CN117938431B - Complex attack detection method for industrial control system based on association rule - Google Patents

Info

Publication number: CN117938431B
Application number: CN202311697164.XA
Authority: CN (China)
Prior art keywords: rule, attack, association, event, complex
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN117938431A (en)
Inventors: 王亚鑫, 罗蕾, 黄岳钧
Current assignee: Guangzhou Anxing Information Security Technology Co ltd
Original assignee: Guangzhou Anxing Information Security Technology Co ltd
Priority date: 2023-12-11
Filing date: 2023-12-11
Publication date: 2024-04-26 (CN117938431A), 2024-06-21 (CN117938431B)

Classifications

    • Y General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02 Technologies or applications for mitigation or adaptation against climate change
    • Y02P Climate change mitigation technologies in the production or processing of goods
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention relates to the technical field of intelligent terminal security and provides a complex attack detection method for industrial control systems based on association rules, comprising the following steps: S1: enabling association rules in the database; S2: configuring the granularity of the association rules; S3: configuring the association-rule parameters; S4: converting the logical rules into XML; S5: converting the XML rules into rule trees; S6: inserting the real-time event stream into the queue to be matched; S7: matching, in the complex attack detection algorithm, against the intermediate results (backlogs); S8: matching, in the complex attack detection algorithm, against the rule trees (directives); S9: on a successful match, calculating the event risk value; S10: generating an attack tree and issuing an early warning to the back end; S11: storing the alarm in the attack database. The method enhances the cloud's ability to identify and detect complex attacks.

Description

Complex attack detection method for industrial control system based on association rule
Technical Field
The invention relates to the technical field of intelligent terminal security, in particular to a complex attack detection method for industrial control systems based on association rules.
Background
With the development of intelligent industry, industrial control systems are ever more tightly connected to the Internet, and the security problems that follow cannot be ignored. At present, abnormal system behaviour is monitored mainly by deploying IDS security components on each device of the industrial control system, but an IDS can only detect end-to-end single-step attacks. With the rapid development of electronic and information technology, however, attacks have evolved from single attacks into complex APT (advanced persistent threat) campaigns, which are typically long-lasting, highly targeted, multi-stage and covert. Complex attack events such as APTs in industrial networks are difficult to identify with IDS components alone. A new generation of situation-awareness systems for intelligent industrial systems has therefore appeared, combining a terminal IDS with a cloud SOC (Security Operations Center): the IDS is deployed on each device of the industrial control system, generates security-event alarms by rule matching and uploads the alarm data to the cloud in real time, and the computing power and resources of the cloud are used to identify complex attacks. Most researchers define complex attacks as multi-step attacks, meaning that a complete attack scenario is built from the security-event alarms generated by an attack made up of multiple steps; herein these are defined as complex attack patterns in the security events generated by industrial control systems.
Usually, association analysis is performed on the historical security-event library of an industrial control system to obtain association rules and thus build a knowledge base of complex attack scenarios, but there is little research on how to recognise complex attacks in real-time data streams by means of those association rules, and no complete solution for recognising complex attacks exists in the field of industrial control system security.
Disclosure of Invention
The invention provides a complex attack detection method for industrial control systems based on association rules, which detects complex attacks matching the association rules in a real-time event stream and enhances the cloud's ability to identify and detect complex attacks.
The complex attack detection method of the invention comprises the following steps:
S1: enabling association rules in the database;
S2: configuring the granularity of the association rules;
S3: configuring the association-rule parameters;
S4: converting the logical rules into XML;
S5: converting the XML rules into rule trees;
S6: inserting the real-time event stream into the queue to be matched;
S7: matching, in the complex attack detection algorithm, against the intermediate results (backlogs);
S8: matching, in the complex attack detection algorithm, against the rule trees (directives);
S9: on a successful match, calculating the event risk value;
S10: generating an attack tree and issuing an early warning to the back end;
S11: storing the alarm in the attack database.
In S1, the association rules come mainly from two sources: first, expert experience; second, effective complex attack patterns mined by association analysis over a massive historical security-event library, from which association rules are then generated;
the association rules obtained in both ways can be reduced to a unified form; on that basis, to manage the rules, a flag bit representing the enabled state of each rule is added to the rule base, so that the rules are managed effectively, and the storage format of the association rules in the database is obtained.
Preferably, in S3, to quantify the risk value of each single step of a complex attack during rule matching, the administrator configures two parameters for each association rule according to its hit rate and experience: the priority of the whole association rule and the reliability of each single-step rule. In addition, an importance value is assigned to each device according to its importance.
Preferably, in S4, the association rules in the database are expressed in XML, which structures the attack scenario for subsequent complex attack detection; the multiple attack steps of a complex attack, that is, the 1:n relationship between a complex attack and its single-step attacks, are expressed by a nested tree structure.
Preferably, in S5, each enabled association rule is traversed: the directives tag becomes the parent node of an N-ary tree, each rule tag and the attributes it contains are organised as an object and become a child node, and the complete N-ary tree is then built according to the nesting hierarchy between the rule tags.
Preferably, in S6, each event in the real-time event stream is converted into an object the algorithm can process, with the event's attributes as members of the object. The object's attributes fall into three groups: event-related attributes, matching-algorithm-related attributes and risk-quantification-related attributes. Finally, an event queue is established, the security events are inserted into it in order of occurrence time, and the queue of events awaiting rule matching is obtained.
Preferably, in S7, the security event at the head of the event queue is taken out and first matched against all root nodes of the intermediate-state trees in backlogs; if a root node matches, it is determined whether that node is a leaf node;
if it is a leaf node, the rule has matched completely, the rule number is reported, and the leaf node is deleted from backlogs;
if it is an intermediate node, all subtrees of that node are placed in backlogs and the original tree is deleted from backlogs.
Preferably, in S8, the security event at the head of the event queue is matched in turn against all root nodes of the rule trees (directives); if none matches, the rule-matching process for this security event ends;
if a node in some rule tree matches, it is determined whether that node is a leaf node;
if it is, the rule has matched and the rule number is reported;
if not, all subtrees of the node are placed in backlogs, and the subtrees must record the original rule number.
Preferably, in S9, if the security event matches either an intermediate result in backlogs or a rule directive, the ruleMatched flag is set; after the successful match a new backlogs node is created, the matched rule and the relevant attributes of the event are copied into it, the risk value of the matched event is calculated, and the value is recorded in the event's risk attribute.
Preferably, in S10, when a complex attack is detected, an attack tree representing the complex attack is obtained at the same time and put into the alarm set; the attack tree serves as the alarm of the complex attack, and an early-warning response is given to the back-end administrator.
The complex attack detection method of the invention represents the association rules logically, configures them in XML and further converts them into N-ary rule trees, so that association rules are configured automatically; it designs a complex attack recognition algorithm that accurately identifies complex attacks in the real-time security-event stream of industrial control terminal devices and reports the complex attack path to the cloud management centre, supporting subsequent risk early warning and response.
The invention has the following beneficial effects:
1) The cloud's rule base of complex attacks is fully used: association rules are converted into N-ary trees with XML as an intermediate representation and configured into the system, so that association rules are configured automatically and the manual configuration workload is reduced.
2) Combining the characteristics of industrial control system security events and the rule base, a complex attack recognition algorithm is designed which, by means of N-ary rule trees, finds complex attack sequences matching the association rules in the real-time security-event queue, realising complex attack detection in the real-time event stream of an industrial control system.
3) While the attack N-ary tree is being built, the risk value of each single step of the complex attack is calculated during event matching from the parameters added to the association rule, providing a risk quantification method.
Drawings
FIG. 1 is a flowchart of the complex attack detection method for an industrial control system based on association rules in the embodiment;
FIG. 2 is the storage format of an association rule in the database in the embodiment;
FIG. 3 is a simplified schematic diagram of the N-ary tree data structure built from an association rule in the embodiment;
FIG. 4 is a flowchart of the complex attack recognition algorithm in the embodiment;
FIG. 5 is the storage format of a complex attack in the database in the embodiment.
Detailed Description
For a further understanding of the invention, it is described in detail below with reference to the drawings and an example. The example illustrates the invention and is not intended to limit it.
Examples
As shown in FIG. 1, this embodiment provides a complex attack detection method for an industrial control system based on association rules, comprising the following steps:
S1: enabling association rules in the database.
The association rules come mainly from two sources: expert experience, and effective complex attack patterns mined by association analysis over a massive historical security-event library and then turned into association rules; the common mining methods are data mining based on frequent item sets and on sequences. The association rules from both sources should have a uniform format: although the alert formats of different IDS products differ, they basically all contain the four basic attributes (source and destination IP, device information and event type), so a uniform form of association rule can be generalised.
The association rules are stored in the rule base, each with a unique id; the ids of the rules to enable can be selected according to the actual situation. Enabling a rule means that the event stream will be matched against that association rule, so as to judge whether a given event belongs to part of a complex attack. To manage the association rules effectively, a flag bit status is added to the rule base to represent the enabled state of each rule; the resulting storage format of the association rules in the database is shown in FIG. 2.
S2: configuring the granularity of the association rules.
Association rules are usually stored in a database as a rule base. For flexible matching, so that the association system can match attack paths accurately while the rules remain general, the back-end administrator can decide the configuration granularity of a given rule. For example, a fine-grained rule includes the source and destination IP so that a targeted attack can be identified precisely, whereas a coarse-grained rule sets the source and destination IP to ANY, meaning that any IP matches that field of the attack step, and a successful match then hinges on fields such as attack type and device. In the XML rule representation of the embodiment, NIDS rules are matched at fine granularity, including IP, and HIDS rules at coarse granularity.
In the configuration interface of the association rules, for rules that are not yet activated, the attributes that are mandatory for rule matching can be configured under the details entry of the operation column, and the remaining attributes are matched fuzzily. For an enabled association rule, the corresponding state is written to the status field in the database.
S3: configuring the association-rule parameters.
To quantify the risk value of each single step of a complex attack during rule matching, the administrator configures two parameters for each association rule: the priority of the whole association rule and the reliability of each single-step rule. The priority can be estimated from the impact a successful attack would have on the system: the greater the threat, the higher the value. The reliability can be set from the attack type and the stage of the step in the overall attack. For example, an attack event of type "Trojan implantation" is the last step of the attack chain, poses a large threat and directly decides whether the complex attack succeeds, so it is given a high reliability; the risk value computed for it is then correspondingly larger, and the threat predicted for the event is greater.
In addition, an importance value (asset) is assigned to each device according to its importance; for example, since a compromised PLC has a greater impact than a compromised FCS, asset(PLC) = 4 and asset(FCS) = 2 may be used. An example of the parameters set for an association rule is given in FIG. 5.
S4: converting the logical rules into XML.
The association rules in the database are expressed in XML, which structures the attack scenario for subsequent complex attack detection, and the multiple attack steps of a complex attack, that is, the 1:n relationship between the complex attack and its single-step attacks, are expressed by a nested tree structure. A complex attack is represented by a directives tag containing several rule tags, each of which represents one single-step attack in the attack chain. The nesting level and relationships of the rule tags express the logical relationship between the attack steps: rule tags at the same level are alternatives, so the rule is hit if any one of them occurs; rule tags in a parent-child relationship express a sequence, so the parent node is matched first and the child node afterwards, and both steps count towards the match. Each rule tag carries the details of the single-step rule, such as IP, event type and device name; type denotes the type of device that detects the rule, source IP, destination IP and port uniquely identify an attack event, and the reliability mentioned in S3 is included as well. The XML representation of the rule is as follows:
S5: converting the XML rules into rule trees.
For each enabled association rule, the directives tag is taken as the parent node of an N-ary tree, each rule tag and the attributes it contains are organised as an object and taken as a child node, and the complete N-ary tree is then built according to the nesting hierarchy between the rule tags, as shown in FIG. 3. Each rule node is converted into an object whose member variables are the node's attributes, so that every node of the N-ary tree is represented as an object; one XML file is built per association rule, and for several association rules the set of XML files is the intermediate result of the rule conversion.
S6: inserting the real-time event stream into the queue to be matched.
Each event in the real-time event stream is converted into an object the algorithm can process, with the event's attributes as members of the object. The object's attributes fall into three groups: event-related attributes such as IP, device name, event type and occurrence time; matching-algorithm-related attributes such as the rule-matched flag and the alarm; and risk-quantification attributes such as reliability, priority and risk value. Finally, an event queue is established, the security events are inserted into it in order of occurrence time, and the queue of events awaiting rule matching is obtained.
S7: matching, in the complex attack detection algorithm, against the intermediate results (backlogs).
The security event at the head of the event queue is taken out and first matched against all root nodes of the intermediate-state trees in backlogs. If a root node matches, it is determined whether that node is a leaf node. If it is a leaf node, the rule has matched completely, the rule number is reported, and the leaf node is deleted from backlogs; if it is an intermediate node, all subtrees of that node are placed in backlogs (the subtrees inherit the rule number of the original tree) and the original tree is deleted from backlogs.
S8: matching, in the complex attack detection algorithm, against the rule trees (directives).
After the match against the intermediate results, the security event at the head of the event queue is matched in turn against all root nodes of the rule trees (directives); if none matches, the rule-matching process for this event ends. If a node in some rule tree matches, it is determined whether that node is a leaf node: if it is, the rule has matched and the rule number is reported; if not, all subtrees of the node are placed in backlogs, and the subtrees must record the original rule number. The whole rule-matching process is shown in FIG. 4.
S9: successfully matching and calculating an event risk value;
If the security event matches the intermediate result backlogs or rule directives successfully, the ruleMatched flag is set, and after the matching is successful, a backlogs node is created, in which the matching rule and the relevant attribute of the event are copied, for example: copying the credibility reliablility of the corresponding node in the rule tree and the priority of the association rule, combining the reliability reliablility with the parameter asset set for the equipment, calculating the risk value of the matching event, and recording the risk value in the risk attribute of the event.
S10: generating an attack tree and giving early warning to the background;
For the first matched event, as there is no intermediate result backlogs to be matched, the event skips backlogs matching and matches with rules first, the process traverses all enabled rule trees, if matching with a rule tree is successful, an unmatched intermediate result backlogs, backlogs is also the structure of an N-ary tree, a larger rule tree is continuously constructed along with the increase of matching layers, finally, when backlogs is successfully matched with leaf nodes of the rule tree, an event sequence of complex attack has been detected, and at the moment, the intermediate process backlogs and the rule tree have the same structure, backlogs can be directly used as an alarm of complex attack, early warning response is given to a background manager, and the alarm page at the front end is displayed.
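A worked implementation of steps S4 to S10, added here as an example and not code from the patent: it parses a constructed XML rule base in the layout the description implies (one directive per complex attack, nested rule tags for ordered steps, sibling rule tags as alternatives, ANY as the wildcard field), builds the N-ary rule trees, runs a constructed event queue through the backlogs match (S7) and the rule-root match (S8), and scores each matched step. The XML attribute names, the Event fields, the product reliability × priority × asset as the risk formula and the sum of step risks as the alarm total are all assumptions; the page describes the structure but fixes none of them.

```python
"""Added example, not code from the patent: rule trees from XML (S4/S5), backlogs
matching (S7/S8) and per-step risk scoring (S9) over a security-event queue.
Assumed: the XML attribute names, the Event fields and the risk formula."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed rule base. One <directive> is one complex attack; nested <rule>s
# are ordered steps, sibling <rule>s are alternatives, "ANY" is a wildcard.
RULES_XML = """<directives>
  <directive id="101" name="PLC takeover" priority="4">
    <rule type="NIDS" event="port_scan" src_ip="ANY" dst_ip="10.0.0.5" device="PLC" reliability="1">
      <rule type="HIDS" event="login_brute_force" src_ip="ANY" dst_ip="ANY" device="PLC" reliability="2">
        <rule type="HIDS" event="trojan_implant" src_ip="ANY" dst_ip="ANY" device="PLC" reliability="5"/>
      </rule>
      <rule type="NIDS" event="modbus_write_coil" src_ip="ANY" dst_ip="10.0.0.5" device="PLC" reliability="4"/>
    </rule>
  </directive>
</directives>"""
ASSET = {"PLC": 4, "FCS": 2}   # device importance values quoted in the text
MATCH_FIELDS = ("type", "event", "src_ip", "dst_ip", "device")

@dataclass
class RuleNode:
    """One tree node: a <directive> (attrs id/name/priority, children = first
    steps) or a <rule> (step attributes, children = possible next steps)."""
    attrs: dict
    children: list

@dataclass
class Event:
    time: int
    type: str                    # sensor that raised it: NIDS or HIDS
    event: str
    src_ip: str
    dst_ip: str
    device: str
    rule_matched: bool = False   # matching-algorithm attribute (S6)
    reliability: int = 0         # risk-quantification attributes (S6)
    priority: int = 0
    risk: int = 0

@dataclass(eq=False)
class Backlog:
    """Partial match: the directive, the step expected next, the events so far."""
    rule: RuleNode
    node: RuleNode
    path: list

def parse_rules(xml_text):
    """S4/S5: XML directives -> list of N-ary rule trees (one per directive)."""
    def build(elem):
        return RuleNode(dict(elem.attrib), [build(c) for c in elem.findall("rule")])
    return [build(d) for d in ET.fromstring(xml_text).findall("directive")]

def node_matches(node, ev):
    """S2 granularity: a rule field set to ANY matches any event value."""
    return all(node.attrs[f] == "ANY" or node.attrs[f] == getattr(ev, f) for f in MATCH_FIELDS)

class Detector:
    def __init__(self, rules):
        self.rules, self.backlogs, self.alarms = rules, [], []
    def _advance(self, entry, ev):
        """S9: copy rule parameters into the event and score it, then report the
        finished attack (leaf) or push the possible next steps into backlogs."""
        ev.rule_matched = True
        ev.reliability = int(entry.node.attrs["reliability"])
        ev.priority = int(entry.rule.attrs["priority"])
        ev.risk = ev.reliability * ev.priority * ASSET.get(ev.device, 1)  # assumed formula
        path = entry.path + [ev]
        if not entry.node.children:
            # S10: the completed path is the attack tree reported as the alarm
            self.alarms.append({"rule_id": entry.rule.attrs["id"], "name": entry.rule.attrs["name"],
                                "path": path, "risk": sum(e.risk for e in path)})
        for child in entry.node.children:
            self.backlogs.append(Backlog(entry.rule, child, path))
    def process(self, ev):
        """S7 then S8 for one event; returns the ruleMatched flag."""
        for entry in list(self.backlogs):          # copy: _advance appends
            if node_matches(entry.node, ev):
                self.backlogs.remove(entry)
                self._advance(entry, ev)
        for rule in self.rules:                     # every root, so an event can
            for root in rule.children:              # also open a new attack chain
                if node_matches(root, ev):
                    self._advance(Backlog(rule, root, []), ev)
        return ev.rule_matched

# Constructed event queue (S6), in occurrence order; event 3 hits the wrong host/device.
SAMPLE_EVENTS = [
    Event(1, "NIDS", "port_scan", "192.0.2.10", "10.0.0.5", "PLC"),
    Event(2, "HIDS", "login_brute_force", "192.0.2.10", "10.0.0.5", "PLC"),
    Event(3, "NIDS", "port_scan", "198.51.100.7", "10.0.0.9", "FCS"),
    Event(4, "HIDS", "trojan_implant", "192.0.2.10", "10.0.0.5", "PLC"),
]

if __name__ == "__main__":
    det = Detector(parse_rules(RULES_XML))
    print([det.process(ev) for ev in SAMPLE_EVENTS],
          [(a["name"], [e.event for e in a["path"]], a["risk"]) for a in det.alarms])
```

Two points the page leaves open that matter in a deployment: backlogs has no expiry, so a partial match whose follow-up never arrives stays in memory indefinitely (here the untaken modbus_write_coil branch remains a live backlog after the alarm fires), so a real system needs a time window per partial match; and S8 is run for every event rather than only when S7 fails, so one event can both advance an existing chain and open a new one, which is a design choice of this example, not something the text settles.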
S11: storing the alarm in the attack database.
When a complex attack event is recognised, besides the early warning to the back end it must be stored in the database for situation display, for example the overall threat situation by week or month, or for attack tracing by other means such as a knowledge graph. The storage format of a complex attack in the database must also be determined; as shown in FIG. 5, it comprises two tables: the first, combined_attack, holds the summary information of the complex attack, and the second, single_alarm, holds the detailed information of each single attack contained in the complex attack. For the complex attack, its occurrence count in the database is incremented by 1 and its risk in combined_attack is updated; for the single attacks, the risk of each attack event is added to the database, so that every step of the complex attack is risk-quantified, and the total risk value of the complex attack is obtained by weighting the risk values of the single-step attacks it contains.
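As an added example for S11, not code from the patent: a sqlite3 version of the two tables, with the occurrence counter and the summary risk update in combined_attack and one single_alarm row per step, written in a single transaction. The column set beyond the names the text gives (occurrence, risk), the rule that the summary risk holds the latest detection's total, and the positional weighting used for that total are assumptions; the text only says the total is a weighted value of the single-step risks. The sample alarm is constructed.

```python
"""Added example, not code from the patent: persisting a detected complex attack
in combined_attack and single_alarm (S11). Columns other than occurrence/risk and
the positional weighting of step risks are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS combined_attack (
    rule_id    TEXT PRIMARY KEY,
    name       TEXT NOT NULL,
    occurrence INTEGER NOT NULL DEFAULT 0,   -- incremented once per detection
    risk       REAL NOT NULL DEFAULT 0       -- weighted total of the latest detection
);
CREATE TABLE IF NOT EXISTS single_alarm (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    rule_id    TEXT NOT NULL REFERENCES combined_attack(rule_id),
    step       INTEGER NOT NULL,             -- position in the attack chain
    event_time INTEGER NOT NULL,
    event      TEXT NOT NULL,
    src_ip     TEXT NOT NULL,
    dst_ip     TEXT NOT NULL,
    device     TEXT NOT NULL,
    risk       REAL NOT NULL
);
"""

# Constructed alarm in the shape the matching stage would hand over:
# rule id, name and the single-step events with their already-computed risks.
SAMPLE_ALARM = {
    "rule_id": "101", "name": "PLC takeover",
    "path": [
        {"time": 1, "event": "port_scan", "src_ip": "192.0.2.10", "dst_ip": "10.0.0.5", "device": "PLC", "risk": 16},
        {"time": 2, "event": "login_brute_force", "src_ip": "192.0.2.10", "dst_ip": "10.0.0.5", "device": "PLC", "risk": 32},
        {"time": 4, "event": "trojan_implant", "src_ip": "192.0.2.10", "dst_ip": "10.0.0.5", "device": "PLC", "risk": 80},
    ],
}

def weighted_risk(step_risks):
    """Assumed weighting: step k of the chain gets weight k, so later (more
    decisive) steps count more; the text gives no concrete weights."""
    return sum(k * r for k, r in enumerate(step_risks, start=1))

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def store_alarm(conn, alarm):
    """S11: bump occurrence, refresh the summary risk, append one row per step."""
    total = weighted_risk([s["risk"] for s in alarm["path"]])
    with conn:  # one transaction: summary and detail rows commit together
        conn.execute("INSERT OR IGNORE INTO combined_attack(rule_id, name) VALUES (?, ?)",
                     (alarm["rule_id"], alarm["name"]))
        conn.execute("UPDATE combined_attack SET occurrence = occurrence + 1, risk = ? WHERE rule_id = ?",
                     (total, alarm["rule_id"]))
        conn.executemany(
            "INSERT INTO single_alarm(rule_id, step, event_time, event, src_ip, dst_ip, device, risk) "
            "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            [(alarm["rule_id"], k, s["time"], s["event"], s["src_ip"], s["dst_ip"], s["device"], s["risk"])
             for k, s in enumerate(alarm["path"], start=1)])
    return total

def summary(conn, rule_id):
    """(occurrence, risk, number of stored single-step alarms) for one complex attack."""
    occ, risk = conn.execute("SELECT occurrence, risk FROM combined_attack WHERE rule_id = ?",
                             (rule_id,)).fetchone()
    (steps,) = conn.execute("SELECT COUNT(*) FROM single_alarm WHERE rule_id = ?", (rule_id,)).fetchone()
    return occ, risk, steps

if __name__ == "__main__":
    db = open_db()
    store_alarm(db, SAMPLE_ALARM)
    print(summary(db, "101"))
```

The page names the summary table once as component_attack and otherwise as combined_attack; the example uses combined_attack throughout. The weekly or monthly situation view the text mentions is then a GROUP BY over single_alarm.event_time, which is why the event time is stored per step rather than only on the summary row.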
In this embodiment, the association rules are represented logically, configured in XML and further converted into N-ary rule trees, so that association rules are configured automatically; a complex attack recognition algorithm is designed which accurately identifies complex attacks in the real-time security-event stream of industrial control terminal devices and reports the complex attack path to the cloud management centre, supporting subsequent risk early warning and response.
The invention and its embodiments have been described above by way of illustration and not limitation; the drawings show one embodiment, and the actual structure is not limited to it. Therefore, if a person of ordinary skill in the art, informed by this disclosure, designs structural forms and embodiments similar to the technical solution without inventive effort and without departing from the gist of the invention, they should all fall within the scope of protection of the invention.

Claims (7)

1. A complex attack detection method for an industrial control system based on association rules, characterised in that the method comprises the following steps:
S1: enabling association rules in the database;
S2: configuring the granularity of the association rules;
the association rules are stored in the database as a rule base, and, for flexible matching, so that the association system can match attack paths accurately while the rules remain general, a back-end administrator determines the configuration granularity of a given rule;
S3: configuring the association-rule parameters;
in S3, to quantify the risk value of each single step of a complex attack during rule matching, the administrator configures two parameters for each association rule according to its hit rate and experience, namely the priority of the whole association rule and the reliability of each single-step rule; in addition, an importance value is assigned to each device according to its importance;
S4: converting the logical rules into XML;
S5: converting the XML rules into rule trees;
S6: inserting the real-time event stream into the queue to be matched;
S7: matching, in the complex attack detection algorithm, against the intermediate results (backlogs);
in S7, the security event at the head of the event queue is taken out and first matched against all root nodes of the intermediate-state trees in backlogs, and if a root node matches, it is determined whether that node is a leaf node;
if it is a leaf node, the rule has matched completely, the rule number is reported, and the leaf node is deleted from backlogs;
if it is an intermediate node, all subtrees of that node are placed in backlogs and the original tree is deleted from backlogs;
S8: matching, in the complex attack detection algorithm, against the rule trees (directives);
in S8, the security event at the head of the event queue is taken out and matched in turn against all root nodes of the rule trees (directives), and if none matches, the rule-matching process for this security event ends;
if a node in some rule tree matches, it is determined whether that node is a leaf node;
if it is, the rule has matched and the rule number is reported;
if it is not a leaf node, all subtrees of the node are placed in backlogs, and the subtrees record the original rule number;
S9: on a successful match, calculating the event risk value;
S10: generating an attack tree and issuing an early warning to the back end;
S11: storing the alarm in the attack database.
2. The method for detecting complex attacks of an industrial control system based on association rules according to claim 1, wherein the method comprises the following steps: in the S1, the association rule is mainly derived from two approaches, namely, obtained through expert experience, and secondly, an effective complex attack mode is excavated through association analysis on a historical massive security event library, and the association rule is further generated;
the association rules obtained by the two methods can be summarized into a unified form, and on the basis, a flag bit is added in a rule base to represent the starting state of the rule in order to manage the association rules, so that the effective management of the rule is realized, and the storage format of the association rules in a database is obtained.
3. The method for detecting complex attacks of an industrial control system based on association rules according to claim 2, wherein in S4 the association rules in the database are represented in XML format, the attack scene is given a structural representation for subsequent complex attack detection, and the plurality of attack steps of a complex attack are represented by a nested tree structure, namely a 1:n relation between the complex attack and the single-step attacks.
4. The method for detecting complex attacks of an industrial control system based on association rules according to claim 3, wherein in S5, for each enabled association rule, the rule is traversed, the directive label is organized as the father node of the N-ary tree, the rule labels and the attributes they contain are organized as objects, and the complete N-ary tree is constructed with the rule labels as child nodes according to their nesting hierarchical relationship.
5. The method for detecting complex attacks of an industrial control system based on association rules according to claim 4, wherein in S6 the events in the real-time event stream are converted into objects that the algorithm can process, the attributes of the event serving as members of the object; the attributes of the object consist of three parts, namely event-related attributes, algorithm-related attributes, and risk-value-quantization-related attributes; finally, an event queue is established, the security events are inserted into the queue in order of occurrence time, and a queue to be processed for rule matching is established.
6. The method for detecting complex attacks of an industrial control system based on association rules according to claim 5, wherein in S9, if the security event matches successfully against the intermediate result backlogs or against the rule directive, a ruleMatched flag is set; after a successful match a new backlogs node is created, the matched rule and the related attributes of the event are copied into the node, the risk value of the matched event is calculated, and the risk value is recorded in the risk attribute of the event.
7. The method for detecting complex attacks of an industrial control system based on association rules according to claim 6, wherein in S10, when a complex attack is detected, the attack tree representing the complex attack is obtained at the same time, the attack tree is put into the alarm set and used as the alarm for the complex attack, and an early-warning response is given to the background administrator.
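The detection procedure of claims 4 to 7 (XML rule database parsed into an N-ary tree, events converted into objects with event, algorithm and risk attributes, a time-ordered queue, matching against backlogs or the rule directive, risk value recording, and an attack-tree alarm), as an added Python example that is not the patent's own code. The XML schema and attribute names (`directive`, `rule`, `reliability`, `same_src`, `timeout`, `priority`), the risk quantization formula and the sample events are constructed assumptions, not taken from the page.

```python
"""Toy association-rule correlation engine (added example, not the patent's code).
The XML schema, the risk formula and the sample events are constructed assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed rule database: one directive whose attack scene is a nested tree
# of rules, i.e. complex attack : single-step attack = 1:n.
RULES_XML = """
<directives>
  <directive id="D1" name="Recon then Modbus write" priority="4">
    <rule type="port_scan" reliability="2">
      <rule type="modbus_write" reliability="5" same_src="true" timeout="120"/>
    </rule>
  </directive>
</directives>
"""

@dataclass
class Rule:                  # one child node of the N-ary tree (a rule label)
    type: str
    reliability: int
    timeout: int             # seconds allowed after the previous matched step
    same_src: bool           # next step must come from the same source as the previous one
    children: list = field(default_factory=list)

@dataclass
class Directive:             # father node of the N-ary tree (a directive label)
    id: str
    name: str
    priority: int
    root: Rule

@dataclass
class Event:
    ts: int                  # event-related attributes
    type: str
    src: str
    dst: str
    rule_matched: bool = False   # algorithm-related attribute (ruleMatched flag)
    risk: int = 0                # risk-value-quantization attribute

@dataclass
class Backlog:               # intermediate result: a partially matched attack scene
    directive: Directive
    node: Rule               # deepest rule matched so far
    events: list             # matched events, in order

def _parse_rule(el):
    return Rule(el.get("type"), int(el.get("reliability", 1)), int(el.get("timeout", 0)),
                el.get("same_src") == "true", [_parse_rule(c) for c in el.findall("rule")])

def load_directives(xml_text):
    """Traverse each directive of the XML database and build its N-ary tree."""
    return [Directive(d.get("id"), d.get("name"), int(d.get("priority", 1)),
                      _parse_rule(d.find("rule")))
            for d in ET.fromstring(xml_text).findall("directive")]

def _risk(directive, rule):
    # constructed quantization: priority x reliability, capped at 10
    return min(10, directive.priority * rule.reliability)

def _matches(rule, ev, backlog):
    if rule.type != ev.type:
        return False
    if backlog is not None:                      # constraints relative to previous step
        last = backlog.events[-1]
        if rule.timeout and ev.ts - last.ts > rule.timeout:
            return False
        if rule.same_src and ev.src != last.src:
            return False
    return True

def correlate(directives, events):
    """Process the queue in occurrence-time order; return attack trees of detected attacks."""
    backlogs, alarms = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        for b in list(backlogs):                 # 1. try to extend an existing backlog
            for child in b.node.children:
                if _matches(child, ev, b):
                    ev.rule_matched, ev.risk = True, _risk(b.directive, child)
                    b.node, b.events = child, b.events + [ev]
                    break
        if not ev.rule_matched:                  # 2. else try each directive's root rule
            for d in directives:
                if _matches(d.root, ev, None):
                    ev.rule_matched, ev.risk = True, _risk(d, d.root)
                    backlogs.append(Backlog(d, d.root, [ev]))
        for b in list(backlogs):                 # 3. a backlog at a leaf is a complex attack
            if not b.node.children:
                alarms.append({"directive": b.directive.name,
                               "steps": [(e.type, e.src, e.risk) for e in b.events],
                               "risk": max(e.risk for e in b.events)})
                backlogs.remove(b)
        backlogs = [b for b in backlogs          # 4. drop backlogs whose next step timed out
                    if any(not c.timeout or ev.ts - b.events[-1].ts <= c.timeout
                           for c in b.node.children)]
    return alarms

def sample_events():
    """Constructed event stream; only the 10.0.0.5 pair completes the scene."""
    return [Event(0, "port_scan", "10.0.0.5", "10.0.1.20"),
            Event(10, "port_scan", "10.0.0.7", "10.0.1.20"),
            Event(40, "modbus_write", "10.0.0.9", "10.0.1.20"),   # no preceding scan
            Event(75, "modbus_write", "10.0.0.5", "10.0.1.20"),   # completes D1
            Event(300, "modbus_write", "10.0.0.7", "10.0.1.20")]  # outside timeout

def run_sample():
    return correlate(load_directives(RULES_XML), sample_events())

if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

Step 4 is the part a practitioner usually gets wrong: without purging expired backlogs the intermediate results grow without bound under a noisy event stream, and an old partial match can be completed by an unrelated event long after the scene's time window has passed.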

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311697164.XA CN117938431B (en) 2023-12-11 2023-12-11 Complex attack detection method for industrial control system based on association rule

Publications (2)

Publication Number Publication Date
CN117938431A CN117938431A (en) 2024-04-26
CN117938431B true CN117938431B (en) 2024-06-21

Family

ID=90751500

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311697164.XA Active CN117938431B (en) 2023-12-11 2023-12-11 Complex attack detection method for industrial control system based on association rule

Country Status (1)

Country Link
CN (1) CN117938431B (en)

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8474043B2 (en) * 2008-04-17 2013-06-25 Sourcefire, Inc. Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing
CN101902441B (en) * 2009-05-31 2013-05-15 北京启明星辰信息技术股份有限公司 Intrusion detection method capable of realizing sequence attacking event detection
CN101610174B (en) * 2009-07-24 2011-08-24 深圳市永达电子股份有限公司 Log correlation analysis system and method
US9467465B2 (en) * 2013-02-25 2016-10-11 Beyondtrust Software, Inc. Systems and methods of risk based rules for application control
CN105391687A (en) * 2015-10-13 2016-03-09 南京联成科技发展有限公司 System and method for supplying information security operation service to medium-sized and small enterprises
US11301134B2 (en) * 2017-10-26 2022-04-12 International Business Machines Corporation Using attack trees to reduce memory consumption by rule engines
CN110493043B (en) * 2019-08-16 2022-05-03 武汉思普崚技术有限公司 Distributed situation awareness calling method and device
CN114143020B (en) * 2021-09-06 2023-10-31 北京许继电气有限公司 Rule-based network security event association analysis method and system
CN114710368B (en) * 2022-06-06 2022-09-02 杭州安恒信息技术股份有限公司 Security event detection method and device and computer readable storage medium
CN115412358B (en) * 2022-09-02 2024-01-30 中国电信股份有限公司 Network security risk assessment method and device, electronic equipment and storage medium
CN117118719A (en) * 2023-09-05 2023-11-24 中汽创智科技有限公司 Intrusion detection method, intrusion detection device, computer equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
File risk assessment method based on attack trees; 钟倩; 方勇; 刘亮; 陈莉; Communications Technology; 2011-05-10 (05); full text *
Malicious code detection method with an improved attack tree; 谢乐川; 袁平; Computer Engineering and Design; 2013-05-16 (05); full text *

Also Published As

Publication number Publication date
CN117938431A (en) 2024-04-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant