CN102638445A - Feedback type multistep network attack intelligent detection method and feedback type multistep network attack intelligent detection device - Google Patents


Info

Publication number
CN102638445A
Authority
CN
China
Prior art keywords
network
rule
multistep
attack
early warning
Prior art date
2011-12-27
Legal status
Granted
Application number
CN2011104451618A
Other languages
Chinese (zh)
Other versions
CN102638445B (en)
Inventor
胡晴
毛俐旻
王斌
石波
Current Assignee
706th Institute Of No2 Research Institute Casic
Original Assignee
706th Institute Of No2 Research Institute Casic
Priority date
2011-12-27
Filing date
2011-12-27
Publication date
2012-08-15
Application filed by 706th Institute Of No2 Research Institute Casic
Priority to CN201110445161.8A
Publication of CN102638445A
Application granted
Publication of CN102638445B
Legal status: Active


Abstract

A feedback-type multistep network attack intelligent detection method and device relate to the field of network information security. The method feeds three kinds of information back to a multistep network attack detection rule evaluator: records of which multistep network attack detection rules actually took effect, network anomaly information, and non-early-warning policy adjustment information. The evaluator judges from the network anomaly information whether the network has been attacked, judges from the non-early-warning policy adjustment information whether the early warnings are comprehensive, and assesses the validity of each rule in combination with the rule effectiveness information. This determines the usability of the existing multistep attack recognition rules in the real network and the comprehensiveness of the current rule set, that is, whether it is sufficient to recognize and predict all attacks. The method and device can be widely applied to ordinary local area networks, classified local area networks, industry internal networks and the like, and make multistep network attack detection rules generated in any manner more accurate and comprehensive.

Description

A feedback-type multistep network attack intelligent detection method and device
Technical field
The present invention relates to network information security technology, and specifically to an intelligent detection method for network multistep attack rules that has a feedback mechanism: the feedback mechanism intelligently adjusts the multistep attack detection rules and thereby improves their usability and comprehensiveness.
Background technology
As network security technology has developed, network attack methods have also become increasingly complex and varied. To protect the assets and information in a network, devices and systems such as firewalls, intrusion detection, anti-virus and vulnerability scanning have been widely deployed. These devices and systems produce an enormous volume of alert messages with no direct correlation between them, which makes multistep attacks difficult to analyze. Many methods of correlating network security events have therefore been proposed in order to detect multistep attacks, chiefly correlation based on prerequisites and consequences, correlation based on statistical time series, and rule-based correlation.
Cuppens of the French Ministry of Defence, Templeton of the University of California and Peng Ning of North Carolina State University, among others, successively proposed correlation based on prerequisites and consequences. Correlating attacks in sequence through their prerequisites and consequences does not require the whole attack process to be known in advance; it is suited to correlating attack steps, can discover new attack processes formed by combining different attacks, and yields sequence correlations with high accuracy. However, this method makes advance warning difficult; the search space during correlation is large, resource consumption is high and processing time is long, which is unfavourable to real-time online operation; and it cannot detect novel attacks whose causal relations are unknown.
Xinzhou Qin proposed a statistical causal correlation method based on time series, the Granger Causality Test (GCT). The core of the algorithm is the data mining method GCT (Granger causality test, a time-series causality analysis): the network security event stream is treated as a time-ordered sequence of events, the Granger causality index (GCI) between two different events $X_i$ and $Y$ is computed, the $m$ preceding $X_i$ events are selected, and the statistical causal relation between the $X_i$ events and the $Y$ events is determined. This method relies heavily on prior knowledge and expertise. Moreover, for attack prediction, the sequences it produces cannot be used directly as a basis for prediction without further verification.
Rule-based analysis encodes domain-specific knowledge (such as alert correlation knowledge) in a rule set and analyzes and judges problems through an inference mechanism. Rule-based correlation is currently the most basic and most effective technique; it matches human thinking, is intuitive and is easy to understand. Its drawbacks are that once the number of rules reaches a certain level the rule base becomes increasingly difficult to maintain; the system lacks self-learning capability and is helpless against newly emerging attacks; and rule adjustment and maintenance are difficult, so it is hard to adapt to frequently changing networks.
Summary of the invention
The objective of the invention is to improve the intelligence and usability of network multistep attack detection rules, and to solve the problem that multistep attack detection rules currently obtained through various algorithms differ greatly in usability across network environments and generally cannot be expanded intelligently.
Whatever the way in which network multistep attack detection rules are generated, their purpose is generally to recognize and predict network attacks. When a network attack is effectively recognized, it has usually already had some effect on the network. When an attack is successfully predicted, an early warning is usually sent to the user or to a particular system. When the prediction is accepted by the user or system, they can take corresponding precautions to stop the attack from proceeding. By assessing how the rules are applied and feeding the assessment results back to the multistep attack detection rule base, the multistep attack detection rules can be adjusted promptly and effectively, improving their usability, accuracy and comprehensiveness.
The specific flow of the feedback-type multistep attack intelligent detection method is shown in Fig. 1.
The invention is implemented as follows: a product with multistep network attack detection capability recognizes and predicts network attacks and records the circumstances in which the multistep network attack detection rules take effect in the real network (the "rule effectiveness information"); a product with network anomaly detection capability detects network anomalies such as abnormal traffic, viruses, trojans, worms, buffer overflows and illegal logins; and a product with network security policy monitoring capability monitors adjustments to the network security policy, that is, the user's and the system's changes to precautionary measures, and checks whether those adjustments were made on the basis of an early warning issued by the multistep network attack detection tool.
The specific information about which multistep network attack detection rules actually took effect, the network anomaly information, and the network policy adjustments not made on the basis of an early warning (the "non-early-warning policy adjustments") are each fed back to the multistep network attack detection rule evaluator. The evaluator judges from the anomaly information whether the network has been attacked, judges from the non-early-warning policy adjustments whether the early warnings are comprehensive, and, combining these with the rules' actual effectiveness, assesses rule validity, so as to determine the usability of the existing multistep attack recognition rules in the real network and the comprehensiveness of the current rule set, that is, whether it is sufficient to recognize and predict all attacks.
To describe the algorithm by which the multistep network attack detection rule evaluator assesses rule validity, and its method of assessing comprehensiveness, several terms are defined first:
Enabled duration $T_{MS}$: the number of milliseconds between the time a rule was put into use and the time its validity is assessed. For example, if a rule was enabled at time $T_1$ and the evaluator assesses its validity at time $T_2$, the rule's enabled duration is $T_{MS} = T_2 - T_1$. $T_{MS}$ changes dynamically: when the evaluator assesses the same rule at different times, its enabled duration differs.
Use count $N_{USED}$: the number of times the multistep network attack detection tool has produced an attack alarm or an early warning on the basis of a given rule.
Effective alarm count $N_{AVL}$: the number of times the tool has produced an attack alarm on the basis of a given rule and the alarm was judged effective.
Effective early warning count $N_{POLICY}$: the number of times the tool has produced an attack early warning on the basis of a given rule and the warning was judged effective. In the feedback-type multistep attack intelligent detection method designed in this patent, an early warning is considered effective when the user or the policy management system adjusts a policy in the network (firewall policy, access control policy, host monitoring policy, etc.) on the basis of that warning.
Rule priority $L_{PRIORITY}$: defines the order in which multistep network attack detection rules are used. The larger $L_{PRIORITY}$, the higher the rule's priority and the more likely it is to be used.
Non-early-warning policy adjustment: a network policy adjustment made on the basis of an early warning is called an early-warning policy adjustment; a network policy adjustment not made on the basis of an early warning is called a non-early-warning policy adjustment.
The validity assessment algorithm and the comprehensiveness assessment method are introduced below.
The inputs of the validity assessment module are the rule's enabled duration $T_{MS}$, use count $N_{USED}$, effective alarm count $N_{AVL}$ and effective early warning count $N_{POLICY}$; the output is the multistep network attack detection rule priority $L_{PRIORITY}$. The algorithm is:

$$L_{PRIORITY} = 2 + \frac{10^4 \, N_{USED}}{1 + T_{MS}} \cdot \frac{1 + N_{POLICY} + N_{AVL}}{1 + N_{USED}}$$

The validity assessment module periodically assesses all multistep attack detection rules. Each time the priority is computed, each rule's enabled duration $T_{MS}$ is different (it keeps growing), and its use count $N_{USED}$, effective alarm count $N_{AVL}$ and effective early warning count $N_{POLICY}$ also differ. The rule priority $L_{PRIORITY}$ computed by the algorithm above therefore changes from one evaluation to the next.
The priority threshold is specified by the user; when $L_{PRIORITY}$ falls below the specified threshold, the rule is no longer used. Under this algorithm, rules that are invalid for this network are continuously eliminated. The purpose is, on the one hand, to prevent the multistep network attack detection tool from using too many invalid rules, which would raise the computational load and prevent multistep attacks from being recognized or predicted effectively; and on the other hand to ensure that the longer the tool is used in the same network, the more precise its rules become.
The inputs of the comprehensiveness assessment module are the network anomaly information and the non-early-warning policy adjustment information. Whenever either kind of information is produced, it indicates that an attack in the network was neither recognized nor predicted, that is, the current multistep network attack detection rules are not comprehensive enough. The comprehensiveness assessment module then starts the rule generation module in the multistep network attack detection tool to generate additional new rules.
The invention also provides a feedback-type multistep network attack intelligent detection device, characterized in that it comprises: a device that recognizes and predicts network attacks and records the information about which multistep network attack detection rules took effect in the real network; a device that detects network anomaly information; a device that can monitor adjustments to the network security policy and check whether those adjustments were made on the basis of an early warning issued by the multistep network attack detection tool;
and a device that can judge from the network anomaly information whether the network has been attacked, judge from the non-early-warning policy adjustment information whether the early warnings are comprehensive, assess rule validity in combination with the information about which multistep network attack detection rules took effect, and thereby determine the usability of the existing multistep attack recognition rules in the real network and the comprehensiveness of the current multistep attack recognition rules.
The effect of the invention is to assess the validity of network multistep attack detection rules automatically and to adjust and extend them promptly. The invention prevents invalid and redundant rules from degrading attack detection efficiency, reduces the dependence of multistep attack detection rules on expertise, saves the laborious work of judging rule usability manually, and raises the overall security of the network.
The features of the invention are that its implementation does not depend on a specific network environment and can be widely used in ordinary local area networks, classified local area networks, industry internal networks and the like; and that its effect is independent of how the network multistep attack detection rules were generated: rules generated in any manner become more and more precise and comprehensive in a particular network environment.
Description of drawings
Fig. 1 is the flow of the feedback-type multistep attack intelligent detection;
Fig. 2 is an overall structure diagram of the feedback-type multistep attack intelligent detection method;
Fig. 3 is a typical application environment for carrying out the invention.
Embodiment
In a specific implementation, the invention can use existing products on the market: a product with multistep network attack detection capability (hereinafter the "multistep network attack detection tool"), a product with network anomaly detection capability (hereinafter the "network anomaly probe") and a product with network security policy monitoring capability (hereinafter the "network security policy monitoring tool"), working together with a multistep network attack detection rule evaluator implemented according to the validity assessment algorithm and the comprehensiveness assessment algorithm.
Description of the experiment
In the experiment we used the HT706-NSM network security management platform V2.0 produced by Beijing Aiwei Electronic Technology Co. as the multistep network attack detection tool (specifically its correlation analysis module), the Cisco XT 5600 Traffic Anomaly Detector as the network anomaly probe, and the Topsec VPN Security Integrated Management System SCM as the network security policy monitoring tool. The use of these three tools is described in turn:
1. The correlation analysis module of the HT706-NSM network security management platform normalizes the massive, multi-source, heterogeneous network security events, removes invalid alerts and merges redundant ones; it then mines attack sequences from the events with an improved C4.5 data mining algorithm, uses them as multistep attack detection rules, records each rule's enabling time, and recognizes and predicts multistep attacks from the security events generated in real time according to these rules. In the experiment the platform matched the security events generated in the network in real time only against rules with priority greater than 1.58, recognizing and predicting multistep attacks in this way and recording the use count of each rule. Multistep attacks recognized or predicted in this manner are referred to as alarms. Whether a multistep attack alarm is effective, and whether the network policy needs to be modified on account of it, is judged manually. If an alarm is judged effective, the platform automatically increments the effective alarm count of the corresponding rule; if it is judged that the network policy must be modified on account of the alarm, the platform automatically increments the rule's effective early warning count. At a set time each day the platform passes the rule enabling time, use count, effective alarm count and effective early warning count to the multistep network attack detection rule evaluator.
2. The Cisco XT 5600 Traffic Anomaly Detector monitors abnormal traffic in the network in real time and raises alarms. These alarm messages are passed to the multistep network attack detection rule evaluator through an extended interface.
3. The Topsec VPN Security Integrated Management System SCM centrally manages the policies on the security devices in the network, such as Topsec firewalls and intrusion detection systems. A customized policy-change awareness interface is used here. When a policy on a security device changes, the system asks the user for the basis of the policy change. If the basis is not a multistep attack alarm provided by the HT706-NSM platform, the policy change is sent to the multistep network attack detection rule evaluator as a non-early-warning policy adjustment alarm.
The multistep network attack detection rule evaluator is software deployed on a server and comprises two modules, rule validity assessment and rule comprehensiveness assessment. It starts at a set time each day. First, the evaluator recomputes the rule priorities from the collected rule enabling times, use counts, effective alarm counts and effective early warning counts, and feeds the results back to the correlation analysis module of the HT706-NSM platform. Then it totals the abnormal-traffic alarm messages and non-early-warning policy adjustment alarm messages received that day; if the total is greater than 0, it calls the data mining interface of the HT706-NSM platform to mine the security events generated that day and produce new multistep attack detection rules.
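As an added example, not code from the patent or from any of the products named on this page, the following Python models one daily cycle of the rule evaluator described in the validity/comprehensiveness assessment passage above and in the experiment description: the per-rule counters the detection tool feeds back, the priority formula as reconstructed from the text with a user threshold, the policy monitoring tool's classification of a policy change as a non-early-warning adjustment when its stated basis is not an issued early warning, and the trigger for generating new rules. All record formats, field names, the threshold value and the sample data are assumptions. Note that with the formula as reconstructed the priority is never below 2 (the use-rate term is non-negative), so the threshold here is set to 2.5; a threshold below 2 would never exclude a rule.

```python
# Added example, not code from the patent or from any product named on this page.
# Models one daily cycle of the "multistep network attack detection rule evaluator":
#   - validity assessment: recompute L_PRIORITY per rule and apply the user threshold
#   - comprehensiveness assessment: anomaly alerts + non-early-warning policy
#     adjustments > 0 triggers new rule generation
# Record formats, field names, the threshold and all sample data are assumptions.
from dataclasses import dataclass


@dataclass
class RuleStats:
    """Per-rule counters the detection tool keeps and feeds back to the evaluator."""
    rule_id: str
    enabled_at_ms: int   # time the rule was put into use (epoch milliseconds)
    n_used: int = 0      # N_USED: alarms and early warnings produced from this rule
    n_avl: int = 0       # N_AVL: alarms judged effective
    n_policy: int = 0    # N_POLICY: early warnings that led to a policy adjustment


def priority(n_used: int, n_avl: int, n_policy: int, t_ms: int) -> float:
    """L_PRIORITY as given in the text (reconstructed formula).

    The first factor is a use rate (uses per 10^4 ms enabled), the second the
    share of uses that were judged effective. The additive 2 means the result
    is never below 2, so a pruning threshold must be set above 2."""
    return 2 + (1e4 * n_used) / (1 + t_ms) * (1 + n_policy + n_avl) / (1 + n_used)


def apply_alarm_judgements(rules_by_id, judgements):
    """Feedback from the detection tool. Each judgement is
    (rule_id, alarm judged effective, policy modified because of the alarm)."""
    for rule_id, effective, policy_changed in judgements:
        r = rules_by_id[rule_id]
        r.n_used += 1
        if effective:
            r.n_avl += 1
        if policy_changed:
            r.n_policy += 1


def assess_validity(rules, now_ms: int, threshold: float):
    """Validity assessment module: {rule_id: (priority, still enabled)}."""
    scores = {}
    for r in rules:
        t_ms = now_ms - r.enabled_at_ms          # T_MS grows at every evaluation
        p = priority(r.n_used, r.n_avl, r.n_policy, t_ms)
        scores[r.rule_id] = (p, p >= threshold)
    return scores


def non_early_warning_adjustments(policy_changes, early_warning_ids):
    """Policy monitoring tool: a change whose stated basis is not one of the
    early warnings issued by the detection tool is a non-early-warning adjustment."""
    return [c for c in policy_changes if c["basis"] not in early_warning_ids]


def needs_new_rules(anomaly_alerts, non_ew_adjustments) -> bool:
    """Comprehensiveness assessment module: any unexplained anomaly or policy
    change means an attack went unrecognized, so rule generation is started."""
    return len(anomaly_alerts) + len(non_ew_adjustments) > 0


# --- constructed sample data for one evaluation day (not real telemetry) ---
NOW_MS = 2_000_000
THRESHOLD = 2.5   # assumed user-specified priority threshold (must exceed 2, see above)

POLICY_CHANGES = [   # from the policy monitoring tool, with the operator's stated basis
    {"device": "fw-1", "change": "deny 10.0.0.5 any", "basis": "EW-17"},
    {"device": "fw-2", "change": "disable telnet", "basis": None},
]
ANOMALY_ALERTS = []  # nothing from the traffic anomaly probe today


def run_daily_cycle():
    rules = [
        RuleStats("R1", NOW_MS - 9_999),    # enabled 9999 ms ago, used three times today
        RuleStats("R2", NOW_MS - 999_999),  # old rule, one ineffective alarm
        RuleStats("R3", NOW_MS - 9_999),    # never fired
    ]
    by_id = {r.rule_id: r for r in rules}
    judgements = [("R1", True, True), ("R1", True, False), ("R1", False, False),
                  ("R2", False, False)]
    apply_alarm_judgements(by_id, judgements)

    scores = assess_validity(rules, NOW_MS, THRESHOLD)
    non_ew = non_early_warning_adjustments(POLICY_CHANGES, {"EW-17"})
    return {
        "scores": scores,
        "kept": sorted(k for k, (_, keep) in scores.items() if keep),
        "non_early_warning": non_ew,
        "generate_rules": needs_new_rules(ANOMALY_ALERTS, non_ew),
    }


if __name__ == "__main__":
    for k, v in run_daily_cycle().items():
        print(k, v)
```

In this run R1 scores 5.0 and stays enabled, R2 decays to about 2.005 because $T_{MS}$ is measured in milliseconds and grows at every evaluation while its single alarm was ineffective, and R3, never used, sits at the floor of 2.0; the unexplained telnet change on fw-2 is enough on its own to start rule generation.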

Claims (3)

1. A feedback-type multistep network attack intelligent detection method, characterized in that: a product with multistep network attack detection capability is used to recognize and predict network attacks and to record the information about which multistep network attack detection rules took effect in the real network; a product with network anomaly detection capability is used to detect network anomaly information; a product with network security policy monitoring capability is used to monitor adjustments to the network security policy, that is, the user's and the system's changes to precautionary measures, and to check whether those adjustments were made on the basis of an early warning issued by the multistep network attack detection tool;
the information about which multistep network attack detection rules actually took effect, the network anomaly information, and the network policy adjustment information not made on the basis of an early warning, namely the non-early-warning policy adjustment information, are each fed back to a multistep network attack detection rule evaluator; the evaluator judges from the network anomaly information whether the network has been attacked, judges from the non-early-warning policy adjustment information whether the early warnings are comprehensive, and assesses rule validity in combination with the information about which multistep network attack detection rules took effect, so as to determine the usability of the existing multistep attack recognition rules in the real network and the comprehensiveness of the current multistep attack recognition rules, that is, whether they are sufficient to recognize and predict all attacks.
2. The feedback-type multistep attack intelligent detection method according to claim 1, characterized in that:
the following terms are defined first:
Enabled duration $T_{MS}$: the number of milliseconds between the time a rule was put into use and the time its validity is assessed;
Use count $N_{USED}$: the number of times the multistep network attack detection tool has produced an attack alarm or an early warning on the basis of a given rule;
Effective alarm count $N_{AVL}$: the number of times the tool has produced an attack alarm on the basis of a given rule and the alarm was judged effective;
Effective early warning count $N_{POLICY}$: the number of times the tool has produced an attack early warning on the basis of a given rule and the warning was judged effective; an early warning is effective when the user adjusts a policy in the network on the basis of that warning;
Rule priority $L_{PRIORITY}$: defines the order in which multistep network attack detection rules are used; the larger $L_{PRIORITY}$, the higher the rule's priority and the more likely it is to be used;
a network policy adjustment made on the basis of an early warning is called an early-warning policy adjustment, and network policy adjustment information not made on the basis of an early warning is called non-early-warning policy adjustment information;
the validity assessment algorithm and the comprehensiveness assessment method are as follows:
the inputs of the validity assessment module are the rule's enabled duration $T_{MS}$, use count $N_{USED}$, effective alarm count $N_{AVL}$ and effective early warning count $N_{POLICY}$; the output is the multistep network attack detection rule priority $L_{PRIORITY}$, computed as:

$$L_{PRIORITY} = 2 + \frac{10^4 \, N_{USED}}{1 + T_{MS}} \cdot \frac{1 + N_{POLICY} + N_{AVL}}{1 + N_{USED}}$$

the validity assessment module periodically assesses all multistep attack detection rules; each time the priority is computed, a rule whose priority $L_{PRIORITY}$ is below the specified threshold is no longer used;
the inputs of the comprehensiveness assessment module are the network anomaly information and the non-early-warning policy adjustment information; whenever either kind of information is produced, it indicates that an attack in the network was neither recognized nor predicted, that is, the current multistep network attack detection rules are not comprehensive enough; the comprehensiveness assessment module then starts the rule generation module in the multistep network attack detection tool to generate additional new rules.
3. A feedback-type multistep network attack intelligent detection device, characterized in that it comprises: a device that recognizes and predicts network attacks and records the information about which multistep network attack detection rules took effect in the real network; a device that detects network anomaly information; a device that can monitor adjustments to the network security policy and check whether those adjustments were made on the basis of an early warning issued by the multistep network attack detection tool;
and a device that can judge from the network anomaly information whether the network has been attacked, judge from the non-early-warning policy adjustment information whether the early warnings are comprehensive, assess rule validity in combination with the information about which multistep network attack detection rules took effect, and thereby determine the usability of the existing multistep attack recognition rules in the real network and the comprehensiveness of the current multistep attack recognition rules.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110445161.8A CN102638445B (en) 2011-12-27 2011-12-27 Feedback type multistep network attack intelligent detection method and feedback type multistep network attack intelligent detection device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110445161.8A CN102638445B (en) 2011-12-27 2011-12-27 Feedback type multistep network attack intelligent detection method and feedback type multistep network attack intelligent detection device

Publications (2)

Publication Number Publication Date
CN102638445A (en) 2012-08-15
CN102638445B (en) 2015-03-25

Family

ID=46622691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110445161.8A Active CN102638445B (en) 2011-12-27 2011-12-27 Feedback type multistep network attack intelligent detection method and feedback type multistep network attack intelligent detection device

Country Status (1)

Country Link
CN (1) CN102638445B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9900338B2 (en) 2016-02-09 2018-02-20 International Business Machines Corporation Forecasting and classifying cyber-attacks using neural embeddings based on pattern of life data
US9860268B2 (en) 2016-02-09 2018-01-02 International Business Machines Corporation Detecting and predicting cyber-attack phases in data processing environment regions
US10230751B2 (en) 2016-02-09 2019-03-12 International Business Machines Corporation Forecasting and classifying cyber attacks using neural embeddings migration
US9906551B2 (en) 2016-02-09 2018-02-27 International Business Machines Corporation Forecasting and classifying cyber-attacks using crossover neural embeddings
US9866580B2 (en) 2016-02-09 2018-01-09 International Business Machines Corporation Forecasting and classifying cyber-attacks using neural embeddings
US10015189B2 (en) 2016-02-09 2018-07-03 International Business Machine Corporation Detecting and predicting cyber-attack phases in adjacent data processing environment regions
US9948666B2 (en) 2016-02-09 2018-04-17 International Business Machines Corporation Forecasting and classifying cyber-attacks using analytical data based neural embeddings

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553293A (en) * 2003-12-19 2004-12-08 华中科技大学 Cooperative invading testing system based on distributed data dig
CN1588880A (en) * 2004-10-15 2005-03-02 华中科技大学 Network safety warning system based on cluster and relavance
CN101562537A (en) * 2009-05-19 2009-10-21 华中科技大学 Distributed self-optimized intrusion detection alarm associated system
US20100007489A1 (en) * 2008-07-10 2010-01-14 Janardan Misra Adaptive learning for enterprise threat managment
US7937480B2 (en) * 2005-06-02 2011-05-03 Mcafee, Inc. Aggregation of reputation data

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580157A (en) * 2014-12-14 2015-04-29 中国航天科工集团第二研究院七〇六所 Intelligent strategy validity verifying method based on dynamic message building technology
CN104580157B (en) * 2014-12-14 2017-12-12 中国航天科工集团第二研究院七〇六所 A kind of tactful validity intelligent verification method based on dynamic construction message technology
WO2017152877A1 (en) * 2016-03-11 2017-09-14 中兴通讯股份有限公司 Network threat event evaluation method and apparatus
CN106685954A (en) * 2016-12-27 2017-05-17 北京神州绿盟信息安全科技股份有限公司 Method and device for scanning plug-in and determining rule scheduling sequence in plug-in
CN106685954B (en) * 2016-12-27 2019-11-15 北京神州绿盟信息安全科技股份有限公司 A kind of plug-in unit scans, determines the method and device of rule-based scheduling sequence in plug-in unit
CN107483448A (en) * 2017-08-24 2017-12-15 中国科学院信息工程研究所 A kind of network security detection method and detecting system
CN114172709A (en) * 2021-11-30 2022-03-11 中汽创智科技有限公司 Network multi-step attack detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN102638445B (en) 2015-03-25

Similar Documents

Publication Publication Date Title
CN102638445B (en) Feedback type multistep network attack intelligent detection method and feedback type multistep network attack intelligent detection device
CN105191257B (en) Method and apparatus for detecting multistage event
EP3528463A1 (en) An artificial intelligence cyber security analyst
CN106341414A (en) Bayesian network-based multi-step attack security situation assessment method
Mohammed et al. Intrusion detection system based on SVM for WLAN
KR102091076B1 (en) Intelligent security control system and method using mixed map alert analysis and non-supervised learning based abnormal behavior detection method
CN104899513B (en) A kind of datagram detection method of industrial control system malicious data attack
CN106888205A (en) A kind of non-intrusion type is based on the PLC method for detecting abnormality of power consumption analysis
Tianfield Cyber security situational awareness
Fillatre et al. A statistical method for detecting cyber/physical attacks on SCADA systems
CN102768638A (en) Software behavior credibility detecting method based on state transition diagram
CN106209829A (en) A kind of network security management system based on warning strategies
KR102426627B1 (en) Apparatus and method for monitoring marine debris
Hong et al. Towards accurate and efficient classification of power system contingencies and cyber-attacks using recurrent neural networks
Qiu et al. Time-frequency based cyber security defense of wide-area control system for fast frequency reserve
CN115237717A (en) Micro-service abnormity detection method and system
KR101444250B1 (en) System for monitoring access to personal information and method therefor
Khadidos et al. Integrating industrial appliances for security enhancement in data point using SCADA networks with learning algorithm
CN113645215A (en) Method, device, equipment and storage medium for detecting abnormal network traffic data
Wang et al. Stealthy attack detection method based on Multi-feature long short-term memory prediction model
Hu et al. Reinforcement learning-based adaptive feature boosting for smart grid intrusion detection
Salazar et al. Monitoring approaches for security and safety analysis: application to a load position system
CN103067200B (en) A kind of intermingle density effect simulation method and system
König et al. Parametrization of Probabilistic Risk Models
K V et al. Accurate and reliable detection of DDoS attacks based on ARIMA-SWGARCH model

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant