CN115022063B - Cyberspace threat actor attack intention analysis method, system, electronic device and storage medium - Google Patents

Info

Publication number: CN115022063B
Application number: CN202210668131.1A
Authority: CN (China)
Prior art keywords: attack, information element, network, matching, intention
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN115022063A
Inventors: 王昆明, 刘佳男, 高喜宝, 李柏松, 肖新光
Current assignee: Antiy Technology Group Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Antiy Technology Group Co Ltd
Events: application filed by Antiy Technology Group Co Ltd; priority to CN202210668131.1A; publication of CN115022063A; application granted; publication of CN115022063B; legal status currently active.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection


Abstract

Embodiments of the invention disclose a cyberspace threat actor attack intention analysis method, system, electronic device and storage medium in the technical field of network security. The method comprises the following steps: acquiring specified category information about a user that has suffered a network attack; mapping the specified category information to the corresponding information element classification sets; matching the information element classification sets against a cyberspace threat actor attack intention determination rule set, where the rule set comprises mapping relations between specified category information in the information element classification sets and cyberspace threat actor attack intentions; and determining the attack intention of the cyberspace threat actor from the matching result. The invention makes use of data about users that have suffered network attacks and makes automated analysis and determination of the attack intention of cyberspace threat actors practical, thereby improving, to a certain extent, the efficiency and accuracy of attack intention analysis; it is suitable for cyberspace threat defense and related scenarios.

Description

Cyberspace threat actor attack intention analysis method, system, electronic device and storage medium
Technical Field
The present application relates to the field of network security technology, and in particular to a cyberspace threat actor attack intention analysis method and system, an electronic device, and a storage medium.
Background
With the development of internet technology, the cyberspace security situation is becoming increasingly severe, and many cyberspace threat actors with differing attack intentions continuously launch network attacks.
Faced with massive numbers of network attack events, the inventors found, while creating this application, that network security defenders currently rely mostly on network security practitioners to analyze and determine the attack intention of a cyberspace ("network space") threat actor manually. The workload is therefore high, and the attack intentions behind a large number of network attack events are hard to determine quickly and accurately in a short time, so users may suffer losses. In addition, although data about users that have suffered network attacks is an important analysis clue and basis for determining attack intention, current cyberspace threat actor analysis is largely manual and inefficient, so this data cannot be fully exploited.
Disclosure of Invention
In view of the above, embodiments of the application provide a cyberspace threat actor attack intention analysis method, device, electronic device and storage medium that make full use of data about users that have suffered network attacks and make automated analysis and determination of the attack intention of cyberspace threat actors practical, so that the efficiency and accuracy of attack intention analysis can be improved to a certain extent.
To achieve this aim, the following technical scheme is adopted:
In a first aspect, an embodiment of the present invention provides a cyberspace threat actor attack intention analysis method comprising the steps of: acquiring specified category information about a user that has suffered a network attack; mapping the specified category information to the corresponding information element classification sets; matching the information element classification sets against a cyberspace threat actor attack intention determination rule set, where the rule set comprises mapping relations between specified category information in the information element classification sets and cyberspace threat actor attack intentions; and determining the attack intention of the cyberspace threat actor from the matching result.
Optionally, the specified category information includes information of a plurality of different categories, and the information element classification set correspondingly comprises a plurality of category information element sets; matching the information element classification set against the attack intention determination rule set then comprises the following steps:
performing logical OR and logical NOT operations between the information element sets within the same information element classification set to obtain an information element combination; and/or
performing logical AND and logical NOT operations between the information element sets of different information element classification sets to obtain an information element combination;
matching the information element combination against the attack intention determination rule set item by item. The rule set further comprises mapping relations between the logical combination element sets (formed between information element sets within the same category of the information element classification set, and between information element sets of different information element classification sets) and their corresponding cyberspace threat actor attack intentions.
Optionally, determining the cyberspace threat actor attack intention from the matching result includes: if the matching result is a complete match, giving the determination result according to the corresponding attack intention element in the matched attack intention set.
Optionally, determining the cyberspace threat actor attack intention from the matching result includes: if the matching result is a partial match, calculating a matching proximity from the number of attack intention items obtained by matching and the number of items in the attack intention set that is close to the matching result; and giving a determination result according to the attack intention items obtained by matching and the calculated matching proximity.
Optionally, more than one attack intention set is close to the matching result.
In that case, giving the determination result according to the matched attack intention items and the calculated matching proximity comprises: calculating the proximity of every attack intention set that is close in terms of the number of matched attack intention items; comparing the proximity values; and giving the determination result according to the corresponding attack intention element in the attack intention set with the greatest proximity.
Optionally, at the same time as or after the determination result is given according to the attack intention set with the greatest proximity, the method further includes identifying the determination accuracy from the maximum matching proximity, where the determination accuracy is greater than or equal to 1 percent and less than or equal to 99 percent.
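The complete-match, partial-match and proximity logic of the preceding clauses, as an added Python example; this is not the patent's own code. The element ids follow the "set.subset.element" numbering of the tables later in the description, while the three rule entries and their intention labels (ESPIONAGE, DISRUPTION, EXTORTION) are constructed for illustration.

```python
"""Matching proximity and determination result for the rule-matching step,
written as an added example (not the patent's own code). Rule items, element
ids and intention labels are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class IntentRule:
    """One attack intention set of the determination rule set: the specified
    category information elements that together point to one intention."""
    intent: str
    items: FrozenSet[str]


@dataclass(frozen=True)
class Judgement:
    kind: str                      # "complete", "partial" or "none"
    intent: Optional[str]
    matched_items: FrozenSet[str]
    proximity: float               # matched items / items in the closest intention set
    accuracy_pct: Optional[int]    # only for partial matches, clamped to 1..99


# Constructed rule set. Element ids follow the "set.subset.element" pattern of
# the patent's tables (e.g. 01.02.01 = critical information infrastructure,
# 10.00.01 = national secrets, 05.00.07 = leaked data volume Z KB/s); the
# intention labels are hypothetical.
RULES: List[IntentRule] = [
    IntentRule("ESPIONAGE", frozenset({"01.02.01", "10.00.01", "05.00.07"})),
    IntentRule("DISRUPTION", frozenset({"12.00.01", "13.00.01", "05.00.02"})),
    IntentRule("EXTORTION", frozenset({"05.00.05", "13.00.01", "10.00.07"})),
]


def matching_proximity(rule: IntentRule, elements: FrozenSet[str]) -> float:
    """Number of attack intention items obtained by matching, divided by the
    number of items in the attack intention set that is close to the result."""
    return len(rule.items & elements) / len(rule.items)


def judging_accuracy(max_proximity: float) -> int:
    """Determination accuracy identified from the maximum matching proximity,
    held within the text's bounds of 1% to 99%."""
    return min(99, max(1, round(max_proximity * 100)))


def judge(elements: FrozenSet[str], rules: List[IntentRule] = RULES) -> Judgement:
    """Complete match: return that intention directly. Otherwise compare the
    proximity of every partially matched intention set and take the largest
    (ties resolve to the first rule listed)."""
    for rule in rules:
        if rule.items <= elements:
            return Judgement("complete", rule.intent, rule.items, 1.0, None)
    best: Optional[IntentRule] = None
    best_p = 0.0
    for rule in rules:
        p = matching_proximity(rule, elements)
        if p > best_p:
            best, best_p = rule, p
    if best is None:
        return Judgement("none", None, frozenset(), 0.0, None)
    return Judgement("partial", best.intent, best.items & elements, best_p,
                     judging_accuracy(best_p))


if __name__ == "__main__":
    # Constructed victim: critical information infrastructure, national
    # secrets affected, particularly severe hazard; two of three ESPIONAGE items.
    print(judge(frozenset({"01.02.01", "10.00.01", "15.00.01"})))
```

With two of the three ESPIONAGE items present, the result is a partial match with proximity 2/3 and a reported accuracy of 67%; the clamp in `judging_accuracy` is what keeps a near-complete partial match from being reported as 100%.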
Optionally, before the cyberspace threat actor attack intention analysis is performed, the method includes: collecting the specified category information of a massive number of users that have suffered network attacks; constructing, from that information, a specified category information element classification set, which includes the feature set of each category of specified category information elements, the combined feature sets formed between different feature sets within each category of specified category information elements, and the combined feature sets formed between the feature sets of two or more categories of specified category information elements; and storing the specified category information element classification set.
Optionally, before the analysis is performed, the method further includes: analyzing the corresponding cyberspace threat actor attack intentions from the collected attack conditions of a massive number of attacked users, where the attack condition includes the specified category information of the attacked user; constructing a cyberspace threat actor attack intention determination rule set from the large number of attack intentions obtained by that analysis together with the specified category information of the attacked users; and storing the rule set.
Optionally, the specified category information includes: victim importance, the industry to which the victim belongs, victim organization properties, frequency of attack, intensity of attack, duration of attack, hardware victim condition, software victim condition, data victim condition, victim data content, victim data security, network victim condition, business victim condition, reputation victim condition, and/or degree of attack hazard.
In a second aspect, an embodiment of the present invention further provides a cyberspace threat actor attack intention analysis system including: an acquisition program unit for acquiring the specified category information of a user that has suffered a network attack; a mapping program unit configured to map the specified category information to the corresponding information element classification sets; a matching program unit for matching the information element classification sets against the cyberspace threat actor attack intention determination rule set, where the rule set comprises mapping relations between specified category information in the information element classification sets and cyberspace threat actor attack intentions; and a determining program unit for determining the attack intention of the cyberspace threat actor from the matching result.
In a third aspect, an embodiment of the present invention provides an electronic device including one or more processors and a memory; the memory stores one or more executable programs, and the one or more processors read the executable program code stored in the memory and run the cyberspace threat actor attack intention analysis program corresponding to that code, so as to execute any of the analysis methods of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs that are executable by one or more processors to implement the cyberspace threat actor attack intention analysis method of any of the foregoing first aspects.
In the method, system, electronic device and storage medium provided by the embodiments of the invention, the relevant information element classification set and the attack intention determination rule set are constructed in advance from the data of a massive number of users (victims) that have suffered network attacks. When the attack intention of a cyberspace threat actor needs to be analyzed, the specified category information of the attacked user is acquired automatically; the specified category information is mapped to the corresponding information element classification sets; the information element classification sets are matched against the rule set; and the attack intention is determined from the matching result. Compared with the existing manual analysis of attack intention, the data of attacked users is fully utilized and the attack intention can be analyzed and determined automatically, so the efficiency and accuracy of attack intention analysis can be improved to a certain extent.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments or the description of the prior art are briefly described below. It is obvious that the following drawings show only some embodiments of the invention, and that a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a cyberspace threat actor attack intention analysis method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a cyberspace threat actor attack intention analysis method according to another embodiment of the present invention;
FIG. 3 is a flowchart of a cyberspace threat actor attack intention analysis method according to still another embodiment of the present invention;
FIG. 4 is a schematic block diagram of a cyberspace threat actor attack intention analysis system architecture according to an embodiment of the present invention;
FIG. 5 is a schematic block diagram of a cyberspace threat actor attack intention analysis system architecture according to another embodiment of the invention;
FIG. 6 is a schematic block diagram of the architecture of another embodiment of the electronic device of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the application. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the application.
With the development of information technology, the key systems and information resources carried on networks have become valuable targets for other interested entities or organizations (collectively referred to herein as "cyberspace threat actors"). Threats in cyberspace ("network space" for short) are often very complex: an attack may involve attackers from inside or outside, and the attack methods of some highly organized attackers are mature and sophisticated, with potentially serious consequences for both military and civilian network infrastructure, such as SCADA systems controlling the power grid or water treatment facilities, banking systems, and other systems carrying business intellectual property and personally identifiable information.
Analysis of and defense against cyberspace threats are therefore increasingly important. However, with the current massive number of network attack events, a network security practitioner relying on manual analysis and determination alone faces a heavy workload and rapidly changing data, which may exceed the limits of current manual analysis capability.
In addition, the attack condition of the victim in a network attack event is data of great value for cyberspace threat actor attack intention analysis, but because analysis is limited by available time, human resources and other factors and depends on manual methods, victim condition data cannot be fully utilized.
Starting from at least these shortcomings of current manual cyberspace threat analysis, and addressing the contradiction between the objectively large volume of network attack victim data and the shortcomings of manual analysis, this embodiment provides a technical scheme that can automatically analyze the attack intention of cyberspace threat actors. It fully utilizes the data of users that have suffered network attacks, makes automated analysis and determination of attack intention practical, can improve the efficiency and accuracy of attack intention analysis to a certain extent, and opens new paths and guidance for current cyberspace threat analysis theory and practice.
Example 1
The cyberspace threat actor attack intention analysis method provided by the embodiment of the invention can be applied to network security analysis scenarios, in particular to active defense against cyberspace threats and related scenarios.
It should be noted that the method may be embedded as software in a manufactured physical product, and the method flow of the present application is reproduced when the user uses the product.
FIG. 1 is a flowchart of a cyberspace threat actor attack intention analysis method according to an embodiment of the present application. Referring to FIG. 1, in some embodiments the method may include the following steps:
S110, acquiring the specified category information of the user that has suffered the network attack.
In this embodiment, victim condition data of a user that has suffered a network attack may be collected, and specified category information extracted from it, where the specified category information includes information elements of different categories. For example, the specified category information includes, but is not limited to: victim importance, the industry to which the victim belongs, victim organization properties, frequency of attack, intensity of attack, duration of attack, hardware victim condition, software victim condition, data victim condition, victim data content, victim data security, network victim condition, business victim condition, reputation victim condition, and/or degree of attack hazard.
S120, mapping the specified category information to the corresponding information element classification sets.
The information element classification set can be presented as a data table (convenient for programming languages such as Python), or in a number of other data structures such as a list or a dictionary. For ease of explanation and illustration in the text of this document, it is presented in this embodiment in the intuitively understandable table form, which should not be taken as an exclusive limitation on how the information element classification set is actually represented. In this embodiment, the information element classification set may be constructed in advance from the categories of victim condition data collected from a massive number of victims, or from documents on network information security, and each category of specified information elements in the set may be organized into multiple levels. For example, the classification set is divided into three levels: information element sets, their subsets, and their elements.
For example, referring to Table 1 below and taking the victim importance category as the first specified category information element classification set, the set covers three levels: the specified category information element set, its subsets, and their elements. Here, specified category information element set 01 is victim importance; set 01 covers the two subsets 01.01 and 01.02.
TABLE 1
Subset 01.01 is divided mainly according to the importance grade of the information system in GB/Z 20986-2007, Information security technology: Guidelines for the category and classification of information security incidents. The importance grade of an information system mainly considers how important the business carried by the system is to national security, economic development and social life, and how dependent that business is on the system; it is divided into three elements: particularly important information system, important information system, and general information system.
Subset 01.02 mainly follows the definition of critical information infrastructure in the Cybersecurity Law of the People's Republic of China and the Regulations on the Security Protection of Critical Information Infrastructure (State Council Decree No. 745). Critical information infrastructure refers to the important network facilities and information systems in important industries and fields such as public communication and information services, energy, transport, water conservancy, finance, public services, e-government, and the defense science and technology industry, together with other important network facilities and information systems whose destruction, loss of function or data leakage could seriously endanger national security, the national economy and people's livelihood, or the public interest. For ease of distinction and explanation, everything other than critical information infrastructure is referred to here as non-critical information infrastructure. That is, subset 01.02 contains two elements, critical information infrastructure and non-critical information infrastructure, as shown in Table 1.
Taking the industry to which the victim belongs as the second specified category information element classification set, Table 2 below shows it; its specified category information element set 02 represents the industry to which the victim belongs.
TABLE 2
Set 02, the industry to which the victim belongs, mainly covers 20 categories: agriculture, forestry, animal husbandry and fishery; mining; manufacturing; production and supply of electricity, heat, gas and water; construction; wholesale and retail; transport, storage and postal services; accommodation and catering; information transmission, software and information technology services; finance; real estate; leasing and business services; scientific research and technical services; water conservancy, environment and public facility management; resident services, repair and other services; education; health and social work; culture, sports and entertainment; public administration, social security and social organizations; and international organizations, together with the 97 sub-categories they contain.
Taking victim organization properties as the specified category information element classification set, set 03 represents victim organization properties; in one embodiment its contents are shown in Table 3 below.
Sequence number | Set 03 - Victim organization properties
1 | Party and government organs
2 | State institutions
3 | State-owned enterprises (enterprises owned by the whole people)
4 | Collectively owned enterprises
5 | Affiliated (joint-operation) enterprises
6 | Foreign-invested ("three-capital") enterprises
7 | Private enterprises
8 | Other enterprises
9 | Non-profit organizations
TABLE 3
Further, by way of example, set 04 is the attack frequency specified category information element classification set, which in one embodiment is shown in Table 4 below.
Sequence number | Set 04 - Frequency of attack suffered
1 | N times/second
2 | N times/minute
3 | N times/hour
4 | N times/day
5 | N times/week
6 | N times/month
7 | N times/quarter
8 | N times/year
TABLE 4
Taking attack intensity as the specified category information element classification set, set 05 represents attack intensity; in one embodiment the table is shown in Table 5 below.
Sequence number | Set 05 - Attack intensity
1 | Attack traffic peak X Mbps
2 | Attack traffic peak X Gbps
3 | Attack traffic peak X Tbps
4 | Corrupted data volume Y KB/s
5 | Corrupted data volume Y MB/s
6 | Corrupted data volume Y GB/s
7 | Leaked data volume Z KB/s
8 | Leaked data volume Z MB/s
9 | Leaked data volume Z GB/s
TABLE 5
Here, corrupted data covers the malicious deletion, ransomware encryption and similar damage done to the victim's data by an attacker.
Set 06 is the attack duration specified category information element classification set; in one example it is shown in Table 6 below.
Sequence number | Set 06 - Duration of attack suffered
1 | N seconds
2 | N minutes
3 | N hours
4 | N days
5 | N weeks
6 | N months
7 | N quarters
8 | N years
TABLE 6
Set 07 is the hardware victim condition specified category information element classification set; in one example it is shown in Table 7 below.
TABLE 7
Set 08 is the software victim condition specified category information element classification set; in one example it is shown in Table 8 below.
Sequence number | Set 08 - Software victim condition
1 | Software disabled (key components required for the software to run maliciously deleted or destroyed)
2 | Software maliciously tampered with
3 | Software maliciously counterfeited and replaced
4 | ……
TABLE 8
Set 09 is the data victim condition specified category information element classification set; in one example it is shown in Table 9 below.
TABLE 9
Set 10 is the victim data content specified category information element classification set; in one example it is shown in Table 10 below.
Sequence number | Set 10 - Victim data content
1 | National secrets
2 | Scientific research results
3 | Invention patents
4 | Design schemes
5 | Program source code
6 | Commercial contracts
7 | Financial statements
8 | Customer lists
9 | Account numbers and passwords
10 | ……
TABLE 10
Set 11 is the victim data security (confidentiality level) specified category information element classification set; in one example it is shown in Table 11 below.
TABLE 11
Set 12 is the network victim condition specified category information element classification set; in one example it is shown in Table 12 below.
Sequence number | Set 12 - Network victim condition
1 | Network bandwidth resources exhausted
2 | Network connection resources exhausted
3 | Network session resources exhausted
4 | Network communication node seized (control taken over)
5 | Network communication links hijacked
6 | ……
TABLE 12
Set 13 is the business victim condition specified category information element classification set; in one example it is shown in Table 13 below.
Sequence number | Set 13 - Business victim condition
1 | Business production forcibly interrupted
2 | Business transactions forcibly cancelled
3 | Business revenue decline
4 | Business customer churn
5 | ……
TABLE 13
Set 14 is the reputation victim condition specified category information element classification set; in one example it is shown in Table 14 below.
TABLE 14
Set 15 is the degree of attack hazard specified category information element classification set; in one example it is shown in Table 15 below.
Sequence number | Set 15 - Degree of attack hazard suffered
1 | Particularly severe
2 | Severe
3 | General
4 | Slight
5 | No impact
TABLE 15
It should be noted that sets 01 to 15 above are only typical examples or basic reference data to help the public understand the embodiments of the present invention, and should not be construed as excluding other kinds of specified category information element classification sets in the technical solutions of the embodiments. In active defense against cyberspace threats, users can supplement and optimize the sets, subsets and elements according to the differing characteristics of their operational scenarios.
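Step S120 (mapping raw victim condition data onto the three-level set / subset / element structure), as an added Python example rather than the patent's own code. It normalizes the numeric fields that sets 04, 05 and 06 express as "N times per unit", "X Mbps/Gbps/Tbps" and "N units of duration" into the element of the right row, and selects the set 01 elements from the importance grade and the critical-information-infrastructure flag. The element ids ("set.subset.element", with subset "00" where a table has no subsets), the excerpt of the tables, and the sample record are all constructed for this example.

```python
"""Step S120 as an added example (not the patent's own code): map raw victim
condition fields onto element identifiers of a three-level classification set.
The element tables are a constructed excerpt of Tables 1, 4, 5 and 6; the id
scheme "set.subset.element" with subset "00" for sets without subsets is an
assumption made here."""
from typing import Dict, List, Tuple

# Constructed excerpt of the information element classification set.
ELEMENTS: Dict[str, str] = {
    "01.01.01": "particularly important information system",
    "01.01.02": "important information system",
    "01.01.03": "general information system",
    "01.02.01": "critical information infrastructure",
    "01.02.02": "non-critical information infrastructure",
    "04.00.01": "N times/second", "04.00.02": "N times/minute",
    "04.00.03": "N times/hour", "04.00.04": "N times/day",
    "04.00.05": "N times/week", "04.00.06": "N times/month",
    "04.00.07": "N times/quarter", "04.00.08": "N times/year",
    "05.00.01": "attack traffic peak X Mbps",
    "05.00.02": "attack traffic peak X Gbps",
    "05.00.03": "attack traffic peak X Tbps",
    "06.00.01": "N seconds", "06.00.02": "N minutes", "06.00.03": "N hours",
    "06.00.04": "N days", "06.00.05": "N weeks", "06.00.06": "N months",
    "06.00.07": "N quarters", "06.00.08": "N years",
}

# Time units in seconds, finest to coarsest; rows of sets 04 and 06 follow
# this order. Calendar units are approximated (30-day month, 91-day quarter).
TIME_UNITS: List[Tuple[str, int]] = [
    ("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400),
    ("week", 7 * 86400), ("month", 30 * 86400), ("quarter", 91 * 86400),
    ("year", 365 * 86400),
]


def importance_elements(system_importance: str, is_cii: bool) -> Tuple[str, str]:
    """Set 01: subset 01.01 (GB/Z 20986-2007 grade) and subset 01.02 (CII or not)."""
    grade = {"particularly important": "01.01.01", "important": "01.01.02",
             "general": "01.01.03"}[system_importance]
    return grade, ("01.02.01" if is_cii else "01.02.02")


def frequency_element(attack_count: int, window_seconds: float) -> Tuple[str, float]:
    """Set 04: the finest unit in which the rate is still at least 1 per unit,
    so that 'N times/<unit>' has N >= 1. Returns (element id, N)."""
    for idx, (_, secs) in enumerate(TIME_UNITS, start=1):
        n = attack_count * secs / window_seconds
        if n >= 1:
            return f"04.00.{idx:02d}", round(n, 2)
    return "04.00.08", round(attack_count * TIME_UNITS[-1][1] / window_seconds, 2)


def strength_element(peak_bps: float) -> Tuple[str, float]:
    """Set 05, rows 1 to 3: express the peak attack traffic as X Mbps/Gbps/Tbps."""
    if peak_bps < 1e9:
        return "05.00.01", round(peak_bps / 1e6, 2)
    if peak_bps < 1e12:
        return "05.00.02", round(peak_bps / 1e9, 2)
    return "05.00.03", round(peak_bps / 1e12, 2)


def duration_element(seconds: float) -> Tuple[str, float]:
    """Set 06: the coarsest unit in which the duration is still at least 1 unit."""
    idx, secs = 1, TIME_UNITS[0][1]
    for i, (_, unit_secs) in enumerate(TIME_UNITS, start=1):
        if seconds >= unit_secs:
            idx, secs = i, unit_secs
    return f"06.00.{idx:02d}", round(seconds / secs, 2)


def map_victim_record(record: dict) -> Dict[str, str]:
    """S120: map one victim's specified category information to element ids,
    keyed by the set (or subset) each element belongs to."""
    imp, cii = importance_elements(record["system_importance"], record["is_cii"])
    freq_id, _ = frequency_element(record["attack_count"], record["window_seconds"])
    strength_id, _ = strength_element(record["peak_bps"])
    dur_id, _ = duration_element(record["duration_seconds"])
    return {"01.01": imp, "01.02": cii, "04": freq_id, "05": strength_id, "06": dur_id}


# Constructed sample record: an important CII system hit 7200 times in an hour
# by a 2.5 Gbps flood lasting a little over three days.
SAMPLE_RECORD = {"system_importance": "important", "is_cii": True,
                 "attack_count": 7200, "window_seconds": 3600,
                 "peak_bps": 2.5e9, "duration_seconds": 3 * 86400 + 7200}

if __name__ == "__main__":
    for key, element_id in map_victim_record(SAMPLE_RECORD).items():
        print(key, element_id, ELEMENTS[element_id])
```

The same record can then be matched against the determination rule set as a plain set of element ids; representing each table as a dictionary keyed by element id is the "dictionary" presentation the text mentions alongside the table form.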
S130, matching the information element classification set with the cyberspace threat actor attack intention determination rule set; the cyberspace threat actor attack intention determination rule set comprises mapping relations between specified category information in the information element classification set and cyberspace threat actor attack intentions.
Referring to fig. 2, in some embodiments, the specified category information may include information of a plurality of different categories, and the information element classification set correspondingly comprises a plurality of category information element sets. In this case, matching the information element classification set with the cyberspace threat actor attack intention determination rule set (step S130) includes: matching the information element classification sets of the multiple categories with the cyberspace threat actor attack intention determination rule set one by one.
In this embodiment, based on the cyberspace threat actor attack intention determination rule set, the data obtained by the mapping is matched item by item against the rule items and their contents, so that a matching result is identified and obtained automatically.
Illustratively, the attack intention set on which the attack intention determination rule set is configured is shown in Table 16 below:
Table 16
In some embodiments, the cyberspace threat actor attack intention determination rule set of this embodiment may be constructed in advance based on the attack intention set shown in Table 16, in combination with the element sets, subsets and elements of the specified-category information element classification sets illustrated in Tables 1 to 15 above.
Further, the elements of the plurality of sets (the sets in Tables 01 to 15) may be arranged and combined to form a group of reasonable specified-category information element classification sets, and logical operations (including logical AND "&", logical OR "|", logical NOT "!", and so on) are used to construct a comprehensive specified-category information element classification set; a mapping relation is then established between the specified-category information element classification set and its elements on the one hand and the attack intention set and its elements on the other, forming the mapping-relation rule set called the "attack intention determination rule set". An example of this mapping is shown in fig. 4.
With continued reference to fig. 3, in other embodiments, matching the information element classification set with the cyberspace threat actor attack intention determination rule set includes:
performing logical OR and logical NOT operations between the information element sets within the same information element classification set to obtain an information element combination; and/or
performing logical AND and logical NOT operations between the information element sets of different information element classification sets to obtain an information element combination; and
matching the information element combination with the cyberspace threat actor attack intention determination rule set one by one; here the cyberspace threat actor attack intention determination rule set further comprises mapping relations between the logically combined element sets (formed between information element sets within the same class of the information element classification set, and between information element sets of different information element classification sets) and the corresponding cyberspace threat actor attack intentions.
Illustratively, the multiple (sets 01 to 15) specified-category information element classification sets are combined into a comprehensive analysis element set array for network attack victim conditions (which still belongs to the specified-category information element classification set). Within the array, logical AND is applied between sets, and logical OR is applied among the multiple subsets and elements within each set. Taking the rectangular box marked in fig. 5 as an example, the combination "set 01-element 4" & ("set M-element 2" | "set M-element 6") & "set N-element 9" is mapped to the attack intention set outside the array, corresponding to "attack intention set-element 4"; this mapping relation is recorded in the attack intention determination rule set, as shown in Table 17 below:
Table 17
S140, determining the cyberspace threat actor attack intention according to the matching result.
In this embodiment, the determination result is given automatically according to the element data of the matched attack intention set, so that automatic determination of the cyberspace threat actor attack intention based on victim data is achieved, and analysis efficiency and accuracy can be improved to a certain extent.
It will be appreciated that in practice the attack intention determination rule set will typically contain a plurality of rules; an example is shown in Table 18 below.
Table 18
As Table 18 shows, according to what is reasonable in actual scenarios and to cases from past key attack threat events, the element sets, subsets and elements of the specified-category information element classification set corresponding to the same attack intention may take various different arrangements and combinations, i.e. "many-to-one" is reasonable; and, for different attack intentions, not every element set, subset and element of the specified-category information element classification set has corresponding content, i.e. some attack intention items of the attack intention determination rule set are blank and the corresponding attack intention cannot be matched, which is also reasonable.
Therefore, matching the specified-category information element classification set against the attack intention determination rule set may produce the following kinds of matching result. With continued reference to fig. 2, in some embodiments, determining the cyberspace threat actor attack intention according to the matching result (step S140) includes: if the matching result is a complete match, the determination result is given according to the corresponding attack intention elements in the matched attack intention set.
For example, if the matching result of step S130 corresponds to set 07-hardware victim condition "motherboard discarded/burned (BIOS maliciously overwritten, motherboard chip maliciously tampered with and overclocked)", set 13-business victim condition "business transaction forced to be cancelled", and set 15-degree of attack hazard suffered "particularly severe", that is, it completely matches "Rule_004" in the attack intention determination rule set (multiple rules) of Table 18, then the determination result "destroy and paralyze-damage hardware" is given according to the attack intention set element of "Rule_004"; "Rule_004" on its own is shown in Table 19 below:
Table 19
With continued reference to fig. 2, in other embodiments there may be a partial match. In this case, determining the cyberspace threat actor attack intention according to the matching result (step S140) includes: if the matching result is a partial match, calculating the matching proximity (also called matching closeness) from the number of attack intention items obtained by matching and the number of items in the attack intention set that the matching result is close to; and giving the determination result according to the attack intention items obtained by matching and the calculated matching proximity.
In this embodiment, if the matching result of step S130 is a partial match, the matching proximity is calculated from the number of attack intention items that can be matched and the number of items in the attack intention set closest to that matched count, and the matching proximity is stored in the database.
Specifically, giving the determination result according to the attack intention items obtained by matching and the calculated matching proximity includes: calculating the proximity for all attack intention sets close to the number of attack intention items obtained by matching; comparing the magnitudes of the proximity results; and giving the determination result according to the corresponding attack intention elements in the attack intention set with the maximum proximity.
Here, matching proximity = (number of attack intention items obtained by matching, i.e. the number of content items that can be matched) ÷ (number of items in the attack intention set that the matching result is close to, i.e. the number of content items of that rule item) × 100%.
For example, suppose the content that can be matched is set 02-industry of the victim "scientific research and technical services", set 04-attack frequency "3 times/month", set 05-attack intensity "leaked data volume 12.5 MB/s", set 06-attack duration "1 year", set 09-data victim condition "data is stolen", set 10-victim data content "scientific achievements", set 11-victim data secrecy level "secret", set 12-network victim condition "network communication node is seized and controlled", set 13-business victim condition "business production is forced to be interrupted", and set 15-degree of attack hazard suffered "severe", for a total of 10 matched content items; and the rule item close to it is "Rule_009", which contains 13 content items, as shown in Table 20 below:
Table 20
Then the matching proximity = 10 ÷ 13 × 100% ≈ 76.92% is calculated accordingly.
The partial-match case includes the following. If the matching result only partially matches a single rule (e.g. "Rule_009") in the rule set, that proximity is taken as the highest value, and the proximity data is recorded and stored.
However, the actual situation may partially match several rules to different degrees. Therefore, if the matching result shows partial matches of different degrees with multiple rules, the several proximity values need to be calculated and compared; the highest value and its corresponding rule item are taken, and the highest proximity data is recorded and stored.
Thus, in some embodiments, there are a plurality of attack intention sets close to the matching result, and giving the determination result according to the attack intention items obtained by matching and the calculated matching proximity includes: calculating the proximity for all attack intention sets close to the number of attack intention items obtained by matching; comparing the magnitudes of the proximity results; and giving the determination result according to the corresponding attack intention elements in the attack intention set with the maximum proximity.
Illustratively, continuing the example of Table 20, if in addition to rule "Rule_009" other rules are also partially matched, the corresponding matching proximities are calculated; since by that calculation the matching proximity to "Rule_009" is 76.92%, the highest value among the matching results, the corresponding element data of the attack intention set for "Rule_009", "information stealing-information collection and data exfiltration", is given as the determination result.
To present more analysis result information, in some embodiments the method further includes, at the same time as or after giving the determination result according to the corresponding attack intention element of the attack intention set with the maximum proximity: marking the determination accuracy according to the maximum value of the matching proximity, where the determination accuracy is at least 1% and at most 99%.
That is, the determination accuracy is N% (1 ≤ N ≤ 99). Referring again to fig. 2, in this embodiment the highest matching proximity value is given as the determination accuracy marker at the same time as the determination result; for example, with the proximity result of the foregoing example the determination accuracy is marked as 76.92%, for the user's reference.
It will also be appreciated from the foregoing that step S130 may produce a completely unmatched result, that is, the content to be matched matches no rule of the attack intention determination rule set and its content items, as shown in fig. 2. In that case a conclusion along the lines of "no matching rule for now" and "attack intention unclear for now" is given as the determination result.
According to the technical conception of the embodiments of the invention, in order to analyze the cyberspace threat actor attack intention automatically, a specified-category information element classification set and an attack intention determination rule set are constructed before the analysis is performed, from a large number of victim attack situations and/or in combination with documents or data related to the specified-category information element classification sets of Tables 1 to 15, and are stored in a database, so that at analysis time the automatic analysis of the cyberspace threat actor attack intention is carried out according to the steps of this embodiment.
Thus, in some embodiments, before the cyberspace threat actor attack intention analysis is performed, the method comprises: collecting the specified category information of a massive number of users that have suffered network attacks; constructing, at least on the basis of that specified category information, a specified-category information element classification set for those users, where the specified-category information element classification set includes feature sets of each class of specified-category information elements, combined feature sets between different feature sets of the same class of specified-category information elements, and combined feature sets between feature sets of two or more classes of specified-category information elements; and storing the specified-category information element classification set.
Before the cyberspace threat actor attack intention analysis is performed, the method further comprises: analyzing the corresponding cyberspace threat actor attack intentions according to the collected attacked conditions of the massive number of users, where the attacked condition includes the specified category information of the attacked user; constructing the cyberspace threat actor attack intention determination rule set from the large number of cyberspace threat actor attack intentions obtained by analysis and the specified category information of the attacked users; and storing the cyberspace threat actor attack intention determination rule set.
To help understand the embodiment of the invention, take a typical network attack event of the past as an example: starting at xx o'clock on day xx of month xx of year xxxx (eastern time of country X), the hosting platform GitHub, which serves open-source and private software projects, became intermittently inaccessible twice.
Based on analysis of the victim condition of the network attack victim GitHub, the cyberspace threat actor attack intention analysis method provided by the embodiment extracts the specified category information of the victim, maps the extracted specified category information to the sets, subsets and elements of the specified-category information element classification set, and then matches the mapped data with the attack intention determination rule set; it can completely match, or partially match with the highest matching proximity, a certain rule item in the determination rule set (for example, Rule_No. YYY); an example is Table 21 below:
According to the rule item obtained by matching and the corresponding element data of the attack intention set, the attack intention is automatically determined as "disruption-network side denial of service (DoS)-exhausting bandwidth resources", and the attack intention determination result is stored and output. Compared with the existing manual analysis method, this makes full use of the victim situation data and helps to improve analysis efficiency and accuracy to a certain extent.
In summary of the above disclosure, the cyberspace threat actor attack intention analysis method pre-constructs the relevant information element classification sets and the cyberspace threat actor attack intention determination rule set using data from a massive number of users (victims) that have suffered network attacks; when a cyberspace threat actor attack intention needs to be analyzed, the specified category information of the user that has suffered the network attack is obtained automatically, the specified category information is mapped to the corresponding information element classification sets, the information element classification set is matched with the cyberspace threat actor attack intention determination rule set, and the cyberspace threat actor attack intention is determined according to the matching result. Compared with the existing manual analysis of cyberspace threat actor attack intentions, the method makes full use of the data of users that have suffered network attacks and lends itself to automatic analysis and determination of the cyberspace threat actor attack intention, so that the efficiency and accuracy of the analysis can be improved to a certain extent.
Embodiment Two
Fig. 4 is a schematic block diagram of a cyberspace threat actor attack intention analysis system architecture according to an embodiment of the invention, and fig. 5 is a schematic block diagram of the same system architecture according to another embodiment. Referring to figs. 4 and 5, based on the same technical concept as the foregoing embodiments, a cyberspace threat actor attack intention analysis system is further provided, including: an acquiring program unit 210, configured to acquire the specified category information of a user that has suffered a network attack; a mapping program unit 220, configured to map the specified category information to the corresponding information element classification sets; a matching program unit 230, configured to match the information element classification set with the cyberspace threat actor attack intention determination rule set, where the rule set comprises mapping relations between specified category information in the information element classification set and the corresponding cyberspace threat actor attack intentions; and a determining program unit, configured to determine the cyberspace threat actor attack intention according to the matching result.
The cyberspace threat actor attack intention determination rule set contains a plurality of attack intention determination rules, namely the mapping relations between specified category information and the corresponding cyberspace threat actor attack intentions described in the first embodiment.
The system of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1; its implementation principle and technical effects are similar to those of that embodiment and are not described again here, the two being cross-referenced.
In addition, it is to be understood that the systems shown in figs. 4 and 5 may also be used to carry out the other embodiments of the first embodiment; for clarity and brevity, those remaining embodiments are not described again and may be cross-referenced.
The technical solution provided by the embodiment differs from manual analysis in that it realizes automatic analysis of the cyberspace threat actor attack intention: it makes full use of network attack victim data and, by automatic element mapping and matching against a pre-constructed specified-category information element classification set of a massive number of victims and an attack intention determination rule set, conveniently realizes automatic analysis and determination of the cyberspace threat actor attack intention, thereby improving the efficiency and accuracy of the analysis to a certain extent.
Embodiment Three
The embodiment of the invention also provides an electronic device, comprising: one or more processors; and a memory storing one or more executable programs; the one or more processors read the executable program code stored in the memory and run the cyberspace threat actor attack intention analysis program corresponding to that executable program code, so as to execute any of the cyberspace threat actor attack intention analysis methods of the foregoing embodiments.
Fig. 6 is a schematic structural diagram of an embodiment of an electronic device according to the invention, in which any of the methods of the embodiments of the invention may be implemented. As shown in fig. 6, as an alternative embodiment, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, where the circuit board 44 is arranged in the space enclosed by the housing 41, the processor 42 and the memory 43 are arranged on the circuit board 44, the power supply circuit 45 supplies power to the respective circuits or devices of the electronic device, the memory 43 stores executable program code, and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the cyberspace threat actor attack intention analysis method of any of the foregoing embodiments.
For the specific execution of the above steps by the processor 42, and the further steps executed by the processor 42 by running the executable program code, reference may be made to the description of the first embodiment of the cyberspace threat actor attack intention analysis method of the invention, which is not repeated here.
The electronic device may take a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capability and are primarily aimed at providing voice and data communication. Such terminals include smartphones, multimedia phones, feature phones, low-end phones, and the like.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, having computing and processing functions and generally also mobile internet access. Such terminals include PDA, MID and UMPC devices, for example the iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content, and include audio and video players (e.g. the iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: a server comprises a processor, hard disk, memory, system bus and the like, and is similar to a general-purpose computer architecture, but because it must provide highly reliable services it has high requirements in processing capacity, stability, reliability, security, scalability, manageability and so on.
(5) Other electronic devices with data interaction functions.
The invention also provides a computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement the cyberspace threat actor attack intention analysis method of any of the foregoing embodiments.
In summary, according to the description of the embodiments, the cyberspace threat actor attack intention analysis method and system of the embodiments can automatically determine the cyberspace threat actor attack intention on the basis of analysis data of the network attack victim's condition together with the pre-constructed information element classification set and cyberspace threat actor attack intention determination rule set.
Further, since an automated attack intention determination method is adopted, manual workload is relieved.
In addition, the method of this embodiment may be solidified into a physical product, which may take the form of an apparatus or use a computer-readable medium as its carrier, so as to form an independent product.
Furthermore, in the technical solution provided by the embodiment, the data on which the automatic determination depends is data strongly related to the cyberspace threat actor attack intention (mainly network attack victim data); full data is not needed, so the demands on data, data computation and data storage are all small.
Further, the information element classification set constructed in the embodiment from the structure of the network attack victim condition is presented in the form of an analysis element set array covering multiple classes of specified-category information element sets, their subsets and their elements; mapping the extracted victim specified category information into it quickly forms the information element classification set of the corresponding class used for matching.
Further, logical operation rules such as inter-group logical AND, intra-group logical OR and logical NOT are set within an information element classification set and between different classification sets, so that the information covered by the information element classification set is richer and more comprehensive.
Further, the cyberspace threat actor attack intention determination rule set constructed in the embodiment is generated, from the element sets, subsets and elements of multiple groups of specified-category information element classification sets and from the element sets, subsets and elements of the attack intention set, by algorithms such as arrangement and combination that are reasonable and fit actual scenarios; the rule items of the rule set derive from a large number of typical network attack events and the accumulated countermeasure experience of network security defenders, so the data volume is larger, the applicability wider and the determination more effective.
Furthermore, for the partial-match case, the embodiment also provides a matching proximity calculation method and a determination result selection scheme for specific attack instances, solving the problem of giving a determination result when the attack intention determination rule set is only partially matched.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual relationship or order between them. Moreover, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises it.
In this specification, the embodiments are described in a progressive manner; identical or similar parts of the embodiments may be cross-referenced, and each embodiment mainly describes its differences from the others.
Those skilled in the art will appreciate that all or part of the methods of the embodiments may be implemented by a computer program stored on a computer-readable storage medium, which when executed may include the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The foregoing is merely illustrative of the invention and does not limit it; any change or substitution readily conceived by those skilled in the art within the scope of the invention shall fall within its protection. Therefore, the protection scope of the invention is defined by the claims.

Claims (11)

1. A cyberspace threat actor attack intention analysis method, characterized by comprising the following steps: acquiring specified category information of a user that has suffered a network attack;
mapping the specified category information to corresponding information element classification sets respectively;
matching the information element classification set with a cyberspace threat actor attack intention determination rule set, the cyberspace threat actor attack intention determination rule set comprising mapping relations between specified category information in the information element classification set and cyberspace threat actor attack intentions;
determining the cyberspace threat actor attack intention according to the matching result;
wherein the specified category information includes information of a plurality of different categories, and the information element classification set correspondingly comprises a plurality of category information element sets;
and the matching of the information element classification set with the cyberspace threat actor attack intention determination rule set comprises the following steps:
performing logical OR and logical NOT operations between the information element sets within the same information element classification set to obtain an information element combination; and/or
performing logical AND and logical NOT operations between the information element sets of different information element classification sets to obtain an information element combination;
matching the information element combination with the cyberspace threat actor attack intention determination rule set one by one; the cyberspace threat actor attack intention determination rule set further comprising mapping relations between the logically combined element sets, formed between information element sets within the same class of information element set in the information element classification set and between information element sets of different information element classification sets, and the corresponding cyberspace threat actor attack intentions.
2. The method of claim 1, wherein the determining the cyber-air threat agent attack intent based on the matching result comprises: and if the matching result is complete matching, judging results are given according to the corresponding attack intention elements in the matched attack intention set.
3. The method of claim 1, wherein determining the cyberspace threat actor attack intention according to the matching result comprises: if the matching result is a partial match, calculating a matching proximity according to the number of attack intention items obtained by matching and the number of items in the attack intention set closest to the matching result;
and giving a determination result according to the attack intention items obtained by matching and the calculated matching proximity.
4. The method of claim 3, wherein there are a plurality of attack intention sets close to the matching result;
giving a determination result according to the attack intention items obtained by matching and the calculated matching proximity comprises the following steps: calculating the proximity of all attack intention sets that are close in terms of the number of attack intention items obtained by matching;
comparing the proximity results;
and giving a determination result according to the corresponding attack intention elements in the attack intention set with the maximum proximity.
5. The method of claim 4, wherein, while or after giving the determination result according to the corresponding attack intention elements in the attack intention set with the maximum proximity, the method further comprises: indicating the determination accuracy according to the maximum value of the matching proximity; the determination accuracy is greater than or equal to 1 percent and less than or equal to 99 percent.
6. The method of claim 1, wherein before performing the cyberspace threat actor attack intention analysis, the method comprises: collecting the specified category information of a massive number of users that have suffered network attacks;
constructing a specified category information element classification set of the massive number of attacked users at least based on the specified category information; the specified category information element classification set includes: feature sets of each class of specified category information elements, combined feature sets between different feature sets within one class of specified category information elements, and combined feature sets between the feature sets of two or more classes of specified category information elements;
and storing the specified category information element classification set.
7. The method of claim 1 or 6, wherein before performing the cyberspace threat actor attack intention analysis, the method further comprises:
analyzing the corresponding cyberspace threat actor attack intentions according to the collected attack conditions of the massive number of attacked users; the attack conditions include the specified category information of the attacked users;
constructing a cyberspace threat actor attack intention determination rule set based on the large number of cyberspace threat actor attack intentions obtained by the analysis and the specified category information of the attacked users;
and storing the cyberspace threat actor attack intention determination rule set.
8. The method of claim 1, wherein the specified category information comprises: victim importance, industry of the victim, nature of the victim organization, attack frequency, attack intensity, attack duration, hardware victim condition, software victim condition, data victim condition, victim data content, victim data security, network victim condition, traffic victim condition, reputation victim condition, and/or degree of attack harm.
9. A cyberspace threat actor attack intention analysis system, comprising: an acquisition program unit, configured to acquire the specified category information of a user that has suffered a network attack;
a mapping program unit, configured to map the specified category information to the corresponding information element classification sets respectively;
a matching program unit, configured to match the information element classification set against the cyberspace threat actor attack intention determination rule set; the cyberspace threat actor attack intention determination rule set comprises mapping relations between the specified category information in the information element classification set and the corresponding cyberspace threat actor attack intentions;
a determination program unit, configured to determine the cyberspace threat actor attack intention according to the matching result;
wherein the specified category information includes information of a plurality of different categories, and the information element classification set correspondingly comprises a plurality of category information element sets;
the matching program unit is specifically configured to:
perform logical OR and NOT operations between the information element sets within the same information element classification set to obtain an information element combination; and/or
perform logical AND and NOT operations between the information element sets of different information element classification sets to obtain an information element combination;
match the information element combinations one by one against the cyberspace threat actor attack intention determination rule set; the cyberspace threat actor attack intention determination rule set further comprises mapping relations between the logic combination element sets (formed between the information element sets of the same category within the information element classification set, and between the information element sets of different information element classification sets) and the corresponding cyberspace threat actor attack intentions.
10. An electronic device, comprising: one or more processors; and a memory; the memory stores one or more executable programs, and the one or more processors read the executable program code stored in the memory and run the cyberspace threat actor attack intention analysis program corresponding to the executable program code, so as to execute the cyberspace threat actor attack intention analysis method according to any one of claims 1 to 8.
11. A computer readable storage medium storing one or more programs executable by one or more processors to implement the cyberspace threat actor attack intention analysis method according to any one of claims 1 to 8.
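As an added illustration (not the patent's own code, nor code from the applicant), the following Python sketch implements the matching and proximity procedure of claims 1 to 5 over a constructed rule set: OR/NOT conditions inside a category, AND across categories, a complete match decided outright, and otherwise the rule of maximum proximity reported with an accuracy clamped to 1..99 percent. The rule shape, category names and sample values are assumptions chosen to mirror the categories listed in claim 8.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One entry of the attack-intention determination rule set (constructed shape).
    require: category -> acceptable element values, joined by logical OR inside the category.
    exclude: category -> element values that must be absent (logical NOT); AND across categories."""
    intention: str
    require: dict = field(default_factory=dict)
    exclude: dict = field(default_factory=dict)

    def matched_items(self, observed):
        """Count the items (conditions) of this rule that the observed information elements satisfy."""
        hits = 0
        for cat, values in self.require.items():
            hits += bool(observed.get(cat, set()) & values)   # OR within the category
        for cat, values in self.exclude.items():
            hits += not (observed.get(cat, set()) & values)   # NOT within the category
        return hits

def determine_intention(observed, rules):
    """Return (intention, accuracy_percent): a complete match wins outright (claim 2);
    otherwise proximity = matched items / items in the rule (claim 3), the rule with the
    maximum proximity is chosen (claim 4) and reported as accuracy clamped to 1..99 (claim 5)."""
    if not rules:
        raise ValueError("empty rule set")
    best = None
    for rule in rules:
        proximity = rule.matched_items(observed) / (len(rule.require) + len(rule.exclude))
        if proximity == 1.0:
            return rule.intention, 100
        if best is None or proximity > best[1]:
            best = (rule.intention, proximity)
    intention, proximity = best
    return intention, min(99, max(1, round(proximity * 100)))

# Constructed rule set and constructed victim records; category names follow claim 8.
RULES = [
    Rule("data theft", require={"industry": {"finance", "defense"}, "data_victim": {"exfiltrated"}},
         exclude={"hardware_victim": {"destroyed"}}),
    Rule("sabotage", require={"hardware_victim": {"destroyed"}, "attack_intensity": {"high"}}),
    Rule("extortion", require={"data_victim": {"encrypted"}, "reputation_victim": {"leak_threat"}}),
]
FULL_MATCH = {"industry": {"finance"}, "data_victim": {"exfiltrated"}, "attack_intensity": {"high"}}
PARTIAL_MATCH = {"data_victim": {"encrypted"}, "attack_intensity": {"low"}}

if __name__ == "__main__":
    print(determine_intention(FULL_MATCH, RULES))     # ('data theft', 100)
    print(determine_intention(PARTIAL_MATCH, RULES))  # ('extortion', 50)
```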

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210668131.1A CN115022063B (en) 2022-06-14 2022-06-14 Network air threat behavior attack intention analysis method, system, electronic equipment and storage medium


Publications (2)

Publication Number Publication Date
CN115022063A CN115022063A (en) 2022-09-06
CN115022063B true CN115022063B (en) 2023-08-29

Family

ID=83074930


Country Status (1)

Country Link
CN (1) CN115022063B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850607A (en) * 2017-01-20 2017-06-13 北京理工大学 The quantitative estimation method of the network safety situation based on attack graph
CN111030986A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Attack organization traceability analysis method and device and storage medium
CN111224953A (en) * 2019-12-25 2020-06-02 哈尔滨安天科技集团股份有限公司 Method, device and storage medium for discovering threat organization attack based on abnormal point
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN111931173A (en) * 2020-08-14 2020-11-13 广州纬通贸易有限公司 APT attack intention-based operation authority control method
CN112738016A (en) * 2020-11-16 2021-04-30 中国南方电网有限责任公司 Intelligent security event correlation analysis system for threat scene
CN113556353A (en) * 2021-07-28 2021-10-26 东莞市镁客教育科技有限公司 Big data based information monitoring and reminding method and artificial intelligence cloud service system

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US9565204B2 (en) * 2014-07-18 2017-02-07 Empow Cyber Security Ltd. Cyber-security system and methods thereof
US11228610B2 (en) * 2016-06-15 2022-01-18 Cybereason Inc. System and method for classifying cyber security threats using natural language processing


Non-Patent Citations (1)

Title
A survey of knowledge graphs for cyberspace security intelligence; Dong Cong; Jiang Bo; Lu Zhigang; Liu Baoxu; Li Ning; Ma Pingchuan; Jiang Zhengwei; Liu Junrong; Journal of Cyber Security (05); full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant