the Nessus vulnerability scanner, the AWVS web vulnerability scanner, the Nmap port scanner and the Nexpose scanner working together, acquires all states and privileges of the target machine and the list of vulnerabilities on it, and, combining the generalized hierarchical structures passed in by the target machine available resource module, the web crawler module, the attack tool information acquisition module and the attack target information acquisition module, describes the vulnerabilities in five-tuple form to obtain a vulnerability list in five-tuple form;
the vulnerability library construction module integrates all the generalized hierarchical structures and the five-tuple vulnerability list to construct a vulnerability knowledge base;
the clustering module clusters the five-tuple vulnerability list over the generalized hierarchical structures in the vulnerability knowledge base using a clustering algorithm based on a heuristic function, and classifies the vulnerabilities;
and the combination module generates a vulnerability combination sequence from the clustering results using the ACTS combinatorial testing tool.
Compared with the prior art, the technical scheme has the following beneficial effects: the generated combination method among software vulnerability test cases realizes automatic combination and utilization of computer software vulnerabilities and uses vulnerability combination to defend the system; it not only enhances the system's defensive capability but also reduces the number of vulnerabilities to a certain extent, supports research on system defense technology, and greatly enhances the pertinence and strength of system defense.
Drawings
FIG. 1 is a flowchart of a clustering-based vulnerability combining method provided by the invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Example 1
As shown in FIG. 1, this embodiment proposes a clustering-based vulnerability combining method comprising the following steps:
step 1, obtaining the vulnerability information, ATT&CK matrix information, CVE vulnerability information, attack tool information, all attack-usable resource information and attack target information of a system;
step 2, formally describing the information obtained in step 1 to obtain a vulnerability five-tuple model;
step 3, constructing a vulnerability knowledge base from the five-tuple patterns of all vulnerability information;
step 4, clustering and combining the constructed vulnerability knowledge base to obtain a combined set of vulnerabilities.
Specifically, in this embodiment, an existing vulnerability scanning tool is invoked to scan the target system for vulnerabilities. The vulnerability information obtained includes a vulnerability name, a vulnerability ID, an attack utilization condition set, an attack tool set, an attack target component set and an attack result set, and the target system is scanned periodically to update the vulnerability information.
Besides acquiring the ATT&CK matrix information from the ATT&CK site with crawler technology, the vulnerability ID, vulnerability name, affected software version and so on of each vulnerability in CVE can also be acquired with crawler technology.
The generalized hierarchical structure of the attack tool set is generated by scanning the attack tool files installed on the attack machine and classifying them by attack tool type.
The resource information available to all attacks is obtained by scanning the information on all states and privileges of the target machine, including the services each node exposes externally, the running operating system, the IP address, the port number and so on.
The attack conditions and attack results of atomic attacks (single-vulnerability attacks) are integrated, and a generalized hierarchical structure of attack targets is generated from all the attack target information obtained, according to the network topology.
The formalized vulnerability description is the five-tuple model provided by the invention, obtained by integrating the vulnerability information, and is the basis for constructing the vulnerability knowledge base: the vulnerability information, framework information, attack targets, attack tools and all attack-usable resource information are matched and processed to construct the five-tuple model {Conditions, Tech, Tool, Target, Results} of each vulnerability, where Conditions is the set of assets a vulnerability attack calls upon, Tech is the ATT&CK module used by the vulnerability attack, Tool is the vulnerability attack tool, Target is the target component of the vulnerability attack, and Results is the set of assets a vulnerability attack yields.
All formalized vulnerability five-tuples are integrated, and the vulnerability knowledge base is constructed according to the acquired CVE vulnerability IDs and names; when the target machine changes, the attack target information is re-acquired and the vulnerability knowledge base is rebuilt.
After the vulnerability knowledge base has been constructed, clustering and combination are carried out, specifically as follows:
each tuple in the vulnerability knowledge base is taken as input, the vulnerabilities are clustered by a clustering algorithm based on a heuristic function, and similar vulnerabilities are grouped into one class; after vulnerability cluster sets based on different attributes have been obtained, the different attributes of the clustered vulnerabilities are combined using the ACTS combinatorial testing tool to obtain a clustering-based vulnerability combination information set.
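The procedure above (the five-tuple model, the knowledge base, heuristic clustering and ACTS-style combination, as laid out in the Disclosure and again in this embodiment) can be exercised end to end on a small constructed data set. The Python below is an added example, not code from the patent or its assignees: the attribute weights of the heuristic, the greedy average-linkage clustering, the greedy pairwise covering array standing in for ACTS (which I take to be NIST's combinatorial testing tool), and the four sample findings with placeholder IDs V-001 to V-004 are all my assumptions; only the ATT&CK technique IDs T1190 and T1068 are real identifiers.

```python
"""Five-tuple vulnerability model, knowledge base, heuristic clustering and
pairwise combination. Added example with constructed sample data."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Vuln5:
    """One knowledge-base entry in {Conditions, Tech, Tool, Target, Results} form."""
    vid: str                # vulnerability ID (placeholder, not a real CVE number)
    name: str
    conditions: frozenset   # Conditions: assets the attack calls upon
    tech: frozenset         # Tech: ATT&CK technique IDs used
    tool: frozenset         # Tool: tools that can exercise the vulnerability
    target: str             # Target: attacked component
    results: frozenset      # Results: assets the attack yields


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


# Assumed attribute weights for the heuristic; the patent gives no formula.
WEIGHTS = {"conditions": 0.2, "tech": 0.3, "tool": 0.2, "target": 0.1, "results": 0.2}


def heuristic_similarity(x, y):
    """Weighted per-attribute similarity of two five-tuples, in [0, 1]."""
    return (WEIGHTS["conditions"] * jaccard(x.conditions, y.conditions)
            + WEIGHTS["tech"] * jaccard(x.tech, y.tech)
            + WEIGHTS["tool"] * jaccard(x.tool, y.tool)
            + WEIGHTS["target"] * (1.0 if x.target == y.target else 0.0)
            + WEIGHTS["results"] * jaccard(x.results, y.results))


def build_knowledge_base(vulns):
    """Index five-tuples by ID; a re-scan reporting the same ID overwrites the old entry."""
    return {v.vid: v for v in vulns}


def cluster(kb, threshold=0.5):
    """Greedy average-linkage clustering: a tuple joins the first cluster whose
    mean similarity to it reaches the threshold, otherwise it opens a new cluster."""
    clusters = []
    for v in kb.values():
        for c in clusters:
            if sum(heuristic_similarity(m, v) for m in c) / len(c) >= threshold:
                c.append(v)
                break
        else:
            clusters.append([v])
    return clusters


def pairwise_combinations(clusters):
    """Greedy pairwise covering array: each cluster is a parameter and its members
    are the values; rows are chosen until every cross-cluster pair of members
    occurs in at least one row. With a single cluster, each member is its own row."""
    params = [[v.vid for v in c] for c in clusters]
    if len(params) < 2:
        return [(vid,) for vid in params[0]] if params else []
    uncovered = {(i, a, j, b)
                 for i in range(len(params)) for j in range(i + 1, len(params))
                 for a in params[i] for b in params[j]}
    rows = []
    while uncovered:
        # pick the candidate row that covers the most still-uncovered pairs
        best = max(product(*params),
                   key=lambda row: sum(1 for (i, a, j, b) in uncovered
                                       if row[i] == a and row[j] == b))
        rows.append(best)
        uncovered = {p for p in uncovered if not (best[p[0]] == p[1] and best[p[2]] == p[3])}
    return rows


# Constructed sample: two web-application findings and two privilege-escalation
# findings on the same target. Names, tools and asset labels are illustrative only.
SAMPLE_VULNS = [
    Vuln5("V-001", "web input validation flaw", frozenset({"svc:http", "net:80/tcp"}),
          frozenset({"T1190"}), frozenset({"web-scanner"}), "web-app", frozenset({"db-read"})),
    Vuln5("V-002", "web file handling flaw", frozenset({"svc:http", "net:80/tcp"}),
          frozenset({"T1190"}), frozenset({"web-scanner"}), "web-app", frozenset({"shell:www-data"})),
    Vuln5("V-003", "kernel local privilege escalation", frozenset({"shell:www-data"}),
          frozenset({"T1068"}), frozenset({"local-checker"}), "kernel", frozenset({"shell:root"})),
    Vuln5("V-004", "setuid binary privilege escalation", frozenset({"shell:www-data"}),
          frozenset({"T1068"}), frozenset({"local-checker"}), "setuid-binary", frozenset({"shell:root"})),
]


def run_demo():
    """Build the knowledge base, cluster it, and return (cluster IDs, combination rows)."""
    kb = build_knowledge_base(SAMPLE_VULNS)
    clusters = cluster(kb)
    return [[v.vid for v in c] for c in clusters], pairwise_combinations(clusters)


if __name__ == "__main__":
    groups, rows = run_demo()
    print("clusters:", groups)
    print("pairwise combinations:", rows)
```

The covering array treats each cluster as one parameter whose values are its members, so every cross-cluster pair of findings appears in at least one row; a defender reads the rows as the vulnerability combinations to prioritize for mitigation, and the cluster membership shows which findings share an attack surface and are likely to share a fix.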
Example 2
This embodiment provides a clustering-based computer vulnerability combination system comprising a target machine available resource module, a web crawler module, an attack tool information acquisition module, an attack target information acquisition module, a vulnerability formalization module, a vulnerability library construction module, a clustering module and a combination module;
the target machine available resource module uses an asset auditing tool, combined with manual operation, to organize all attributes an attacker could use into a generalized hierarchical structure, which is passed to the vulnerability formalization module;
the web crawler module obtains the ATT&CK framework table using web crawler technology, generates a generalized hierarchical structure of tactics and techniques, and passes it to the vulnerability formalization module;
the attack tool information acquisition module scans the attack tool folder on the attack machine according to the attack machine information, generates a generalized hierarchical structure of attack tools, and passes it to the vulnerability formalization module;
the attack target information acquisition module constructs a generalized hierarchical structure of attack targets according to the network topology and the logical structure among the components of the target machine, and passes it to the vulnerability formalization module;
the vulnerability formalization module scans the target machine with the Nessus vulnerability scanner, the AWVS web vulnerability scanner, the Nmap port scanner and the Nexpose scanner working together, acquires all states and privileges of the target machine and the list of vulnerabilities on it, and, combining the generalized hierarchical structures passed in by the target machine available resource module, the web crawler module, the attack tool information acquisition module and the attack target information acquisition module, describes the vulnerabilities in five-tuple form to obtain a vulnerability list in five-tuple form;
the vulnerability library construction module integrates all the generalized hierarchical structures and the five-tuple vulnerability list to construct a vulnerability knowledge base;
the clustering module clusters the five-tuple vulnerability list over the generalized hierarchical structures in the vulnerability knowledge base using a clustering algorithm based on a heuristic function, and classifies the vulnerabilities;
and the combination module generates a vulnerability combination sequence from the clustering results using the ACTS combinatorial testing tool.
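The web crawler module and the target machine available resource module both hand the formalization module a generalized hierarchical structure. The Python below is my own added example, not the patent's code, showing what those two hierarchies can look like when built from constructed inputs: an excerpt shaped like the MITRE ATT&CK STIX bundle (tactic names in kill_chain_phases, technique IDs in external_references) and a trimmed Nmap-style XML report for two hosts at constructed private addresses. The helper conditions_for is likewise my assumption of how one host's assets are flattened into the Conditions slot of the five-tuple.

```python
"""Generalized hierarchies feeding the vulnerability formalization module.
Added example; both inputs below are constructed excerpts."""
import json
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of the ATT&CK STIX bundle: attack-pattern
# objects carry the technique ID under external_references and the tactic
# name(s) under kill_chain_phases. The relationship object is there to be skipped.
ATTACK_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Exploit Public-Facing Application",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1190"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
    {"type": "attack-pattern", "name": "Exploitation for Privilege Escalation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1068"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
    {"type": "attack-pattern", "name": "Valid Accounts",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
    {"type": "relationship", "relationship_type": "uses"},
]})


def attack_hierarchy(bundle_json):
    """tactic -> {technique_id: name}; a multi-tactic technique is listed under each tactic."""
    tree = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        ids = [r["external_id"] for r in obj.get("external_references", [])
               if r.get("source_name") == "mitre-attack"]
        if not ids:
            continue  # no technique ID, nothing to index
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                tree.setdefault(phase["phase_name"], {})[ids[0]] = obj["name"]
    return tree


# Constructed Nmap-style XML for two hosts, trimmed to the elements used here.
NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
        <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port></ports>
 <os><osmatch name="Linux 5.X"/></os></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
 <os><osmatch name="Windows Server 2019"/></os></host>
</nmaprun>"""


def asset_hierarchy(xml_text):
    """ip -> {"os": name, "services": {"port/proto": service}}, open ports only."""
    tree = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        node = {"os": None, "services": {}}
        osm = host.find("os/osmatch")
        if osm is not None:
            node["os"] = osm.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not usable assets
            svc = port.find("service")
            key = f"{port.get('portid')}/{port.get('protocol')}"
            node["services"][key] = svc.get("name") if svc is not None else None
        tree[addr.get("addr")] = node
    return tree


def conditions_for(assets, ip):
    """Flatten one host's node of the asset hierarchy into a Conditions asset set."""
    node = assets.get(ip)
    if node is None:
        return frozenset()
    items = {f"host:{ip}"}
    if node["os"]:
        items.add(f"os:{node['os']}")
    items.update(f"svc:{name}@{ip}:{port}" for port, name in node["services"].items())
    return frozenset(items)


if __name__ == "__main__":
    print(attack_hierarchy(ATTACK_BUNDLE))
    assets = asset_hierarchy(NMAP_XML)
    print(assets)
    print(sorted(conditions_for(assets, "10.0.0.5")))
```

Only open ports become assets, and a technique that belongs to several tactics is indexed under each of them, which is what lets a later lookup from either side of the five-tuple (Tech or Conditions) land on the same entry.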
The invention is not limited to the specific embodiments described above. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification, as well as to any novel one, or any novel combination, of the steps of the method or process disclosed. It is intended that insubstantial changes or modifications from the invention as described herein be covered by the claims below, as viewed by a person skilled in the art, without departing from the true spirit of the invention.
All of the features disclosed in this specification, or all of the steps in a method or process disclosed, may be combined in any combination, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification may be replaced by alternative features serving the same or equivalent purpose, unless expressly stated otherwise. That is, each feature is one example only of a generic series of equivalent or similar features, unless expressly stated otherwise.

Claims (7)

1. A clustering-based vulnerability combining method, characterized by comprising the following steps:
step 1, obtaining the vulnerability information, ATT&CK matrix information, CVE vulnerability information, attack tool information, all attack-usable resource information and attack target information of a system;
step 2, formally describing the information obtained in step 1 to obtain a vulnerability five-tuple model;
step 3, constructing a vulnerability knowledge base from the five-tuple patterns of all vulnerability information;
step 4, clustering and combining the constructed vulnerability knowledge base to obtain a combined set of vulnerabilities;
in step 2, the vulnerability five-tuple model is {Conditions, Tech, Tool, Target, Results}, where Conditions is the set of assets a vulnerability attack calls upon, Tech is the ATT&CK module used by the vulnerability attack, Tool is the vulnerability attack tool, Target is the target component of the vulnerability attack, and Results is the set of assets a vulnerability attack yields;
in step 4, the clustering process is as follows: each tuple in the vulnerability knowledge base is taken as input, the vulnerabilities are clustered by a clustering algorithm based on a heuristic function, and similar vulnerabilities are grouped into one class;
in step 4, after vulnerability clusters have been formed on different attributes, the different attributes of the clustered vulnerabilities are combined using the ACTS combinatorial testing tool to obtain a clustering-based vulnerability combination information set.
2. The clustering-based vulnerability combining method of claim 1, wherein in step 1 the vulnerability information comprises vulnerability names, vulnerability IDs, attack utilization condition sets, attack tool sets, attack target component sets and attack result sets, and the vulnerability information is scanned and updated periodically.
3. The method of claim 2, wherein in step 1 a web crawler obtains the ATT&CK matrix information from the ATT&CK site, and obtains the vulnerability ID, vulnerability name and affected software version of each vulnerability in CVE.
4. The method of claim 3, wherein in step 1 the attack tool information is acquired as follows: the generalized hierarchical structure of the attack tool set is generated by scanning the tool files installed on the attack machine and classifying them by attack tool type.
5. The method of claim 4, wherein in step 1 the resource information available to all vulnerability attacks is obtained by scanning all states and privileges on the target machine, including the services each node exposes externally, the running operating system, the IP address and the port number.
6. The method of claim 5, wherein in step 1 all attack target information is obtained by integrating the attack conditions and attack results of atomic attacks.
7. A clustering-based computer vulnerability combination system comprising a target machine available resource module, a web crawler module, an attack tool information acquisition module, an attack target information acquisition module, a vulnerability formalization module, a vulnerability library construction module, a clustering module and a combination module;
the target machine available resource module uses an asset auditing tool, combined with manual operation, to organize all attributes an attacker could use into a generalized hierarchical structure, which is passed to the vulnerability formalization module;
the web crawler module obtains the ATT&CK framework table using web crawler technology, generates a generalized hierarchical structure of tactics and techniques, and passes it to the vulnerability formalization module;
the attack tool information acquisition module scans the attack tool folder on the attack machine according to the attack machine information, generates a generalized hierarchical structure of attack tools, and passes it to the vulnerability formalization module;
the attack target information acquisition module constructs a generalized hierarchical structure of attack targets according to the network topology and the logical structure among the components of the target machine, and passes it to the vulnerability formalization module;
the vulnerability formalization module scans the target machine with the Nessus vulnerability scanner, the AWVS web vulnerability scanner, the Nmap port scanner and the Nexpose scanner working together, acquires all states and privileges of the target machine and the list of vulnerabilities on it, and, combining the generalized hierarchical structures passed in by the target machine available resource module, the web crawler module, the attack tool information acquisition module and the attack target information acquisition module, describes the vulnerabilities in five-tuple form to obtain a vulnerability list in five-tuple form;
the vulnerability library construction module integrates all the generalized hierarchical structures and the five-tuple vulnerability list to construct a vulnerability knowledge base;
the clustering module clusters the five-tuple vulnerability list over the generalized hierarchical structures in the vulnerability knowledge base using a clustering algorithm based on a heuristic function, and classifies the vulnerabilities;
the combination module generates a vulnerability combination sequence from the clustering results using the ACTS combinatorial testing tool;
the five-tuple form is {Conditions, Tech, Tool, Target, Results}, where Conditions is the set of assets a vulnerability attack calls upon, Tech is the ATT&CK module used by the vulnerability attack, Tool is the vulnerability attack tool, Target is the target component of the vulnerability attack, and Results is the set of assets a vulnerability attack yields.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110976255.1A CN113792296B (en) 2021-08-24 2021-08-24 Cluster-based vulnerability combining method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110976255.1A CN113792296B (en) 2021-08-24 2021-08-24 Cluster-based vulnerability combining method and system

Publications (2)

Publication Number Publication Date
CN113792296A CN113792296A (en) 2021-12-14
CN113792296B true CN113792296B (en) 2023-05-30

Family

ID=79182196

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110976255.1A Active CN113792296B (en) 2021-08-24 2021-08-24 Cluster-based vulnerability combining method and system

Country Status (1)

Country Link
CN (1) CN113792296B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103366120A (en) * 2012-04-10 2013-10-23 中国信息安全测评中心 Bug attack graph generation method based on script
CN104615542A (en) * 2015-02-11 2015-05-13 中国科学院软件研究所 Vulnerability correlation analysis assisted vulnerability mining method based on function calling
CN105471882A (en) * 2015-12-08 2016-04-06 中国电子科技集团公司第三十研究所 Behavior characteristics-based network attack detection method and device
CN106845226A (en) * 2016-12-26 2017-06-13 中国电子科技集团公司第三十研究所 A kind of rogue program analysis method
US9825989B1 (en) * 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system
CN107426227A (en) * 2017-08-02 2017-12-01 江苏省邮电规划设计院有限责任公司 One kind automation safe penetration method of testing
CN107480531A (en) * 2017-07-18 2017-12-15 北京计算机技术及应用研究所 Automated software validating vulnerability system and method based on vulnerability database
EP3416345A1 (en) * 2017-06-16 2018-12-19 Nokia Technologies Oy Process for estimating a mean time for an attacker to compromise a vulnerability (mtacv) of a computer system
CN109302426A (en) * 2018-11-30 2019-02-01 东软集团股份有限公司 Unknown loophole attack detection method, device, equipment and storage medium
CN110381092A (en) * 2019-08-29 2019-10-25 南京经纬信安科技有限公司 A kind of self-adapting closed loop solves the system of defense and method of Cyberthreat
CN110430190A (en) * 2019-08-05 2019-11-08 北京经纬信安科技有限公司 Duplicity system of defense, construction method and full link based on ATT&CK defend implementation method
CN111130947A (en) * 2019-12-30 2020-05-08 成都科来软件有限公司 Network space mapping method based on service verification
CN112039914A (en) * 2020-09-07 2020-12-04 中国人民解放军63880部队 Network attack chain efficiency modeling method
CN112131882A (en) * 2020-09-30 2020-12-25 绿盟科技集团股份有限公司 Multi-source heterogeneous network security knowledge graph construction method and device
CN112765613A (en) * 2021-01-28 2021-05-07 北京明略昭辉科技有限公司 Vulnerability detection method and system for vehicle-mounted terminal system
CN113591092A (en) * 2021-06-22 2021-11-02 中国电子科技集团公司第三十研究所 Attack chain construction method based on vulnerability combination

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170078309A1 (en) * 2015-09-11 2017-03-16 Beyondtrust Software, Inc. Systems and methods for detecting vulnerabilities and privileged access using cluster movement
US10846308B2 (en) * 2016-07-27 2020-11-24 Anomalee Inc. Prioritized detection and classification of clusters of anomalous samples on high-dimensional continuous and mixed discrete/continuous feature spaces
US10965712B2 (en) * 2019-04-15 2021-03-30 Qualys, Inc. Domain specific language for defending against a threat-actor and adversarial tactics, techniques, and procedures

Non-Patent Citations (3)

Title
Botnet analysis and its defense; 陈周国; 信息安全与通信保密 (No. 06); 56-60 *
Research on multi-source data deep security detection technology based on ATT&CK; 贵重; 电信工程技术与标准化 (No. 10); 81-86 *
A survey of machine-learning-based software vulnerability discovery methods; 李韵; 黄辰林; 王中锋; 袁露; 王晓川; 软件学报 (No. 07); 2040-2061 *

Also Published As

Publication number Publication date
CN113792296A (en) 2021-12-14

Similar Documents

Publication Publication Date Title
US10701035B2 (en) Distributed traffic management system and techniques
Hubballi et al. False alarm minimization techniques in signature-based intrusion detection systems: A survey
Ahmed et al. Mitigating DNS query-based DDoS attacks with machine learning on software-defined networking
Zhou et al. A survey of coordinated attacks and collaborative intrusion detection
Xu et al. Alert correlation through triggering events and common resources
US11095670B2 (en) Hierarchical activation of scripts for detecting a security threat to a network using a programmable data plane
Stevanovic et al. Machine learning for identifying botnet network traffic
Yang et al. CARDS: A distributed system for detecting coordinated attacks
EP3905622A1 (en) Botnet detection method and system, and storage medium
Qassim et al. Anomalies Classification Approach for Network-based Intrusion Detection System.
WO2010017679A1 (en) Method and device for intrusion detection
Bisio et al. Real-time behavioral DGA detection through machine learning
Narang et al. PeerShark: flow-clustering and conversation-generation for malicious peer-to-peer traffic identification
Uddin et al. Intrusion detection system to detect DDoS attack in gnutella hybrid P2P network
Mallouli et al. Online network traffic security inspection using mmt tool
Zali et al. Real-time attack scenario detection via intrusion detection alert correlation
Pellegrino et al. Learning behavioral fingerprints from netflows using timed automata
Jiang et al. BSD‐Guard: A Collaborative Blockchain‐Based Approach for Detection and Mitigation of SDN‐Targeted DDoS Attacks
Hou et al. Combating adversarial network topology inference by proactive topology obfuscation
CN113792296B (en) Cluster-based vulnerability combining method and system
KR101182793B1 (en) Method and system for detecting botnets using domain name service queries
Tanaka et al. Internet-wide scanner fingerprint identifier based on TCP/IP header
Al-Musawi Detecting BGP anomalies using recurrence quantification analysis
Abaid et al. Early detection of in-the-wild botnet attacks by exploiting network communication uniformity: An empirical study
Pouget et al. Internet attack knowledge discovery via clusters and cliques of attack traces

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant