CN109743300A - Security incident automated handling method based on a heterogeneous-model policy library - Google Patents


Info

Publication number: CN109743300A
Authority: CN (China)
Prior art keywords: model, strategy, security incident, library, layer
Legal status: Pending
Application number: CN201811562239.2A
Other languages: Chinese (zh)
Inventors: 林建洪, 徐良, 蒋熠, 陈晓莉, 章亮, 马峰, 何晓明, 徐菁
Current assignee: Zhejiang Ponshine Information Technology Co Ltd
Original assignee: Zhejiang Ponshine Information Technology Co Ltd
Priority date: 2018-12-20
Filing date: 2018-12-20
Publication date: 2019-05-10
Application filed by Zhejiang Ponshine Information Technology Co Ltd; priority to CN201811562239.2A; published as CN109743300A; legal status pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a security incident automated handling method based on a heterogeneous-model policy library. It uses a three-layer heterogeneous model that supports both the loading of system-level policies and user-level policy settings, and at the same time introduces a machine learning algorithm: for security incidents such as website attacks and APT attacks, rules are refined with a GBDT model, normal and abnormal access features are analysed, the model is deployed and verified online, and attacks are identified accurately. In addition, the policy library supports layered reverse feedback: rules obtained by repeated learning in the algorithm-level policy layer are periodically added to the user-level policy layer as personalized policies, and attacker IPs identified by the algorithm-level policy layer are added to the system-level policy layer in real time. The layered reverse feedback mechanism of the heterogeneous-model policy library effectively improves the self-learning capability of the security incident handling rules, improves the accuracy and completeness of the policy library, and finally realizes automated handling of security incidents.

Description

Security incident automated handling method based on a heterogeneous-model policy library
Technical field
The present invention relates to the field of network security, and more particularly to a security incident automated handling method based on a heterogeneous-model policy library.
Background technique
As the network scale of telecommunications and Internet enterprises keeps expanding, multi-faceted network security threats and risks keep increasing. Threats composed of network intrusions, Internet worms, DDoS attacks and the like are growing in number and in the losses they cause, and attack behaviour is developing towards distribution, scale and complexity. Relying solely on single network security protection technologies such as firewalls, intrusion detection, anti-virus and access control systems can no longer meet the demands of network security. New technology is urgently needed to find anomalous events in the network in time, grasp the security situation in real time, and gradually shift from after-the-fact remediation and post-processing to automatic assessment and prediction beforehand and automated handling during the event, so as to reduce network security risk and improve the capability for intelligent control of network security.
Summary of the invention
The problem to be solved by the embodiments of the present invention is to provide a security incident automated handling method based on a heterogeneous-model policy library.
To solve the above problems, the technical solution provided by the embodiments of the present invention is as follows:
A security incident automated handling method based on a heterogeneous-model policy library comprises a handling policy library, a scheduling module and a handling module. The scheduling module comprises event scheduling and handling scheduling. Event scheduling receives security incidents and sends them to the handling policy library; the handling policy library judges the features of the security incident and then sends it to the handling scheduling module; the handling scheduling module sends it to the handling module according to the security incident type and the ownership of the managed asset; and the handling module issues the handling action and feeds back to the scheduling module;
The handling policy library is a three-layer heterogeneous-model policy library comprising a system policy layer, a user policy layer and an algorithm policy layer. The matching and handling priority, from high to low, is: the system policy layer is higher than the user policy layer, and the user policy layer is higher than the algorithm policy layer,
the system policy layer comprises special event IDs, IP blacklists and whitelists, and domain names;
the user policy layer comprises event type, event topic, source address and destination address;
the algorithm policy layer comprises thresholds, frequency, semantics, and the abnormal-behaviour features of suspected website attacks or suspected intruders.
Further, the system policy layer comprises the following steps:
S11: obtain normal samples and website-attack samples and pre-process the data. Normal samples are distinguished by whether they are security incidents: a normal sample is sample data of normal behaviour, while a website-attack sample in the present invention is a security incident. Pre-processing here refers to the basic concepts of data mining, including data cleaning, data integration, data reduction and transformation, and is a general method and process.
S12: perform feature statistics and analysis on the sample data. The analysis includes but is not limited to the following features: access URL length analysis, access duration analysis, access frequency analysis and access pattern analysis.
S13: build a classification model for identifying website attacks using GBDT;
S14: the classification model generates dynamic website-attack identification rules. The identification rules are output by the model according to the samples; different samples yield different rules, so they are not fixed rules.
S15: the rules generated by the classification model in step S14 are periodically pushed to the user policy layer as personalized policies for optional configuration;
S16: deploy the classification model online and analyse website access traffic. Deployment and going online here mean that the model is trained and built locally from the samples and then deployed in the actual production environment.
S17: identify suspected attacks;
S18: match the suspected attacker IP against business access IPs to confirm whether it is business access; if so, add the sample to the normal-access samples; if not, confirm it as a website attack;
S19: analyse the source and destination addresses of the website attack;
S20: classify the attack type as internal attack, external attack or lateral attack, add the samples confirmed as website attacks to the sample set used for training the website attack classification model, and trigger a new round of model learning and parameter adjustment. An internal attack here means that internal assets launch an attack against an external Internet system; an external attack means that an external system launches an attack against internal assets; a lateral attack means lateral penetration between different systems inside the internal assets.
S21: extract the attacker IP from the attack event and add it to the system policy layer blacklist.
Further, S13, building the classification model for identifying website attacks using GBDT, comprises the following steps:
S131: after statistical analysis, obtain the n-dimensional features corresponding to each IP, such as total number of accesses, access duration and number of websites accessed;
S132: standardize the features so that the values in each dimension are distributed between -1 and 1;
S133: train the first CART model $h_1(x)$ on the processed data and update the GBDT model to $f_1(x)=h_1(x)$. With the iteration count $T=t$ and $f_{t-1}(x)$ known, the prediction of the model after the previous iteration is $y_{t-1}=f_{t-1}(x)$; compute the error $(y-y_{t-1})$ between the prediction and the true value, use $(y-y_{t-1})$ as the target to train the $t$-th CART model $h_t(x)$, and update the GBDT model to obtain $f_t(x)=f_{t-1}(x)+h_t(x)$, i.e. a GBDT model comprising $T$ CART base learners,
where $h_1(x)$ is the weak classifier of the first iteration, obtained by training on the sample data; $f_1(x)$ is the GBDT model obtained after the first iteration; $T=t$ indicates that the current iteration is the $t$-th, following the $(t-1)$-th iteration; $y_{t-1}$ is the prediction output by the GBDT model after the $(t-1)$-th iteration; $h_t(x)$ is the $t$-th weak classifier computed from the error $y-y_{t-1}$; and $f_t(x)$ is the GBDT model obtained after $t$ iterations;
S134: extract the classification nodes of each CART learner and output the corresponding classification rules. A classification node here means, for example: weak classifier 1 obtained from the training samples has the rule that when the accesses initiated by an ID exceed 1000 per hour and the average access duration is less than 0.5 seconds, it is defined as an attack; here 1000 and 0.5 are the classification nodes obtained by machine learning. Outputting the corresponding classification rules means outputting the rules obtained above by machine learning as classification rules in the form of regular expressions.
S135: optimize the classification rules. Optimization here means continuously adjusting the model's iteration count $T$ and the model parameters.
Further, the handling scheduling comprises a managed asset library and a handling device library. The managed asset library is used to associate the handling object with the handling device that controls it; the handling device library is used to further obtain the login information and handling capabilities of the handling device once the handling device has been determined.
Further, the managed asset library comprises the managed address, handling device type, handling device address and ownership.
Further, the handling device library comprises login mode, device type, device address, device version, login account, login password and handling capabilities. Handling capabilities here include technical means such as source address blocking, destination address blocking, blackhole routing, forced resolution and URL blacklisting.
Further, the layered reverse feedback handling of the handling module comprises the following steps:
S41: the system receives security incidents from the external security analysis platform, parses them and stores them after acquisition;
S42: match the system layer policies, including IP blacklists/whitelists and domain blacklists/whitelists; if the security incident matches, start automatic event handling; if it does not match, proceed to user layer policy matching;
S43: if no system layer policy matches the security incident, match the security incident against the user layer policies. User layer policy matching comprises matching of event type, event topic, source address and destination address; if the security incident matches, start automatic event handling; if it does not match, proceed to algorithm layer policy matching;
S44: if no user layer policy matches the security incident, match the security incident against the algorithm layer policies. Algorithm layer policy matching comprises matching of frequency, thresholds and abnormal behaviour; if the security incident matches, start automatic event handling and add the attacker IP handled in the security incident to the blacklist of the system policy layer; if no policy matches, enter the manual handling process.
By adopting the above technical solution, the present invention has the following advantages:
The present invention uses a three-layer heterogeneous model that supports both the loading of system-level policies and user-level policy settings, and at the same time introduces a machine learning algorithm: for security incidents such as website attacks and APT attacks, rules are refined with a GBDT model, normal and abnormal access features are analysed, the model is deployed and verified online, and attacks are identified accurately. In addition, the policy library supports layered reverse feedback: rules obtained by repeated learning in the algorithm-level policy layer are periodically added to the user-level policy layer as personalized policies, and attacker IPs identified by the algorithm-level policy layer are added to the system-level policy layer in real time. The layered reverse feedback mechanism of the heterogeneous-model policy library effectively improves the self-learning capability of the security incident handling rules, improves the accuracy and completeness of the policy library, and finally realizes automated handling of security incidents.
Detailed description of the invention
Fig. 1 is the system framework diagram of the security incident automated handling method based on a heterogeneous-model policy library provided by the present invention;
Fig. 2 is the diagram of the three-layer heterogeneous-model policy library of the method provided by the present invention;
Fig. 3 is the website attack identification flow of the algorithm of the algorithm policy layer of the method provided by the present invention;
Fig. 4 is the GBDT algorithm modelling flow of the method provided by the present invention;
Fig. 5 is the layered reverse feedback handling flow chart of the method provided by the present invention.
Specific embodiment
As shown in Fig. 1, a security incident automated handling method based on a heterogeneous-model policy library comprises a handling policy library, a scheduling module and a handling module. The scheduling module comprises event scheduling and handling scheduling. Event scheduling receives security incidents and sends them to the handling policy library; the handling policy library judges the features of the security incident and then sends it to the handling scheduling module; the handling scheduling module sends it to the handling module according to the security incident type and the ownership of the managed asset; and the handling module issues the handling action and feeds back to the scheduling module.
As shown in Fig. 2, the handling policy library is a three-layer heterogeneous-model policy library comprising a system policy layer, a user policy layer and an algorithm policy layer. The matching and handling priority, from high to low, is: the system policy layer is higher than the user policy layer, and the user policy layer is higher than the algorithm policy layer,
the system policy layer comprises special event IDs and other system rules such as IP blacklists and whitelists and domain names;
the user policy layer comprises event type, event topic, source address, destination address and the like;
the algorithm policy layer comprises thresholds, frequency, semantics, and the abnormal-behaviour features of suspected website attacks or suspected intruders, i.e. the other abnormal features indicated in the figure.
As shown in Fig. 3, the system policy layer comprises the following steps:
S11: obtain normal samples and website-attack samples and pre-process the data. Normal samples are distinguished by whether they are security incidents: a normal sample is sample data of normal behaviour, while a website-attack sample in the present invention is a security incident. Pre-processing here refers to the basic concepts of data mining, including data cleaning, data integration, data reduction and transformation, and is a general method and process.
S12: perform feature statistics and analysis on the sample data. The analysis includes but is not limited to the following features: access URL length analysis, access duration analysis, access frequency analysis and access pattern analysis.
S13: build a classification model for identifying website attacks using GBDT;
S14: the classification model generates dynamic website-attack identification rules. The identification rules are output by the model according to the samples; different samples yield different rules, so they are not fixed rules.
S15: the rules generated by the classification model in step S14 are periodically pushed to the user policy layer as personalized policies for optional configuration;
S16: deploy the classification model online and analyse website access traffic. Deployment and going online here mean that the model is trained and built locally from the samples and then deployed in the actual production environment.
S17: identify suspected attacks;
S18: match the suspected attacker IP against business access IPs to confirm whether it is business access; if so, add the sample to the normal-access samples; if not, confirm it as a website attack;
S19: analyse the source and destination addresses of the website attack;
S20: classify the attack type as internal attack, external attack or lateral attack, add the samples confirmed as website attacks to the sample set used for training the website attack classification model, and trigger a new round of model learning and parameter adjustment. An internal attack here means that internal assets launch an attack against an external Internet system; an external attack means that an external system launches an attack against internal assets; a lateral attack means lateral penetration between different systems inside the internal assets.
The specific parameter adjustment includes but is not limited to the parameters in Table 1:
Table 1
max_features: maximum number of features considered when splitting
max_depth: maximum depth of a tree
min_samples_split: minimum number of samples required to split an internal node
min_samples_leaf: minimum number of samples in a leaf node
min_weight_fraction_leaf: minimum weighted fraction of the samples in a leaf node
max_leaf_nodes: maximum number of leaf nodes
S21: extract the attacker IP from the attack event and add it to the system policy layer blacklist.
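Steps S18 to S21 (and the same steps in the summary above), as an added illustration that is not the patent's own code: a suspected attacker IP that is a known business access IP is kept as a normal sample, otherwise the event is confirmed as an attack, classified as internal, external or lateral from which side lies inside the managed asset ranges, kept for retraining, and its IP fed into the system layer blacklist. The asset ranges, business IPs and events are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not from the patent): the managed
# internal asset ranges and the known business-access IPs checked in S18.
INTERNAL_ASSETS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_ACCESS_IPS = {"203.0.113.10", "203.0.113.11"}


@dataclass
class PolicyStore:
    """The parts of the policy library that S18-S21 write to."""
    system_blacklist: set = field(default_factory=set)   # S21 target
    normal_samples: list = field(default_factory=list)   # S18 "if so" branch
    attack_samples: list = field(default_factory=list)   # S20 retraining set


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_ASSETS)


def classify_direction(src: str, dst: str) -> str:
    """S20: internal = internal asset attacks an external Internet system,
    external = external system attacks an internal asset,
    lateral = penetration between different systems inside the assets."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "lateral"
    if src_in:
        return "internal"
    if dst_in:
        return "external"
    return "unknown"   # neither side is a managed asset (our assumption)


def triage(event: dict, store: PolicyStore) -> str:
    """S18-S21 for one suspected attack event {'src': ..., 'dst': ...}.
    Returns 'business_access' or the attack direction."""
    src = event["src"]
    # S18: a suspected attacker IP that is a known business access IP is not
    # an attack; the sample goes to the normal-access sample set instead.
    if src in BUSINESS_ACCESS_IPS:
        store.normal_samples.append(event)
        return "business_access"
    # S19/S20: confirmed website attack; classify by source/destination and
    # keep the sample for the next round of model training.
    direction = classify_direction(src, event["dst"])
    store.attack_samples.append({**event, "direction": direction})
    # S21: the attacker IP goes straight into the system policy layer blacklist.
    store.system_blacklist.add(src)
    return direction
```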
As shown in Fig. 4, S13, building the classification model for identifying website attacks using GBDT, comprises the following steps:
S131: after statistical analysis, obtain the n-dimensional features corresponding to each IP, such as total number of accesses, access duration and number of websites accessed;
S132: standardize the features so that the values in each dimension are distributed between -1 and 1;
S133: train the first CART model $h_1(x)$ on the processed data and update the GBDT model to $f_1(x)=h_1(x)$. With the iteration count $T=t$ and $f_{t-1}(x)$ known, the prediction of the model after the previous iteration is $y_{t-1}=f_{t-1}(x)$; compute the error $(y-y_{t-1})$ between the prediction and the true value, use $(y-y_{t-1})$ as the target to train the $t$-th CART model $h_t(x)$, and update the GBDT model to obtain $f_t(x)=f_{t-1}(x)+h_t(x)$, i.e. a GBDT model comprising $T$ CART base learners;
where $h_1(x)$ is the weak classifier of the first iteration, obtained by training on the sample data; $f_1(x)$ is the GBDT model obtained after the first iteration; $T=t$ indicates that the current iteration is the $t$-th, following the $(t-1)$-th iteration; $y_{t-1}$ is the prediction output by the GBDT model after the $(t-1)$-th iteration; $h_t(x)$ is the $t$-th weak classifier computed from the error $y-y_{t-1}$; and $f_t(x)$ is the GBDT model obtained after $t$ iterations.
S134: extract the classification nodes of each CART learner and output the corresponding classification rules. A classification node here means, for example: weak classifier 1 obtained from the training samples has the rule that when the accesses initiated by an ID exceed 1000 per hour and the average access duration is less than 0.5 seconds, it is defined as an attack; here 1000 and 0.5 are the classification nodes obtained by machine learning. Outputting the corresponding classification rules means outputting the rules obtained above by machine learning as classification rules in the form of regular expressions.
S135: optimize the classification rules. Optimization here means continuously adjusting the model's iteration count $T$ and the model parameters.
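The GBDT construction of S131 to S135 (and the identical steps in the summary above), as an added worked example that is not the patent's own code: a pure-Python boosting loop in which one-split CART trees (stumps) stand in for full CART, with the min-max standardization of S132, the update f_t(x) = f_{t-1}(x) + h_t(x) of S133 fitted to the error y - y_{t-1}, and the split point of each learner extracted as its classification node for S134. The per-IP feature rows and labels are constructed; a full CART, the Table 1 parameters and regular-expression output are not implemented.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple

# Constructed per-IP feature rows (assumptions, not the patent's data):
# S131 features [accesses per hour, average access duration in seconds]
# with label 1 = website attack, 0 = normal access.
FEATURE_NAMES = ["accesses_per_hour", "avg_duration_s"]
SAMPLES = [
    ([1500.0, 0.2], 1), ([2000.0, 0.1], 1), ([1200.0, 0.4], 1),
    ([20.0, 15.0], 0), ([50.0, 8.0], 0), ([1600.0, 6.0], 0),
    ([30.0, 0.3], 0), ([1800.0, 10.0], 0),
]


def scale(v: float, lo: float, hi: float) -> float:
    return 0.0 if hi == lo else 2.0 * (v - lo) / (hi - lo) - 1.0


def standardize(rows):
    """S132: min-max scale every feature into [-1, 1]. Returns the scaled rows
    and the per-feature (min, max) so split points can be mapped back."""
    bounds = [(min(c), max(c)) for c in zip(*rows)]
    return [[scale(v, lo, hi) for v, (lo, hi) in zip(r, bounds)] for r in rows], bounds


@dataclass
class Stump:
    """A one-split CART regression tree: the weak learner h_t(x)."""
    feature: int
    threshold: float
    left: float    # prediction when x[feature] <= threshold
    right: float   # prediction otherwise

    def predict(self, x) -> float:
        return self.left if x[self.feature] <= self.threshold else self.right


def fit_stump(X, r) -> Stump:
    """Fit h_t to the current residuals r: pick the (feature, threshold) split
    whose two side means give the least squared error."""
    best, best_sse = None, float("inf")
    for j in range(len(X[0])):
        values = sorted({row[j] for row in X})
        for a, b in zip(values, values[1:]):
            thr = (a + b) / 2.0
            left = [r[i] for i, row in enumerate(X) if row[j] <= thr]
            right = [r[i] for i, row in enumerate(X) if row[j] > thr]
            lm, rm = mean(left), mean(right)
            sse = sum((v - lm) ** 2 for v in left) + sum((v - rm) ** 2 for v in right)
            if sse < best_sse:
                best, best_sse = Stump(j, thr, lm, rm), sse
    return best


def train_gbdt(X, y, T: int) -> List[Stump]:
    """S133: f_1 = h_1 is fitted to y itself; for t = 2..T the learner h_t is
    fitted to the error y - y_{t-1} and the model becomes f_t = f_{t-1} + h_t."""
    learners, f = [], [0.0] * len(X)
    for _ in range(T):
        residual = [yi - fi for yi, fi in zip(y, f)]
        h = fit_stump(X, residual)
        learners.append(h)
        f = [fi + h.predict(x) for fi, x in zip(f, X)]
    return learners


def predict(learners: List[Stump], x) -> float:
    return sum(h.predict(x) for h in learners)


def extract_rules(learners: List[Stump], bounds) -> List[str]:
    """S134: each learner's split point is its classification node; report it
    in raw feature units as a readable rule (the patent emits regexes)."""
    rules = []
    for h in learners:
        lo, hi = bounds[h.feature]
        raw_thr = lo + (h.threshold + 1.0) / 2.0 * (hi - lo)
        rules.append(f"if {FEATURE_NAMES[h.feature]} <= {raw_thr:.2f} "
                     f"then score += {h.left:.3f} else score += {h.right:.3f}")
    return rules


def build_model(T: int = 3) -> Tuple[List[Stump], list]:
    rows = [r for r, _ in SAMPLES]
    labels = [float(lbl) for _, lbl in SAMPLES]
    X, bounds = standardize(rows)
    return train_gbdt(X, labels, T), bounds


def is_attack(learners, bounds, raw_row) -> bool:
    """Score an unseen IP's raw features; labels are 0/1, so cut at 0.5."""
    x = [scale(v, lo, hi) for v, (lo, hi) in zip(raw_row, bounds)]
    return predict(learners, x) > 0.5
```

With these samples no single split separates the classes; the first stump keys on duration, the second corrects the low-rate short-duration client by rate, and only their sum classifies all rows correctly.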
To realize automated handling of a security incident after policy matching, the handling device and action corresponding to the security incident must be further determined. The handling scheduling comprises a managed asset library and a handling device library. The managed asset library is used to associate the handling object with the handling device that controls it; the handling device library is used to further obtain the login information and handling capabilities of the handling device once the handling device has been determined.
The managed asset library comprises the managed address, handling device type, handling device address and ownership.
The handling device library comprises login mode, device type, device address, device version, login account, login password and handling capabilities. Handling capabilities here include technical means such as source address blocking, destination address blocking, blackhole routing, forced resolution and URL blacklisting.
As shown in Fig. 5, the layered reverse feedback handling of the handling module comprises the following steps:
S41: the system receives security incidents from the external security analysis platform, parses them and stores them after acquisition;
S42: match the system layer policies, including IP blacklists/whitelists and domain blacklists/whitelists; if the security incident matches, start automatic event handling; if it does not match, proceed to user layer policy matching;
S43: if no system layer policy matches the security incident, match the security incident against the user layer policies. User layer policy matching comprises matching of event type, event topic, source address and destination address; if the security incident matches, start automatic event handling; if it does not match, proceed to algorithm layer policy matching;
S44: if no user layer policy matches the security incident, match the security incident against the algorithm layer policies. Algorithm layer policy matching comprises matching of frequency, thresholds and abnormal behaviour; if the security incident matches, start automatic event handling and add the attacker IP handled in the security incident to the blacklist of the system policy layer; if no policy matches, enter the manual handling process.
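The three-layer matching cascade of S42 to S44 (and the same steps in the summary above), together with the real-time blacklist feedback of S44 and the periodic promotion of learned rules into the user layer, as an added Python example that is not the patent's code. The algorithm layer is reduced to a per-source frequency threshold over a sliding window; semantics and other abnormal-behaviour features are not modelled, and every list, rule and event here is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional, Tuple

# A user-layer rule is (event_type, topic, src, dst); None is a wildcard.
UserRule = Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]


@dataclass
class PolicyLibrary:
    """Three-layer heterogeneous-model policy library, matched in the order
    system layer > user layer > algorithm layer (S42-S44)."""
    # system layer (S42): IP and domain blacklists/whitelists
    ip_blacklist: set = field(default_factory=set)
    ip_whitelist: set = field(default_factory=set)
    domain_blacklist: set = field(default_factory=set)
    # user layer (S43): event type / topic / source / destination rules
    user_rules: list = field(default_factory=list)
    # algorithm layer (S44), reduced here to a frequency threshold per source
    # inside a sliding window of window_s seconds (our simplification)
    freq_threshold: int = 100
    window_s: int = 60
    # events nothing matched, handed to the manual handling process
    manual_queue: list = field(default_factory=list)
    history: dict = field(default_factory=lambda: defaultdict(deque))


def user_rule_matches(rule: UserRule, ev: dict) -> bool:
    keys = ("event_type", "topic", "src", "dst")
    return all(r is None or r == ev.get(k) for r, k in zip(rule, keys))


def dispose(lib: PolicyLibrary, ev: dict) -> str:
    """Run one parsed security incident (the output of S41) through the
    cascade. Returns 'auto_allow', 'auto_block' or 'manual'."""
    src = ev["src"]
    # S42 system layer: a whitelisted source short-circuits, blacklists handle
    if src in lib.ip_whitelist:
        return "auto_allow"
    if src in lib.ip_blacklist or ev.get("domain") in lib.domain_blacklist:
        return "auto_block"
    # S43 user layer: event type / topic / source / destination
    if any(user_rule_matches(r, ev) for r in lib.user_rules):
        return "auto_block"
    # S44 algorithm layer: count this source's events inside the window
    hist = lib.history[src]
    hist.append(ev["ts"])
    while hist and ev["ts"] - hist[0] > lib.window_s:
        hist.popleft()
    if len(hist) >= lib.freq_threshold:
        # real-time reverse feedback: the attacker IP becomes a system-layer
        # blacklist entry, so later events match at S42 without recounting
        lib.ip_blacklist.add(src)
        return "auto_block"
    lib.manual_queue.append(ev)
    return "manual"


def promote_rule(lib: PolicyLibrary, rule: UserRule) -> bool:
    """Periodic reverse feedback: a rule learned in the algorithm layer is
    added to the user layer as a personalized policy. Returns True if new."""
    if rule in lib.user_rules:
        return False
    lib.user_rules.append(rule)
    return True
```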
GBDT (Gradient Boosting Decision Tree), also called MART (Multiple Additive Regression Tree), is an iterative decision tree algorithm composed of multiple decision trees, in which the conclusions of all trees are summed to give the final result. When it was first proposed it was, together with SVM, regarded as an algorithm with strong generalization ability. In recent years it has attracted more attention because its model is used for ranking in search.
Although the present disclosure is as above, the present invention is not limited thereto. Anyone skilled in the art can make various changes or modifications without departing from the spirit and scope of the invention; therefore the protection scope of the present invention shall be subject to the scope defined by the claims.

Claims (7)

1. A security incident automated handling method based on a heterogeneous-model policy library, characterized in that it comprises a handling policy library, a scheduling module and a handling module; the scheduling module comprises event scheduling and handling scheduling; the event scheduling receives security incidents and sends them to the handling policy library; the handling policy library judges the features of the security incident and then sends it to the handling scheduling module; the handling scheduling module sends it to the handling module according to the security incident type and the ownership of the managed asset; and the handling module issues the handling action and feeds back to the scheduling module;
the handling policy library is a three-layer heterogeneous-model policy library comprising a system policy layer, a user policy layer and an algorithm policy layer; the matching and handling priority, from high to low, is: the system policy layer is higher than the user policy layer, and the user policy layer is higher than the algorithm policy layer,
the system policy layer comprises special event IDs, IP blacklists and whitelists, and domain names;
the user policy layer comprises event type, event topic, source address and destination address;
the algorithm policy layer comprises thresholds, frequency, semantics, and the abnormal behaviour of suspected website attacks or suspected intruders.
2. The security incident automated handling method based on a heterogeneous-model policy library according to claim, characterized in that the system policy layer comprises the following steps:
S11: obtain normal samples and website-attack samples and pre-process the data;
S12: perform feature statistics and analysis on the sample data;
S13: build a classification model for identifying website attacks using GBDT;
S14: the classification model generates dynamic website-attack identification rules;
S15: the rules generated by the classification model in step S14 are periodically pushed to the user policy layer as personalized policies for optional configuration;
S16: deploy the classification model online and analyse website access traffic;
S17: identify suspected attacks;
S18: match the suspected attacker IP against business access IPs to confirm whether it is business access; if so, add the sample IP to the normal-access samples; if not, confirm it as a website attack;
S19: analyse the source and destination addresses of the website attack;
S20: classify the attack type as internal attack, external attack or lateral attack, add the samples confirmed as website attacks to the sample set used for training the website attack classification model, and trigger a new round of model learning and parameter adjustment;
S21: extract the attacker IP from the attack event and add it to the system policy layer blacklist.
3. The security incident automated handling method based on a heterogeneous-model policy library according to claim 2, characterized in that S13, building the classification model for identifying website attacks using GBDT, comprises the following steps:
S131: after statistical analysis, obtain the n-dimensional features corresponding to each IP, such as total number of accesses, access duration and number of websites accessed;
S132: standardize the features so that the values in each dimension are distributed between -1 and 1;
S133: train the first CART model $h_1(x)$ on the processed data and update the GBDT model to $f_1(x)=h_1(x)$; with the iteration count $T=t$ and $f_{t-1}(x)$ known, compute the prediction of the model after the previous iteration, $y_{t-1}=f_{t-1}(x)$, compute the error $(y-y_{t-1})$ between the prediction and the true value, use $(y-y_{t-1})$ as the target to train the $t$-th CART model $h_t(x)$, and update the GBDT model to obtain $f_t(x)=f_{t-1}(x)+h_t(x)$, i.e. a GBDT model comprising $T$ CART base learners,
where $h_1(x)$ is the weak classifier of the first iteration, obtained by training on the sample data; $f_1(x)$ is the GBDT model obtained after the first iteration; $T=t$ indicates that the current iteration is the $t$-th, following the $(t-1)$-th iteration; $y_{t-1}$ is the prediction output by the GBDT model after the $(t-1)$-th iteration; $h_t(x)$ is the $t$-th weak classifier computed from the error $y-y_{t-1}$; and $f_t(x)$ is the GBDT model obtained after $t$ iterations;
S134: extract the classification nodes of each CART learner and output the corresponding classification rules;
S135: optimize the classification rules.
4. The security incident automated handling method based on a heterogeneous-model policy library according to claim, characterized in that the handling scheduling comprises a managed asset library and a handling device library; the managed asset library is used to associate the handling object with the handling device that controls it; the handling device library is used to further obtain the login information and handling capabilities of the handling device once the handling device has been determined.
5. The security incident automated handling method based on a heterogeneous-model policy library according to claim 4, characterized in that the managed asset library comprises the managed address, handling device type, handling device address and ownership.
6. The security incident automated handling method based on a heterogeneous-model policy library according to claim 4, characterized in that the handling device library comprises login mode, device type, device address, device version, login account, login password and handling capabilities.
7. the according to claim a kind of security incident based on isomery model strategy library automates method of disposal, feature Be, it is described disposition module layering inversely feed back dispose the following steps are included:
S41 system receives safety analysis platform safety event from outside, further parses and is put in storage after acquisition;
S42 matching system layer strategy, including IP black and white lists, domain name black and white lists, start thing if matching with security incident Part is disposed automatically, is not matched with security incident and is then entered client layer strategy matching;
If S43 system layer strategy is not matched with security incident, the matching of security incident Yu client layer strategy is carried out, is matched Client layer strategy includes the matching of event type, event topic, source address and destination address, is opened if matching with security incident Dynamic event is disposed automatically, is not matched with security incident and is then entered algorithm layer strategy matching;
If S44 client layer strategy is not matched with security incident, the matching of security incident Yu algorithm layer strategy is carried out, is matched Algorithm layer strategy includes the matching of frequency, threshold value, abnormal behaviour;Start event if matching with security incident to dispose automatically, And the attacker IP disposed in security incident is added in the blacklist of system strategy layer, people is entered if fruit strategy does not match Work disposal process.
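The three-layer matching and reverse-feedback procedure of steps S41 to S44, as an added Python illustration that is not the patent's own code. The event fields, the shape of the user-layer rules, the per-source event count used for the algorithm layer's frequency/threshold check, and the sample events are all constructed assumptions.

```python
"""Three-layer policy matching with reverse feedback (steps S41 to S44).
Added example, not the patent's code; event fields, rule shapes and sample
events are constructed assumptions."""
from collections import defaultdict

class PolicyLibrary:
    def __init__(self, ip_blacklist, domain_blacklist, user_rules, freq_threshold):
        self.ip_blacklist = set(ip_blacklist)          # system layer (S42)
        self.domain_blacklist = set(domain_blacklist)  # system layer (S42)
        self.user_rules = list(user_rules)             # user layer (S43): field == value dicts
        self.freq_threshold = freq_threshold           # algorithm layer (S44)
        self.counts = defaultdict(int)                 # events seen per source IP

    def dispose(self, event):
        """Return (layer, action) for one parsed and stored event (S41 assumed done)."""
        src = event["src"]
        # S42: system layer; a blacklisted IP or domain goes straight to automatic disposal.
        if src in self.ip_blacklist or event.get("domain") in self.domain_blacklist:
            return "system", "auto"
        # S43: user layer; match on event type, topic, source and destination address.
        for rule in self.user_rules:
            if all(event.get(field) == value for field, value in rule.items()):
                return "user", "auto"
        # S44: algorithm layer; the frequency/threshold check is modelled as a
        # per-source event count, and reaching the threshold counts as abnormal.
        self.counts[src] += 1
        if self.counts[src] >= self.freq_threshold:
            # Reverse feedback: the attacker IP enters the system-layer blacklist, so
            # its next event is handled at S42 without reaching this layer again.
            self.ip_blacklist.add(src)
            return "algorithm", "auto"
        return None, "manual"  # nothing matched: hand over to the manual process

# Constructed sample events using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    {"type": "web_attack", "topic": "sqli", "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"type": "apt", "topic": "c2", "src": "198.51.100.7", "dst": "10.0.0.8", "domain": "update.example"},
    {"type": "scan", "topic": "portscan", "src": "192.0.2.4", "dst": "10.0.0.5"},
    {"type": "scan", "topic": "portscan", "src": "192.0.2.4", "dst": "10.0.0.6"},
    {"type": "scan", "topic": "portscan", "src": "192.0.2.4", "dst": "10.0.0.7"},
    {"type": "scan", "topic": "portscan", "src": "192.0.2.4", "dst": "10.0.0.9"},
]

def run_sample():
    """Run the sample events through a small constructed policy library in order."""
    lib = PolicyLibrary(ip_blacklist={"203.0.113.9"}, domain_blacklist={"bad.example"},
                        user_rules=[{"type": "apt", "topic": "c2"}], freq_threshold=3)
    return [lib.dispose(event) for event in SAMPLE_EVENTS]
```

The last two scan events show the feedback loop: the third scan from the same source trips the algorithm layer and blacklists the IP, so the fourth is caught at the system layer.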

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811562239.2A CN109743300A (en) 2018-12-20 2018-12-20 A kind of security incident automation method of disposal based on isomery model strategy library

Publications (1)

Publication Number Publication Date
CN109743300A true CN109743300A (en) 2019-05-10

Family

ID=66360858

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080086772A1 (en) * 2006-10-09 2008-04-10 Radware, Ltd. Automatic Signature Propagation Network
CN101540741A (en) * 2009-05-06 2009-09-23 北京邮电大学 Image junk mail filtering method based on threshold
US20130346147A1 (en) * 2012-06-22 2013-12-26 RedDrummer LLC Methods and systems for determining a relative importance of a user within a network environment
CN104065644A (en) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 Method and apparatus for recognizing CC attacks based on log analysis
CN106559395A (en) * 2015-09-29 2017-04-05 北京东土军悦科技有限公司 A kind of data message detection method and device based on industrial network
CN106447383A (en) * 2016-08-30 2017-02-22 杭州启冠网络技术有限公司 Cross-time multi-dimensional abnormal data monitoring method and system
CN107070889A (en) * 2017-03-10 2017-08-18 中国电建集团成都勘测设计研究院有限公司 A kind of unified security system of defense based on cloud platform
CN107682323A (en) * 2017-09-20 2018-02-09 东北大学 A kind of industrial control system network-access security early warning system and method

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110120957A (en) * 2019-06-03 2019-08-13 浙江鹏信信息科技股份有限公司 A kind of twin method and system of safe disposal number based on intelligent scoring mechanism
CN110120957B (en) * 2019-06-03 2019-12-06 浙江鹏信信息科技股份有限公司 Safe disposal digital twin method and system based on intelligent scoring mechanism
CN111917769A (en) * 2020-07-30 2020-11-10 中盈优创资讯科技有限公司 Automatic handling method and device of security event and electronic equipment
CN113726761A (en) * 2021-08-27 2021-11-30 深圳供电局有限公司 Network security protection method based on white list
CN117688558A (en) * 2024-02-01 2024-03-12 杭州海康威视数字技术股份有限公司 Terminal attack lightweight detection method and device based on microstructure abnormal event
CN117688558B (en) * 2024-02-01 2024-05-07 杭州海康威视数字技术股份有限公司 Terminal attack lightweight detection method and device based on microstructure abnormal event

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190510