CN116074022A - Automatic lateral movement identification method based on process control and artificial intelligence - Google Patents

Automatic lateral movement identification method based on process control and artificial intelligence Download PDF

Info

Publication number
CN116074022A
CN116074022A CN202111271495.8A CN202111271495A CN116074022A CN 116074022 A CN116074022 A CN 116074022A CN 202111271495 A CN202111271495 A CN 202111271495A CN 116074022 A CN116074022 A CN 116074022A
Authority
CN
China
Prior art keywords
rdp
session
host
lateral movement
malicious
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111271495.8A
Other languages
Chinese (zh)
Inventor
林薇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Liancheng Technology Development Co ltd
Original Assignee
Nanjing Liancheng Technology Development Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Liancheng Technology Development Co ltd filed Critical Nanjing Liancheng Technology Development Co ltd
Priority to CN202111271495.8A priority Critical patent/CN116074022A/en
Publication of CN116074022A publication Critical patent/CN116074022A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/08Protocols specially adapted for terminal emulation, e.g. Telnet

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for automatically identifying transverse movement based on process control and artificial intelligence, which is characterized in that malicious RDP session can be automatically detected, and each network attack can go through a plurality of stages before being terminated. Lateral movement is one of the particularly important phases, and remote desktop protocol RDP is a major tool used by lateral movement for successfully authenticating identity to an unauthorized host, which host has a footprint on both the host and Windows event log, and for identifying whether an RDP session is malicious by applying a machine learning model to the RDP session in the Windows event log, and the method further comprises the steps of: the method comprises the steps of (1) extracting features, (2) preprocessing, (3) detecting malicious RDP session based on Logitoost algorithm, (4) detecting malicious RDP session, and (5) performing network attack in a lateral movement stage. The invention can detect the transverse movement Cheng Guankong so as to realize early warning of network attack.

Description

Automatic lateral movement identification method based on process control and artificial intelligence
Technical Field
The invention relates to the technical fields of network security, SOC (Security operation center), process control, artificial intelligence and transverse movement, in particular to a method for automatically identifying transverse movement based on process control and artificial intelligence.
Background
Existing security threat detection methods assume that the intrusion is successful and focus on a single event. However, in recent network attacks, particularly complex attacks, the campaign of a single attack by a single hacker is often composed of a plurality of smaller, imperceptible attacks. Detecting these attacks can be challenging because a campaign may develop over time, including multiple phases, each of which is intended to defeat the defenses and occur at a different time.
All attacks that occur in the network space have a pattern that can be described as a series of events that can be divided into different phases, also called a process control model (as shown in fig. 1). Network attacks begin by detecting and identifying targets in the network. Then the weaponized payload is manufactured. The weaponization of payloads typically takes the form of malicious emails and attachments that are sent to the target machines of interest. The attack begins after delivery, after which malicious code is triggered. While malicious code may execute independently, some malware attacks with applications on the target machine. This may include operating system based BUGs (e.g., in RDP and PsExec) to application based BUGs (e.g., in real-time processes such as in Google Chrome and Microsoft Office). The attacker then proceeds to install a secure backdoor on the system or activate a system-built-in function (e.g., RDP), allowing an external persistent connection. After establishing the persistent connection, the attacker may begin performing different operations as it moves laterally in the environment. These operations leave system logs on the target machine and utilize these logs in the detection of lateral mobile attacks.
Most security systems maintain a strong boundary (e.g., firewall, intrusion prevention system) between the internet and the intranet, and an attacker, while being able to choose to access its back target host, has difficulty in launching an attack on the asset residing in the intranet. Thus, attackers often use social engineering techniques (e.g., fishing, baiting, etc.) to decoy network internals to execute malicious code or to submit credentials. This enables an attacker to access the victim's computer and progressively explore valuable information by exploiting vulnerabilities of other intranet entities. This is commonly referred to as lateral movement (Lateral Movement LM).
In the process control model, lateral movement is considered an important network attack behaviour. Lateral movement includes stealing credentials and penetrating into other machines controlled by the attacker to move laterally in the network and gain higher authority to achieve the attacker's goal.
In the lateral movement phase, attackers tend to use legitimate system tools, which makes detection of network attacks a challenging task. However, machine learning (Machine Learning ML) techniques have been widely used in the detection of complex network attacks. Machine learning is an ideal tool for extracting knowledge from data and learning system behaviors, and is an artificial intelligence method.
Advanced persistent threats (Advanced Persistent Threat APT) are typical representatives of the most prominent complex network attacks, with the potential for significant damage to various organizations and businesses. This is a type of covert attack where an attacker has unauthorized access to the network for a long period of time. A backdoor procedure called Carbanak has been reported to cause a dollar loss to a financial institution of 10 billion. In addition, over 8000 ten thousand social security numbers were stolen from the large health insurance company, anthem, which was discovered only after 9 months.
APT detection methods typically rely on network traffic data or host system logs to discover evidence of APT. Network-based intrusion detection has been well explored, but has several drawbacks. First, the information that can be extracted from the network data is limited. For privacy reasons, it is important to extract meaningful information beyond packet statistics and basic quintuples (i.e., source IP, destination IP, source port, destination port, and protocol) without user consent to check the network payload for illegitimate. In addition, more recently 72% of network traffic is encrypted using protocols such as Transport Layer Security (TLS). This makes it challenging to inspect the payload of a packet without significantly degrading system performance. Furthermore, attackers that initiate APT tend to be cautious and often utilize custom protocols, making it more difficult to detect abnormal behavior in network data.
On the other hand, host-based intrusion detection may overcome the limitations described above. At the end host, the data is decrypted, allowing information to be extracted, including payload entropy, packet loss rate, and login failure, which may improve detection performance. In addition, the operating system has a built-in log function and can provide rich information. By enabling or disabling different logging levels and policies, only useful information can be logged. There are multiple stages in APT, some of which leave a footprint to detect intrusion at an early stage. For example, an intruder may access a target host in the intranet, but this operation will generate a suspicious log on the end host.
The remote desktop protocol (Remote Desktop Protocol RDP) is designed by Microsoft to provide remote display and input functionality, while the remote desktop service (Remote Desktop Service RDS) is a native service implementing RDP on the Microsoft Windows platform. Legal network administrators often use this service. However, it is also the main tool used by an attacker during the lateral movement phase, as it is challenging to distinguish between legitimate or malicious uses of the tool.
Disclosure of Invention
In order to solve the technical problems, the invention provides a method for automatically identifying the transverse movement based on process control and artificial intelligence, which adopts a LogitBoost algorithm and Windows RDP event logs to detect the evidence of the transverse movement so as to realize early warning of network attack.
The method for automatically identifying the transverse movement based on the process control and the artificial intelligence is characterized by automatically detecting malicious RDP sessions, wherein each network attack can go through a plurality of stages before being terminated. Lateral movement is one of the particularly important phases, and remote desktop protocol RDP is a major tool used by lateral movement for successfully authenticating identity to an unauthorized host, which host has a footprint on both the host and Windows event log, and for identifying whether an RDP session is malicious by applying a machine learning model to the RDP session in the Windows event log, and the method further comprises the steps of:
(1) Extracting features, including the following features:
user (Usr) User name for RDP identity authentication;
source (Src) Source host initiating RDP identity authentication;
destination (Dst) RDP identity authentication target host;
session duration: duration of RDP Session (seconds);
user time difference include user Usr i Is a two-continuous RDP authentication event e j And e k Is a time difference of (2);
source time difference it contains source host Src i Is a two-continuous RDP authentication event e j And e k Is a time difference of (2);
destination time difference include target host Dst i Is a two-continuous RDP authentication event e j And e k Is a time difference of (2);
mean of session duration for user include user Usr i Average duration of all RDP sessions;
mean of session duration for source it contains source host Src i Average duration of all RDP sessions;
mean of session duration for destination include target host Dst i Average duration of all RDP sessions;
weekday, the workday extracted from the timestamp;
second in a day, time of day (Seconds);
(2) Preprocessing, discarding RDP session events such as short time;
(3) Applying a LogitBoost algorithm to the RDP session in the Windows event log;
(4) Detecting a malicious RDP session;
(5) The network attack is in a lateral mobile phase.
Further, the Logitboost algorithm, (x 1 ,y 1 ),…,(x N ,y N ) Training data for the algorithm, where x i As a feature vector, y i = -1 or y i =1, representing malicious or benign RDP sessions, weight
Figure BDA0003328949300000051
And probability estimation +.>
Figure BDA0003328949300000052
The following steps are repeated for m=1, 2,3, … M:
(1) Calculating job response and weight:
Figure BDA0003328949300000061
w i =p(x i )(1-p(x i ));
(2) By using weights w i Z of (2) i To x i Least mean square regression of weights of (2) to fit a function f m (x);
(3) Updating
Figure BDA0003328949300000062
And->
Figure BDA0003328949300000063
(4) Output classification
Figure BDA0003328949300000064
The invention has the technical effects that:
in the present invention, a method for automatically identifying lateral movement based on process control and artificial intelligence is provided, which is characterized in that malicious RDP sessions can be automatically detected, and each network attack can go through several stages before being terminated. Lateral movement is one of the particularly important phases, and remote desktop protocol RDP is a major tool used by lateral movement for successfully authenticating identity to an unauthorized host, which host has a footprint on both the host and Windows event log, and for identifying whether an RDP session is malicious by applying a machine learning model to the RDP session in the Windows event log, and the method further comprises the steps of: the method comprises the steps of (1) extracting features, (2) preprocessing, (3) detecting malicious RDP session based on Logitoost algorithm, (4) detecting malicious RDP session, and (5) performing network attack in a lateral movement stage. The invention can detect the transverse movement Cheng Guankong so as to realize early warning of network attack.
Drawings
FIG. 1 is a process control schematic of a method for automatically identifying lateral movement based on process control and artificial intelligence;
FIG. 2 is a lateral movement schematic diagram of a method of automatically identifying lateral movement based on process control and artificial intelligence;
FIG. 3 is a schematic diagram of a Windows event log field of a method for automatically identifying lateral movement based on process control and artificial intelligence;
FIG. 4 is a schematic diagram of a method of automatically identifying lateral movement based on process control and artificial intelligence.
Detailed Description
The invention is described in further detail below, with reference to the attached drawings and examples:
FIG. 1 is a process control schematic of a method for automatically identifying lateral movement based on process control and artificial intelligence. The process control comprises three stages; further, the process control includes: a reconnaissance stage, a delivery stage, an installation stage, a right lifting stage, a transverse movement stage, an operation target stage and a withdrawal stage; the three stages are specifically described as follows:
the first stage: the network stage (including reconnaissance stage and delivery stage) is that the enterprise network system operates normally without any invasion; at this stage, a hacker or attacker would employ, for example, a phishing attack to scout the target network; the application provides an anti-reconnaissance technology for detecting the phishing attack.
And a second stage: the endpoint phase (including the installation phase, the rights promotion phase) from which the system is always compromised, the attacker is within the enterprise network, but does not have complete control of the enterprise network.
And a third stage: domain phase or evacuation phase (including lateral movement phase, operation target phase and evacuation phase), attacker can raise authority and control machine completely, and attacker can delete and manipulate log so as to make attack trace disappear.
For the scout phase, an attacker is involved actively or passively collecting information that can be used to support target localization. Such information may include detailed information of the victim's enterprise, critical infrastructure, or staff. The attacker can use this information to assist in other phases of the attacker's lifecycle, such as planning and performing deliveries using the collected information, determining the scope and priority of targets after intrusion, or pushing and leading further scouting work.
FIG. 2 is a lateral movement schematic diagram of a method for automatically identifying lateral movement based on process control and artificial intelligence. In fig. 2, a machine residing in an enterprise network (i.e., host 1) is destroyed by an attacker through social engineering (e.g., phishing). Suppose that there was previously an RDP connection from host 1 to host 2, the credentials for accessing host 2 were cached on host 1. In this case, an attacker may perform credential stealing on host 1 to gain access to another internal host (i.e. laterally moved to host 2) with physical access to the database. Note that these databases are not directly connected to the Internet. The attacker may then attempt to connect to the internal database using the stolen credentials of another internal host. In fact, hackers are less likely to successfully initiate an intrusion without lateral movement, as key assets are typically not directly accessible from outside the network. Thus, the use of lateral movement also facilitates detection of early attacks. The present application provides solutions for lateral movement detection based on host-based RDP evidence.
FIG. 3 is a schematic diagram of Windows event log fields of a method of automatically identifying lateral movement based on process control and artificial intelligence. Collecting Windows event logs, while simple, requires defining the type of system objects to be monitored (e.g., files or registry entries, network events), the type of access to these objects (read, write, rights change, etc.) should be recorded, and which accesses (user, system, all, etc.) should be monitored. The configuration of this information is maintained in three locations: i) A secure access control list (security access control list SACL) that controls the audit access types of all files and registry objects; ii) a local security policy that controls which types of objects and events generate events in the log; and iii) a Windows firewall that in part controls the logging of network specific events (e.g., network connections). Using domain controllers, specific policies can be easily applied to the entire enterprise network.
While opening all logging mechanisms can maximize coverage of possible behaviors, the number of logging events quickly exceeds the commodity storage system and significantly affects the performance of the monitored computer. To filter out most of these events while maintaining their utility in detecting malicious behavior, "read-only" events have been deleted from the collection, as almost all malicious behavior involves some form of modification to the system (reconnaissance is a significant exception). In summary, only the writing, deletion and execution of files/registries, and process generation are ultimately recorded. In addition, windows event IDs associated with the collection of data of the present application are 4624 (indicating that an account has been successfully logged in), 4625 (indicating that an account has failed to log in), and 4634 (indicating that an account has been logged out), which are associated with RDP identity authentication.
As can be seen from FIG. 3, a logo type of 10 in the computer Windows event log indicates that RDP is used for telnet, which is very useful for tracking malicious RDP sessions of the present application.
FIG. 4 is a schematic diagram of a method of automatically identifying lateral movement based on process control and artificial intelligence. The method comprises the following steps:
1. extracting features, including the following features:
user (Usr) User name for RDP identity authentication;
source (Src) Source host initiating RDP identity authentication;
destination (Dst) RDP identity authentication target host;
session duration: duration of RDP Session (seconds);
user time difference include user Usr i Is to be used for two continuous RDP identity authentication eventsPiece e j And e k Is a time difference of (2);
source time difference it contains source host Src i Is a two-continuous RDP authentication event e j And e k Is a time difference of (2);
destination time difference include target host Dst i Is a two-continuous RDP authentication event e j And e k Is a time difference of (2);
mean of session duration for user include user Usr i Average duration of all RDP sessions;
mean of session duration for source it contains source host Src i Average duration of all RDP sessions;
mean of session duration for destination include target host Dst i Average duration of all RDP sessions;
weekday, the workday extracted from the timestamp;
second in a day, time of day (Seconds).
It should be noted that not all attributes in the original dataset are used to extract the features described above. The functions of event ID, process name, process ID, login type description, and domain name have the same value in all events. Thus, they are deleted from the function list. The login ID is only used to calculate the session duration.
2. Pretreatment of
An event log of authentication type 10 is collected for Windows event ID 4624 (indicating that an account has been successfully logged in), 4625 (indicating that an account has failed to log in), and 4634 (indicating that an account has been logged out). Event logs lacking the source host are discarded, and the data sets of invalid data items and RDP session events of very short session length are purged.
In addition, the attacker's authentication event contains only the login event (ID 4634), and does not contain the logoff event (ID 4634). Thus, this may prevent the calculation of malicious RDP session duration. To this end, session duration is generated for each aggressor event according to a normal distribution
Figure BDA0003328949300000114
Where μ and σ are the mean and standard deviation, respectively, calculated from the durations of all benign RDP sessions. Although a random distribution may be more reasonable, since the attack may last any time, it is assumed that the attack has a similar behavior (session time) as a benign user. This assumption makes classification more difficult because the malicious data points are closer to the benign data points in this feature. It also makes the data more realistic, as some attackers may simulate benign activities to avoid detection.
3. The Logitoost algorithm comprises the following steps:
1、(x 1 ,y 1 ),…,(x N ,y N ) Training data for the algorithm, where x i As a feature vector, y i = -1 or y i =1, representing malicious or benign RDP sessions;
2. weighting of
Figure BDA0003328949300000111
And probability estimation +.>
Figure BDA0003328949300000112
3. The following steps are repeated for m=1, 2,3, … M:
(1) Calculating job response and weight:
Figure BDA0003328949300000113
w i =p(x i )(1-p(x i ))。
(2) By using weights w i Z of (2) i To x i Least mean square regression of weights of (2) to fit a function f m (x)。
(3) Updating
Figure BDA0003328949300000121
And->
Figure BDA0003328949300000122
(4) Output classification
Figure BDA0003328949300000123
4. Malicious RDP sessions
Based on the LogitBoost algorithm, malicious RDP sessions are detected.
5. Stage of lateral movement
Network attacks are in the lateral mobile phase, malicious RDP sessions are often used by attackers to implement remote attacks in the lateral mobile phase.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the invention; all changes and modifications that come within the meaning and range of equivalency of the invention are to be embraced within their scope.

Claims (2)

1. The method is characterized in that a malicious RDP session can be automatically detected, each network attack can go through several stages before being terminated, the lateral movement is one of the particularly important stages, the remote desktop protocol RDP is a main tool used for the lateral movement and is used for successfully carrying out identity authentication on an unauthorized host, the host can leave footprints on the host and Windows event logs, and whether the RDP session is malicious or not is identified by applying a machine learning model to the RDP session in the Windows event logs, and the method further comprises the following steps:
(1) Extracting features, including the following features:
user (Usr) User name for RDP identity authentication;
source (Src) Source host initiating RDP identity authentication;
destination (Dst) RDP identity authentication target host;
session duration: duration of RDP Session (seconds);
user time difference include user
Figure 242960DEST_PATH_IMAGE001
Two consecutive RDP authentication events +.>
Figure 422269DEST_PATH_IMAGE002
And->
Figure 149922DEST_PATH_IMAGE003
Is a time difference of (2);
source time difference include source host
Figure 465497DEST_PATH_IMAGE004
Is +.>
Figure 253193DEST_PATH_IMAGE002
And->
Figure 654219DEST_PATH_IMAGE003
Is a time difference of (2);
destination time difference it contains target host
Figure 137895DEST_PATH_IMAGE005
Is +.>
Figure 557244DEST_PATH_IMAGE002
And
Figure 266574DEST_PATH_IMAGE003
is a time difference of (2);
mean of session duration for user include user
Figure 341846DEST_PATH_IMAGE006
Average duration of all RDP sessions;
mean of session duration for source include source host
Figure 411302DEST_PATH_IMAGE004
Average duration of all RDP sessions;
mean of session duration for destination it contains target host
Figure 701469DEST_PATH_IMAGE005
Average duration of all RDP sessions;
weekday, the workday extracted from the timestamp;
second in a day, time of day (Seconds);
(2) Preprocessing, discarding RDP session events such as short time;
(3) Applying a LogitBoost algorithm to the RDP session in the Windows event log;
(4) Detecting a malicious RDP session;
(5) The network attack is in a lateral mobile phase.
2. The process control and artificial intelligence based method for automatically identifying lateral movement of claim 1, wherein the LogitBoost algorithm @ is
Figure 833898DEST_PATH_IMAGE007
,/>
Figure 209515DEST_PATH_IMAGE008
),…,(/>
Figure 82662DEST_PATH_IMAGE009
,/>
Figure 227336DEST_PATH_IMAGE010
) Training data for the algorithm, wherein +.>
Figure 527736DEST_PATH_IMAGE011
Is a feature vector +_>
Figure 390650DEST_PATH_IMAGE012
= -1 or->
Figure 801908DEST_PATH_IMAGE012
=1, indicating malicious or benign RDP session, weight ++>
Figure 66668DEST_PATH_IMAGE013
=/>
Figure 275320DEST_PATH_IMAGE014
I=1, 2, …, N, F (x) =0, and probability estimation p (++>
Figure 625530DEST_PATH_IMAGE011
)=/>
Figure 840479DEST_PATH_IMAGE015
The following steps are repeated for m=1, 2,3, … M:
(1) Calculating job response and weight:
Figure 959745DEST_PATH_IMAGE016
=/>
Figure 601948DEST_PATH_IMAGE017
,/>
Figure 173874DEST_PATH_IMAGE013
=p(/>
Figure 864619DEST_PATH_IMAGE011
)(1- p(/>
Figure 356167DEST_PATH_IMAGE011
));
(2) By using weights
Figure 920004DEST_PATH_IMAGE013
Is->
Figure 228494DEST_PATH_IMAGE016
To->
Figure 535979DEST_PATH_IMAGE011
Least mean square regression of weights of (2) to fit a function +.>
Figure 879105DEST_PATH_IMAGE018
(3) Update F (x)
Figure 613842DEST_PATH_IMAGE019
F(x)+/>
Figure 409629DEST_PATH_IMAGE020
And p (x) = =>
Figure 255225DEST_PATH_IMAGE021
(4) Output classification sign [ F (x)]= sign[
Figure 444068DEST_PATH_IMAGE022
]。/>
CN202111271495.8A 2021-10-29 2021-10-29 Automatic lateral movement identification method based on process control and artificial intelligence Pending CN116074022A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111271495.8A CN116074022A (en) 2021-10-29 2021-10-29 Automatic lateral movement identification method based on process control and artificial intelligence

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111271495.8A CN116074022A (en) 2021-10-29 2021-10-29 Automatic lateral movement identification method based on process control and artificial intelligence

Publications (1)

Publication Number Publication Date
CN116074022A true CN116074022A (en) 2023-05-05

Family

ID=86182368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111271495.8A Pending CN116074022A (en) 2021-10-29 2021-10-29 Automatic lateral movement identification method based on process control and artificial intelligence

Country Status (1)

Country Link
CN (1) CN116074022A (en)

Similar Documents

Publication Publication Date Title
JP6894003B2 (en) Defense against APT attacks
US10044746B2 (en) Synthetic cyber-risk model for vulnerability determination
Yaacoub et al. Advanced digital forensics and anti-digital forensics for IoT systems: Techniques, limitations and recommendations
Zimba Malware-free intrusion: a novel approach to ransomware infection vectors
AU2015268719A1 (en) System and method for identifying unauthorized activities on a computer system using a data structure model
JP2013532869A (en) System and method for local protection against malicious software
Zhang et al. User intention-based traffic dependence analysis for anomaly detection
Sequeira Intrusion prevention systems: security's silver bullet?
Umar et al. Mitigating sodinokibi ransomware attack on cloud network using software-defined networking (SDN)
Bajpai et al. Know thy ransomware response: a detailed framework for devising effective ransomware response strategies
Burji et al. Malware analysis using reverse engineering and data mining tools
Aljurayban et al. Framework for cloud intrusion detection system service
Alsmadi Cyber threat analysis
Li et al. A model of APT attack defense based on cyber threat detection
EP3252645B1 (en) System and method of detecting malicious computer systems
Georgina et al. Deception based techniques against ransomwares: a systematic review
Al Shibani et al. Automated Threat Hunting Using ELK Stack-A Case Study
Kono et al. An unknown malware detection using execution registry access
CN116074022A (en) Automatic lateral movement identification method based on process control and artificial intelligence
Akinyemi et al. Analysis of the LockBit 3.0 and its infiltration into Advanced's infrastructure crippling NHS services
Brill From hit and run to invade and stay: How cyberterrorists could be living inside your systems
US20200382552A1 (en) Replayable hacktraps for intruder capture with reduced impact on false positives
Morgan et al. Network attacks and the data they affect
Yadav et al. Defense-in-depth approach for early detection of high-potential advanced persistent attacks
Rajaallah et al. Intrusion Detection Systems: To an Optimal Hybrid Intrusion Detection System

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination