CN114143109B - Visual processing method, interaction method and device for attack data - Google Patents


Info

Publication number: CN114143109B
Authority: CN (China)
Prior art keywords: attack, node, nodes, layout, graph
Legal status: Active
Application number: CN202111490368.7A
Other languages: Chinese (zh)
Other versions: CN114143109A (en)
Inventors: 吕嘉洛, 谷雨, 王亮
Current Assignee: Antiy Technology Group Co Ltd
Original Assignee: Antiy Technology Group Co Ltd
Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention provides a visual processing method, an interaction method and a device for attack data. The visual processing method comprises: converting the attack data to be processed into graph data of an attack network; classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification; performing intra-subgraph layout on the nodes in each subgraph based on the attack relationships among the nodes in that subgraph; and performing inter-subgraph layout with each subgraph treated as a whole, to obtain the layout diagram of the attack network after visual processing. The layout diagram shows both the attack relationships among nodes under the same classification and the attack relationships between different classifications, so that an analyst can quickly obtain useful information from the displayed attack network, which improves analysis efficiency.

Description

Visual processing method, interaction method and device for attack data
Technical Field
The embodiment of the invention relates to the technical field of data processing, in particular to a visualized processing method, an interaction method and a device for attack data.
Background
In recent years, with the continuous development of network technology, network attack events are increasing. Network security personnel typically analyze the association between network attack events using a visualized attack network.
In the prior art, a force-directed algorithm is generally applied directly to visualize an attack network. However, the resulting visualization shows only the connection relationships among the nodes. An analyst who needs to analyze the attack relationships of the attack network must then manually adjust the layout a second time, which increases the workload and reduces analysis efficiency.
Disclosure of Invention
To address the problem that existing visual processing methods increase the analyst's workload and reduce analysis efficiency, a visual processing method, an interaction method and a device for attack data are provided, which can intuitively display the attack relationships expressed by the attack data and thereby improve the analyst's analysis efficiency.
In a first aspect, an embodiment of the present invention provides a visual processing method for attack data, including:
converting the attack data to be processed into graph data of an attack network;
classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
performing intra-subgraph layout on the nodes in each subgraph based on the attack relationships among the nodes in that subgraph;
and performing inter-subgraph layout with each subgraph treated as a whole, to obtain the layout diagram of the attack network after visual processing.
Preferably, the converting the attack data to be processed into graph data of the attack network includes:
extracting an attacker IP, an attacked IP and an attack type in each piece of attack data;
determining each extracted non-repeated IP as a node in the graph data, determining a connecting line in the graph data for each piece of attack data, determining the attack type in each piece of attack data as the type of the corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line;
the classifying nodes in the attack network according to the graph data comprises: nodes of the same type are classified into the same class.
Preferably, the determining the type of each node according to the type of its connecting lines includes:
when all connecting lines directly connected to the node have the same type, determining that type as the type of the node; otherwise, determining the type of the node to be the specified type.
Preferably, the inter-subgraph layout with each subgraph treated as a whole includes:
taking the subgraph corresponding to the specified type as the center, and arranging the subgraphs corresponding to the other types around the center.
Preferably, the intra-subgraph layout of the nodes in the subgraph includes:
determining the connected components in the subgraph according to the attack relationships among the nodes in the subgraph;
for each connected component, performing three-dimensional layout on the nodes in the connected component;
and performing front-chain packing layout with each connected component in the subgraph treated as a whole.
Preferably, the three-dimensional layout of the nodes in the connected component includes:
performing hierarchical configuration on each node in the connected component;
performing two-dimensional horizontal layout on the nodes of each level to obtain the two-dimensional coordinates of each node on that level;
and determining the vertical height of each level and using it as the vertical height of each node on that level, to obtain the three-dimensional coordinates of each node of the connected component in the subgraph layout.
Preferably, the hierarchical configuration of each node in the connected component includes:
determining the attack target nodes currently existing in the connected component that are only attacked parties, and configuring the level of the determined attack target nodes as the initial level;
deleting the nodes whose level has just been configured and the connecting lines directly connected to them, and determining whether an attack target node that is only an attacked party currently exists in the connected component; if so, configuring the level of the determined attack target nodes as the level following the last configured level, and repeating the deleting step;
if not, determining whether an intermediate node that is both an attacker and an attacked party currently exists in the connected component; if so, configuring the level of the intermediate nodes as the level following the last configured level, and configuring the level of the attack source nodes that are only attackers as the level following that of the intermediate nodes; otherwise, configuring the level of the attack source nodes that are only attackers as the level following the last configured level.
In a second aspect, an embodiment of the present invention provides an interaction method, including:
displaying the layout diagram of the attack network obtained based on any one of the methods;
when an interaction instruction to a target node in the attack network is received, determining characteristic information related to the target node in the attack network according to the interaction instruction;
and displaying the characteristic information.
Preferably, the interaction instruction is used for acquiring the target node's own information, and the characteristic information is the IP of the target node; or,
the interaction instruction is used for acquiring relationship information of the target node, and the characteristic information comprises: the connecting lines directly connected to the target node, the adjacent upstream nodes that attack the target node, and the adjacent downstream nodes that are attacked by the target node; or,
the interaction instruction is used for acquiring an attack link related to the target node, and the characteristic information comprises: an attack link that includes the target node, where one end of the attack link is a node that is only an attacker and the other end is a node that is only an attacked party.
In a third aspect, an embodiment of the present invention provides a device for visualizing attack data, including:
a graph data conversion unit, used for converting the attack data to be processed into graph data of the attack network;
a classifying unit, used for classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
a layout unit, used for performing intra-subgraph layout on the nodes in each subgraph based on the attack relationships among the nodes in that subgraph, and for performing inter-subgraph layout with each subgraph treated as a whole, to obtain the layout diagram of the attack network after visual processing.
In a fourth aspect, an embodiment of the present invention provides an interaction device, including:
a display unit, used for displaying the layout diagram of the attack network obtained by the visual processing device for attack data;
and an interaction processing unit, used for determining, when an interaction instruction for a target node in the attack network is received, the characteristic information related to the target node in the attack network according to the interaction instruction, and for displaying the characteristic information.
In a fifth aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor implements a method according to any embodiment of the present specification when executing the computer program.
In a sixth aspect, embodiments of the present invention further provide a computer readable storage medium having stored thereon a computer program, which when executed in a computer, causes the computer to perform a method according to any of the embodiments of the present specification.
In the visual processing method, interaction method and device for attack data provided by the embodiments of the invention, the attack data are converted into graph data of an attack network, and the nodes in the attack network are then classified using the graph data, so that the nodes under each classification correspond to one subgraph. Because attack relationships exist among the nodes in each subgraph, intra-subgraph layout can be performed on each subgraph based on those attack relationships, so as to show the attack relationships among the nodes in the subgraph. In addition, because attack relationships also exist between subgraphs, each subgraph is further treated as a whole for inter-subgraph layout, so as to show the attack relationships between subgraphs. The layout diagram of the attack network therefore shows both the attack relationships among nodes under the same classification and the attack relationships between different classifications, so that an analyst can quickly obtain useful information from the displayed attack network, which improves analysis efficiency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for visualizing attack data according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a matrix arrangement according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an inter-sub-graph layout according to an embodiment of the present invention;
FIG. 4 is a flow chart of an interaction method according to an embodiment of the present invention;
FIG. 5 is a block diagram of a visual processing apparatus for attack data according to an embodiment of the present invention;
FIG. 6 is a block diagram of an interactive device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
As mentioned above, in the prior art a force-directed algorithm is generally applied directly to visualize the attack network. However, the resulting visualization shows only the connection relationships between the nodes and cannot intuitively show the attack relationship information expressed by the attack data. An analyst who needs to analyze the attack relationships of the attack network must therefore manually adjust the layout a second time, which increases the workload and reduces analysis efficiency. The present method takes the analysis results of the attack network into account when visually processing its nodes, so that the resulting layout diagram shows the attack relationships intuitively and the analyst can quickly obtain useful information from it.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for processing attack data in a visualization manner, where the method includes:
Step 100, converting the attack data to be processed into graph data of the attack network;
Step 102, classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
Step 104, performing intra-subgraph layout on the nodes in each subgraph based on the attack relationships among the nodes in that subgraph;
Step 106, performing inter-subgraph layout with each subgraph treated as a whole, to obtain the layout diagram of the attack network after visual processing.
In the embodiment of the invention, the attack data are converted into graph data of the attack network, and the nodes in the attack network are then classified using the graph data, so that the nodes under each classification correspond to one subgraph. Because attack relationships exist among the nodes in each subgraph, intra-subgraph layout can be performed on each subgraph based on those attack relationships, so as to show the attack relationships among the nodes in the subgraph. In addition, because attack relationships also exist between subgraphs, each subgraph is further treated as a whole for inter-subgraph layout, so as to show the attack relationships between subgraphs. The layout diagram of the attack network therefore shows both the attack relationships among nodes under the same classification and the attack relationships between different classifications, so that an analyst can quickly obtain useful information from the displayed attack network, which improves analysis efficiency.
The manner in which the individual steps shown in fig. 1 are performed is described below.
First, for step 100, attack data to be processed is converted into graph data of an attack network.
The attack data are structured data. So that they can be visualized, the attack data are converted into graph data of an attack network.
In one embodiment of the present invention, the data conversion may be performed as follows: extracting the attacker IP, the attacked IP and the attack type from each piece of attack data; determining each distinct extracted IP as a node in the graph data, determining one connecting line in the graph data for each piece of attack data, determining the attack type in each piece of attack data as the type of the corresponding connecting line, and determining the type of each node in the graph data according to the types of its connecting lines.
In one embodiment of the invention, the attack type of the attack data can be defined according to analysis requirements. For example, the number of the attack group to which the attacker belongs is used as the attack type of the attack data, so that the attack characteristics of different attack groups can be analyzed separately when the attack network is analyzed later. As another example, the attack level associated with the attack data is used as the attack type, so that the attack characteristics of attack events at different attack levels can be analyzed when the attack network is analyzed later.
In this embodiment, the number of the attack group to which the attacker belongs is taken as an example of the attack type. Numbering may be carried out using A, B, C.
In an embodiment of the present invention, the graph data at least includes: all node information and all link information of the attack network. Wherein, each IP appearing in all attack data corresponds to a node, and each attack data corresponds to a connecting line.
Each node information may include the following:
IP: the unique identifier of the node is the IP which appears in the attack data;
type: the type of the node can be determined according to the type of the connecting line;
links: a set of links of a node, i.e. a set of links directly connected to the node.
The information for each connection may include the following:
source: a source node of the connection corresponds to an attacker IP of the attack data;
target: the target node of the connection corresponds to the IP of the attacked party of the attack data;
type: the type of the connection line corresponds to the attack type of the attack data.
In one embodiment of the present invention, the node type may be determined from the types of the connecting lines as follows: when all connecting lines directly connected to the node have the same type, that type is determined as the type of the node; otherwise, the type of the node is determined to be the specified type.
For example, if all the connecting lines in the link set of a node are of the group A type, then the node is also of the group A type. Otherwise, the type of the node is determined to be the specified type.
The specified type may be the same type for all such nodes or may differ between nodes. In terms of attack characteristics, an attacked party may be attacked by several attackers, and in most cases those attackers belong to the same attack group, so nodes whose directly connected connecting lines have different types are relatively rare. Such nodes can therefore all be assigned the same type and laid out together as a whole, which brings out the attack characteristics. That is, in the embodiment of the present invention, the specified type is one and the same type.
In addition, the specified type is different from every connecting-line type in the graph data. For example, the specified type is a center class. This distinguishes it from the attack group types and makes the association between the center class and the other types directly visible.
It should be noted that the node type may also be determined in other ways; for example, the connecting-line type that occurs most often in the link set of the node is determined as the node type.
Then, for step 102, the nodes in the attack network are classified according to the graph data, and a subgraph formed by the nodes under each classification is obtained.
The nodes in the attack network can be classified according to the association relationships between them. In one embodiment, the nodes in the attack network are classified according to node type, that is, nodes of the same type are placed in the same class. For example, the division yields the following classes: group A, group B, group C, group D, group E and center.
Because each category includes several nodes, the nodes under each category form a corresponding subgraph.
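The following added example, which is not code from the patent, carries steps 100 and 102 through on constructed records. The input field names (attacker_ip, attacked_ip, attack_type), the sample IPs and the returned cross_links list are assumptions made for illustration; the node and connecting-line fields (IP, type, links, source, target) follow the description above.

```python
from collections import defaultdict

CENTER = "center"  # the page's example of the "specified type"

# Constructed sample attack records; the input field names are assumptions.
ATTACK_DATA = [
    {"attacker_ip": "198.51.100.7", "attacked_ip": "192.0.2.10", "attack_type": "A"},
    {"attacker_ip": "198.51.100.7", "attacked_ip": "192.0.2.11", "attack_type": "A"},
    {"attacker_ip": "203.0.113.5", "attacked_ip": "192.0.2.20", "attack_type": "B"},
    {"attacker_ip": "203.0.113.5", "attacked_ip": "192.0.2.10", "attack_type": "B"},
    {"attacker_ip": "192.0.2.20", "attacked_ip": "192.0.2.21", "attack_type": "B"},
]


def to_graph_data(records):
    """Step 100: one node per distinct IP, one connecting line per record."""
    nodes, links = {}, []
    for rec in records:
        link = {"source": rec["attacker_ip"], "target": rec["attacked_ip"],
                "type": rec["attack_type"]}
        links.append(link)
        # A set avoids listing a self-directed line twice on the same node.
        for ip in {link["source"], link["target"]}:
            nodes.setdefault(ip, {"IP": ip, "type": None, "links": []})
            nodes[ip]["links"].append(link)
    for node in nodes.values():
        link_types = {link["type"] for link in node["links"]}
        # Same type on every directly connected line: inherit that type.
        # Mixed types: assign the specified (center) type.
        node["type"] = link_types.pop() if len(link_types) == 1 else CENTER
    return {"nodes": nodes, "links": links}


def classify(graph):
    """Step 102: group nodes by type into subgraphs.

    Lines whose endpoints share a type stay inside that subgraph; the rest
    are returned separately as cross-subgraph lines (a convenience added here).
    """
    subgraphs = defaultdict(lambda: {"nodes": [], "links": []})
    cross_links = []
    for ip, node in graph["nodes"].items():
        subgraphs[node["type"]]["nodes"].append(ip)
    for link in graph["links"]:
        src_type = graph["nodes"][link["source"]]["type"]
        dst_type = graph["nodes"][link["target"]]["type"]
        if src_type == dst_type:
            subgraphs[src_type]["links"].append(link)
        else:
            cross_links.append(link)
    return dict(subgraphs), cross_links


if __name__ == "__main__":
    graph = to_graph_data(ATTACK_DATA)
    subgraphs, cross_links = classify(graph)
    for name in sorted(subgraphs):
        print(name, sorted(subgraphs[name]["nodes"]))
    print("cross-subgraph lines:", len(cross_links))
```

In the sample, 192.0.2.10 is attacked over both a type A and a type B line, so it is the only node placed in the center class.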
Next, for step 104, intra-subgraph layout is performed on the nodes in each subgraph based on the attack relationships among the nodes in that subgraph.
For each sub-graph, the intra-graph layout mode can be the same mode or different modes. In this embodiment, the same layout mode is preferably used to layout each sub-graph, so that the overall layout of all nodes of the attack network is more hierarchical, and the layout is more coordinated and attractive. The layout in the subgraph will be described below by taking one subgraph as an example.
First, the nodes in the subgraph are analyzed and divided into three classes according to whether they act as attacker or attacked party: the first class is attack source nodes, which are only attackers; the second class is attack target nodes, which are only attacked parties; the third class is intermediate nodes, which are both attackers and attacked parties.
Then, intra-subgraph layout is performed on the subgraph according to the following steps S1-S3:
S1: Determine the connected components in the subgraph according to the attack relationships among the nodes in the subgraph.
Since the nodes in a subgraph are not necessarily all connected, a subgraph may include at least one connected component. Any two nodes in a connected component can reach each other through connecting lines.
S2: For each connected component, perform three-dimensional layout on the nodes in the connected component.
Specifically, in one embodiment of the present invention, the nodes within the connected component may be laid out in three dimensions by the following steps S21-S23:
S21: Perform hierarchical configuration on each node in the connected component.
In one embodiment of the present invention, the following hierarchical configuration may be performed in step S21:
S211: Determine the attack target nodes currently existing in the subgraph that are only attacked parties, and configure the level of the determined attack target nodes as the initial level. For example, the initial level is 0.
S212: Delete the nodes whose level has just been configured and the connecting lines directly connected to them.
S213: Determine whether an attack target node that is only an attacked party currently exists in the subgraph; if so, configure the level of the determined attack target nodes as the level following the last configured level, and repeat steps S212-S213; if not, perform step S214.
S214: Determine whether an intermediate node that is both an attacker and an attacked party currently exists in the subgraph; if so, configure the level of the intermediate nodes as the level following the last configured level, and configure the level of the attack source nodes that are only attackers as the level following that of the intermediate nodes; otherwise, configure the level of the attack source nodes that are only attackers as the level following the last configured level.
After S214 is completed, the levels of all nodes in the subgraph have been configured, and nodes with the same level are placed on the same layer.
Each time a level is configured for a node, the last configured level plus 1 may be used as the level currently being configured. The levels of the nodes within the subgraph are therefore 0, 1, 2, 3, and so on.
In the steps above, attack target nodes, attack source nodes and intermediate nodes are identified from the node information and connecting-line information.
S22: Perform two-dimensional horizontal layout on the nodes of each level to obtain the two-dimensional coordinates of each node on that level.
Since nodes with the same level are located on the same layer, the nodes on one layer can be laid out horizontally in two dimensions. In one embodiment of the present invention, the nodes of each layer may be laid out using a matrix layout.
Specifically, the numbers of rows and columns of the matrix are calculated from the number of nodes on the layer, and the nodes are then arranged regularly at a set node spacing. FIG. 2 is a schematic diagram of a matrix arrangement, in which each rectangular point is a node. In addition, the matrix layout may be centered on the origin (0, 0). In this way, the two-dimensional coordinates of each node within the layer are obtained.
In one embodiment of the invention, before the matrix layout is performed, all nodes of the layer may be sorted by IP value, and the matrix layout is then performed in the sorted order, so that nodes in the same IP segment are placed at adjacent positions. This makes it possible to analyze the attack situation in different IP segments when performing attack analysis on the layout diagram of the attack network.
S23: Determine the vertical height of each level and use it as the vertical height of each node on that level, to obtain the three-dimensional coordinates of each node of the connected component in the subgraph layout.
In one embodiment of the present invention, the product of a node's level number and a set height may be used as the height of that level.
S3: Perform front-chain packing layout with each connected component in the subgraph treated as a whole.
Specifically, in step S3, the layout radius of each level in a connected component may be calculated, and the largest of these is taken as the layout radius of the connected component. Each connected component is then treated as a whole whose radius is the layout radius of that connected component; the packing circle radius corresponding to the connected components after they are laid out in the subgraph is calculated according to the front-chain packing layout algorithm, and this packing circle radius is determined as the layout radius of the subgraph.
The above completes the intra-subgraph layout of the nodes in each subgraph.
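The following added example, which is not code from the patent, implements steps S21-S23 for one connected component: level assignment by repeatedly peeling off nodes that are only attacked (S211-S214), a matrix layout per level sorted by IP and centered on the origin, and a vertical height equal to level times a set height. The sample component is constructed, and the near-square rule for rows and columns (columns = ceil(sqrt(n))) and the spacing and height values are assumptions, since the description does not fix them.

```python
import ipaddress
import math

# Constructed connected component: (attacker IP, attacked IP) pairs.
COMPONENT_LINKS = [
    ("192.0.2.1", "192.0.2.2"),
    ("192.0.2.2", "192.0.2.3"),
    ("192.0.2.2", "192.0.2.4"),
    ("192.0.2.5", "192.0.2.2"),
    ("192.0.2.5", "192.0.2.6"),
    ("192.0.2.6", "192.0.2.5"),  # mutual attack: both stay intermediate nodes
]


def assign_levels(nodes, links):
    """S211-S214: return {ip: level}, with level 0 as the initial level."""
    remaining = set(nodes)
    live = [(s, t) for s, t in links if s in remaining and t in remaining]
    levels, level = {}, 0
    while True:
        attackers = {s for s, _ in live}
        attacked = {t for _, t in live}
        targets = attacked - attackers        # currently only attacked
        if not targets:
            break
        for ip in targets:
            levels[ip] = level
        # S212: delete the configured nodes and their connecting lines.
        remaining -= targets
        live = [(s, t) for s, t in live if s not in targets and t not in targets]
        level += 1
    # S214: whatever is still attacked is also an attacker (intermediate);
    # the rest of the remaining nodes are attack sources only.
    intermediates = remaining & {t for _, t in live}
    sources = remaining - intermediates
    if intermediates:
        for ip in intermediates:
            levels[ip] = level
        level += 1
    for ip in sources:
        levels[ip] = level
    return levels


def matrix_layout(ips, spacing=1.0):
    """S22: sort by IP value, fill a grid row by row, center it on (0, 0)."""
    def ip_key(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, int(addr))

    ordered = sorted(ips, key=ip_key)
    cols = math.ceil(math.sqrt(len(ordered)))   # assumed near-square grid
    rows = math.ceil(len(ordered) / cols)
    coords = {}
    for i, ip in enumerate(ordered):
        row, col = divmod(i, cols)
        coords[ip] = ((col - (cols - 1) / 2) * spacing,
                      (row - (rows - 1) / 2) * spacing)
    return coords


def layout_component(links, spacing=1.0, level_height=2.0):
    """S21-S23: return {ip: (x, y, z)} for one connected component."""
    nodes = {ip for link in links for ip in link}
    levels = assign_levels(nodes, links)
    coords = {}
    for level in sorted(set(levels.values())):
        layer = [ip for ip, lv in levels.items() if lv == level]
        for ip, (x, y) in matrix_layout(layer, spacing).items():
            coords[ip] = (x, y, level * level_height)   # S23
    return coords


if __name__ == "__main__":
    for ip, xyz in sorted(layout_component(COMPONENT_LINKS).items()):
        print(ip, xyz)
```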
Finally, for step 106: each sub-graph is treated as a whole and an inter-sub-graph layout is performed to obtain the layout diagram of the attack network after visualization processing.
In step 106, the inter-sub-graph layout can be performed on the sub-graphs with reference to the layout of the connected components within a sub-graph in step 104.
In one embodiment of the present invention, before the inter-sub-graph layout is performed, the relationship between sub-graphs may be analyzed as follows: for each sub-graph, the nodes within the sub-graph are divided into an outer connection class and an inner connection class. For the current sub-graph, if a node in it has a connection relationship with nodes in other sub-graphs, that node belongs to the outer connection class; otherwise, it belongs to the inner connection class. It is understood that each node within the center class belongs to the outer connection class.
The result of the analysis is: if a group other than the center class contains nodes of the outer connection class, those outer-connection-class nodes are connected with nodes in the center class. Therefore, in the embodiment of the invention, when the inter-sub-graph layout is performed, the sub-graph corresponding to the specified type can be taken as the center, and the sub-graphs corresponding to the other types are arranged around the center. This makes the connection relationships clearer, reduces crossings between connecting lines, and improves the neatness of the display interface. Please refer to fig. 3, which is a schematic diagram of an inter-sub-graph layout.
When the sub-graphs corresponding to the other types are arranged around the center, each sub-graph can be allocated an angle whose share corresponds to its radius, so that the sub-graphs are arranged around the center.
Further, since the node positions in the connected components of a sub-graph are determined by three-dimensional coordinates, after the layout positions of the sub-graphs are determined the original three-dimensional coordinates of the nodes also need to be adjusted, while the relative positional relationship among the nodes remains unchanged.
Further, layout adjustment needs to be performed on all connected components under all sub-graphs together. The adjustment may comprise: dividing the connected components into external connected components and internal connected components according to whether a connected component contains an outer-connection node, where all connected-component nodes under the special center-class sub-graph are external connected components; then converting the connection relationships of the outer-connection nodes in all external connected components into connection relationships between the external connected components, with repeated connections not counted; and finally performing a force-directed layout adjustment with all connected components as nodes.
The force-directed layout adjustment process may include: (1) restricting the nodes in the connected components under each sub-graph to the node layout range of that sub-graph; (2) calculating the mutual repulsive force among all connected components under the same sub-graph; and (3) calculating the tensile force between connected components that are connected to each other.
Further, after the positions of all connected-component nodes are adjusted, the positions of the nodes of each layer under each connected component are adjusted, that is, the centroid of each layer of nodes is moved to the center of the connected-component node.
At this point, the final three-dimensional coordinates of all nodes in the attack network are determined, and laying out the nodes according to these three-dimensional coordinates yields the three-dimensional layout diagram of the attack network after visualization processing.
In one embodiment of the invention, the display interface of the three-dimensional layout can be further rendered, and different types of nodes and connecting lines can be distinguished according to different colors during rendering.
Referring to fig. 4, an embodiment of the invention further provides an interaction method, which includes:
Step 400: displaying a layout diagram of the attack network obtained by the method for visualizing attack data according to any of the above embodiments.
Step 402: when an interaction instruction for a target node in the attack network is received, determining characteristic information related to the target node in the attack network according to the interaction instruction.
Step 404: displaying the characteristic information.
In the embodiment of the invention, the layout diagram of the attack network obtained in the above embodiments shows both the attack relations among nodes of the same category and the attack relations between different categories, so that an analyst can quickly obtain effective information from the displayed attack network. During interaction, once the characteristic information has been determined according to the interaction instruction, the analyst can quickly obtain an analysis result through the feature display.
Step 402 and step 404 are described below.
During interaction, different interaction instructions can be generated according to different interaction modes, and the interaction modes include at least the following:
First, when it is detected that the mouse moves onto the target node, the generated interaction instruction may be used to acquire the target node's own information. The characteristic information related to the target node is then the IP of the target node, and the response to the interaction instruction is to display the IP of the target node on the target node, thereby realizing feature display.
Second, when a left mouse click on a target node is detected, the generated interaction instruction may be used to acquire relationship information of the target node. The characteristic information related to the target node may then include: a connecting line directly connected to the target node, an adjacent upstream node attacking the target node, and an adjacent downstream node attacked by the target node. The response to the interaction instruction is then to perform feature display on the connecting line directly connected with the target node in the layout diagram, the adjacent upstream node attacking the target node and the adjacent downstream node attacked by the target node. The feature display may be highlighting and/or distinguishing with outer-ring halos of different colors.
When determining the adjacent upstream node and the adjacent downstream node, the attacking and attacked relationships between the nodes can be used.
Third, when a left mouse click on a target node is detected, the generated interaction instruction may be used to acquire an attack link related to the target node. The characteristic information related to the target node may then include: an attack link containing the target node, where one end of the attack link is a node that acts only as an attacker and the other end is a node that acts only as an attacked party. The response to the interaction instruction is then to perform feature display on all nodes and connecting lines of the attack link containing the target node. Similarly, the feature display may be highlighting.
In one embodiment of the present invention, an attack link including a target node may be determined in the following manner:
First, a link set, an upstream set and a downstream set are created for the target node. The sets contain no duplicate elements.
Then, through the upper attribute and the lower attribute of the target node, all upstream nodes of the target node are found and added to the upstream set, all downstream nodes of the target node are found and added to the downstream set, and the target node, all its upstream nodes and all its downstream nodes are added to the link set. Here, the upper attribute is the set of all upstream nodes of a node, and the lower attribute is the set of all downstream nodes of a node.
Next, all upstream nodes of each node in the upstream set are searched recursively and added to the link set until the attack source nodes are reached. Likewise, all downstream nodes of each node in the downstream set are searched recursively and added to the link set until the attack target nodes are reached.
Finally, according to all nodes in the link set and the link attributes of those nodes, the connecting lines among the nodes in the link set are found and added to the link set. At this point, all nodes and connecting lines contained in the link set constitute the attack link of the target node.
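The relationship lookup and the attack-link determination described above can be sketched as follows. This is an added example, not code from the patent: the function names, the tuple layout of a connecting line and the sample records are assumptions, and an iterative worklist is used in place of recursion so that cycles in the attack graph terminate.

```python
from collections import defaultdict, deque

# Constructed sample attack records: (attacker IP, attacked IP, attack type).
RECORDS = [
    ("198.51.100.7", "192.0.2.10", "brute-force"),
    ("192.0.2.10", "192.0.2.20", "scan"),
    ("192.0.2.20", "192.0.2.30", "exploit"),
    ("192.0.2.20", "192.0.2.10", "exploit"),        # cycle back to an upstream node
    ("198.51.100.7", "192.0.2.30", "brute-force"),  # source also hits a downstream node
    ("192.0.2.50", "192.0.2.30", "exploit"),        # attacks a downstream node only
    ("203.0.113.5", "192.0.2.40", "ddos"),          # unrelated part of the network
]


def build_attributes(records):
    """Return the upper, lower and link attributes of every node."""
    upper = defaultdict(set)   # node -> nodes that attack it
    lower = defaultdict(set)   # node -> nodes it attacks
    links = defaultdict(set)   # node -> connecting lines that touch it
    for attacker, attacked, attack_type in records:
        line = (attacker, attacked, attack_type)
        lower[attacker].add(attacked)
        upper[attacked].add(attacker)
        links[attacker].add(line)
        links[attacked].add(line)
    return upper, lower, links


def neighbourhood(target, upper, lower, links):
    """Relationship information: direct lines, adjacent upstream, adjacent downstream."""
    return (set(links.get(target, ())),
            set(upper.get(target, ())),
            set(lower.get(target, ())))


def _expand(start, attribute):
    """Follow one attribute transitively; the seen-set keeps cycles from looping."""
    seen = set(start)
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in attribute.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_link(target, upper, lower, links):
    """Return (nodes, lines, source ends, target ends) of the attack link."""
    upstream = _expand(upper.get(target, ()), upper)      # upstream set, expanded
    downstream = _expand(lower.get(target, ()), lower)    # downstream set, expanded
    nodes = {target} | upstream | downstream              # link set (nodes)
    # Keep only connecting lines whose two ends are both in the link set.
    lines = {line for n in nodes for line in links.get(n, ())
             if line[0] in nodes and line[1] in nodes}
    sources = {n for n in nodes if not upper.get(n)}      # act only as attacker
    targets = {n for n in nodes if not lower.get(n)}      # act only as attacked
    return nodes, lines, sources, targets


if __name__ == "__main__":
    up, low, ln = build_attributes(RECORDS)
    for part in attack_link("192.0.2.20", up, low, ln):
        print(sorted(part))
```

Note that 192.0.2.50 is left out of the link: it attacks a downstream node but is neither upstream nor downstream of the target itself.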
Referring to fig. 5, an embodiment of the present invention further provides a device for visualizing attack data, including:
a graph data conversion unit 501 for converting attack data to be processed into graph data of an attack network;
the classifying unit 502 is configured to classify nodes in the attack network according to the graph data, so as to obtain a subgraph formed by the nodes under each classification;
a layout unit 503, configured to perform intra-subgraph layout on the nodes in each subgraph based on the attack relationship between the nodes in each subgraph, and to perform inter-sub-graph layout with each sub-graph treated as a whole, to obtain a layout diagram of the attack network after the visualization processing.
In one embodiment of the present invention, the graph data conversion unit 501 is specifically configured to extract an attacker IP, an attacked IP and an attack type in each piece of attack data; determining each extracted non-repeated IP as a node in the graph data, determining a connecting line in the graph data for each piece of attack data, determining the attack type in each piece of attack data as the type of the corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line;
the classification unit 502 is specifically configured to divide the nodes of the same type into the same class.
In one embodiment of the present invention, when determining the type of each node according to the types of its connecting lines, the graph data conversion unit 501 is specifically configured to: when the types of all connecting lines directly connected to the node are the same, determine that type as the type of the node; otherwise, determine the type of the node to be the specified type.
In one embodiment of the present invention, when performing inter-sub-graph layout with each sub-graph treated as a whole, the layout unit 503 is specifically configured to take the sub-graph corresponding to the specified type as the center and arrange the sub-graphs corresponding to the other types around the center.
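The node-typing rule and the outer/inner connection analysis described earlier can be checked together on a small data set. This is an added example, not code from the patent: the function names, the label "mixed" for the specified type and the sample records are assumptions.

```python
from collections import defaultdict

# Assumption: label used for the "specified type"; it must differ from every link type.
SPECIFIED_TYPE = "mixed"

# Constructed sample attack records: (attacker IP, attacked IP, attack type).
RECORDS = [
    ("198.51.100.7", "192.0.2.10", "brute-force"),
    ("198.51.100.7", "192.0.2.11", "brute-force"),
    ("192.0.2.10", "192.0.2.20", "exploit"),
    ("203.0.113.5", "192.0.2.20", "exploit"),
    ("203.0.113.5", "192.0.2.21", "exploit"),
    ("203.0.113.9", "192.0.2.30", "ddos"),
]


def to_graph(records):
    """One connecting line per attack record; collect the line types seen at each node."""
    links = [(attacker, attacked, kind) for attacker, attacked, kind in records]
    link_types = defaultdict(set)
    for attacker, attacked, kind in links:
        link_types[attacker].add(kind)
        link_types[attacked].add(kind)
    return links, link_types


def node_types(link_types, specified=SPECIFIED_TYPE):
    """A node takes the common type of its lines, or the specified type if they differ."""
    if specified in set().union(*link_types.values()):
        raise ValueError("specified type collides with an attack type in the data")
    return {node: (next(iter(kinds)) if len(kinds) == 1 else specified)
            for node, kinds in link_types.items()}


def classify(types):
    """Group nodes of the same type into one sub-graph."""
    subgraphs = defaultdict(set)
    for node, kind in types.items():
        subgraphs[kind].add(node)
    return dict(subgraphs)


def connection_classes(links, types):
    """Outer class: nodes with a line into another sub-graph. Inner class: the rest."""
    outer = set()
    for attacker, attacked, _ in links:
        if types[attacker] != types[attacked]:
            outer.update((attacker, attacked))
    return outer, set(types) - outer


def cross_links_touch_center(links, types, specified=SPECIFIED_TYPE):
    """Check that every line between two sub-graphs has one end in the center class.

    A node of a single type T has only lines of type T, so a neighbour in a
    different sub-graph also carries a T line and cannot be purely of another type.
    """
    return all(specified in (types[a], types[b])
               for a, b, _ in links if types[a] != types[b])


if __name__ == "__main__":
    links, link_types = to_graph(RECORDS)
    types = node_types(link_types)
    print(classify(types))
    print(connection_classes(links, types))
    print(cross_links_touch_center(links, types))
```

The last check is the property that justifies placing the specified-type sub-graph in the center: no connecting line has to run between two surrounding sub-graphs.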
In one embodiment of the present invention, when performing intra-subgraph layout on the nodes in the subgraph, the layout unit 503 is specifically configured to determine the connected components in the subgraph according to the attack relationship between the nodes in the subgraph; for each connected component, perform three-dimensional layout on the nodes in the connected component; and perform front chain packing layout on all connected components in the subgraph, each as a whole.
In one embodiment of the present invention, when performing three-dimensional layout on the nodes in the connected component, the layout unit 503 is specifically configured to perform hierarchical configuration on each node in the connected component; perform two-dimensional horizontal layout on the nodes of each level to obtain the two-dimensional coordinates of each node on each level; and determine the vertical height of each level and take it as the vertical height of each node on the corresponding level, to obtain the three-dimensional coordinates of the layout of each node of the connected component in the subgraph.
In one embodiment of the present invention, when performing hierarchical configuration on each node in the connected component, the layout unit 503 is specifically configured to: determine the attack target nodes that currently exist in the connected component and act only as an attacked party, and configure the level of the determined attack target nodes as the initial level; delete the nodes whose level has just been configured together with the connecting lines directly connected to them, and determine whether an attack target node acting only as an attacked party currently exists in the connected component; if so, configure the level of the determined attack target nodes as the level next to the most recently configured level, and repeat the deleting step; if not, determine whether an intermediate node acting as both attacker and attacked party currently exists in the connected component; if an intermediate node exists, configure the level of the intermediate nodes as the level next to the most recently configured level, and configure the level of the attack source nodes acting only as attackers as the level next to that of the intermediate nodes; otherwise, configure the level of the attack source nodes acting only as attackers as the level next to the most recently configured level.
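The hierarchical configuration above amounts to repeatedly peeling off the nodes that are currently attacked but attack nothing. The following sketch is an added example, not code from the patent: the function names, the initial level of 1 and the sample component are assumptions. The vertical height uses the product of level number and set height mentioned earlier in the description.

```python
from collections import defaultdict

# Constructed sample: one connected component as (attacker IP, attacked IP) pairs.
COMPONENT = [
    ("198.51.100.7", "192.0.2.10"),
    ("192.0.2.10", "192.0.2.11"),
    ("192.0.2.11", "192.0.2.10"),   # two hosts attacking each other (a cycle)
    ("192.0.2.11", "192.0.2.20"),
    ("192.0.2.20", "192.0.2.30"),
    ("198.51.100.8", "192.0.2.30"),
]


def assign_levels(edges, initial_level=1):
    """Assign a level to every node of one connected component.

    initial_level=1 is an assumption; the description only calls it the initial level.
    """
    upper = defaultdict(set)   # node -> nodes currently attacking it
    lower = defaultdict(set)   # node -> nodes it currently attacks
    remaining = set()
    for attacker, attacked in edges:
        lower[attacker].add(attacked)
        upper[attacked].add(attacker)
        remaining.update((attacker, attacked))

    levels, level = {}, initial_level
    while True:
        # Attack target nodes: attacked by someone, attacking nobody that is left.
        targets = {n for n in remaining if upper[n] and not lower[n]}
        if not targets:
            break
        for node in targets:
            levels[node] = level
            # Delete the node's connecting lines; its attackers may become targets.
            for attacker in upper[node]:
                lower[attacker].discard(node)
        remaining -= targets
        level += 1

    # Whatever still has lines in both directions is an intermediate node
    # (for example hosts on a cycle); they all share the next level.
    intermediates = {n for n in remaining if upper[n] and lower[n]}
    if intermediates:
        levels.update(dict.fromkeys(intermediates, level))
        level += 1
    # The rest were never attacked: attack source nodes take the last level.
    for node in remaining - intermediates:
        levels[node] = level
    return levels


def level_heights(levels, set_height):
    """Vertical height of each node: level number multiplied by the set height."""
    return {node: lvl * set_height for node, lvl in levels.items()}


if __name__ == "__main__":
    lv = assign_levels(COMPONENT)
    for node, z in sorted(level_heights(lv, 50).items(), key=lambda kv: kv[1]):
        print(node, lv[node], z)
```

On an acyclic component the loop alone levels every attacked node and only the sources are left for the final step; the intermediate level is what absorbs cycles, which the peeling step can never break.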
Referring to fig. 6, an embodiment of the present invention further provides an interaction device, including:
a display unit 601, configured to display a layout diagram of an attack network obtained by the visualization processing device based on the attack data;
and the interaction processing unit 602 is configured to determine, when an interaction instruction for a target node in the attack network is received, feature information related to the target node in the attack network according to the interaction instruction, and perform feature display on the feature information.
In one embodiment of the present invention, the interaction instruction is used to obtain self information of the target node, and the feature information is an IP of the target node.
In one embodiment of the present invention, the interaction instruction is configured to obtain relationship information of the target node, and the feature information includes: a connecting line directly connected with the target node, an adjacent upstream node attacking the target node, and an adjacent downstream node attacked by the target node.
In one embodiment of the present invention, the interaction instruction is configured to obtain an attack link related to the target node, and the feature information includes: an attack link comprising the target node; one end of the attack link is a node which is only used as an attacker, and the other end is a node which is only used as an attacked.
The information interaction and execution processes between the modules of the device are based on the same concept as the method embodiments of the present invention; for details, refer to the description of the method embodiments, which is not repeated here.
The embodiment of the invention also provides a computing device, which can comprise a memory and a processor, wherein the memory stores a computer program, and the processor realizes the visualized processing and interaction method of attack data in any embodiment of the invention when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program causes the processor to execute the method for visualizing and interacting attack data in any embodiment of the invention.
Specifically, a system or apparatus may be provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided on an expansion board inserted into a computer or into a memory provided in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or the expansion module may then be caused to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above embodiments.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of additional identical elements in a process, method, article or apparatus that comprises the element.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A method for visualizing attack data, characterized by comprising:
converting the attack data to be processed into graph data of an attack network;
classifying nodes in the attack network according to the graph data to obtain subgraphs formed by the nodes under each classification;
based on the attack relation among the nodes in each sub-graph, carrying out intra-sub-graph layout on the nodes in each sub-graph;
respectively carrying out sub-graph layout on each sub-graph as a whole to obtain a layout graph of the attack network after visualization processing;
performing intra-subgraph layout on nodes in the subgraph, including: determining connected components in the subgraph according to the attack relation among the nodes in the subgraph; any two nodes in a connected component can reach each other through connecting lines; for each connected component, carrying out three-dimensional layout on the nodes in the connected component; carrying out front chain packing layout on all connected components in the subgraph, each as a whole;
the three-dimensional layout of the nodes in the connected component comprises: performing hierarchical configuration on each node in the connected component; carrying out two-dimensional horizontal layout on the nodes of each level to obtain two-dimensional coordinates of each node on each level; and determining the vertical height of each level, and determining it as the vertical height of each node on the corresponding level, to obtain the three-dimensional coordinates of the layout of each node of the connected component in the subgraph.
2. The method of claim 1, characterized in that
the converting the attack data to be processed into the graph data of the attack network comprises the following steps:
extracting an attacker IP, an attacked IP and an attack type in each piece of attack data;
determining each extracted non-repeated IP as a node in the graph data, determining a connecting line in the graph data for each piece of attack data, determining the attack type in each piece of attack data as the type of the corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line;
the classifying nodes in the attack network according to the graph data comprises: nodes of the same type are classified into the same class.
3. The method of claim 2, wherein determining the type of each node based on the type of connection of each node comprises:
when the types of all connecting lines directly connected with the node are the same, determining that type as the type of the node; otherwise, determining the type of the node as a specified type; the specified type is different from the types of the connecting lines in the graph data.
4. A method according to claim 3, wherein said sub-graph layout of each sub-graph as a whole comprises:
and taking the subgraphs corresponding to the specified types as the center, and arranging the subgraphs corresponding to other types around the center.
5. The method of claim 1, wherein hierarchically configuring each node in the connected component comprises:
determining the attack target nodes that currently exist in the connected component and act only as an attacked party, and configuring the level of the determined attack target nodes as an initial level;
deleting the nodes whose level has just been configured together with the connecting lines directly connected to them, and determining whether an attack target node acting only as an attacked party currently exists in the connected component; if so, configuring the level of the determined attack target nodes as the level next to the most recently configured level, and repeating the deleting step;
if not, determining whether an intermediate node acting as both attacker and attacked party currently exists in the connected component; if an intermediate node exists, configuring the level of the intermediate nodes as the level next to the most recently configured level, and configuring the level of the attack source nodes acting only as attackers as the level next to that of the intermediate nodes; otherwise, configuring the level of the attack source nodes acting only as attackers as the level next to the most recently configured level.
6. An interaction method, comprising:
displaying a layout diagram of an attack network obtained based on the method of any one of the claims 1-5;
when an interaction instruction to a target node in the attack network is received, determining characteristic information related to the target node in the attack network according to the interaction instruction;
and performing feature display of the characteristic information.
7. The method of claim 6, characterized in that
the interaction instruction is used for acquiring the target node's own information, and the characteristic information is the IP of the target node; or
the interaction instruction is used for acquiring relationship information of the target node, and the characteristic information comprises: a connecting line directly connected to the target node, an adjacent upstream node that attacks the target node, and an adjacent downstream node that is attacked by the target node; or
the interaction instruction is used for acquiring an attack link related to the target node, and the characteristic information comprises: an attack link containing the target node; one end of the attack link is a node that acts only as an attacker, and the other end is a node that acts only as an attacked party.
8. A visual processing apparatus for attack data, comprising:
the graph data conversion unit is used for converting the attack data to be processed into graph data of the attack network;
the classifying unit is used for classifying the nodes in the attack network according to the graph data to obtain a subgraph formed by the nodes under each classification;
the layout unit is used for carrying out intra-subgraph layout on the nodes in each subgraph based on the attack relation among the nodes in each subgraph; each sub-graph is respectively used as a whole to carry out sub-graph layout, so that a layout graph of the attack network after visualization processing is obtained;
the layout unit is specifically used for, when performing intra-subgraph layout on the nodes in the subgraph, determining connected components in the subgraph according to the attack relationship among the nodes in the subgraph; any two nodes in a connected component can reach each other through connecting lines; for each connected component, carrying out three-dimensional layout on the nodes in the connected component; carrying out front chain packing layout on all connected components in the subgraph, each as a whole;
the layout unit is specifically used for, when carrying out three-dimensional layout on the nodes in the connected component, performing hierarchical configuration on each node in the connected component; carrying out two-dimensional horizontal layout on the nodes of each level to obtain two-dimensional coordinates of each node on each level; and determining the vertical height of each level, and determining it as the vertical height of each node on the corresponding level, to obtain the three-dimensional coordinates of the layout of each node of the connected component in the subgraph.
9. The apparatus according to claim 8, wherein the graph data conversion unit is specifically configured to extract an attacker IP, an attacked IP, and an attack type in each piece of attack data; determining each extracted non-repeated IP as a node in the graph data, determining a connecting line in the graph data for each piece of attack data, determining the attack type in each piece of attack data as the type of the corresponding connecting line, and determining the type of each node in the graph data according to the type of the connecting line;
the classification unit is specifically configured to divide nodes of the same type into the same class.
10. The apparatus according to claim 9, wherein, when determining the type of each node according to the types of its connecting lines, the graph data conversion unit is specifically configured to: when the types of all connecting lines directly connected to the node are the same, determine that type as the type of the node; otherwise, determine the type of the node as a specified type; the specified type is different from the types of the connecting lines in the graph data.
11. The apparatus according to claim 10, wherein, when performing inter-sub-graph layout with each sub-graph treated as a whole, the layout unit is specifically configured to take the sub-graph corresponding to the specified type as the center and arrange the sub-graphs corresponding to the other types around the center.
12. The apparatus according to claim 8, wherein, when performing hierarchical configuration on each node in the connected component, the layout unit is specifically configured to: determine the attack target nodes that currently exist in the connected component and act only as an attacked party, and configure the level of the determined attack target nodes as an initial level; delete the nodes whose level has just been configured together with the connecting lines directly connected to them, and determine whether an attack target node acting only as an attacked party currently exists in the connected component; if so, configure the level of the determined attack target nodes as the level next to the most recently configured level, and repeat the deleting step; if not, determine whether an intermediate node acting as both attacker and attacked party currently exists in the connected component; if an intermediate node exists, configure the level of the intermediate nodes as the level next to the most recently configured level, and configure the level of the attack source nodes acting only as attackers as the level next to that of the intermediate nodes; otherwise, configure the level of the attack source nodes acting only as attackers as the level next to the most recently configured level.
13. An interactive apparatus, comprising:
a display unit, configured to display a layout diagram of an attack network obtained by the visual processing device based on the attack data in any one of claims 8 to 12;
and the interaction processing unit is used for determining characteristic information related to the target node in the attack network according to the interaction instruction when receiving the interaction instruction to the target node in the attack network, and displaying the characteristic information.
14. The apparatus of claim 13, characterized in that
the interaction instruction is used for acquiring the target node's own information, and the characteristic information is the IP of the target node; or
the interaction instruction is used for acquiring relationship information of the target node, and the characteristic information comprises: a connecting line directly connected to the target node, an adjacent upstream node that attacks the target node, and an adjacent downstream node that is attacked by the target node; or
the interaction instruction is used for acquiring an attack link related to the target node, and the characteristic information comprises: an attack link containing the target node; one end of the attack link is a node that acts only as an attacker, and the other end is a node that acts only as an attacked party.
15. A computing device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-7 when the computer program is executed.
16. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-7.
CN202111490368.7A 2021-12-08 2021-12-08 Visual processing method, interaction method and device for attack data Active CN114143109B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111490368.7A CN114143109B (en) 2021-12-08 2021-12-08 Visual processing method, interaction method and device for attack data

Publications (2)

Publication Number Publication Date
CN114143109A CN114143109A (en) 2022-03-04
CN114143109B true CN114143109B (en) 2023-11-10

Family

ID=80384862

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111490368.7A Active CN114143109B (en) 2021-12-08 2021-12-08 Visual processing method, interaction method and device for attack data

Country Status (1)

Country Link
CN (1) CN114143109B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037561B (en) * 2022-08-10 2022-11-22 杭州悦数科技有限公司 Network security detection method and system

Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368976A (en) * 2013-07-31 2013-10-23 电子科技大学 Network security evaluation device based on attack graph adjacent matrix
US8881288B1 (en) * 2008-10-28 2014-11-04 Intelligent Automation, Inc. Graphical models for cyber security analysis in enterprise networks
CN106936637A (en) * 2017-03-15 2017-07-07 中国电子科技网络信息安全有限公司 The panorama heuristic method for visualizing and device of a kind of cyberspace situation
CN108540322A (en) * 2018-04-09 2018-09-14 南京理工大学 A kind of optimization method of attack graph effect of visualization
CN110213077A (en) * 2019-04-18 2019-09-06 国家电网有限公司 A kind of method, apparatus and system of determining electric power monitoring system security incident
CN110336785A (en) * 2019-05-22 2019-10-15 北京瀚海思创科技有限公司 The method for visualizing and storage medium of network attack chain figure
EP3644579A1 (en) * 2018-10-26 2020-04-29 Accenture Global Solutions Limited Criticality analysis of attack graphs
CN111818089A (en) * 2020-07-31 2020-10-23 北京微步在线科技有限公司 Network attack event display method and storage medium
CN111880708A (en) * 2020-07-31 2020-11-03 北京微步在线科技有限公司 Interaction method and storage medium for network attack event graph
CN111935143A (en) * 2020-08-10 2020-11-13 武汉思普崚技术有限公司 Method and system for visualizing attack defense strategy
CN112039841A (en) * 2020-07-23 2020-12-04 北京天融信网络安全技术有限公司 Security event merging processing method and device, electronic equipment and storage medium
CN112114579A (en) * 2020-09-28 2020-12-22 哈尔滨工业大学(威海) Industrial control system safety measurement method based on attack graph
CN112738115A (en) * 2020-12-31 2021-04-30 北京天融信网络安全技术有限公司 Advanced persistent attack detection method, apparatus, computer device and medium
CN112839039A (en) * 2021-01-05 2021-05-25 四川大学 Interactive automatic restoration method for network threat event attack scene
CN112887285A (en) * 2021-01-15 2021-06-01 中国科学院地理科学与资源研究所 Cross-space layer mapping network behavior intelligent portrait analysis method
CN112910865A (en) * 2021-01-20 2021-06-04 西安电子科技大学 Inference attack stage maximum likelihood estimation method and system based on factor graph
CN112990285A (en) * 2021-03-04 2021-06-18 中山大学 Simplified attack method oriented to large-scale graph structure
CN113055375A (en) * 2021-03-10 2021-06-29 华能国际电力股份有限公司 Power station industrial control system physical network oriented attack process visualization method
CN113055386A (en) * 2021-03-12 2021-06-29 哈尔滨安天科技集团股份有限公司 Method and device for identifying and analyzing attack organization
CN113271321A (en) * 2021-07-20 2021-08-17 成都信息工程大学 Propagation prediction processing method and system based on network abnormal attack
CN113452548A (en) * 2021-05-08 2021-09-28 浙江工业大学 Index evaluation method and system for network node classification and link prediction

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9276951B2 (en) * 2013-08-23 2016-03-01 The Boeing Company System and method for discovering optimal network attack paths
US11159555B2 (en) * 2018-12-03 2021-10-26 Accenture Global Solutions Limited Generating attack graphs in agile security platforms

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"An Empirical Evaluation of the Effectiveness of Attack Graphs and Fault Trees in Cyber-Attack Perception"; H. S. Lallie, K. Debattista and J. Bal; IEEE Transactions on Information Forensics and Security; full text *
"Attack intention detection method based on possible graphs"; 李艳; 黄光球; Computer Engineering & Science (04); full text *

Also Published As

Publication number Publication date
CN114143109A (en) 2022-03-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant