CN108429714A - A kind of portrait method and system for Security Object based on vector mark - Google Patents


Info

Publication number: CN108429714A
Authority: CN (China)
Prior art keywords: label, metadata, group, main body, behavior
Legal status: Granted
Application number: CN201710009636.6A
Other languages: Chinese (zh)
Other versions: CN108429714B (en)
Inventors: 肖新光, 关墨辰, 李林哲, 童志明
Current assignee: Harbin Antiy Technology Co Ltd
Original assignee: Harbin Antiy Technology Co Ltd
Priority date: 2017-01-06
Filing date: 2017-01-06
Publication date: 2018-08-21 (CN108429714A), 2021-10-15 (CN108429714B)

Events
Application filed by Harbin Antiy Technology Co Ltd
Priority to CN201710009636.6A
Publication of CN108429714A
Application granted
Publication of CN108429714B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a portrait (profiling) method and system for security objects based on vector annotation, comprising: analyzing a data source and extracting metadata; performing vector extraction on the metadata according to preset rules and denoting each extracted vector with a label; mapping the labels marked on the metadata onto subjects, objects and behaviors, and performing statistical counting over the set of labelled metadata; discovering strong associations between labels from the counting results, and then dividing the subjects, objects and behaviors corresponding to those labels into groups; and generating description information for each group from the group division result and the strongly associated labels. Here, metadata means the descriptive features that characterize the data source. The technical solution of the invention gives users a perceptible system for extracting and profiling threat vectors.

Description

Vector annotation based portrait method and system for secure object
Technical field
The present invention relates to the technical field of network security, and more particularly to a portrait (profiling) method and system for security objects based on vector annotation.
Background technology
At present, the core of group-portrait (crowd-profiling) technology is to locate the characteristics of a crowd and thereby mine potential user groups; it lets media websites, advertisers, enterprises and advertising companies fully recognize the distinguishing features of a subscriber group, and helps clients find marketing opportunities, directions of operation and so on. No application of it to security objects such as assets and threats has yet been found, so applying it in the field of network security is a new attempt.
Summary of the invention
In view of the above technical problem, the technical solution of the invention uses the idea of group portraits to provide users with a label-marking method for perceptible threat vectors, so that strongly correlated events can be found in massive data sources.
The invention is realized by the following method: a portrait method for security objects based on vector annotation, comprising:
analyzing a data source and extracting metadata;
performing vector extraction on the metadata according to preset rules, and denoting each extracted vector with a label;
mapping the labels marked on the metadata onto subjects, objects and behaviors, and performing statistical counting over the set of labelled metadata;
discovering strong associations between labels from the counting results, and then dividing the subjects, objects and behaviors corresponding to those labels into groups;
generating description information for each group from the group division result and the strongly associated labels;
where metadata means the descriptive features that characterize the data source.
Further, the data source includes: binary files, network message sequences, and dynamic API monitoring results.
Further, the preset rules include: vendor rules and user-defined rules.
Further, the method also includes: each piece of metadata may be marked with one or more labels.
Further, the method also includes: the group division result, as a new subject, object or behavior, becomes the basis of statistical counting again.
The invention may be realized by the following system: a portrait system for security objects based on vector annotation, comprising:
a metadata extraction module, for analyzing a data source and extracting metadata;
a vector analysis module, for performing vector extraction on the metadata according to preset rules and denoting each extracted vector with a label;
a statistical analysis module, for mapping the labels marked on the metadata onto subjects, objects and behaviors, and performing statistical counting over the set of labelled metadata;
a group division module, for discovering strong associations between labels from the output of the statistical analysis module, and then dividing the subjects, objects and behaviors corresponding to those labels into groups;
a state description module, for generating description information for each group from the group division result and the strongly associated labels;
where metadata means the descriptive features that characterize the data source.
Further, the data source includes: binary files, network message sequences, and dynamic API monitoring results.
Further, the preset rules include: vendor rules and user-defined rules.
Further, the system also includes: each piece of metadata may be marked with one or more labels.
Further, the system also includes: the group division result is fed back into the statistical analysis module as a new subject, object or behavior.
In summary, the invention provides a portrait method and system for security objects based on vector annotation. A data source is analyzed to extract metadata; the vectors corresponding to the metadata are extracted according to preset rules and can be denoted and displayed with labels; the set of labelled metadata is analyzed statistically, the strong associations between labels are found, and the division into groups is finally completed. The technical solution of the invention gives users a label-marking method for perceptible threat vectors, and thereby finds strongly correlated events in massive data sources.
Description of the drawings
In order to explain the technical solution of the invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some of the embodiments described in the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the portrait method for security objects based on vector annotation provided by the invention;
Fig. 2 is a structure diagram of an embodiment of the portrait system for security objects based on vector annotation provided by the invention.
Specific implementation
The invention gives an embodiment of a portrait method and system for security objects based on vector annotation. So that those skilled in the art can better understand the technical solution in the embodiments of the invention, and so that the above purposes, features and advantages of the invention become clearer and easier to understand, the technical solution of the invention is described in further detail below with reference to the drawings.
The invention first provides an embodiment of a portrait method for security objects based on vector annotation, as shown in Fig. 1, comprising:
S101: Analyze the data source and extract metadata. The data source includes but is not limited to: binary files, network message sequences, dynamic API monitoring results, and so on. Metadata means the descriptive features that characterize the data source; for example, for the analysis of a network message sequence, the extracted metadata includes five-tuple information such as source IP and destination IP.
The metadata extracted from a binary file may specifically include: the potential capabilities of the binary executable, network access information such as IP addresses, domain names and URLs that can be extracted from the binary file, digital signature information, and so on.
S102: Perform vector extraction on the metadata according to preset rules, and denote each extracted vector with a label. The preset rules include vendor rules and user-defined rules. Each piece of metadata may be marked with one or more labels. For any given label, a piece of metadata is either marked or not marked; there is no intermediate state.
A vector in the sense of the invention is equivalent to any combination of multiple quantities, and each label corresponds to a rule that generates one kind of vector. Vendor rules include, but are not limited to: weak password, carries vulnerable software, has been attacked by a threat, and so on. User-defined rules must be generated according to the user, and may include, but are not limited to: whether the initiator or the target of a connection is a critical asset, and so on.
S103: Map the labels marked on the metadata onto subjects, objects and behaviors, and perform statistical counting over the set of labelled metadata.
Mapping the labels marked on the metadata onto subjects, objects and behaviors: each piece of metadata itself expresses or implies its corresponding subject, object and behavior. For example, for each piece of metadata of a network message sequence, the source IP and the destination IP are two subjects; for an HTTP file download, the two ends of the transfer are the two subjects, the transferred file itself is the object, and the HTTP download action is the behavior; for a single file detached from its context, the file itself is the subject. The labels marked on the metadata are attached to the subject, object or behavior. For a single piece of metadata, the subject, object and behavior information is generally already determined in S101; at the same time, this information can also be obtained from the result of group division (portraiting).
For example: vector extraction is performed on the metadata according to vendor rules and labels are marked, and the labels marked on the metadata are mapped onto subjects, objects and behaviors; the final result may then appear as: the subject has a weak password; the object carries vulnerable software; or two subjects transfer software that carries a vulnerability, and so on.
Performing statistical counting over the set of labelled metadata specifically means: by the identifier of the subject (such as an IP address), of the object (such as an MD5) and of the behavior (such as an HTTP download), separately calculate the set of labels associated with it and the count of each element of that set. The concrete means of implementation may be based on statistical methods or on a neural network; for example, for each IP address, the full set of labels of that IP address and the quantity of each label are computed. If computed by a statistical method, this is direct statistical counting; if computed by a neural network, the strength of each corresponding neuron connection is computed.
S104: Based on the statistical counting results, discover strong associations between labels, and then divide the subjects, objects and behaviors corresponding to those labels into groups. Specifically, by traversing the computed statistical results, or through neural-network activation, the strong associations between labels and between a label and the labels it relates to are found, and the subjects, objects and behaviors corresponding to the labels are divided into groups. The group division result is described and supported by its associated labels.
For example: if it is found that multiple subjects establish a large number of connections to one subject, and the connections carry behavior labels such as "no data transmission", it can be determined that a DDoS attack behavior has been found. The DDoS attack behavior is part of the portrait of the behavior; the fact that these subjects are currently being controlled as DDoS clients becomes part of the portrait of these subjects.
S105: Generate description information for each group from the group division result and the strongly associated labels.
S106: The result after group division, as a new subject, object or behavior, becomes the basis of statistical counting again.
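The following is an added worked example, not code from the patent or from Antiy: a toy Python implementation of steps S101 to S106 (it also covers the equivalent system modules of Fig. 2 and claims 1 to 10) run over a constructed set of network-flow metadata records. The records, the two asset inventories that stand in for a vendor rule feed and a user-defined rule, the label names, the plain co-occurrence count used as the measure of "strong association", and the `min_sources` threshold for the many-subjects-to-one-subject, no-data-transfer connection pattern are all assumptions made for illustration.

```python
# Added example (not from the patent or from Antiy): a toy implementation of
# steps S101-S106 over constructed network-flow metadata. Rule names, label
# names, inventories and the threshold are assumptions made for illustration.
from collections import Counter, defaultdict
from itertools import combinations

# S101: constructed metadata of a network message sequence. Each record holds
# five-tuple-style features of one flow plus the bytes carried after setup.
FLOWS = [
    {"src": "10.0.0.1", "dst": "10.0.9.9", "dport": 80, "bytes": 0},
    {"src": "10.0.0.2", "dst": "10.0.9.9", "dport": 80, "bytes": 0},
    {"src": "10.0.0.3", "dst": "10.0.9.9", "dport": 80, "bytes": 0},
    {"src": "10.0.0.4", "dst": "10.0.9.9", "dport": 80, "bytes": 0},
    {"src": "10.0.0.1", "dst": "10.0.9.9", "dport": 80, "bytes": 0},
    {"src": "10.0.0.7", "dst": "10.0.5.5", "dport": 22, "bytes": 4096},
    {"src": "10.0.0.8", "dst": "10.0.5.5", "dport": 22, "bytes": 1200},
]

# Hypothetical inventories feeding one vendor rule and one user-defined rule.
WEAK_PASSWORD_HOSTS = {"10.0.5.5"}   # vendor rule input
CRITICAL_ASSETS = {"10.0.9.9"}       # user-defined rule input


def behavior_id(m):
    """For a flow, the two IPs are subjects and the connection is the behavior."""
    return (m["src"], m["dst"], m["dport"])


# S102: preset rules. Each rule maps a record to the entity (kind, id) its label
# is attached to, or to None when the record is not marked by that rule.
RULES = {
    # vendor rules
    "initiates_connection": lambda m: ("subject", m["src"]),
    "receives_connection": lambda m: ("subject", m["dst"]),
    "no_data_transfer": lambda m: ("behavior", behavior_id(m)) if m["bytes"] == 0 else None,
    "weak_password": lambda m: ("subject", m["dst"]) if m["dst"] in WEAK_PASSWORD_HOSTS else None,
    # user-defined rule
    "critical_asset": lambda m: ("subject", m["dst"]) if m["dst"] in CRITICAL_ASSETS else None,
}


def label_metadata(flows, rules=RULES):
    """S102/S103: mark each record with every rule that fires and count, per
    subject or behavior, the set of its labels and how often each occurred."""
    counts = defaultdict(Counter)
    for m in flows:
        for label, target in rules.items():
            entity = target(m)
            if entity is not None:
                counts[entity][label] += 1
    return counts


def label_associations(counts, kind="subject"):
    """S104, first part: number of entities of one kind carrying both labels of
    a pair (a co-occurrence count standing in for 'strong association')."""
    co = Counter()
    for (k, _), labels in counts.items():
        if k == kind:
            for a, b in combinations(sorted(labels), 2):
                co[(a, b)] += 1
    return co


def divide_groups(counts, min_sources=3):
    """S104, second part: many subjects open connections to one subject and
    those connections carry no data. The threshold is an assumption."""
    silent_sources = defaultdict(set)
    for (kind, ident), labels in counts.items():
        if kind == "behavior" and "no_data_transfer" in labels:
            src, dst, _ = ident
            silent_sources[dst].add(src)
    groups = {}
    for dst, srcs in silent_sources.items():
        if len(srcs) < min_sources:
            continue
        # each group is described and supported by the labels of its members
        groups[f"ddos_target:{dst}"] = {
            "members": {dst},
            "labels": set(counts[("subject", dst)]) | {"no_data_transfer"},
        }
        groups[f"ddos_clients:{dst}"] = {
            "members": set(srcs),
            "labels": set().union(*(counts[("subject", s)] for s in srcs)) | {"no_data_transfer"},
        }
    return groups


def describe_groups(groups):
    """S105: one description line per group from its members and labels."""
    return {name: f"{len(g['members'])} member(s); supporting labels: {', '.join(sorted(g['labels']))}"
            for name, g in groups.items()}


def feed_back(counts, groups):
    """S106: each group becomes a new label on its members, so the next
    counting round treats e.g. 'ddos_clients' like any other label."""
    for name, g in groups.items():
        role = name.split(":", 1)[0]
        for member in g["members"]:
            counts[("subject", member)][role] += 1
    return counts


def profile(flows, min_sources=3):
    """Run S101-S106 once; return (counts after feedback, groups, descriptions)."""
    counts = label_metadata(flows)
    groups = divide_groups(counts, min_sources)
    descriptions = describe_groups(groups)
    feed_back(counts, groups)
    return counts, groups, descriptions


if __name__ == "__main__":
    counts, groups, descriptions = profile(FLOWS)
    for name, text in descriptions.items():
        print(name, "->", text)
    print(label_associations(counts).most_common(3))
```

Running the module prints one description line per group and the most frequent label pairs. Because S106 feeds the group result back as a label, the pair (ddos_clients, initiates_connection) then co-occurs on every client subject, which is the kind of association the next counting round would surface; a destination whose connections do carry data (10.0.5.5 in the sample) never forms such a group, however many sources reach it.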
A specific embodiment based on EDR is given below. Anomalous-behavior discovery in EDR requires modelling the behavior produced by a terminal (equivalent to a subject in the invention), and portraiting is exactly one kind of modelling. Through the label marking and group portraiting of the invention, the behavior labels that the normal group to which the terminal belongs should have can be recognized. For a terminal, the software running on it and the files carrying that software belong to the objects of the invention; the running of the software and the behaviors the software produces belong to the behaviors of the invention. The labels of the terminal's files (software) and the labels corresponding to the behaviors the terminal performs are associated with the terminal (subject) on different dimensions, finally forming the group description information. If an anomalous label is found on the terminal, the behavior marked by that label is responded to.
Secondly, the invention provides an embodiment of a portrait system for security objects based on vector annotation, as shown in Fig. 2, comprising:
a metadata extraction module 201, for analyzing a data source and extracting metadata;
a vector analysis module 202, for performing vector extraction on the metadata according to preset rules and denoting each extracted vector with a label;
a statistical analysis module 203, for mapping the labels marked on the metadata onto subjects, objects and behaviors, and performing statistical counting over the set of labelled metadata;
a group division module 204, for discovering strong associations between labels from the output of the statistical analysis module 203, and then dividing the subjects, objects and behaviors corresponding to those labels into groups;
a state description module 205, for generating description information for each group from the group division result and the strongly associated labels;
where metadata means the descriptive features that characterize the data source.
Preferably, the data source includes: binary files, network message sequences, and dynamic API monitoring results.
Preferably, the preset rules include: vendor rules and user-defined rules.
Preferably, the system also includes: each piece of metadata may be marked with one or more labels.
Preferably, the system also includes: the group division result is fed back into the statistical analysis module as a new subject, object or behavior.
The embodiments in this specification are described progressively; for the parts that are the same or similar between embodiments, refer to each other, and each embodiment focuses on what differs from the others. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively simple, and for related points refer to the corresponding explanation of the method embodiment.
As described above, the embodiments give a portrait method and system for security objects based on vector annotation, and apply group-portrait technology, previously used in fields such as advertising promotion, to the field of information security through innovative improvement. Massive data sources are analyzed to extract metadata; vector extraction is performed on the metadata according to vendor rules or other user-defined rules, and the corresponding vectors are denoted with labels; statistical counting is performed over the whole set of labelled metadata; strong associations between labels are found from the statistical results, and the division into groups is thereby completed; finally, description information for each group is generated from the group division result and the corresponding labels. The above embodiments realize a portrait description of security objects, and thereby present threat events to the user more intuitively and concretely.
The above embodiments illustrate and do not limit the technical solution of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention is intended to fall within the scope of the claims of the invention.

Claims (10)

1. A portrait method for security objects based on vector annotation, characterized in that it comprises:
analyzing a data source and extracting metadata;
performing vector extraction on the metadata according to preset rules, and denoting each extracted vector with a label;
mapping the labels marked on the metadata onto subjects, objects and behaviors, and performing statistical counting over the set of labelled metadata;
discovering strong associations between labels from the counting results, and then dividing the subjects, objects and behaviors corresponding to those labels into groups;
generating description information for each group from the group division result and the strongly associated labels;
where metadata means the descriptive features that characterize the data source.
2. The method according to claim 1, characterized in that the data source includes: binary files, network message sequences, and dynamic API monitoring results.
3. The method according to claim 1, characterized in that the preset rules include: vendor rules and user-defined rules.
4. The method according to claim 1, characterized in that it further includes: each piece of metadata may be marked with one or more labels.
5. The method according to claim 1, characterized in that it further includes: the group division result, as a new subject, object or behavior, becomes the basis of statistical counting again.
6. A portrait system for security objects based on vector annotation, characterized in that it comprises:
a metadata extraction module, for analyzing a data source and extracting metadata;
a vector analysis module, for performing vector extraction on the metadata according to preset rules and denoting each extracted vector with a label;
a statistical analysis module, for mapping the labels marked on the metadata onto subjects, objects and behaviors, and performing statistical counting over the set of labelled metadata;
a group division module, for discovering strong associations between labels from the output of the statistical analysis module, and then dividing the subjects, objects and behaviors corresponding to those labels into groups;
a state description module, for generating description information for each group from the group division result and the strongly associated labels;
where metadata means the descriptive features that characterize the data source.
7. The system according to claim 6, characterized in that the data source includes: binary files, network message sequences, and dynamic API monitoring results.
8. The system according to claim 6, characterized in that the preset rules include: vendor rules and user-defined rules.
9. The system according to claim 6, characterized in that it further includes: each piece of metadata may be marked with one or more labels.
10. The system according to claim 6, characterized in that it further includes: the group division result is fed back into the statistical analysis module as a new subject, object or behavior.
Priority application (also the application claiming priority and the only family application)

Application number: CN201710009636.6A
Priority date: 2017-01-06
Filing date: 2017-01-06
Title: Vector annotation based portrait method and system for secure object
Status: Active
Granted publication: CN108429714B (en)

Publications (2)

Publication Number Publication Date
CN108429714A (en) 2018-08-21
CN108429714B (en) 2021-10-15

Family ID: 63147190

Country Status (1)

Country Link
CN (1) CN108429714B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830483A (en) * 2019-11-13 2020-02-21 杭州安恒信息技术股份有限公司 Webpage log attack information detection method, system, equipment and readable storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120236950A1 (en) * 2011-03-15 2012-09-20 Kabushiki Kaisha Toshiba Information distribution system, information distribution apparatus, information communication terminal, and information distribution method
CN105869001A (en) * 2015-01-19 2016-08-17 苏宁云商集团股份有限公司 Customized product recommendation guiding method and system
CN105553999A (en) * 2015-12-23 2016-05-04 北京奇虎科技有限公司 Application program user behavior analysis and security control method and corresponding device
CN105787071A (en) * 2016-03-02 2016-07-20 浪潮通信信息***有限公司 Method for carrying out mobile phone user behavior portrait based on informationized label

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张宏鑫, 盛风帆 et al.: "基于移动终端日志数据的人群特征可视化" (Visualization of crowd characteristics based on mobile-terminal log data), 软件学报 (Journal of Software) *

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address before: 506 room 162, Hongqi Avenue, Nangang District, Harbin Development Zone, Heilongjiang, 150090
    Applicant before: Harbin Antiy Technology Co., Ltd.
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Applicant after: Harbin antiy Technology Group Limited by Share Ltd
CB02 Change of applicant information
    Address before: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.
    Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road)
    Applicant after: Antan Technology Group Co.,Ltd.
GR01 Patent grant