CN116647406B - Advanced persistent threat attack IP detection method - Google Patents
- Publication number: CN116647406B (application CN202310742047.4A)
- Authority: CN (China)
- Prior art keywords: attack, threat, matrix, triples, detection method
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (under H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00—Network architectures or network communication protocols for network security)
- H04L63/1425—Traffic logging, e.g. anomaly detection (under H04L63/1408)
- H04L9/40—Network security protocols (under H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
- H04L2463/146—Tracing the source of attacks (under H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00—Reducing energy consumption in communication networks; Y02D—Climate change mitigation technologies in information and communication technologies)
Abstract
The invention provides an advanced persistent threat attack IP detection method, which comprises the following steps: step S1: deploying network security detection equipment in a network, and acquiring the detection alarm logs and levels of the various detection devices; step S2: normalizing the acquired alarm logs, wherein the normalized format is a set of network attack triples; step S3: generating a state transition matrix G according to the set of triples; step S4: combining an IP white list, and performing iterative computation on the state transition matrix with an improved PageRank algorithm to obtain a threat value for each IP; step S5: ranking the IPs according to their threat values. The IP of the network attack source can be accurately identified, and APT attacks can be effectively identified and managed in combination with the specific usage scenario.
Description
Technical Field
The invention relates to the field of advanced persistent threat, in particular to an advanced persistent threat attack IP detection method.
Background
Advanced Persistent Threat (APT) attacks do not refer to a specific attack technique, but rather to a form of comprehensive network warfare conducted by one organization against another. Compared with common network attacks, an APT attack is more complex and specialized, and its long-term concealment requires financial and material support.
APT attacks are long-lasting network attacks that use advanced means against specific targets. The attack process comprises the following steps: determining the attack target, collecting information related to the target, infiltrating the target's system environment, preparing the tools required for the attack, deploying those tools, carrying out the attack, and clearing the attack traces. From the time the target is determined to the time the attack succeeds, an APT attack may take months or up to decades.
APT attacks are usually a combination of multiple attack patterns, and therefore multi-level, multi-faceted detection and defense are also required. Because of their strong concealment, traditional security defenses can hardly notice them. Conventional threat detection systems tend to produce thousands of alarms per day, among which the attack IP of an APT attack is typically hidden.
Disclosure of Invention
The present invention has been made in view of the above problems, and it is an object of the present invention to provide an advanced persistent threat attack IP detection method that overcomes or at least partially solves the above problems.
According to one aspect of the present invention, there is provided an advanced persistent threat attack IP detection method, the detection method comprising:
step S1: deploying network security detection equipment in a network, and acquiring detection alarm logs and levels of various detection equipment;
step S2: normalizing the acquired alarm log, wherein the normalized format is a set of network attack triples;
step S3: generating a state transition matrix G according to the set of triples;
step S4: combining an IP white list, and performing iterative computation on a state transition matrix by using an improved pagerank algorithm to obtain a threat value of the IP;
step S5: ordering is performed according to threat values.
Optionally, the triples specifically include: attack IP, attacked IP, and threat weight.
Optionally, the step S1: the method for deploying network security detection equipment in the network and acquiring detection alarm logs and levels of various detection equipment specifically comprises the following steps:
the obtained logs are unified into five-tuple;
and designing a mapping table according to the triples, wherein the mapping table corresponds to different threat weights.
Optionally, the five-tuple specifically includes: the device, attack IP, attacked IP, attack type, threat level.
Optionally, the step S2: normalizing the acquired alarm log, wherein the normalization format is a set of network attack triples, and the set specifically comprises:
based on different devices, attack types and threat weights corresponding to threat levels, the canonical format is a set of the triples;
and combining triplets with the same attack IP and the same attacked IP, summing threat weights, and updating the threat weights.
Optionally, the step S3: generating the state transition matrix G according to the set of triples specifically includes:
defining all attacking and attacked IPs as the set $A[N] = \{IP_1, IP_2, \ldots, IP_N\}$, so that the state transition matrix G is a matrix of size $N \times N$;
traversing each element $(IP_i, IP_j, W_k)$ in the set of network attack triples and updating the value of the element $G(j, i)$ in the state transition matrix G to $W_k$.
Optionally, the step S4: combining an IP white list and performing iterative computation on the state transition matrix with an improved PageRank algorithm to obtain the threat value of the IP specifically comprises the following steps:
converting G into a Markov matrix M, wherein
defining the transition probability of the state transition matrix as s, and defining the convergence value of the iteration as maxerr;
initializing an array $R[N] = \{r_1, r_2, \ldots, r_n\}$; in particular, for each $IP_i$ ($i \in [1, N]$) in the set $A[N]$, if $IP_i$ is in the IP white list then $r_i = 0$, otherwise $r_i = 1$, after which standard normalization is performed on R;
initializing a whitelist matrix $B = B_1 \cdot B_2 \cdots B_i \cdots B_n$, wherein $B_i$, for a white-listed IP $IP_i$, is defined as:
a matrix in which $b = 1/(N-1)$ and the row in which $b$ is located is row $i$;
converting by applying the Markov matrix M to the matrix R to obtain a matrix R';
generating the conversion matrix B according to the white list, and updating R' to $R' \times B$;
summing the differences between each element of R' and R, stopping the iteration if the sum is smaller than maxerr, and otherwise returning to step 4.5 to continue iterating;
the values $\{r_1', r_2', \ldots, r_n'\}$ of the resulting R' are the threat values corresponding to the IP set $A[N] = \{IP_1, IP_2, \ldots, IP_N\}$.
Optionally, the converting by applying the Markov matrix M to the matrix R specifically includes:
$R' = \frac{1-s}{N}\,A(1)_{N \times N} + s\,M^{T} \cdot R$;
wherein $A(1)_{N \times N}$ is the $N \times N$ matrix of all ones, and $M^{T}$ is the transpose of M.
The invention provides an advanced persistent threat attack IP detection method, which comprises the following steps: step S1: deploying network security detection equipment in a network, and acquiring detection alarm logs and levels of various detection equipment; step S2: normalizing the acquired alarm log, wherein the normalized format is a set of network attack triples; step S3: generating a state transition matrix G according to the set of triples; step S4: combining an IP white list, and performing iterative computation on a state transition matrix by using an improved pagerank algorithm to obtain a threat value of the IP; step S5: ordering is performed according to threat values. The IP of the network attack source can be accurately identified, and further APT attacks can be effectively identified and managed by combining specific use scenes.
The foregoing description is only an overview of the present invention, and is intended to be implemented in accordance with the teachings of the present invention in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present invention more readily apparent.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an advanced persistent threat attack IP detection method according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprising" and "having" and any variations thereof in the description embodiments of the invention and in the claims and drawings are intended to cover a non-exclusive inclusion, such as a series of steps or elements.
The technical scheme of the invention is further described in detail below with reference to the accompanying drawings and the examples.
As shown in fig. 1, an advanced persistent threat attack IP detection method includes:
step S1: and deploying network security detection equipment in the network, and acquiring detection alarm logs and levels of various detection equipment.
Step S2: and normalizing the acquired alarm log, wherein the normalization is in a form of a set of network attack triples (attack IP, attacked IP and threat weight).
Step S3: and generating a state transition matrix G according to the triplet set.
Step S4: and combining an IP white list, and performing iterative computation on the state transition matrix by using an improved pagerank algorithm to obtain the threat value of the IP.
Step S5: the IPs are ordered according to their threat values; the higher the threat value, the more likely the IP is an Advanced Persistent Threat (APT) attack IP.
The step S1 comprises the following steps:
step 1.1: the obtained logs are unified into five-tuple (equipment, attack IP, attacked IP, attack type and threat level);
step 1.2: for different (device, attack type, threat level) triples, mapping tables are designed to correspond to different threat weights. In principle, the more important the position where the device itself is deployed, the greater the alarm threat of the device, the greater the attack type threat, the higher the threat level, and the higher the corresponding threat weight.
The step S2 comprises the following steps:
step 2.1: based on the different threat weights corresponding to the different triples (device, attack type, threat level), the device, attack type and threat level fields are dropped by normalizing the format into a set of triples (attack IP, attacked IP, threat weight).
Step 2.2: and combining triplets with the same attack IP and the same attacked IP, summing threat weights, and updating the threat weights.
The step S3 comprises the following steps:
step 3.1: define all attacking and attacked IPs as the set $A[N] = \{IP_1, IP_2, \ldots, IP_N\}$. The state transition matrix G is then a matrix of size $N \times N$.
Step 3.2: traverse each element $(IP_i, IP_j, W_k)$ in the set of network attack triples (attack IP, attacked IP, threat weight) and update the value of the element $G(j, i)$ in the state transition matrix G to $W_k$.
The step S4 includes:
converting G into a Markov matrix M, wherein
The transition probability of the state transition matrix is defined as s, and the convergence value of the iteration is defined as maxerr.
An array $R[N] = \{r_1, r_2, \ldots, r_n\}$ is initialized. In particular, for each $IP_i$ ($i \in [1, N]$) in the set $A[N]$, if $IP_i$ is in the IP white list then $r_i = 0$, otherwise $r_i = 1$; standard normalization is then performed on R.
A whitelist matrix $B = B_1 \cdot B_2 \cdots B_i \cdots B_n$ is initialized, wherein $B_i$, for a white-listed IP $IP_i$, is defined as:
a matrix in which $b = 1/(N-1)$ and the row in which $b$ is located is row $i$.
The Markov matrix M is applied to the matrix R for conversion to obtain a matrix R'. The specific conversion is $R' = \frac{1-s}{N}\,A(1)_{N \times N} + s\,M^{T} \cdot R$, wherein $A(1)_{N \times N}$ is the $N \times N$ matrix of all ones and $M^{T}$ is the transpose of M.
The conversion matrix B is generated according to the white list, and R' is updated to $R' \times B$.
The differences between each element of R' and R are summed; if the sum is less than maxerr the iteration is stopped, otherwise the iteration continues from step 4.5.
The values $\{r_1', r_2', \ldots, r_n'\}$ of the resulting R' are the threat values corresponding to the IP set $A[N] = \{IP_1, IP_2, \ldots, IP_N\}$.
1) Two network security intrusion detection devices are deployed in a network, and the detection alarm logs and levels acquired from them are, for example, as follows:
Device | Attack IP | Attacked IP | Attack type | Threat level |
---|---|---|---|---|
Device 1 | 192.168.1.2 | 192.168.1.3 | Port scanning | Low |
Device 1 | 192.168.1.2 | 192.168.1.4 | Port scanning | Low |
Device 1 | 192.168.1.2 | 192.168.1.5 | Port scanning | Low |
Device 1 | 192.168.1.2 | 192.168.1.6 | Port scanning | Low |
Device 1 | 192.168.1.3 | 192.168.1.4 | SQL injection | Medium |
Device 2 | 192.168.1.2 | 192.168.1.3 | Port scanning | Low |
Device 2 | 192.168.1.2 | 192.168.1.4 | Port scanning | Low |
Device 2 | 192.168.1.2 | 192.168.1.5 | Port scanning | Low |
Device 2 | 192.168.1.2 | 192.168.1.6 | Port scanning | Low |
Device 2 | 192.168.1.3 | 192.168.1.5 | Remote control trojan | High |
Device 2 | 192.168.1.3 | 192.168.1.5 | Brute-force cracking | Medium |
Device 2 | 192.168.1.4 | 192.168.1.6 | SQL injection | Medium |
Device 2 | 192.168.1.5 | 192.168.1.3 | Port scanning | Low |
Device 2 | 192.168.1.5 | 192.168.1.6 | Brute-force cracking | Medium |
Device 2 | 192.168.1.6 | 192.168.1.5 | Remote control trojan | High |
2) According to the equipment, the attack type and the threat level, the mapping table is designed as follows:
3) Based on the above information, the set of triples (attack IP, attacked IP, threat weight) is obtained as follows:
Attack IP | Attacked IP | Threat weight |
---|---|---|
192.168.1.2 | 192.168.1.3 | 1 |
192.168.1.2 | 192.168.1.4 | 1 |
192.168.1.2 | 192.168.1.5 | 1 |
192.168.1.2 | 192.168.1.6 | 1 |
192.168.1.3 | 192.168.1.4 | 2 |
192.168.1.2 | 192.168.1.3 | 2 |
192.168.1.2 | 192.168.1.4 | 2 |
192.168.1.2 | 192.168.1.5 | 2 |
192.168.1.2 | 192.168.1.6 | 2 |
192.168.1.3 | 192.168.1.5 | 6 |
192.168.1.3 | 192.168.1.5 | 4 |
192.168.1.4 | 192.168.1.6 | 4 |
192.168.1.5 | 192.168.1.3 | 2 |
192.168.1.5 | 192.168.1.6 | 4 |
192.168.1.6 | 192.168.1.5 | 6 |
4) Triples with the same attack IP and the same attacked IP are merged, their threat weights are summed, and the threat weights are updated:
Attack IP | Attacked IP | Threat weight |
---|---|---|
192.168.1.2 | 192.168.1.3 | 3 |
192.168.1.2 | 192.168.1.4 | 3 |
192.168.1.2 | 192.168.1.5 | 3 |
192.168.1.2 | 192.168.1.6 | 3 |
192.168.1.3 | 192.168.1.4 | 2 |
192.168.1.3 | 192.168.1.5 | 10 |
192.168.1.4 | 192.168.1.6 | 4 |
192.168.1.5 | 192.168.1.3 | 2 |
192.168.1.5 | 192.168.1.6 | 4 |
192.168.1.6 | 192.168.1.5 | 6 |
5) An IP set array A[5] = {"192.168.1.2", "192.168.1.3", "192.168.1.4", "192.168.1.5", "192.168.1.6"} is defined.
6) Traversing each element $(IP_i, IP_j, W_k)$ in the set of network attack triples (attack IP, attacked IP, threat weight) using the IP set array subscripts, and updating the value of the element $G(j, i)$ in the state transition matrix G to $W_k$, correspondingly gives the state transition matrix G:
7) Converting G into a markov matrix M:
8) The transition probability s=0.85 of the state transition matrix is defined and the convergence value of the iteration is defined as maxerr=0.01.
9) Assuming 192.168.1.6 is in the white list, the corresponding transfer matrix
10) The Markov matrix M is applied to the matrix R for conversion to obtain a matrix R'. The specific conversion is $R' = \frac{1-s}{N}\,A(1)_{N \times N} + s\,M^{T} \cdot R$, wherein $A(1)_{N \times N}$ is the $N \times N$ matrix of all ones and $M^{T}$ is the transpose of M.
11) The conversion matrix B is generated according to the white list, and R' is updated to $R' \times B$.
12) The differences between each element of R' and R are summed; if the sum is less than maxerr the iteration is stopped, otherwise the iteration continues from step 10).
13) The resulting R' array is {0.36902042, 0.27569046, 0.13057429, 0.22471483, 0}; the result is shown in the following table, with 192.168.1.2 being the most likely attack IP.
IP | Threat value |
---|---|
192.168.1.2 | 0.36902042 |
192.168.1.3 | 0.27569046 |
192.168.1.4 | 0.13057429 |
192.168.1.5 | 0.22471483 |
192.168.1.6 | 0 |
14) If 192.168.1.6 is not in the white list, the result is the following table, and 192.168.1.6 is the most likely attack IP.
IP | Threat value |
---|---|
192.168.1.2 | 0.25867582 |
192.168.1.3 | 0.14860763 |
192.168.1.4 | 0.12230881 |
192.168.1.5 | 0.17205961 |
192.168.1.6 | 0.29834813 |
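The worked example above (steps 1) to 14)) carried through end to end as an added Python example; this is not the patent's own code. It takes the five-tuple alarms as constructed input, reads the threat weights back from the triples table because the mapping table itself is not reproduced on the page, and assumes a concrete reading of the parts the page leaves unspecified: M is G with each row divided by its row sum (so each attacked IP passes its threat to its attackers in proportion to attack weight), the product R' × B spreads each white-listed IP's value evenly over the other IPs, and R is renormalised to sum 1 every round.

```python
from collections import defaultdict

# Constructed input: the five-tuple alarms (device, attack IP, attacked IP,
# attack type, threat level) from the worked example, step 1).
ALARMS = [
    ("device1", "192.168.1.2", "192.168.1.3", "port scan", "low"),
    ("device1", "192.168.1.2", "192.168.1.4", "port scan", "low"),
    ("device1", "192.168.1.2", "192.168.1.5", "port scan", "low"),
    ("device1", "192.168.1.2", "192.168.1.6", "port scan", "low"),
    ("device1", "192.168.1.3", "192.168.1.4", "sql injection", "medium"),
    ("device2", "192.168.1.2", "192.168.1.3", "port scan", "low"),
    ("device2", "192.168.1.2", "192.168.1.4", "port scan", "low"),
    ("device2", "192.168.1.2", "192.168.1.5", "port scan", "low"),
    ("device2", "192.168.1.2", "192.168.1.6", "port scan", "low"),
    ("device2", "192.168.1.3", "192.168.1.5", "remote control trojan", "high"),
    ("device2", "192.168.1.3", "192.168.1.5", "brute force", "medium"),
    ("device2", "192.168.1.4", "192.168.1.6", "sql injection", "medium"),
    ("device2", "192.168.1.5", "192.168.1.3", "port scan", "low"),
    ("device2", "192.168.1.5", "192.168.1.6", "brute force", "medium"),
    ("device2", "192.168.1.6", "192.168.1.5", "remote control trojan", "high"),
]

# Hypothetical mapping table (device, attack type, threat level) -> threat weight.
# The patent's table is not on the page; these values are read back from the
# triples in its worked example (step 3)).
WEIGHTS = {
    ("device1", "port scan", "low"): 1,
    ("device1", "sql injection", "medium"): 2,
    ("device2", "port scan", "low"): 2,
    ("device2", "sql injection", "medium"): 4,
    ("device2", "brute force", "medium"): 4,
    ("device2", "remote control trojan", "high"): 6,
}


def normalize_alarms(alarms, weights):
    """Steps S1-S2: map each five-tuple to (attack IP, attacked IP, weight) and
    merge triples with the same attacker/victim pair by summing their weights."""
    merged = defaultdict(int)
    for device, src, dst, attack_type, level in alarms:
        merged[(src, dst)] += weights[(device, attack_type, level)]
    return dict(merged)


def build_transition_matrix(triples):
    """Step S3: ordered IP set A[N] and G with G[j][i] = weight of IP_i attacking IP_j."""
    ips = sorted({ip for pair in triples for ip in pair})
    index = {ip: n for n, ip in enumerate(ips)}
    n = len(ips)
    g = [[0.0] * n for _ in range(n)]
    for (src, dst), weight in triples.items():
        g[index[dst]][index[src]] = float(weight)
    return ips, g


def to_markov(g):
    """Assumed conversion of G to M: divide each row by its row sum, so the
    incoming weights of every attacked IP sum to 1 (all-zero rows stay zero)."""
    m = []
    for row in g:
        total = sum(row)
        m.append([x / total if total else 0.0 for x in row])
    return m


def threat_scores(ips, g, whitelist, s=0.85, maxerr=0.01, max_iter=1000):
    """Step S4: PageRank-style iteration on M with whitelist redistribution."""
    n = len(ips)
    m = to_markov(g)
    white = [i for i, ip in enumerate(ips) if ip in whitelist]
    # R[N]: 0 for white-listed IPs, 1 otherwise, then normalised to sum 1
    r = [0.0 if i in white else 1.0 for i in range(n)]
    total = sum(r) or 1.0
    r = [x / total for x in r]
    for _ in range(max_iter):
        # R' = (1-s)/N * A(1) + s * M^T . R; with sum(R) == 1 the first term is constant
        base = (1 - s) / n * sum(r)
        new = [base + s * sum(m[j][i] * r[j] for j in range(n)) for i in range(n)]
        # R' <- R' x B: each B_i spreads a white-listed IP's value evenly
        # (b = 1/(N-1)) over the other IPs and leaves that IP at zero
        for w in white:
            share = new[w] / (n - 1)
            new = [0.0 if k == w else v + share for k, v in enumerate(new)]
        total = sum(new)
        new = [v / total for v in new]  # assumption: renormalise every round
        diff = sum(abs(a - b) for a, b in zip(new, r))
        r = new
        if diff < maxerr:  # convergence value maxerr from the patent
            break
    return dict(zip(ips, r))


def rank_ips(scores):
    """Step S5: order IPs by descending threat value."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    triples = normalize_alarms(ALARMS, WEIGHTS)
    ips, g = build_transition_matrix(triples)
    for ip, score in rank_ips(threat_scores(ips, g, {"192.168.1.6"})):
        print(f"{ip:<14} {score:.4f}")
```

Under these assumptions the white-listed 192.168.1.6 ends at exactly 0 and 192.168.1.2 ranks first, as in the patent's table; the individual values differ from the page's because the page does not fix the normalisation used for M.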
The beneficial effects are as follows: the invention discloses an advanced persistent threat (APT) attack IP identification method in which the alarms from the network devices are analyzed comprehensively, the network security threat weights between the various IPs are recalculated in combination with an IP white list, those weights are iteratively updated with an improved PageRank algorithm, and the threat IPs are ranked according to the recalculated weights, so that the source IP of the network attack is accurately identified and the APT attack is effectively identified and managed in combination with the specific usage scenario.
The foregoing detailed description of the invention has been presented for purposes of illustration and description, and it should be understood that the invention is not limited to the particular embodiments disclosed, but is intended to cover all modifications, equivalents, alternatives, and improvements within the spirit and principles of the invention.
Claims (7)
1. An advanced persistent threat attack IP detection method, the detection method comprising:
step S1: deploying network security detection equipment in a network, and acquiring detection alarm logs and levels of various detection equipment;
step S2: normalizing the acquired alarm log, wherein the normalized format is a set of network attack triples;
step S3: generating a state transition matrix G according to the set of triples;
step S4: combining an IP white list, and performing iterative computation on a state transition matrix by using an improved pagerank algorithm to obtain a threat value of the IP;
converting G into a Markov matrix M, wherein
Defining the transition probability of the state transition matrix as s, and defining the convergence value of iteration as maxerr;
initializing an array $R[N] = \{r_1, r_2, \ldots, r_n\}$;
for each $IP_i$ ($i \in [1, N]$) in the set $A[N]$, if $IP_i$ is in the IP white list then $r_i = 0$, otherwise $r_i = 1$, after which standard normalization is performed on R;
initializing a whitelist matrix $B = B_1 \cdot B_2 \cdots B_i \cdots B_n$, wherein $B_i$, for a white-listed IP $IP_i$, is defined as:
a matrix in which $b = 1/(N-1)$ and the row in which $b$ is located is row $i$;
converting by applying the Markov matrix M to the matrix R to obtain a matrix R';
generating the conversion matrix B according to the white list, and updating R' to $R' \times B$;
summing the differences between each element of R' and R, stopping the iteration if the sum is smaller than maxerr, and otherwise continuing the iteration;
the values $\{r_1', r_2', \ldots, r_n'\}$ of the resulting R' are the threat values corresponding to the IP set $A[N] = \{IP_1, IP_2, \ldots, IP_N\}$;
step S5: ordering is performed according to threat values.
2. The advanced persistent threat attack IP detection method of claim 1 wherein said triplets specifically comprise: attack IP, attacked IP, and threat weight.
3. The advanced persistent threat attack IP detection method of claim 1, wherein said step S1: the method for deploying network security detection equipment in the network and acquiring detection alarm logs and levels of various detection equipment specifically comprises the following steps:
the obtained logs are unified into five-tuple;
and designing a mapping table according to the triples, wherein the mapping table corresponds to different threat weights.
4. An advanced persistent threat attack IP detection method according to claim 3 wherein said five-tuple specifically comprises: the device, attack IP, attacked IP, attack type and threat level.
5. The advanced persistent threat attack IP detection method of claim 1, wherein said step S2: normalizing the acquired alarm log, wherein the normalization format is a set of network attack triples, and the set specifically comprises:
based on different devices, attack types and threat weights corresponding to threat levels, the canonical format is a set of the triples;
and combining triplets with the same attack IP and the same attacked IP, summing threat weights, and updating the threat weights.
6. The advanced persistent threat attack IP detection method of claim 1, wherein said step S3: generating the state transition matrix G according to the set of triples specifically includes:
defining all attacking and attacked IPs as the set $A[N] = \{IP_1, IP_2, \ldots, IP_N\}$, so that the state transition matrix G is a matrix of size $N \times N$;
traversing each element $(IP_i, IP_j, W_k)$ in the set of network attack triples and updating the value of the element $G(j, i)$ in the state transition matrix G to $W_k$.
7. The advanced persistent threat attack IP detection method of claim 1 wherein said applying a markov matrix M on a matrix R for conversion comprises:
$R' = \frac{1-s}{N}\,A(1)_{N \times N} + s\,M^{T} \cdot R$;
wherein $A(1)_{N \times N}$ is the $N \times N$ matrix of all ones, and $M^{T}$ is the transpose of M.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310742047.4A CN116647406B (en) | 2023-06-21 | 2023-06-21 | Advanced persistent threat attack IP detection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310742047.4A CN116647406B (en) | 2023-06-21 | 2023-06-21 | Advanced persistent threat attack IP detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116647406A CN116647406A (en) | 2023-08-25 |
CN116647406B true CN116647406B (en) | 2024-03-12 |
Family
ID=87623043
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310742047.4A Active CN116647406B (en) | 2023-06-21 | 2023-06-21 | Advanced persistent threat attack IP detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116647406B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105871883A (en) * | 2016-05-10 | 2016-08-17 | 上海交通大学 | Advanced persistent threat detection method based on aggressive behavior analysis |
CN108076040A (en) * | 2017-10-11 | 2018-05-25 | 北京邮电大学 | A kind of APT Attack Scenarios method for digging based on killing chain and fuzzy clustering |
CN112087420A (en) * | 2020-07-24 | 2020-12-15 | 西安电子科技大学 | Network killing chain detection method, prediction method and system |
CN114662096A (en) * | 2022-03-25 | 2022-06-24 | 北京邮电大学 | Threat hunting method based on graph kernel clustering |
CN115719070A (en) * | 2022-11-25 | 2023-02-28 | 北京航空航天大学杭州创新研究院 | Multi-step attack detection model pre-training method based on alarm semantics |
CN116032629A (en) * | 2023-01-03 | 2023-04-28 | 上海安博通信息科技有限公司 | Classification treatment method, system electronic equipment and storage medium for alarm traffic |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10631168B2 (en) * | 2018-03-28 | 2020-04-21 | International Business Machines Corporation | Advanced persistent threat (APT) detection in a mobile device |
WO2021171090A1 (en) * | 2020-02-28 | 2021-09-02 | Darktrace, Inc. | An artificial intelligence adversary red team |
Events: 2023-06-21, CN application CN202310742047.4A (patent CN116647406B), status: Active
Also Published As
Publication number | Publication date |
---|---|
CN116647406A (en) | 2023-08-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||