CN114662096A - Threat hunting method based on graph kernel clustering - Google Patents


Info

Publication number
CN114662096A
Authority
CN
China
Prior art keywords
threat
graph
behavior
nodes
dependency graph
Prior art date
Legal status
Pending
Application number
CN202210305603.7A
Other languages
Chinese (zh)
Inventor
李家威
程杰
张茹
刘建毅
高雅婷
王婵
夏昂
崔博
孔汉章
Current Assignee
State Grid Information and Telecommunication Co Ltd
Beijing University of Posts and Telecommunications
Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Information and Telecommunication Co Ltd
Beijing University of Posts and Telecommunications
Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd
Application filed by State Grid Information and Telecommunication Co Ltd, Beijing University of Posts and Telecommunications, and Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/10 File systems; File servers > G06F16/17 Details of further file system functions > G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/30 Information retrieval of unstructured textual data > G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/23 Clustering techniques

Abstract

The invention discloses a threat hunting method based on graph kernel clustering: an audit log is constructed into behavior dependency graphs, a graph kernel clustering method is designed to separate normal behaviors from abnormal behaviors, and the behavior dependency graphs are then subjected to quantitative threat evaluation so that unknown attacks can be discovered. The method comprises the following components: a behavior dependency graph constructor, responsible for constructing the audit logs into behavior dependency graphs; graph kernel clustering, responsible for embedding the behavior dependency graphs into a high-dimensional space, calculating their similarity, and using a clustering method to separate normal behaviors from abnormal behaviors; and threat assessment, responsible for judging which behavior dependency graphs in the clusters represent abnormal behaviors and carrying out threat assessment on those abnormal behaviors to realize threat hunting. By combining behavior dependency graphs with graph kernel clustering, the invention provides a new design idea for threat hunting.

Description

Threat hunting method based on graph kernel clustering
Technical Field
The invention belongs to the field of log analysis, and particularly relates to threat hunting based on an audit log.
Background
Advanced persistent threats (APTs) are characterized by persistence and stealth. Such threats can bypass threat detection software (TDS) and remain latent, so an enterprise information system may contain attacks that have already occurred but have not yet been detected. To better prevent and respond to such attacks, endpoint detection and response (EDR) tools are widely used in enterprise security. However, these tools rely on matching low-level indicators of compromise (IOCs), such as hashes of malware samples or suspicious IP addresses and domain names. This leads to alert fatigue and may not reveal the complete attack scenario. To overcome this challenge, recent studies hunt for cyber threats by performing causal analysis on audit logs: the causality and context information in audit logs implicitly contain the high-level behavior and goals of the attacker, which cannot be hidden.
Threat hunting is the process of actively searching for potential attacks and has become a key component of defending against APT attacks. Existing work extracts attack behavior from threat intelligence and designs matching algorithms to search audit logs for these known attacks. Graph-matching approaches build audit logs into provenance graphs, which carry rich contextual information, and model threat hunting as a graph matching problem. Query-based approaches design a threat behavior query language (TBQL) to query audit logs stored in a database. However, these approaches rely heavily on threat intelligence, which brings limitations. On the one hand, when threat intelligence deviates from the facts, attack activity may be missed. On the other hand, descriptions of the same APT attack event may come from different reports whose information differs or even contradicts itself. Many APT attacks have never been exposed by threat intelligence, and the techniques and strategies of APT attacks are continually updated, so knowledge-dependent methods struggle with new and unknown attacks; existing methods are therefore unable to detect them.
Furthermore, some hunting solutions, such as matching against a rule knowledge base or applying tagging strategies, require manual involvement by a domain expert. The completeness and accuracy of expert knowledge affect the analysis results, and the need for domain experts to specify and constantly update these rules is an anticipated bottleneck. In response, some work constructs an event frequency database instead of a rule knowledge base, on the assumption that audit events related to attacks are infrequent. However, to avoid detection, an attacker can masquerade as normal behavior or use a normal process, such as svchost.
In recent years graph kernels have been widely applied in many fields, including cheminformatics, social networks and network security, whose data are mostly graph structures or can be converted into graph representations. A graph kernel is a kernel function that computes an inner product between graphs, which can be intuitively understood as a function measuring the similarity between two graphs. Graph kernels allow kernel learning algorithms (such as support vector machines) to work directly on graphs without first performing feature extraction to convert them into real-valued feature vectors of fixed length. Classification and clustering with graph kernel methods have shown excellent results in graph data analysis.
Disclosure of Invention
The invention provides a threat hunting method based on graph-kernel clustering, which is characterized in that an audit log is constructed into a behavior dependency graph, a graph-kernel clustering method is designed to realize the separation of normal behaviors from abnormal behaviors, and the behavior dependency graph can be subjected to threat quantitative evaluation to discover unknown attacks.
The invention provides a threat hunting method based on graph kernel clustering, which comprises the following steps:
1) extracting the attribute information of entities and the relationship information between entities from the audit logs according to the entity types, constructing a dependency graph from this information, assigning labels to nodes and edges, partitioning long-running processes, and generating behavior dependency graphs, where a behavior dependency graph is a labelled directed graph whose nodes represent system-level entities and whose directed edges represent operation relationships between the entities;
2) designing a graph kernel clustering algorithm over the behavior dependency graphs, where the graph kernel consists of two parts: the first part calculates the kernel values between nodes by iterating over each node's neighbor nodes, and the second part constructs a mapping set between the nodes and calculates the kernel values between graphs from the kernel values between nodes, obtaining a graph kernel matrix that can be regarded as a similarity matrix;
3) analyzing the graph kernel matrix with an unsupervised clustering algorithm and clustering similar behaviors into one class, so as to separate normal behaviors from abnormal behaviors;
4) judging abnormal behaviors according to the occurrence frequency of the behaviors, quantifying the threat of each abnormal behavior dependency graph from three aspects (suspicious IP, user authority and sensitive information), ranking the threat scores of the abnormal behavior dependency graphs, judging an abnormal behavior to be a threat behavior when its threat score exceeds a threshold, and raising an alarm to realize threat hunting.
Further, the behavior dependency graph constructor and the graph kernel clustering algorithm comprise:
a) the dependency graph constructor accurately extracts entity information and the relationships between entities from the audit log, where the entity types comprise processes, files, IPs and users, the entity information comprises entity names and the relationships between entities (such as process names, process IDs, file paths, file names, and read/write operations of processes on files), and node labels are assigned to the nodes according to the entity information;
b) long-running processes are partitioned using the density of events on the time axis over the process lifecycle, where the density is calculated as follows:
[formula image BDA0003564846510000031]
where Time_start is the time at which the first dependency occurs, Time_end is the time at which the last dependency ends, and T_i represents the time interval between two consecutive dependencies; all dependencies are traversed and consecutive dependency items whose density is higher than the average density are regarded as belonging to the same partition, thereby segmenting the dependency graph and generating behavior dependency graphs;
c) the graph kernel in the graph kernel clustering algorithm embeds a graph into a high-dimensional space and calculates similarity, and the graph kernel represents well the rich label information and context information of the behavior dependency graph;
d) a new label is assigned to each node based on its neighbor nodes:
[formula image BDA0003564846510000032]
where u denotes a neighbor node of node v_i, [symbol image BDA0003564846510000033] is the set of neighbor nodes of v_i, l_e(v_i, u) denotes the label of the directed edge, l(v_i) denotes the numeric label of the node, and M(v_i) is the new label set of node v_i; the first-order kernel value between nodes can then be calculated by the following formula:
[formula image BDA0003564846510000041]
where v_1 and v_2 are nodes in the two graphs respectively;
e) for the different types of directed edges, an edge kernel value calculation method is introduced to improve accuracy, and the kernel values between nodes are calculated iteratively from the similarity of the node label sets according to the following formula:
[formula image BDA0003564846510000042]
where [symbol image BDA0003564846510000043] represents the kernel value of an edge, α and β are non-negative constants, and [symbol image BDA0003564846510000044] represents the kernel value of order k between nodes;
f) the kernel value between graphs is calculated from the kernel values between nodes according to the following formula:
[formula image BDA0003564846510000045]
where B(V_1, V_2) represents the mapping between nodes and k_G(G_1, G_2) is the kernel value between the graphs; finally a positive definite kernel value matrix K_{N×N} is obtained, where K_{i,j} is the kernel value between G_i and G_j, and this kernel value matrix can be regarded as a similarity matrix;
g) the unsupervised clustering algorithm analyzes the graph kernel matrix, does not require the number of classes to be declared in advance, is robust to outliers, and can therefore separate abnormal behaviors from normal behaviors more accurately.
Furthermore, four entity types are considered in step 1), namely processes, files, IPs and users, and the relationships between entities of different types are defined (such as a process reading or writing a file), which filters out unimportant information, reduces the scale of the generated graphs and improves analysis efficiency;
further, in step 1), the attribute information of an entity is mapped to a label and assigned to the node using rules; for example, report.doc and data.xls under the path D:\download\ are both mapped to the label "office file". The mapping process filters out information that would interfere with similarity calculation, and an appropriate granularity is selected to represent the attribute information of the node.
Further, the graph kernel algorithm in step 2) constructs a mapping set when calculating the kernel values between graphs, building a mapping relation between similar nodes of the two graphs, which improves both the computational efficiency and the accuracy of the graph kernel;
further, in step 4), in order to quantify the threat of a behavior dependency graph, three databases are constructed: an abnormal IP library, a user authority library and a sensitive information library;
the method of the invention can better discover both the network threats hidden in an enterprise and unknown threats, and has the following advantages over the prior art:
1. the invention provides a density-based partitioning method, which to a certain extent alleviates the dependency explosion problem caused by long-running processes;
2. the invention provides a threat hunting method that separates threat behaviors from normal behaviors by comparing the differences between behaviors, which greatly reduces the dependence on expert knowledge and, compared with threat hunting methods based on threat intelligence, can discover unknown attacks that have not been disclosed;
3. the invention uses a graph kernel to calculate the similarity between graphs; based on the message passing idea, it designs a graph kernel function for the behavior dependency graph that targets its rich node attributes and context information, can calculate the similarity between different behavior dependency graphs, and generates the similarity matrix.
Drawings
FIG. 1 is a diagram of the framework of the method of the present invention. The method mainly comprises a behavior dependency graph constructor, a graph kernel clustering module and a threat assessment module.
FIG. 2 is an entity type and relationship table for determining attribute information and relationship information for an entity from an audit log.
FIG. 3 is a density-based partitioning method with dependencies represented as points on a time axis.
FIG. 4 is a two-dimensional visualization of the mutual reachability, with isolated points representing threat behavior dependency graphs.
FIG. 5 shows recall, accuracy and F1-score for the different methods under different thresholds.
Fig. 6 is an evaluation case of the method.
Detailed Description
In order to make the aforementioned and other features and advantages of the present invention more comprehensible, embodiments accompanying figures are described in further detail below.
The threat hunting method designed by the invention is based on graph kernel clustering and is suitable for discovering threat behaviors from audit logs. The method constructs the audit logs into behavior dependency graphs and calculates the similarity between the graphs to finally realize threat hunting; the specific implementation flow is shown in FIG. 1 and mainly comprises the following steps:
step 101, extracting entities and attribute information thereof from the audit log, wherein the entity information comprises entity types, entity names, relationships among the entities and the like.
Step 102, constructing a dependency graph from the extracted entity information, where the nodes of the dependency graph represent the entities and are assigned appropriate node labels according to the attribute information of the entities, and the directed edges of the dependency graph represent the relationships between the entities.
Step 103, partitioning long-running processes based on the occurrence density of events over the process lifecycle, thereby segmenting the dependency graph and generating the behavior dependency graphs.
Step 201, mapping a label set of a character string type into a digital label set, wherein each character string element corresponds to a unique value, and replacing character string labels in the behavior dependency graph with digital labels based on the mapping.
Step 202, assigning a new label to each node based on its neighbor nodes, and computing the kernel values between nodes iteratively from the similarity of the node label sets.
Step 203, calculating the kernel values between graphs from the kernel values between nodes to obtain a positive definite kernel value matrix K_{N×N}, where K_{i,j} is the kernel value between G_i and G_j; the kernel value matrix can be regarded as a similarity matrix and is analyzed with an unsupervised clustering method to separate normal behaviors from attack behaviors.
Step 301, counting the number of the behavior dependency graphs in each class cluster, and when the number is smaller than a threshold value, determining the behavior dependency graphs in the class clusters as abnormal behaviors.
Step 302, quantifying the threat of the behavior dependency graphs found to represent abnormal behaviors: each abnormal behavior dependency graph is traversed and quantified from three aspects, suspicious IP, user authority and sensitive information:
[formula image BDA0003564846510000061]
where [symbol image BDA0003564846510000062] represents the threat value of IPs and URLs, calculated from public malicious IP libraries and domain name access rankings, [symbol image BDA0003564846510000063] represents the quantification of the user's rights (the higher the user's rights, the higher the threat value), and [symbol image BDA0003564846510000071] represents the quantification of sensitive information, typically marked by manual labeling or by sensitive information recognition tools. Note that α, β and γ represent weights and can be adjusted as necessary.
Step 303, ranking the threat scores of the abnormal behavior dependency graphs, judging an abnormal behavior to be a threat behavior when its threat score exceeds a threshold, and sending an alarm to realize threat hunting.
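Added worked example (my own code, not the patent's; the patent's kernel formulas survive only as images, so the label-set kernel, the message-passing recursion with its edge kernel, and the greedy node-mapping rule below are assumptions of that general shape). It implements steps 201 to 203 and 301 in pure Python over three constructed behavior dependency graphs and ends with the graphs in undersized clusters flagged as abnormal.

```python
from collections import Counter, defaultdict
from itertools import product


class BehaviorGraph:
    """Labelled directed graph: nodes map id -> entity label, edges are (src, dst, op)."""
    def __init__(self, name, nodes, edges):
        self.name = name
        self.label = dict(nodes)
        self.nodes = list(self.label)
        self.adj = defaultdict(list)  # v -> [(neighbour, (direction, op))], both directions
        for src, dst, op in edges:
            self.adj[src].append((dst, ("out", op)))
            self.adj[dst].append((src, ("in", op)))

def encode_labels(graphs):
    """Step 201: map every distinct string label to an integer shared by all graphs."""
    codes = {s: i for i, s in enumerate(sorted({l for g in graphs for l in g.label.values()}))}
    for g in graphs:
        g.code = {v: codes[l] for v, l in g.label.items()}  # numeric node labels

def neighbor_set(g, v):
    """Step d): M(v), the multiset of (edge label, neighbour numeric label) pairs of v."""
    return Counter((e, g.code[u]) for u, e in g.adj[v])

def jaccard(a, b):
    """Multiset Jaccard similarity; two empty multisets count as identical (assumption)."""
    if not a and not b:
        return 1.0
    return sum((a & b).values()) / sum((a | b).values())

def node_kernel(g1, g2, alpha=0.5, beta=0.5, order=1):
    """Steps d)-e), assumed form: first-order kernel = Jaccard of the label sets of two same-type
    nodes, then `order` rounds of k = alpha*k + beta*mean(k_e*k over neighbour pairs), where the
    edge kernel k_e is 1 when the directed edge labels match and 0 otherwise."""
    k = {}
    for v1, v2 in product(g1.nodes, g2.nodes):
        same = g1.code[v1] == g2.code[v2]
        k[v1, v2] = jaccard(neighbor_set(g1, v1), neighbor_set(g2, v2)) if same else 0.0
    for _ in range(order):
        nk = {}
        for v1, v2 in product(g1.nodes, g2.nodes):
            n1, n2 = g1.adj[v1], g2.adj[v2]
            msg = 0.0
            if n1 and n2 and g1.code[v1] == g2.code[v2]:
                msg = sum(k[u1, u2] for (u1, e1), (u2, e2) in product(n1, n2) if e1 == e2)
                msg /= len(n1) * len(n2)
            nk[v1, v2] = alpha * k[v1, v2] + beta * msg
        k = nk
    return k

def graph_kernel(g1, g2, **kw):
    """Step f), assumed mapping rule B(V1,V2): pair each node with its most similar node in the
    other graph, in both directions, and average the matched node kernel values."""
    k = node_kernel(g1, g2, **kw)
    fwd = sum(max(k[v1, v2] for v2 in g2.nodes) for v1 in g1.nodes) / len(g1.nodes)
    bwd = sum(max(k[v1, v2] for v1 in g1.nodes) for v2 in g2.nodes) / len(g2.nodes)
    return (fwd + bwd) / 2

def similarity_matrix(graphs, **kw):
    """K[i][j] / sqrt(K[i][i]*K[j][j]); the greedy mapping does not guarantee positive
    definiteness, so treat this as a similarity matrix rather than a strict kernel matrix."""
    encode_labels(graphs)
    raw = [[graph_kernel(a, b, **kw) for b in graphs] for a in graphs]
    n = len(graphs)
    return [[raw[i][j] / (raw[i][i] * raw[j][j]) ** 0.5 for j in range(n)] for i in range(n)]

def flag_abnormal(graphs, sim, tau=0.6, min_cluster=2):
    """Steps g) and 301: link graphs with similarity >= tau, take connected components as the
    clusters (no class count declared) and report members of clusters smaller than min_cluster."""
    n = len(graphs)
    parent = list(range(n))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i in range(n):
        for j in range(i + 1, n):
            if sim[i][j] >= tau:
                parent[find(i)] = find(j)
    size = Counter(find(i) for i in range(n))
    return [g.name for i, g in enumerate(graphs) if size[find(i)] < min_cluster]

# Constructed sample: two ordinary document-editing behaviours and one in which the same office
# process also opens a connection to an external IP (entity labels assigned by hand).
SAMPLE = [
    BehaviorGraph("office-edit-1", {"p": "proc:office", "f1": "file:doc", "f2": "file:doc"},
                  [("p", "f1", "read"), ("p", "f2", "write")]),
    BehaviorGraph("office-edit-2", {"p": "proc:office", "f1": "file:doc", "f2": "file:doc", "f3": "file:doc"},
                  [("p", "f1", "read"), ("p", "f2", "read"), ("p", "f3", "write")]),
    BehaviorGraph("office-net-1", {"p": "proc:office", "f": "file:doc", "ip": "ip:ext"},
                  [("p", "f", "read"), ("p", "ip", "connect")]),
]

def run_demo():
    """Return (similarity matrix of SAMPLE, names flagged as abnormal)."""
    sim = similarity_matrix(SAMPLE)
    return sim, flag_abnormal(SAMPLE, sim)
```

Calling `run_demo()` gives the two editing behaviours a similarity of about 0.82 to each other but only about 0.35 to the network-connecting one, which therefore ends up alone in its cluster and is the only graph flagged.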
The feasibility, accuracy and false alarm rate of the method were evaluated experimentally on a simulated data set containing malicious attacks, on the DARPA CADETS data set, and on a data set from a real network environment. The experimental results show that the method can find threat attacks present in the audit logs, has a low false alarm rate, and can discover unknown attacks that have not been disclosed.
The above description is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (4)

1. A threat hunting method based on graph kernel clustering, characterized by comprising the following steps:
A. constructing a behavior dependency graph: extracting the relationship between the entities from the audit log to construct a behavior dependency graph, and partitioning the process running for a long time based on density, wherein the behavior dependency graph is a directed graph with labels, the nodes represent system layer entities, and directed edges represent operation relationships between the entities;
B. similarity calculation and clustering: a graph kernel method is designed for the characteristics of the behavior dependency graph; the behavior dependency graphs are embedded into a high-dimensional space, the similarity between graphs is calculated in that space to obtain a graph kernel matrix, which can be regarded as a similarity matrix, and the graph kernel matrix is then analyzed with a clustering method to separate normal behaviors from abnormal behaviors;
C. threat assessment: judging which clusters contain abnormal behaviors according to the number of the graphs in the clusters, carrying out threat assessment quantification on the abnormal behavior graphs, calculating the threat value of the abnormal behavior graphs, and finally realizing the threat hunting.
2. The threat hunting method based on graph kernel clustering as claimed in claim 1, wherein step A further comprises the steps of:
a1, extracting entities and attribute information thereof from an audit log, wherein the types of the entities comprise processes, files, IP and users, the attribute information comprises entity names and relations between the entities, such as process names and process IDs, file name paths and file names, and read-write operations of the processes on the files;
a2, constructing a dependency graph based on the entity information extracted in the step A1, wherein the nodes of the dependency graph represent the entities, the nodes are distributed with node labels according to the attribute information of the entities, and the directed edges of the dependency graph represent the relationships among the entities;
A3, partitioning long-running processes using the density of events on the time axis over the process lifecycle, where the density is calculated as follows:
[formula image FDA0003564846500000011]
where Time_start is the time at which the first dependency occurs, Time_end is the time of occurrence of the last dependency, and T_i represents the time interval between two consecutive dependencies; all dependencies are traversed and consecutive dependency items whose density is higher than the average density are regarded as belonging to the same partition, thereby segmenting the dependency graph and generating the behavior dependency graph.
3. The threat hunting method based on graph kernel clustering as claimed in claim 1, wherein step B further comprises the steps of:
b1, mapping the label set of the character string type into a digital label set, wherein each character string element corresponds to a unique value, and replacing the character string labels in the behavior dependency graph with digital labels based on the mapping;
B2, assigning a new label to each node based on its neighbor nodes:
[formula image FDA0003564846500000021]
where u denotes a neighbor node of node v_i, [symbol image FDA0003564846500000022] is the set of neighbor nodes of v_i, l_e(v_i, u) denotes the label of a directed edge, l(v_i) denotes the numeric label of the node, and M(v_i) is the new label set of node v_i;
the first-order kernel value between nodes can be calculated by the following formula:
[formula image FDA0003564846500000023]
where v_1 and v_2 are nodes in the two graphs respectively;
B3, calculating the kernel value between nodes according to the similarity of the node label sets:
[formula image FDA0003564846500000024]
where [symbol image FDA0003564846500000025] represents the kernel value of an edge, α and β are non-negative constants, and [symbol image FDA0003564846500000026] represents the kernel value of order k between nodes;
B4, calculating the kernel value between graphs using the kernel values between nodes calculated in step B3:
[formula image FDA0003564846500000027]
where B(V_1, V_2) represents the mapping between nodes and k_G(G_1, G_2) is the calculated kernel value between the graphs; finally the positive definite kernel value matrix K_{N×N} is obtained, where K_{i,j} is the kernel value between G_i and G_j, and the kernel value matrix can be regarded as a similarity matrix;
and B5, analyzing the kernel value matrix by using an unsupervised clustering method to realize the separation of normal behaviors from attack behaviors.
4. The threat hunting method based on graph kernel clustering as claimed in claim 1, wherein step C further comprises the following steps:
c1, counting the number of the behavior dependency graphs in each cluster, and when the number is smaller than a threshold value, judging the behavior dependency graphs in the clusters to be abnormal behaviors;
C2, quantifying the threat of the behavior dependency graphs obtained in step C1 that represent abnormal behaviors: each abnormal behavior dependency graph is traversed and quantified from three aspects, suspicious IP, user authority and sensitive information:
[formula image FDA0003564846500000031]
where [symbol image FDA0003564846500000032] represents the threat value of IPs and URLs, calculated from public malicious IP libraries and domain name access rankings, [symbol image FDA0003564846500000033] represents the quantification of the user's rights (the higher the user's rights, the higher the threat value), and [symbol image FDA0003564846500000034] represents the quantification of sensitive information, generally marked by manual labeling or by sensitive information identification tools, where α, β and γ represent weights and can be adjusted as required;
and C3, ranking the threat scores of the abnormal behavior dependency graph, and when the threat scores exceed a threshold value, judging the abnormal behaviors as threat behaviors and sending an alarm to realize threat hunting.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210305603.7A CN114662096A (en) 2022-03-25 2022-03-25 Threat hunting method based on graph kernel clustering

Publications (1)

Publication Number Publication Date
CN114662096A true CN114662096A (en) 2022-06-24

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115567325A (en) * 2022-12-02 2023-01-03 浙江工业大学 Threat hunting method based on graph matching
CN116647406A (en) * 2023-06-21 2023-08-25 中国电子产业工程有限公司 Advanced persistent threat attack IP detection method
CN116647406B (en) * 2023-06-21 2024-03-12 中国电子产业工程有限公司 Advanced persistent threat attack IP detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination