CN115086071A - Data stealing detection method, system and equipment based on cause and effect tracing of logs

Info

Publication number
CN115086071A
Authority
CN
China
Prior art keywords
log
dependency graph
value
data
behavior
Prior art date
Legal status
Granted
Application number
CN202210850109.9A
Other languages
Chinese (zh)
Other versions
CN115086071B (en)
Inventor
邹斯达
郑传义
卢延科
翟永吉
Current Assignee
Zhongfu Safety Technology Co Ltd
Original Assignee
Zhongfu Safety Technology Co Ltd
Priority date
2022-07-20
Filing date
2022-07-20
Publication date
Application filed by Zhongfu Safety Technology Co Ltd
Priority to CN202210850109.9A
Publication of CN115086071A
Application granted
Publication of CN115086071B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H04L41/0609 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time based on severity or priority
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a data stealing detection method, system and device based on cause and effect tracing of logs. It mainly relates to the technical field of data stealing detection and aims to solve the problems that existing data stealing detection methods lack causal semantics and have low detection accuracy. The method comprises the following steps: acquiring a pre-processed log through a terminal unified log platform; abstracting the pre-processed log into an initial dependency graph through a computing engine, wherein the dependency graph includes operation relations; determining a priority score for each operation relation based on the overall relation ratio and the entity node ratio corresponding to that operation relation, so as to obtain a final dependency graph; obtaining an implicit behavior sequence corresponding to the final dependency graph; and comparing the implicit behavior sequence with an implicit behavior call chain corresponding to a preset data stealing behavior to determine whether the data stealing behavior exists. With this method, data stealing behavior is effectively detected and the security operations workload is greatly reduced.

Description

Data stealing detection method, system and equipment based on cause and effect tracing of logs
Technical Field
The application relates to the technical field of data theft detection, in particular to a data theft detection method, system and device based on log causal tracing.
Background
Massive numbers of alarm logs are reported every day in enterprises and other organizations, and network analysts often fall into alarm fatigue because of the excessive workload, so that genuinely threatening events are missed.
At present, methods for detecting internal data theft mainly include: (1) traditional detection based on rules plus manual review; (2) single-point detection based on machine learning; and (3) event correlation detection based on a local host.
However, manual detection is not suitable for anomaly detection over massive numbers of files; since APT attacks are characterized by long latency periods, it is difficult to identify the greater threat by single-point detection alone; and event correlation detection inherently relies on implementing well-defined rules, but such rules lack causal semantics, making anomaly detection less accurate.
Disclosure of Invention
In order to solve the technical problems, the invention provides a data theft detection method, system and device based on causal tracing of logs to solve the technical problems.
In a first aspect, the present application provides a data theft detection method based on causal tracing of logs, including: acquiring an original log corresponding to a preset log acquisition time period through a terminal unified log platform; performing data cleaning on the original log to obtain a preprocessed log; abstracting the pre-processing log into an initial dependency graph through a computing engine; the dependency graph comprises an IP, a file MD5 value, a process ID and an operation relation; determining a priority score corresponding to each operation relation based on the integral relation ratio and the entity node ratio corresponding to the operation relation; removing the operation relation of which the priority score is lower than a preset priority threshold value in the initial dependency graph to obtain a final dependency graph; leading the final dependency graph into a trained causal model to obtain an implicit behavior sequence corresponding to the final dependency graph; and comparing the implicit behavior sequence with an implicit behavior call chain corresponding to a preset data stealing behavior to determine whether the data stealing behavior exists.
Further, the calculation engine is divided into a real-time calculation engine and a batch calculation engine, and before the preprocessing log is abstracted into the initial dependency graph by the calculation engine, the method further comprises: and acquiring a calculation instruction to determine a calculation engine for processing the preprocessing log from the real-time calculation engine and the batch calculation engine.
Further, after abstracting, by the compute engine, the pre-processed log into an initial dependency graph, the method further comprising: storing an initial dependency graph in a Key-Value form through a preset KV-database; wherein, Key represents IP, file MD5 Value and process ID, and Value represents operation relation.
Further, determining a priority score corresponding to each operation relation based on the overall relation ratio and the entity node ratio corresponding to the operation relation specifically comprises: determining a rarity score based on the overall relation ratio corresponding to the operation relation; determining a fan-out score based on the entity node ratio corresponding to the operation relation; and calculating the priority score according to a preset priority score formula: priority score = α · rarity score + b · fan-out score, where α is a preset rarity correction constant and b is a preset fan-out correction constant.
Further, after determining whether data theft behavior exists, the method further comprises: when the data stealing behavior is determined to exist, marking the implicit behavior sequence corresponding to the data stealing behavior; and packaging and sending the marked implicit behavior sequence, together with the IP, the file MD5 value, the process ID and the acquisition time period related to it, to a preset security operations terminal.
In a second aspect, the present application provides a data theft detection system based on causal tracing of logs, the system including: the acquisition module is used for acquiring an original log corresponding to a preset log acquisition time period through the terminal unified log platform; performing data cleaning on the original log to obtain a preprocessed log; the abstraction module is used for abstracting the preprocessing log into an initial dependency graph through the calculation engine; the dependency graph comprises an IP, a file MD5 value, a process ID and an operation relation; the obtaining module is further used for determining the priority score corresponding to each operation relation based on the integral relation proportion value and the entity node proportion value corresponding to the operation relation; removing the operation relation of which the priority score is lower than a preset priority threshold value in the initial dependency graph to obtain a final dependency graph; the determining module is used for leading the final dependency graph into the trained causal model so as to obtain an implicit behavior sequence corresponding to the final dependency graph; and comparing the implicit behavior sequence with an implicit behavior call chain corresponding to a preset data stealing behavior to determine whether the data stealing behavior exists.
Further, the system also comprises a storage module; the storage module is used for storing the initial dependency graph in a Key-Value form through a preset KV-database; wherein, Key represents IP, file MD5 Value and process ID, and Value represents operation relation.
In a third aspect, the present application provides a data theft detection device based on log causal tracing, where the device includes: a processor; and a memory having executable code stored thereon, wherein when executed, the executable code causes the processor to perform any one of the above methods for detecting data theft based on causal tracing of logs.
As can be appreciated by those skilled in the art, the present invention has at least the following beneficial effects:
According to the method and device, designated collection of the original log is realized through the terminal unified log platform. Through the computing engine, the pre-processed logs are converted into the initial dependency graph; converting the massive logs into a dependency graph improves the ability to abstract the original logs into a behavior dependency graph with causal semantics and reduces the quantity of data to be processed. By calculating the priority score corresponding to each operation relation in the initial dependency graph, operation relations with low relevance to data stealing behavior are screened out, and the initial dependency graph is simplified. Through the causal model, a plurality of implicit behavior sequences are extracted from the final dependency graph, and by comparing these implicit behavior sequences with the implicit behavior call chains corresponding to data stealing behaviors, effective detection of data stealing behavior is achieved, the security operations workload is greatly reduced, future requirements for investigation and evidence collection in internal data stealing incidents are met, and increasingly complex APT attacks can be handled continuously, completely and rapidly.
Drawings
Some embodiments of the disclosure are described below with reference to the accompanying drawings, in which:
fig. 1 is a flowchart of a data theft detection method based on causal tracing of logs according to an embodiment of the present application.
Fig. 2 is a schematic diagram of an internal structure of a data theft detection system based on causal tracing of logs according to an embodiment of the present application.
Fig. 3 is a schematic diagram of an internal structure of a data theft detection device based on causal tracing of logs according to an embodiment of the present application.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not mean that the present disclosure can be implemented only by the preferred embodiments, which are merely intended to explain the technical principles of the present disclosure and not to limit the scope of the present disclosure. All other embodiments that can be derived by one of ordinary skill in the art from the preferred embodiments provided by the disclosure without undue experimentation will still fall within the scope of the disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The technical solutions proposed in the embodiments of the present application are described in detail below with reference to the accompanying drawings.
The embodiment of the present application further provides a data theft detection method based on causal tracing of logs, as shown in fig. 1, the method provided by the embodiment of the present application mainly includes the following steps:
step 110, collecting an original log corresponding to a preset log collection time period through a terminal unified log platform; and performing data cleaning on the original log to obtain a preprocessed log.
It should be noted that the terminal unified log platform is a platform that is arbitrary and feasible and can collect original logs (for example, audit logs and flow logs) of each terminal by using a unified framework, and perform data cleaning on the original logs to further obtain preprocessed logs.
The pre-processed logs are abstracted by the compute engine into an initial dependency graph, step 120.
It should be noted that the initial dependency graph includes IP, file MD5 value, process ID, and operation relationship. The operational relationship here may be: call, copy paste, compress, send, open, etc. The initial dependency graph is a process graph with the IP, the file MD5 value and the process ID as nodes and the operation relationship as connecting lines.
Before the computing engine abstracts the pre-processed log into an initial dependency graph, the terminal unified log platform sends the pre-processed log to the computing engine through a message queue for abstraction processing.
The computing engine in this step can be divided into a real-time computing engine and a batch computing engine. The real-time computing engine consists of a message queue and a streaming big data processing component; the big data processing component checks the pre-processed logs against preset rules, detects alarm events and abnormal behaviors from a plurality of pre-processed logs, and records the corresponding IP, file MD5 value, process ID, operation relation, operation time and similar information. The batch computing engine is composed of components that support batch processing of big data; it can process the pre-processed logs of a period of time, detect alarm events and abnormal behaviors, and record the corresponding IP, file MD5 value, process ID, operation relation, operation time and similar information. Thus, before the pre-processed log is abstracted into the initial dependency graph by the computing engine, the method further comprises: acquiring a computation instruction to determine, from the real-time computing engine and the batch computing engine, the computing engine that processes the pre-processed log.
After the preprocessing log is abstracted into the initial dependency graph through the computing engine, the initial dependency graph can be stored through a preset KV-database so as to be convenient for calling of the subsequent initial dependency graph. Specifically, storing an initial dependency graph in a Key-Value form through a preset KV-database; wherein, Key represents IP, file MD5 Value and process ID, and Value represents operation relation.
As can be understood by those skilled in the art, the step converts the massive logs into the initial dependency graph, so that the processing quantity of data is reduced, and the processing efficiency of the massive logs is improved.
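As an added illustration of steps 110 and 120 (example code written for this page, not code from the patent or its applicant), the following Python abstracts a handful of constructed pre-processed log records into the initial dependency graph and stores it in the Key-Value form described above, using an in-memory dictionary as a stand-in for the preset KV-database. The record layout, the `NETWORK_OPS` set and the assumption that the process is always the acting entity are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed pre-processed log records (not from the patent): one cleaned
# event per record, carrying the fields the text names as graph nodes plus
# the operation relation and the operation time.
PREPROCESSED_LOG: List[dict] = [
    {"time": "2022-07-20T09:00:01", "ip": "10.0.0.5", "pid": 5001,
     "md5": "9e107d9d372bb6826bd81d3542a419d6", "op": "open"},
    {"time": "2022-07-20T09:00:07", "ip": "10.0.0.5", "pid": 5001,
     "md5": "9e107d9d372bb6826bd81d3542a419d6", "op": "copy_paste"},
    {"time": "2022-07-20T09:00:20", "ip": "10.0.0.5", "pid": 5001,
     "md5": "e4d909c290d0fb1ca068ffaddf22cbd0", "op": "compress"},
    {"time": "2022-07-20T09:00:45", "ip": "203.0.113.9", "pid": 5001,
     "md5": "e4d909c290d0fb1ca068ffaddf22cbd0", "op": "send"},
    {"time": "2022-07-20T09:01:02", "ip": "10.0.0.5", "pid": 4120,
     "md5": "9e107d9d372bb6826bd81d3542a419d6", "op": "open"},
]

# Assumption of this example: these operation relations target an IP node,
# every other operation relation targets a file (MD5) node.
NETWORK_OPS = {"send"}


@dataclass(frozen=True)
class Node:
    kind: str    # "ip", "file" (MD5 value) or "process" (process ID)
    value: str


@dataclass(frozen=True)
class Edge:
    src: Node    # acting entity (assumed to be the process)
    dst: Node    # entity acted upon
    op: str      # operation relation: open, copy_paste, compress, send, ...
    time: str    # operation time recorded by the computing engine


def build_initial_graph(records: List[dict]) -> Tuple[Set[Node], List[Edge]]:
    """Abstract cleaned log records into the initial dependency graph:
    IP / file MD5 / process ID nodes joined by operation-relation edges."""
    nodes: Set[Node] = set()
    edges: List[Edge] = []
    for r in records:
        proc = Node("process", str(r["pid"]))
        target = Node("ip", r["ip"]) if r["op"] in NETWORK_OPS else Node("file", r["md5"])
        nodes.update({proc, target})
        edges.append(Edge(proc, target, r["op"], r["time"]))
    return nodes, edges


def store_key_value(records: List[dict]) -> Dict[str, List[str]]:
    """Store the graph in the Key-Value form the text describes: Key = IP,
    file MD5 value and process ID; Value = the operation relations observed
    for that key, in log order. A dict stands in for the KV-database."""
    kv: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        kv[f'{r["ip"]}|{r["md5"]}|{r["pid"]}'].append(r["op"])
    return dict(kv)


if __name__ == "__main__":
    nodes, edges = build_initial_graph(PREPROCESSED_LOG)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for key, ops in store_key_value(PREPROCESSED_LOG).items():
        print(key, "->", ops)
```

The five records collapse to five nodes and four keys: the two events of process 5001 on the same file share one key, which is where the data reduction the text mentions comes from once the log volume grows.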
Step 130, determining a priority score corresponding to each operation relation based on the integral relation ratio and the entity node ratio corresponding to the operation relation; and removing the operation relation of which the priority score is lower than a preset priority threshold value in the initial dependency graph to obtain a final dependency graph.
Note that the entity nodes are the IP, the file MD5 value and the process ID. The overall relation ratio is the ratio between the number of occurrences of the current operation relation and the total number of operation relations. The entity node ratio is the ratio of the number of entity nodes connected by the operation relation to the number of all entity nodes.
In this step, "determining the priority score corresponding to each operation relation based on the overall relation ratio and the entity node ratio corresponding to the operation relation" may specifically be: determining a rarity score based on the overall relation ratio corresponding to the operation relation; determining a fan-out score based on the entity node ratio corresponding to the operation relation; and calculating the priority score according to a preset priority score formula: priority score = α · rarity score + b · fan-out score, where α is a preset rarity correction constant and b is a preset fan-out correction constant.
It should be noted that a preset mapping table from overall relation ratio to rarity score exists, so the rarity score can be determined from the overall relation ratio; similarly, a preset mapping table from entity node ratio to fan-out score exists, so the fan-out score can be determined from the entity node ratio. The rarity score is inversely proportional to the overall relation ratio, and the fan-out score is proportional to the entity node ratio. The specific contents of the mapping tables can be obtained by those skilled in the art through experiments.
Those skilled in the art can understand that this dependency graph optimization step based on the priority score further filters the initial dependency graph constructed from the underlying logs and deletes the operation relations with low relevance to data stealing behavior, so as to obtain the simplified final dependency graph. Specifically, the initial dependency graph is a process graph in which each IP, file MD5 value and process ID is a node and each operation relation is a connecting line. Since the priority score of each connecting line (operation relation) has been calculated in the above step, the whole graph can be simplified by deleting the connecting lines (operation relations) with low priority scores.
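The scoring and pruning of step 130, as an added worked example (not the patent's code). The overall relation ratio and entity node ratio follow the definitions above; the two mapping tables, the constants α and b and the priority threshold are constructed here, since the text leaves their values to experiment, and the graph edges are the example's own.

```python
from typing import Dict, List, Tuple

# Constructed initial-dependency-graph edges (src node, dst node, operation relation);
# not from the patent. "p:" = process ID, "f:" = file MD5 value, "ip:" = IP.
INITIAL_GRAPH: List[Tuple[str, str, str]] = [
    ("p:4120", "f:9e107d9d", "open"),
    ("p:4120", "f:e4d909c2", "open"),
    ("p:4120", "f:1f3870be", "open"),
    ("p:4120", "f:7c6a180b", "open"),
    ("p:5001", "f:9e107d9d", "open"),
    ("p:5001", "f:5d41402a", "open"),
    ("p:5001", "f:9e107d9d", "compress"),
    ("p:5001", "f:a3f2c1d0", "compress"),
    ("p:5001", "ip:203.0.113.9", "send"),
    ("p:6002", "f:e4d909c2", "copy_paste"),
]

# Constructed mapping tables: each row is (upper bound on the ratio, score).
# The rarity score falls as the overall relation ratio rises; the fan-out
# score rises with the entity node ratio, as the text requires.
RARITY_TABLE = [(0.10, 10), (0.25, 6), (0.50, 3), (1.00, 1)]
FANOUT_TABLE = [(0.20, 2), (0.40, 5), (0.60, 8), (1.00, 10)]
ALPHA, B = 7, 3          # assumed rarity / fan-out correction constants (α, b)
PRIORITY_THRESHOLD = 50  # assumed preset priority threshold


def lookup(table: List[Tuple[float, int]], ratio: float) -> int:
    """Map a ratio to a score through the first table row whose bound it does not exceed."""
    for bound, score in table:
        if ratio <= bound:
            return score
    return table[-1][1]


def overall_relation_ratio(graph: List[Tuple[str, str, str]], op: str) -> float:
    """Occurrences of this operation relation over all operation relations."""
    return sum(1 for _, _, o in graph if o == op) / len(graph)


def entity_node_ratio(graph: List[Tuple[str, str, str]], op: str) -> float:
    """Entity nodes connected by this operation relation over all entity nodes."""
    all_nodes = {n for s, d, _ in graph for n in (s, d)}
    op_nodes = {n for s, d, o in graph if o == op for n in (s, d)}
    return len(op_nodes) / len(all_nodes)


def priority_scores(graph: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """priority score = α · rarity score + b · fan-out score, per operation relation."""
    scores: Dict[str, int] = {}
    for op in {o for _, _, o in graph}:
        rarity = lookup(RARITY_TABLE, overall_relation_ratio(graph, op))
        fanout = lookup(FANOUT_TABLE, entity_node_ratio(graph, op))
        scores[op] = ALPHA * rarity + B * fanout
    return scores


def prune(graph: List[Tuple[str, str, str]],
          threshold: int = PRIORITY_THRESHOLD) -> List[Tuple[str, str, str]]:
    """Remove every operation relation whose priority score is below the threshold."""
    scores = priority_scores(graph)
    return [e for e in graph if scores[e[2]] >= threshold]


if __name__ == "__main__":
    print(priority_scores(INITIAL_GRAPH))
    for edge in prune(INITIAL_GRAPH):
        print(edge)
```

With these tables the six routine "open" edges (ratio 0.6, touching 7 of 10 nodes) score 37 and are dropped, while the rarer compress, send and copy_paste relations score 57 or 76 and survive into the final dependency graph. In practice the tables and threshold would be tuned on the organisation's own log baseline, since a relation that is rare in one environment may be routine in another.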
Step 140, importing the final dependency graph into the trained causal model to obtain an implicit behavior sequence corresponding to the final dependency graph; and comparing the implicit behavior sequence with an implicit behavior call chain corresponding to a preset data stealing behavior to determine whether the data stealing behavior exists.
The final dependency graph is a behavior graph with the IP, the file MD5 value and the process ID as nodes and the operation relations as connecting lines, and several operation relations can exist between two nodes. Based on the order of operation time, the nodes form a plurality of action (operation) sequences. Causal relationships may exist within these action (operation) sequences (for example, a file is first uploaded and then modified or deleted); an action (operation) sequence in which such a causal relationship exists is an implicit behavior sequence.
The causal model may be a linear non-Gaussian acyclic model or the like. The final dependency graph itself contains a behavior trace call chain, explicit behavior sequences and implicit behavior sequences. However, the implicit behavior sequences hidden in it cannot be observed directly, which makes investigation and evidence collection difficult. The implicit behavior sequences can be extracted through the causal model, and the extracted implicit behavior sequences are then compared with the implicit behavior call chains corresponding to preset data stealing behaviors; if an extracted implicit behavior sequence is consistent with an implicit behavior call chain, it can be determined that the current implicit behavior sequence is possibly a data stealing behavior.
After determining whether the data stealing behavior exists, the method and system can mark the implicit behavior sequence and send it to a security operator. Specifically: when the data stealing behavior is determined to exist, the implicit behavior sequence corresponding to the data stealing behavior is marked; and the marked implicit behavior sequence, together with the IP, the file MD5 value, the process ID and the acquisition time period related to it, is packaged and sent to a preset security operations terminal.
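Step 140 and the subsequent marking and packaging, as an added example (not the patent's code). Because the trained causal model is not specified beyond "a linear non-Gaussian acyclic model or the like", this example stands in for it with a simpler rule: each process's operations are ordered by operation time to form its behavior sequence, and a preset implicit behavior call chain counts as matched when it appears as an ordered subsequence. The graph edges, the call chain, the alert layout and the acquisition period are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Op:
    """One operation relation of the final dependency graph, with the
    entities it connects and the operation time recorded by the engine."""
    time: str
    ip: str
    md5: str
    pid: int
    op: str


# Constructed final-dependency-graph edges (already pruned in step 130); not from
# the patent. Process 4120's records are deliberately out of time order.
FINAL_GRAPH: List[Op] = [
    Op("2022-07-20T09:01:00", "10.0.0.5", "9e107d9d372bb6826bd81d3542a419d6", 5001, "copy_paste"),
    Op("2022-07-20T09:03:00", "10.0.0.5", "e4d909c290d0fb1ca068ffaddf22cbd0", 5001, "compress"),
    Op("2022-07-20T09:04:10", "10.0.0.5", "5d41402abc4b2a76b9719d911017c592", 4120, "compress"),
    Op("2022-07-20T09:05:00", "203.0.113.9", "e4d909c290d0fb1ca068ffaddf22cbd0", 5001, "send"),
    Op("2022-07-20T09:02:30", "10.0.0.5", "5d41402abc4b2a76b9719d911017c592", 4120, "copy_paste"),
]

# Constructed implicit behavior call chain for one preset data stealing behavior.
PRESET_CALL_CHAIN = ["copy_paste", "compress", "send"]


def behavior_sequences(graph: List[Op]) -> Dict[int, List[Op]]:
    """Group operations by process ID and order each group by operation time."""
    groups: Dict[int, List[Op]] = defaultdict(list)
    for e in graph:
        groups[e.pid].append(e)
    return {pid: sorted(ops, key=lambda o: o.time) for pid, ops in groups.items()}


def match_call_chain(seq: List[Op], chain: List[str]) -> Optional[List[Op]]:
    """Stand-in for the trained causal model: return the operations that realise
    the chain as an ordered subsequence of seq, or None if the chain is absent."""
    matched: List[Op] = []
    for e in seq:
        if len(matched) < len(chain) and e.op == chain[len(matched)]:
            matched.append(e)
    return matched if len(matched) == len(chain) else None


def detect(graph: List[Op], chain: List[str], period: Tuple[str, str]) -> List[dict]:
    """Mark every matching implicit behavior sequence and package it, with the
    related IPs, file MD5 values, process ID and acquisition period, for the
    security operations terminal."""
    alerts: List[dict] = []
    for pid, seq in behavior_sequences(graph).items():
        hit = match_call_chain(seq, chain)
        if hit is None:
            continue
        alerts.append({
            "marked_sequence": [(e.time, e.op) for e in hit],
            "ips": sorted({e.ip for e in hit}),
            "file_md5": sorted({e.md5 for e in hit}),
            "process_id": pid,
            "acquisition_period": period,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(FINAL_GRAPH, PRESET_CALL_CHAIN,
                        ("2022-07-20T09:00:00", "2022-07-20T10:00:00")):
        print(alert)
```

Process 5001 realises the whole chain and produces one packaged alert; process 4120 copies and compresses but never sends, so it is not marked. The subsequence rule is deliberately loose (other operations may sit between the chain's steps), which is the behaviour a causal model would also need: the steps of a theft are rarely adjacent in the raw log.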
In addition, fig. 2 is a diagram of a data theft detection system based on causal tracing of logs according to an embodiment of the present application. As shown in fig. 2, the system provided in the embodiment of the present application mainly includes:
an obtaining module 210, configured to collect, by using a terminal unified log platform, an original log corresponding to a preset log collection time period; performing data cleaning on the original log to obtain a preprocessed log;
an abstraction module 220 for abstracting the pre-processed log into an initial dependency graph by the compute engine; the dependency graph comprises an IP, a file MD5 value, a process ID and an operation relation;
the obtaining module 210 is further configured to determine a priority score corresponding to each operation relationship based on the overall relationship proportion value and the entity node proportion value corresponding to the operation relationship; removing the operation relation of which the priority score is lower than a preset priority threshold value in the initial dependency graph to obtain a final dependency graph;
a determining module 230, configured to introduce the final dependency graph into the trained causal model to obtain an implicit behavior sequence corresponding to the final dependency graph; and comparing the implicit behavior sequence with an implicit behavior call chain corresponding to a preset data stealing behavior to determine whether the data stealing behavior exists.
In addition, the system also comprises a storage module; the storage module is used for storing the initial dependency graph in a Key-Value form through a preset KV-database; wherein, Key represents IP, file MD5 Value and process ID, and Value represents operation relation.
In addition, an embodiment of the present application further provides a data theft detection device based on log causal tracing, as shown in fig. 3, on which executable instructions are stored; when the executable instructions are executed, the data theft detection method based on log causal tracing as described above is implemented. Specifically, the server sends an execution instruction to the memory through the bus, and when the memory receives the execution instruction, it sends an execution signal to the processor through the bus so as to activate the processor.
The processor is used for acquiring an original log corresponding to a preset log acquisition time period through the terminal unified log platform; performing data cleaning on the original log to obtain a preprocessed log; abstracting the pre-processing log into an initial dependency graph through a computing engine; the dependency graph comprises an IP, a file MD5 value, a process ID and an operation relation; determining a priority score corresponding to each operation relation based on an overall relation ratio and an entity node ratio corresponding to the operation relation; removing the operation relation of which the priority score is lower than a preset priority threshold value in the initial dependency graph to obtain a final dependency graph; leading the final dependency graph into a trained causal model to obtain an implicit behavior sequence corresponding to the final dependency graph; and comparing the implicit behavior sequence with an implicit behavior call chain corresponding to the preset data stealing behavior to determine whether the data stealing behavior exists or not.
So far, the technical solutions of the present disclosure have been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the scope of the present disclosure is not limited to only these specific embodiments. The technical solutions in the above embodiments can be split and combined, and equivalent changes or substitutions can be made on related technical features by those skilled in the art without departing from the technical principles of the present disclosure, and any changes, equivalents, improvements, and the like made within the technical concept and/or technical principles of the present disclosure will fall within the protection scope of the present disclosure.

Claims (8)

1. A data theft detection method based on log causal tracing is characterized by comprising the following steps:
acquiring an original log corresponding to a preset log acquisition time period through a terminal unified log platform; performing data cleaning on the original log to obtain a preprocessed log;
abstracting, by a compute engine, the pre-processed log into an initial dependency graph; wherein the dependency graph comprises an IP, a file MD5 value, a process ID and an operation relation;
determining a priority score corresponding to each operation relation based on the integral relation ratio and the entity node ratio corresponding to the operation relation; removing the operation relation of which the priority score is lower than a preset priority threshold value in the initial dependency graph to obtain a final dependency graph;
leading the final dependency graph into a trained causal model to obtain an implicit behavior sequence corresponding to the final dependency graph; and comparing the implicit behavior sequence with an implicit behavior call chain corresponding to a preset data stealing behavior to determine whether the data stealing behavior exists.
2. The log causal tracing-based data theft detection method according to claim 1, wherein the calculation engine is divided into a real-time calculation engine and a batch calculation engine,
before abstracting, by a compute engine, the pre-processed log into an initial dependency graph, the method further comprising:
and acquiring a calculation instruction to determine a calculation engine for processing the preprocessing log from a real-time calculation engine and a batch calculation engine.
3. The log causal tracing-based data theft detection method of claim 1, wherein after abstracting the preprocessed logs into an initial dependency graph by a compute engine, the method further comprises:
storing the initial dependency graph in a Key-Value form through a preset KV-database; wherein, Key represents IP, file MD5 Value and process ID, and Value represents operation relation.
4. The data stealing detection method based on the causal tracing of the logs as claimed in claim 1, wherein determining the priority score corresponding to each operational relationship based on the integral relationship fraction value and the entity node fraction value corresponding to the operational relationship specifically comprises:
determining a rareness score based on the integral relation ratio corresponding to the operation relation;
determining a fan-out score based on the entity node ratio corresponding to the operation relationship;
according to a preset priority score formula:
priority score = α · rarity score + b · fan-out score; calculating the priority score; where α is a preset rarity correction constant and b is a preset fan-out correction constant.
5. The log causal tracing-based data theft detection method of claim 1, wherein after determining whether data theft behavior exists, the method further comprises:
when the data stealing behavior is determined to exist, marking an implicit behavior sequence corresponding to the data stealing behavior;
and packaging and sending the marked implicit behavior sequence, together with the IP, the file MD5 value, the process ID and the acquisition time period related to it, to a preset security operations terminal.
6. A log causal tracing-based data theft detection system, the system comprising:
an acquisition module, used for acquiring, through a unified terminal log platform, the original logs for a preset log acquisition time period, and performing data cleaning on the original logs to obtain preprocessed logs;
an abstraction module, used for abstracting the preprocessed logs into an initial dependency graph by a compute engine, wherein the dependency graph comprises IPs, file MD5 values, process IDs and operation relations;
the acquisition module being further used for determining the priority score for each operation relation from the overall relation ratio and the entity node ratio of that operation relation, and removing from the initial dependency graph the operation relations whose priority score is below a preset priority threshold, to obtain a final dependency graph; and
a determining module, used for feeding the final dependency graph into a trained causal model to obtain the implicit behavior sequence corresponding to the final dependency graph, and comparing the implicit behavior sequence with the implicit behavior call chain of a preset data theft behavior to determine whether a data theft behavior exists.
7. The log causal tracing-based data theft detection system of claim 6, wherein the system further comprises a storage module;
the storage module is used for storing the initial dependency graph in key-value form in a preset KV database, wherein the key is the IP, file MD5 value and process ID, and the value is the operation relation.
8. A log causal tracing-based data theft detection device, characterized in that the device comprises:
a processor; and
a memory having executable code stored thereon which, when executed, causes the processor to perform the log causal tracing-based data theft detection method of any of claims 1 to 5.
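The pipeline described in claims 1 and 3 to 5 (key-value storage of the dependency graph, priority scoring of each operation relation, pruning below a threshold, matching the resulting behavior sequence against a known data-theft call chain, and packaging an alert), as an added example in Python that is not the patent's own implementation. The log records, the theft call chain ("read", "compress", "net_send"), the constants a = 0.6 and b = 0.4 and the threshold 0.5 are all constructed for illustration. Two further assumptions are marked in the code: the rarity score is taken as 1 minus the overall relation ratio and the fan-out score as 1 minus the entity node ratio (the claims name the ratios but not the direction of the mapping), and the trained causal model of claim 1 is replaced by a plain time-ordered walk over each process's surviving operations.

```python
"""Added example of the claimed detection pipeline (not the patent's code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    """One operation relation: process (ip, pid) acting on a file (md5) at time ts."""
    ts: int
    ip: str
    pid: int
    md5: str
    op: str


# Constructed sample of pre-processed log records (not real telemetry).
# PID 4021 reads a secrets file, archives it and sends it out; PID 880 is a
# noisy indexer touching many files with the very common "stat" operation.
SAMPLE_LOGS = [
    Edge(1, "10.0.0.5", 880, "md5_f01", "stat"),
    Edge(2, "10.0.0.5", 880, "md5_f02", "stat"),
    Edge(3, "10.0.0.5", 880, "md5_f03", "stat"),
    Edge(4, "10.0.0.5", 880, "md5_f04", "stat"),
    Edge(5, "10.0.0.5", 880, "md5_f05", "stat"),
    Edge(6, "10.0.0.5", 880, "md5_f06", "stat"),
    Edge(7, "10.0.0.5", 4021, "md5_secret", "read"),
    Edge(8, "10.0.0.5", 4021, "md5_secret", "stat"),
    Edge(9, "10.0.0.5", 4021, "md5_archive", "compress"),
    Edge(10, "10.0.0.5", 4021, "md5_archive", "net_send"),
]

# Hypothetical implicit-behavior call chain for one data-theft pattern.
THEFT_CHAIN = ("read", "compress", "net_send")


def build_kv_graph(edges):
    """Claim 3: dependency graph as key -> operation relations,
    key = (IP, file MD5, process ID), value = time-ordered operations."""
    kv = defaultdict(list)
    for e in sorted(edges, key=lambda e: e.ts):
        kv[(e.ip, e.md5, e.pid)].append((e.ts, e.op))
    return dict(kv)


def score_edges(edges, a=0.6, b=0.4):
    """Claim 4: priority = a * rarity + b * fan_out for every edge.
    rarity  = 1 - (edges with this operation / all edges)      [overall relation ratio]
    fan_out = 1 - (files this process touched / all file nodes) [entity node ratio]
    Direction of both mappings is an assumption: rare operations and
    low fan-out processes rank high; a process touching everything is noise."""
    total = len(edges)
    op_count = Counter(e.op for e in edges)
    files = {e.md5 for e in edges}
    targets = defaultdict(set)
    for e in edges:
        targets[(e.ip, e.pid)].add(e.md5)
    scores = {}
    for e in edges:
        rarity = 1.0 - op_count[e.op] / total
        fan_out = 1.0 - len(targets[(e.ip, e.pid)]) / len(files)
        scores[e] = a * rarity + b * fan_out
    return scores


def prune(edges, threshold=0.5, a=0.6, b=0.4):
    """Claim 1: drop operation relations whose priority is below the threshold."""
    scores = score_edges(edges, a, b)
    return [e for e in edges if scores[e] >= threshold]


def behaviour_sequences(edges):
    """Stand-in for the trained causal model (assumption): the implicit behavior
    sequence of a process is its time-ordered list of surviving operations."""
    seqs = defaultdict(list)
    for e in sorted(edges, key=lambda e: e.ts):
        seqs[(e.ip, e.pid)].append(e.op)
    return dict(seqs)


def is_subsequence(chain, seq):
    """True if every operation of chain occurs in seq, in order (gaps allowed)."""
    it = iter(seq)
    return all(op in it for op in chain)


def detect(edges, chain=THEFT_CHAIN, threshold=0.5):
    """Claims 1 and 5: prune, derive sequences, match against the chain and
    package the marked sequence with its IP, MD5s, PID and time window."""
    kept = prune(edges, threshold)
    alerts = []
    for (ip, pid), seq in behaviour_sequences(kept).items():
        if is_subsequence(chain, seq):
            involved = [e for e in kept if (e.ip, e.pid) == (ip, pid)]
            alerts.append({
                "sequence": seq,
                "ip": ip,
                "pid": pid,
                "md5": sorted({e.md5 for e in involved}),
                "window": (min(e.ts for e in involved), max(e.ts for e in involved)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)  # the package claim 5 would send to the security operations terminal
```

With the constructed logs the seven "stat" edges score 0.28 (indexer) and 0.48 (PID 4021) and are pruned at the 0.5 threshold, while the read, compress and net_send edges score 0.84 and survive; the surviving sequence for PID 4021 matches the chain and yields a single alert covering timestamps 7 to 10. Note that the threshold is doing real work here: the "stat" on the secret file by the exfiltrating process sits just below it, which is the kind of edge a practitioner would tune a or b to keep.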
CN202210850109.9A 2022-07-20 2022-07-20 Data stealing detection method, system and equipment based on cause and effect tracing of logs Active CN115086071B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210850109.9A CN115086071B (en) 2022-07-20 2022-07-20 Data stealing detection method, system and equipment based on cause and effect tracing of logs

Publications (2)

Publication Number Publication Date
CN115086071A true CN115086071A (en) 2022-09-20
CN115086071B CN115086071B (en) 2022-12-06

Family

ID=83259989

Country Status (1)

Country Link
CN (1) CN115086071B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021070352A1 (en) * 2019-10-10 2021-04-15 日本電信電話株式会社 (Nippon Telegraph and Telephone Corporation) Graph association system and graph association method
CN113190373A (en) * 2021-05-31 2021-07-30 中国人民解放军国防科技大学 (National University of Defense Technology) Fault root cause localization method for microservice systems based on fault feature comparison
CN113779573A (en) * 2021-08-04 2021-12-10 国家计算机网络与信息安全管理中心 (National Computer Network and Information Security Management Center) Large-scale ransomware analysis method and analysis device based on system provenance graphs
CN113779574A (en) * 2021-08-09 2021-12-10 浙江工业大学 (Zhejiang University of Technology) APT detection method based on context behavior analysis
CN114238958A (en) * 2021-12-15 2022-03-25 华中科技大学 (Huazhong University of Science and Technology) Intrusion detection method and system based on provenance clustering and graph serialization

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
石峰 (Shi Feng) et al., "Research on causal tracing methods in large-scale campaign simulation analysis" (大规模战役仿真分析中的因果追溯方法研究), Journal of System Simulation (系统仿真学报) *

Also Published As

Publication number Publication date
CN115086071B (en) 2022-12-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant