CN115333778A - Network attack behavior prediction method based on attack mode - Google Patents

Publication number
CN115333778A
Authority
CN
China
Prior art keywords
attack
behavior
mode
candidate
network
Legal status
Granted
Application number
CN202210829333.XA
Other languages
Chinese (zh)
Other versions
CN115333778B (en)
Inventor
董理君
吴铁军
姜家伟
贾伟
江波
李新川
康晓军
姚宏
Current Assignee
China University of Geosciences
Nsfocus Technologies Group Co Ltd
Original Assignee
China University of Geosciences
Nsfocus Technologies Group Co Ltd
Application filed by China University of Geosciences, Nsfocus Technologies Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

Abstract

The invention discloses a network attack behavior prediction method based on attack patterns, comprising the following steps: constructing a network attack event graph, where the event graph consists of attack behaviors; extracting attack patterns from the event graph, where an attack pattern consists of link relationships between attack behaviors; aggregating the attack patterns and the historical attack behaviors to obtain vector representations of both; updating the historical attack behavior representation with an improved GAT network, calculating a score for each candidate attack behavior from the updated historical attack behaviors, and ranking the candidate attack behaviors, where the candidate attack behaviors are all attack behaviors to be predicted; the candidate attack behavior with the highest score is the final predicted attack behavior. The beneficial effects of the invention are that the attribute information of the attack subject is taken into account and the subject's historical attack behaviors are encoded, so that they better serve the malicious behavior prediction task.

Description

Network attack behavior prediction method based on attack mode
Technical Field
The invention relates to the field of network security, in particular to a network attack behavior prediction method based on an attack mode.
Background
In network security today, predicting an attacker's next attack behavior is important but difficult. The success of one attack behavior is often the precondition for the next, and earlier attack behaviors are not isolated but correlated with one another. If attack patterns can be summarized from typical attack paths, a system can be protected in a targeted manner before it is attacked; once an attack is under way, if the historical attack path can be encoded and attribute information about the attacker obtained from neighbor nodes, the next likely attack behavior can be predicted, the loss after the attack reduced as far as possible, and even an ongoing network attack interrupted.
Unlike the attack chain model (kill chain) commonly used in industry, the behavior transition information in an event graph handles the event prediction problem well, and attack behaviors can be predicted quickly with knowledge graph representation learning, which makes this a more intelligent prediction method.
However, current knowledge-graph-based network attack prediction methods struggle to obtain both entity-related triples and events at graph granularity, so prediction methods based on attack paths cannot capture the high-order neighbor similarity between network attack entities. Network attack graph methods based on topology information depend heavily on data and have a high prediction time cost, which hinders intelligent prediction.
Disclosure of Invention
To solve the above technical problems, the method considers historical attack behavior paths and abstracts them to summarize the corresponding typical attack patterns. It also considers the attribute information of the attack subject and encodes the subject's historical attack behaviors, so that they better serve the malicious behavior prediction task.
The invention provides a network attack behavior prediction method based on attack patterns, which comprises the following steps:
S1, constructing a network attack event graph, where the event graph consists of attack behaviors;
S2, extracting attack patterns from the event graph, where an attack pattern consists of link relationships between attack behaviors;
S3, aggregating the attack patterns and the historical attack behaviors to obtain vector representations of both;
S4, updating the historical attack behavior representation with the improved GAT network, calculating the score of each candidate attack behavior from the updated historical attack behaviors, and ranking the candidate attack behaviors, where the candidate attack behaviors are all attack behaviors to be predicted;
S5, the candidate attack behavior with the highest score is the final predicted attack behavior.
The beneficial effects of the invention are that the attribute information of the attack subject is taken into account and the subject's historical attack behaviors are encoded, so that they better serve the malicious behavior prediction task.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a portion of an attack graph.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be further described with reference to the accompanying drawings.
Referring to FIG. 1, which is a schematic flow chart of the method, a network attack behavior prediction method based on attack patterns comprises the following steps:
S1, constructing a network attack event graph, where the event graph consists of attack behaviors.
Specifically, step S1 is:
S11, preprocessing the cyber threat intelligence to obtain the attributes and description information of attack behaviors.
Cyber threat intelligence (CTI) contains attribute information and description information for many pieces of malware or vulnerabilities, and the description information records their possible attack patterns and attack sequences. This content can be manually labeled and collected.
The language in cyber threat intelligence is redundant, contains many domain-specific terms, and contains many pronouns that are mistakenly identified as independent entities. To address this, the method uses neuralcoref as the coreference resolution model and BERT + BiLSTM to delete the large amount of redundant text in sentences and extract the entity information required to build the graph. BERT is an abbreviation of Bidirectional Encoder Representations from Transformers, a bidirectional encoding representation based on the Transformer model, where Transformer is a general term for a class of models and denotes a technical approach.
BiLSTM stands for bidirectional long short-term memory network, where "Bi" means bidirectional.
S12, extracting the entity information required to construct the event graph from the attributes and description information.
S13, constructing the network attack event graph from the entity information.
For clarity, the related concepts are explained first.
Nodes, entities and attack behaviors: both the knowledge graph and the event graph have nodes, but the nodes have different meanings.
In the knowledge graph, a node represents an entity, and a triple composed of (entity, relation/predicate, entity) represents an event, namely an attack behavior.
In the event graph, a node represents an event (an attack behavior), that is, it consists of such a triple. This application is based on the event graph, so a node represents an attack behavior.
S2, extracting attack patterns from the event graph, where an attack pattern consists of link relationships between attack behaviors.
Note that the method defines an attack pattern as a set of connected Horn clauses over attack behaviors that stand in a sequential or concurrent relationship, where "connected" requires that the attack behaviors of the pattern are connected on the attack graph; the attack patterns are extracted from the event graph. An extracted attack pattern is therefore a chain of attack behaviors, also called an attack path, written A -> B -> C => D, where A -> B -> C is the pattern body and D is the pattern head. Each node is an attack behavior or attack condition, for example "service a opens 18220 port" or "attacker attacks a service by using sql injection", represented in triple form as (service a, 80 port, open) and (attacker, sql injection, use). The first two items of a triple are entities, and the third item is the relationship between them.
Step S2 specifically comprises the following steps:
S21, extracting preliminary attack patterns from the network attack event graph by iteratively adding frame points and instance points.
Frame points are the nodes of the attack pattern's frame, that is, the relationships between entities; instance points are the entities filled into the frame. In the triple example above, the frame point "use" is added first, and then the instance points, i.e. the entities in the triple, are filled in.
Next, the frame points within one hop of that frame point are found (that is, the relationships in the triples directly connected to the triple; for example, in the attack path A -> B -> C => D, C is a triple within one hop of D, and B and C are triples within two hops of D). The top N frame points by probability are selected according to tf-idf (N is a hyperparameter, i.e. a parameter set manually before training; the default in this method is 3, and other values may be used), and the entities corresponding to those frame points are filled in. This is iterated until the attack chain reaches the preset length (also a hyperparameter, namely the longest pattern body, which appears below).
S22, re-screening the preliminary attack patterns according to their number of occurrences and their confidence to obtain the screened attack patterns.
The number of occurrences of an attack pattern is calculated as follows:
Figure BDA0003747555730000051
where supp is the number of occurrences of the attack pattern, counting only occurrences that satisfy both the pattern body and the pattern head; x and y are the two entities of a candidate triple, r is the relationship between them, and r(x, y) denotes a candidate triple. Because the number of occurrences is calculated for each attack pattern, the same pattern body may correspond to multiple pattern heads, i.e. multiple r(x, y). $t_1, \dots, t_m$ denote the triples involved in the attack pattern body, and
Figure BDA0003747555730000052
denotes the pattern body formed by $t_1, \dots, t_m$.
In addition, the confidence of an attack pattern is an important evaluation index. The method uses the head coverage of the attack pattern (the percentage of attack paths or attack conditions, among all candidate attack behaviors, that are consistent with the pattern body) as the confidence, defined as follows:
Figure BDA0003747555730000053
where the denominator is the number of occurrences of all r(x, y) and the numerator is the number of occurrences of the attack pattern with r(x, y) as its pattern head. The larger this ratio, the more strongly the pattern body supports the appearance of the pattern head.
In practice, after the screened attack patterns are obtained, one round of manual re-screening can be performed to raise the coverage of the attack patterns as far as possible while preserving their confidence. This yields attack patterns of higher quality and relatively high coverage for the next step.
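An added example (not code from the patent) of the S22 screening step: it counts how often each pattern body is followed by each pattern head in a set of observed attack paths and computes head coverage as that count divided by all occurrences of the head. The sample paths, the names `mine_patterns` and `screen`, the use of the triple's relation as the frame point and the thresholds are assumptions; the contiguous-window enumeration stands in for the tf-idf-guided expansion of S21.

```python
from collections import Counter

# Constructed sample data: each path holds the ordered attack behaviors of one
# incident as (entity, entity, relation) triples, in the description's
# (attacker, sql injection, use) layout.
PATHS = [
    [("attacker", "port 80", "scan"), ("attacker", "sql injection", "use"),
     ("attacker", "web shell", "upload"), ("attacker", "database", "dump")],
    [("attacker", "port 80", "scan"), ("attacker", "sql injection", "use"),
     ("attacker", "web shell", "upload"), ("attacker", "database", "dump")],
    [("attacker", "port 443", "scan"), ("attacker", "sql injection", "use"),
     ("attacker", "web shell", "upload"), ("attacker", "admin account", "create")],
    [("attacker", "phishing mail", "send"), ("attacker", "web shell", "upload"),
     ("attacker", "database", "dump")],
    [("attacker", "ssh login", "scan"), ("attacker", "ssh password", "guess")],
]


def mine_patterns(paths, max_body_len=3):
    """Return {(body, head): (supp, head_coverage)} over relation-level patterns.

    body is a tuple of relations (frame points) immediately preceding head.
    supp counts occurrences that satisfy body AND head; head coverage divides
    supp by every occurrence of the head relation, with or without the body.
    """
    supp = Counter()
    head_total = Counter()
    for path in paths:
        rels = [rel for (_x, _y, rel) in path]
        head_total.update(rels)
        for i in range(1, len(rels)):                      # i indexes the head
            for n in range(1, min(max_body_len, i) + 1):   # n is the body length
                supp[(tuple(rels[i - n:i]), rels[i])] += 1
    return {pat: (cnt, cnt / head_total[pat[1]]) for pat, cnt in supp.items()}


def screen(stats, min_supp, min_conf):
    """Keep patterns that pass both thresholds, best first.

    Both thresholds matter: a head seen once always has head coverage 1.0,
    so confidence alone would keep patterns backed by a single observation.
    """
    kept = [(body, head, s, c) for (body, head), (s, c) in stats.items()
            if s >= min_supp and c >= min_conf]
    return sorted(kept, key=lambda p: (-p[3], -p[2], -len(p[0]), p[0]))


if __name__ == "__main__":
    for body, head, s, c in screen(mine_patterns(PATHS), min_supp=2, min_conf=0.6):
        print(f"{' -> '.join(body)} => {head}  supp={s} conf={c:.2f}")
```

On the sample data `upload => create` has head coverage 1.0 from a single occurrence and is dropped by the support threshold, which is the case the combined screen is there to catch.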
S3, aggregating the attack patterns and the historical attack behaviors to obtain vector representations of both.
The method uses the embeddings of the entities and relation in an attack behavior triple as the representation of the attack behavior, and uses a BiLSTM to jointly encode the attack patterns and the attack subject's historical attack behaviors, so that historical behavior is fully taken into account when the next attack behavior is predicted. Softmax is used as the activation function, which is both easy to train and accurate. The purpose of this step is to obtain the encoding (i.e. the vector representation) of the attack patterns and the historical attack behaviors, on which the subsequent computation operates.
S4, updating the historical attack behavior representation with the improved GAT network, calculating the score of each candidate attack behavior from the updated historical attack behaviors, and ranking the candidate attack behaviors, where the candidate attack behaviors are all attack behaviors to be predicted.
Step S4 specifically comprises:
S41, inputting the vector representations of the attack patterns and the historical attack behaviors into a graph attention network (GAT), and updating the vector representations using the confidence of the candidate attack behaviors to obtain the updated vector representations.
The statistical probability of an event is used as the basis for calculating the confidence of a candidate event, as follows:
Figure BDA0003747555730000061
where $E_{e_1}$ denotes the set of all events pointing to event $e_1$,
Figure BDA0003747555730000062
is the set of events that pass through event v, and
Figure BDA0003747555730000063
denotes the proportion occupied by
Figure BDA0003747555730000064
The higher this proportion, the more likely the attacker is to carry out the next attack behavior along this path.
Correspondingly, for every event $e_1$, the most likely next attack behavior can be calculated with this formula.
S42, selecting any one attack behavior from the updated vector representation as the candidate attack behavior, and aggregating the candidate attack behavior with its neighbors to obtain the embedded vector as follows:
Figure BDA0003747555730000065
where W and b denote the weight matrix and bias; from the embedded vector v of the candidate attack behavior and the embedded vector of its neighborhood
Figure BDA0003747555730000071
the potential attack behavior embedding vector
Figure BDA0003747555730000072
is obtained through the activation function σ.
S43, from the embedded vector
Figure BDA0003747555730000073
the score of the target attack behavior as the candidate attack behavior is calculated according to the following formula:
Figure BDA0003747555730000074
Figure BDA0003747555730000075
denotes the embedded vector of the potential attack behavior and $v_e$ denotes the attacker's historical attack path; the normalized score is obtained through the multilayer perceptron f() and is taken as the score of the candidate attack behavior.
Steps S42 to S43 are explained in detail as follows:
The GAT (Graph Attention Network) is a neural network used to update the embedded representations of nodes. Its main feature is that, when a node's representation is updated, the surrounding nodes do not influence it equally (that is, an attention mechanism is used). For example, refer to FIG. 2, which is a portion of an attack graph.
When the vector representation of node A is updated, nodes B, C, D, E and F need to be weighted, and nodes that affect A more strongly should be given a higher weight.
The distinguishing feature of this method is its weight allocation scheme: the confidence of the candidate event is used as the basis for allocating weights. For example, five nodes in the graph are connected within one hop of node A, with confidence Tr as shown. For node C, when node A is updated, the weight given to node C is:
Figure BDA0003747555730000076
After the weight is obtained,
Figure BDA0003747555730000077
is taken as the aggregation score between candidate node A and node C. After the scores between A and each of B, C, D, E and F have been calculated, the neighborhood can be represented by the following equation:
Figure BDA0003747555730000081
The target node and its neighbors are aggregated according to the following formula:
Figure BDA0003747555730000082
Finally, an embedded representation is obtained, and the probability that the target node is the candidate node is calculated from it and the embedded representation of the attack pattern, according to the following formula:
Figure BDA0003747555730000083
The overall loss function of the method is:
Figure BDA0003747555730000084
The method uses cross-entropy loss as the overall loss; E denotes the entities in the attacker's attack path, R denotes the relations in the attack path, and the last term is an L2 regularization term.
S44, repeating steps S42 to S43 until the scores of all target attack behaviors in the updated vector representation, taken as candidate attack behaviors, have been computed, and ranking them by score from high to low.
S5, the candidate attack behavior with the highest score is the final predicted attack behavior.
The beneficial effects of the invention are that the attribute information of the attack subject is taken into account and the subject's historical attack behaviors are encoded, so that they better serve the malicious behavior prediction task.
The above describes only preferred embodiments of the present invention and is not to be construed as limiting it; any modification, equivalent substitution or improvement made within the spirit and principle of the present invention is intended to be included within its scope.
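An added example (not the patent's code) of the confidence-weighted neighbor aggregation described for steps S41 and S42. The formulas are not reproduced on this page, so the sketch assumes that the confidence Tr of an edge v -> e1 is its share of all transitions pointing to e1, that neighbor weights are those confidences normalized to sum to 1, and that the update is σ(W·[v ‖ v_N] + b) with concatenation; the paths, embeddings and function names are constructed.

```python
import math
from collections import Counter

# Constructed sample: historical attack paths, one event label per step.
PATHS = [
    ["scan", "sqli", "webshell", "dump_db"],
    ["scan", "sqli", "webshell", "dump_db"],
    ["scan", "sqli", "webshell", "add_admin"],
    ["phish", "webshell", "dump_db"],
    ["scan", "bruteforce", "add_admin"],
]
# Constructed 2-d embeddings standing in for the BiLSTM output of step S3.
EMB = {
    "scan": [1.0, 1.0], "sqli": [1.0, 0.0], "phish": [0.0, 1.0],
    "webshell": [0.5, 0.5], "dump_db": [1.0, 1.0],
    "add_admin": [0.0, 0.0], "bruteforce": [0.0, 0.5],
}


def edge_confidence(paths):
    """Tr[(v, e1)] = transitions v -> e1 / all transitions pointing to e1."""
    edges = Counter()
    for path in paths:
        edges.update(zip(path, path[1:]))      # directed, in attack order
    incoming = Counter()
    for (_v, e1), n in edges.items():
        incoming[e1] += n
    return {(v, e1): n / incoming[e1] for (v, e1), n in edges.items()}


def neighbor_weights(tr, node):
    """Attention weights of the one-hop neighbors of `node`, taken from Tr.

    Edges in either direction count as one hop; self loops are ignored.
    Assumption: plain normalization of the confidences.
    """
    conf = {}
    for (v, e1), c in tr.items():
        if v == e1:
            continue
        if v == node:
            conf[e1] = conf.get(e1, 0.0) + c
        elif e1 == node:
            conf[v] = conf.get(v, 0.0) + c
    total = sum(conf.values())
    return {n: c / total for n, c in conf.items()} if total else {}


def aggregate(weights, emb):
    """Neighborhood vector v_N = sum of weight * neighbor embedding."""
    dim = len(next(iter(emb.values())))
    out = [0.0] * dim
    for n, w in weights.items():
        for i, x in enumerate(emb[n]):
            out[i] += w * x
    return out


def update(v, v_nbr, W, b):
    """sigma(W [v || v_N] + b); concatenation is an assumption of this sketch."""
    x = list(v) + list(v_nbr)
    return [1.0 / (1.0 + math.exp(-(sum(w * xi for w, xi in zip(row, x)) + bi)))
            for row, bi in zip(W, b)]


if __name__ == "__main__":
    tr = edge_confidence(PATHS)
    w = neighbor_weights(tr, "webshell")
    print(w, aggregate(w, EMB))
```

With uniform weights the neighborhood vector of `webshell` would be [0.5, 0.5]; the confidence weights pull it toward the neighbors reached over high-confidence edges.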

Claims (6)

1. A network attack behavior prediction method based on attack patterns, characterized in that the method comprises the following steps:
S1, constructing a network attack event graph, where the event graph consists of attack behaviors;
S2, extracting attack patterns from the event graph, where an attack pattern consists of link relationships between attack behaviors;
S3, aggregating the attack patterns and the historical attack behaviors to obtain vector representations of both;
S4, updating the historical attack behavior representation with the improved GAT network, calculating the score of each candidate attack behavior from the updated historical attack behaviors, and ranking the candidate attack behaviors, where the candidate attack behaviors are all attack behaviors to be predicted;
S5, the candidate attack behavior with the highest score is the final predicted attack behavior.
2. The network attack behavior prediction method based on attack patterns according to claim 1, characterized in that step S1 specifically comprises the following steps:
S11, preprocessing the cyber threat intelligence to obtain the attributes and description information of attack behaviors;
S12, extracting the entity information required to construct the event graph from the attributes and description information;
S13, constructing the network attack event graph from the entity information.
3. The network attack behavior prediction method based on attack patterns according to claim 1, characterized in that, when the network attack event graph is constructed, a directed attack graph is established according to the order of the attack behaviors.
4. The network attack behavior prediction method based on attack patterns according to claim 1, characterized in that step S2 specifically comprises the following steps:
S21, extracting preliminary attack patterns from the network attack event graph by iteratively adding frame points and instance points;
S22, re-screening the preliminary attack patterns according to their number of occurrences and their confidence to obtain the screened attack patterns.
5. The network attack behavior prediction method based on attack patterns according to claim 1, characterized in that, in step S3, a BiLSTM network model is used to jointly encode the candidate attack patterns and the historical attack behaviors of the attack subject, so as to obtain the vector representations of the attack patterns and the historical attack behaviors.
6. The network attack behavior prediction method based on attack patterns according to claim 1, characterized in that step S4 specifically comprises the following steps:
S41, inputting the vector representations of the attack patterns and the historical attack behaviors into a graph attention network (GAT), and updating the vector representations using the confidence of the candidate attack behaviors to obtain the updated vector representations;
S42, selecting any one attack behavior from the updated vector representation as the candidate attack behavior, and aggregating the candidate attack behavior with its neighbors to obtain the embedded vector as follows:
Figure FDA0003747555720000021
where W and b denote the weight matrix and bias; from the embedded vector v of the candidate attack behavior and the embedded vector of its neighborhood
Figure FDA0003747555720000023
the potential attack behavior embedding vector
Figure FDA0003747555720000024
is obtained through the activation function σ;
S43, from the embedded vector
Figure FDA0003747555720000025
the score of the target attack behavior as the candidate attack behavior is calculated according to the following formula:
Figure FDA0003747555720000022
Figure FDA0003747555720000026
denotes the embedded vector of the potential attack behavior and $v_e$ denotes the attacker's historical attack path; the normalized score is obtained through the multilayer perceptron f() and is taken as the score of the candidate attack behavior;
S44, repeating steps S42 to S43 until the scores of all target attack behaviors in the updated vector representation, taken as candidate attack behaviors, have been computed, and ranking them by score from high to low.
CN202210829333.XA 2022-07-15 2022-07-15 Network attack behavior prediction method based on attack mode Active CN115333778B (en)

Publications (2)

Publication Number Publication Date
CN115333778A (en) 2022-11-11
CN115333778B (en) 2024-05-14

Family

ID=83917096
