CN117040932A - Rapid evidence obtaining method and system for tracing network attack - Google Patents

Rapid evidence obtaining method and system for tracing network attack Download PDF

Info

Publication number
CN117040932A
CN117040932A CN202311293492.3A CN202311293492A CN117040932A CN 117040932 A CN117040932 A CN 117040932A CN 202311293492 A CN202311293492 A CN 202311293492A CN 117040932 A CN117040932 A CN 117040932A
Authority
CN
China
Prior art keywords
network
attack
node
information
tracing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311293492.3A
Other languages
Chinese (zh)
Other versions
CN117040932B (en
Inventor
陈明亮
刘潮
谢国强
刘锋
邱日轩
刘京
钟文慧
陈旭
钟逸铭
余滢婷
崔柳
钟志萍
向恺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Jiangxi Electric Power Co ltd
State Grid Siji Network Security Beijing Co ltd
Original Assignee
State Grid Jiangxi Electric Power Co ltd
State Grid Siji Network Security Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Jiangxi Electric Power Co ltd, State Grid Siji Network Security Beijing Co ltd filed Critical State Grid Jiangxi Electric Power Co ltd
Priority to CN202311293492.3A priority Critical patent/CN117040932B/en
Publication of CN117040932A publication Critical patent/CN117040932A/en
Application granted granted Critical
Publication of CN117040932B publication Critical patent/CN117040932B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack tracing quick evidence obtaining method and system; s1, collecting a data set of network attack: at this stage, network attack-related datasets are collected, including network traffic data, IDS (intrusion detection system) output, log information, and the like. The method adopts a space-time network model, integrates multidimensional data, and comprises information such as network topology, node attribute, event occurrence time sequence and the like. The multidimensional data comprehensive analysis is helpful for comprehensively understanding network behaviors and improving the accuracy and the comprehensiveness of tracing.

Description

Rapid evidence obtaining method and system for tracing network attack
Technical Field
The invention relates to the technical field of network engineering, in particular to a network attack tracing rapid evidence obtaining method and system.
Background
Network attack refers to malicious actions such as illegal access, destruction, theft, tampering or blocking of a network system, network equipment, a computer system or data thereof through a computer network. Network attacks are mostly intentional, aimed at stealing information and destroying the system. The source and responsible person of the network attack can be determined through tracing evidence, and evidence is provided for pursuing legal responsibility. This helps in the way an attacker is tethered, maintaining network security and public interests. By analyzing the attack source, attack mode and attack path, the vulnerability and vulnerability of the system or network can be discovered. The method is beneficial to a network manager to repair loopholes in time, strengthen network security and improve the defending capability of the system.
Furthermore, the traceable evidence collection can provide deep insight into the behavior of an attacker, and is helpful for improving and optimizing network security policies. Based on the characteristics and modes of the attack behaviors, the defending strategy can be adjusted, and the coping capability of the system to future attacks is improved. Through quick and effective tracing evidence obtaining, measures can be rapidly taken to prevent further attack behaviors, limit the damage range and reduce the loss caused by attack. Common modes, means and features of attacks can be identified through traceable analysis of multiple network attacks. This helps to build a more effective preventive mechanism, early warning and guard against similar attacks.
In the prior art, a main way of the conventional technology form of "an attack evidence obtaining and tracing method for an electric power monitoring system" disclosed in CN202110176274.6 is to collect network flow data in the monitoring system; performing characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data; if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, judging that the network attack exists, and tracing the network data flow. However, such conventional techniques have the following technical drawbacks:
(1) Limiting to a specific feature analysis: the conventional technology mainly relies on feature analysis, namely, some feature parameters are predefined and matched with abnormal feature parameters in a preset database. This approach is limited by predefined features and may not cover all attack types, especially new or complex forms of attack.
(2) The limitation and false alarm rate are high: feature analysis may produce false positives because some normal behavior may be mistaken for an attack feature. At the same time, some variants of the attack may not be detected because its features are not in the predefined feature set.
(3) Modeling of network topology and timing is lacking: the conventional technology does not fully consider network topology and event occurrence timing information, and is limited to static analysis of features. Thus, the true situation of the attack path may be missed, and the propagation and influence path of the attack cannot be fully known.
(4) Depending on the database established in advance: conventional techniques rely on a database built in advance to store the characteristic information, which can lead to certain storage overhead and update maintenance difficulties. Meanwhile, if the new attack form is not in the database, it cannot be accurately identified.
(5) It is difficult to handle complex attack chains: for complex attack chains, conventional techniques may be difficult to analyze and trace efficiently because they do not provide a complete attack path and timing relationship between attacks.
Therefore, a network attack tracing rapid evidence obtaining method and a system are provided.
Disclosure of Invention
In view of the above, the present invention aims to provide a network attack tracing rapid evidence obtaining method and system, so as to solve or alleviate the technical problems existing in the prior art, namely, the method is limited to specific feature analysis, has high limitation and false alarm rate, lacks modeling of network topology and time sequence, depends on a database established in advance and is difficult to process complex attack chains, and at least provides a beneficial choice for the method and the system;
The technical scheme of the application is realized as follows:
first aspect
Rapid evidence obtaining method for tracing network attack
Overview (one)
The network attack tracing rapid evidence obtaining method aims at rapidly and accurately determining the source of the network attack and providing enough evidence so as to pursue legal responsibility. The application provides a technical framework for tracing network attacks, which comprises the main steps of data collection, network topology model construction, space-time network model creation, path analysis and attack source tracing.
(II) technical step
S1, collecting a data set of network attack: at this stage, network attack-related datasets are collected, including network traffic data, IDS (intrusion detection system) output, log information, and the like.
S2, constructing a network topology model G: a network topology model g= (V, E) is constructed, where V represents a set of nodes and E represents a set of edges. The network topology model provides a basis for subsequent analysis based on the actual network structure.
S3, a space-time network model S: a spatio-temporal network model S is created, abstracting the network into a spatio-temporal diagram. The nodes represent network devices or hosts, the edges represent network connection relationships, and the time information represents the time at which a network event occurs.
S4, path analysis: all possible attack paths AP from the source node s to the target node t are found using the path analysis function path analysis (G, s, t).
S5, tracing a source attack source: the tracing function TraceAttackSource (AP) is used to determine the source of the attack, i.e. the source node in the attack path AP.
(III) technical content
(3.1) in said S1, said dataset comprises: information output by network traffic analysisInformation output by IDS systemAnd output information of log analysis
1) The information output by the network flow analysis
The saidIncluding a source IP address, a destination IP address, a protocol, and/or a port; n represents the total number thereof;
2) Information output by the IDS system
Each of saidRepresenting an intrusion detection record, said intrusion detection record packetIncluding intrusion type or/and detection time; m represents the total number thereof;
3) Output information of the log analysis
Each of saidRepresenting a log record, said log record comprising an event description and/or time of occurrence; p represents the total number thereof.
(3.2) in the S2, comprising:
1) The node set V: including all nodes in the network, representing network devices, hosts, or other network entities, each node being identified by a unique identifier The representation is:
n represents a nodeIs the sum of (3);
2) The edge set E: all connection relations in the network are contained, and each edge is connected with two nodesRepresenting the nodeInter-passing edgeConnection network:
(3.3) in said S3, said spatiotemporal network model S comprises:
1) Five-tuple:
2) Outputting the information vector IV:
representing network topology information including the set of nodes V and the set of edges E;
representing node attribute information;
representing side attribute information;
time information is represented, including the time of occurrence of the network event.
(3.4) in the S4, the Path analysis functionThe method comprises the following steps: depth-first search:
representing a set of all possible attack paths from the source node s to the target node t, using a DFS algorithm search.
(3.5): in the S5, the tracing function
wi is the nodeThe weight of (2) represents the likelihood that the node is the source of the attack;
n is the number of nodes on the attack path.
Second aspect
A network attack tracing rapid evidence collection system comprises a processor and a memory coupled with the processor, wherein program instructions are stored in the memory, and when the program instructions are executed by the processor, the processor is enabled to execute the tracing rapid evidence collection method.
The application aims to realize a network attack traceability rapid evidence collection system, and provides rapid and accurate attack source positioning for the field of network security. The system includes a processor, a memory coupled to the processor, and a memory storing program instructions. It comprises the following steps:
(1) A processor: the core component of the system is responsible for executing program instructions, coordinating the operation of the system, processing network attack data, and calling corresponding algorithms and functions to realize a tracing quick evidence obtaining method.
(2) A memory: the memory is used for storing program instructions, and the instructions are key to realizing the traceability rapid evidence collection method. The program instructions are executed by the processor one by one, triggering the corresponding operations.
Summarizing, compared with the prior art, the network attack tracing rapid evidence obtaining method and system provided by the application have the following beneficial effects:
(1) Multidimensional data comprehensive analysis: the method adopts a space-time network model, integrates multidimensional data, and comprises information such as network topology, node attribute, event occurrence time sequence and the like. The multidimensional data comprehensive analysis is helpful for comprehensively understanding network behaviors and improving the accuracy and the comprehensiveness of tracing.
(2) Comprehensively modeling network structure and timing information: the invention adopts a space-time network model, can more comprehensively model the network structure and time sequence information, and not only considers the network topology, but also considers the time sequence of event occurrence. The comprehensive modeling is helpful for accurately understanding the propagation path and time sequence of the attack, and improves the tracing accuracy of the attack.
(3) More flexible attack identification and traceability: the invention can more flexibly identify various attacks without being limited by specific characteristics by adopting a dynamic modeling mode and not depending on fixed characteristic parameters. Meanwhile, the model can be dynamically adjusted according to the real-time condition of the network event, and the method has stronger adaptability.
(4) Processing power for complex attack chains: the space-time network model can well process complex attack chains, identify multi-stage and multi-node attack paths, and improve the traceability of complex attacks. This is critical for security analysis in modern complex network environments.
(5) The tracing efficiency and the instantaneity are improved: the invention can more rapidly and more efficiently trace the source of the attack through algorithm optimization and multidimensional data analysis, is beneficial to rapidly responding to network attack and reduces the loss caused by the attack.
(6) Independent of pre-built databases: compared with the traditional method based on the database constructed in advance by specific feature analysis, the space-time network model does not need to construct the database in advance, reduces the maintenance cost and workload of the database, and improves the flexibility and practicability of the system.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a logic diagram of a method flow according to the present application;
FIG. 2 is a control program diagram of a ninth embodiment of the present application;
fig. 3 is a control program diagram of a ninth embodiment of the present application.
Detailed Description
In order that the above objects, features and advantages of the application will be readily understood, a more particular description of the application will be rendered by reference to the appended drawings. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. This application may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the application, whereby the application is not limited to the specific embodiments disclosed below;
It should be noted that, in the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different manner from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
It will be further appreciated by those of skill in the art that the various example elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the various example elements and steps have been described generally in terms of function in the foregoing description to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is noted that the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Example 1
In order that the detailed description of the invention may be understood, a more particular description of the invention will be rendered by way of example only. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
The present embodiment provides the following technical solutions, please refer to fig. 1:
a network attack tracing quick evidence obtaining method comprises the following steps:
s1, first, a data set related to network attack needs to be collected, where the data sets include network traffic data, intrusion Detection System (IDS) output, log information, and the like. These data will be used as the basis for subsequent analysis to construct a spatio-temporal network model.
S2, constructing a network topology model G:
v represents a node set, E represents an edge set; the network topology model G is the basis of the method. In this model, node set V includes all network devices or hosts, while edge set E represents the connection relationship between network devices.
S3, a space-time network model S: outputting an information vector IV based on the space-time network model S; the space-time network model S is the core of the method. In this step, the present embodiment abstracts the network into a space-time diagram. The nodes represent network devices or hosts, the edges represent network connection relationships, and the time information represents the time at which a network event occurs. The spatio-temporal network model S combines network structure and time information to better analyze the propagation and impact of network attack events.
S4, path analysis: based on the input of the information vector IV, a path analysis function is usedFinding all possible attack paths AP from the source node s to the target node t;
based on the space-time network model S, the present embodiment can use a path analysis functionAll possible attack paths AP from the source node s to the target node t are found. This function may employ various path search algorithms, such as depth-first search (DFS) or breadth-first search (BFS), etc. (see in particular embodiment seven) to find all possible paths from the source node to the target node.
S5, tracing a source attack source: after obtaining all possible attack paths AP, the present embodiment may use a tracing functionTo determine the source of the attack. The function can adopt various tracing algorithms, and the attack source node is determined according to the information in the attack path AP. The tracing function may determine the attack source node by using a weighted average method, a heuristic algorithm method, and the like.
In this embodiment, the logic of the above method is:
p1, data collection: network attack-related data sets, such as network traffic, IDS output, and log information, are collected.
P2, constructing a network topology model: a network topology model G is constructed based on the collected data.
P3, constructing a space-time network model: and constructing a space-time network model S based on the network topology model, and fusing the network structure and the time information.
P4, path analysis: using the space-time network model, all possible attack paths AP are found by the path analysis function.
P5, tracing attack sources: and determining an attack source node through a tracing function based on the attack path AP.
Summarizing, aiming at the following technical defects of the conventional technology, the solution of the present embodiment is as follows:
(1) Solving the specific feature analysis limit: the space-time network model is adopted to abstract the network into a space-time diagram, and not only special characteristics are considered, but also the network topology structure and event occurrence time sequence information are considered. This may not only rely on specific feature analysis, but may also integrate multidimensional features for analysis, including node properties, network topology, event occurrence time, etc.
(2) And the false alarm rate is reduced: the false alarm rate can be reduced by the comprehensive analysis of the space-time network model. By considering the characteristics of multiple dimensions, normal behaviors and abnormal behaviors can be distinguished more accurately, and the possibility of false alarm is reduced.
(3) Modeling network topology and timing information: the space-time network model integrates network topology and time sequence information into one model, and solves the problem of insufficient modeling of the network topology and the time sequence in the traditional method. Thus, the occurrence of network events can be more fully understood.
(4) Reducing the dependence on the database established in advance: the space-time network model adopts a dynamic modeling mode, and a database is not required to be constructed in advance to store specific characteristic parameters. Therefore, the method does not depend on a database established in advance, and can also effectively trace the source of the attack.
(5) Processing complex attack chains: the space-time network model considers network topology and time sequence information, can better process complex attack chains, and can accurately identify attack paths, including complex multi-stage attacks.
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example two
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
in the network attack tracing rapid evidence obtaining method, the S1 stage relates to collection of a data set and comprises information output by network traffic analysisInformation output by IDS systemAnd output information of log analysis
In this embodiment, the network traffic analyzes the output information: the information output by the network traffic analysis includes a series of network traffic records formally represented as:
including a source IP address, a destination IP address, a protocol, and/or a port; n represents the total number thereof;
wherein each ofThe information contained can be expressed as:
the information can be used for analyzing the source, the destination, the protocol type and the port condition of the network traffic, and provides basic information for subsequent network attack tracing.
In this embodiment, the information output by the IDS system: the information output by the IDS system includes a series of intrusion detection records, each recordIncluding information on the type of intrusion and/or time of detection. Formalized representation is:
each of which isRepresenting an intrusion detection record, the intrusion detection record comprising an intrusion type and/or a detection time; m represents the total number thereof;
in the present embodiment, output information of log analysis : the output information of the log analysis includes a series of log records:
each of which isRepresenting a log record, wherein the log record comprises an event description and/or occurrence time; p represents the total number thereof. This information can be used to learn about various events and corresponding times that occur on the network, helping to analyze the point in time of the attack and the occurrence of the event.
In this embodiment, information is collected for network traffic analysis, IDS system output, and log analysis. Each type of information contains a plurality of records, each record containing specific key information such as source IP, destination IP, protocol, intrusion type, event description, time of occurrence, etc.
These information will be referred to as a datasetAndis used for constructing a space-time network model and carrying out subsequent attack traceability analysis. The data set collection method can provide multidimensional information and provide a rich data basis for tracing and analyzing network attacks.
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example III
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
in the network attack tracing rapid evidence obtaining method, the S2 stage relates to the construction of a network topology model and mainly comprises the definition of a node set V and an edge set EE. Both of which constitute a network topology model G.
In S2, it includes:
1) Node set V: including all nodes in the network, representing network devices, hosts, or other network entities, each node being identified by a unique identifierThe representation is:
n represents a nodeIs the sum of (3); i represents the sequence number of the node
The nodes may be entities in any network, such as routers, switches, computers, servers, etc. Each nodeHaving a specific unique identifier in the network facilitates subsequent identification and processing of the node.
2) Edge set E: all connection relations in the network are contained, and each edge is connected with two nodesRepresenting nodesInter-passing edgeConnection network:
The connection relationship in the network may be a physical connection, such as a network cable connection, a wireless connection, etc., or may be a logical connection, such as a network communication protocol, etc. These connections form the topology of the network and are the basis for analyzing network traffic and attack propagation paths.
The network topology model G reflects the connection relation among all entities in the network and provides key topology information for subsequent network attack tracing based on the space-time network model.
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example IV
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
in this embodiment, the space-time network model S is the core of the network attack tracing rapid evidence obtaining method, and is used for comprehensively representing the topology structure and time sequence information of the network. In stage S3, the present embodiment constructs a spatio-temporal network model S comprising five elements, each element representing different information.
In S3, the spatio-temporal network model S includes:
1) Five-tuple:
information output by network traffic analysis: including a source IP address, a destination IP address, a protocol, and/or a port, etc.
Information output by IDS system: information output by the IDS system, including intrusion type and/or detection time, etc.
Output information of log analysis: output information of the log analysis, including event descriptions and/or time of occurrence, etc.
V: a node set, representing all nodes in a network, represents a network device, host, or other network entity.
E: an edge set comprising all connection relations in the network, each edge connecting two nodesRepresenting nodesInter-passing edgeAnd connecting to a network.
2) Output information vector IV:
the output information vector IV is a representation of the spatiotemporal network model S for summarizing important information in the model. V includes four sub-vectors representing network topology, node attributes, edge attributes, and time information, respectively.
Representing network topology information, including a node set V and an edge set E;
representing node attribute information;
representing side attribute information;
time information is represented, including the time of occurrence of the network event.
In this embodiment, the output information vector IV abstracts the topology structure, node attribute, edge attribute and time information of the network in the form of vectors, so that subsequent analysis and processing are facilitated.
Specific:
(1) Summary information: and IV, the key information in the space-time network model SS is abstracted into a vector form, so that the complex network structure and event information are simplified, and further analysis is facilitated.
(2) Extracting a network topology structure:topology information of the network is provided, wherein the topology information comprises a node set V and an edge set E, and the connection relation of the network is abstracted.
(3) Node and side attribute information extraction:andattribute information representing nodes and edges, respectively, may include node types, weights of edges, and the like.
(4) Extracting time information:time information is provided, including the time of occurrence of network events, to facilitate analysis of the temporal order and interval of occurrence of events.
Further, the roles played by IV in tracing include:
(1) Application in path analysis: in the path analysis phase, the information vector IVIV may be used to identify and analyze potential attack paths. By analysis ofAndand the like, and can determine nodes, node attributes and connection conditions on the path.
(2) Application in attack source tracing: in the tracing stage, time informationIs critical. By analyzing the time information, the time period of attack occurrence can be determined, and the network topology structure is combinedThe traceability range can be reduced, and the possible attack sources can be determined.
(3) The specific function of the information vector IV is to abstract and summarize network data and extract important information so as to better analyze network attack paths and trace attack sources.
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example five
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
in the network attack tracing rapid evidence obtaining method, an information vector IV is the abstraction and generalization of key information in a time-space network model. In the information vector IV, specifically, it includes:
1) Network topology information
Network topology informationThe node set V and the edge set E are included, and the connection relation between nodes in the network is expressed in a concise mode.
V: a node set, representing all nodes in a network, represents a network device, host, or other network entity.
E: an edge set comprising all connection relations in the network, each edge connecting two nodesRepresenting nodesInter-passing edgeAnd connecting to a network.
2) Node attribute information
Node attribute informationVarious attributes of nodes in the network are represented. Each nodeAnd its corresponding attributes are represented by a tuple.
In the formulaRepresenting nodesIs a property of (2); in this way, the present embodiment can record the attribute of each node in a clear manner in the information vector.
3) Side attribute information
Side attribute informationRepresenting attributes of the network edge. The information of the weight of the edge, the communication protocol and the like can be further introduced by way of example.
4) Event attribute information: unlike in the fourth embodimentIt may also contain various events occurring in the network
Representing the ith network event. These events may include attack events, exception events, normal events, etc., for subsequent attack tracing and analysis.
In this embodiment, an information vector IV is constructed, and the topology, node attributes, edge attributes, and event information of the network are abstracted and summarized for subsequent analysis, processing, and tracing. The construction of the information vector IV enables the network structure and event information to be represented in a clear mode, and provides a rich data basis for network attack tracing.
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example six
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
in the S4 stage of the network attack tracing rapid evidence obtaining method, a path analysis function is usedTo find all possible attack paths from the source node s to the target node t, a Depth First Search (DFS) algorithm is employed. The logic and principles of the DFS algorithm are described in detail below.
In this embodiment, the Depth First Search (DFS) is a graph traversal algorithm that explores all nodes in the graph and finds paths from the starting node to the target node. In network attack tracing, DFS is used to find potential attack paths.
In S4, a path analysis functionThe DPS algorithm is searched for depth first:
representing the set of all possible attack paths from the source node s to the target node t, using a DFS algorithm.
The DPS algorithm is characterized by the steps of:
p1, initializing: starting from a source node s, s is marked as an accessed node. At the same time, a path list is initialized, and is empty at the beginning.
P2, exploring adjacent nodes: for each neighbor node v of s, if v has not been accessed, v is marked as accessed and then the current path is extended to include v, i.e., v is added to the path list.
P3, recursion search: for each adjacent node w of v, repeating the step 2, and continuing to explore. This is a recursive process that will continue until the target node t is found or there are no unvisited nodes.
P4, backtracking: if the current path cannot continue to expand, i.e. no neighbor node is not accessed, backtracking to the last node and continuing to explore other branches.
P5, path record: every time a path from s to t is found, it is recorded and the search for other possible paths is continued.
P6, termination condition: the algorithm terminates when all possible paths are explored or the target node t is found.
Specifically, the DFS algorithm starts from the source node s and continuously searches the deep node until the target node t is found or all branches are searched based on the principle of depth search. Depth-first searching is implemented in a recursive or stacked manner to ensure that each node is accessed. Each time a neighboring node is explored, the node is added to the current path, so that the path from s to the current node can be recorded. When the target node t is found or the path cannot be extended continuously, backtracking is performed, and other branches are tried. By recording the paths, all possible paths from s to t can be found. The DFS algorithm is used for assisting the embodiment in searching the attack path in network attack tracing, can help to determine the attack propagation mode, and provides an important clue for subsequent tracing analysis.
The examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example seven
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
in the network attack tracing rapid evidence collection method, a depth-first search (DFS) algorithm is adopted for searching all possible attack paths from a source node s to a target node t. The DFS algorithm is implemented in a recursive manner while utilizing some auxiliary data structures to record the nodes that have been accessed, the current path, and all possible attack paths. The logic and principles of the DFS algorithm will be described in detail in this embodiment below:
A set of visited nodes;
path is a list used for recording the current explored path;
allpathis is a collection that stores all possible attack paths.
The DPS flow includes:
p1, initializing: an empty set of visible is initialized for recording the accessed nodes, an empty list path for recording the currently explored paths, and an empty set of allpathis for storing all possible attack paths.
P2, DFS recursive search: invoking a recursive functionThe DFS recursive search is started.
P3, DFS recurrence function: the graph G, the current node s, the target node t, the visited node set visited, the current path list path, and all possible attack path sets allPaths. Depth-first search is performed inside the recursive function:
and P3.1, adding the current node s into the current path.
P3.2, marking the current node s as accessed, and adding the accessed set visited.
And P3.3, if s is equal to the target node t, finding a path from the source node s to the target node t, and adding the current path into all possible attack path sets allPaths.
P3.4, otherwise, recursively calling all adjacent nodes v of s if v is not accessed And continuing to explore.
P3.5, backtracking: s is removed from the current path and s is removed from the accessed set, identified.
P3.6, return result: all possible attack path sets allPaths are returned.
It will be appreciated that in this embodiment, the DFS algorithm searches as deeply as possible, first accesses an unviewed neighbor node of the current node, and recursively proceeds until the target node is reached or the search cannot be continued. And adding the current node into the path, and removing the current node during recursive backtracking to ensure that the path is correctly recorded. And when the search cannot be continued, returning to the node at the upper level, and exploring other branches until all branches are explored. The DFS algorithm can find all possible paths from the source node to the target node, and provides key information for tracing the follow-up attack.
The examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example eight
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
in this embodiment, in the S5 stage of the network attack tracing rapid evidence obtaining method, a tracing function is adoptedTo determine the source of the attack. The function utilizes the weight wi of the node and the number n of nodes on the attack path to evaluate the probability of the node as an attack source.
In S5, the traceability function
wi is a nodeThe weight of (2) represents the likelihood that the node is the source of the attack;
n is the number of nodes on the attack path.
The tracing steps comprise:
p1, inputting parameters: an attack path AP, which is an attack path from a source node to a target node.
P2, tracing:
p2.1, calculating the node number n on the attack path.
P2.2 for each node on the path The weight wi of a node is calculated to indicate the likelihood that the node is the source of the attack.
And P2.3, calculating a weighted average value of the node according to the node weight wi and the node number n, and taking the weighted average value as the weight of the node as an attack source.
P3, determining an attack source: and selecting the node with the highest weight as the most probable attack source according to the calculated node weight.
Further, the traceability function evaluates the possibility of the node as an attack source by analyzing the node on the attack path and utilizing the weight wi of the node and the node number n. The main principle is as follows: node weight wi represents a nodeAs a source of attack. Typically, the evaluation is based on the node's attributes, historical behavior, anomalies, etc., with higher weights indicating that the node is more likely to be the source of the attack. The node number n represents the number of nodes on the attack path, i.e. the length of the attack path. The longer the attack path, the lower the likelihood. According to the node weight wi and the node number n, a weighted average value of each node can be calculated, and the comprehensive possibility of each node on the attack path serving as an attack source is reflected. The node with the highest weighted average is selected as the most likely source of attack. Thus, the attack source can be determined as accurately as possible, and further attack tracing and evidence obtaining processes are facilitated.
Summarizing, the objective of the traceability function is to determine the attack source as accurately as possible for subsequent evidence collection and further security analysis. By considering the weight of the node and the length of the attack path, the accuracy and the reliability of tracing can be improved.
The examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example nine
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
The embodiment provides a network attack tracing rapid evidence obtaining system, which comprises a processor and a memory coupled with the processor, wherein program instructions are stored in the memory, and when the program instructions are executed by the processor, the processor is enabled to execute the tracing rapid evidence obtaining method.
The application aims to realize a network attack traceability rapid evidence collection system, and provides rapid and accurate attack source positioning for the field of network security. The system includes a processor, a memory coupled to the processor, and a memory storing program instructions. It comprises the following steps:
(1) A processor: the core component of the system is responsible for executing program instructions, coordinating the operation of the system, processing network attack data, and calling corresponding algorithms and functions to realize a tracing quick evidence obtaining method.
(2) A memory: the memory is used for storing program instructions, and the instructions are key to realizing the traceability rapid evidence collection method. The program instructions are executed by the processor one by one, triggering the corresponding operations.
The working principle is as follows:
(1) Program instructions execute: the processor executes program instructions stored in the memory, step by step in the order of the instructions.
(2) The tracing rapid evidence collection method is called: when executing the program instruction, the tracing quick evidence obtaining method is called. The method is based on the network attack tracing rapid evidence obtaining method introduced above, and achieves rapid tracing and positioning of the network attack source.
(3) Data processing and analysis: the system processes and analyzes the collected network attack data through the processor, builds a network topology model and generates a space-time network model.
(4) Path analysis and attack source tracing: and calling a path analysis function to perform path analysis by using the generated space-time network model, and finding out a possible attack path from the source node to the target node. Then, a specific attack source is determined by using the traceability function.
Further, referring to fig. 2 to 3, which show control programs stored in the memory, the present embodiment provides only its operation logic in the form of c++ pseudo code, and the principle includes:
s1, collecting a network attack data set, namely simulating the collection process of the data set by calling a CollectAttackData () function.
S2, constructing a network topology model, namely constructing the network topology model by using a buildNTworks topology () function, wherein the model consists of a node set and an edge set.
And S3, creating a space-time network model by using a createPatationtemporal network model () function, wherein the model comprises a topological structure of the network and corresponding attribute information.
S4, path analysis, namely, path analysis is carried out by using a PathAnalysis DFS () function, and a depth-first search (DFS) algorithm is adopted to find all possible attack paths from the source node to the target node.
S5, tracing the source of the attack, namely tracing the source by using a traceAttackSource () function, and determining the most probable attack source node according to the attack path and the node weight.
Further, the functions in the program include:
(1) Collectatackdata (): this function is a control function of the process of collecting network attack data.
(2) The buildnetworks topology (). The function is used to build a network topology model, returning a data structure containing a set of nodes and a set of edges.
(3) The createPatationtemporal network model (). The function is used to create a spatiotemporal network model, which builds a complete spatiotemporal network model from the network topology and attribute information.
(4) PathAnalysis DFS () the function implements a depth-first search (DFS) algorithm for path analysis that looks up all possible attack paths from the source node to the target node.
(5) The traceAttackSource (). The function is used to trace the source of the attack, and the most probable attack source node is calculated based on the attack path and the node weight.
The examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.

Claims (9)

1. A network attack tracing quick evidence obtaining method is characterized by comprising the following steps:
s1, collecting a data set of network attack;
s2, constructing a network topology model G:
v represents a node set, E represents an edge set;
s3, a space-time network model S: outputting an information vector IV based on the space-time network model S;
s4, path analysis: based on the input of the information vector IV, a path analysis function is usedFinding all possible attack paths AP from the source node s to the target node t;
s5, tracing a source attack source: based on the input of the information vector IV and the attack path AP, a tracing function is usedTo determine the source of the attack.
2. The network attack traceability rapid evidence collection method according to claim 1, wherein the method comprises the following steps: in the S1, the data set includes: information output by network traffic analysisInformation output by IDS system->And output information of log analysis->
1) The information output by the network flow analysis
The saidIncluding a source IP address, a destination IP address, a protocol, and/or a port; n represents the total number thereof;
2) Information output by the IDS system
Each of saidRepresenting an intrusion detection record, said intrusion detection record comprising an intrusion type and/or a detection time; m represents the total number thereof;
3) Output information of the log analysis
Each of saidRepresenting a log record, said log record comprising an event description and/or time of occurrence; p represents the total number thereof.
3. The network attack traceability rapid evidence collection method according to claim 1, wherein the method comprises the following steps: in the S2, it includes:
1) The node set V: including all nodes in the network, representing network devices, hosts, or other network entities, each node being identified by a unique identifierThe representation is:
n represents a nodeIs the sum of (3);
2) The edge set E: all connection relations in the network are contained, and each edge is connected with two nodesRepresenting the node->The middle passing edge->Connection network:
4. the network attack traceability rapid evidence collection method according to claim 2, wherein the method comprises the following steps: in the step S3, the space-time network model S includes:
1) Five-tuple:
2) Outputting the information vector IV:
representing network topology information including the set of nodes V and the set of edges E;
representing node attribute information;
representing side attribute information;
time information is represented, including the time of occurrence of the network event.
5. The network attack traceability rapid evidence collection method according to claim 4, wherein the method comprises the following steps: in the information vector IV, there are:
1) The network topology information
2) The node attribute information
In the formulaRepresenting the node->Is a property of (2);
3) The side attribute information
4) The event attribute information
Representing the ith network event.
6. The network attack traceability rapid evidence collection method according to claim 1, wherein the method comprises the following steps: in the S4, the path analysis functionThe method comprises the following steps: depth-first search:
representing a set of all possible attack paths from the source node s to the target node t, using a DFS algorithm search.
7. The network attack traceability rapid evidence collection method according to claim 6, wherein the method comprises the following steps: the DFS algorithm is as follows:
a set of visited nodes;
path is a list used for recording the current explored path;
allpathis is a collection that stores all possible attack paths.
8. The network attack traceability rapid evidence collection method according to claim 1, wherein the method comprises the following steps: in the S5, the tracing function
wi is the nodeThe weight of (2) represents the likelihood that the node is the source of the attack;
n is the number of nodes on the attack path.
9. A network attack traceability rapid evidence collection system is characterized in that: the system comprises a processor and a memory coupled to the processor, wherein the memory stores program instructions that, when executed by the processor, cause the processor to perform the network attack traceability rapid evidence collection method according to any one of claims 1-8.
CN202311293492.3A 2023-10-09 2023-10-09 Rapid evidence obtaining method and system for tracing network attack Active CN117040932B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311293492.3A CN117040932B (en) 2023-10-09 2023-10-09 Rapid evidence obtaining method and system for tracing network attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311293492.3A CN117040932B (en) 2023-10-09 2023-10-09 Rapid evidence obtaining method and system for tracing network attack

Publications (2)

Publication Number Publication Date
CN117040932A true CN117040932A (en) 2023-11-10
CN117040932B CN117040932B (en) 2024-04-02

Family

ID=88630418

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311293492.3A Active CN117040932B (en) 2023-10-09 2023-10-09 Rapid evidence obtaining method and system for tracing network attack

Country Status (1)

Country Link
CN (1) CN117040932B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118509258A (en) * 2024-07-17 2024-08-16 浙江大学 Network attack monitoring method and device based on time sequence sub-graph matching
CN118573466A (en) * 2024-07-11 2024-08-30 国家工业信息安全发展研究中心 Nuclear power industry network attack behavior pattern analysis and tracing method
CN118573466B (en) * 2024-07-11 2024-10-25 国家工业信息安全发展研究中心 Nuclear power industry network attack behavior pattern analysis and tracing method

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106470213A (en) * 2016-10-17 2017-03-01 杭州迪普科技股份有限公司 A kind of source tracing method of attack message and device
CN108696473A (en) * 2017-04-05 2018-10-23 中国移动通信集团广东有限公司 Attack path restoring method and device
CN112104639A (en) * 2020-09-11 2020-12-18 湖南大学 Attack path parallel prediction method for power system network
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN112822213A (en) * 2021-02-07 2021-05-18 国网福建省电力有限公司电力科学研究院 Attack evidence obtaining and tracing method for power monitoring system
CN114584401A (en) * 2022-05-06 2022-06-03 国家计算机网络与信息安全管理中心江苏分中心 Tracing system and method for large-scale network attack
CN114615063A (en) * 2022-03-14 2022-06-10 清华大学 Attack tracing method and device based on log correlation analysis
CN115134250A (en) * 2022-06-29 2022-09-30 北京计算机技术及应用研究所 Network attack source tracing evidence obtaining method
CN115567306A (en) * 2022-09-29 2023-01-03 中国人民解放军国防科技大学 APT attack tracing analysis method based on bidirectional long-time and short-time memory network
CN115664703A (en) * 2022-09-13 2023-01-31 国网安徽省电力有限公司信息通信分公司 Attack tracing method based on multi-dimensional information

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106470213A (en) * 2016-10-17 2017-03-01 杭州迪普科技股份有限公司 A kind of source tracing method of attack message and device
CN108696473A (en) * 2017-04-05 2018-10-23 中国移动通信集团广东有限公司 Attack path restoring method and device
CN112104639A (en) * 2020-09-11 2020-12-18 湖南大学 Attack path parallel prediction method for power system network
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN112822213A (en) * 2021-02-07 2021-05-18 国网福建省电力有限公司电力科学研究院 Attack evidence obtaining and tracing method for power monitoring system
CN114615063A (en) * 2022-03-14 2022-06-10 清华大学 Attack tracing method and device based on log correlation analysis
CN114584401A (en) * 2022-05-06 2022-06-03 国家计算机网络与信息安全管理中心江苏分中心 Tracing system and method for large-scale network attack
CN115134250A (en) * 2022-06-29 2022-09-30 北京计算机技术及应用研究所 Network attack source tracing evidence obtaining method
CN115664703A (en) * 2022-09-13 2023-01-31 国网安徽省电力有限公司信息通信分公司 Attack tracing method based on multi-dimensional information
CN115567306A (en) * 2022-09-29 2023-01-03 中国人民解放军国防科技大学 APT attack tracing analysis method based on bidirectional long-time and short-time memory network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
魏姗姗: "网络攻击溯源技术研究综述", 保密科学技术, no. 01 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118573466A (en) * 2024-07-11 2024-08-30 国家工业信息安全发展研究中心 Nuclear power industry network attack behavior pattern analysis and tracing method
CN118573466B (en) * 2024-07-11 2024-10-25 国家工业信息安全发展研究中心 Nuclear power industry network attack behavior pattern analysis and tracing method
CN118509258A (en) * 2024-07-17 2024-08-16 浙江大学 Network attack monitoring method and device based on time sequence sub-graph matching

Also Published As

Publication number Publication date
CN117040932B (en) 2024-04-02

Similar Documents

Publication Publication Date Title
CN111431939B (en) CTI-based SDN malicious flow defense method
Khan et al. Feature selection of denial-of-service attacks using entropy and granular computing
Zhu et al. Alert correlation for extracting attack strategies
CN114679338A (en) Network risk assessment method based on network security situation awareness
Fredj A realistic graph‐based alert correlation system
CN113965469B (en) Construction method of network data analysis model
CN115277127A (en) Attack detection method and device for searching matching attack mode based on system tracing graph
CN117240632B (en) Attack detection method and system based on knowledge graph
Al-Utaibi et al. Intrusion detection taxonomy and data preprocessing mechanisms
Jia et al. MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning
Fayyad et al. Attack scenario prediction methodology
Sukhwani et al. A survey of anomaly detection techniques and hidden markov model
Das et al. An efficient feature selection approach for intrusion detection system using decision tree
CN118138361A (en) Security policy making method and system based on autonomously evolutionary agent
Xuan et al. New approach for APT malware detection on the workstation based on process profile
CN117220961B (en) Intrusion detection method, device and storage medium based on association rule patterns
Ianni et al. Scout: Security by computing outliers on activity logs
Khaoula et al. Improving Intrusion Detection Using PCA And K-Means Clustering Algorithm
CN117040932B (en) Rapid evidence obtaining method and system for tracing network attack
Hu et al. Abnormal Event Correlation and Detection Based on Network Big Data Analysis.
CN115567325B (en) Threat hunting method based on graph matching
Hussain et al. An NIDS for Known and Zero-Day Anomalies
Changguo et al. The research on the application of association rules mining algorithm in network intrusion detection
Li et al. Assessing attack threat by the probability of following attacks
CN115051833B (en) Intercommunication network anomaly detection method based on terminal process

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant