CN114944956A - Attack link detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN114944956A (granted version: CN114944956B)
Authority: CN (China)
Application number: CN202210594626.4A
Original language: Chinese (zh)
Inventors: 张士峰, 宁阳, 方兵
Assignee (current and original): Sangfor Technologies Co Ltd
Legal status: Granted, active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: attack, node, alarm data, knowledge graph, attack link

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Abstract

Embodiments of the invention, which belong to the technical field of computers, provide an attack link detection method, an attack link detection apparatus, an electronic device and a storage medium. The attack link detection method comprises the following steps: creating a knowledge graph based on at least two alarm data, where the nodes of the knowledge graph represent alarm data and the edges of the knowledge graph represent the association relation between the two nodes corresponding to each edge; and acquiring an attack link in the knowledge graph.

Description

Attack link detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for detecting an attack link, an electronic device, and a storage medium.
Background
Related-art attack link detection usually works from parameters, request fields, contents and similar dimensions. The attack links detected in this way are not accurate enough, so such detection methods are of little help for attack research and judgment analysis.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide a method and an apparatus for detecting an attack link, an electronic device, and a storage medium, so as to at least solve a problem that an attack link detected by a related technology is not favorable for performing attack analysis.
The technical scheme of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides an attack link detection method, where the method includes:
creating a knowledge graph based on at least two alarm data, where the nodes of the knowledge graph represent alarm data and the edges of the knowledge graph represent the association relation between the two nodes corresponding to each edge;
and acquiring an attack link in the knowledge graph.
In the above solution, after acquiring the attack link in the knowledge graph, the method further includes:
determining threat information of an attack link based on node characteristics of nodes in the knowledge graph;
and ranking all attack links based on the threat information.
In the above scheme, the determining threat information of the attack link includes:
scoring each node of the knowledge graph based on the node characteristics to obtain a first score value of each node;
and calculating a second score value of the corresponding attack link based on the first score value of the node on each attack link, and taking the second score value as threat information of the attack link.
In the above solution, the creating a knowledge graph based on at least two alarm data includes:
taking each alarm data as a node;
determining each node on each attack link based on a source host or a destination host in each alarm data;
determining the connection relation between each node on each attack link based on the time information of each alarm data;
and constructing the knowledge graph based on the nodes and the connection relation.
In the above solution, before creating the knowledge graph based on at least two alarm data, the method further comprises:
aggregating the same alarm data in the historical alarm data to obtain the at least two alarm data; the same alarm data means alarm data whose information is identical except for the time information.
In the above solution, after creating the knowledge graph based on at least two alarm data, the method further comprises:
updating the knowledge graph based on a set condition to obtain an updated graph; the set condition is that the difference between the timestamps corresponding to a first node and a second node on the attack link is smaller than a set value.
in the above solution, the node characteristics at least include any one of:
the attack type corresponding to the node;
the out-degree and in-degree of the node;
and the alarm level corresponding to the node.
In a second aspect, an embodiment of the present invention provides an attack link detection apparatus, where the apparatus includes:
the creating module is used for creating a knowledge graph based on at least two alarm data; the nodes of the knowledge graph represent alarm data; the edges of the knowledge graph represent the association relation between the two nodes corresponding to each edge;
and the acquisition module is used for acquiring the attack link in the knowledge graph.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a processor and a memory, where the processor and the memory are connected to each other, where the memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to invoke the program instructions to execute the steps of the attack link detection method provided in the first aspect of the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, including: the computer-readable storage medium stores a computer program. The computer program, when executed by a processor, implements the steps of the attack link detection method as provided by the first aspect of an embodiment of the present invention.
The method and apparatus of the embodiments create a knowledge graph based on at least two alarm data and acquire the attack link in the knowledge graph. The nodes of the knowledge graph represent alarm data, and the edges represent the association relation between the two nodes corresponding to each edge. Because the nodes on an attack link correspond to different alarm data and connected nodes have an association relation, the attack process can be clearly understood from the attack links acquired in the knowledge graph, the cause of the attack can be judged and analyzed from the attack link, and the accuracy and efficiency of attack judgment and analysis are improved.
Drawings
Fig. 1 is a schematic diagram of an implementation flow of an attack link detection method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a knowledge graph provided by an embodiment of the present invention;
Fig. 3 is a schematic flow chart of an implementation of another attack link detection method according to an embodiment of the present invention;
Fig. 4 is a schematic flow chart of an implementation of another attack link detection method provided in an embodiment of the present invention;
Fig. 5 is a schematic flow chart of an implementation of another attack link detection method according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart illustrating a process of detecting an attack link by graph computation according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of an attack link detection apparatus according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Besides the technical solutions mentioned in the background art, the related art also has a solution that detects attack links through a knowledge graph, but it uses hosts as the nodes of the knowledge graph and detects attack links in the graph with a community discovery algorithm. A community is a local structure whose internal connections are tight while the connections between different local structures are sparse. A community discovery algorithm is essentially a clustering algorithm: the similarity of nodes in the knowledge graph is judged by indexes such as distance, and nodes with high similarity are grouped into one class, which then forms an attack link. The detection effect of this method is mediocre; for example, nodes belonging to different security events may be gathered into the same attack link, so the detection accuracy of attack links is low and the false alarm rate of the TOP10 attack links is high, where the TOP10 attack links are the 10 attack links with the highest degree of harm.
In view of the above disadvantages of the related art, embodiments of the present invention provide a method for detecting an attack link, which can improve the detection accuracy of the attack link. In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Fig. 1 is a schematic view of an implementation flow of an attack link detection method according to an embodiment of the present invention, where an execution subject of the attack link detection method is an electronic device, and the electronic device includes a desktop computer, a notebook computer, a server, and the like. The server may be an entity device or a virtualization device deployed in the cloud. Referring to fig. 1, the attack link detection method includes:
S101, creating a knowledge graph based on at least two alarm data; the nodes of the knowledge graph represent alarm data; the edges of the knowledge graph represent the association relation between the two nodes corresponding to each edge.
Here, the at least two alarm data may be alarm logs generated by a network security product when it detected alarm behaviors during a historical time period; the security product may be antivirus software, a firewall, and the like.
In an embodiment, prior to creating the knowledge graph based on the at least two alarm data, the method further comprises:
filtering historical alarm data based on a periodic filtering algorithm to obtain the at least two alarm data.
In practical applications, some normal user operations may also trigger an alarm; for example, an alarm may be triggered when the user clicks a file they have no access rights to, but such alarm behavior is normal user behavior and causes no harm to the computer. Such alarm data is of no use to the application, so it should be filtered out. The embodiment of the invention only needs the alarm data of abnormal operations, such as the alarm data generated when a hacker accesses a system file without authorization.
The periodic filtering algorithm can be adopted to filter the historical alarm data, filter the alarm data corresponding to the normal operation of the user and only keep the alarm data corresponding to the abnormal operation. In practical applications, the periodic filtering algorithm may be a fourier algorithm or a Dynamic Time Warping (DTW) algorithm.
In an embodiment, prior to creating the knowledge graph based on the at least two alarm data, the method further comprises:
aggregating the same alarm data in the historical alarm data to obtain the at least two alarm data; the same alarm data means alarm data whose information is identical except for the time information.
The electronic device may trigger the same alarm at different points in time, for example when the user clicks at different times on the same file that they are not authorized to access; these alarms are all substantially the same. That is, alarm data with the same information (such as IP addresses, user information, etc.) is the same alarm data, differing only in the alarm trigger time. The embodiment of the invention aggregates the same alarm data in the historical alarm data and stores only one copy of the same alarm data generated at different times.
A knowledge graph is a graph-based data structure: a large-scale semantic network that describes knowledge and models the association relations among all things in the world with a graph model. A semantic network expresses the structure of human knowledge in network form; it is a directed graph that expresses knowledge through entities and the semantic relations between them.
A knowledge graph is composed of nodes and edges. Referring to Fig. 2, which is a schematic diagram of a knowledge graph provided by an embodiment of the present invention, the knowledge graph on the left of Fig. 2 contains nodes and edges of only one type, while the knowledge graph on the right of Fig. 2 contains nodes and edges of multiple types; for example, node types include humans, animals and plants.
When the knowledge graph is created based on at least two alarm data, each of the at least two alarm data corresponds to a node in the knowledge graph, and the nodes are connected according to the association relation. Here, the association relation may be that the nodes correspond to the same source host or to the same destination host; that is, connected nodes in the knowledge graph always correspond to the same source host or the same destination host.
S102, acquiring an attack link in the knowledge graph.
In practical applications, the attack link mainly refers to a hacker attack link in the sense of the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework; ATT&CK is an attack model framework composed of the tactics and enterprise techniques that attackers commonly use in network attacks.
Once the knowledge graph is constructed, the attack links are constructed correspondingly: because every node is an alarm data, each link in the knowledge graph is an attack link. In practical application, a graph path search algorithm can be used to perform path search on the knowledge graph to find all attack links.
Because the nodes on an attack link correspond to different alarm data and connected nodes have an association relation, the attack links obtained in the knowledge graph by this method clearly show how the attack took place, which makes attack research, judgment and analysis convenient.
The method and apparatus of the embodiments create a knowledge graph based on at least two alarm data and acquire the attack links in the knowledge graph. The nodes of the knowledge graph represent alarm data, and the edges represent the association relation between the two nodes corresponding to each edge. From the attack links acquired in the knowledge graph by this method, the process of the attack can be clearly understood and the cause of the attack researched and analyzed from the attack link, so the accuracy and efficiency of attack research and judgment analysis are improved.
Further, referring to Fig. 3, in an embodiment, creating the knowledge graph based on at least two alarm data includes:
S301, taking each alarm data as a node.
Each of the at least two alarm data is a node in the knowledge graph.
S302, based on the source host or the destination host in each alarm data, each node on each attack link is determined.
The knowledge graph comprises a plurality of attack links, and nodes on each attack link are related, for example, all the nodes on the attack links correspond to the same source host or the same destination host.
The alarm data includes detailed information of the alarm behavior, which may include information such as a timestamp, an Internet Protocol (IP) address of the source host, an IP address of the destination host, an attack type, and an attack threat level.
By obtaining the source host IP address and the destination host IP address in each alarm data, each node on each attack link can be determined.
S303, determining the connection relation between the nodes on each attack link based on the time information of each alarm data.
The occurrence time of the corresponding alarm behavior is determined from the time information of the alarm data. The connection relation refers to the order of the occurrence times of the alarm behaviors corresponding to the nodes: the nodes on each attack link are connected one after another in time order, which yields the attack links of the knowledge graph.
S304, constructing the knowledge graph based on the nodes and the connection relation.
And connecting the nodes according to the connection relation among the nodes on each attack link to construct a knowledge graph.
In the embodiment of the invention, the alarm data are used as the nodes of the knowledge graph and the nodes are connected according to the connection relation to obtain the attack links; the attack links in the knowledge graph obtained in this way clearly show the process of the attack, which makes attack research, judgment and analysis convenient.
Referring to fig. 4, in an embodiment, after acquiring the attack link in the knowledge-graph, the method further includes:
S401, determining threat information of the attack link based on the node characteristics of the nodes in the knowledge graph.
In one embodiment, the node characteristics include at least any one of:
the attack type corresponding to the node;
the out-degree and in-degree of the node;
and the alarm level corresponding to the node.
The attack types corresponding to the nodes include: account cracking, remote behavior, trojans, worms, mining, system command injection, etc.
The degree of a node refers to the number of edges associated with the node. In a directed graph, degree is further divided into in-degree and out-degree. In-degree: the number of times a node of the directed graph is the end point of an edge. Out-degree: the number of times a vertex of the directed graph is the starting point of an edge.
And the alarm level corresponding to the node represents the severity of the alarm corresponding to the node. Multiple alert levels may be set, e.g., level 3> level 2> level 1, with the higher the alert level, the higher the severity of the corresponding alert. The network security product can trigger different levels of alarms according to the threat degree of the alarm behavior to the computer.
The threat information of the attack link is determined from the node characteristics; for example, a threat score of the attack link is calculated from the node characteristics of the nodes on it, the threat score being one kind of threat information: the higher the alarm level, the higher the threat score of the attack link, and the greater the degree of a node, the higher the threat score of the attack link. The threat score characterizes the threat degree of the attack link.
S402, ranking all attack links based on the threat information.
The threat information can represent the damage degree of the attack links; the attack links are ranked by damage degree, and the higher the damage degree, the higher the ranking.
For example, the attack links are ranked by threat score, and the greater the threat score, the higher the rank of the attack link. A higher-ranked attack link poses a greater threat to the computer and has more value for threat research and judgment.
Further, referring to Fig. 5, in an embodiment, determining the threat information of the attack link includes:
S501, scoring each node of the knowledge graph based on the node characteristics to obtain a first score value of each node.
For example, in the case that the node characteristic is an attack type, the alarm data may store a corresponding attack type, the damage degree of different attack types to the computer is different, the corresponding relationship between the attack type and the first score value may be stored in the database in advance, and when the first score value of the node needs to be determined, the corresponding first score value is read according to the attack type.
When the node characteristics are the out-degree and in-degree of the node, the out-degree and in-degree can be added together, and the sum is the first score value: the larger the sum, the higher the score. Here, the sum can represent the importance of the node.
In practical applications, the PageRank algorithm may be used to score all nodes in the knowledge graph. PageRank is a representative link analysis algorithm for graphs and belongs to the unsupervised learning methods on graph data. Its basic idea is to define a random walk model, i.e. a first-order Markov chain, on the directed graph, describing the behavior of a random walker who visits nodes at random along the directed edges. Under certain conditions, the probability of visiting each node converges in the limit to a stationary distribution; the stationary probability of each node is its PageRank value, which represents the importance of the node and is taken as the first score value.
And under the condition that the node characteristics are the alarm levels corresponding to the nodes, the alarm data can comprise the alarm levels, and the higher the alarm level is, the higher the severity of the corresponding alarm is, and the greater the harm to the computer is. The corresponding relation between the alarm level and the first score value can be preset, the corresponding relation is stored in a database, and when the first score value of the node needs to be determined, the corresponding first score value is read according to the alarm level.
In other embodiments, the first score value of the node may also be comprehensively calculated according to the attack type, the out-degree and the in-degree corresponding to the node, and the alarm level. Each node characteristic can be calculated to obtain a score value, and the score values of all the node characteristics are accumulated, averaged or weighted to obtain a first score value of the node.
S502, calculating a second score value of the corresponding attack link based on the first score value of the node on each attack link, and taking the second score value as threat information of the attack link.
Here, the first score values of all nodes on the attack link may be accumulated, averaged or weighted to obtain the second score value of the attack link, and the second score value may be used as the threat information of the attack link. The higher the second score value, the higher the threat level of the attack link.
Further, when all attack links are ranked based on the threat information, all attack links may be ranked according to the second score value, and the higher the second score value is, the higher the ranking of the attack links is. The higher the ranking of the attack links, the greater the threat level, and the higher the value of the threat research.
In practical application, the TOP10 attack links generally need to be output: the application sorts the attack links by the second score value, outputs the top 10 attack links according to the sorting result, and submits them to security analysts for threat research and judgment analysis. Because the threat information of each attack link in the knowledge graph is determined from the node characteristics and the attack links are ranked by that threat information, the method and apparatus determine the TOP10 attack links with high accuracy and a lower misjudgment rate than the related art.
In an embodiment, after creating the knowledge graph based on the at least two alarm data, the method further comprises:
updating the knowledge graph based on a set condition to obtain an updated graph; the set condition is that the difference between the timestamps corresponding to the first node and the second node on the attack link is smaller than a set value.
Correspondingly, the determining threat information of the attack link based on the node characteristics of the nodes in the knowledge-graph comprises:
determining threat information of an attack link in an update graph based on node characteristics of nodes in the update graph.
Here, the first node and the second node may be connected nodes on the attack link, or may be head-to-tail nodes on the attack link.
Updating the knowledge graph based on the set condition to obtain the updated graph comprises deleting the attack links that do not meet the set condition from the knowledge graph.
All nodes in an attack link should belong to the same security event; if the difference between the timestamps of the first node and the second node is greater than the set value, the two alarms are not considered to belong to the same security event and cannot be put into the same attack link. Deleting the attack links that do not meet the set condition from the knowledge graph gives the updated graph, and the threat information of the attack links is then determined based on the node characteristics of the nodes in the updated graph. The attack links in the updated graph are more accurate, so when all attack links are ranked based on the threat information the ranking result is more accurate and reflects the threat degree of the attack links more faithfully.
Referring to fig. 6, fig. 6 is a schematic flowchart illustrating a process of detecting an attack link by graph computation according to an embodiment of the present invention.
Firstly, filtering an original alarm log.
Here, the original alarm log may be an alarm log generated by the network security product during a historical period of time. The original alarm logs can be filtered by adopting a periodic filtering algorithm, the alarm logs of normal operation behaviors are filtered, only the alarm logs of abnormal operation behaviors are reserved, and the periodic filtering algorithm can be a Fourier algorithm or a Dynamic Time Warping (DTW) algorithm and other algorithms.
And secondly, carrying out alarm clustering.
The original alarms with close association are aggregated according to a certain rule, and the electronic device may trigger the same alarm at different time points, for example, the user clicks the same file without access right at different time points, and the alarms are substantially the same. The embodiment of the invention aggregates the same alarm data, and only one part of the same alarm data generated at different time is stored.
And thirdly, performing alarm association and constructing a knowledge graph.
And taking each alarm data as a node, and determining each node on each attack link based on a source host or a destination host in each alarm data. And determining the connection relation between each node on each attack link based on the time information of each alarm data, and constructing a knowledge graph based on the nodes and the connection relation.
And fourthly, performing path search on the knowledge graph.
Here, the path refers to an attack link, the knowledge graph includes at least two attack links, and a graph path search algorithm is adopted to search for all the attack links.
The knowledge graph is updated based on a set condition to obtain an updated graph, where the set condition is that the difference between the timestamps corresponding to the first node and the second node on the attack link is smaller than a set value. The first node and the second node can be connected nodes on the attack link or the head and tail nodes of the attack link.
And fifthly, scoring the paths in the knowledge graph.
Scoring each node of the knowledge graph based on the node characteristics to obtain a first score value of each node; and calculating a second score value of the corresponding attack link based on the first score value of the node on each attack link, and taking the second score value as threat information of the attack link.
In practical applications, the PageRank algorithm may be used to score all nodes in the knowledge graph.
In an embodiment, the first score values of all nodes on the attack link may be accumulated to obtain the second score value of the attack link.
And sixthly, sorting the paths according to the scores.
And sequencing the attack links according to the second score, outputting the attack links ranked at the top10 according to the sequencing result, and submitting the attack links to security analysts for threat study and judgment analysis.
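The six steps above, worked through as an added Python example that is not part of the patent or of Sangfor's implementation: alarms identical except for their timestamp are merged, a node is chained to a later node when its destination host is the later alarm's source host and the timestamp gap is below the set value (assumed here to gate edge creation), every source-to-sink path is enumerated as an attack link, nodes get a PageRank first score, links get the sum of their node scores as second score, and the top links are returned. The alarm records, host addresses, the 600-second window and the PageRank parameters are all constructed for illustration.

```python
"""Attack-link detection over alarm data (illustrative; not the patent's code)."""
from collections import defaultdict

# Constructed sample alarms: src/dst host, attack type, alarm level, timestamp (s).
ALARMS = [
    {"src": "10.0.0.5",  "dst": "10.0.0.7",    "type": "port_scan",    "level": 1, "ts": 100},
    {"src": "10.0.0.5",  "dst": "10.0.0.7",    "type": "port_scan",    "level": 1, "ts": 160},  # repeat
    {"src": "10.0.0.7",  "dst": "10.0.0.9",    "type": "brute_force",  "level": 2, "ts": 200},
    {"src": "10.0.0.7",  "dst": "10.0.0.10",   "type": "brute_force",  "level": 2, "ts": 210},
    {"src": "10.0.0.9",  "dst": "10.0.0.20",   "type": "lateral_move", "level": 3, "ts": 260},
    {"src": "10.0.0.20", "dst": "203.0.113.8", "type": "exfil",        "level": 3, "ts": 300},
    {"src": "10.0.0.11", "dst": "10.0.0.12",   "type": "port_scan",    "level": 1, "ts": 400},
    {"src": "10.0.0.12", "dst": "10.0.0.13",   "type": "brute_force",  "level": 2, "ts": 450},
    {"src": "10.0.0.13", "dst": "10.0.0.14",   "type": "exfil",        "level": 3, "ts": 9000},  # outside window
]


def aggregate(alarms):
    """Step 2: merge alarms whose fields are identical except for time; keep the earliest copy."""
    merged = {}
    for alarm in sorted(alarms, key=lambda a: a["ts"]):
        key = (alarm["src"], alarm["dst"], alarm["type"], alarm["level"])
        merged.setdefault(key, alarm)
    return list(merged.values())


def build_graph(alarms, window):
    """Step 3 (+ the step-4 set condition, assumed to gate edges): node i -> node j when
    alarm i's destination host is alarm j's source host and j happened later, but less
    than `window` seconds later. Strictly increasing timestamps make the graph acyclic."""
    nodes = list(range(len(alarms)))
    edges = []
    for i, a in enumerate(alarms):
        for j, b in enumerate(alarms):
            gap = b["ts"] - a["ts"]
            if a["dst"] == b["src"] and 0 < gap < window:
                edges.append((i, j))
    return nodes, edges


def attack_links(nodes, edges):
    """Step 4: enumerate every path from a node without predecessors to a node without
    successors; a path of at least two nodes is one attack link."""
    out, indeg = defaultdict(list), {v: 0 for v in nodes}
    for a, b in edges:
        out[a].append(b)
        indeg[b] += 1
    links = []

    def walk(path):
        tail = path[-1]
        if not out[tail]:
            if len(path) > 1:
                links.append(path)
            return
        for nxt in out[tail]:
            walk(path + [nxt])

    for v in nodes:
        if indeg[v] == 0:
            walk([v])
    return links


def pagerank(nodes, edges, damping=0.85, iterations=100):
    """Step 5, first score: plain PageRank by power iteration, dangling mass spread evenly
    (the patent also names attack type and alarm level as node characteristics; a
    weighted variant could fold those in, which is not done here)."""
    n = len(nodes)
    out = defaultdict(list)
    for a, b in edges:
        out[a].append(b)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not out[v])
        new_rank = {}
        for v in nodes:
            incoming = sum(rank[u] / len(out[u]) for u in nodes if v in out[u])
            new_rank[v] = (1 - damping) / n + damping * (incoming + dangling / n)
        rank = new_rank
    return rank


def detect(alarms, window=600, top_n=10):
    """Steps 2-6 end to end: returns [(second_score, [node ids]), ...], best first."""
    alarms = aggregate(alarms)
    nodes, edges = build_graph(alarms, window)
    first_score = pagerank(nodes, edges)
    scored = [(sum(first_score[v] for v in link), link) for link in attack_links(nodes, edges)]
    return sorted(scored, reverse=True)[:top_n]


if __name__ == "__main__":
    deduped = aggregate(ALARMS)
    for score, link in detect(ALARMS):
        hops = " -> ".join(f"{deduped[v]['src']}({deduped[v]['type']})" for v in link)
        print(f"{score:.3f}  {hops} -> {deduped[link[-1]]['dst']}")
```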
The embodiment of the invention constructs the knowledge graph from the alarm data, scores the attack links according to the node characteristics, and can accurately rank the threat degree of the attack links in the knowledge graph by those scores, thereby reducing misjudgment of the top 10 attack links. The embodiment of the invention makes full use of the graph structure characteristics of attack links and improves the accuracy of attack link detection. From the attack links in the knowledge graph obtained by this method, the course of an attack can be clearly understood and its cause studied along the attack link, which improves the accuracy and efficiency of attack study and judgment.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
Referring to fig. 7, fig. 7 is a schematic diagram of an attack link detection apparatus according to an embodiment of the present invention. As shown in fig. 7, the apparatus includes an acquisition module and a creation module.
The creation module is used for creating a knowledge graph based on at least two alarm data; the nodes of the knowledge graph represent alarm data; the edges of the knowledge graph represent the association relation between the two nodes corresponding to each edge;
and the acquisition module is used for acquiring the attack links in the knowledge graph.
In one embodiment, the apparatus further comprises:
the determining module is used for determining threat information of an attack link based on node characteristics of nodes in the knowledge graph;
and the sequencing module is used for sequencing all attack links based on the threat information.
In one embodiment, the determining module, when determining the threat information of the attack link, is configured to:
scoring each node of the knowledge graph based on the node characteristics to obtain a first score value of each node;
and calculating a second score value of the corresponding attack link based on the first score value of the node on each attack link, and taking the second score value as threat information of the attack link.
In one embodiment, the creation module, when creating the knowledge graph based on at least two alarm data, is configured to:
taking each alarm data as a node;
determining each node on each attack link based on a source host or a destination host in each alarm data;
determining the connection relation between each node on each attack link based on the time information of each alarm data;
and constructing the knowledge graph based on the nodes and the connection relation.
In one embodiment, the apparatus further comprises:
the aggregation module is used for aggregating the same alarm data in the historical alarm data to obtain the at least two alarm data; the same alarm data represents alarm data with the same information except the time information.
In one embodiment, the apparatus further comprises:
the updating module is used for updating the knowledge graph based on a set condition to obtain an updated graph; the set condition represents that the difference between the timestamps corresponding to a first node and a second node on the attack link is smaller than a set value.
In one embodiment, the node characteristics include at least any one of:
the attack type corresponding to the node;
the out-degree and in-degree of the node;
and the alarm level corresponding to the node.
In practical applications, the acquisition module and the creation module may be implemented by a processor in an electronic device, such as a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU), or a Field Programmable Gate Array (FPGA).
It should be noted that, when the attack link detection apparatus provided in the above embodiment performs attack detection, the division into the above modules is only an example; in practical application the processing may be distributed to different modules as needed, that is, the internal structure of the apparatus may be divided into different modules to complete all or part of the processing described above. In addition, the attack link detection apparatus and the attack link detection method provided by the above embodiments belong to the same concept; their specific implementation is detailed in the method embodiments and is not repeated here.
The attack link detection device may be in the form of an image file, and after the image file is executed, the image file may be run in the form of a container or a virtual machine, so as to implement the attack link detection method described in the present application. Of course, the method is not limited to the image file form, and any software form capable of implementing the data processing method described in the present application is within the protection scope of the present application.
Based on the hardware implementation of the program module, in order to implement the method of the embodiment of the present application, an embodiment of the present application further provides an electronic device. Fig. 8 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 8, the electronic device includes:
a communication interface, which can exchange information with other devices such as network devices;
and a processor, connected to the communication interface to exchange information with other devices, which is configured to execute the method provided by one or more of the technical solutions on the electronic device side when running a computer program; the computer program is stored in the memory.
Of course, in practice, the various components in an electronic device are coupled together by a bus system. It will be appreciated that a bus system is used to enable communications among the components. The bus system includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as a bus system in fig. 8.
The electronic device may take a cluster form, for example a cloud computing platform. A cloud computing platform is a service form that organizes the physical hardware resources of a plurality of independent servers into pooled resources using computing virtualization, network virtualization and storage virtualization technologies; it is a software-defined resource structure built on virtualization technology and may provide resource capabilities in the form of virtual machines, containers and the like. It removes the fixed relation between hardware and operating system, unifies resource scheduling through network communication, and then provides the required virtual resources and services.
The current cloud computing platform supports several service modes:
SaaS (Software as a Service): the cloud computing platform user does not need to purchase software, but rents the software deployed on the cloud computing platform, the user does not need to maintain the software, and a software service provider can manage and maintain the software in full rights;
PaaS (Platform as a Service): a cloud computing platform user (usually a software developer at this time) can build a new application on a framework provided by the cloud computing platform, or expand an existing application, and does not need to purchase a development, quality control or production server;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers, infrastructure hardware and software resources through the internet, and the cloud computing platform in the IaaS mode can provide servers, operating systems, disk storage, databases and/or information resources.
The memory in the embodiments of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferroelectric Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. Volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to a processor, or may be implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in a memory where a processor reads the programs in the memory and in combination with its hardware performs the steps of the method as previously described.
Optionally, when the processor executes the program, the corresponding process implemented by the electronic device in each method of the embodiment of the present application is implemented, and for brevity, is not described again here.
In an exemplary embodiment, the present application further provides a storage medium, specifically a computer storage medium, for example a first memory storing a computer program, where the computer program is executable by a processor of an electronic device to perform the steps of the foregoing method. The computer readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
In addition, in the examples of the present application, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for detecting an attack link, the method comprising:
creating a knowledge graph based on at least two alarm data; the nodes of the knowledge graph represent alarm data; the edges of the knowledge graph represent the association relation between the two nodes corresponding to each edge;
and acquiring an attack link in the knowledge graph.
2. The method of claim 1, wherein after obtaining the attack links in the knowledge graph, the method further comprises:
determining threat information of an attack link based on node characteristics of nodes in the knowledge graph;
and sequencing all attack links based on the threat information.
3. The method of claim 2, wherein determining threat information for the attacking link comprises:
scoring each node of the knowledge graph based on the node characteristics to obtain a first score value of each node;
and calculating a second score value of the corresponding attack link based on the first score value of the node on each attack link, and taking the second score value as threat information of the attack link.
4. The method of claim 1, wherein creating a knowledge graph based on at least two alarm data comprises:
taking each alarm data as a node;
determining each node on each attack link based on a source host or a destination host in each alarm data;
determining the connection relation between each node on each attack link based on the time information of each alarm data;
and constructing the knowledge graph based on the nodes and the connection relation.
5. The method of claim 1, wherein prior to creating a knowledge graph based on at least two alarm data, the method further comprises:
aggregating the same alarm data in the historical alarm data to obtain at least two alarm data; the same alarm data represents the alarm data with the same information except the time information.
6. The method of claim 1, wherein after creating a knowledge graph based on at least two alarm data, the method further comprises:
updating the knowledge graph based on a set condition to obtain an updated graph; the set condition represents that the difference between the timestamps corresponding to a first node and a second node on the attack link is smaller than a set value.
7. The method according to claim 2, wherein the node characteristics comprise at least any one of:
the attack type corresponding to the node;
the out-degree and in-degree of the node;
and the alarm level corresponding to the node.
8. An attack link detection apparatus, comprising:
the creation module is used for creating a knowledge graph based on at least two alarm data; the nodes of the knowledge graph represent alarm data; the edges of the knowledge graph represent the association relation between the two nodes corresponding to each edge;
and the acquisition module is used for acquiring the attack link in the knowledge graph.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the attack link detection method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the attack link detection method according to any one of claims 1 to 7.
CN202210594626.4A 2022-05-27 2022-05-27 Attack link detection method and device, electronic equipment and storage medium Active CN114944956B (en)

Publications (2)

Publication Number Publication Date
CN114944956A true CN114944956A (en) 2022-08-26
CN114944956B CN114944956B (en) 2024-07-09

Family

ID=82908276

Country Status (1)

Country Link
CN (1) CN114944956B (en)

Citations (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106250288A (en) * 2016-07-29 2016-12-21 浪潮软件集团有限公司 Root alarm analysis and identification method based on data mining
US20180048662A1 (en) * 2016-08-15 2018-02-15 International Business Machines Corporation Cognitive offense analysis using enriched graphs
CN108021492A (en) * 2016-11-04 2018-05-11 华为技术有限公司 One kind alarm merging method and equipment
CN108829794A (en) * 2018-06-04 2018-11-16 北京交通大学 Alert analysis method based on interval graph
CN109005069A (en) * 2018-08-29 2018-12-14 中国人民解放军国防科技大学 Network security knowledge graph association analysis method based on heaven-earth integrated network
CN109784043A (en) * 2018-12-29 2019-05-21 北京奇安信科技有限公司 Attack restoring method, device, electronic equipment and storage medium
CN110213077A (en) * 2019-04-18 2019-09-06 国家电网有限公司 A kind of method, apparatus and system of determining electric power monitoring system security incident
CN110309009A (en) * 2019-05-21 2019-10-08 北京云集智造科技有限公司 Situation-based operation and maintenance fault root cause positioning method, device, equipment and medium
CN111193749A (en) * 2020-01-03 2020-05-22 北京明略软件系统有限公司 Attack tracing method and device, electronic equipment and storage medium
CN112187773A (en) * 2020-09-23 2021-01-05 支付宝(杭州)信息技术有限公司 Method and device for mining network security vulnerability
CN112241439A (en) * 2020-10-12 2021-01-19 绿盟科技集团股份有限公司 Attack organization discovery method, device, medium and equipment
CN112738071A (en) * 2020-12-25 2021-04-30 中能融合智慧科技有限公司 Method and device for constructing attack chain topology
CN113486192A (en) * 2021-07-06 2021-10-08 中国建设银行股份有限公司 Alarm aggregation method and related equipment
CN113595994A (en) * 2021-07-12 2021-11-02 深信服科技股份有限公司 Abnormal mail detection method and device, electronic equipment and storage medium
CN113660225A (en) * 2021-07-29 2021-11-16 广州大学 Network attack event prediction method, system, device and medium based on time sequence point
CN113987492A (en) * 2021-10-29 2022-01-28 绿盟科技集团股份有限公司 Method and device for determining alarm event
US20220051111A1 (en) * 2020-08-17 2022-02-17 Accenture Global Solutions Limited Knowledge graph enhancement by prioritizing cardinal nodes
CN114238526A (en) * 2022-02-23 2022-03-25 浙江大华技术股份有限公司 Image gathering method, electronic equipment and storage medium
CN114301712A (en) * 2021-12-31 2022-04-08 西安交通大学 Industrial internet alarm log correlation analysis method and system based on graph method
CN114363036A (en) * 2021-12-30 2022-04-15 绿盟科技集团股份有限公司 Network attack path acquisition method and device and electronic equipment
CN114422325A (en) * 2021-12-30 2022-04-29 优刻得科技股份有限公司 Content distribution network abnormity positioning method, device, equipment and storage medium
US20220159033A1 (en) * 2020-11-15 2022-05-19 Cymptom Labs Ltd. System, Device, and Method of Determining Cyber Attack Vectors and Mitigating Cyber Attacks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴东;郭春;申国伟;: "A multi-factor alarm correlation method", 计算机与现代化, no. 06, pages 34 - 41 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115426246A (en) * 2022-09-01 2022-12-02 中国农业银行股份有限公司 Alarm processing method, device, server and storage medium
CN115426246B (en) * 2022-09-01 2024-05-14 中国农业银行股份有限公司 Alarm processing method, device, server and storage medium
CN116032724A (en) * 2022-12-20 2023-04-28 广域铭岛数字科技有限公司 Security event alarm association aggregation method, device and medium thereof
CN116032724B (en) * 2022-12-20 2024-09-27 广域铭岛数字科技有限公司 Security event alarm association aggregation method, device and medium thereof
CN116488941A (en) * 2023-06-19 2023-07-25 上海观安信息技术股份有限公司 Attack chain detection method, device and equipment

Also Published As

Publication number Publication date
CN114944956B (en) 2024-07-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant