CN115567325B - Threat hunting method based on graph matching - Google Patents

Threat hunting method based on graph matching

Info

Publication number: CN115567325B
Authority: CN (China)
Prior art keywords: graph, node, origin, query, query graph
Legal status: Active
Application number: CN202211536047.0A
Other languages: Chinese (zh)
Other versions: CN115567325A (en)
Inventors: 朱添田, 李爽, 陈铁明, 吕明琪
Current assignee: Zhejiang University of Technology ZJUT
Original assignee: Zhejiang University of Technology ZJUT
Priority date / filing date: 2022-12-02 (application CN202211536047.0A filed by Zhejiang University of Technology ZJUT)
Publication of CN115567325A: 2023-01-03
Application granted, publication of CN115567325B: 2023-03-31

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/50 Information retrieval; Database structures therefor; File system structures therefor of still image data
    • G06F16/53 Querying
Abstract

The invention discloses a threat hunting method based on graph matching, comprising the following steps. Constructing a provenance graph: collect system kernel audit logs and build a provenance graph from the causal relationships and event streams in those logs. Constructing a query graph: extract threat entities and the relations among them from cyber threat intelligence and build an attack-related query graph. Graph matching: partition the provenance graph with an edge-cut method, distribute the partitions to the sites, run a graph-matching search on each site, compute the similarity between the provenance graph and the query graph, and find the subgraph of the provenance graph most similar to the query graph, i.e. the one with the highest similarity score. Threat early warning: if the highest similarity score exceeds a threshold, raise an alarm immediately and output the nodes and paths matched to the query graph. The method addresses attacker evasion so that hunting is both accurate and efficient.

Description

Threat hunting method based on graph matching
Technical Field
The invention relates to the field of threat hunting, in particular to a threat hunting method based on graph matching.
Background
With the continued emergence of Advanced Persistent Threats (APTs), network security faces serious challenges. Unlike a conventional network attack, an APT aims to penetrate a specific company or organization and obtain important assets, sensitive data and the like; it is organized, uses advanced attack techniques and persists over a long period. Existing automatic APT detection methods are single-purpose and passive, for example dependency graphs, API analysis, user profiling and statistical feature extraction. For a real-time detection system, an alarm means that an attack or compromise has already occurred; for a non-real-time system, by the time an analyst finds the attack in offline data the attacker has often already done serious damage to the production environment. How to actively find, identify and understand an adversary by continuously tracing back through the data inside the organization has therefore become a topic of great interest in academia and industry, and fully automated attack detection is moving toward semi-automated threat hunting. Threat hunting is a human-driven activity that actively and iteratively analyzes and searches for traces of intrusion in the organization's environment (network, endpoints, application systems and so on), so as to shorten the attacker's dwell time in that environment and minimize the harm done to it.
Network environments grow ever more complex and attack techniques may change at any time. Cyber threat intelligence (CTI) provides attack knowledge fused from multiple sources, including attack scenarios, tactics, techniques and procedures. Through CTI reports, enterprises can access a large database of threat behaviour, learn as much known adversary behaviour as possible, let security staff formulate attack and defence strategies more easily, and greatly improve the efficiency of protection. In this context a new, intelligence-driven network defence mechanism has arisen.
To hunt effectively, an analyst must not only use intelligence-related knowledge to strengthen the mining of attack behaviour, but also continuously trace back through the organization's long-term system logs (system entities such as processes, network sockets and files, and kernel records of system events such as system calls) to discover possible threats. Provenance graphs link causally related events in a system and show system execution through the interactions between system entities; many researchers have used them for threat hunting. According to the research, existing threat hunting methods lack completeness and cannot reveal how an attack unfolded, and because they depend on low-level signatures, the attack goes undetected once the attacker updates a tool or changes a signature (such as an IP address or a hash value) to evade detection.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a threat hunting method based on graph matching.
A threat hunting method based on graph matching comprises the following steps:
1) Constructing a provenance graph: collecting system kernel audit logs and building a provenance graph from the causal relationships and event streams in the system kernel logs;
2) Constructing a query graph: extracting threat entities and the relations among them from cyber threat intelligence and building an attack-related query graph;
3) Graph matching: partitioning the provenance graph with an edge-cut method, distributing the partitions to the sites, running a graph-matching search on each site, computing the similarity between the provenance graph and the query graph, and finding the subgraph of the provenance graph most similar to the query graph, i.e. the one with the highest similarity score;
4) Threat early warning: if the highest similarity score exceeds a threshold, alarming immediately, outputting the nodes and paths matched by the query graph, and using the ATT&CK framework to make the hunting result interpretable.
The method partitions the provenance graph sensibly and improves hunting efficiency through distributed search; the hunt combines entity matching with meta-behaviour matching, reduces missed and false alarms by taking the context semantics of nodes and the information on edges into account, and explains the hunting result with the ATT&CK framework, giving an efficient, accurate and interpretable threat hunting method.
In step 1), the system is Linux, FreeBSD and/or Windows.
In step 3), partitioning the provenance graph with an edge-cut method specifically comprises: for every node of the query graph, count its candidate nodes in the provenance graph; take the candidate set of the query node with the fewest candidates as the set of seed nodes, one per partition (so the number of partitions equals the minimum number of candidates); starting from each seed node, repeatedly pick a node from the neighbour set of the data already partitioned and add it to the current partition until the current partition reaches its rated load, then start the next partition. This completes the fragmentation at the master site.
Distributing the fragmented provenance graph to the sites, running the graph-matching search on each site and computing the similarity between the provenance graph and the query graph specifically comprises: after the master site has fragmented the graph, the query graph and the fragments are distributed to all sites; each site runs the graph matching algorithm to fix the candidate nodes of the query graph, and the similarity between the provenance graph and the query graph is computed from those candidate nodes.
The graph matching algorithm comprises the following steps:
3.1) extract technique templates from the ATT&CK model and determine, from the query graph, the attack technique that serves as the attack meta-behaviour; each site then fuses single nodes of the provenance graph with the meta-behaviour to search for, and fix, the candidate nodes of the query graph's meta-behaviour;
3.2) fix the neighbour nodes of those candidates: taking into account the context semantics of the neighbours and the semantic information of the edges, fix the candidate nodes of the query graph.
In step 3.2), fixing the candidate nodes of the query graph from the context semantics of the neighbours and the semantic information of the edges specifically comprises:
3.2.1) nodes are divided by system entity type into processes, files, sockets and registry keys, and files are further divided into sensitive files, library files and executable files;
the best candidate node for a query node is determined from the reachable-path information and the types of the query node's neighbours; if the best candidate agrees with the neighbours' reachable-path information, proceed to step 3.2.2) to consider the semantic information of the edges;
3.2.2) considering the direction of information flow between nodes and the semantic information of the edges between them, map between meta-behaviours or between nodes and match the edge semantics; if they match, the edge semantics are complete and the candidate node of the query graph is fixed; if they do not match, match the edge semantics again using the rule of equivalent semantic transfer.
In step 3.2.1), determining the best candidate node of the query graph from the reachable-path information and the types of its neighbours specifically comprises: compare the type of the query node with the type of the provenance node; if they are the same, the provenance node becomes one of the query node's candidates. A candidate is then given a separate weight for each of the following that it matches: the reachable-path information of the query node, its reachable-node information, and the types of its neighbours, these three weights increasing in that order. The weights are cumulative, and the candidate with the highest total weight is chosen as the best candidate node of the query node.
In step 3.2.2), the rule of equivalent semantic transfer specifically comprises: when the semantic information of the edge between two nodes of the query graph does not match the semantic information of the edge between the corresponding candidate nodes of the provenance graph, note that different entities associated with the same type of event have different degrees of maliciousness; whether the edge is associated with the attack is therefore judged from the context of the associated entities. If it is, the path is considered reachable and the search continues to the next node until the edge semantics corresponding to that node match, whereupon the candidate node of the query graph is fixed.
The rule of equivalent semantic transfer is a transfer rule specified according to the essence of the attack: if the edge semantics between two query nodes do not match the edge semantics between the corresponding candidates but do satisfy the rule, the path is considered reachable and the search continues to the next node until a node is reached whose edge information matches.
Compared with the prior art, the invention has the following advantages:
(1) Kernel log data is collected; kernel data carries rich semantic information and shows the relations between system objects well;
(2) Meta-behaviour matching prevents an attacker from deliberately detouring so that the information flow is missed;
(3) Semantic information between nodes is added to the search, ensuring that the matched information flow is accurate;
(4) The provenance graph is divided into reasonably sized fragments; the fragments are computed in parallel and communicate with each other, giving efficient hunting;
(5) For the NP-complete problem of graph matching, on-demand search is used, driven by the information flow between nodes;
(6) When mapping edge semantics, equivalent semantic transfer prevents the attacker from evading.
Drawings
Fig. 1 is a flow chart of a threat hunting method based on graph matching.
FIG. 2 is a flow chart of the graph matching algorithm of the present invention.
FIG. 3 is a flow chart of parallel lookup according to the present invention.
FIG. 4 is a flow chart of partitioning the provenance graph by edge cut according to the present invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings.
Referring to fig. 1, a method for threat hunting based on graph matching comprises the following steps:
(1) Constructing a provenance graph: kernel audit logs of Linux, FreeBSD and Windows are collected, and a provenance graph G is built from the causal relations and event streams in the logs;
(2) Constructing a query graph: threat entities (IOCs) and the relations among them are extracted from cyber threat intelligence (CTI) to build an attack-related query graph Q;
(3) Graph matching: given G and Q, threat hunting is turned into the problem of finding the subgraph of G most similar to Q. Attacker evasion is countered by retrieving attack meta-behaviours, considering node context semantics, matching edge semantics, asynchronous master-slave distributed querying and the equivalent semantic transfer method, so that the hunt is both accurate and efficient;
(4) Threat early warning: according to the graph alignment score, if the maximum alignment score exceeds a threshold an alarm is raised immediately and the matched nodes and paths are output, making the hunting result interpretable.
In step (1), the detailed steps for constructing the provenance graph are as follows:
(1-1) Collecting log data: for each operating system platform an appropriate log collection tool must be chosen to obtain kernel data, which is harder to tamper with than data from upper-layer applications;
(1-2) Modelling the provenance graph G: the collected kernel audit log is modelled as a directed graph with labels (such as types and attributes), so that causal relations and information flows can be tracked effectively. Nodes represent system entities: files F, processes P, sockets S and registry keys R, where files F are subdivided into attributes F0, F1, F2 and F3 to represent several file types and so lock onto hunting targets, and the registry R is subdivided into R0, R1, R2, R3 and R4. Edges represent information flow and causal relations between nodes, such as read, fork, receive and write.
In step (2), the detailed steps for constructing the query graph are as follows:
(2-1) Extracting threat entities (IOCs) and the relations between them: cyber threat intelligence (CTI) describes aspects of an attack, including the order of attack steps, the attacking entities and the impact on the attacked systems, often in a mixture of structured and unstructured language. The method extracts the IOCs and their relations from unstructured CTI reports with natural language processing (NLP) techniques.
(2-2) Modelling the query graph Q: the attack behaviour described in the CTI report is modelled as a directed graph with labels (such as types and attributes). Nodes represent the entities in the report (files F, processes P, sockets S and registry keys R), with files F subdivided into attributes F0, F1, F2 and F3 for several file types in order to lock onto the hunting target, and likewise the registry R subdivided into R0, R1, R2, R3 and R4. Edges represent information flow and causal relations between nodes, such as read (read data), fork (create process), receive (receive network data) and write (write data).
In step (3), the flow of the graph alignment algorithm is shown in fig. 2; the detailed steps are as follows:
(3-1) Definition of symbols: the method defines three matching modes, namely single-point matching, meta-behaviour matching and graph matching; the related definitions are given in Table 1.
Table 1 Definitions of the symbols (the table is an image in the original and is not reproduced here)
(3-1-1) Cost of attack H(i:j): measures the probability of an attack flow being generated from node i to node j. It is expressed through an attack-cost term (the defining equation is an image in the original and is not reproduced here), which is the minimum number of attack hops an attacker needs to get from node i to node j, i.e. the minimum cost of reaching the goal; the hops are therefore independent of one another. If the processes along a path have equivalent semantics, the cost takes the value given in the original equation; if there is no reachable path from node i to node j, or the semantics do not match, it takes the value defined for that case (both values appear only as images in the original). Even if the attacker deliberately detours, the semantics are still considered equivalent as long as the detour follows the rules of equivalent semantic transfer, so the flow can still be found. The equivalent semantic transfer rules are listed in Table 2.
Table 2 Equivalent semantic transfer rules (the table is an image in the original and is not reproduced here)
(3-1-2) Meta-behaviour matching score W(G1::G2): represents the likelihood of an attack meta-behaviour (the defining equation is an image in the original). G1 and G2 are subgraphs of Gq and Gp respectively; the larger W(G1::G2), the more attack meta-behaviours are aligned and the higher the likelihood of attack. W(G1::G2) = 1 means that all nodes of G1 and G2, all flows and the semantic information on the flows match; W(G1::G2) = 0 means that no node or structure of G1 and G2 matches.
(3-1-3) Alignment score S(G::Q): the alignment score of the provenance graph G and the query graph Q, also written S(Gq::Gp) (equation (3); the equation is an image in the original). The larger S(G::Q), the more nodes are aligned, the more similar G and Q and the flows within them are, and the higher the likelihood of attack. S(G::Q) = 1 means that every node of G is aligned with a node of Q and every flow present in G also appears between the aligned nodes of Q.
(3-2) Partitioning algorithm: the provenance graph is partitioned with an edge-cut method and each site searches its fragment in a distributed manner under a master-slave structure, as shown in fig. 4.
(3-2-1) Finding the candidate nodes in the provenance graph for the nodes of the query graph: the entity names extracted from cyber threat intelligence may not agree with the entity names extracted from the low-level kernel log, so related entities are hard to match by name and hunting accuracy suffers. The method therefore matches candidate nodes in G by the type of the node, its in- and out-degree, the types of its neighbours and the edge semantics from the neighbours to the node, avoiding direct name matching.
(3-2-2) Partitioning the provenance graph: for each node of the query graph, count its candidate nodes in the provenance graph; the candidate set with the fewest members becomes the set of seed nodes, one per partition, so the number of partitions equals the minimum number of candidates. Starting from a seed node, repeatedly select a node from the neighbour set of the data already partitioned and add it to the current partition until the partition reaches its rated load, then start the next partition.
(3-2-3) Distributed lookup: after the master site has partitioned the graph, the fragments and the query graph are distributed to the sites. Each site runs the graph matching algorithm to compute a partial answer, i.e. each fragment Fi computes H(i:k) and W(Q::Fi) on its own. Each site receives the data sent by the other sites to update its local data, then sends its updated answer to the other sites, and this repeats until no site's data changes any more. The local results of all sites are then sent to the master site, where the complete matching result is assembled.
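As an added illustration of steps (3-2-1) to (3-2-3), not code from the patent: the Python below builds a small constructed provenance graph, counts type-based candidates for every query node, seeds one partition per candidate of the query node with the fewest candidates, grows each partition over the neighbour set of the nodes already assigned until a rated load is reached, and lists the cut edges across which the sites would have to exchange partial answers. The node names, the query graph, the rated load, the alphabetical tie-breaking and the rule that leftover nodes join the smallest partition are assumptions; the patent does not specify them.

```python
"""Edge-cut partitioning of a provenance graph seeded on the query node with the
fewest candidates (step 3-2-2). Added illustration, not the patent's code; the
rated load, the tie-breaking and the handling of leftover nodes are assumptions."""
from collections import deque

# Constructed provenance graph: node -> entity type (P process, F file, S socket)
# and directed edges (src, dst, operation) as they would come from kernel audit.
PROV_NODES = {
    "sock1": "S", "curl": "P", "payload.sh": "F", "sh": "P", "bash": "P",
    "cron": "P", "libc.so": "F", "sock2": "S", "sshd": "P", "vim": "P",
    "notes.txt": "F",
}
PROV_EDGES = [
    ("sock1", "curl", "receive"), ("curl", "payload.sh", "write"),
    ("payload.sh", "sh", "read"), ("bash", "sh", "fork"), ("sh", "cron", "fork"),
    ("cron", "libc.so", "read"), ("libc.so", "sshd", "read"),
    ("sock2", "sshd", "receive"), ("sshd", "vim", "fork"), ("vim", "notes.txt", "write"),
]
# Constructed query graph from a CTI report; only the type labels matter here.
QUERY_NODES = {"q_sock": "S", "q_dl": "P", "q_drop": "F", "q_exec": "P"}


def candidates(query_nodes, prov_nodes):
    """Step 3-2-1 reduced to its first criterion: a provenance node is a candidate
    for a query node when the entity types agree (names are never compared)."""
    return {q: sorted(n for n, t in prov_nodes.items() if t == qt)
            for q, qt in query_nodes.items()}


def undirected_adjacency(edges):
    adj = {}
    for src, dst, _ in edges:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def edge_cut_partition(prov_nodes, edges, query_nodes, load):
    """The candidate set of the query node with the fewest candidates becomes the
    seed set, so the number of partitions equals that minimum. Each partition grows
    from its seed by taking one node at a time from the neighbour set of the nodes
    already assigned until it holds `load` nodes (the rated load); then the next
    seed starts the next partition. Assumption: nodes still unassigned afterwards
    are appended to the smallest partition. Returns (partitions, node -> partition)."""
    cand = candidates(query_nodes, prov_nodes)
    seed_query = min(cand, key=lambda q: (len(cand[q]), q))
    adj = undirected_adjacency(edges)
    assigned, parts = {}, []
    for seed in cand[seed_query]:
        if seed in assigned:            # already swallowed by an earlier partition
            continue
        pid, part = len(parts), [seed]
        assigned[seed] = pid
        frontier = deque(sorted(adj.get(seed, set())))
        while len(part) < load and frontier:
            n = frontier.popleft()
            if n in assigned:
                continue
            part.append(n)
            assigned[n] = pid
            frontier.extend(sorted(adj.get(n, set()) - set(assigned)))
        parts.append(part)
    for n in sorted(prov_nodes):
        if n not in assigned:
            pid = min(range(len(parts)), key=lambda i: (len(parts[i]), i))
            parts[pid].append(n)
            assigned[n] = pid
    return parts, assigned


def cut_edges(edges, assigned):
    """Edges whose endpoints sit on different sites: the edges across which sites
    exchange partial answers during the distributed lookup of step 3-2-3."""
    return [e for e in edges if assigned[e[0]] != assigned[e[1]]]


if __name__ == "__main__":
    parts, where = edge_cut_partition(PROV_NODES, PROV_EDGES, QUERY_NODES, load=6)
    for i, p in enumerate(parts):
        print(f"site {i}: {p}")
    print("cut edges:", cut_edges(PROV_EDGES, where))
```

With a rated load of 6 the two socket nodes seed two partitions and only the cron-to-libc.so read edge is cut, so the two sites exchange data about a single edge; with a smaller load the growth stops early and the leftover nodes are spread over the partitions by the assumed rule, which is where a real implementation would instead trade off load balance against the number of cut edges.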
(3-3) Graph matching algorithm: from step (3-2), the provenance graph is partitioned into F = (F1, ..., Fn) and distributed to the sites (S1, ..., Sn); each site computes the partial answer of its fragment Fi against the query graph, and the hunt proceeds by attack meta-behaviour retrieval, node context semantics and edge semantics, as shown in fig. 2.
(3-3-1) Attack meta-behaviour retrieval: the ATT&CK framework describes the techniques used at the various stages of an APT attack, and meta-attack behaviours can be extracted from it, each representing one technique of an APT attack. Before single-node matching, the meta-attack behaviours in Q that characterize the APT attack are found first, and the corresponding meta-behaviours are then matched in G; the more of them match, the higher the likelihood of attack, with weight W.
Example 1: extraction of the meta-behaviour of technique T1547.001 from the ATT&CK framework is shown in FIG. 3.
(3-3-2) Matching nodes: usually a node of Q has several candidate nodes in G. For efficiency, the graph matching algorithm traverses the graph forwards and backwards from the matched attack meta-behaviour. For nodes n and m of Q with their candidate sets in G (the set notation is an image in the original), fixing the candidate set of the seed node n in G requires computing the attack cost H from each candidate of n to each candidate of m, where m satisfies: (1) m is n or is reachable from n; (2) the candidate nodes in G corresponding to n and m are connected by a reachable path, and the edge semantics between the connected nodes are the same or equivalent. The matching node is computed by equation (5) (an image in the original). If there are several candidate nodes, the node with the largest matching score A(i:k) is fixed.
In step (4), threat early warning comprises the following detailed steps:
(4-1) Computing the alignment score: the alignment score S is computed at the master site according to equation (3); S is the similarity score of the subgraph of the provenance graph most similar to the query graph.
(4-2) Early warning: if S exceeds the threshold, a threat warning is issued, the fixed optimal subgraph is output, and the hunting result is explained using the determined attack meta-behaviours.
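As an added illustration of steps (3-3) and (4), not the patent's own code or equations: the Python below fixes candidate nodes for a constructed query graph in a constructed provenance graph in which the attacker detours (the downloader forks a child that writes the payload instead of writing it itself), crosses the fork edge under an assumed equivalent-semantic-transfer rule so the detour does not break the match, computes an alignment score and raises an alarm when it exceeds a threshold. The entity labels, the EQUIVALENT and TRANSFER tables standing in for Table 2, the candidate weighting, the score formula standing in for equation (3) and the names G_NODES, G_EDGES, Q_NODES, Q_EDGES, match and hunt are all assumptions made for the example.

```python
"""Candidate fixing with equivalent semantic transfer, plus alignment scoring
and alerting (steps 3-3 and 4). Added illustration, not the patent's code."""
from collections import deque

# Constructed provenance graph G (from kernel audit events). Labels: P process,
# S socket, F:exe executable file, F:sens sensitive file, F:lib library file.
G_NODES = {
    "sock:203.0.113.5:443": "S", "curl": "P", "curl-child": "P",
    "/tmp/payload": "F:exe", "sh": "P", "sock:198.51.100.9:80": "S",
    "bash": "P", "vim": "P", "/home/u/notes": "F:sens", "/lib/libc.so": "F:lib",
}
G_EDGES = [  # (src, dst, op): information flows from src to dst
    ("sock:203.0.113.5:443", "curl", "receive"),
    ("curl", "curl-child", "fork"),           # evasion: a child does the write
    ("curl-child", "/tmp/payload", "write"),
    ("/tmp/payload", "sh", "read"),
    ("sh", "sock:198.51.100.9:80", "send"),
    ("bash", "vim", "fork"), ("/lib/libc.so", "vim", "read"),
    ("vim", "/home/u/notes", "write"),
]
# Constructed query graph Q from a CTI report: download, drop, execute.
Q_NODES = {"q_net": "S", "q_dl": "P", "q_payload": "F:exe", "q_exec": "P"}
Q_EDGES = [("q_net", "q_dl", "receive"), ("q_dl", "q_payload", "write"),
           ("q_payload", "q_exec", "read")]
# Assumed stand-in for the patent's Table 2: EQUIVALENT lists audit ops that mean
# the same as a query edge; TRANSFER lists ops that hand the attack semantics on
# to the next entity (a child acts for its parent), so the search may cross them.
EQUIVALENT = {"receive": {"receive", "recvfrom", "recvmsg"},
              "write": {"write", "pwrite", "rename"}, "read": {"read", "mmap", "execve"}}
TRANSFER = {"fork", "clone", "execve"}


def adjacency(edges):
    out, inc = {}, {}
    for s, d, op in edges:
        out.setdefault(s, []).append((d, op))
        inc.setdefault(d, []).append((s, op))
    return out, inc


def neighbour_types(node, nodes, out, inc):
    return {nodes[n] for n, _ in out.get(node, []) + inc.get(node, [])}


def find_candidates(start, want_type, op, forward, nodes, out, inc, max_hops=3):
    """BFS from `start`: an edge equivalent to `op` that lands on a `want_type`
    node yields a candidate (cost = transfer hops walked); an edge in TRANSFER is
    crossed without consuming the query edge. Returns {candidate: (cost, path)}."""
    adj = out if forward else inc
    found, seen, queue = {}, {start}, deque([(start, 0, [start])])
    while queue:
        node, hops, path = queue.popleft()
        for nxt, e in adj.get(node, []):
            if e in EQUIVALENT.get(op, {op}) and nodes[nxt] == want_type:
                if nxt not in found or found[nxt][0] > hops:
                    found[nxt] = (hops, path + [nxt])
            elif e in TRANSFER and hops + 1 < max_hops and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1, path + [nxt]))
    return found


def match(q_nodes, q_edges, g_nodes, g_edges):
    """Seed on the query node with the fewest type candidates (standing in for the
    ATT&CK meta-behaviour node), then fix the other query nodes breadth-first along
    query edges in both directions. Assumed weighting: cheapest detour first, then
    how many of the query node's neighbour types surround the candidate. Assumed
    score (eq. (3) is not reproduced): fraction of query edges matched."""
    out, inc = adjacency(g_edges)
    q_out, q_in = adjacency(q_edges)
    cands_by_q = {q: [n for n, t in g_nodes.items() if t == qt] for q, qt in q_nodes.items()}
    seedable = {q: c for q, c in cands_by_q.items() if c}
    if not seedable:
        return 0.0, {}, {}
    seed = min(seedable, key=lambda q: (len(seedable[q]), q))
    best = (0.0, {}, {})
    for sc in seedable[seed]:
        fixed, paths, queue = {seed: sc}, {}, deque([seed])
        while queue:
            q = queue.popleft()
            steps = ([(d, o, True) for d, o in q_out.get(q, [])]
                     + [(s, o, False) for s, o in q_in.get(q, [])])
            for nq, op, fwd in steps:
                if nq in fixed:
                    continue
                cands = find_candidates(fixed[q], q_nodes[nq], op, fwd, g_nodes, out, inc)
                if not cands:
                    continue
                want = {q_nodes[x] for x, _ in q_out.get(nq, []) + q_in.get(nq, [])}
                pick = min(cands, key=lambda c: (cands[c][0],
                           -len(want & neighbour_types(c, g_nodes, out, inc)), c))
                fixed[nq] = pick
                paths[(q, nq, op) if fwd else (nq, q, op)] = cands[pick][1]
                queue.append(nq)
        score = len(paths) / len(q_edges)
        if score > best[0]:
            best = (score, fixed, paths)
    return best


def hunt(g_nodes=G_NODES, g_edges=G_EDGES, threshold=0.75):
    """Step 4: alarm when the best alignment score exceeds the threshold and
    report the fixed nodes and matched paths for the analyst."""
    score, fixed, paths = match(Q_NODES, Q_EDGES, g_nodes, g_edges)
    return {"score": score, "alert": score > threshold, "fixed": fixed, "paths": paths}
```

On the constructed graph, hunt() seeds on the executable file (the only F:exe node), fixes q_exec to sh and q_dl to curl-child, and then reaches the socket from curl-child by crossing the fork edge to curl, so the path reported for the receive edge has three nodes even though the query edge has two; a name-based or strict single-edge matcher would have missed the flow. On a benign graph containing no process that writes an executable, no query edge is matched, the score is 0 and no alarm is raised.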

Claims (4)

1. A threat hunting method based on graph matching, characterized by comprising the following steps:
1) Constructing a provenance graph: collecting system kernel audit logs and building a provenance graph from the causal relationships and event streams in the system kernel logs;
2) Constructing a query graph: extracting threat entities and the relations among them from cyber threat intelligence to build an attack-related query graph;
3) Graph matching: partitioning the provenance graph with an edge-cut method, distributing the partitions to the sites, running a graph-matching search on each site, computing the similarity between the provenance graph and the query graph, and finding the subgraph of the provenance graph most similar to the query graph, i.e. the one with the highest similarity score;
wherein partitioning the provenance graph with an edge-cut method specifically comprises:
according to the number of candidate nodes of each query node in the provenance graph, taking the candidate set of the query node with the fewest candidates as the set of seed nodes of the partitions; starting from a seed node, each time selecting a node from the neighbour set of the data already partitioned and adding it to the current partition until the current partition reaches its rated load, then partitioning the next partition, thereby completing fragmentation at the master site;
distributing the fragmented provenance graph to the sites, running the graph-matching search on each site and computing the similarity between the provenance graph and the query graph specifically comprises:
after the master site has fragmented the graph, distributing the query graph and the fragments to the sites, each site running the graph matching algorithm to fix candidate nodes of the query graph, and computing the similarity between the provenance graph and the query graph from those candidate nodes;
the graph matching algorithm comprising the following steps:
3.1) extracting technique templates from the ATT&CK model, determining from the query graph the attack technique that serves as the attack meta-behaviour, and each site fusing single nodes of the provenance graph with the meta-behaviour to search for and fix the candidate nodes of the query graph's meta-behaviour;
3.2) fixing the neighbour nodes of the candidate nodes of the query graph's meta-behaviour, taking into account the context semantics of the neighbours and the semantic information of the edges, to fix the candidate nodes of the query graph;
wherein fixing the candidate nodes of the query graph from the context semantics of the neighbours and the semantic information of the edges specifically comprises:
3.2.1) dividing nodes by system entity type into processes, files, sockets and registry keys, and dividing files by file type into sensitive files, library files and executable files;
determining the best candidate node of a query node from the reachable-path information and the types of the query node's neighbours, and if the best candidate agrees with the neighbours' reachable-path information, proceeding to step 3.2.2) to consider the semantic information of the edges;
3.2.2) considering the direction of information flow between nodes and the semantic information of the edges between them, mapping between meta-behaviours or between nodes and matching the edge semantics; if they match, the edge semantics are complete and the candidate node of the query graph is fixed; if they do not match, matching the edge semantics again using the rule of equivalent semantic transfer;
4) Threat early warning: if the highest similarity score exceeds the threshold, alarming immediately and outputting the nodes and paths matched with the query graph.
2. The threat hunting method based on graph matching as claimed in claim 1, wherein in step 1) the system is Linux, FreeBSD and/or Windows.
3. The threat hunting method based on graph matching as claimed in claim 1, wherein in step 3.2.1) determining the best candidate node of a query node from the reachable-path information and the types of the query node's neighbours comprises:
comparing the type of the query node with the type of the provenance node and, if they are the same, taking the provenance node as one of the query node's candidates; giving the candidate a separate weight for each of the following that it matches: the reachable-path information of the query node, its reachable-node information, and the types of its neighbours, the three weights increasing in that order and being cumulative; and finally selecting the candidate with the highest total weight as the best candidate node of the query node.
4. The method for threat hunting based on graph matching as claimed in claim 1, wherein in step 3.2.2), the rule of equivalent semantic delivery specifically includes:
if the semantic information of the edge between two nodes in the query graph is not matched with the semantic information of the edge between the candidate nodes corresponding to the origin graph, different associated entities of the same type of events have different malicious degrees, whether the semantic information of the edge is associated with the attack or not is judged by judging the context information of the associated entities, if the semantic information of the edge is associated with the attack, a path is considered to be reachable, the next node is continuously searched until the semantic information of the edge corresponding to the node is matched, and the candidate nodes of the query graph are fixed.
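Added example in Python (not the patent's own code): the weighted candidate selection of claim 3, the equivalent semantic transmission fallback of claim 4 and the threshold alarm of step 4, run over a constructed query graph and origin graph. The weight values, the per-node attack-context flag, the similarity score (matched query edges over all query edges) and the 0.8 threshold are assumptions of this example.

```python
from collections import deque, namedtuple
# Claim 3 fixes only that the weights rise low to high in the order listed; the values are assumed.
WEIGHTS = (1, 2, 3)  # reachable path info, reachable node info, adjacent-node type
Graph = namedtuple("Graph", "nodes edges")  # nodes[id] = (type, attack_context); edges[(s, d)] = label
def succ(g, nid): return [d for (s, d) in g.edges if s == nid]

def reach(g, nid):  # (reachable edge-label paths, reachable node types, adjacent node types); cycle-safe
    types, paths, seen, queue = set(), set(), {nid}, deque([(nid, ())])
    while queue:
        cur, path = queue.popleft()
        for d in [d for d in succ(g, cur) if d not in seen]:
            p = path + (g.edges[(cur, d)],)
            seen.add(d); types.add(g.nodes[d][0]); paths.add(p); queue.append((d, p))
    return paths, types, {g.nodes[d][0] for d in succ(g, nid)}

def best_candidate(query, origin, q):
    """Step 3.2.1 / claim 3: same-type origin nodes are candidates; each matched criterion adds its weight."""
    scores = {o: sum(w for w, a, b in zip(WEIGHTS, reach(query, q), reach(origin, o)) if a <= b)
              for o, (otype, _) in origin.nodes.items() if otype == query.nodes[q][0]}
    return max(scores, key=scores.get) if scores else None

def match_edge(query, origin, q_edge, o_src):
    """Step 3.2.2 / claim 4: match the edge label directly, else search on through attack-related entities."""
    label, want = query.edges[q_edge], query.nodes[q_edge[1]][0]
    seen, queue = {o_src}, deque([o_src])
    while queue:
        cur = queue.popleft()
        for d in succ(origin, cur):
            if origin.edges[(cur, d)] == label and origin.nodes[d][0] == want:
                return d                              # semantics matched: candidate node fixed
            if d not in seen and origin.nodes[d][1]:  # attack-related context: path counts as reachable
                seen.add(d); queue.append(d)
    return None

def hunt(query, origin, q_root, threshold=0.8):
    """Step 4: similarity = matched query edges / all query edges; alarm when above the threshold."""
    mapping, matched = {q_root: best_candidate(query, origin, q_root)}, 0
    for s, d in query.edges:  # listed so each source node is mapped before its edges are used
        o_d = match_edge(query, origin, (s, d), mapping[s]) if mapping.get(s) else None
        if o_d: mapping[d], matched = o_d, matched + 1
    score = matched / len(query.edges)
    return score > threshold, score, mapping
# Constructed sample: query A-exec->B-write->C, A-read->D; the origin reaches "write" only via p3.
QUERY = Graph({"A": ("process", 0), "B": ("process", 0), "C": ("file", 0), "D": ("file", 0)},
              {("A", "B"): "exec", ("A", "D"): "read", ("B", "C"): "write"})
def origin_graph(p3_attack_related):
    return Graph({"p1": ("process", 0), "p2": ("process", 0), "p3": ("process", p3_attack_related),
                  "f0": ("file", 0), "f1": ("file", 0)},
                 {("p1", "p2"): "exec", ("p1", "f0"): "read", ("p2", "p3"): "clone", ("p3", "f1"): "write"})
```

With p3 marked attack-related the query's "write" edge is reached through the clone edge and the hunt alarms; with the same origin graph but p3 benign, only two of three edges match and no alarm is raised.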
CN202211536047.0A 2022-12-02 2022-12-02 Threat hunting method based on graph matching Active CN115567325B (en)

Publications (2)

Publication Number Publication Date
CN115567325A CN115567325A (en) 2023-01-03
CN115567325B true CN115567325B (en) 2023-03-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant