CN117040932B - Rapid evidence obtaining method and system for tracing network attack - Google Patents


Info

Publication number
CN117040932B
Authority
CN
China
Prior art keywords
network
attack
node
information
tracing
Legal status
Active
Application number
CN202311293492.3A
Other languages
Chinese (zh)
Other versions
CN117040932A (en)
Inventor
陈明亮
刘潮
谢国强
刘锋
邱日轩
刘京
钟文慧
陈旭
钟逸铭
余滢婷
崔柳
钟志萍
向恺
Current Assignee
State Grid Jiangxi Electric Power Co ltd
State Grid Siji Network Security Beijing Co ltd
Original Assignee
State Grid Jiangxi Electric Power Co ltd
State Grid Siji Network Security Beijing Co ltd

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/40 Network security protocols (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L2463/146 Tracing the source of attacks (under H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a rapid evidence-obtaining method and system for tracing network attacks. S1, collecting a data set of the network attack: at this stage, data sets related to the network attack are collected, including network traffic data, IDS (intrusion detection system) output, log information and the like. The method adopts a space-time network model that integrates multidimensional data, including network topology, node attributes and the time sequence in which events occurred. Analysing these dimensions together helps to understand network behaviour comprehensively and improves the accuracy and completeness of tracing.

Description

Rapid evidence obtaining method and system for tracing network attack
Technical Field
The invention relates to the technical field of network engineering, in particular to a rapid evidence-obtaining method and system for tracing network attacks.
Background
A network attack is a malicious action carried out through a computer network, such as unauthorised access to, destruction, theft, tampering or blocking of a network system, network equipment, a computer system or its data. Network attacks are mostly intentional, aimed at stealing information or damaging systems. Tracing and evidence collection can determine the source of an attack and the party responsible, and provide evidence for pursuing legal liability; this helps hold attackers accountable and protects network security and the public interest. Analysing the attack source, attack mode and attack path also reveals weaknesses and vulnerabilities in the system or network, which helps the network administrator patch them promptly, strengthen network security and improve the system's defensive capability.
Furthermore, tracing and evidence collection gives deep insight into attacker behaviour and helps to improve and optimise network security policy: the defensive strategy can be adjusted according to the characteristics and patterns of the observed attacks, improving the system's ability to cope with future ones. Rapid and effective tracing also allows measures to be taken quickly to stop further attack activity, limit the scope of the damage and reduce the losses caused. Tracing analysis across many network attacks can identify the common patterns, techniques and features of attacks, which helps build more effective prevention, early warning and defence against similar attacks.
In the prior art, the conventional technique represented by "an attack evidence obtaining and tracing method for an electric power monitoring system" disclosed in CN202110176274.6 mainly works as follows: collect network flow data in the monitoring system; perform feature analysis on the flow data to obtain its feature parameters; if the feature parameters match abnormal feature parameters in a preset database, judge that a network attack exists and trace the network data flow. Such conventional techniques have the following technical drawbacks:
(1) Limited to specific feature analysis: the conventional technique relies mainly on feature analysis, that is, some feature parameters are predefined and matched against abnormal feature parameters in a preset database. This approach is bounded by the predefined features and may not cover all attack types, especially new or complex forms of attack.
(2) High limitation and false-alarm rate: feature matching may produce false positives, because some normal behaviour may be mistaken for an attack feature, while some attack variants may go undetected because their features are not in the predefined feature set.
(3) No modelling of network topology and timing: the conventional technique does not adequately consider the network topology or the timing of events, and is limited to static analysis of features. The true course of the attack path may therefore be missed, and the propagation and impact path of the attack cannot be fully understood.
(4) Dependence on a pre-built database: the conventional technique relies on a database built in advance to store the feature information, which brings storage overhead and maintenance difficulty. If a new form of attack is not in the database, it cannot be identified accurately.
(5) Difficulty handling complex attack chains: for complex attack chains, the conventional technique is hard to analyse and trace efficiently, because it provides neither the complete attack path nor the timing relationship between the attack steps.
Therefore, a network attack tracing rapid evidence obtaining method and a system are provided.
Disclosure of Invention
In view of the above, the present invention aims to provide a rapid evidence-obtaining method and system for tracing network attacks, so as to solve or alleviate the technical problems of the prior art, namely that it is limited to specific feature analysis, has a high limitation and false-alarm rate, lacks modelling of network topology and timing, depends on a pre-built database and handles complex attack chains poorly, or at least to provide a useful alternative;
The technical scheme of the invention is realized as follows:
first aspect
Rapid evidence obtaining method for tracing network attack
Overview (one)
The network attack tracing rapid evidence obtaining method aims at rapidly and accurately determining the source of the network attack and providing enough evidence so as to pursue legal responsibility. The application provides a technical framework for tracing network attacks, which comprises the main steps of data collection, network topology model construction, space-time network model creation, path analysis and attack source tracing.
(II) technical step
S1, collecting a data set of network attack: at this stage, network attack-related datasets are collected, including network traffic data, IDS (intrusion detection system) output, log information, and the like.
S2, constructing a network topology model G: a network topology model G = (V, E) is constructed, where V represents the set of nodes and E the set of edges. The network topology model provides a basis for the subsequent analysis that reflects the actual network structure.
S3, a space-time network model S: a spatio-temporal network model S is created, abstracting the network into a spatio-temporal diagram. The nodes represent network devices or hosts, the edges represent network connection relationships, and the time information represents the time at which a network event occurs.
S4, path analysis: all possible attack paths AP from the source node s to the target node t are found using the path analysis function PathAnalysis(G, s, t).
S5, tracing a source attack source: the tracing function TraceAttackSource (AP) is used to determine the source of the attack, i.e. the source node in the attack path AP.
(III) technical content
(3.1) In S1, the data set comprises: the information output by network traffic analysis, the information output by the IDS system, and the output information of log analysis.
1) The information output by network traffic analysis:
each record includes a source IP address, a destination IP address, a protocol and/or a port; n represents the total number of such records;
2) The information output by the IDS system:
each record is an intrusion detection record comprising an intrusion type and/or a detection time; m represents the total number of such records;
3) The output information of log analysis:
each record is a log record comprising an event description and/or a time of occurrence; p represents the total number of such records.
(3.2) In S2, the model comprises:
1) The node set V: includes all nodes in the network, representing network devices, hosts or other network entities, each node being identified by a unique identifier;
n represents the total number of nodes;
2) The edge set E: contains all connection relations in the network; each edge connects two nodes, representing that those nodes are connected through that edge in the network.
(3.3) In S3, the spatio-temporal network model S comprises:
1) A five-tuple;
2) The output information vector IV, whose components are:
network topology information, including the node set V and the edge set E;
node attribute information;
edge attribute information;
time information, including the time of occurrence of each network event.
(3.4) In S4, the path analysis function is a depth-first search:
it returns the set of all possible attack paths from the source node s to the target node t, found by searching with the DFS algorithm.
(3.5) In S5, the tracing function computes a weighted score over the nodes of an attack path, in which
w_i is the weight of node i, representing the likelihood that the node is the source of the attack;
n is the number of nodes on the attack path.
Second aspect
A network attack tracing rapid evidence collection system comprises a processor and a memory coupled with the processor, wherein program instructions are stored in the memory, and when the program instructions are executed by the processor, the processor is enabled to execute the tracing rapid evidence collection method.
The network attack tracing rapid evidence obtaining system is used to locate an attack source rapidly and accurately in the field of network security. The system includes a processor and a memory coupled to the processor in which program instructions are stored. It comprises the following:
(1) A processor: the core component of the system is responsible for executing program instructions, coordinating the operation of the system, processing network attack data, and calling corresponding algorithms and functions to realize a tracing quick evidence obtaining method.
(2) A memory: the memory is used for storing program instructions, and the instructions are key to realizing the traceability rapid evidence collection method. The program instructions are executed by the processor one by one, triggering the corresponding operations.
Summarizing, compared with the prior art, the network attack tracing rapid evidence obtaining method and system provided by the invention have the following beneficial effects:
(1) Multidimensional data comprehensive analysis: the method adopts a space-time network model, integrates multidimensional data, and comprises information such as network topology, node attribute, event occurrence time sequence and the like. The multidimensional data comprehensive analysis is helpful for comprehensively understanding network behaviors and improving the accuracy and the comprehensiveness of tracing.
(2) Comprehensively modeling network structure and timing information: the invention adopts a space-time network model, can more comprehensively model the network structure and time sequence information, and not only considers the network topology, but also considers the time sequence of event occurrence. The comprehensive modeling is helpful for accurately understanding the propagation path and time sequence of the attack, and improves the tracing accuracy of the attack.
(3) More flexible attack identification and traceability: the invention can more flexibly identify various attacks without being limited by specific characteristics by adopting a dynamic modeling mode and not depending on fixed characteristic parameters. Meanwhile, the model can be dynamically adjusted according to the real-time condition of the network event, and the method has stronger adaptability.
(4) Processing power for complex attack chains: the space-time network model can well process complex attack chains, identify multi-stage and multi-node attack paths, and improve the traceability of complex attacks. This is critical for security analysis in modern complex network environments.
(5) The tracing efficiency and the instantaneity are improved: the invention can more rapidly and more efficiently trace the source of the attack through algorithm optimization and multidimensional data analysis, is beneficial to rapidly responding to network attack and reduces the loss caused by the attack.
(6) Independent of pre-built databases: compared with the traditional method based on the database constructed in advance by specific feature analysis, the space-time network model does not need to construct the database in advance, reduces the maintenance cost and workload of the database, and improves the flexibility and practicability of the system.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the technical descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a logic diagram of a method flow according to the present invention;
FIG. 2 is a control program diagram of a ninth embodiment of the present invention;
FIG. 3 is a control program diagram of a ninth embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the invention will be readily understood, a more particular description of the invention will be rendered by reference to the appended drawings. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. This invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, whereby the invention is not limited to the specific embodiments disclosed below;
It should be noted that, in the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different manner from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
It will be further appreciated by those of skill in the art that the various example elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the various example elements and steps have been described generally in terms of function in the foregoing description to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is noted that the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Example 1
In order that the detailed description of the invention may be understood, a more particular description of the invention will be rendered by way of example only. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
The present embodiment provides the following technical solutions, please refer to fig. 1:
a network attack tracing quick evidence obtaining method comprises the following steps:
S1, first, a data set related to the network attack needs to be collected, including network traffic data, Intrusion Detection System (IDS) output, log information and the like. These data are the basis of the subsequent analysis and of the construction of the spatio-temporal network model.
S2, constructing a network topology model G = (V, E):
V represents the node set and E the edge set. The network topology model G is the basis of the method: node set V includes all network devices or hosts, and edge set E represents the connection relations between them.
S3, the space-time network model S: the information vector IV is output from the space-time network model S, which is the core of the method. In this step, the network is abstracted into a space-time graph: nodes represent network devices or hosts, edges represent network connection relations, and the time information records when each network event occurred. By combining network structure with time information, the model S supports analysis of how a network attack event propagates and what it affects.
S4, path analysis: taking the information vector IV as input, a path analysis function finds all possible attack paths AP from the source node s to the target node t;
Based on the space-time network model S, the path analysis function finds all possible attack paths AP from s to t. It may employ various path search algorithms, such as depth-first search (DFS) or breadth-first search (BFS) (see in particular embodiment seven), to enumerate all paths from the source node to the target node.
S5, tracing the attack source: after obtaining all possible attack paths AP, a tracing function determines the source of the attack. The function may adopt various tracing algorithms that determine the attack-source node from the information in the attack paths AP, for example a weighted-average method or a heuristic method.
In this embodiment, the logic of the above method is:
p1, data collection: network attack-related data sets, such as network traffic, IDS output, and log information, are collected.
P2, constructing a network topology model: a network topology model G is constructed based on the collected data.
P3, constructing a space-time network model: and constructing a space-time network model S based on the network topology model, and fusing the network structure and the time information.
P4, path analysis: using the space-time network model, all possible attack paths AP are found by the path analysis function.
P5, tracing attack sources: and determining an attack source node through a tracing function based on the attack path AP.
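A worked run of stages S1 to S5 (the (3.1) to (3.5) content above and the P1 to P5 logic of this embodiment) on a small constructed data set. This is an added example, not code from the patent or its embodiments: the hosts, flows, alerts and log line are invented, the rule used for the node weights w_i (one plus the number of IDS alerts originating at the node) and all function names are assumptions, and the depth-first search is restricted to hops in time order, which is the property of the space-time model that a plain topology search lacks.

```python
"""Spatio-temporal tracing for stages S1-S5. Added example, not the patent's
code: hosts, records, the node-weight rule and function names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:          # src -> dst observed at time t; kind is "flow", "ids" or "log"
    src: str
    dst: str
    t: int
    kind: str
    detail: str

# S1: constructed data set (not real captures); node names are host identifiers.
FLOWS = [  # (src, dst, proto, port, time)
    ("ops-jump", "app-1", "tcp", 22, 50),
    ("app-1", "db-1", "tcp", 3306, 10),     # routine job, before the intrusion
    ("ext-1", "dmz-web", "tcp", 80, 100),
    ("ext-2", "dmz-web", "tcp", 443, 150),  # ordinary visitor
    ("dmz-web", "app-1", "tcp", 22, 200),
    ("app-1", "db-1", "tcp", 3306, 300),
]
IDS_ALERTS = [  # (src, dst, intrusion_type, detection_time)
    ("ext-1", "dmz-web", "webshell_upload", 101),
    ("app-1", "db-1", "bulk_select", 301),
]
LOGS = [  # (host that wrote the log, remote peer, event_description, time)
    ("app-1", "dmz-web", "sshd: Accepted publickey for svc", 201),
]

def build_model(flows, alerts, logs):
    """S2 and S3: derive G=(V,E) from the records and return the five-tuple
    (V, E, node_attr, edge_attr, times). times maps each edge to the sorted
    event times seen on it, which is what makes the graph spatio-temporal."""
    events = [Event(s, d, t, "flow", f"{p}/{port}") for s, d, p, port, t in flows]
    events += [Event(s, d, t, "ids", kind) for s, d, kind, t in alerts]
    events += [Event(peer, host, t, "log", desc) for host, peer, desc, t in logs]
    V = {n for ev in events for n in (ev.src, ev.dst)}
    E = {(ev.src, ev.dst) for ev in events}
    # entry_point: never a destination, i.e. a way into the monitored network
    node_attr = {n: {"alerts_as_source": 0,
                     "entry_point": all(dst != n for _, dst in E)} for n in V}
    for ev in events:
        if ev.kind == "ids":
            node_attr[ev.src]["alerts_as_source"] += 1
    edge_attr = {e: sorted((ev for ev in events if (ev.src, ev.dst) == e),
                           key=lambda ev: ev.t) for e in E}
    times = {e: [ev.t for ev in evs] for e, evs in edge_attr.items()}
    return V, E, node_attr, edge_attr, times

def attack_paths(model, s, t):
    """S4: depth-first search for every simple path s -> t whose hops are in
    time order. Each edge is taken at its earliest event time that is not
    before the moment the current node was reached; an edge active only
    earlier is rejected. Returns paths as lists of (node, arrival_time)."""
    _, E, _, _, times = model
    out = defaultdict(list)
    for u, v in E:
        out[u].append(v)
    found = []

    def dfs(node, reached_at, path):
        if node == t:
            found.append(list(path))
            return
        for nxt in sorted(out[node]):
            if any(nxt == n for n, _ in path):
                continue                      # simple paths only
            usable = [et for et in times[(node, nxt)] if et >= reached_at]
            if not usable:
                continue                      # hop would precede the previous one
            path.append((nxt, min(usable)))
            dfs(nxt, min(usable), path)
            path.pop()

    dfs(s, float("-inf"), [(s, None)])
    return found

def node_weight(model, n):
    """Assumed rule for the page's w_i: one plus the number of IDS alerts that
    name the node as originator; any evidence-based per-node score would do."""
    return 1 + model[2][n]["alerts_as_source"]

def trace_attack_source(model, target):
    """S5: score each entry point by the best weighted average (sum of w_i over
    the n nodes of a path) across its time-consistent paths to the target."""
    V, _, node_attr, _, _ = model
    scores = {}
    for cand in sorted(n for n in V if node_attr[n]["entry_point"]):
        best = max((sum(node_weight(model, n) for n, _ in p) / len(p)
                    for p in attack_paths(model, cand, target)), default=0.0)
        if best > 0:
            scores[cand] = best
    return (max(scores, key=scores.get) if scores else None), scores

MODEL = build_model(FLOWS, IDS_ALERTS, LOGS)
print(trace_attack_source(MODEL, "db-1"))
```

With this data the ordinary visitor ext-2 and the jump host ops-jump both have a topologically valid path to db-1, and the routine app-1 to db-1 job at time 10 is excluded only because it precedes the hop that reached app-1; it is the time constraint together with the weights that singles out ext-1. That is why the node weights must come from evidence (alerts, authentication records) rather than from connectivity alone, and why all sources must share one clock before the model is built.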
Summarizing, the present embodiment addresses the technical defects of the conventional technology as follows:
(1) Overcoming the limitation to specific feature analysis: the space-time network model abstracts the network into a space-time graph and considers not only specific features but also the network topology and the time sequence of events. Analysis therefore need not rely on specific feature matching alone; it can integrate multidimensional features, including node attributes, network topology and event occurrence time.
(2) Reducing the false-alarm rate: the comprehensive analysis of the space-time network model reduces the false-alarm rate, because considering features from several dimensions distinguishes normal from abnormal behaviour more accurately.
(3) Modeling network topology and timing information: the space-time network model integrates network topology and time sequence information into one model, and solves the problem of insufficient modeling of the network topology and the time sequence in the traditional method. Thus, the occurrence of network events can be more fully understood.
(4) Reducing the dependence on the database established in advance: the space-time network model adopts a dynamic modeling mode, and a database is not required to be constructed in advance to store specific characteristic parameters. Therefore, the method does not depend on a database established in advance, and can also effectively trace the source of the attack.
(5) Processing complex attack chains: the space-time network model considers network topology and time sequence information, can better process complex attack chains, and can accurately identify attack paths, including complex multi-stage attacks.
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example two
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
In the network attack tracing rapid evidence obtaining method, stage S1 concerns the collection of the data set, comprising the information output by network traffic analysis, the information output by the IDS system and the output information of log analysis.
In this embodiment, the information output by network traffic analysis includes a series of network traffic records, formally represented as a set of records,
each including a source IP address, a destination IP address, a protocol and/or a port; n represents the total number of such records;
where each record is expressed in terms of these fields.
This information can be used to analyse the source, destination, protocol type and port of the network traffic, and provides basic information for the subsequent tracing of network attacks.
In this embodiment, the information output by the IDS system includes a series of intrusion detection records, each including an intrusion type and/or a detection time. Formally it is represented as a set of records,
each representing one intrusion detection record comprising an intrusion type and/or a detection time; m represents the total number of such records;
In this embodiment, the output information of log analysis includes a series of log records,
each representing one log record comprising an event description and/or a time of occurrence; p represents the total number of such records. This information can be used to learn which events occurred on the network and when, helping to establish the point in time of the attack and the sequence of events.
In this embodiment, information is collected from network traffic analysis, IDS system output and log analysis. Each type of information contains a number of records, and each record contains specific key fields such as source IP, destination IP, protocol, intrusion type, event description and time of occurrence.
Together these records form the data set used to construct the space-time network model and to carry out the subsequent attack tracing analysis. This collection method provides multidimensional information and a rich data basis for tracing and analysing network attacks.
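One way to implement the S1 collection step described in this embodiment, as an added example rather than the patent's own code: it parses three constructed inputs (a flow-export CSV, an IDS alert stream in JSON lines and a syslog line; the formats, field names, assumed year and time zone are all assumptions) into the three record sets with counts n, m and p. Two details the description leaves implicit are made explicit: every time is converted to UTC epoch seconds, because the time ordering that the space-time model relies on is meaningless if the sources keep different zones, and each normalised record keeps a SHA-256 of the raw line so it can be tied back to the original evidence.

```python
"""Stage S1 normalisation. Added example, not the patent's code: the three raw
formats below are constructed to resemble a flow-export CSV, an IDS JSON event
stream and syslog; field names and the assumed year/time zone are assumptions."""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

FLOW_CSV = """\
ts,src_ip,dst_ip,proto,dst_port
2024-03-01T09:00:00+08:00,203.0.113.7,10.0.1.10,tcp,80
2024-03-01T09:01:40+08:00,10.0.1.10,10.0.2.20,tcp,22
"""
IDS_JSONL = """\
{"timestamp":"2024-03-01T01:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.1.10","alert":{"signature":"Possible webshell upload"}}
{"timestamp":"2024-03-01T01:05:00.000000+0000","event_type":"flow","src_ip":"10.0.1.10","dest_ip":"10.0.2.20"}
"""
SYSLOG = """\
Mar  1 09:01:41 app-1 sshd[2211]: Accepted publickey for svc from 10.0.1.10 port 51022 ssh2
"""
# Classic syslog lines carry neither year nor zone; both must be supplied from outside (assumed here).
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=8))
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")


def fingerprint(raw_line):
    """SHA-256 of the raw line, so a normalised record can be tied back to the evidence."""
    return hashlib.sha256(raw_line.encode("utf-8")).hexdigest()


def parse_flows(text):
    """Network traffic records: source, destination, protocol, port and UTC epoch time."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for raw in lines[1:]:
        f = dict(zip(header, raw.split(",")))
        t = datetime.fromisoformat(f["ts"]).astimezone(timezone.utc)   # offset-aware input
        records.append({"t": int(t.timestamp()), "src": f["src_ip"], "dst": f["dst_ip"],
                        "proto": f["proto"], "port": int(f["dst_port"]), "sha256": fingerprint(raw)})
    return records


def parse_ids(text):
    """Intrusion detection records: alert events only, with intrusion type and detection time."""
    records = []
    for raw in text.strip().splitlines():
        ev = json.loads(raw)
        if ev.get("event_type") != "alert":
            continue
        t = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append({"t": int(t.timestamp()), "src": ev["src_ip"], "dst": ev["dest_ip"],
                        "type": ev["alert"]["signature"], "sha256": fingerprint(raw)})
    return records


def parse_logs(text, year=SYSLOG_YEAR, tz=SYSLOG_TZ):
    """Log records: host, event description, time of occurrence, plus the peer address if present."""
    records = []
    for raw in text.strip().splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        mon, day, clock, host, prog, msg = m.groups()
        t = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        peer = re.search(r"from (\d+\.\d+\.\d+\.\d+)", msg)
        records.append({"t": int(t.timestamp()), "host": host, "prog": prog, "event": msg,
                        "peer": peer.group(1) if peer else None, "sha256": fingerprint(raw)})
    return records


def collect_dataset(flow_text, ids_text, log_text):
    """S1 output: the three record sets with counts n, m, p and one merged timeline,
    which is only meaningful because every time is now UTC epoch seconds."""
    flows, ids, logs = parse_flows(flow_text), parse_ids(ids_text), parse_logs(log_text)
    timeline = sorted((r["t"], kind) for kind, rs in (("flow", flows), ("ids", ids), ("log", logs))
                      for r in rs)
    return {"n": len(flows), "m": len(ids), "p": len(logs),
            "flows": flows, "ids": ids, "logs": logs, "timeline": timeline}


print(collect_dataset(FLOW_CSV, IDS_JSONL, SYSLOG)["timeline"])
```

On the constructed input the flow at 09:00 local (+08:00) and the IDS alert at 01:00:01 UTC are one second apart; without the conversion the IDS alert would appear eight hours before the traffic that triggered it and any time-ordered path search would discard the link. The fingerprints are what an analyst later presents alongside the normalised records to show they were derived from the retained raw evidence.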
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example III
In order that the above-recited embodiments of the invention may be understood in detail, a more particular description of the invention, briefly summarized below, may be had by way of example. The present invention may be embodied in many other forms than described herein and similarly modified by those skilled in the art without departing from the spirit of the invention, so that the invention is not limited to the embodiments disclosed below.
According to the above specific implementation manner and embodiment, the present embodiment further provides the following technical solutions:
In the network attack tracing rapid evidence obtaining method, stage S2 concerns the construction of the network topology model and mainly comprises the definition of the node set V and the edge set E, which together constitute the network topology model G.
In S2, it includes:
1) Node set V: includes all nodes in the network, representing network devices, hosts or other network entities, each node being identified by a unique identifier;
n represents the total number of nodes; i represents the sequence number of a node.
The nodes may be any entities in the network, such as routers, switches, computers and servers. Each node has a specific unique identifier in the network, which facilitates its subsequent identification and processing.
2) Edge set E: contains all connection relations in the network; each edge connects two nodes, representing that those nodes are connected through that edge in the network:
the connection relationship in the network may be a physical connection, such as a network cable connection, a wireless connection, etc., or may be a logical connection, such as a network communication protocol, etc. These connections form the topology of the network and are the basis for analyzing network traffic and attack propagation paths.
The network topology model G reflects the connection relation among all entities in the network and provides key topology information for subsequent network attack tracing based on the space-time network model.
The above examples merely illustrate embodiments of the invention that are specific and detailed for relevant practical applications and are not to be construed as limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
Example four
in this embodiment, the space-time network model S is the core of the network attack tracing rapid evidence obtaining method, and is used for comprehensively representing the topology structure and time sequence information of the network. In stage S3, the present embodiment constructs a spatio-temporal network model S comprising five elements, each element representing different information.
In S3, the spatio-temporal network model S includes:
1) Five-tuple:
information output by network traffic analysis: including a source IP address, a destination IP address, a protocol, and/or a port, etc.
Information output by IDS system: information output by the IDS system, including intrusion type and/or detection time, etc.
Output information of log analysis: output information of the log analysis, including event descriptions and/or time of occurrence, etc.
V: a node set, representing all nodes in a network, represents a network device, host, or other network entity.
E: an edge set, comprising all connection relations in the network, each edge connecting two nodes and representing that the nodes are connected in the network via the edge.
2) Output information vector IV:
The output information vector IV is a representation of the spatiotemporal network model S used for summarizing the important information in the model. IV includes four sub-vectors representing the network topology, node attributes, edge attributes, and time information, respectively.
Representing network topology information, including a node set V and an edge set E;
representing node attribute information;
representing side attribute information;
time information is represented, including the time of occurrence of the network event.
In this embodiment, the output information vector IV abstracts the topology structure, node attribute, edge attribute and time information of the network in the form of vectors, so that subsequent analysis and processing are facilitated.
Specific:
(1) Summary information: IV abstracts the key information in the space-time network model S into vector form, so that the complex network structure and event information are simplified and further analysis is facilitated.
(2) Extracting the network topology structure: the topology sub-vector provides the topology information of the network, comprising the node set V and the edge set E, and abstracts the connection relations of the network.
(3) Extracting node and edge attribute information: the node attribute and edge attribute sub-vectors represent the attribute information of nodes and edges, respectively, which may include node types, edge weights, and the like.
(4) Extracting time information: the time sub-vector provides time information, including the time of occurrence of network events, to facilitate analysis of the temporal order of events and the intervals between them.
Further, the roles played by IV in tracing include:
(1) Application in path analysis: in the path analysis phase, the information vector IV may be used to identify and analyze potential attack paths. By analyzing its topology, node attribute and edge attribute sub-vectors, the nodes, node attributes and connection conditions on a path can be determined.
(2) Application in attack source tracing: in the tracing stage, the time information is critical. By analyzing the time information, the time period in which the attack occurred can be determined; combined with the network topology structure, the tracing range can be narrowed and the possible attack sources determined.
(3) The specific function of the information vector IV is to abstract and summarize network data and extract important information so as to better analyze network attack paths and trace attack sources.
Example five
in the network attack tracing rapid evidence obtaining method, an information vector IV is the abstraction and generalization of key information in a time-space network model. In the information vector IV, specifically, it includes:
1) Network topology information
Network topology information includes the node set V and the edge set E, and expresses the connection relations between nodes in the network in a concise manner.
V: a node set, representing all nodes in a network, represents a network device, host, or other network entity.
E: an edge set, comprising all connection relations in the network, each edge connecting two nodes and representing that the nodes are connected in the network via the edge.
2) Node attribute information
Node attribute information represents the various attributes of nodes in the network. Each node and its corresponding attributes are represented by a tuple.
In the formula, the corresponding term represents the attribute of the node; in this way, the present embodiment can record the attribute of each node in a clear manner in the information vector.
3) Side attribute information
Edge attribute information represents the attributes of edges in the network; by way of example, information such as edge weights and communication protocols can further be introduced.
4) Event attribute information: unlike in the fourth embodiment, the information vector IV here may also contain the various events triggered in the network, where each element represents the i-th network event.
These events may include attack events, exception events, normal events, etc., for subsequent attack tracing and analysis.
In this embodiment, an information vector IV is constructed, and the topology, node attributes, edge attributes, and event information of the network are abstracted and summarized for subsequent analysis, processing, and tracing. The construction of the information vector IV enables the network structure and event information to be represented in a clear mode, and provides a rich data basis for network attack tracing.
Example six
In the S4 stage of the network attack tracing rapid evidence obtaining method, a path analysis function is used to find all possible attack paths from the source node s to the target node t; a depth-first search (DFS) algorithm is employed. The logic and principles of the DFS algorithm are described in detail below.
In this embodiment, the Depth First Search (DFS) is a graph traversal algorithm that explores all nodes in the graph and finds paths from the starting node to the target node. In network attack tracing, DFS is used to find potential attack paths.
In S4, the path analysis function performs a depth-first search (DFS):
the function represents the set of all possible attack paths from the source node s to the target node t, found using the DFS algorithm.
The DFS algorithm is characterized by the following steps:
P1, initializing: starting from the source node s, s is marked as a visited node. At the same time, a path list is initialized, which is empty at the beginning.
P2, exploring adjacent nodes: for each neighbor node v of s, if v has not been accessed, v is marked as accessed and then the current path is extended to include v, i.e., v is added to the path list.
P3, recursive search: for each adjacent node w of v, step P2 is repeated and exploration continues. This is a recursive process that continues until the target node t is found or there are no unvisited nodes.
P4, backtracking: if the current path cannot continue to expand, i.e. no neighbor node is not accessed, backtracking to the last node and continuing to explore other branches.
P5, path record: every time a path from s to t is found, it is recorded and the search for other possible paths is continued.
P6, termination condition: the algorithm terminates when all possible paths are explored or the target node t is found.
Specifically, the DFS algorithm starts from the source node s and, following the principle of depth-first search, keeps exploring deeper nodes until the target node t is found or all branches have been searched. Depth-first search is implemented recursively or with an explicit stack to ensure that each node is visited. Each time a neighboring node is explored it is added to the current path, so that the path from s to the current node is recorded. When the target node t is found or the path cannot be extended further, the algorithm backtracks and tries other branches. By recording the paths, all possible paths from s to t can be found. The DFS algorithm assists this embodiment in searching for attack paths in network attack tracing, helps determine the attack propagation mode, and provides important clues for subsequent tracing analysis.
Example seven
in the network attack tracing rapid evidence collection method, a depth-first search (DFS) algorithm is adopted for searching all possible attack paths from a source node s to a target node t. The DFS algorithm is implemented in a recursive manner while utilizing some auxiliary data structures to record the nodes that have been accessed, the current path, and all possible attack paths. The logic and principles of the DFS algorithm will be described in detail in this embodiment below:
visited is a set of the nodes that have been visited;
path is a list used for recording the currently explored path;
allPaths is a set that stores all possible attack paths.
The DFS flow includes:
P1, initializing: an empty set visited is initialized for recording the visited nodes, an empty list path for recording the currently explored path, and an empty set allPaths for storing all possible attack paths.
P2, DFS recursive search: the recursive function is invoked to start the DFS recursive search.
P3, DFS recursive function: its inputs are the graph G, the current node s, the target node t, the visited node set visited, the current path list path, and the set of all possible attack paths allPaths. Depth-first search is performed inside the recursive function:
P3.1, adding the current node s to the current path.
P3.2, marking the current node s as visited by adding it to the visited set.
P3.3, if s equals the target node t, a path from the source node s to the target node t has been found, and the current path is added to the set of all possible attack paths allPaths.
P3.4, otherwise, for each adjacent node v of s, if v has not been visited, the recursive function is called on v and exploration continues.
P3.5, backtracking: s is removed from the current path and from the visited set.
P3.6, returning the result: the set of all possible attack paths allPaths is returned.
It will be appreciated that in this embodiment the DFS algorithm searches as deeply as possible: it first visits an unvisited neighbor of the current node and proceeds recursively until the target node is reached or the search cannot continue. The current node is added to the path on entry and removed on backtracking, ensuring that the path is recorded correctly. When the search cannot continue, the algorithm returns to the node one level up and explores other branches until all branches have been explored. The DFS algorithm can find all possible paths from the source node to the target node, providing key information for the subsequent attack tracing.
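The S2 topology construction and the S4/P3.1-P3.6 path enumeration above, written out as an added Python example; it is not the patent's C++ control program. The six-node topology, its node identifiers and the max_depth bound are constructed assumptions.

```python
def build_topology(nodes, edges):
    """Stage S2: topology model G = (V, E) as an adjacency map.
    Connections are treated as undirected (a cable or link joins both
    ends); adjacency lists are sorted so the DFS output is deterministic."""
    adjacency = {node: set() for node in nodes}
    for u, v in edges:
        if u not in adjacency or v not in adjacency:
            raise ValueError(f"edge ({u}, {v}) references a node outside V")
        adjacency[u].add(v)
        adjacency[v].add(u)
    return {node: sorted(neigh) for node, neigh in adjacency.items()}


def find_attack_paths(graph, s, t, max_depth=None):
    """Stage S4: enumerate every simple path from s to t by depth-first
    search following P3.1-P3.6 (visited set, current path list, allPaths,
    backtracking). max_depth is an added bound, not part of the patent:
    the number of simple paths grows exponentially with topology size, so a
    defender normally caps the path length (in nodes) being enumerated."""
    if s not in graph or t not in graph:
        raise ValueError("source or target is not in the node set V")
    visited = set()
    path = []
    all_paths = []

    def dfs(current):
        path.append(current)                  # P3.1 extend current path
        visited.add(current)                  # P3.2 mark as visited
        if current == t:                      # P3.3 record a found path
            all_paths.append(list(path))
        elif max_depth is None or len(path) < max_depth:
            for neighbour in graph[current]:  # P3.4 recurse on unvisited
                if neighbour not in visited:
                    dfs(neighbour)
        path.pop()                            # P3.5 backtrack
        visited.discard(current)

    dfs(s)
    return all_paths                          # P3.6 return allPaths


# Constructed sample topology (not from the patent): six network entities
# such as a workstation, switches and servers, joined by seven links.
NODES = ["v1", "v2", "v3", "v4", "v5", "v6"]
EDGES = [("v1", "v2"), ("v2", "v3"), ("v2", "v4"), ("v3", "v5"),
         ("v4", "v5"), ("v5", "v6"), ("v1", "v4")]

if __name__ == "__main__":
    graph = build_topology(NODES, EDGES)
    for attack_path in find_attack_paths(graph, "v1", "v6"):
        print(" -> ".join(attack_path))
```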
Example eight
In this embodiment, in the S5 stage of the network attack tracing rapid evidence obtaining method, a tracing function is adopted to determine the source of the attack. The function uses the weight wi of each node and the number n of nodes on the attack path to evaluate the probability that a node is the attack source.
In S5, the tracing function is:
wi is the weight of the node, representing the likelihood that the node is the source of the attack;
n is the number of nodes on the attack path.
The tracing steps comprise:
P1, inputting parameters: an attack path AP, which is an attack path from a source node to a target node.
P2, tracing:
P2.1, calculating the number n of nodes on the attack path.
P2.2, for each node on the path, calculating the weight wi of the node, which indicates the likelihood that the node is the source of the attack.
P2.3, calculating a weighted average value for the node from the node weight wi and the node number n, and taking this weighted average as the node's weight as an attack source.
P3, determining an attack source: and selecting the node with the highest weight as the most probable attack source according to the calculated node weight.
Further, the tracing function evaluates the possibility of a node being the attack source by analyzing the nodes on the attack path, using the node weight wi and the node number n. The main principle is as follows: the node weight wi represents the likelihood of a node being the attack source. Typically it is evaluated from the node's attributes, historical behavior, anomalies, etc., with a higher weight indicating that the node is more likely to be the attack source. The node number n is the number of nodes on the attack path, i.e. the length of the attack path; the longer the attack path, the lower the likelihood. From the node weight wi and the node number n, a weighted average value can be calculated for each node, reflecting its overall likelihood of being the attack source on the attack path. The node with the highest weighted average is selected as the most likely attack source. In this way the attack source can be determined as accurately as possible, facilitating further attack tracing and evidence collection.
Summarizing, the objective of the traceability function is to determine the attack source as accurately as possible for subsequent evidence collection and further security analysis. By considering the weight of the node and the length of the attack path, the accuracy and the reliability of tracing can be improved.
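The S5 tracing step above as an added Python example, not the patent's own code; it also shows how S1 evidence (IDS records, log records) can feed the node weights wi. The records, the attack paths and the wi/n scoring are constructed assumptions, since the page does not reproduce the tracing formula itself.

```python
from collections import defaultdict

# Constructed sample evidence (not from the patent), shaped like the S1
# five-tuple elements: IDS records (intrusion type, detection time) and log
# records (event description, occurrence time), each attributed to a node.
IDS_RECORDS = [
    {"node": "v1", "intrusion_type": "port_scan", "time": "2023-10-09T08:01:00"},
    {"node": "v1", "intrusion_type": "brute_force", "time": "2023-10-09T08:04:30"},
    {"node": "v4", "intrusion_type": "lateral_movement", "time": "2023-10-09T08:10:12"},
]
LOG_RECORDS = [
    {"node": "v4", "event": "new local admin account created", "time": "2023-10-09T08:11:00"},
    {"node": "v6", "event": "unexpected outbound transfer", "time": "2023-10-09T08:20:45"},
]
# Attack paths AP as produced by the S4 path analysis for source v1 and
# target v6 (constructed; each path is a list of node identifiers).
ATTACK_PATHS = [
    ["v1", "v2", "v3", "v5", "v6"],
    ["v1", "v2", "v4", "v5", "v6"],
    ["v1", "v4", "v2", "v3", "v5", "v6"],
    ["v1", "v4", "v5", "v6"],
]


def node_weights(ids_records, log_records, ids_weight=1.0, log_weight=0.5):
    """Assumed scoring for wi: a weighted count of IDS alerts and anomalous
    log events attributed to each node, normalised so the busiest node
    scores 1.0. The patent only states that wi is derived from the node's
    attributes, historical behaviour and anomalies."""
    raw = defaultdict(float)
    for record in ids_records:
        raw[record["node"]] += ids_weight
    for record in log_records:
        raw[record["node"]] += log_weight
    top = max(raw.values(), default=1.0)
    return {node: value / top for node, value in raw.items()}


def trace_attack_source(attack_paths, weights):
    """Stage S5 with an assumed form of the weighted average (the page does
    not reproduce the formula): on a path with n nodes each node scores
    wi / n, so a longer path lowers every node's likelihood; a node's final
    weight is the mean of its scores over the paths it appears on. Returns
    the most likely attack source and the per-node weights, so an analyst
    can inspect the runner-up candidates rather than trust a single answer."""
    if not attack_paths:
        raise ValueError("no attack path to trace")
    per_node_scores = defaultdict(list)
    for path in attack_paths:
        n = len(path)
        for node in path:
            per_node_scores[node].append(weights.get(node, 0.0) / n)
    final = {node: sum(scores) / len(scores)
             for node, scores in per_node_scores.items()}
    # Deterministic tie-break on the node identifier.
    best = max(sorted(final), key=lambda node: final[node])
    return best, final


if __name__ == "__main__":
    source, ranking = trace_attack_source(ATTACK_PATHS,
                                          node_weights(IDS_RECORDS, LOG_RECORDS))
    print("most likely attack source:", source)
    for node, score in sorted(ranking.items(), key=lambda kv: -kv[1]):
        print(f"  {node}: {score:.4f}")
```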
Example nine
The embodiment provides a network attack tracing rapid evidence obtaining system, which comprises a processor and a memory coupled with the processor, wherein program instructions are stored in the memory, and when the program instructions are executed by the processor, the processor is enabled to execute the tracing rapid evidence obtaining method.
The network attack tracing rapid evidence obtaining system is used for rapidly and accurately locating an attack source in the field of network security. The system includes a processor and a memory coupled to the processor, the memory storing program instructions. It comprises the following components:
(1) A processor: the core component of the system is responsible for executing program instructions, coordinating the operation of the system, processing network attack data, and calling corresponding algorithms and functions to realize a tracing quick evidence obtaining method.
(2) A memory: the memory is used for storing program instructions, and the instructions are key to realizing the traceability rapid evidence collection method. The program instructions are executed by the processor one by one, triggering the corresponding operations.
The working principle is as follows:
(1) Program instructions execute: the processor executes program instructions stored in the memory, step by step in the order of the instructions.
(2) The tracing rapid evidence collection method is called: when executing the program instruction, the tracing quick evidence obtaining method is called. The method is based on the network attack tracing rapid evidence obtaining method introduced above, and achieves rapid tracing and positioning of the network attack source.
(3) Data processing and analysis: the system processes and analyzes the collected network attack data through the processor, builds a network topology model and generates a space-time network model.
(4) Path analysis and attack source tracing: and calling a path analysis function to perform path analysis by using the generated space-time network model, and finding out a possible attack path from the source node to the target node. Then, a specific attack source is determined by using the traceability function.
Further, referring to fig. 2 to 3, which show the control program stored in the memory, the present embodiment gives only its operating logic in the form of C++ pseudo code; the principle includes:
S1, collecting a network attack data set: the collection process of the data set is simulated by calling a CollectAttackData() function.
S2, constructing a network topology model: the network topology model is built with a buildNetworkTopology() function; the model consists of a node set and an edge set.
S3, creating a space-time network model with a createSpatiotemporalNetworkModel() function; the model comprises the topological structure of the network and the corresponding attribute information.
S4, path analysis: path analysis is carried out with a PathAnalysisDFS() function, which uses a depth-first search (DFS) algorithm to find all possible attack paths from the source node to the target node.
S5, tracing the attack source: tracing is done with a traceAttackSource() function, which determines the most probable attack source node from the attack path and the node weights.
Further, the functions in the program include:
(1) CollectAttackData(): this function controls the process of collecting network attack data.
(2) buildNetworkTopology(): this function builds the network topology model and returns a data structure containing a set of nodes and a set of edges.
(3) createSpatiotemporalNetworkModel(): this function creates the spatiotemporal network model, building a complete spatiotemporal network model from the network topology and the attribute information.
(4) PathAnalysisDFS(): this function implements the depth-first search (DFS) algorithm for path analysis, which looks up all possible attack paths from the source node to the target node.
(5) traceAttackSource(): this function traces the source of the attack, calculating the most probable attack source node from the attack path and the node weights.

Claims (4)

1. A network attack tracing quick evidence obtaining method is characterized by comprising the following steps:
S1, collecting a data set of network attack;
the dataset comprises: information output by network traffic analysis, information output by the IDS system, and output information of log analysis;
1) The information output by the network flow analysis
Including a source IP address, a destination IP address, a protocol, and/or a port; n represents the total number thereof;
2) Information output by the IDS system
Each of which isRepresenting an intrusion detection record, said intrusion detection record comprising an intrusion type and/or a detection time; m represents the total number thereof;
3) Output information of the log analysis
Each of which isRepresenting a log record, said log record comprising an event description and/or time of occurrence; p represents the total number thereof;
S2, constructing a network topology model G:
v represents a node set, E represents an edge set;
S3, a space-time network model S: outputting an information vector IV based on the space-time network model S;
the spatiotemporal network model S comprises:
1) Five-tuple:
2) Outputting the information vector IV:
representing network topology information including the set of nodes V and the set of edges E;
representing node attribute information;
Representing side attribute information;
representing time information including a time of occurrence of a network event;
the information vector IV includes:
1) The network topology information
2) The node attribute information
in the formula, the corresponding term represents the attribute of the node;
3) The side attribute information
4) The event attribute information
Representing an ith network event;
S4, path analysis: based on the input of the information vector IV, a path analysis function is used to find all possible attack paths AP from the source node s to the target node t;
the path analysis function comprises the following steps: depth-first search:
representing a set of all possible attack paths from the source node s to the target node t, and searching the set by using a DFS algorithm;
S5, tracing the attack source: based on the input of the information vector IV and the attack path AP, a tracing function is used to determine the source of the attack;
the tracing function is:
wi is the weight of the node, representing the likelihood that the node is the source of the attack;
n is the number of nodes on the attack path.
2. The network attack traceability rapid evidence collection method according to claim 1, wherein the method comprises the following steps: in S2, it includes:
1) The node set V: including all nodes in the network, representing network devices, hosts, or other network entities, each node being identified by a unique identifier, represented as:
n represents the total number of nodes;
2) The edge set E: containing all connection relations in the network, each edge connecting two nodes and representing that the nodes are connected in the network via the edge:
3. The network attack traceability rapid evidence collection method according to claim 1, wherein the method comprises the following steps: the DFS algorithm is as follows:
visited is a set of the visited nodes;
path is a list used for recording the currently explored path;
allPaths is a set that stores all possible attack paths.
4. A network attack traceability rapid evidence collection system is characterized in that: the system comprises a processor and a memory coupled to the processor, wherein the memory stores program instructions that, when executed by the processor, cause the processor to perform the network attack traceability rapid evidence collection method according to any one of claims 1-3.
CN202311293492.3A 2023-10-09 2023-10-09 Rapid evidence obtaining method and system for tracing network attack Active CN117040932B (en)

Publications (2)

Publication Number Publication Date
CN117040932A CN117040932A (en) 2023-11-10
CN117040932B true CN117040932B (en) 2024-04-02


Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106470213A (en) * 2016-10-17 2017-03-01 杭州迪普科技股份有限公司 A kind of source tracing method of attack message and device
CN108696473A (en) * 2017-04-05 2018-10-23 中国移动通信集团广东有限公司 Attack path restoring method and device
CN112104639A (en) * 2020-09-11 2020-12-18 湖南大学 Attack path parallel prediction method for power system network
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN112822213A (en) * 2021-02-07 2021-05-18 国网福建省电力有限公司电力科学研究院 Attack evidence obtaining and tracing method for power monitoring system
CN114584401A (en) * 2022-05-06 2022-06-03 国家计算机网络与信息安全管理中心江苏分中心 Tracing system and method for large-scale network attack
CN114615063A (en) * 2022-03-14 2022-06-10 清华大学 Attack tracing method and device based on log correlation analysis
CN115134250A (en) * 2022-06-29 2022-09-30 北京计算机技术及应用研究所 Network attack source tracing evidence obtaining method
CN115567306A (en) * 2022-09-29 2023-01-03 中国人民解放军国防科技大学 APT attack tracing analysis method based on bidirectional long-time and short-time memory network
CN115664703A (en) * 2022-09-13 2023-01-31 国网安徽省电力有限公司信息通信分公司 Attack tracing method based on multi-dimensional information

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106470213A (en) * 2016-10-17 2017-03-01 Hangzhou DPTech Technologies Co., Ltd. A source tracing method and device for attack messages
CN108696473A (en) * 2017-04-05 2018-10-23 China Mobile Group Guangdong Co., Ltd. Attack path restoring method and device
CN112104639A (en) * 2020-09-11 2020-12-18 Hunan University Attack path parallel prediction method for power system network
CN112738126A (en) * 2021-01-07 2021-04-30 The 15th Research Institute of China Electronics Technology Group Corporation Attack tracing method based on threat intelligence and ATT&CK
CN112822213A (en) * 2021-02-07 2021-05-18 Electric Power Research Institute of State Grid Fujian Electric Power Co., Ltd. Attack evidence obtaining and tracing method for power monitoring system
CN114615063A (en) * 2022-03-14 2022-06-10 Tsinghua University Attack tracing method and device based on log correlation analysis
CN114584401A (en) * 2022-05-06 2022-06-03 Jiangsu Branch of the National Computer Network and Information Security Management Center Tracing system and method for large-scale network attack
CN115134250A (en) * 2022-06-29 2022-09-30 Beijing Institute of Computer Technology and Application Network attack source tracing evidence obtaining method
CN115664703A (en) * 2022-09-13 2023-01-31 Information and Communication Branch of State Grid Anhui Electric Power Co., Ltd. Attack tracing method based on multi-dimensional information
CN115567306A (en) * 2022-09-29 2023-01-03 National University of Defense Technology (PLA) APT attack tracing analysis method based on bidirectional long short-term memory network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A survey of network attack tracing technology; 魏姗姗 (Wei Shanshan); Secrecy Science and Technology (Issue 01); full text *

Also Published As

Publication number Publication date
CN117040932A (en) 2023-11-10

Similar Documents

Publication Publication Date Title
CN111431939B (en) CTI-based SDN malicious flow defense method
Khan et al. Feature selection of denial-of-service attacks using entropy and granular computing
Zhu et al. Alert correlation for extracting attack strategies
Alserhani et al. MARS: multi-stage attack recognition system
CN114679338A (en) Network risk assessment method based on network security situation awareness
Fredj A realistic graph-based alert correlation system
CN102075516A (en) Method for identifying and predicting network multi-step attacks
Khosravi et al. Alerts correlation and causal analysis for APT based cyber attack detection
Al-Utaibi et al. Intrusion detection taxonomy and data preprocessing mechanisms
Kosamkar et al. Improved intrusion detection system using C4.5 decision tree and support vector machine
CN113965469B (en) Construction method of network data analysis model
Das et al. An efficient feature selection approach for intrusion detection system using decision tree
Fayyad et al. Attack scenario prediction methodology
CN117240632B (en) Attack detection method and system based on knowledge graph
Ianni et al. Scout: Security by computing outliers on activity logs
CN117040932B (en) Rapid evidence obtaining method and system for tracing network attack
Hu et al. Abnormal Event Correlation and Detection Based on Network Big Data Analysis.
CN115567325B (en) Threat hunting method based on graph matching
Xuan et al. New approach for APT malware detection on the workstation based on process profile
Khaoula et al. Improving Intrusion Detection Using PCA And K-Means Clustering Algorithm
Changguo et al. The research on the application of association rules mining algorithm in network intrusion detection
Li et al. Assessing attack threat by the probability of following attacks
CN117220961B (en) Intrusion detection method, device and storage medium based on association rule patterns
Altinisik et al. ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search
Hussain et al. An NIDS for Known and Zero-Day Anomalies

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant