CN116436701B - Method, device, equipment and storage medium for predicting network attack - Google Patents


Info

Publication number: CN116436701B
Application number: CN202310690622.0A
Other versions: CN116436701A (en)
Authority: CN (China)
Inventors: 张文琴, 李震宇, 黄凯
Assignee: Hangzhou Mingshi Technology Co ltd
Legal status: Active

Classifications

    • H04L63/1441 Network security: countermeasures against malicious traffic
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L9/40 Network security protocols

Abstract

The present disclosure discloses a method, apparatus, device and storage medium for predicting network attacks. The method comprises the following steps: determining a current attack means and a plurality of potential attack targets according to the current attack targets; processing the current attack means by utilizing the attack prediction model to obtain potential attack means and occurrence probability thereof; acquiring a static detection result of each potential attack target; calculating an attack risk value of each potential attack target under the potential attack means according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target and the conditional probability of the attack means under the static detection result; and determining the potential attack target with the largest attacked risk value as the predicted attack target. The method of the embodiment of the invention can screen the predicted attack target most likely to be attacked by utilizing the attacked risk value, efficiently and accurately complete the prediction of the attack target in the next stage and improve the prediction accuracy.

Description

Method, device, equipment and storage medium for predicting network attack
Technical Field
The present disclosure relates generally to the field of network security technology. More particularly, the present disclosure relates to a method, apparatus, electronic device, and computer readable storage medium for predicting network attacks.
Background
Network security technologies generally predict network security situations, so that the security state of a network is mastered before a network attack event occurs, and corresponding protective measures are timely taken to avoid unnecessary attacks and losses.
Among known cyber attack threats there is a class of attacks known as advanced persistent threats (APT), which pose a significant threat to important information systems in finance, energy, transportation, government, military and telecommunications because they are organized, targeted and extremely long-lasting. The attack channels of an APT are diverse, its dwell time is long, and its attack characteristics are difficult to extract, so the next attack means in the attack chain is difficult to predict, which creates a great security threat.
The network attack prediction method provided by the prior art determines a plurality of attack chains according to the disclosed network attack event, determines the current attack stage according to the network attack currently suffered by the target host, predicts the next attack stage by referring to the sequence of the attack stages on the attack chains, but cannot predict the attack target, and cannot provide more accurate prediction information for the network security situation prediction process.
In view of this, it is desirable to provide a network attack prediction scheme, so as to efficiently and accurately predict the attack target of the next stage, and improve the prediction accuracy.
Disclosure of Invention
To address at least one or more of the technical problems mentioned above, the present disclosure proposes a network attack prediction scheme in various aspects.
In a first aspect, the present disclosure provides a method for predicting a network attack comprising: determining a current attack means and a plurality of potential attack targets according to the current attack targets; processing the current attack means by utilizing the attack prediction model to obtain potential attack means and occurrence probability thereof; acquiring a static detection result of each potential attack target; calculating an attack risk value of each potential attack target under the potential attack means according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target and the conditional probability of the attack means under the static detection result; and determining the potential attack target with the largest attacked risk value as the predicted attack target.
In some embodiments, wherein calculating the risk of attack value for each potential attack target comprises: calculating the attack probability of each potential attack target by the potential attack means according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target and the conditional probability of the attack means under the static detection result; determining a preset target value of each potential attack target; and taking the product of the attack probability of each potential attack target and the preset target value as the attack risk value of each potential attack target.
In some embodiments, wherein after determining the predicted attack target, the method further comprises: aiming at the predicted attack target, calculating the attack probability of each potential attack means according to the potential attack means and the occurrence probability thereof, the static detection result of the predicted attack target and the conditional probability of the occurrence of the attack means under the static detection result; and determining the potential attack means with the largest attack probability as the prediction attack means.
In some embodiments, the static detection result of each potential attack target includes a security feature that the potential attack target has, wherein calculating the probability of being attacked for each potential attack target includes: generating a Has function of each potential attack target aiming at each security feature according to the static detection result of each potential attack target; generating a probability function of each potential attack means for each security feature according to the conditional probability of the attack means under the static detection result; and calculating the attack probability of each potential attack target according to the Has function, the probability function and the occurrence probability of each potential attack means.
In some embodiments, calculating the probability of being attacked for each potential attack target from the Has function, the probability function and the occurrence probability of each potential attack means comprises: calculating the attack probability of the potential attack target according to a formula in which P(b) represents the probability of potential attack target b being attacked, T represents the set of potential attack means, t represents a potential attack means, f represents a security feature of potential attack target b, F represents the set of security features of potential attack target b, P(t) represents the occurrence probability of potential attack means t, the probability function of each potential attack means t is taken for each security feature f, and Has(b, f) represents the Has function of each potential attack target for each security feature.
In some embodiments, calculating the attack probability of each potential attack means for the predicted attack target comprises: for the predicted attack target b, calculating the attack probability of each potential attack means t according to a formula in which the attack probability represents the probability that the predicted attack target b is attacked by potential attack means t, f represents a security feature of potential attack target b, F represents the set of security features of potential attack target b, P(t) represents the occurrence probability of potential attack means t, the probability function of each potential attack means t with respect to each security feature f reflects the conditional probability of potential attack means t occurring under the static detection result, and Has(b, f) represents the Has function of each potential attack target for each security feature and reflects the static detection result of potential attack target b.
In some embodiments, wherein generating a Has function for each security feature for each potential attack target comprises: if the potential attack target b Has the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 1; and if the potential attack target b does not have the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 0.
In some embodiments, generating a probability function for each potential attack means for each security feature comprises: carrying out numerical statistics on the historical static detection results and the associated historical attack means to obtain a probability function rel(t, f) of each attack means for each security feature; and deriving the probability function of each potential attack means for each security feature from rel(t, f) and the potential attack means; wherein rel(t, f) ∈ [0, 1], t represents an attack means, the derived probability function also takes values in [0, 1], and f represents a security feature.
In some embodiments, wherein after determining the predictive attack means, the method further comprises: and adopting an attack reduction means aiming at the predicted attack means for the predicted attack target.
In some embodiments, wherein determining the current attack means based on the current attack target comprises: dynamically monitoring a current attack target to obtain a dynamic monitoring log of the current attack target; processing the dynamic monitoring log according to a preset rule to generate a safety alarm; and determining the current attack means of the current attack target according to the security alarm.
In some embodiments, wherein determining potential attack targets from current attack targets comprises: collecting local network topology structure and network connectivity information; taking the target meeting the preset condition and the current attack target as potential attack targets; the preset condition includes that the target and the current attack target are in the same link in the local network topology structure, and the network connectivity information of the link is connected.
In some embodiments, wherein prior to processing the current attack means using the attack prediction model, the method further comprises: acquiring historical attack data; intercepting a historical attack chain according to the historical attack data; extracting features of the historical attack chain to obtain a training sample; and training the model by using the training sample to obtain an attack prediction model.
In some embodiments, the historical attack data is an ordered sequence formed by a historical attack means, and the historical attack chain is a subsequence of the ordered sequence.
In a second aspect, the present disclosure provides an apparatus for predicting a network attack comprising: the static detection module is used for carrying out static detection on potential attack targets; and an attack prediction module communicatively coupled to the static detection module and operative in concert to perform the method of the first aspect.
In some embodiments, the apparatus further comprises: the network information acquisition module is used for acquiring the local network topological structure and the network connectivity information so as to enable the attack prediction module to determine potential attack targets; and the dynamic monitoring module is used for dynamically monitoring the current attack target so as to ensure that the attack prediction module determines the current attack means.
In a third aspect, the present disclosure provides an electronic device comprising: a processor; and a memory having executable code stored thereon that, when executed by the processor, causes the processor to perform the method of the first aspect.
In a fourth aspect, the present disclosure provides a non-transitory computer-readable storage medium having executable code stored thereon, which when executed by a processor of an electronic device, causes the processor to perform the method of the first aspect.
By the attack prediction method provided by the embodiment of the disclosure, potential attack means and potential attack targets can be determined according to the current attack targets, and the attack risk value of each potential attack target under the potential attack means is calculated by combining the static detection result of the potential attack targets, the occurrence probability of the potential attack means and the conditional probability of the occurrence of the attack means under the static detection result, so that the attack risk value is utilized to judge which target in the potential attack targets is highest in risk of the potential attack means, the next stage of attack targets are accurately predicted, and more accurate prediction information is provided for the network security situation prediction process, so that efficient and accurate network security control is performed on the predicted attack targets.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar or corresponding parts and in which:
FIG. 1 illustrates an exemplary flow chart of a network attack prediction method 100 of some embodiments of the present disclosure;
FIG. 2 illustrates an exemplary flow chart of a method 200 of computing a risk of attack value in accordance with some embodiments of the present disclosure;
FIG. 3 illustrates an exemplary flow chart of a method 300 of computing probability of attack for some embodiments of the present disclosure;
FIG. 4 illustrates an exemplary flow chart of a network attack prediction method 400 of further embodiments of the present disclosure;
FIG. 5 illustrates an exemplary flowchart of an attack means determination method 500 of some embodiments of the present disclosure;
FIG. 6 illustrates an exemplary flow chart of a model training method 600 of some embodiments of the present disclosure;
FIG. 7 illustrates an exemplary block diagram of a network attack prediction device 700 in accordance with some embodiments of the present disclosure;
FIG. 8 illustrates an exemplary block diagram of an electronic device 800 of some embodiments of the present disclosure.
Detailed Description
The following description of the embodiments of the present disclosure will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the disclosure. Based on the embodiments in this disclosure, all other embodiments that may be made by those skilled in the art without the inventive effort are within the scope of the present disclosure.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present disclosure is for the purpose of describing particular embodiments only, and is not intended to be limiting of the disclosure. As used in the specification and claims of this disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should be further understood that the term "and/or" as used in the present disclosure and claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection" depending on the context. Similarly, the phrase "if a determination" or "if a [described condition or event] is detected" may be interpreted in context as meaning "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
Specific embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Exemplary application scenarios
APT generally refers to a group of attackers that use relatively complex and highly targeted attack means to intrude into a particular target repeatedly in order to steal sensitive information or take control of systems, and such threats can persist for a long period of time. Compared with other forms of attack, an APT poses a greater threat to network security because of its greater concealment, persistence and potential for harm.
The cyber security threat knowledge base ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is provided in the current cyber security field; it describes a variety of tactics and techniques that may be used by an attacker, as well as the specific ways an attacker may carry them out. ATT&CK unifies the standard for describing malicious network attack behavior and subdivides the various network attack behaviors corresponding to attack behavior data. The ATT&CK framework organizes this information in a structured model that can help network security professionals better understand and handle attacks from threat actors.
The network attack prediction scheme provided by the present disclosure can make a comprehensive judgment by combining the static detection results and other information of each target under the ATT&CK framework, and can efficiently and accurately predict APT attacks, which have specific targets and whose attack characteristics are difficult to extract, so as to lock onto the attack target of the next stage of the attack chain.
The existing scheme for predicting network attack based on the attack chain can only predict the next attack stage, cannot accurately lock an attack target, and cannot provide more accurate prediction information for a network security situation prediction process.
Exemplary embodiment
In view of this, the embodiments of the present disclosure provide a network attack prediction scheme, which calculates an attacked risk value of each potential attack target by a potential attack means according to a static detection result of the potential attack target, an occurrence probability of the potential attack means, and a conditional probability of the occurrence of the attack means under the static detection result, and screens out a predicted attack target most likely to be attacked by the attack risk value, so that prediction of the attack target in the next stage can be efficiently and accurately completed.
Fig. 1 illustrates an exemplary flow chart of a network attack prediction method 100 of some embodiments of the present disclosure.
As shown in fig. 1, in step S101, a current attack means and a plurality of potential attack targets are determined according to a current attack target.
In this embodiment, the target currently under the network attack is called a, and since the current attack target a has been subjected to the network attack, the current attack means of the attacker can be obtained by detecting the state of the current attack target a.
It should be noted that when the method is executed under the ATT&CK framework, the attack means herein may be regarded as an attack technique in ATT&CK, such as Drive-by Compromise, etc. In addition, an attacker may attack the current attack target a using a single attack means or multiple attack means, i.e. the number of current attack means may be one or more, and a plurality of current attack means may together constitute an attack tactic as shown in ATT&CK.
In this embodiment, the potential attack target refers to a target that an attacker has a possibility of attack in the next attack stage, and at least needs to satisfy the following conditions: is within the scope of an attacker's attack. Based on the condition, it can be known that the attacker can choose to continue to attack the current attack target a in the next attack stage, and can choose to attack the target q directly connected with the current attack target a.
Further, potential attack targets may be determined by analyzing the network topology. Taking multiple hosts under the same network as an example, the network topology structure can be represented by a directed graph G = <V, E>, where V represents the set of all hosts in the network and E represents the set of directed edges between the hosts; the attack range of the attacker can then be represented as {a} ∪ {q | <a, q> ∈ E, q ∈ V}. It can be understood that the attack range of the attacker includes the current attack target a and every target q directly reachable from the current attack target.
In practical application, a network information acquisition module can acquire a local network topology structure and network connectivity, and a potential attack target is determined through the following steps:
collecting local network topology structure and network connectivity information;
and taking the target meeting the preset condition and the current attack target as potential attack targets.
Wherein the preset conditions include: in the local network topology structure, the target and the current attack target are in the same link, and the network connectivity information of the link is connected.
The network topology is a physical layout feature of physical connection of various transmission media such as network cables, etc., and can be used for representing network configuration and connection of network servers, workstations and network devices by describing two most basic graphic elements such as points and lines in geometry.
Taking a plurality of hosts under the same network as an example, one node in the local network topology structure is a host, one line is a link, the nodes at two ends of the link are directly connected, and the network connectivity information reflects whether the link is in a connected state or a disconnected state.
When the target is in the same link with the current attack target and the link is communicated, the attacker can directly reach the target from the current attack target, so that the target is in the attack range of the attacker.
In step S102, the current attack means is processed by using the attack prediction model to obtain potential attack means and occurrence probability thereof.
In this embodiment, the current attack means is input into the attack prediction model, so that the attack means possibly adopted by the attacker in the next attack stage, which is also called as potential attack means, can be obtained.
After the current attack means is input into the attack prediction model, the attack prediction model outputs a set T = {t_1, t_2, …, t_i} of attack means possibly adopted by the attacker in the next attack stage, and further a set of occurrence probabilities {P(t_i) | t_i ∈ T, 0 ≤ P(t_i) ≤ 1}.
It should be noted that the number of potential attack means output by the attack prediction model may be one or more. Assume that the attack means available to the attacker are t_A, t_B, t_C, t_D, t_E, t_F and t_G, seven kinds in total. If the current attack means are t_A and t_C, the corresponding feature vector can be expressed as <1,0,1,0,0,0,0>; after processing by the attack prediction model, the output takes the form <0,0.2,0,0.4,0,0.6,0.7>, which indicates that the potential attack means include t_B, t_D, t_F and t_G.
The output feature vector is normalized to obtain the occurrence probability of each potential attack means. Taking the prediction <0,0.2,0,0.4,0,0.6,0.7> as an example again: the occurrence probability of potential attack means t_B is P(t_B) = 0.2/(0.2+0.4+0.6+0.7) × 100% = 10.5%, that of t_D is P(t_D) = 0.4/(0.2+0.4+0.6+0.7) × 100% = 21.1%, and so on; that of t_F is P(t_F) = 0.6/(0.2+0.4+0.6+0.7) × 100% = 31.6%, and that of t_G is P(t_G) = 0.7/(0.2+0.4+0.6+0.7) × 100% = 36.8%.
It should be noted that the above feature vector of the input attack prediction model and the output prediction result are only one example given in the present embodiment, and do not constitute a unique limitation to the attack prediction model.
In step S103, a static detection result of each potential attack target is acquired.
In practical application, the static detection module performs a health check on the target, so as to obtain the static detection result of the target. The main items of static detection include baseline detection, weak password detection, vulnerability detection, malicious program/virus detection, rootkit detection and the like. Whether the detected target has a weak password or not is a security feature of that target, so based on the items of static detection, each target can construct a security feature set F to represent its security condition, where the security features can include whether the target has a weak password, whether the target has a specific application installed, whether the target has an SSH port open, and the like; the static detection result of each potential attack target includes the security features of that potential attack target (the set F).
It should be further noted that, in this embodiment, the execution timing of step S102 and step S103 is not strictly required, and in practical application, step S103 may be executed prior to step S102 or may be executed in parallel with step S102.
In step S104, an attack risk value for each potential attack target is calculated.
Specifically, in step S104, the attack risk value of each potential attack target for the potential attack means is calculated according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target, and the conditional probability of the occurrence of the attack means under the static detection result.
It should be noted that in ATT&CK the attack techniques and security features have an association relationship: when a target has a certain security feature, a certain attack technique may be applicable, easily applied, or likely to succeed, so the degree of association between that security feature and that attack technique is high, and when another target has the same security feature, that target is considered to have a high conditional probability of being attacked by that attack technique. For example, in the attack tactic Credential Access there is an attack technique Brute Force with the sub-technique Password Guessing, which only succeeds easily when the target has a weak password. Likewise, in the attack tactic Lateral Movement there is an attack technique Remote Services with the sub-technique SSH, which may only succeed if the SSH service on the target allows remote login.
In view of this, the security feature of each potential attack target can be determined according to the static detection result of each potential attack target, the conditional probability of a certain attack means under each security feature can be obtained according to the conditional probability of an attack means under the static detection result, and then the attack risk value of a potential attack target under the current situation of the potential attack means can be calculated by combining the occurrence probability of each potential attack means.
In step S105, it is determined that the potential attack target with the largest risk value under attack is the predicted attack target.
The step S104 may calculate an attack risk value of each potential attack target, where a higher attack risk value indicates that the potential attack targets are more likely to be attacked, and the potential attack target with the highest attack probability is the final predicted attack target.
Further, the attack risk value may combine quantized data in two dimensions: one is a preset target value and the other is the target's attack probability. The preset target value is a value set for each target in advance and reflects the value of the data assets on the target; the quantized data of this dimension essentially evaluates the loss incurred after the target is attacked. The attack probability reflects the likelihood that the target is attacked; the quantized data of this dimension essentially evaluates the probability that the target is attacked.
The combination of quantized data in two dimensions is motivated by the following: when the attack probabilities of the potential attack targets differ greatly, the potential attack target with the large attack probability is preferentially treated as the predicted attack target, so that the subsequent attack can be intercepted successfully. However, when the difference between the attack probabilities of two potential attack targets is small, and the potential attack target with the smaller attack probability has the higher data asset value, the loss caused by an attack on it would be hard to bear, so it still needs to be treated as the predicted attack target and protected.
Still further, in some embodiments, the present disclosure provides a method of attack risk value calculation. Fig. 2 illustrates an exemplary flow chart of a method 200 of computing an attack risk value in accordance with some embodiments of the present disclosure. It will be appreciated that the attack risk value calculation method is a specific implementation of step S104 described above, and thus the features described above in connection with fig. 1 may be similarly applied thereto.
As shown in fig. 2, in step S201, the probability of being attacked by each potential attack target is calculated.
Specifically, in step S201, the attack probability may be calculated according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target, and the conditional probability of occurrence of the attack means under the static detection result.
Further, the present embodiment provides the calculation formula

$$P(b) = \sum_{\hat{t} \in T} \sum_{f \in F} P(\hat{t}) \cdot rel(\hat{t}, f) \cdot Has(b, f)$$

for the probability of being attacked, wherein $P(\hat{t})$ represents the occurrence probability of the potential attack means $\hat{t}$ ($\hat{t}$ is used here to render the page's marked symbol for a potential attack means, as distinct from a generic attack means t), $rel(\hat{t}, f)$ represents the probability function of each potential attack means $\hat{t}$ for each security feature f, and Has(b, f) represents the Has function of each potential attack target b for each security feature f.
According to the description in the foregoing embodiment, an attack technique has an association relation with a security feature, and when the target has a certain security feature, a certain attack technique may be applied; this association relation may be represented by a probability function rel(t, f), which represents the conditional probability that the target is attacked by the attack means t when the target has the security feature f. Thus, $rel(\hat{t}, f)$ essentially reflects the conditional probability of occurrence of the potential attack means $\hat{t}$.
The Has function determines whether an object has a certain attribute or method, so whether the potential attack target b has the security feature f can be determined from the value of Has(b, f); that is, Has(b, f) reflects the static detection result of the potential attack target b.
In addition, P(b) represents the probability of the potential attack target b being attacked, T represents the set of potential attack means, $\hat{t}$ represents a potential attack means, f represents a security feature possessed by the potential attack target b, and F represents the set of security features possessed by the potential attack target b.
In step S202, a preset target value for each potential attack target is determined.
Since different targets have different data assets, the value of the different data assets is different, so that corresponding value differences exist among the targets, and in order to reflect the value differences, a preset target value can be set for each target.
What has been described above is that the data assets have different values, and in practice, the reasons for the difference in value may also include other factors, such as equipment costs, and the like.
In step S203, the product of the attack probability of each potential attack target and the preset target value is taken as the attack risk value of each potential attack target.
Assuming that the preset target value of the potential attack target b is Value(b), the attack risk value may be expressed as Value(b) · P(b), and the process of determining the predicted attack target can be regarded as screening for the maximum value of Value(b) · P(b).
To improve the accuracy of predictions, the present disclosure provides a method of calculating probability of attack that is applicable to any of the previous embodiments. Fig. 3 illustrates an exemplary flow chart of a method 300 of computing probability of attack for some embodiments of the present disclosure. It will be appreciated that the method of calculating the probability of attack is a specific implementation of step S201 described above, and so the features described above in connection with fig. 2 may be similarly applied thereto.
As shown in fig. 3, in step S301, a Has function of each potential attack target for each security feature is generated according to the static detection result of each potential attack target.
Illustratively, the execution of step S301 is as follows:
if the potential attack target b Has the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 1;
if the potential attack target b does not have the security feature f, the value of the Has function Has (b, f) of the potential attack target b for the security feature f is 0.
Taking the attack tactic Lateral Movement as an example, the attack technique Remote Services and sub-technique SSH can only succeed if the SSH service on the target allows telnet. Assuming that the potential attack target b has the security feature f "SSH service allows telnet", the Has function of the potential attack target b for that security feature f is Has(b, f) = 1.
In step S302, a probability function for each security feature for each potential attack means is generated from the conditional probabilities of the attack means occurring under the static detection result.
In this embodiment, numerical statistics may first be performed on the historical static detection results and their associated historical attack means to obtain a distribution ratio, which may be regarded as the probability function rel(t, f) of each attack means for each security feature; the potential attack means $\hat{t}$ then replaces t in rel(t, f) to give the probability function $rel(\hat{t}, f)$ of each potential attack means for each security feature, wherein rel(t, f) ∈ [0, 1] and $rel(\hat{t}, f)$ ∈ [0, 1].
It should be noted that, in the present embodiment, the execution timing of step S301 and step S302 is not strictly required, and in practical application, step S302 may be executed prior to step S301 or parallel to step S301, which is not limited only herein.
In step S303, the probability of being attacked by each potential attack target is calculated according to the Has function, the probability function, and the occurrence probability of each potential attack means.
Specifically, the products of the Has function, the probability function and the occurrence probability of each potential attack means are doubly summed to obtain the attack probability of each potential attack target; the specific calculation formula of this process is $P(b) = \sum_{\hat{t} \in T} \sum_{f \in F} P(\hat{t}) \cdot rel(\hat{t}, f) \cdot Has(b, f)$.
Taking the attack tactic Lateral Movement as an example, with the attack technique Remote Services and sub-technique SSH as a potential attack means: when the potential attack target does not have the corresponding security feature, the value of the Has(b, f) term is 0, so whatever the occurrence probability of Remote Services / SSH, it cannot increase the attack probability of the potential attack target b.
Introducing the Has function thus eliminates the interference of attack means that are impossible against the current potential attack target on its attack probability, which ensures the accuracy of the attack probability and in turn the accuracy of the prediction.
In the network attack prediction process, after the predicted attack target is locked, the attack means possibly adopted by an attacker in the next attack stage can be further determined, namely, the predicted attack means is determined, so that a targeted protection measure is implemented on the predicted attack target aiming at the predicted attack means.
Fig. 4 illustrates an exemplary flow chart of a network attack prediction method 400 of further embodiments of the present disclosure.
As shown in fig. 4, in step S401, a predicted attack target is determined according to the current attack target.
It should be noted that the specific implementation of step S401 has been described in detail in the foregoing embodiments and will not be repeated here.
In step S402, attack probabilities for each potential attack means are calculated for the predicted attack targets.
In this embodiment, the attack probability of each potential attack means is calculated according to the potential attack means and the occurrence probability thereof, the static detection result of the predicted attack target, and the conditional probability of the occurrence of the attack means under the static detection result.
Specifically, for the predicted attack target b, the attack probability of each potential attack means $\hat{t}$ may be calculated according to the formula

$$P(b, \hat{t}) = \sum_{f \in F} P(\hat{t}) \cdot rel(\hat{t}, f) \cdot Has(b, f)$$

wherein the attack probability (denoted here as $P(b, \hat{t})$) indicates the probability that the predicted attack target b is subject to the potential attack means $\hat{t}$, f represents a security feature of the potential attack target b, F represents the set of security features of the potential attack target b, and $P(\hat{t})$ represents the occurrence probability of the potential attack means $\hat{t}$.
$rel(\hat{t}, f)$ represents the probability function of each potential attack means $\hat{t}$ with respect to each security feature f; according to the description in the previous embodiment, $rel(\hat{t}, f)$ reflects the conditional probability of the attack means occurring under the static detection result.
In the present embodiment, $rel(\hat{t}, f)$ may be generated in the manner of step S302 in the previous embodiment, and will not be described here again.
Has (b, f) represents the Has function of each potential attack target for each security feature, and reflects the static detection result of potential attack target b according to the description in the previous embodiment.
In this embodiment, has (b, f) may be generated according to the method of step S301 in the previous embodiment, which is not described herein.
In step S403, the potential attack means with the greatest attack probability is determined as the predicted attack means.
For the predicted attack target, the attack probability of each potential attack means represents the possibility that an attacker adopts the potential attack means for the predicted attack target, so that the potential attack means with the highest attack probability is the attack means with the highest possibility that the attacker adopts for the predicted attack target, namely the predicted attack means.
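The two-dimensional risk score of steps S201 to S203 and S301 to S303, together with the per-means attack probability of steps S402 and S403, as an added Python example that is not part of the patent or the applicant's implementation. The host names, security feature names, rel values, occurrence probabilities and preset target values are constructed for illustration; the potential attack means use ATT&CK technique names only as labels.

```python
"""Added example (not the patent's own code): the attack risk score of steps
S201-S203 / S301-S303 and the per-means attack probability of steps S402-S403.
Hosts, security features, rel values, occurrence probabilities and target
values below are constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Potential attack means (ATT&CK technique names used as labels) and their
# occurrence probability P(t) as an attack prediction model would output them
# (constructed values).
POTENTIAL_MEANS: Dict[str, float] = {
    "Brute Force": 0.5,
    "Remote Services: SSH": 0.3,
    "Exploitation of Remote Services": 0.2,
}

# rel(t, f): conditional probability that means t is applied when a target has
# security feature f (assumed values; the patent derives them from statistics
# over historical static detection results and associated attack means).
REL: Dict[Tuple[str, str], float] = {
    ("Brute Force", "weak_password"): 0.9,
    ("Remote Services: SSH", "ssh_remote_login_allowed"): 0.8,
    ("Exploitation of Remote Services", "unpatched_vulnerability"): 0.7,
}
ALL_FEATURES: Set[str] = {f for _, f in REL}

# Static detection results: security features found on each potential target
# (constructed). host-C is the most valuable asset but has no weakness.
STATIC_DETECTION: Dict[str, Set[str]] = {
    "host-A": {"weak_password"},
    "host-B": {"ssh_remote_login_allowed", "unpatched_vulnerability"},
    "host-C": set(),
}

# Preset target value Value(b), reflecting the data assets on each target (constructed).
TARGET_VALUE: Dict[str, float] = {"host-A": 1.0, "host-B": 2.0, "host-C": 10.0}


def has(b: str, f: str) -> int:
    """Step S301: Has(b, f) is 1 if target b has security feature f, else 0."""
    return 1 if f in STATIC_DETECTION.get(b, set()) else 0


def rel(t: str, f: str) -> float:
    """Step S302: rel(t, f) in [0, 1]; 0 when no association is recorded."""
    return REL.get((t, f), 0.0)


def means_probabilities(b: str, means: Dict[str, float]) -> Dict[str, float]:
    """Step S402: for target b, sum_f P(t) * rel(t, f) * Has(b, f) per means t.
    Has(b, f) = 0 removes means whose precondition b does not satisfy."""
    return {
        t: sum(p_t * rel(t, f) * has(b, f) for f in ALL_FEATURES)
        for t, p_t in means.items()
    }


def attack_probability(b: str, means: Dict[str, float]) -> float:
    """Step S303 / S201: P(b) = sum_t sum_f P(t) * rel(t, f) * Has(b, f)."""
    return float(sum(means_probabilities(b, means).values()))


def attack_risk(b: str, means: Dict[str, float]) -> float:
    """Step S203: risk(b) = Value(b) * P(b), combining loss and likelihood."""
    return TARGET_VALUE[b] * attack_probability(b, means)


def predict_target(targets: List[str], means: Dict[str, float]) -> str:
    """Step S105: the target with the largest attack risk value."""
    return max(targets, key=lambda b: attack_risk(b, means))


def predict_means(b: str, means: Dict[str, float]) -> str:
    """Step S403: the means with the largest attack probability for target b."""
    probs = means_probabilities(b, means)
    return max(probs, key=probs.get)


if __name__ == "__main__":
    targets = list(TARGET_VALUE)
    for b in targets:
        print(b, "P(b)=%.2f" % attack_probability(b, POTENTIAL_MEANS),
              "risk=%.2f" % attack_risk(b, POTENTIAL_MEANS))
    target = predict_target(targets, POTENTIAL_MEANS)
    print("predicted target:", target,
          "| predicted means:", predict_means(target, POTENTIAL_MEANS))
```

With these constructed values host-A has the higher attack probability (0.45 against 0.38 for host-B), but host-B carries twice the preset target value and therefore the larger risk value (0.76 against 0.45), which is the two-dimensional trade-off the embodiment describes; host-C, despite being the most valuable asset, scores zero because every Has(b, f) term is 0. For the predicted target host-B, the per-means sum then ranks Remote Services: SSH above Exploitation of Remote Services and drops Brute Force entirely.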
Further, after determining the predicted attack means, an attack mitigation means for the predicted attack means may also be employed for the predicted attack target.
ATT&CK describes not only the various tactics and attack techniques an attacker may use, but also targeted attack mitigation means, so that a user can conveniently formulate a corresponding security risk reduction strategy. Using the correspondence between attack techniques and mitigation means in ATT&CK, the mitigation means for the predicted attack means can be looked up, and network security control of the predicted attack target can be carried out based on that mitigation means.
In order to determine the current attack means during the execution of any of the network attack prediction methods described in the foregoing embodiments, the present disclosure provides a method as shown in fig. 5, which can determine the current attack means through the dynamic monitoring result of the current attack target. Fig. 5 illustrates an exemplary flowchart of an attack means determination method 500 of some embodiments of the present disclosure.
As shown in fig. 5, in step S501, the current attack target is dynamically monitored to obtain a dynamic monitoring log of the current attack target.
In practical application, the dynamic monitoring module is a module for collecting dynamic monitoring logs reported by various targets and generating safety alarms according to preset rules. The dynamic monitoring module can dynamically monitor the target and record abnormal behaviors in the running process.
In step S502, the dynamic monitoring log is processed according to a preset rule to generate a security alarm.
According to preset rules and abnormal behavior records, the dynamic monitoring module generates security alarms such as abnormal IP login, abnormal time login, hidden processes, account number addition, account number change and the like.
In step S503, the current attack means of the current attack target is determined according to the security alarm.
Because different security alarms are generated for different reasons, the attack means of the current attack target can be deduced from the security alarms. For example, when the security alarm is "multiple login attempts", the corresponding attack technique may be deemed to be Brute Force.
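Steps S501 to S503 as an added Python example that is not the patent's own dynamic monitoring module: a rule-based pass over a constructed host log that generates the alarm kinds named above and maps them to the current attack means. The log lines, the failed-login threshold, the allowed source prefix and the working-hours window are constructed; of the alarm-to-technique mappings only "multiple login attempts" to Brute Force comes from the page, the other two are this example's assumptions.

```python
"""Added example (not the patent's own code): steps S501-S503, a rule-based
dynamic-monitoring pass that turns a host log into security alarms and infers
the current attack means. Log lines, thresholds and allowlist are constructed."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed dynamic monitoring log of the current attack target.
LOG_LINES = [
    "2023-06-12T03:01:10 host-A sshd: Failed password for root from 203.0.113.7",
    "2023-06-12T03:01:12 host-A sshd: Failed password for root from 203.0.113.7",
    "2023-06-12T03:01:15 host-A sshd: Failed password for root from 203.0.113.7",
    "2023-06-12T03:01:18 host-A sshd: Failed password for root from 203.0.113.7",
    "2023-06-12T03:01:21 host-A sshd: Failed password for root from 203.0.113.7",
    "2023-06-12T03:01:40 host-A sshd: Accepted password for root from 203.0.113.7",
    "2023-06-12T03:02:05 host-A useradd: new user: name=svc_backup",
]

# Preset rules (assumed values): failed-login threshold, allowed source
# prefixes and the normal working-hours window.
FAILED_LOGIN_THRESHOLD = 5
ALLOWED_IP_PREFIXES = ("10.0.",)
WORK_HOURS = range(8, 20)

# Alarm -> attack technique. The brute-force mapping is the one the patent
# gives; the other two are assumptions of this example.
ALARM_TO_MEANS: Dict[str, str] = {
    "multiple login attempts": "Brute Force",
    "abnormal IP login": "Valid Accounts",
    "abnormal time login": "Valid Accounts",
    "account addition": "Create Account",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
LOGIN_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+)$")
USERADD_RE = re.compile(r"^new user: name=(\S+)$")


def generate_alarms(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Step S502: apply the preset rules to the log; returns (alarm, host, detail)."""
    alarms: List[Tuple[str, str, str]] = []
    failed: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignored, not an alarm
        ts, host, proc, msg = m.groups()
        when = datetime.fromisoformat(ts)
        if proc == "sshd":
            lm = LOGIN_RE.match(msg)
            if not lm:
                continue
            outcome, user, ip = lm.groups()
            if outcome == "Failed":
                failed[(host, ip)] += 1
                if failed[(host, ip)] == FAILED_LOGIN_THRESHOLD:
                    alarms.append(("multiple login attempts", host, f"{ip} -> {user}"))
            else:
                if not ip.startswith(ALLOWED_IP_PREFIXES):
                    alarms.append(("abnormal IP login", host, ip))
                if when.hour not in WORK_HOURS:
                    alarms.append(("abnormal time login", host, when.isoformat()))
        elif proc == "useradd":
            um = USERADD_RE.match(msg)
            if um:
                alarms.append(("account addition", host, um.group(1)))
    return alarms


def infer_attack_means(alarms: List[Tuple[str, str, str]]) -> List[str]:
    """Step S503: map alarms to the current attack means, first appearance first."""
    means: List[str] = []
    for alarm, _host, _detail in alarms:
        t = ALARM_TO_MEANS.get(alarm)
        if t and t not in means:
            means.append(t)
    return means


if __name__ == "__main__":
    found = generate_alarms(LOG_LINES)
    for alarm in found:
        print(alarm)
    print("current attack means:", infer_attack_means(LOG_LINES and found))
```

The threshold alarm fires exactly once, on the fifth failed attempt from the same source, rather than on every later failure, so the alarm list stays one entry per rule hit; the subsequent successful login then triggers both the abnormal-IP and abnormal-time rules, and the account creation the account-addition rule.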
Some embodiments of the present disclosure combine static detection techniques and dynamic monitoring techniques to monitor the abnormal behavior of a current attack target to obtain information of the current attack means, and detect the security condition of a potential attack target to obtain the calculation parameters of the attack risk value of the potential attack target.
In addition, an attack prediction model is introduced to efficiently and quickly generate potential attack means so as to facilitate the follow-up completion of the locking of the predicted attack targets and/or the screening of the predicted attack means.
Before the current attack means is processed by using the attack prediction model to obtain the potential attack means, the model needs to be trained to improve the accuracy of the attack prediction model.
FIG. 6 illustrates an exemplary flow chart of a model training method 600 of some embodiments of the present disclosure.
As shown in fig. 6, in step S601, history attack data is acquired.
The historical attack data can be data extracted from network attack cases disclosed by the Internet, and can be obtained by analyzing and extracting target groups according to historical network attack events.
In this embodiment, the historical attack data are sorted to form an ordered sequence of < s1, s2, …, sn >, where s1, s2, and sn represent the historical attack means used in the historical attack, which may be all attack techniques in ATT & CK, i.e. the historical attack data is an ordered sequence formed by the historical attack means.
In step S602, a history attack chain is intercepted according to history attack data.
According to the ordered sequence of step S601, the attack behavior may be intercepted in the form of several attack chains. Taking the ordered sequence <t_A, t_B, t_C, t_D> containing four attack means as an example, the following three attack chains may be intercepted: <t_A, t_B, t_C> → <t_D>, <t_A, t_B> → <t_C> and <t_A> → <t_B>. The historical attack chain can thus be regarded as a subsequence of the ordered sequence of step S601.
In step S603, feature extraction is performed on the history attack chain to obtain a training sample.
In the present embodiment, the attack chain <t_A, t_B, t_C> → <t_D> intercepted in step S602 can be converted into feature vector form through feature extraction, the feature vector obtained after conversion being <1,1,1,0,0,0,0> → <0,0,0,1,0,0,0>; the attack chain <t_A, t_B> → <t_C> corresponds to the feature vector <1,1,0,0,0,0,0> → <0,0,1,0,0,0,0>, and the attack chain <t_A> → <t_B> corresponds to the feature vector <1,0,0,0,0,0,0> → <0,1,0,0,0,0,0>.
It should be noted that, at this point, the attack means comprise t_A, t_B, t_C, t_D, t_E, t_F and t_G, a total of 7.
In step S604, model training is performed using the training samples to obtain an attack prediction model.
And (3) taking the historical attack chain in the feature vector form obtained in the step (S603) as a training sample to carry out model training, and thus obtaining an attack prediction model.
In this process, a machine learning model may be trained as the initial model; the specific machine learning technique may be a multi-layer perceptron (MLP, Multilayer Perceptron), linear regression (LR, Logistic Regression), Naïve Bayes, a support vector machine (SVM, Support Vector Machine) or the like, or model training may be performed using a decision tree algorithm, which is not limited herein.
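Steps S601 to S604 on the embodiment's own toy sequence <t_A, t_B, t_C, t_D> over the seven attack means t_A to t_G, as an added Python example that is not the patent's code. Chain interception and the 0/1 feature vectors follow the description above; the trained model is this example's assumption, a count-based next-step estimator that stands in for the MLP, SVM or other learner named in the text, and the extra training sequences are constructed.

```python
"""Added example (not the patent's own code): steps S601-S604 on the toy
sequence <tA, tB, tC, tD> over the 7 attack means tA..tG. The model is a
count-based next-step estimator (an assumption of this example) standing in
for the MLP / SVM / decision tree the text mentions."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

ATTACK_MEANS = ["tA", "tB", "tC", "tD", "tE", "tF", "tG"]  # the 7 attack means
INDEX = {t: i for i, t in enumerate(ATTACK_MEANS)}

Chain = Tuple[List[str], str]          # (prefix of attack means, next attack means)
Sample = Tuple[List[int], List[int]]   # (feature vector, label vector)


def intercept_chains(sequence: List[str]) -> List[Chain]:
    """Step S602: every non-empty prefix -> the attack means that follows it,
    longest prefix first, as in <tA,tB,tC> -> <tD>, <tA,tB> -> <tC>, <tA> -> <tB>."""
    return [(sequence[:k], sequence[k]) for k in range(len(sequence) - 1, 0, -1)]


def one_hot(means: List[str]) -> List[int]:
    """0/1 vector over the 7 attack means (order inside the prefix is dropped)."""
    v = [0] * len(ATTACK_MEANS)
    for t in means:
        v[INDEX[t]] = 1
    return v


def to_feature_vector(chain: Chain) -> Sample:
    """Step S603: prefix and next means become 7-dimensional 0/1 vectors."""
    prefix, nxt = chain
    return one_hot(prefix), one_hot([nxt])


class NextStepModel:
    """Step S604 stand-in: P(next means | set of means seen so far) estimated
    from sample counts. Assumption of this example, not the patent's model."""

    def __init__(self) -> None:
        self.counts: Dict[tuple, Counter] = defaultdict(Counter)

    def fit(self, samples: List[Sample]) -> None:
        for x, y in samples:
            self.counts[tuple(x)][tuple(y)] += 1

    def predict(self, current_means: List[str]) -> Dict[str, float]:
        """Potential attack means for the next stage with occurrence probabilities."""
        c = self.counts.get(tuple(one_hot(current_means)))
        if not c:
            return {}  # prefix never seen in training: no prediction
        total = sum(c.values())
        return {ATTACK_MEANS[y.index(1)]: n / total for y, n in c.items()}


def train(histories: List[List[str]]) -> NextStepModel:
    """Steps S602-S604 end to end over a set of historical attack sequences."""
    samples = [to_feature_vector(ch) for seq in histories for ch in intercept_chains(seq)]
    model = NextStepModel()
    model.fit(samples)
    return model


# Constructed historical attack data (step S601): the page's toy sequence plus
# two more sequences so that the prediction is not trivially 1.0.
HISTORIES = [
    ["tA", "tB", "tC", "tD"],
    ["tA", "tB", "tE"],
    ["tA", "tB", "tC", "tD"],
]

if __name__ == "__main__":
    for chain in intercept_chains(HISTORIES[0]):
        print(chain, "->", to_feature_vector(chain))
    model = train(HISTORIES)
    print("after <tA, tB>:", model.predict(["tA", "tB"]))
```

The one-hot encoding reproduces the page's vectors exactly, and because it records only which means have appeared, two prefixes with the same means in a different order map to the same training input; a practitioner who needs order would have to choose a different feature extraction than the one the embodiment shows.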
In summary, by the attack prediction method provided by the above embodiment, the potential attack means and the occurrence probability thereof in the next stage can be predicted by using the attack prediction model, and the static detection result of the target and the association relationship between the attack technique and the static detection result are combined, so that before the attack occurs, the target most likely to be attacked by the attacker in the next attack stage is locked, thereby facilitating the risk reduction of the predicted attack target by the user.
In addition, the attack means adopted in the next attack stage can be further predicted, and the method is more accurate than simple history attack chain matching, so that symptomatic risk reduction is realized.
The embodiment of the disclosure also provides a device for predicting the network attack. Fig. 7 illustrates an exemplary block diagram of a network attack prediction device 700 in accordance with some embodiments of the present disclosure.
As shown in fig. 7, the network attack prediction apparatus includes:
the static detection module 701 is configured to perform static detection on a potential attack target, and specifically, the static detection module 701 is configured to perform item detection including baseline detection, weak password detection, vulnerability detection, malicious program/virus detection, and rootkit detection on the potential attack target, so as to obtain information of a security feature of the potential attack target;
an attack prediction module 702 communicatively coupled to the static detection module 701 and operative in conjunction therewith for performing the method as illustrated in any of the preceding embodiments.
Further, the network attack prediction apparatus 700 may further include:
a network information collection module 703 communicatively coupled to and cooperating with the attack prediction module 702 for collecting local network topology and network connectivity information for the attack prediction module 702 to determine potential attack targets;
And a dynamic monitoring module 704, which is communicatively connected to and cooperates with the attack prediction module 702, for dynamically monitoring a current attack target for the attack prediction module 702 to determine a current attack means.
Corresponding to the foregoing functional embodiments, an electronic device as shown in fig. 8 is also provided in the embodiment of the present invention. Fig. 8 shows an exemplary block diagram of an electronic device 800 of an embodiment of the disclosure.
An electronic device 800 shown in fig. 8, comprising: a processor 810; and a memory 820, the memory 820 having stored thereon executable program instructions which, when executed by the processor 810, cause the electronic device to implement any of the methods as described above.
In the electronic apparatus 800 of fig. 8, only constituent elements related to the present embodiment are shown. Thus, it will be apparent to those of ordinary skill in the art that: the electronic device 800 may also include common constituent elements that are different from those shown in fig. 8.
The processor 810 may control the operation of the electronic device 800. For example, the processor 810 controls the operation of the electronic device 800 by executing programs stored in the memory 820 on the electronic device 800. The processor 810 may be implemented by a Central Processing Unit (CPU), an Application Processor (AP), an artificial intelligence processor chip (IPU), etc., provided in the electronic device 800. However, the present disclosure is not limited thereto. In this embodiment, the processor 810 may be implemented in any suitable manner. For example, the processor 810 may take the form of, for example, a microprocessor or processor, and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, and an embedded microcontroller, among others.
The memory 820 may be used to store the various data and instructions processed in the electronic device 800. For example, the memory 820 may store processed data and data to be processed in the electronic device 800. Memory 820 may store data sets that have been processed or are to be processed by processor 810. Further, the memory 820 may store applications, drivers, and the like to be run by the electronic device 800. For example, the memory 820 may store various programs related to task type recognition, operator type recognition, and the like to be performed by the processor 810. The memory 820 may be a DRAM, but the present disclosure is not limited thereto. The memory 820 may include at least one of volatile memory or nonvolatile memory. The nonvolatile memory may include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, Phase change RAM (PRAM), Magnetic RAM (MRAM), Resistive RAM (RRAM), Ferroelectric RAM (FRAM), and the like. Volatile memory can include Dynamic RAM (DRAM), Static RAM (SRAM), Synchronous DRAM (SDRAM), PRAM, MRAM, RRAM, Ferroelectric RAM (FeRAM), and the like. In an embodiment, the memory 820 may include at least one of a Hard Disk Drive (HDD), a Solid State Drive (SSD), a high density flash memory (CF), a Secure Digital (SD) card, a Micro-Secure Digital (Micro-SD) card, a Mini-Secure Digital (Mini-SD) card, an extreme digital (xD) card, a cache, or a memory stick.
In summary, specific functions implemented by the memory 820 and the processor 810 of the electronic device 800 provided in the embodiment of the present disclosure may be explained in comparison with the foregoing embodiments in the present disclosure, and may achieve the technical effects of the foregoing embodiments, which will not be repeated herein.
Alternatively, the present disclosure may also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) having stored thereon computer program instructions (or computer programs, or computer instruction codes) which, when executed by a processor of an electronic device (or electronic device, server, etc.), cause the processor to perform part or all of the steps of the above-described methods according to the present disclosure.
While various embodiments of the present disclosure have been shown and described herein, it will be obvious to those skilled in the art that such embodiments are provided by way of example only. Numerous modifications, changes, and substitutions will occur to those skilled in the art without departing from the spirit and scope of the present disclosure. It should be understood that various alternatives to the embodiments of the disclosure described herein may be employed in practicing the disclosure. The appended claims are intended to define the scope of the disclosure and are therefore to cover all equivalents or alternatives falling within the scope of these claims.

Claims (12)

1. A method for predicting a network attack, comprising:
determining a current attack means and a plurality of potential attack targets according to the current attack targets;
processing the current attack means by utilizing the attack prediction model to obtain potential attack means and occurrence probability thereof;
acquiring a static detection result of each potential attack target;
generating a Has function of each potential attack target aiming at each security feature according to the static detection result of each potential attack target, wherein the Has function specifically comprises the following steps: if the potential attack target b Has the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 1, and if the potential attack target b does not have the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 0;
generating a probability function of each potential attack means for each security feature according to the conditional probability of the attack means under the static detection result, wherein this specifically comprises: carrying out numerical statistics on the historical static detection results and the associated historical attack means to obtain a probability function rel(t, f) of each attack means for each security feature, and obtaining a probability function $rel(\hat{t}, f)$ of each potential attack means for each security feature based on the probability function rel(t, f) and the potential attack means $\hat{t}$ ($\hat{t}$ renders the claim's marked symbol for a potential attack means), wherein rel(t, f) ∈ [0, 1], t represents an attack means, $rel(\hat{t}, f)$ ∈ [0, 1], $\hat{t}$ represents a potential attack means, and f represents a security feature;
calculating the attack probability of each potential attack target according to the Has function, the probability function and the occurrence probability of each potential attack means, wherein this specifically comprises: calculating the probability of the potential attack target being attacked according to $P(b) = \sum_{\hat{t} \in T} \sum_{f \in F} P(\hat{t}) \cdot rel(\hat{t}, f) \cdot Has(b, f)$, wherein P(b) represents the probability of the potential attack target b being attacked, T represents the set of potential attack means, $\hat{t}$ represents a potential attack means, f represents a security feature of the potential attack target b, F represents the set of security features of the potential attack target b, $P(\hat{t})$ represents the occurrence probability of the potential attack means $\hat{t}$, $rel(\hat{t}, f)$ represents the probability function of each potential attack means $\hat{t}$ for each security feature f, and Has(b, f) represents the Has function of each potential attack target for each security feature;
determining a preset target value of each potential attack target;
taking the product of the attack probability of each potential attack target and the preset target value as the attack risk value of each potential attack target; and
and determining the potential attack target with the largest attack risk value as the predicted attack target.
2. The method of claim 1, wherein after determining the predicted attack target, the method further comprises:
Aiming at the predicted attack target, calculating the attack probability of each potential attack means according to the potential attack means and the occurrence probability thereof, the static detection result of the predicted attack target and the conditional probability of the attack means under the static detection result; and
and determining the potential attack means with the maximum attack probability as the prediction attack means.
3. The method of claim 2, wherein calculating an attack probability for each potential attack means for the predicted attack target comprises:
for the predicted attack target b, calculating the attack probability of each potential attack means $\hat{t}$ according to $P(b, \hat{t}) = \sum_{f \in F} P(\hat{t}) \cdot rel(\hat{t}, f) \cdot Has(b, f)$;
wherein the attack probability (denoted here as $P(b, \hat{t})$) indicates the probability that the predicted attack target b is subject to the potential attack means $\hat{t}$, f represents a security feature of the potential attack target b, F represents the set of security features of the potential attack target b, $P(\hat{t})$ represents the occurrence probability of the potential attack means $\hat{t}$, $rel(\hat{t}, f)$ represents the probability function of each potential attack means $\hat{t}$ with respect to each security feature f and reflects the conditional probability of occurrence of the potential attack means $\hat{t}$, and Has(b, f) represents the Has function of each potential attack target for each security feature and reflects the static detection result of the potential attack target b.
4. A method according to claim 2 or 3, wherein after determining the predictive measure of attack, the method further comprises:
and adopting an attack reduction means aiming at the predicted attack means for the predicted attack target.
5. The method of claim 1, wherein determining a current attack means based on a current attack target comprises:
dynamically monitoring a current attack target to obtain a dynamic monitoring log of the current attack target;
processing the dynamic monitoring log according to a preset rule to generate a safety alarm; and
and determining the current attack means of the current attack target according to the security alarm.
6. The method of claim 1, wherein determining potential attack targets from current attack targets comprises:
collecting local network topology structure and network connectivity information; and
taking the targets meeting a preset condition with respect to the current attack target as potential attack targets, wherein the preset condition is that, in the local network topology structure, the target and the current attack target are located on the same link and the network connectivity information of that link indicates that it is connected.
7. The method of claim 1, wherein prior to processing the current attack means using the attack prediction model, the method further comprises:
Acquiring historical attack data;
intercepting a historical attack chain according to the historical attack data;
extracting features of the historical attack chain to obtain a training sample; and
and performing model training by using the training sample to obtain the attack prediction model.
8. The method of claim 7, wherein the historical attack data is an ordered sequence of historical attack means, and the historical attack chain is a subsequence of the ordered sequence.
9. An apparatus for predicting a network attack, comprising:
the static detection module is used for carrying out static detection on potential attack targets; and
an attack prediction module communicatively coupled to the static detection module and operative in conjunction with the static detection module for performing the method of any of claims 1-8.
10. The apparatus as recited in claim 9, further comprising:
a network information acquisition module for acquiring the local network topology structure and the network connectivity information so that the attack prediction module can determine the potential attack targets; and
a dynamic monitoring module for dynamically monitoring the current attack target so that the attack prediction module can determine the current attack means.
11. An electronic device, comprising:
a processor; and
a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the method of any of claims 1-8.
12. A non-transitory computer readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to perform the method of any of claims 1-8.
CN202310690622.0A 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attack Active CN116436701B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310690622.0A CN116436701B (en) 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310690622.0A CN116436701B (en) 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attack

Publications (2)

Publication Number Publication Date
CN116436701A CN116436701A (en) 2023-07-14
CN116436701B CN116436701B (en) 2023-08-18

Family

ID=87087562

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310690622.0A Active CN116436701B (en) 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attack

Country Status (1)

Country Link
CN (1) CN116436701B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769051A (en) * 2018-06-11 2018-11-06 PLA Strategic Support Force Information Engineering University Network intrusion situation intention assessment method based on alert correlation
CN108833186A (en) * 2018-06-29 2018-11-16 Beijing Qihoo Technology Co., Ltd. Network attack prediction method and device
CN112187773A (en) * 2020-09-23 2021-01-05 Alipay (Hangzhou) Information Technology Co., Ltd. Method and device for mining network security vulnerability
CN114095270A (en) * 2021-11-29 2022-02-25 Beijing Topsec Network Security Technology Co., Ltd. Network attack prediction method and device
CN115203692A (en) * 2022-05-23 2022-10-18 Southeast University Multi-dimensional Android platform application behavior safety assessment method integrating user subjective evaluation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9680855B2 (en) * 2014-06-30 2017-06-13 Neo Prime, LLC Probabilistic model for cyber risk forecasting

Also Published As

Publication number Publication date
CN116436701A (en) 2023-07-14

Similar Documents

Publication Publication Date Title
El Sayed et al. A flow-based anomaly detection approach with feature selection method against ddos attacks in sdns
US10298607B2 (en) Constructing graph models of event correlation in enterprise security systems
US7716739B1 (en) Subjective and statistical event tracking incident management system
US20210352095A1 (en) Cybersecurity resilience by integrating adversary and defender actions, deep learning, and graph thinking
US20190182274A1 (en) Techniques for predicting subsequent attacks in attack campaigns
Garitano et al. A review of SCADA anomaly detection systems
CA2495147C (en) Control systems and methods using a partially-observable markov decision process (po-mdp)
Alserhani et al. MARS: multi-stage attack recognition system
JP6557774B2 (en) Graph-based intrusion detection using process trace
Chen et al. A model-based validated autonomic approach to self-protect computing systems
Jadidi et al. A threat hunting framework for industrial control systems
Wu et al. Risk assessment method for cybersecurity of cyber-physical systems based on inter-dependency of vulnerabilities
WO2018071356A1 (en) Graph-based attack chain discovery in enterprise security systems
Marchetti et al. Identification of correlated network intrusion alerts
Kholidy et al. Attack prediction models for cloud intrusion detection systems
Abdulrazaq et al. Combination of multi classification algorithms for intrusion detection system
Kholidy et al. Online risk assessment and prediction models for Autonomic Cloud Intrusion srevention systems
Sukhwani et al. A survey of anomaly detection techniques and hidden markov model
EP4111660B1 (en) Cyberattack identification in a network environment
Amarasinghe et al. AI based cyber threats and vulnerability detection, prevention and prediction system
CN116436701B (en) Method, device, equipment and storage medium for predicting network attack
Bahareth et al. Constructing attack scenario using sequential pattern mining with correlated candidate sequences
Badis et al. Toward a source detection of botclouds: a pca-based approach
KR102433581B1 (en) Social advanced persistent threat prediction system and method using time-series learning-type ensemble AI techniques
Banadaki et al. Design of intrusion detection systems on the internet of things infrastructure using machine learning algorithms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant