
CN112261006B - Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors - Google Patents

Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors

Info

Publication number
CN112261006B
CN112261006B
Authority
CN
China
Prior art keywords
behavior
beh
behaviors
attack
dep
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011034651.4A
Other languages
Chinese (zh)
Other versions
CN112261006A (en)
Inventor
李成梁
李兴国
苗功勋
路冰
孙宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD
Nanjing Zhongfu Information Technology Co Ltd
Zhongfu Information Co Ltd
Zhongfu Safety Technology Co Ltd
Original Assignee
BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD
Nanjing Zhongfu Information Technology Co Ltd
Zhongfu Information Co Ltd
Zhongfu Safety Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING ZHONGFU TAIHE TECHNOLOGY DEVELOPMENT CO LTD, Nanjing Zhongfu Information Technology Co Ltd, Zhongfu Information Co Ltd, Zhongfu Safety Technology Co Ltd
Priority to CN202011034651.4A
Publication of CN112261006A
Application granted
Publication of CN112261006B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a mining method, a terminal and a storage medium for discovering dependency relationships among threat behaviors. Log files of all users a in a system are collected, and the data in the log files are cleaned and sorted to form an employee behavior set $S = \{beh_{ai}\}$; the time span $w_t$ of the set S is counted; based on S and $w_t$, the behavior occurrence probability $P(beh_{ai})$ and the behavior co-occurrence probability $P(beh_{ai}, beh_{aj})$ are computed; a dependency value $dep_{ai,aj}$ is calculated from the two probabilities, where $dep_{ai,aj}$ reflects the degree to which behavior $beh_{ai}$ depends on behavior $beh_{aj}$; an attack dependency matrix M is constructed from all $dep_{ai,aj}$, reflecting the dependency relationship between every pair of behaviors of one employee; and an attack behavior path $path_{ag \to ak}$ is derived from M, representing a complete, most likely series of attack actions. The invention finds the potential relationships among staff behaviors and quantifies the dependencies. From the dependency values an enterprise can quickly find the two most closely related behaviors and issue early warnings for threatening behaviors according to a preset danger threshold, so as to prevent attacks from internal threats.

Description

Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors
Technical Field
The invention relates to the technical field of data security, in particular to a mining method, a terminal and a storage medium for discovering dependency relationship among threat behaviors.
Background
Internal threats are generally understood as malicious activities that compromise a system, carried out by employees or former employees who are dissatisfied with a business, organization or institution. The attacker gains access to the enterprise system or network, finds the weak points of the system's defenses by probing its structure and operating state, and attacks them. Internal threats take many forms, such as intruding into a system with program tools such as trojans, worms and viruses; stealing confidential data inside the enterprise; modifying, deleting or destroying critical corporate data; and stealing the identity information of employees within a company. Any of these actions can cause a loss to an enterprise, organization or institution that is hard to control.
In traditional information security, the main attack and defense concepts are vulnerability scanning, denial of service and the like, and an attack matrix can show the types and modes of attack behaviors well. The attack matrices known at present are MITRE ATT&CK and the attack hypothesis matrix. MITRE ATT&CK can also be described as a knowledge base of attacker tactics: the matrix represents the tactics used by an attacker and the corresponding techniques within each tactic. The attack hypothesis matrix represents the attacker's movements and the expected effects of the attack; an attack hypothesis model is shown in Table 1.
TABLE 1 an MCPS attack matrix
(Table 1 appears on the page only as images BDA0002704815430000011 and BDA0002704815430000021 and is not reproduced as text.)
With the arrival of big data, attack behaviors are no longer isolated actions: thousands of connections exist among them, and the traditional attack matrix has difficulty identifying and quantifying these relationships. When one threat is identified, the countermeasures taken against it may in turn trigger another attack behavior related to that threat, causing damage to the computer that is hard to estimate.
Disclosure of Invention
In order to overcome the defects in the prior art, the invention provides a mining method for discovering dependency relationship among threat behaviors, which comprises the following steps:
step one, collecting the log files of all users in the system, where the log files reflect the behavior operations of a user a; cleaning and sorting the data in the log files to form an employee behavior set $S = \{beh_{ai}\}$, where $beh_{ai}$ represents the i-th behavior of the a-th employee;
step two, counting the time span $w_t$ of the set S;
step three, based on S and $w_t$, computing the behavior occurrence probability $P(beh_{ai})$ and the behavior co-occurrence probability $P(beh_{ai}, beh_{aj})$;
step four, calculating a dependency value $dep_{ai,aj}$ from the two probabilities, where $dep_{ai,aj}$ reflects the degree to which behavior $beh_{ai}$ depends on behavior $beh_{aj}$;
step five, constructing an attack dependency matrix M from all $dep_{ai,aj}$, where M reflects the dependency relationship between every pair of behaviors of an employee;
and deriving an attack behavior path $path_{ag \to ak}$ from M, where $path_{ag \to ak}$ represents a complete, most likely series of attack actions.
Further, it should be noted that in step one the various behavior logs of the user a are collected, and a behavior data structure Behavior is constructed from the information in the logs.
The data structure Behavior comprises at least the following fields: a behavior number b_id identifying the behavior uniquely; a source host name host_name and a source IP address host_ip describing the initiator of the behavior; a description describing the details of the behavior; and a time t describing when the behavior occurred.
It should be further noted that collecting the various behavior logs of the user a includes collecting the instructions entered by the employee, the software executed, the program operations the system executed in response to the employee's instructions, and the employee's identity information.
It should be further noted that in step two the earliest start time $t_{earliest}$ and the latest start time $t_{latest}$ appearing in the data structure Behavior are determined, and the period $(t_{latest} - t_{earliest})$ is divided into cntwindow time spans $w_t$ of equal length.
It should be further noted that, in step three,
the occurrence probability of the i-th behavior of user a, over the total number of behaviors and the total time, is counted as:
(formula image BDA0002704815430000031, not reproduced as text)
where the function $cntall(w_t)$ counts the total number of time windows, the function $sum(s, z)$ counts the number of occurrences of the variable s under the constraint z, and $beh_a$ represents all behaviors of user a;
the co-occurrence probability of the i-th and j-th behaviors of user a, over the total number of behaviors and the total time, is counted as:
(formula image BDA0002704815430000032, not reproduced as text)
where the function $sumd(s, l, z)$ counts the number of times s and l occur together under the constraint z; when $t > s$, $sumd(s, l, t) = s$, and when $t \le s$, $cntdouble(s, l, t) = t$.
It should be further noted that, in step four, for user a, the degree to which an occurring behavior $beh_{ai}$ depends on behavior $beh_{aj}$ can be calculated by the following formula:
(formula image BDA0002704815430000041, not reproduced as text)
where $dep_{ai,aj} \in (-1, 1)$ and $dep_{ai,aj} = -dep_{aj,ai}$; a larger $|dep_{ai,aj}|$ indicates a lower degree of dependence of behavior $beh_{ai}$ on behavior $beh_{aj}$, i.e. once $beh_{aj}$ has occurred, $beh_{ai}$ is essentially impossible;
when the value is 0, behavior $beh_{ai}$ depends completely on behavior $beh_{aj}$.
It should be further noted that, in step five,
for user a, any two behaviors $beh_{ai}$ and $beh_{aj}$ it performs compose the attack matrix M as follows:
(formula image BDA0002704815430000042, not reproduced as text)
where $i, j \in [1, n]$;
a dependency threshold vector $\lambda^T = (\lambda_1, \lambda_2, \ldots, \lambda_n)$ is set;
an index traversal is performed on M, and whenever $\lambda_i \le dep_{ai,aj}$, $dep_{ai,aj}$ is taken out to form an attack path $path_{ag \to ak}$, $g, k \in [1, n]$;
all attack paths $path_{ag \to ak}$ in the matrix M that satisfy $\lambda^T$ are output.
The present invention also provides a terminal comprising a wireless communication module, an audio and video output module, a user input module, a sensing module, a storage medium, an interface module, a processor and a power supply module;
the storage medium is used for storing a computer program and a mining method for discovering dependency relationship among threat behaviors;
the processor is used for executing the computer program and the mining method for discovering the dependency relationship among the threat behaviors so as to realize the steps of the mining method for discovering the dependency relationship among the threat behaviors.
The present invention also provides a storage medium having a mining method for discovering dependencies between threat behaviors, the storage medium being adapted to store a computer program for execution by a processor to implement the steps of the mining method for discovering dependencies between threat behaviors.
According to the technical scheme, the invention has the following advantages:
the invention finds out the potential dependency among the staff behaviors and quantifies the dependency. Enterprises can quickly find out two behaviors with the closest relationship through the dependency relationship numerical values, and early warning is carried out on the threatening behaviors according to a preset danger threshold value, so that the enterprises are prevented from being attacked by threats from the inside.
Based on the attack dependency matrix among behaviors, the invention mines the distribution of staff behaviors. The existing attack matrix can only enumerate the types and threats of attack behaviors; the invention extends the attack matrix by placing the dependency relationships between behaviors into it, so that an enterprise can directly find the two most closely related behaviors in a system and handle them together, which improves the enterprise's incident response capability.
The method of generating paths from attack behaviors mines and monitors the behavior dynamics of staff in real time. The paths show the trend and the sequence of one or a series of attack behaviors, so an enterprise can monitor employee behavior in real time, discover in time the precursor behaviors that readily lead to threatening behaviors, and stop them.
Detailed Description
The described features, structures, or characteristics of the mining method for discovering dependencies between threat behaviors to which the present invention relates may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. However, those skilled in the art will appreciate that the present invention may be practiced without several of the details of the described embodiments, and that the various embodiments may be practiced by other methods, apparatus, steps, etc. that are known to those of skill in the art. Accordingly, the following description does not show or describe well-known methods, apparatus, implementations or operations in detail, to avoid obscuring aspects of the invention.
The invention provides a mining method for discovering dependency relationship among threat behaviors, and aims to mine the dependency relationship among the behaviors.
S11, collecting the log files of all users in the system, where the log files reflect the behavior operations of a user a; cleaning and sorting the data in the log files to form an employee behavior set $S = \{beh_{ai}\}$, where $beh_{ai}$ represents the i-th behavior of the a-th employee;
S12, counting the time span $w_t$ of the set S;
S13, based on S and $w_t$, computing the behavior occurrence probability $P(beh_{ai})$ and the behavior co-occurrence probability $P(beh_{ai}, beh_{aj})$;
S14, calculating a dependency value $dep_{ai,aj}$ from the two probabilities, where $dep_{ai,aj}$ reflects the degree to which behavior $beh_{ai}$ depends on behavior $beh_{aj}$;
S15, constructing an attack dependency matrix M from all $dep_{ai,aj}$, where M reflects the dependency relationship between every pair of behaviors of an employee;
and deriving an attack behavior path $path_{ag \to ak}$ from M, where $path_{ag \to ak}$ represents a complete, most likely series of attack actions.
Those of ordinary skill in the art will appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. The method mainly comprises the following implementation steps:
Acquiring the behaviors. The various behavior logs of the user a are collected, and a behavior data structure Behavior is constructed from the information in the logs. A log should state when and where an employee performed what operation on the system; therefore, so that the subsequent design can be carried out, the data structure Behavior comprises at least the following fields: a behavior number b_id identifying the behavior uniquely; a source host name host_name and a source IP address host_ip describing the initiator of the behavior; a description describing the details of the behavior; and a time t describing when the behavior occurred. User a may be an internal employee of the enterprise, a visitor using the system, and so on.
The above data is the basis for the subsequent analysis of the dependency relationship between the behaviors.
Table 2 behavioral data structure Behavior example
(Table 2 appears on the page only as image BDA0002704815430000071 and is not reproduced as text.)
The earliest start time $t_{earliest}$ and the latest start time $t_{latest}$ appearing in Behavior are determined, and the period $(t_{latest} - t_{earliest})$ is divided into cntwindow time windows $w_t$ of equal length.
The occurrence probability of the i-th behavior of user a, over the total number of behaviors and the total time, is counted as:
(formula image BDA0002704815430000072, not reproduced as text)
where the function $cntall(w_t)$ counts the total number of time windows, the function $sum(s, z)$ counts the number of occurrences of the variable s under the constraint z, and $beh_a$ represents all behaviors of user a.
The co-occurrence probability of the i-th and j-th behaviors of user a, over the total number of behaviors and the total time, is counted as:
(formula image BDA0002704815430000081, not reproduced as text)
where the function $sumd(s, l, z)$ counts the number of times s and l occur together under the constraint z; when $t > s$, $sumd(s, l, t) = s$, and when $t \le s$, $cntdouble(s, l, t) = t$.
For user a, the degree to which a behavior $beh_{ai}$ it performs depends on behavior $beh_{aj}$ can be calculated by the following formula:
(formula image BDA0002704815430000082, not reproduced as text)
where $dep_{ai,aj} \in (-1, 1)$ and $dep_{ai,aj} = -dep_{aj,ai}$; a larger $|dep_{ai,aj}|$ indicates a lower degree of dependence of behavior $beh_{ai}$ on behavior $beh_{aj}$, i.e. once $beh_{aj}$ has occurred, $beh_{ai}$ is essentially impossible. When the value is 0, behavior $beh_{ai}$ depends completely on behavior $beh_{aj}$.
For user a, any two behaviors $beh_{ai}$ and $beh_{aj}$ it performs compose the attack matrix M as follows:
(formula image BDA0002704815430000091, not reproduced as text)
where $i, j \in [1, n]$.
In order to reduce the influence that differences in the magnitude of behavior occurrence counts have on the result, a dependency threshold vector $\lambda^T = (\lambda_1, \lambda_2, \ldots, \lambda_n)$ is set. An index traversal is performed on M, and whenever $\lambda_i \le dep_{ai,aj}$, $dep_{ai,aj}$ is taken out to form an attack path $path_{ag \to ak}$, $g, k \in [1, n]$.
All attack paths $path_{ag \to ak}$ in the matrix M that satisfy $\lambda^T$ are output.
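The five steps above (the same steps appear in the Summary and in claim 1), as an added worked example that is not part of the patent and not the patentee's code. The page shows the formulas of steps three and four only as images, so the probability and dependency formulas in the code are assumptions, chosen to satisfy the two properties the text does state: $dep_{ai,aj} \in (-1, 1)$ and $dep_{ai,aj} = -dep_{aj,ai}$. With the assumed formula $dep_{ai,aj} = P(beh_{aj} \mid beh_{ai}) - P(beh_{ai} \mid beh_{aj})$, a positive value means $beh_{ai}$ is rarely seen without $beh_{aj}$, so the threshold test $\lambda_i \le dep_{ai,aj}$ keeps the pairs in which i depends on j; whether this matches the sign convention of the page's own formula cannot be checked against an image. The log format, host name, address, behavior labels and timestamps are constructed; the field names follow the Behavior structure of Table 2.

```python
# Added example, not the patentee's code: the five-step procedure run on
# constructed logs.  The page's formulas are images; the forms below are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations

@dataclass(frozen=True)
class Behavior:
    b_id: int           # field names as in the page's Behavior structure
    host_name: str
    host_ip: str
    description: str    # the behaviour label used as beh_ai
    t: datetime

# Constructed sample log for one user a, format "<time>|<host>|<ip>|<behaviour>".
SAMPLE_LOG = """\
2020-09-01T08:00:00|ws-17|10.0.0.17|login
2020-09-01T08:05:00|ws-17|10.0.0.17|mount_usb
2020-09-01T08:06:00|ws-17|10.0.0.17|copy_confidential
2020-09-01T12:00:00|ws-17|10.0.0.17|login
2020-09-01T12:10:00|ws-17|10.0.0.17|mount_usb
2020-09-01T12:11:00|ws-17|10.0.0.17|copy_confidential
2020-09-01T16:00:00|ws-17|10.0.0.17|login
2020-09-01T16:30:00|ws-17|10.0.0.17|read_mail
2020-09-01T16:40:00|ws-17|10.0.0.17|mount_usb
2020-09-01T20:00:00|ws-17|10.0.0.17|mount_usb
2020-09-01T20:02:00|ws-17|10.0.0.17|copy_confidential
"""

def parse_log(text):
    """Step one: clean raw log lines into the behaviour set S of one user."""
    records = []
    for n, line in enumerate(l for l in text.splitlines() if l.strip()):
        ts, host, ip, desc = line.split("|")
        records.append(Behavior(n, host, ip, desc, datetime.fromisoformat(ts)))
    return records

def window_index(records, cntwindow):
    """Step two: split [t_earliest, t_latest] into cntwindow equal spans w_t and
    record which behaviours occur in each span."""
    t0 = min(r.t for r in records)
    width = (max(r.t for r in records) - t0) / cntwindow
    seen = defaultdict(set)
    for r in records:
        k = 0 if width == timedelta(0) else int((r.t - t0) / width)
        seen[min(k, cntwindow - 1)].add(r.description)  # t_latest closes the last window
    return seen

def probabilities(seen, cntwindow):
    """Step three (assumed form): P(beh_ai) = windows containing i / all windows,
    P(beh_ai, beh_aj) = windows containing both / all windows."""
    single, pair = defaultdict(int), defaultdict(int)
    for behs in seen.values():
        for b in behs:
            single[b] += 1
        for b1, b2 in combinations(sorted(behs), 2):
            pair[(b1, b2)] += 1
            pair[(b2, b1)] += 1
    p1 = {b: c / cntwindow for b, c in single.items()}
    p2 = {k: c / cntwindow for k, c in pair.items()}
    return p1, p2

def dependency(p1, p2, i, j):
    """Step four (assumed formula): dep_{ai,aj} = P(beh_aj | beh_ai) - P(beh_ai | beh_aj).
    Positive when i is rarely seen without j (i depends on j); antisymmetric, in (-1, 1)."""
    pij = p2.get((i, j), 0.0)
    return pij / p1[i] - pij / p1[j]

def mine(text, cntwindow, lam):
    """Steps one to five; lam is the threshold vector (lambda_1, ..., lambda_n), one per row.
    Returns (behaviour names, dependency matrix M, attack paths)."""
    seen = window_index(parse_log(text), cntwindow)
    p1, p2 = probabilities(seen, cntwindow)
    names = sorted(p1)
    n = len(names)
    M = [[0.0 if i == j else dependency(p1, p2, names[i], names[j]) for j in range(n)]
         for i in range(n)]
    # Step five: entries with lambda_i <= dep_{ai,aj} become directed edges i -> j,
    # which are chained into maximal simple paths path_{ag -> ak}.
    edges = {i: [j for j in range(n) if j != i and lam[i] <= M[i][j]] for i in range(n)}
    paths = []

    def walk(path):
        nxt = [j for j in edges[path[-1]] if j not in path]
        if not nxt:
            if len(path) > 1:
                paths.append(tuple(names[k] for k in path))
            return
        for j in nxt:
            walk(path + [j])
    for g in range(n):
        walk([g])
    return names, M, paths

if __name__ == "__main__":
    names, M, paths = mine(SAMPLE_LOG, cntwindow=4, lam=[0.2] * 4)
    print(*(" -> ".join(p) for p in paths), sep="\n")  # 4 paths on the sample log
```

On the sample log the module prints four paths, among them read_mail -> login -> mount_usb and copy_confidential -> mount_usb; under the assumed formula a path reads as a chain of dependencies (copy_confidential is never seen without mount_usb), which is the kind of precursor relationship the page wants to surface. Two things a practitioner will run into on real logs: the behavior label has to come from normalising the free-text description field, and equal-width windows over a long span put a whole burst of activity into one window and inflate every co-occurrence inside it, so cntwindow has to be chosen relative to the typical session length; four windows over twelve hours is used here only to keep the arithmetic visible.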
The mining method for discovering dependency relationships among threat behaviors disclosed by the invention is based on extending the attack matrix with dependency relationships, on the design of attack paths, and on the potential relationships among the behaviors of enterprise employees; the idea is clear, easy to understand and easy to implement. A certain correlation exists among unstructured behavior data: the dependency relationship discovers and quantifies that correlation, and the attack matrix gives the behavior data structure. Mining behavior dependencies in this way lets an enterprise better grasp the behavior dynamics of internal employees, assess the risk of the internal threat implied by each behavior, and keep enterprise systems running safely, reliably and continuously.
Specifically, the advantages of the present invention can be divided into the following three aspects:
the method for calculating the dependency relationship among the behaviors excavates the behavior properties of the staff. The invention finds out the potential relation among the staff behaviors and quantifies the dependency relationship. Enterprises can quickly find out two behaviors with the closest relationship through the dependency relationship numerical values, and early warning is carried out on the threatening behaviors according to a preset danger threshold value, so that the enterprises are prevented from being attacked by threats from the inside.
According to the invention, based on the attack dependency matrix among behaviors, the distribution condition of the behavior of the staff is excavated. The existing attack matrix can only count the types and threats of the attack behaviors, the invention expands the attack matrix and puts the dependency relationship between the behaviors into the attack matrix, so that an enterprise can directly find out two behaviors with the closest relationship in a system, and the two behaviors are uniformly processed at the moment, thereby improving the event response capability of the enterprise.
The method for generating the path based on the attack behavior excavates and monitors the behavior dynamics of the staff in real time. The paths show the trend and the sequence relation of one or a series of attack behaviors, and enterprises can monitor the behaviors of employees in real time, find precursor behaviors which are easy to cause threat behaviors in time and stop the behaviors.
In summary, the present invention uses co-occurrence frequency and conditional probability to identify dependencies between internal behaviors. The dependency relationship is one of the association relationships in association analysis, and the purpose of the dependency relationship is to search a causal item set or object set in various information carriers such as transaction data and relationship data. The dependency relationship can find out the connection among a large number of data objects, and visually describe the rule and the mode of some attributes in one thing appearing at the same time.
The invention is inspired by the existing attack matrix model, and expands the effect of the attack matrix, so that the attack matrix can not only represent the type and threat of the attack, but also measure the dependency relationship between two potential threat behaviors. Therefore, the method and the system are based on the internal behaviors of the enterprise, the dependency relationship between the behaviors is mined, the dependency degree between the two behaviors is quantified by using a conditional probability formula, and the occurrence sequence between the internal behaviors is identified. And then mapping the value of the dependency relationship between every two behaviors to an attack dependency matrix, and through the matrix, the enterprise can directly find two internal behaviors with the most dense relationship. And finally, performing path search on the attack dependency matrix to obtain a plurality of attack paths, wherein the paths show the causal relationship among one or a series of attack behaviors.
The invention also provides a terminal based on the method, comprising a wireless communication module, an audio and video output module, a user input module, a sensing module, a storage medium, an interface module, a processor and a power supply module;
the storage medium is used for storing a computer program and a mining method for discovering dependency relationship among threat behaviors;
the processor is used for executing the computer program and the mining method for discovering the dependency relationship among the threat behaviors so as to realize the steps of the mining method for discovering the dependency relationship among the threat behaviors.
Based on the above method, the present invention further provides a storage medium having a mining method for discovering dependency relationships among threat behaviors, wherein the storage medium stores a computer program, and the computer program is executed by a processor to implement the steps of the mining method for discovering dependency relationships among threat behaviors.
The terminal of the present invention may include a mobile terminal such as a mobile phone, a smart phone, a notebook computer, a Digital broadcast receiver, a Personal Digital Assistant (PDA), a tablet computer (PAD), etc., and a fixed terminal such as a Digital TV, a desktop computer, etc. It will be understood by those skilled in the art that the configuration according to the embodiment of the present invention can be applied to a fixed type terminal in addition to elements particularly used for moving purposes.
The terminals implementing the mining method for discovering dependencies between threat behaviors are the exemplary elements and algorithm steps described in connection with the embodiments disclosed herein, and can be implemented in electronic hardware, computer software, or a combination of both, the components and steps of the examples having been generally described in terms of functionality in the foregoing description for clarity of illustration of interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Through the above description of the embodiments, those skilled in the art will readily understand that the terminal implementing the mining method for discovering dependencies between threat behaviors described herein may be implemented by software, or by software in combination with the necessary hardware. Therefore, the technical solution according to the embodiment of the disclosure for implementing the mining method may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a portable hard disk or the like) or on a network, and which includes several instructions that cause a computing device (which may be a personal computer, a server, a mobile terminal, a network device or the like) to execute the method according to the embodiment of the disclosure.
A terminal implementing a mining method for discovering dependencies between threat behaviors may write program code for performing the operations of the present disclosure in any combination of one or more programming languages, including an object oriented programming language such as Java, C + +, or the like, as well as conventional procedural programming languages, such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In situations involving remote computing devices, the remote computing devices may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external computing devices (e.g., through the internet using an internet service provider).
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A mining method for discovering dependency relationships among threat behaviors, the method comprising:
step one, collecting log files of all users a in the system, wherein the log files reflect the behavior operations of the users a, cleaning and sorting data in the log files to form an employee behavior set S (beh)aiRepresents the ith behavior of the a-th employee;
step two, counting the time span w in the set St
Step three, based on S and wtStatistical behavior occurrence probability P (beh)ai) Probability of co-occurrence with behavior P (beh)ai,behaj);
Counting the occurrence probability of the ith behavior made by the user a on the total behavior amount and the total time amount:
Figure FDA0003681320570000011
wherein the function cntall (w)t) Indicating counting the total number of time windows, the function sum (s, z) indicating counting the number of occurrences of the variable s under the constraint z, behaRepresents all actions by user a;
counting the occurrence probability of the i-th and j-th behaviors made by the user a on the total behavior amount and the total time amount:
Figure FDA0003681320570000012
wherein, the function sumd (s, l, z) represents counting the number of times s and l commonly occur under the limiting condition z, and when t > s, sumd (s, l, t) ═ s; when t is less than or equal to s, the cnt double (s, l, t) is t;
step four, calculating a dependency relationship value dep based on two probabilitiesai,aj,depai,ajReflect the action behaiTo act behajThe degree of dependence of (c);
for user a, the behavior beh that it occursaiPair behavior behajThe degree of dependence of (c) can be calculated by the following formula:
Figure FDA0003681320570000021
wherein depai,aj∈(-1,1),depai,aj=-depaj,ai,|depai,ajGreater | indicates behavior behaiTo act behajIs dependent on the programThe lower the degree;
when the value is 0, action beh is indicatedaiIs completely dependent on action behaj
step five, constructing an attack dependency matrix M from all dep_ai,aj, where M reflects the dependency relationship between every pair of behaviors of one employee;
deriving an attack behavior path path_ag→ak from M, where path_ag→ak represents a complete series of attack actions that is most likely to occur;
for user a, any two behaviors beh_ai and beh_aj that it performs compose the attack matrix M as follows:
[Formula image FDA0003681320570000022; the expression is not reproduced in the text]
wherein i, j ∈ [1, n];
setting a dependency threshold vector λ^T = (λ1, λ2, ..., λn);
performing an index traversal of M, and when λ_i ≤ dep_ai,aj, taking out dep_ai,aj to compose the attack path path_ag→ak, with g, k ∈ [1, n];
outputting from matrix M all attack paths path_ag→ak that satisfy the thresholds specified by λ^T.
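A worked run of the pipeline in claim 1 (claim 4's windowing, the per-window counts, the dependency matrix M and the λ threshold traversal), written here as an added example rather than code from the patent. The page's formulas for P and dep are images whose expressions are not in the text, so the normalisation by total behaviour count and the dep function below are labelled stand-ins, and the log records are constructed.

```python
from collections import Counter
from itertools import product

# Constructed behaviour log for one user a: (behaviour, timestamp in seconds).
# The values are made up for this example and are not data from the patent.
LOGS_A = [("login", 0), ("copy", 5), ("login", 10), ("upload", 12),
          ("copy", 21), ("upload", 23), ("login", 30), ("upload", 31)]

def split_windows(logs, cnt_window):
    """Claim 4: split [t_earliest, t_latest] into cnt_window spans w_t of equal
    length; each window keeps a Counter of the behaviours that fell into it."""
    times = [t for _, t in logs]
    t_earliest, t_latest = min(times), max(times)
    width = (t_latest - t_earliest) / cnt_window
    wins = [Counter() for _ in range(cnt_window)]
    for beh, t in logs:
        # t_latest would index one past the end; clamp it into the last window
        wins[min(int((t - t_earliest) / width), cnt_window - 1)][beh] += 1
    return wins

def probabilities(wins):
    """Step three. sum(s, z): occurrences of s across all windows. sumd(s, l, z):
    per window the joint count is min(count_s, count_l), as the claim's case
    split states. Dividing by the total behaviour count is an assumption here,
    since the page's formula is an image."""
    total = sum(sum(w.values()) for w in wins)
    behs = sorted({b for w in wins for b in w})
    P = {b: sum(w[b] for w in wins) / total for b in behs}
    Pco = {(s, l): sum(min(w[s], w[l]) for w in wins) / total
           for s, l in product(behs, repeat=2) if s != l}
    return behs, P, Pco

def dep_stand_in(P, Pco, i, j):
    """Stand-in for the claim's dep formula (an image on the page). It keeps the
    stated properties: value in (-1, 1), dep(i,j) = -dep(j,i), 0 when symmetric."""
    return Pco[(i, j)] / P[i] - Pco[(i, j)] / P[j]

def build_matrix(behs, P, Pco, dep=dep_stand_in):
    """Step five: M[i][j] = dep_ai,aj for every ordered pair, 0 on the diagonal."""
    return [[0.0 if i == j else dep(P, Pco, i, j) for j in behs] for i in behs]

def attack_edges(behs, M, lam):
    """Index traversal of M: keep dep_ai,aj when lambda_i <= dep_ai,aj. The kept
    (beh_ag, beh_ak, dep) triples are the edges that compose path_ag->ak."""
    n = len(behs)
    return [(behs[g], behs[k], M[g][k]) for g in range(n)
            for k in range(n) if g != k and lam[g] <= M[g][k]]
```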
2. The mining method for discovering dependency relationships between threat behaviors as claimed in claim 1, wherein
various behavior logs of a user a are collected, and a behavior data structure Behavior is constructed from the information in the logs;
the behavior data structure Behavior comprises at least the following fields: a behavior number b_id identifying the behavior uniquely, a source host name host_name and a source ip address host_ip describing the behavior initiator, a description describing the details of the behavior, and t describing the time at which the behavior occurred.
3. The mining method for discovering dependency relationships between threat behaviors as claimed in claim 2, wherein
collecting the various behavior logs of user a comprises: collecting the employee's input instruction information, the executed software information, the program operation information executed by the system according to the employee's input instruction information, and the employee's identity information.
4. The mining method for discovering dependency relationships between threat behaviors as claimed in claim 1, wherein
in step two, the earliest start time t_earliest and the latest start time t_latest appearing in the data structure Behavior are determined, and the period (t_latest - t_earliest) is divided into cnt_window time spans w_t of equal length.
5. A terminal, comprising: a wireless communication module, an audio and video output module, a user input module, a sensing module, a storage medium, an interface module, a processor and a power supply module;
the storage medium is used for storing a computer program and the mining method for discovering dependency relationships between threat behaviors;
the processor is used for executing the computer program and the mining method for discovering dependency relationships between threat behaviors, so as to implement the steps of the mining method for discovering dependency relationships between threat behaviors as claimed in any one of claims 1 to 4.
6. A storage medium carrying a mining method for discovering dependency relationships between threat behaviors, the storage medium having a computer program stored thereon, the computer program being executed by a processor to implement the steps of the mining method for discovering dependency relationships between threat behaviors as claimed in any one of claims 1 to 4.
CN202011034651.4A 2020-09-27 2020-09-27 Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors Active CN112261006B (en)
Publications (2)

Publication Number Publication Date
CN112261006A CN112261006A (en) 2021-01-22
CN112261006B true CN112261006B (en) 2022-07-19
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant