CN113923037A - Credible computing-based anomaly detection optimization device, method and system - Google Patents


Info

Publication number: CN113923037A
Application number: CN202111212808.2A
Authority: CN (China)
Prior art keywords: user, risk, data information, detection, anomaly detection
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN113923037B (en)
Inventors: 李飞, 阮安邦, 魏明, 陈旭明, 翟东雪
Current assignee: Beijing Octa Innovations Information Technology Co Ltd
Original assignee: Beijing Octa Innovations Information Technology Co Ltd
Application filed by Beijing Octa Innovations Information Technology Co Ltd; priority to CN202111212808.2A; published as CN113923037A; application granted and published as CN113923037B

Classifications

    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L63/101 Access control lists [ACL]
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention relates to an anomaly detection optimization device, method and system based on trusted computing. The anomaly detection optimization system comprises at least: a data acquisition module configured to acquire the data information of a user that is related to the risk scenario to be addressed; and an anomaly detection module configured to input the acquired data information of the user related to the risk scenario to be addressed into an anomaly detection model group, where the anomaly detection models in the group perform anomaly detection judgment on that data information according to an anomaly detection judgment strategy and output a detection result.

Description

Credible computing-based anomaly detection optimization device, method and system
Technical Field
The invention relates to the technical field of network security, in particular to an anomaly detection optimization device, method and system based on trusted computing.
Background
The 21st century is an era of great growth in data and information: the mobile internet, social networks, e-commerce and the like have greatly expanded the boundaries and application range of the internet, and data of every kind is expanding rapidly and growing large. The internet (social networking, search, e-commerce), the mobile internet (microblogs), the internet of things (sensors, the smart planet), vehicle networks, GPS, medical imaging, security monitoring, finance (banking, stock markets, insurance) and telecommunications (calls, short messages) all produce data at widely varying rates, and this huge volume of data carries a huge amount of information. Data is the carrier of information, and a data disaster may cause immeasurable losses to the user. It is therefore desirable to provide an anomaly detection method so that user behavior can be monitored effectively.
For example, Chinese patent publication No. CN112364286A discloses a UEBA-based anomaly detection method, apparatus and related product. The UEBA-based anomaly detection method comprises the following steps: capturing, in real time, system operation log source data related to user entity behavior; inputting the captured source data into an anomaly detection model group comprising a plurality of anomaly detection models; and having the anomaly detection models in the group perform anomaly detection judgment on the captured source data according to an anomaly detection judgment strategy and output a detection result. That application can perform anomaly detection and thereby establish effective monitoring of user behavior. However, it still has the following technical defects: 1) because of the positioning and specialized nature of the user entity behavior analysis technology used for anomaly detection optimization, it is a means of solving one very specific risk scenario and cannot solve an overly broad problem, such as analyzing the behavior habits of thirty thousand users.
Before user entity behavior analysis is implemented, the specific risk scenario to be solved must first be considered, for example risk detection for credential-stuffing ("collision") attacks on electronic banking, or the theft of policy information using a legitimate account. Defining the specific risk scenario is the premise of implementing user entity behavior analysis, and subsequent analysis work can be carried out in a targeted way only if the risk scenario to be solved is clearly defined; the prior user entity behavior analysis technology, however, lacks a technical scheme for defining the application scenario. 2) Extensive data collection is the basis on which a user entity behavior analysis application lands. If the input data volume is small or the data quality is low, the final analysis result of the user entity behavior analysis will certainly be of low value, however good the system platform and the model algorithm. This does not mean that more data is always better for user entity behavior analysis: more data is only a burden if it is not relevant to the risk scenario that needs to be analyzed. The precondition for data acquisition is to match the particular scenario to be analyzed, i.e. to acquire the data required for that scenario. In the prior art, no classification measure aimed at a specific risk scenario is applied to the source data used for user entity behavior analysis. Improvement is therefore necessary to overcome the disadvantages of the prior art.
Furthermore, on the one hand, persons skilled in the art may differ in their understanding; on the other hand, the inventor studied a large number of documents and patents when making the present invention, but space does not permit listing all of their details and contents. This does not mean that the present invention lacks the features of that prior art; rather, the present invention already has all the features of the prior art, and the applicant reserves the right to add related prior art to the background.
Disclosure of Invention
In view of the defects of the prior art, the invention provides an anomaly detection optimization method based on trusted computing, which comprises at least the following steps: acquiring, through a data acquisition module, the data information of a user related to the risk scenario to be addressed; inputting, through an anomaly detection module, the acquired data information of the user related to the risk scenario to be addressed into an anomaly detection model group comprising a plurality of anomaly detection models; and having the anomaly detection models in the group perform anomaly detection judgment on the acquired data information related to the risk scenario to be addressed according to the anomaly detection judgment strategy and output a detection result.
According to a preferred embodiment, acquiring the data information of the user related to the risk scenario to be addressed by the data acquisition module comprises: inputting, through an input module, the risk scenario that the anomaly detection module is to address, and acquiring, through the data acquisition module, only the data information of the user related to that risk scenario.
The input module is used for inputting the risk scenario that the user needs to address, so that a clearly defined risk scenario is set for the subsequent user entity behavior analysis and the specific risk the user entity behavior analysis system must address is determined. For example, risk scenarios include, but are not limited to: insiders stealing sensitive data, compromised (lost) accounts, compromised (lost) hosts, data leakage, financial fraud prevention, control-bypassing behavior, credential-stuffing ("collision") attacks on electronic banking, theft of policy information using a legitimate account, and the like.
Because of the positioning and specialized nature of user entity behavior analysis, it is a means of solving one very specific risk scenario. It cannot solve an overly broad problem: analyzing the behavior habits of thirty thousand users, for example, is too broad a requirement, does not form a specific risk scenario to be addressed, and is therefore not suited to being solved by user entity behavior analysis. Before preparing to implement user entity behavior analysis, therefore, the specific risk scenario to be solved should be considered, such as risk detection for credential-stuffing ("collision") attacks on electronic banking or the theft of policy information using a legitimate account. Defining a specific risk scenario is the premise of implementing user entity behavior analysis, and subsequent analysis work can be carried out in a targeted way only if the risk scenario to be addressed is clearly defined. The user entity behavior analysis system therefore clearly defines the risk scenario it is to address and analyze by providing the input module.
Secondly, extensive data acquisition is the basis on which user entity behavior analysis applications land. If the input data volume is small or the data quality is low, the final analysis result of user entity behavior analysis will certainly be of low value, however good the system platform and the model algorithm; if a pile of garbage data is input, the final result will certainly be a pile of low-value analysis results. However, more data is not always better for user entity behavior analysis, because more data is only a burden if it is not relevant to the risk scenario that needs to be analyzed. The premise of data collection is therefore to match the specific scenario to be analyzed, i.e. to work out what data the specific scenario needs, rather than gathering a pile of data and seeing what results can be analyzed from it. On this premise, the main points of data acquisition are high quality and variety. The user entity behavior analysis system therefore provides the data collection module, which collects only the data information of the user related to the risk scenario defined by the input module, so as to provide high-quality and varied data sources for the subsequent analysis process.
The data acquisition module can acquire the risk scenario input through the input module and acquire the user's data information corresponding to that risk scenario. Preferably, the input module can transmit the risk scenario input by the user to the data collection module. Preferably, the risk scenario may be defined by the user. For example, through the input module a user can input: insiders stealing sensitive data, compromised accounts, compromised hosts, data leakage, risk ranking, business API security, remote office security, and the like. The data acquisition module, which is in data connection with the input module, acquires the risk scenario to be addressed that the user input through the input module. For example, when the content input by the user through the input module is insiders stealing sensitive data, the input module defines the risk scenario as a first risk scenario. In response to the first risk scenario input through the input module, the data acquisition module acquires the first risk scenario and acquires only the data information of the user related to it, such as database logs, call logs, user access logs and full access traffic, personnel work and rest times, work places, behavior characteristics (such as operation frequency and working and hot-zone time periods), personal characteristics (age and affiliated organization), and the like. The other scenarios are handled in the same way. With this configuration, the data acquisition module acquires only the data information related to the risk scenario to be addressed and sends it to the anomaly detection module, thereby providing the subsequent anomaly detection module with high-quality and varied data sources and improving the accuracy of its subsequent analysis.
According to a preferred embodiment, the anomaly detection module comprises a white list generation unit and a user entity behavior analysis unit. The white list generation unit is configured to generate a white list matching the user's security requirements based on the application scenarios of different users and/or the security posture monitored by the anomaly detection module; the user entity behavior analysis unit is configured at least to monitor and analyze the white-listed processes or programs run by the user, so as to monitor whether those processes or programs show anomalies. Preferably, the anomaly detection module can also monitor the security posture of the user's server over time. Preferably, the security posture includes at least the user's system version information, and may also include updates of the applications used by the user, changes of the networks used by the user, and the like. The user's server may be a personal computer, a workstation, etc. The system version information may be basic system version information, the time and interval of system version upgrades or downgrades, and the like. The applications may be any application software used by the user. It is particularly preferred that the anomaly detection module can identify the user's system version information, and also updates of the applications and changes of the networks used by the user. For example, if the user's server is gradually upgraded over time, the anomaly detection module judges the user's security posture to be benign.
When the user's security posture is benign, the white list generation unit is configured to regard the anomalous activity related to the system upgrade discovered by the user entity behavior analysis unit as a benign anomaly and add it to the original white list. When the user's server is gradually downgraded over time, or remains unchanged for a long time, the anomaly detection module judges the user's security posture to be malignant. When the security posture is malignant, the white list generation unit is configured to regard the anomalous activity related to the system upgrade discovered by the user entity behavior analysis unit as a real anomaly and send it to the anomaly detection module for early warning or alarm.
According to a preferred embodiment, the anomaly detection module further comprises a white list database unit. The white list database unit is configured at least to collect the white lists of a plurality of different users to form a white list database, so that a white-listed item that the user entity behavior analysis unit has monitored in an anomalous state can be analyzed and compared against the white list database, reducing the false alarm rate of the user entity behavior analysis unit. Preferably, the trusted white list in the white list database is obtained by the white list database unit taking the maximum intersection of the white lists of the plurality of different users.
According to a preferred embodiment, the anomaly detection module continuously updates the white list as follows: if the user entity behavior analysis unit, analyzing and comparing the white-listed item it has monitored as anomalous against the white list database, finds that the anomalous item lies within the range of the white list database, it judges the anomalous item to be a false alarm; at the same time the white list generation unit receives the instruction, immediately updates the white list of the corresponding server, and adds the benign anomaly discovered by the user entity behavior analysis unit to the original white list. If the comparison finds that the anomalous item does not lie within the range of the white list database, the user entity behavior analysis unit judges it to be a real alarm and sends the activity of the anomalous item to the anomaly detection module. If the user entity behavior analysis unit, after one or more comparisons and analyses against the white list database, confirms the security threat of the anomalous white-listed behavior, the white list generation unit receives the instruction, immediately updates the white list of the corresponding server, and deletes the anomalous item discovered by the user entity behavior analysis unit from the original white list.
With this configuration, the user entity behavior analysis unit continuously exchanges data with the white list database to modify and update the original white list, so that both the false alarm rate and the missed report rate of the user entity behavior analysis unit are reduced.
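As an added illustration, not code from the patent, the following Python models the white list generation unit, the white list database unit and the update rule described in the preceding paragraphs. Server names, process names, version numbers and day indices are constructed sample data; the 180-day staleness threshold is an assumption, and the trusted white list is computed excluding the server under review (also an assumption, explained in the comments).

```python
"""Added example (not the patent's own code): per-server process white
lists, a white-list database whose trusted list is the intersection of the
users' lists, the server security-posture rule, and the three-way update
rule for anomalies raised by the user entity behaviour analysis unit."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VersionEvent:
    day: int          # day index inside the observation window (constructed)
    version: tuple    # OS version as (major, minor, patch)


def classify_posture(history, now_day, stale_days=180):
    """'benign' when the system version only rises over time; 'malignant'
    when it was ever downgraded or has not changed for stale_days
    (the 180-day threshold is an assumption, the patent gives none)."""
    events = sorted(history, key=lambda e: e.day)
    if not events:
        return "malignant"            # nothing observed: treat as unchanged
    last_change = events[0].day
    for prev, cur in zip(events, events[1:]):
        if cur.version < prev.version:
            return "malignant"        # downgraded over time
        if cur.version > prev.version:
            last_change = cur.day
    if now_day - last_change >= stale_days:
        return "malignant"            # unchanged for a long time
    return "benign"


@dataclass
class WhiteListDatabase:
    """White list database unit: one process white list per server."""
    lists: dict = field(default_factory=dict)   # server -> set of names

    def trusted(self, exclude=None):
        """Trusted white list = intersection of the users' white lists.
        Assumption: the server under review is left out, otherwise its own
        list would make every membership test trivially true."""
        others = [s for name, s in self.lists.items() if name != exclude]
        return set.intersection(*others) if others else set()


def judge_anomaly(db, server, activity, posture,
                  upgrade_related=False, confirmed_threat=False):
    """Decide what happens to a white-listed activity the UEBA unit has
    flagged as anomalous, and update the server's own white list."""
    own = db.lists.setdefault(server, set())
    if upgrade_related:
        if posture == "benign":
            own.add(activity)         # benign anomaly: keep it white-listed
            return "benign_anomaly"
        return "real_anomaly"         # malignant posture: warn or alarm
    if activity in db.trusted(exclude=server):
        own.add(activity)             # within database range: false alarm
        return "false_alarm"
    if confirmed_threat:
        own.discard(activity)         # confirmed threat: drop from list
        return "real_alarm_confirmed"
    return "real_alarm"               # outside range: hand to the detector


if __name__ == "__main__":
    db = WhiteListDatabase({"srvA": {"sshd", "nginx", "apt"},
                            "srvB": {"sshd", "nginx", "apt", "cron"},
                            "srvC": {"sshd", "nginx", "cron"}})
    print(judge_anomaly(db, "srvA", "cron", "benign"), db.lists["srvA"])
    print(judge_anomaly(db, "srvA", "nc", "benign"))
```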
According to a preferred embodiment, the anomaly detection models in the anomaly detection model group performing anomaly detection judgment on the acquired data information related to the risk scenario to be addressed according to the anomaly detection judgment policy and outputting a detection result comprises: if the detection result shows that the data information related to the risk scenario to be addressed is anomalous, generating an alarm event.
According to a preferred embodiment, the plurality of anomaly detection models have a cascaded logical processing relationship, and the anomaly detection judgment strategy is determined according to that cascaded relationship. The anomaly detection models in the group performing anomaly detection judgment on the acquired data information related to the risk scenario to be addressed according to the strategy and outputting a detection result then comprises: if the output of the previous anomaly detection model indicates that the acquired data information related to the risk scenario to be addressed is normal, the previous model forwards that data information to the next anomaly detection model, which performs anomaly detection judgment on it and outputs a detection result.
According to a preferred embodiment, the plurality of anomaly detection models have a parallel logical processing relationship; the anomaly detection judgment strategy is determined according to the cascaded logical processing relationship; the anomaly detection models in the group performing anomaly detection judgment on the acquired data information related to the risk scenario to be addressed according to the strategy and outputting a detection result then comprises: the plurality of anomaly detection models performing anomaly detection judgment on the acquired data information related to the risk scenario to be addressed in parallel and outputting detection results.
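The scenario-driven acquisition described for the data acquisition module and the cascaded and parallel model-group strategies above, as an added Python example that is not part of the patent: the scenario-to-source table, the three detectors for the compromised-account scenario (built from the data the description lists for it), the thresholds and all event records are constructed for illustration.

```python
"""Added example (not the patent's own code): collect only the log sources
relevant to a risk scenario, then run an anomaly detection model group over
the result either as a cascade or in parallel, raising alarm events."""
from collections import Counter

# Log sources the data acquisition module keeps for each risk scenario
# (scenario names from the description; the source labels are constructed).
SCENARIO_SOURCES = {
    "insider_data_theft": {"db_log", "call_log", "access_log", "full_flow"},
    "compromised_account": {"auth_log", "access_log"},
    "compromised_host": {"dns_log", "auth_log", "flow_stats"},
}


def collect_for_scenario(scenario, events):
    """Data acquisition module: keep only records whose source is relevant
    to the scenario; unrelated records would only be a burden."""
    wanted = SCENARIO_SOURCES[scenario]
    return [e for e in events if e["source"] in wanted]


# Three detectors for the compromised-account scenario.  The login limit
# and the working-hours window are assumptions.
def login_churn(events, limit=5):
    """Users with more than `limit` login/logout actions."""
    counts = Counter(e["user"] for e in events
                     if e.get("action") in ("login", "logout"))
    return [u for u, c in counts.items() if c > limit]


def unseen_assets(events, history):
    """Users accessing an asset absent from their own access history."""
    return [e["user"] for e in events if e.get("action") == "access"
            and e["asset"] not in history.get(e["user"], set())]


def odd_hours(events, start=8, end=20):
    """Users logging in outside the working-hours window."""
    return [e["user"] for e in events
            if e.get("action") == "login" and not start <= e["hour"] < end]


def alarm_event(scenario, model, users):
    """Alarm event generated when a detection result is anomalous."""
    return {"scenario": scenario, "model": model, "users": sorted(set(users))}


def run_cascade(scenario, models, events):
    """Cascaded strategy: a model forwards the data to the next one only
    when it judged the data normal; the first anomalous verdict ends the
    chain and raises the alarm event (None when every model says normal)."""
    for name, model in models:
        hits = model(events)
        if hits:
            return alarm_event(scenario, name, hits)
    return None


def run_parallel(scenario, models, events):
    """Parallel strategy: every model judges the same data independently;
    one alarm event per model that found something."""
    return [alarm_event(scenario, name, hits)
            for name, model in models if (hits := model(events))]


# Constructed sample input: access histories plus a mixed batch of raw
# records from several log sources (the db_log record is not relevant).
HISTORY = {"alice": {"wiki"}, "bob": {"wiki", "crm"}, "carol": {"wiki"}}
EVENTS = (
    [{"source": "auth_log", "user": "alice", "action": "login", "hour": 9}] * 4
    + [{"source": "auth_log", "user": "alice", "action": "logout", "hour": 9}] * 3
    + [{"source": "access_log", "user": "bob", "action": "access",
        "asset": "payroll", "hour": 10}]
    + [{"source": "auth_log", "user": "carol", "action": "login", "hour": 3}]
    + [{"source": "db_log", "user": "dave", "action": "select", "hour": 11}]
)
MODELS = [
    ("login_churn", login_churn),
    ("unseen_assets", lambda ev: unseen_assets(ev, HISTORY)),
    ("odd_hours", odd_hours),
]

if __name__ == "__main__":
    data = collect_for_scenario("compromised_account", EVENTS)
    print(run_cascade("compromised_account", MODELS, data))
    print(run_parallel("compromised_account", MODELS, data))
```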
According to a preferred embodiment, a system for anomaly detection optimization based on trusted computing comprises at least: a data acquisition module configured to acquire the data information of a user related to the risk scenario to be addressed; and an anomaly detection module configured to input the acquired data information of the user related to the risk scenario to be addressed into an anomaly detection model group, where the anomaly detection models in the group perform anomaly detection judgment on that data information according to the anomaly detection judgment strategy and output a detection result.
According to a preferred embodiment, an electronic device comprises a memory storing computer-executable instructions and a processor for executing those instructions to perform the step of: establishing an anomaly detection model from the data information related to the risk scenario to be addressed and a machine learning training model.
Drawings
Fig. 1 is a simplified schematic diagram of a preferred embodiment of the present invention.
List of reference numerals
1: data acquisition module; 2: anomaly detection module; 201: white list generation unit; 202: user entity behavior analysis unit; 203: white list database unit.
Detailed Description
The following detailed description is made with reference to the accompanying drawings.
Fig. 1 shows an anomaly detection optimization system based on trusted computing, which comprises at least a data acquisition module 1 and an anomaly detection module 2.
The data acquisition module 1 is configured to acquire the risk scenario input through the input module and to acquire the user's data information corresponding to that risk scenario.
The anomaly detection module 2 can at least acquire the data information acquired by the data acquisition module 1.
The anomaly detection module 2 is configured to analyze the risk scenario input through the input module together with the data information related to that scenario acquired by the data acquisition module 1, so as to build a user portrait of the user and the information system by means of user entity behavior analysis, judge from that portrait whether the user and the information system show anomalous activities and/or anomalous processes, and thus monitor and warn of the risk posed by the anomalies.
Preferably, the users include, but are not limited to, personal computers, workstations, etc.
Preferably, the input module is configured for the user to input the risk scenario to be dealt with.
Preferably, the risk scenarios to be addressed include, but are not limited to: insiders stealing sensitive data, compromised (lost) accounts, compromised (lost) hosts, data leakage, financial fraud prevention, control-bypassing behavior, credential-stuffing ("collision") attacks on electronic banking, theft of policy information using a legitimate account, and the like.
Theft of sensitive data by insiders is a typical internal threat scenario for enterprises. Because insiders have legitimate access to enterprise data assets and generally know where the enterprise's sensitive data is stored, such behavior cannot be detected by conventional behavior auditing means.
Account compromise or account theft has long been a pain point for organizations of all kinds; it affects the interests and experience of end users, and privileged accounts are even more often targeted by attackers.
A compromised host is one of the typical internal threats to an enterprise: an attacker often turns an intranet server into a "meat machine" (a controlled zombie host) by compromising it, and then attacks laterally across the enterprise network.
Data leakage may cause severe loss to an organization's brand reputation and bring significant public pressure; it is one of the security threats of greatest concern to organizations.
Risk ranking addresses the problem, faced by almost all organizations, of excessive alarms: the security team's limited human resources make it difficult to comprehensively process the security alarms triggered by each security device. The value of risk ranking lies in investing limited and precious human resources where they bring the greatest security-operation return.
Business API security concerns the large number of business Application Programming Interfaces (APIs), such as login APIs, data acquisition APIs and business call APIs, that an enterprise web business system usually provides. An attacker can learn the approximate range of an enterprise's business API entry points by capturing specific website access data or request data, and by calling those APIs maliciously can achieve malicious access, data theft and other related malicious activities, seriously affecting the enterprise's normal business.
Remote office security concerns the fact that enterprises generally support remote work through a VPN; this provides isolation, but external personnel can then directly access internal resources, which brings a certain security risk.
Preferably, the input module may include, but is not limited to, a keyboard, a touch screen, a microphone, a camera, etc. Preferably, the input module can send the risk scenario to be addressed, input by the user through the input module, to the data acquisition module 1. Preferably, the risk scenario to be addressed can be defined by the user; for example, the user can input insiders stealing sensitive data, compromised accounts, compromised hosts, data leakage, risk ranking, business API security, remote office security, and the like through the input module.
The data acquisition module 1, which is in data connection with the input module, acquires the risk scenario to be addressed that the user input through the input module. When the content input by the user through the input module is insiders stealing sensitive data, the input module defines the risk scenario to be addressed as a first risk scenario. In response to the first risk scenario, the data acquisition module 1 acquires the first risk scenario and collects only the data information of the user related to it, such as database logs, call logs, user access logs and full access traffic, personnel work and rest times, work place, behavior characteristics (such as operation frequency and working and hot-zone time periods), personal characteristics (age and affiliated organization), and the like.
When the risk scenario to be addressed that the user input through the input module is a compromised account, the input module defines it as a second risk scenario. In response to the second risk scenario, the data acquisition module 1 acquires it and collects only the data information of the user related to it, such as frequent logins and logouts, information systems or data assets never visited in the access history, logins at abnormal times and places, and the like.
When the risk scenario to be addressed that the user input through the input module is a compromised host, the input module defines it as a third risk scenario. In response to the third risk scenario, the data acquisition module 1 acquires it and collects only the data information of the user related to it, such as the historical fluctuation patterns of the time-series characteristics of an intranet host or server, and characteristics such as requested domain names, account logins, traffic volume, frequency of access to the security zone, standard deviation of linked hosts, and the like.
When the risk scenario to be addressed that the user input through the input module is data leakage, the input module defines it as a fourth risk scenario. In response to the fourth risk scenario, the data acquisition module 1 acquires it and collects only the data information of the user related to it, such as enterprise database logs, call logs, user access logs, full access traffic, access period, time sequence, actions, frequency, and the like.
When the risk scenario to be addressed that the user input through the input module is risk ranking, the input module defines it as a fifth risk scenario. In response to the fifth risk scenario, the data acquisition module 1 acquires it and collects only the data information of the user related to it, such as organizational structure, asset criticality, personnel roles, access levels, and the like.
When the risk scenario to be addressed that the user input through the input module is business API security, the input module defines it as a sixth risk scenario. In response to the sixth risk scenario, the data acquisition module 1 acquires it and collects only the data information of the user related to it, such as enterprise business API access-frequency characteristics, requester access-frequency characteristics, standard deviation of parameter variation, and the day/night distribution of request times.
When the risk scenario to be addressed that the user input through the input module is remote office security, the input module defines it as a seventh risk scenario. In response to the seventh risk scenario, the data acquisition module 1 acquires it and collects only the data information of the user related to it, such as VPN and internal traffic log data, staff login place, login time, online duration, network behavior, protocol distribution, and the like.
Because of the positioning and specialization of user entity behavior analysis (UEBA), it is a means of addressing one very specific risk scenario. It cannot address a problem that is too broad: analyzing the behavioral habits of thirty thousand users, for example, is a requirement that is too general and does not form a specific risk scenario to be dealt with, so it is not suited to a user entity behavior analysis technique. Therefore, before implementing user entity behavior analysis, one should decide which specific risk scenario is to be solved, such as detecting credential stuffing against electronic banking, or detecting the theft of policy information through a legitimate account. Defining a specific risk scenario is the premise of implementing user entity behavior analysis; only when the risk scenario to be dealt with is clearly defined can the subsequent analysis be carried out in a targeted way. For this reason the user entity behavior analysis system is provided with an input module, through which the risk scenario that the system is required to deal with and analyze is clearly defined.

Secondly, extensive data collection is the foundation on which user entity behavior analysis applications are deployed. If the volume of input data is small or its quality is low, the final result of the analysis will be of little value no matter how good the platform and the model algorithm are; if a pile of garbage data is fed in, the output is certain to be a pile of low-value findings. However, more data is not always better: data that is irrelevant to the risk scenario being analyzed is only a burden. The premise of data collection is therefore to match the specific scenario to be analyzed, that is, to ask what data that scenario needs, rather than to gather a pile of data and see what can be analyzed from it. On this premise, the key points of data collection are high quality and variety. The user entity behavior analysis system is therefore provided with a data collection module 1 that collects only the user data information relevant to the risk scenario defined by the input module, so as to supply high-quality and diverse data sources to the subsequent analysis.

Preferably, the risk scenario to be dealt with can be defined by the user himself through the input module. Preferably, the input module is capable of sending the risk scenario entered by the user to the data collection module 1.
According to a preferred embodiment, the anomaly detection module 2 comprises:

a sample data parsing unit, configured to acquire the data information collected by the data collection module 1 that is related to the risk scenario to be dealt with, and to parse and process it to obtain key log sample data; and

a model building unit, configured to build an anomaly detection model from the several types of key log sample data and a machine learning training model.

The sample data parsing unit is further configured to build a plurality of log templates according to the message types of the data information related to the risk scenario to be dealt with, and to parse that data information according to the established log templates to obtain key log sample data.

Optionally, in this embodiment the sample data parsing unit is further configured to determine the message type from the template words and the parameter words in the data information related to the risk scenario to be dealt with, and to build a plurality of log templates according to the determined message types.

Specifically, the sample data parsing unit comprises a message type determining subunit and a log template building subunit, which are configured, respectively, to determine the message type from the template words and the parameter words in the data information related to the risk scenario to be dealt with, and to build a plurality of log templates according to the determined message types.

Specifically, in this embodiment a message type is a group of data information related to the risk scenario to be dealt with that shares similar message characteristics; template words are the tokens that stay constant across messages of one type, and parameter words are the tokens that vary between them, which makes this way of determining the message type simple and easy to implement. Because the data information related to the risk scenario may be massive, determining the message type by template words and parameter words allows a plurality of log templates to be established effectively and the massive data information to be parsed and processed conveniently, so that key log sample data can be obtained quickly and accurately.
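As an added illustration of the template-word/parameter-word approach (example code written for this page, not the patent's own implementation), the following Python miner treats each log line as tokens, masks tokens that obviously vary (timestamps, addresses, numbers) as parameter words, and then merges each line into the most similar existing template of the same length, turning any position that disagrees into a further parameter. The regex patterns, the similarity threshold of 0.6 and the sample lines are all constructed assumptions:

```python
import re

# Token patterns treated as "parameter words" before any clustering: values that
# obviously vary between otherwise identical messages. Assumed for this example.
PARAM_PATTERNS = [
    re.compile(r"^\d{4}-\d{2}-\d{2}$"),                 # date
    re.compile(r"^\d{2}:\d{2}:\d{2}(\.\d+)?$"),         # time
    re.compile(r"^(\d{1,3}\.){3}\d{1,3}(:\d+)?$"),      # IPv4[:port]
    re.compile(r"^0x[0-9a-fA-F]+$"),                    # hex value
    re.compile(r"^[0-9a-fA-F]{16,}$"),                  # long hex id / hash
    re.compile(r"^\d+(\.\d+)?(ms|s|kb|mb|%)?$", re.I),  # number, optional unit
    re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),        # e-mail address
]

SIM_THRESHOLD = 0.6   # fraction of positions that must agree to join a template


def tokenize(line):
    # "key=value" becomes three tokens so the value can vary while the key stays fixed
    return line.strip().replace("=", " = ").split()


def mask_params(tokens):
    return ["<*>" if any(p.match(t) for p in PARAM_PATTERNS) else t for t in tokens]


class LogTemplate:
    def __init__(self, key, tokens):
        self.key = key          # the log key: an integer id for this message type
        self.tokens = tokens    # template words, with parameter positions as "<*>"
        self.count = 0

    def __str__(self):
        return " ".join(self.tokens)


class TemplateMiner:
    """Online log-template miner: each line joins the most similar template of the
    same length, or starts a new one; positions that disagree become parameters."""

    def __init__(self, threshold=SIM_THRESHOLD):
        self.templates = []
        self.threshold = threshold

    def parse(self, line):
        raw = tokenize(line)
        if not raw:
            return None, []
        toks = mask_params(raw)
        best, best_sim = None, 0.0
        for t in self.templates:
            if len(t.tokens) != len(toks):
                continue
            sim = sum(a == b for a, b in zip(t.tokens, toks)) / len(toks)
            if sim > best_sim:
                best, best_sim = t, sim
        if best is None or best_sim < self.threshold:
            best = LogTemplate(len(self.templates) + 1, toks)
            self.templates.append(best)
        else:
            # positions that differ between two messages of one type are parameters
            best.tokens = [a if a == b else "<*>" for a, b in zip(best.tokens, toks)]
        best.count += 1
        params = [r for r, t in zip(raw, best.tokens) if t == "<*>"]
        return best.key, params


# Constructed sample lines (not from the patent): three message types.
SAMPLE_LOGS = [
    "2021-10-18 09:02:11 vpn login user=alice src=10.1.4.22 result=success",
    "2021-10-18 09:05:43 vpn login user=bob src=10.1.4.30 result=success",
    "2021-10-18 23:41:07 vpn login user=alice src=203.0.113.9 result=success",
    "2021-10-18 09:06:00 db query user=bob table=customers rows=120",
    "2021-10-18 02:13:55 db query user=alice table=salaries rows=50000",
    "2021-10-18 09:07:12 vpn logout user=bob duration=1432s",
]


def parse_all(lines, threshold=SIM_THRESHOLD):
    """Return (miner, [(log_key, params), ...]) for a batch of raw lines."""
    miner = TemplateMiner(threshold)
    return miner, [miner.parse(line) for line in lines]


if __name__ == "__main__":
    miner, parsed = parse_all(SAMPLE_LOGS)
    for t in miner.templates:
        print(f"log key {t.key} ({t.count} lines): {t}")
    for line, (key, params) in zip(SAMPLE_LOGS, parsed):
        print(key, params)
```

Each template's integer id is the log key referred to later in the text; the parameter list returned alongside it is what a downstream model would consume. An online miner cannot know that the first line's user name is a parameter until a second line of the same type arrives, which is why the first result for a new message type may list fewer parameters than later ones.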
The data information related to the risk scenario to be dealt with that is collected by the data collection module 1 is related to user entity behavior; that is, user entity behavior can be reflected indirectly by that data information.

Preferably, user entity behavior may include: time, place, person, interaction, and the content of the interaction. For a user search, for example: at what time, on what platform, under which ID, whether a search was performed, and what was searched for.

Preferably, the user's operations may be monitored by loading monitoring code (also known as an instrumentation point or "buried point") into the sample data source, for instance to monitor whether the user clicks a registration button.

Preferably, the form of the data information collected by the data collection module 1 for the risk scenario to be dealt with is not limited; it may be, for example, a txt document or a list.

Preferably, the data information collected by the data collection module 1 for the risk scenario to be dealt with is stored on the various terminals used by the user.

Preferably, because the data information collected by the data collection module 1 for the risk scenario to be dealt with may be a large amount of unstructured sample data, and using it directly would make sample data processing inefficient and consume a great deal of computing power, in this embodiment that data information is preprocessed or pre-parsed so as to structure it, and the structured data is then used directly in the subsequent steps, which improves the efficiency of sample data processing and saves computing power.

Preferably, a series of parsing rules is defined in the log template, such as the log keywords to be parsed, the parsing step size for the sample data, and the format or structure of the sample data, so that the data information collected by the data collection module 1 for the risk scenario to be dealt with can be parsed to obtain key log sample data. The log template may also be referred to as a sample data parsing model.

Preferably, because the terminals used by the user differ in product form, or run different operating systems, a log template is configured for each product form or each operating system.

As mentioned above, user entity behavior typically includes five dimensions: time, place, person, interaction and content of the interaction, so the key log sample data may also include these five dimensions. As also described above, the terminals on which user entity behavior occurs have various product forms or run different operating systems, so the key log sample data also has dimensions in these respects.

Preferably, in order to reflect user entity behavior, the key log sample data may be classified in step S103 along a plurality of sample data classification dimensions to obtain several types of key log sample data, each type also being referred to, for example, as a Log Key.

In this embodiment, the anomaly detection model may be built by training a neural network model on the several types of key log sample data. The neural network model is not particularly limited and may be, for example, an LSTM. When performing anomaly detection, the anomaly detection model may be based on a density method or a distance method.

Optionally, the density-based method is defined as follows: a normal sample data point has a density similar to that of its neighbors, whereas an abnormal point has a density that differs from that of its neighbors. During anomaly detection, the density around a sample data point is compared with the density around its local neighboring sample data points, and the relative density of the point and its neighbors is taken as the anomaly score; if the anomaly score exceeds a set threshold, the sample data point is abnormal, and the user entity behavior it represents is abnormal.
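The relative-density score described above is, in effect, the local outlier factor. As an added example (illustrative code, not the patent's model), the following pure-Python implementation computes it for constructed login events of one user, each described by login hour and session length. Features are z-scored first so that one axis does not dominate the distance; k=3 and a threshold of 1.5 are assumed values:

```python
import math

# Constructed sample (not patent data): one login event per row as
# (login_hour, session_minutes). Eight routine daytime logins and one
# short session at 03:00.
LOGIN_EVENTS = [
    (9, 90), (9, 100), (10, 95), (10, 85), (8, 90), (9, 80), (10, 100), (8, 100),
    (3, 10),
]


def standardize(points):
    """Z-score each feature (population std) so hours and minutes are comparable."""
    n = len(points)
    cols = list(zip(*points))
    means = [sum(c) / n for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / n) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(p, means, stds)] for p in points]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def local_outlier_factors(points, k=3):
    """Local Outlier Factor: ratio of the neighbours' local reachability density
    to the point's own. About 1 inside a cluster, much larger for isolated points."""
    n = len(points)
    if n <= k:
        raise ValueError("need more points than k")
    dist = [[euclid(p, q) for q in points] for p in points]
    # k nearest neighbours of each point (ties broken by index order)
    nbrs = [sorted((j for j in range(n) if j != i), key=lambda j: dist[i][j])[:k]
            for i in range(n)]
    kdist = [dist[i][nbrs[i][-1]] for i in range(n)]

    def reach(i, o):
        # reachability distance of i from o: never smaller than o's k-distance
        return max(kdist[o], dist[i][o])

    lrd = [1.0 / max(sum(reach(i, o) for o in nbrs[i]) / k, 1e-12) for i in range(n)]
    return [(sum(lrd[o] for o in nbrs[i]) / k) / lrd[i] for i in range(n)]


def detect_anomalies(points, k=3, threshold=1.5):
    """Return [(index, lof_score)] for every point whose score exceeds the threshold."""
    scores = local_outlier_factors(standardize(points), k)
    return [(i, round(s, 2)) for i, s in enumerate(scores) if s > threshold]


if __name__ == "__main__":
    for i, s in enumerate(local_outlier_factors(standardize(LOGIN_EVENTS))):
        print(i, LOGIN_EVENTS[i], round(s, 2))
    print("anomalous:", detect_anomalies(LOGIN_EVENTS))
```

The eight daytime logins score close to 1 because their neighborhoods are as dense as their neighbors' own; the 03:00 session scores around 7 because it is far from everything. On real data the score is sensitive to k and to feature scaling, so both should be chosen against a labelled sample before the threshold is fixed.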
Optionally, because there are several types of key log sample data, an anomaly detection model may be built for each type, so that whether the data information collected by the data collection module 1 for the risk scenario to be dealt with is abnormal can be judged from multiple dimensions, and the abnormal condition of the user entity behavior detected accordingly.

For example, for the first risk scenario, the anomaly detection model derives relevant features such as the sensitive-data access period, time sequence, actions and frequency from the managed organization's database logs, call-back logs, user access logs and full access traffic, and generates a dynamic baseline for the sensitive data being accessed, a dynamic baseline for the accessing user and a dynamic baseline for group access through time-series correlation and a self-learning algorithm. Detection then proceeds as follows:

1) The anomaly detection model uses outlier analysis to mine individuals with abnormal behavior. Without any direct operation on the user's application system, the model automatically selects log data within a certain period and performs outlier analysis along several dimensions, such as personnel working hours, workplaces, behavioral characteristics (for example operation frequency and active time periods) and personal characteristics (age and affiliated organization), so as to mine the persons, that is, the users or accounts, with abnormal behavior.

2) The anomaly detection model constructs behavior baselines and exposes individual query behavior. According to the user's requirements, a behavior baseline is built per user or account; for example, the model can specify which accounts may access a business system at any time, what the access rights of an account are, and so on. When the model finds that a user's daily access volume changes abruptly, the behavior is judged to be individual query behavior.

3) The individual's abnormality is judged on the basis of the query behavior. For example, the anomaly detection model extracts information on the abnormal working hours of the account.

4) The anomaly detection model can trace suspicious associated personnel using a relationship graph and perform association analysis among the suspicious persons, accounts and users, so as to analyze the associated persons along multiple dimensions (such as organization, application and content).

5) Log information is restored and the operations of suspicious persons are listed. Using the screened list of suspicious persons, the anomaly detection model backtracks their query operations through log search, and so finally confirms the threat behavior.

As another example, for the second risk scenario, the anomaly detection model abstracts normal behavior and personnel through big data techniques to generate an individual behavior portrait and a group behavior portrait. On this basis it compares account activity for abnormal behavior, such as frequent logins and logouts, access to information systems or data assets that do not appear in the access history, and logins at abnormal times or from abnormal places, analyzes whether the account activity deviates from the personal behavior portrait and the group (for example department or project group) behavior portrait, and comprehensively judges a suspected account-takeover risk score, helping the security team find compromised accounts in time. The anomaly detection model gives the best security vantage point for detecting compromised accounts; it improves the signal-to-noise ratio of the data and can merge and reduce the number of alerts, so that the security team can prioritize ongoing threats and speed up response and investigation. At the same time, the model can monitor and analyze user behavior for established accounts and identify excessive privileges or abnormal access rights, and it applies to all types of users and accounts, including privileged users and service accounts. It can also help clean up dormant accounts, and users whose accounts and permissions are set higher than required. Through the behavior analysis of the anomaly detection model, identity and access management (IAM) and privileged account management (PAM) systems can assess the security of an access subject more comprehensively and support a zero trust network security architecture and its deployment scenarios.
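As an added example of the individual-portrait versus group-portrait comparison (illustrative code, not the patent's model), the following Python detector learns per-user and per-group portraits from a constructed history of logins and asset accesses, then scores new events: a deviation from the user's own portrait scores one point, a deviation from the group portrait as well scores extra, and a burst of logins beyond twice the user's historical daily maximum adds another point. The event fields, weights and the alert threshold of 3 are assumptions:

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: str                 # "YYYY-MM-DD HH:MM" (assumed format)
    user: str
    group: str              # department or project group
    action: str             # "login" | "logout" | "access"
    city: str
    asset: Optional[str] = None

    @property
    def day(self):
        return self.ts[:10]

    @property
    def hour(self):
        return int(self.ts[11:13])


class Portrait:
    """Behavior portrait of one user or one group: the hours, places and assets
    seen in history, plus how many logins per day are normal."""

    def __init__(self):
        self.hours, self.cities, self.assets = set(), set(), set()
        self.logins_per_day = Counter()

    def learn(self, ev):
        self.hours.add(ev.hour)
        self.cities.add(ev.city)
        if ev.asset:
            self.assets.add(ev.asset)
        if ev.action == "login":
            self.logins_per_day[ev.day] += 1

    def usual_hour(self, h):
        # within one hour of any historical hour, wrapping around midnight
        return any(min(abs(h - x), 24 - abs(h - x)) <= 1 for x in self.hours)

    def max_daily_logins(self):
        return max(self.logins_per_day.values(), default=0)


class AccountTakeoverDetector:
    def __init__(self):
        self.users = defaultdict(Portrait)
        self.groups = defaultdict(Portrait)
        self.logins_today = Counter()      # (user, day) -> logins seen while scoring

    def learn(self, history):
        for ev in history:
            self.users[ev.user].learn(ev)
            self.groups[ev.group].learn(ev)

    def score(self, ev):
        """Risk score and reasons; deviation from the group portrait scores extra."""
        user, group = self.users[ev.user], self.groups[ev.group]
        score, reasons = 0, []
        if not user.usual_hour(ev.hour):
            score += 1; reasons.append("unusual hour for user")
            if not group.usual_hour(ev.hour):
                score += 1; reasons.append("unusual hour for group")
        if ev.city not in user.cities:
            score += 1; reasons.append("new location for user")
            if ev.city not in group.cities:
                score += 1; reasons.append("new location for group")
        if ev.asset and ev.asset not in user.assets:
            score += 1; reasons.append("asset never accessed by user")
            if ev.asset not in group.assets:
                score += 2; reasons.append("asset never accessed by group")
        if ev.action == "login":
            self.logins_today[(ev.user, ev.day)] += 1
            if self.logins_today[(ev.user, ev.day)] > 2 * max(user.max_daily_logins(), 1):
                score += 1; reasons.append("login burst")
        return score, reasons


# Constructed history and new events (not from the patent).
HISTORY = [
    Event("2021-10-11 09:02", "alice", "finance", "login", "Beijing"),
    Event("2021-10-11 09:30", "alice", "finance", "access", "Beijing", "erp"),
    Event("2021-10-11 14:10", "alice", "finance", "access", "Beijing", "crm"),
    Event("2021-10-11 18:01", "alice", "finance", "logout", "Beijing"),
    Event("2021-10-12 09:05", "alice", "finance", "login", "Beijing"),
    Event("2021-10-12 10:15", "alice", "finance", "access", "Beijing", "erp"),
    Event("2021-10-11 08:40", "bob", "finance", "login", "Shanghai"),
    Event("2021-10-11 11:00", "bob", "finance", "access", "Shanghai", "hr-portal"),
    Event("2021-10-12 08:55", "bob", "finance", "login", "Shanghai"),
    Event("2021-10-12 16:20", "bob", "finance", "access", "Shanghai", "erp"),
    Event("2021-10-11 10:00", "carol", "engineering", "login", "Shenzhen"),
    Event("2021-10-11 10:30", "carol", "engineering", "access", "Shenzhen", "src-repo"),
]
NEW_EVENTS = [
    Event("2021-10-18 09:12", "alice", "finance", "login", "Beijing"),
    Event("2021-10-18 09:30", "alice", "finance", "access", "Beijing", "erp"),
    Event("2021-10-18 03:05", "alice", "finance", "login", "Frankfurt"),
    Event("2021-10-18 03:10", "alice", "finance", "access", "Frankfurt", "src-repo"),
    Event("2021-10-18 03:20", "alice", "finance", "login", "Frankfurt"),
]


def run_detection(history, events, threshold=3):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    det = AccountTakeoverDetector()
    det.learn(history)
    out = []
    for ev in events:
        s, why = det.score(ev)
        if s >= threshold:
            out.append((ev, s, why))
    return out


if __name__ == "__main__":
    for ev, s, why in run_detection(HISTORY, NEW_EVENTS):
        print(ev.ts, ev.user, ev.action, ev.asset or "", "score", s, why)
```

Scored events are deliberately not folded back into the portraits; otherwise the second login from an unfamiliar city would already look normal. In production the baseline is refreshed from confirmed-benign activity on a schedule rather than from the stream being judged.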
As another example, for the third risk scenario, the anomaly detection model may construct a time-series anomaly detection model, building a dynamic behavior baseline for a single server and a dynamic behavior baseline for a group of servers (for example by business type or security domain) from the historical time-series fluctuation patterns of the enterprise intranet hosts or servers and features such as requested domain names, account logins, traffic volume, frequency of access to security domains and the standard deviation of connected hosts. Using these baselines, specific suspected host-compromise scenarios such as botnets, ransomware and command and control (C&C or C2) are considered, and comprehensive anomaly scores are given for different entities from different models over different time periods, so that compromised hosts are detected; combined with asset information, the specific time period and host information are located, assisting the enterprise to find compromised hosts in time and trace the source.

As another example, for the fourth risk scenario, the anomaly detection model generates sensitive-data access features such as the access period, time sequence, actions and frequency from enterprise database logs, call-back logs, user access logs and full access traffic, and through time-series correlation and a self-learning algorithm generates several detection scenarios, such as a dynamic baseline for the sensitive database being accessed, a dynamic baseline for user access and a dynamic baseline for group access.

As another example, for the fifth risk scenario, the anomaly detection model uses baselines and a threat model, and also constructs behavior timelines of users and entities from the alerts generated by all security solutions, so as to aggregate risk. Weights are also typically evaluated in conjunction with organizational structure, asset criticality, personnel roles and access levels, so as to perform comprehensive risk grading and ranking and to clarify which users, entities, events or potential events should be handled first. Risk grading and ranking can greatly relieve the current shortage of security team manpower.

As another example, for the sixth risk scenario, an attacker may achieve malicious invocation of an API by varying many different request parameters. By analyzing the composition and usage of commonly used APIs, which generally consist of URL request parameters and a request body, the anomaly detection model extracts features such as the access frequency characteristics of the enterprise's business APIs, the access frequency characteristics of individual requesters, the standard deviation of parameter variation and the day/night distribution of request times, and constructs several detection scenarios such as a dynamic baseline of API request frequency, a dynamic baseline of the API request time sequence and a dynamic baseline of parameter variation. Against these dynamic baselines it detects abnormal behavior such as sudden changes and anomalies in API request volume, periodic anomalies, unknown users and suspicious lurking group users (one user using a large number of different IPs); combined with the specific business attributes of the API, this achieves detection of abnormal request behavior against the APIs of the web business system, locates the specific time period and the business and data information involved, and assists the enterprise to find abnormal calling behavior in time, safeguarding overall business and data security.

As another example, for the seventh risk scenario, the anomaly detection model can find suspicious personnel accounts at the earliest moment by comparing a user's historical behavior baseline with the behavior baseline of people in the same group, and through investigation and analysis can prevent VPN account misuse or account compromise in time.
According to a preferred embodiment, acquiring the data information related to the risk scenario to be dealt with from the data collection module 1 and parsing it to obtain key log sample data comprises:

establishing a plurality of log templates according to the data information related to the risk scenario to be dealt with; and parsing that data information according to the established log templates to obtain key log sample data.

According to a preferred embodiment, establishing a plurality of log templates according to the data information related to the risk scenario to be dealt with comprises the following steps:

determining the message type from the template words and the parameter words in the data information related to the risk scenario to be dealt with; and

establishing a plurality of log templates according to the determined message types.
An electronic device comprises a memory storing computer-executable instructions and a processor for executing the computer-executable instructions to perform the following step:

establishing an anomaly detection model from the several types of key log sample data and the machine learning training model.

The hardware structure of the electronic device may include a processor, a communication interface, a computer-readable medium and a communication bus; the processor, the communication interface and the computer-readable medium communicate with one another through the communication bus.

Preferably, the communication interface may be the interface of a communication module, such as the interface of a GSM module.

The processor may be configured specifically to run an executable program stored in the memory, so as to perform all or part of the processing steps of any of the method embodiments described above.

The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The methods, steps and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.

A computer storage medium stores computer-executable instructions that, when executed, build an anomaly detection model from the types of key log sample data and a machine learning training model.

The computer storage medium stores computer-executable instructions that, when executed, perform the following steps:

acquiring, from the data collection module 1, data information that is related to the risk scenario to be dealt with and to user entity behavior;

parsing that data information according to the established log templates to obtain key log sample data; and

establishing an anomaly detection model from the several types of key log sample data and a machine learning training model.
A user entity behavior analysis method for a continuous immune security system comprises:

a user enters, through an input module, the risk scenario that the user needs to deal with;

the data collection module 1 acquires the risk scenario entered through the input module and collects the user's data information according to that risk scenario; and

the anomaly detection module 2 performs analysis according to the risk scenario entered through the input module and the data information collected by the data collection module 1 that is related to that scenario, so as to build a portrait of the user and/or the information system using user entity behavior analysis, and judges, on the basis of the portrait formed, whether abnormal activities and/or abnormal processes exist in the user and/or the information system.

An electronic device comprises a memory storing computer-executable instructions and a processor for executing the computer-executable instructions to perform the following step:

establishing an anomaly detection model from the several types of key log sample data and the machine learning training model.
It should be noted that the above embodiments are exemplary, and that those skilled in the art, having the benefit of the present disclosure, may devise various arrangements that fall within the scope of the present disclosure and of the invention. It should be understood by those skilled in the art that the present specification and figures are illustrative only and do not limit the claims. The scope of the invention is defined by the claims and their equivalents.

The present specification encompasses multiple inventive concepts, and the applicant reserves the right to file divisional applications according to each inventive concept. Expressions such as "preferably", "according to a preferred embodiment" or "optionally" each indicate that the respective paragraph discloses a separate concept, and the applicant reserves the right to file divisional applications according to each such concept.

Claims (10)

1. An anomaly detection optimization method based on trusted computing,
characterized in that it at least comprises:
acquiring data information of a user related to a risk scene to be responded through a data acquisition module (1);
the data information of the acquired user related to the risk scene to be responded is input into an abnormality detection model group through an abnormality detection module (2), the abnormality detection model group comprises a plurality of abnormality detection models, and the abnormality detection models in the abnormality detection model group perform abnormality detection judgment on the data information of the acquired user related to the risk scene to be responded according to the abnormality detection judgment strategy and output detection results.
2. The anomaly detection optimization method according to claim 1, wherein the data acquisition module (1) acquires data information of a user related to a risk scenario to be dealt with by: the risk scene to be dealt with is input through an input module (3) to serve as the risk scene to be dealt with by the abnormity detection module (2), and only data information of a user related to the risk scene to be dealt with is acquired through the data acquisition module (1).
3. The anomaly detection optimization method according to claim 2, wherein the data acquisition module (1) is capable of acquiring a risk scenario input by the input module (3), and the input module (3) is capable of sending the risk scenario to the data acquisition module (1), wherein the risk scenario is capable of being defined by a user.
4. The method according to claim 3, wherein the performing, by the anomaly detection model in the anomaly detection model group, anomaly detection judgment on the data information of the acquired user, which is related to the risk scenario to be dealt with, according to the anomaly detection judgment policy and outputting a detection result comprises: and if the detection result shows that the data information related to the to-be-responded risk scene is abnormal, generating an alarm event.
5. The method of claim 4, wherein the plurality of anomaly detection models have a cascaded logical processing relationship; the abnormality detection judgment strategy is determined according to the cascaded logic processing relation; the abnormal detection module in the abnormal detection module group performs abnormal detection judgment on the data information of the acquired user related to the risk scene to be responded according to the abnormal detection judgment strategy and outputs a detection result, and the method comprises the following steps: if the output of the previous abnormality detection model indicates that the data information of the acquired user related to the risk scene to be responded is normal, the previous abnormality detection model forwards the data information of the acquired user related to the risk scene to be responded to the next abnormality detection model to perform abnormality detection judgment on the data information of the acquired user related to the risk scene to be responded and output a detection result.
6. The method of claim 5, wherein the plurality of anomaly detection models have parallel logical processing relationships; the abnormality detection judgment strategy is determined according to the cascaded logic processing relation; the abnormal detection module in the abnormal detection module group performs abnormal detection judgment on the acquired data information related to the risk scene to be responded according to the abnormal detection judgment strategy and outputs a detection result, and the method comprises the following steps: and the plurality of abnormality detection models perform abnormality detection judgment on the acquired data information related to the risk scene to be responded in parallel and output detection results.
7. An anomaly detection optimization apparatus based on trusted computing, characterized in that an anomaly detection module (2) comprises a white list generation unit (201) and a user entity behavior analysis unit (202), wherein,
the white list generating unit (201) is configured to be capable of generating a white list matched with the security requirement of the user based on the application scenes of different users and/or the security situation monitored by the anomaly detection module;
the user entity behavior analysis unit (202) is configured to at least monitor and analyze processes or programs running on a white list by a user so as to monitor whether the processes or programs running on the white list by the user have an abnormality.
8. The anomaly detection optimization device according to claim 7, characterized in that said anomaly detection module (2) further comprises a white list database unit (203), wherein,
the white list database unit (203) is configured to be capable of collecting at least white lists of a plurality of different users to form a white list database, so that the white list monitored as an abnormal state by the user entity behavior analysis unit (202) is analyzed and compared by the white list database to reduce the false alarm rate of the user entity behavior analysis unit (202).
9. An anomaly detection optimization system based on trusted computing, comprising at least:
the data acquisition module (1) is configured to be capable of acquiring data information of a user, which is related to a risk scene to be dealt with;
the anomaly detection module (2) is configured to be capable of inputting the data information of the acquired user, which is related to the risk scene to be responded, into an anomaly detection model group, and the anomaly detection model in the anomaly detection model group performs anomaly detection judgment on the data information of the acquired user, which is related to the risk scene to be responded, according to the anomaly detection judgment strategy and outputs a detection result.
10. An electronic device, comprising: a memory having computer-executable instructions stored thereon, and a processor for executing the computer-executable instructions to perform the steps of:
and establishing an anomaly detection model according to the data information related to the risk scenario to be addressed and a machine learning training model.
CN202111212808.2A 2021-10-18 2021-10-18 Anomaly detection optimization device, method and system based on trusted computing Active CN113923037B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111212808.2A CN113923037B (en) 2021-10-18 2021-10-18 Anomaly detection optimization device, method and system based on trusted computing

Publications (2)

Publication Number Publication Date
CN113923037A true CN113923037A (en) 2022-01-11
CN113923037B CN113923037B (en) 2024-03-26

Family

ID=79241413

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111212808.2A Active CN113923037B (en) 2021-10-18 2021-10-18 Anomaly detection optimization device, method and system based on trusted computing

Country Status (1)

Country Link
CN (1) CN113923037B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115146263A (en) * 2022-09-05 2022-10-04 北京微步在线科技有限公司 User account collapse detection method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110505196A (en) * 2019-07-02 2019-11-26 中国联合网络通信集团有限公司 Internet of Things network interface card method for detecting abnormality and device
WO2020038353A1 (en) * 2018-08-21 2020-02-27 瀚思安信(北京)软件技术有限公司 Abnormal behavior detection method and system
CN110855649A (en) * 2019-11-05 2020-02-28 西安交通大学 Method and device for detecting abnormal process in server
CN111865960A (en) * 2020-07-15 2020-10-30 北京市燃气集团有限责任公司 Network intrusion scene analysis processing method, system, terminal and storage medium
CN112364286A (en) * 2020-11-23 2021-02-12 北京八分量信息科技有限公司 Method and device for abnormality detection based on UEBA and related product

Also Published As

Publication number Publication date
CN113923037B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
Sun et al. Data-driven cybersecurity incident prediction: A survey
CN109347801B (en) Vulnerability exploitation risk assessment method based on multi-source word embedding and knowledge graph
US10764297B2 (en) Anonymized persona identifier
CN110958220B (en) Network space security threat detection method and system based on heterogeneous graph embedding
US11811805B1 (en) Detecting fraud by correlating user behavior biometrics with other data sources
US8707431B2 (en) Insider threat detection
CN113486351A (en) Civil aviation air traffic control network safety detection early warning platform
US20150206214A1 (en) Behavioral device identifications of user devices visiting websites
US10740164B1 (en) Application programming interface assessment
CN113642023A (en) Data security detection model training method, data security detection device and equipment
CN111915468B (en) Network anti-fraud active inspection and early warning system
CN113918938A (en) User entity behavior analysis method and system of continuous immune safety system
US11315010B2 (en) Neural networks for detecting fraud based on user behavior biometrics
US11968184B2 (en) Digital identity network alerts
Solomon et al. Contextual security awareness: A context-based approach for assessing the security awareness of users
Sarkar et al. Mining user interaction patterns in the darkweb to predict enterprise cyber incidents
Folino et al. An ensemble-based framework for user behaviour anomaly detection and classification for cybersecurity
CN113923037B (en) Anomaly detection optimization device, method and system based on trusted computing
Elshoush et al. Intrusion alert correlation framework: An innovative approach
Altalbe et al. Assuring enhanced privacy violation detection model for social networks
US11575702B2 (en) Systems, devices, and methods for observing and/or securing data access to a computer network
Ju et al. Detection of malicious code using the direct hashing and pruning and support vector machine
Ouiazzane et al. Toward a network intrusion detection system for geographic data
Rajwar et al. Comparative Evaluation of Machine Learning Methods for Network Intrusion Detection System
Sonawane et al. New Approach for Detecting Spammers on Twitter using Machine Learning Framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant