[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN118157970B - Suricata rule similarity calculation method based on editing distance - Google Patents

Suricata rule similarity calculation method based on editing distance Download PDF

Info

Publication number
CN118157970B
CN118157970B CN202410341694.9A CN202410341694A CN118157970B CN 118157970 B CN118157970 B CN 118157970B CN 202410341694 A CN202410341694 A CN 202410341694A CN 118157970 B CN118157970 B CN 118157970B
Authority
CN
China
Prior art keywords
rule
distance
character
rules
suricata
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410341694.9A
Other languages
Chinese (zh)
Other versions
CN118157970A (en
Inventor
马陈城
饶金龙
朱涛
宋晓斌
黄天纵
刘磊
朱怀东
杨资集
张俊
陈国春
俞仁涵
吴吉胜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
UNIT 61660 OF PLA
Original Assignee
UNIT 61660 OF PLA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by UNIT 61660 OF PLA filed Critical UNIT 61660 OF PLA
Priority to CN202410341694.9A priority Critical patent/CN118157970B/en
Publication of CN118157970A publication Critical patent/CN118157970A/en
Application granted granted Critical
Publication of CN118157970B publication Critical patent/CN118157970B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a suricata rule similarity calculation method based on editing distance, belonging to the technical field of network security. In order to solve the problem of low efficiency of manual screening repetition rules, the invention provides a more accurate, simpler, more convenient and more efficient similar rule deduplication automatic processing scheme through LD similarity detection, and improves suricata engine detection efficiency, which is helpful for reducing adverse effects of redundant rules on suricata engine performance, thereby improving network flow detection efficiency.

Description

Suricata rule similarity calculation method based on editing distance
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a suricata rule similarity calculation method based on editing distance.
Background
With the continuous development of internet technology, we are in an era of rapid evolution of network technology. This evolution is not only an improvement in hardware and transmission speed, but also includes a revolution in the broader network ecosystem. The introduction of the 5G technology is a milestone event, which brings unprecedented high-speed, low-delay and high-capacity communication capability to us, thereby promoting the arrival of the universal interconnection era.
With the popularization of the internet of everything, the daily life and the working mode of the user are greatly changed. Applications such as smart home, smart city, industrial internet of things are becoming reality, which connect various devices and systems to the internet to achieve more efficient, convenient and intelligent functions. However, this also presents a new set of challenges, especially network security issues.
Update iteration of network security technology has become an important issue in today's internet domain.
Suricata is a free, open source, mature, fast, robust cyber threat detection engine. It can be used for real-time Intrusion Detection (IDS), inline Intrusion Prevention (IPS), network Security Monitoring (NSM) and offline pcap processing. Suricata use powerful and extensive rules and signature languages to examine network traffic and provide powerful Lua script support to detect complex threats. In the prior art, a large number of repeated rules exist in a suricata rule file, and the defects of omission, single work, long time consumption, low efficiency and the like exist mainly due to manual duplicate removal.
Under the current technology suricata, the method is used for detecting network traffic by users, mainly uses a rule-based detection scheme, and has the problems that a large number of similar rules exist between rules, so that the suricata detection engine is provided with a performance level obstacle.
A large number of repeated similar rules exist in one rule file, repeated and similar rules are needed to be screened and removed manually, the complexity of manual work is greatly increased, the efficiency is low, the feasibility of long-term lasting operation is avoided, and the problems of easy missing and deleting and the like are easily caused.
Rule management, performance efficiency, and network traffic size are key issues in the area of network security:
1. challenges of rule management:
Rule management is the basis for network security policies, but often becomes inconvenient in complex network environments. Conventional firewall and intrusion detection systems typically rely on manually configured rules, which can become very cumbersome and error-prone.
The technology is developed: automated rule management tools and policy-based security management systems are continually evolving to help network administrators manage rules more efficiently and reduce the risk of human error.
2. Problem of performance efficiency:
Network security solutions must maintain good performance while ensuring security. Low performance may lead to network delays, affect the user experience, and even provide opportunities for attackers.
The influence of a large number of repetition rules is that the detection efficiency is low.
Disclosure of Invention
First, the technical problem to be solved
The invention aims to solve the technical problems that: a suricata rule similarity calculation method based on editing distance is designed, and the problem of low efficiency of manual screening repeated rules is solved.
(II) technical scheme
In order to solve the technical problems, the invention provides a suricata rule similarity calculation method based on editing distance, which comprises the following steps:
step1, adding new rules into a web rule management and editing tool, and executing the next step after the rules pass suricata rule verification;
wherein, suricata rule check is performed on the newly added rule based on the following legal rule:
alert http $HOME_NET any ->$EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
The meaning of this rule is: acquiring an http get request from a client to a server, and detecting whether a rule word exists in url of the request; the rule adopts a fast matching mode fast_pattern, the rule classification is unknown bad-unkown, the rule ID is 123, and when 1 data packet matching the rule is received, the alarm corresponding to the rule is triggered to generate rev 1.
Step 2, generalizing the new rule, and removing data fields which do not need to participate in editing distance comparison in the new rule to obtain a new rule;
In step 2, rule ID and the number of received packets in the newly added rule are removed.
Step 3, obtaining all the existing original rules from the rule file, and generalizing each rule;
Step 4, performing one-to-one cyclic traversal LD calculation on the new rule and the generalized original rule according to an edit distance LD calculation method, calculating similarity according to the LD, when the similarity is larger than a set similarity threshold, considering the current new rule and the original rule as similar rules, recording the similar rules in an array, and returning the similar rules recorded in the array to the web page after the LD calculation is finished on all the generalized new rules and the generalized original rules;
and step 5, outputting the array to a user for the user to select to delete or keep the similar rule.
Preferably, in step S4, LD is calculated by the following method:
The edit distance of the two character strings a, b is expressed as lev a,b (|a|, |b|), where |a| and |b| correspond to the lengths of a, b, respectively, and then the edit distance of the two character strings a, b is described in the following mathematical language:
In the above formula, lev a,b (i, j) is defined as the distance between the first i characters in a and the first j characters in b, where i, j is taken as the length of a, b, where the first character index of the string starts from 1, so the last edit distance is the distance when i= |a|, j= |b|: lev a,b (|a|, |b|);
When min (i, j) =0, corresponding to the first i characters in the character string a and the first j characters in the character string b, wherein i, j has a value of 0, which indicates that one of the character strings a and b is an empty string, then the conversion from a to b only needs max (i, j) times of single character editing operation, so that the editing distance between the characters is max (i, j), namely the largest one of i, j;
when min (i, j) noteq0, lev a,b (i, j) is the minimum of the following three cases:
1) Lev a,b (i-1, j) +1, which represents the i-th character a i of the deleted string a,
2) Lev a,b (i, j-1) +1, representing the j-th character b of the inserted string b j
3) Lev a,b(i-1,j-1)+1(ai≠bj), representing substitution b j
Wherein 1 (ai≠bj) is an indicator function, which indicates that 0 is taken when a i=bj; when a i≠bj, its value is 1.
Preferably, in step S4, LD is calculated using the following matrix method:
Initializing a matrix d to be a matrix of m+1 rows and n+1 columns, and setting all elements to be 0, wherein m and n are the lengths of the character strings s1 and s2 respectively;
setting the first column to 0..m;
setting the first row to 0..n;
Traversing all characters of strings s1 and s2
If the current character is the same, i.e., s1[ i-1] = s2[ j-1], then d [ i ] [ j ] = d [ i-1] [ j-1], i.e., the current distance is unchanged, and if the current character is different, the current distance is set to be the minimum value in the left, upper and upper left elements plus 1: d [ i ] [ j ] =min (d [ i-1] [ j ] +1, d [ i ] [ j-1] +1, d [ i-1] [ j-1] +1);
d [ m ] [ n ] is the edit distance of two character strings.
Preferably, in step 4, the formula for calculating the similarity is similarity=1-distance/max (len (s 1), len (s 2)), wherein distance is the edit distance of two character strings s1, s2, len (s 1), and len (s 2) represents the length of the character strings s1, s 2.
Preferably, the similarity threshold is adjusted according to the actual situation.
The invention also provides a system for implementing the method.
The invention also provides a network flow detection method based on the method.
The invention also provides a network flow detection system realized based on the method.
The invention also provides application of the suricata similar rule deduplication method in the technical field of network security.
The invention also provides application of the network flow detection method in the technical field of network security.
(III) beneficial effects
The invention provides a suricata rule similarity calculation method based on edit distance, which is a suricata similarity rule deduplication method based on edit distance, provides a more accurate, simpler, more convenient and more efficient similarity rule deduplication automatic processing scheme through LD similarity detection, improves suricata engine detection efficiency, and is helpful for reducing adverse effects of redundant rules on suricata engine performance, thereby improving network flow detection efficiency.
Drawings
FIG. 1 is a schematic diagram of a general architecture for implementing the concepts of the present invention;
FIG. 2 is a flow chart of the method of the present invention;
fig. 3 is a flowchart of calculating LD using a matrix method according to the present invention.
Detailed Description
To make the objects, contents and advantages of the present invention more apparent, the following detailed description of the present invention will be given with reference to the accompanying drawings and examples.
The invention provides a suricata rule similarity calculation method based on edit distance aiming at actual network security requirements, and aims to optimize suricata rule management. The focus is mainly on processing rules with higher similarity, which helps to reduce adverse effects of redundant rules on suricata engine performance, so as to improve efficiency of network traffic detection. In general, the invention is expected to improve the performance of suricata engines and reduce the security risk of network traffic through more intelligent and efficient rule management. The invention is helpful to meet the ever-increasing network security demands and improve the usability and security of the network.
Edit distance (LEVENSHTEIN DISTANCE, LD) similarity detection refers to determining the similarity of two strings or texts by calculating their edit distance. The edit distance refers to the minimum number of editing operations required to convert one character string into another, and the allowed editing operations include replacing one character with another, inserting one character, and deleting one character. The smaller the edit distance, the more similar the two strings or text.
The calculation method of LD is given first as follows:
The edit distance LEVENSHTEIN DISTANCE of the two strings a, b is denoted lev a,b (|a|, |b|), where |a| and |b| correspond to the lengths of a, b, respectively. Then, LEVENSHTEIN DISTANCE of the two strings a, b, i.e., lev a,b (|a|, |b|) can be described in the following mathematical language:
In the above formula, lev a,b (i, j) is defined as the distance between the first i characters in a and the first j characters in b. For ease of understanding, i, j may be considered herein as the length of a, b. Here, the first character index of the string starts from 1 (actually because 0 is added before the string when the string is operated on the table), so the last edit distance is i= |a|, j= |b|). lev a,b (|a|, |b|)
When min (i, j) =0, i, j has a value of 0 corresponding to the first i characters in the character string a and the first j characters in the character string b, and one of the character strings a and b is a null string, then the conversion from a to b only needs to be performed for max (i, j) times of single character editing operations, so that the editing distance between the characters is max (i, j), namely the largest one of i, j.
When min (i, j) noteq0, lev a,b (i, j) is the minimum of the following three cases:
Lev a,b (i-1, j) +1, representing the i-th character a i of the deleted string a,
Lev a,b (i, j-1) +1, representing the j-th character b of the inserted string b j
Lev a,b(i-1,j-1)+1(ai≠bj), representing substitution b j
Wherein 1 (ai≠bj) is an indication function, which indicates that 0 is taken when a i=bj, and 1 is taken when a i≠bj.
Referring to fig. 1 and 2, the method for removing duplicate according to suricata similar rules based on editing distance, which is realized based on the above formula, comprises the following steps:
and 1, adding new rules into the web rule management and editing tool by a user, and performing the next similarity function verification after the rules pass suricata rule verification.
Wherein, suricata rule check is performed on the newly added rule based on the following legal rule:
alert http $HOME_NET any ->$EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
The meaning of this rule is: acquiring an http get request from a client to a server, and detecting whether a rule word exists in url of the request; the rule adopts a fast_pattern, the rule classification is unknown (bad-unkown), the rule ID is 123, and when 1 data packet matching the rule is received, the alarm generation (rev: 1) corresponding to the rule is triggered.
Step 2, generalizing the new rule, and removing data (sid, rev, metadata) fields which do not need to participate in editing distance comparison in the new rule to obtain a new rule as follows:
alert http $HOME_NET any ->$EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown;)
The rule has the same meaning as the rule above. Only when the editing distance is calculated, some useless elements in the rule need to be deleted, so that errors caused by affecting similarity calculation are avoided. In this rule, the rule ID and the number of received packets are deleted.
And step 3, obtaining all the existing original rules from the rule file, and generalizing each rule.
And 4, performing one-to-one cycle traversal LD calculation on the new rule and the generalized original rule according to the LD calculation method, calculating the similarity according to the LD, considering the current new rule and the original rule as similar rules when the similarity is greater than 0.9 (or a set threshold), recording the similar rules in an array, continuously performing LD calculation on the generalized new rule and the generalized original rule in sequence until the LD calculation is finished with all the rules, and returning the similar rules recorded in the array to the web page.
And step 5, outputting the array to a user for the user to select to delete or keep the similar rule.
For easier calculation, in step S4, LD (refer to fig. 3) may also be calculated using the following matrix method:
Initializing matrix d to be a matrix of m+1 rows n+1 columns, with all elements being 0 (m and n being the lengths of strings s1 and s2, respectively)
Setting the first column to 0m (i from 1 to m)
Setting the first row to 0..n (j from 1 to n)
Traversing all characters of strings s1 and s2
If the current character is the same (s 1[ i-1] = s2[ j-1 ]), then d [ i ] = d [ i-1] [ j-1], i.e., the current distance is unchanged
If different, the current distance is the minimum of the left, upper left elements plus 1:
d[i][j]= min(d[i-1][j]+1, d[i][j-1]+1, d[i-1][j-1]+1)
finally d [ m ] [ n ] is the editing distance of two character strings
For example, for the strings "kitten" and "sitting":
m = 6, n = 7
Initializing d:
[
[0, 1, 2, 3, 4, 5, 6],
[1, 0, 0, 0, 0, 0, 0],
[2, 0, 0, 0, 0, 0, 0],
[3, 0, 0, 0, 0, 0, 0],
[4, 0, 0, 0, 0, 0, 0],
[5, 0, 0, 0, 0, 0, 0],
[6, 0, 0, 0, 0, 0, 0]
]
The first column is set as [0, 1,2,3,4, 5, 6]
Setting the first behavior [0,1, 2, 3, 4, 5, 6, 7]
Compare each character:
kvs. different, d [1] [1] =min (1, 1, 0) +1=1
I vs i is the same, d [2] [2] =d1 ] =1
T vs t is the same, d [3] [3] =d2 ] =2 ] =1
...
The final distance is d [6] [7] =3
The edit distance of "kitten" and "sitting" is 3.
In step 4, the formula for calculating the similarity is similarity=1-distance/max (len (s 1), len (s 2)), wherein len (s 1), len (s 2) represents the lengths of the character strings s1, s2, and the similarity is obtained by subtracting the difference from 1 using the edit distance divided by the maximum length of the two character strings as a difference measure. Substituting the calculation results of the above example can obtain: similarity=1-3/max (6, 7), with a final similarity result equal to about 0.57. The similarity threshold is adjusted according to actual conditions.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (10)

1. A suricata rule similarity calculation method based on editing distance is characterized by comprising the following steps:
step1, adding new rules into a web rule management and editing tool, and executing the next step after the rules pass suricata rule verification;
wherein, suricata rule check is performed on the newly added rule based on the following legal rule:
alert http $HOME_NET any -> $EXTERNAL_NET any, msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;
the meaning of this rule is: acquiring an http get request from a client to a server, and detecting whether a rule word exists in url of the request; the rule adopts a fast matching mode fast_pattern, the rule classification is unknown bad-unkown, the rule ID is 123, and when 1 data packet matching the rule is received, the alarm corresponding to the rule is triggered to generate rev 1;
step 2, generalizing the new rule, and removing data fields which do not need to participate in editing distance comparison in the new rule to obtain a new rule;
In the step 2, removing rule ID and the number of received packets in the newly added rule;
step 3, obtaining all the existing original rules from the rule file, and generalizing each rule;
Step 4, performing one-to-one cyclic traversal LD calculation on the new rule and the generalized original rule according to an edit distance LD calculation method, calculating similarity according to the LD, when the similarity is larger than a set similarity threshold, considering the current new rule and the original rule as similar rules, recording the similar rules in an array, and returning the similar rules recorded in the array to the web page after the LD calculation is finished on all the generalized new rules and the generalized original rules;
and step 5, outputting the array to a user for the user to select to delete or keep the similar rule.
2. The method of claim 1, wherein in step S4, LD is calculated by:
The edit distance of the two character strings a, b is expressed as lev a,b (|a|, |b|), where |a| and |b| correspond to the lengths of a, b, respectively, and then the edit distance of the two character strings a, b is described by the following formula:
In the formula, lev a,b (i, j) is defined as the distance between the first i characters in a and the first j characters in b, where i, j is taken as the length of a, b, where the first character index of the string starts from 1, so the last edit distance is the distance when i= |a|, j= |b|: lev a,b (|a|, |b|);
When min (i, j) =0, corresponding to the first i characters in the character string a and the first j characters in the character string b, i, j has a value of 0, which indicates that one of the character strings a and b is an empty string, then the conversion from a to b is performed only max (i, j) times of single character editing operation, so that the editing distance between them is max (i, j), i.e., the largest one of i, j;
when min (i, j) noteq0, lev a,b (i, j) is the minimum of the following three cases:
1) Lev a,b (i-1, j) +1, which represents the i-th character a i of the deleted string a,
2) Lev a,b (i, j-1) +1, representing the j-th character b of the inserted string b j
3) Lev a,b(i-1,j-1)+1(ai≠bj), representing substitution b j
Wherein 1 (ai≠bj) is an indicator function, which indicates that 0 is taken when a i=bj; when a i≠bj, its value is 1.
3. The method of claim 1, wherein in step S4, LD is calculated using a matrix method as follows:
Initializing a matrix d to be a matrix of m+1 rows and n+1 columns, and setting all elements to be 0, wherein m and n are the lengths of the character strings s1 and s2 respectively;
setting the first column to 0..m;
setting the first row to 0..n;
Traversing all characters of strings s1 and s2
If the current character is the same, i.e., s1[ i-1] = s2[ j-1], then d [ i ] [ j ] = d [ i-1] [ j-1], i.e., the current distance is unchanged, and if the current character is different, the current distance is set to be the minimum value in the left, upper and upper left elements plus 1: d [ i ] [ j ] =min (d [ i-1] [ j ] +1, d [ i ] [ j-1] +1, d [ i-1] [ j-1] +1);
d [ m ] [ n ] is the edit distance of two character strings.
4. The method according to claim 2 or 3, wherein in step 4, the formula for calculating the similarity is similarity=1-distance/max (len (s 1), len (s 2)), wherein distance is an edit distance of two character strings s1, s2, len (s 1), len (s 2) represents a length of the character strings s1, s2.
5. The method of claim 1, wherein the similarity threshold is adjusted based on actual conditions.
6. A system for implementing the method of any one of claims 1 to 5.
7. A network traffic detection method implemented on the basis of the method of any one of claims 1 to 5.
8. A network traffic detection system implemented on the basis of the method of any one of claims 1 to 5.
9. Use of the method according to any one of claims 1 to 5 in the field of network security technology.
10. Use of the method according to claim 7 in the field of network security technology.
CN202410341694.9A 2024-03-25 2024-03-25 Suricata rule similarity calculation method based on editing distance Active CN118157970B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410341694.9A CN118157970B (en) 2024-03-25 2024-03-25 Suricata rule similarity calculation method based on editing distance

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410341694.9A CN118157970B (en) 2024-03-25 2024-03-25 Suricata rule similarity calculation method based on editing distance

Publications (2)

Publication Number Publication Date
CN118157970A CN118157970A (en) 2024-06-07
CN118157970B true CN118157970B (en) 2024-09-27

Family

ID=91292540

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410341694.9A Active CN118157970B (en) 2024-03-25 2024-03-25 Suricata rule similarity calculation method based on editing distance

Country Status (1)

Country Link
CN (1) CN118157970B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117464A (en) * 2018-03-02 2019-01-01 南京邮电大学 A kind of data similarity detection method based on editing distance
CN114401197A (en) * 2021-12-29 2022-04-26 南方电网数字电网研究院有限公司 Network security analysis method based on edge calculation

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4287053A3 (en) * 2018-06-28 2024-01-31 CrowdStrike, Inc. Analysis of malware
EP3935781A4 (en) * 2019-03-05 2022-11-09 Red Piranha Limited NETWORK DATA TRAFFIC IDENTIFICATION

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117464A (en) * 2018-03-02 2019-01-01 南京邮电大学 A kind of data similarity detection method based on editing distance
CN114401197A (en) * 2021-12-29 2022-04-26 南方电网数字电网研究院有限公司 Network security analysis method based on edge calculation

Also Published As

Publication number Publication date
CN118157970A (en) 2024-06-07

Similar Documents

Publication Publication Date Title
EP3796176B1 (en) Fault root cause analysis method and apparatus
CN112131882A (en) Multi-source heterogeneous network security knowledge graph construction method and device
CN112149135B (en) Method and device for evaluating security vulnerabilities and computer-readable storage medium
CN107657174B (en) Database intrusion detection method based on protocol fingerprint
CN112989348B (en) Attack detection method, model training method, device, server and storage medium
US10528731B1 (en) Detecting malicious program code using similarity of hashed parsed trees
CN115396147B (en) An APT detection method integrating cloud network logs and threat knowledge
CN107666468B (en) Network security detection method and device
CN113709189B (en) Method and system for generating detection rule base, electronic equipment and storage medium
WO2018231424A1 (en) Content-level anomaly detector for systems with limited memory
CN111581057B (en) General log analysis method, terminal device and storage medium
US11601339B2 (en) Methods and systems for creating multi-dimensional baselines from network conversations using sequence prediction models
JI et al. Log anomaly detection through gpt-2 for large scale systems
CN115587007A (en) Robertta-based weblog security detection method and system
CN118157970B (en) Suricata rule similarity calculation method based on editing distance
CN116302089B (en) Picture similarity-based code clone detection method, system and storage medium
WO2016173327A1 (en) Method and device for detecting website attack
CN112968906B (en) Modbus TCP abnormal communication detection method and system based on multi-tuple
CN118034989B (en) A log dependency graph construction method, electronic device and storage medium
CN117171800B (en) Sensitive data identification method and device based on zero trust protection system
Cheng et al. Attention mechanism-based vulnerability detection method for graph neural network source code
CN119341809A (en) Network security detection method, device, equipment and medium based on data processing unit
CN118555110A (en) Attack detection and tracing method, device, electronic device and storage medium
Nam et al. Log‐TF‐IDF and NETCONF‐Based Network Switch Anomaly Detection
CN119272277A (en) APT detection method based on semantic enhancement and attention mechanism

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant