CN112769859A - Network attack stage statistical and prediction method based on Markov chain - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N7/00—Computing arrangements based on specific mathematical models
- G06N7/01—Probabilistic graphical models, e.g. probabilistic networks
Abstract
The invention discloses a Markov chain-based method for statistics and prediction of network attack stages, comprising the following steps: establishing a Markov chain-based state transition matrix, in which a state space is established according to the attack process of the network attack kill chain, probability statistics are computed for the attack state transitions generated by each attack method in the attack process, and the Markov chain state transition matrix is established; correcting the Markov chain-based state transition matrix, in which state data that is missing or wrong because of incomplete statistical data is corrected; and predicting the attack stage in the network attack kill chain using the Markov chain model. The invention combines the widely used network attack chain with the Markov chain, making network attack event statistics better suited to prediction and thereby improving the accuracy of the attack prediction model.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method for counting and predicting network attack stages in the network kill chain using a Markov chain.
Background
Generally, a network attack consists of multiple attack phases: the success of one phase can trigger the next, while the failure of one phase means the failure of the entire attack. If network attack detection were comprehensive and accurate, each attack method would be seen to proceed phase by phase, with the whole sequence of attack phases resembling a chain. However, because a network attack event spans a long time and involves many attack points (springboards, zombies, reflectors, etc.), it is extremely difficult to detect all stages of a network attack, so the whole attack process cannot be comprehensively understood, and the attack methods occurring at each stage cannot be accurately counted.
The characteristics of the network attack kill chain show that a network attack satisfies the Markov property: the transition to the next state depends only on the current state and is independent of earlier states. On this basis, and addressing the incomplete data and inaccurate prediction of existing network attack statistical methods, the invention discloses a Markov chain-based method for statistics and prediction of network attack stages.
Disclosure of Invention
The invention discloses a network attack stage statistics and prediction method based on a Markov chain, aiming at the problems of incomplete attack statistical data and large statistical deviation based on incomplete data in the existing network attack statistical method. Therefore, the method can effectively avoid the problem of large prediction deviation caused by incomplete statistical data of the attack stage in the attack chain.
The invention discloses a network attack stage statistical and prediction method based on a Markov chain, which comprises the following specific steps:
S1, establishing a Markov chain-based state transition matrix: a state space is established according to the attack process of the network attack kill chain, probability statistics are computed for the attack state transitions generated by each attack method in the attack process, and the Markov chain state transition matrix is established;
S2, correcting the Markov chain-based state transition matrix: state data in the matrix that is missing or wrong because of incomplete statistical data is corrected using the property that the elements of each row of the state transition matrix sum to 1 (because each row represents its own probability distribution);
S3, predicting the attack stage in the network attack kill chain using the Markov chain model: the Markov chain model is used to predict the occurrence probability of the next attack stage.
Establishing the Markov chain-based state transition matrix in step S1 specifically includes:
S11, extracting attack events: attack events in offline or real-time network traffic are captured and identified using intrusion detection software or probe software (such as Suricata), and are assigned to the corresponding attack stages according to their characteristics;
S12, correlating attack events: the attack method is detected according to the viruses contained in the extracted attack events, the definitions in the virus sample library and the attack stage in the network kill chain, and each attack event is associated with previously detected attack events of the same kind of attack method;
S13, computing attack probability statistics: the attack events detected in step S12 are divided by kill chain attack stage; a certain earlier day is then selected as the starting time point of the statistics, the period from the starting time point to the current time is divided into several consecutive time intervals of a fixed length (such as N days), and the probability of the attack stage occurring in each time interval is calculated, the calculation specifically including:
S131, calculating the occurrence weight of the j-th attack stage in the i-th time interval, wherein j is the number label of the attack stage, and j = 1, 2, 3, 4, 5, 6, 7 denote respectively reconnaissance and tracking, weapon construction, payload delivery, vulnerability exploitation, installation and implantation, command and control, and target achievement; m is the sequence number of the attack stage weight; $b_1, b_2, b_3, b_4, b_5, b_6, b_7$ are the weights of these seven attack stages in the current attack method; and $p_{1,i}, p_{2,i}, p_{3,i}, p_{4,i}, p_{5,i}, p_{6,i}, p_{7,i}$ are the numbers of times these seven attack stages occur in the i-th time interval;
S132, calculating the heat-of-occurrence set of attack stage j in the i-th time interval, $H_{i,j} = [G_{1,j}, G_{2,j}, G_{3,j}, \dots, G_{i,j}]$.
S133, simplifying the heat-of-occurrence set data by an extreme method to obtain the normalized heat of occurrence of attack stage j in the i-th time interval, namely
S134, calculating the transition probability of each attack stage from the i-th time interval to the (i+1)-th time interval: the transition probability from the j-th attack stage to the (j+n)-th attack stage is $T_{i,i+1,j,j+n} = H'_{i+1,j+n} - H'_{i,j}$, and the transition probability from the j-th attack stage to the (j-n)-th attack stage is $T_{i,i+1,j,j-n} = H'_{i+1,j} - H'_{i,j-n}$, where $0 \le n \le 7$, $1 \le j+n \le 7$ and $1 \le j-n \le 7$.
S14, establishing a corresponding Markov chain-based state transition matrix for each attack method.
The Markov chain-based state transition matrix may be expressed in the form of the attack probability state transition statistics table shown in Table 1.
TABLE 1 attack probability statistics State transition statistics Table
Correcting the Markov chain-based state transition matrix in step S2 specifically includes:
S21, Markov chain characteristic screening: the Markov chain-based state transition matrix established in step S1 is analyzed and the Markov characteristics suited to the matrix are selected, the characteristics specifically including communication between states, periodicity, transience, recurrence, ergodicity or absorbing states. According to the selected Markov characteristics, the Markov state transition probability matrix is written as $P = [P_{m,n}]$, $1 \le m, n \le 7$, wherein $P_{m,n}$ is the probability that the attack is in state m in the i-th time interval and in state n in the (i+1)-th time interval.
S22, determining the correction principle of the state transition matrix: the principle for correcting the state transition matrix of each attack method is determined according to the Markov characteristics selected in step S21, the expression of the correction principle being as follows:
wherein k is the index over attack stages in the summation, and $T_{m,n}$ is the total transition probability from the m-th attack state to the n-th attack state;
S23, correcting the data in the state transition matrix: the missing data in the state transition matrix is completed according to the correction principle formula to obtain the corrected Markov chain-based state transition matrix:
Predicting the attack stage in the network attack kill chain using the Markov chain in step S3 specifically includes:
S31, extracting attack characteristics: fragments of the traffic data in transmission are extracted for detecting attack events in step S32.
S32, detecting attack events: the traffic data packets extracted in step S31 are inspected to determine whether they contain an attack event.
S33, correlating attack events: it is determined which stage of which attack method the attack event detected in step S32 belongs to.
S34, attack prediction: based on the attack event detected in step S32, the state transition matrix of the Markov chain model is used to predict the probability of the attacker's next attack action. Specifically, let the stage of the currently detected attack event be z, $1 \le z \le 7$, and let the other stages be z'; the current state vector is set to $C = [c_1\ c_2\ c_3\ c_4\ c_5\ c_6\ c_7]$, wherein $c_z = 1$ and $c_{z'} = 0$ for $z' \ne z$; the next state vector is $D = C \times P = [d_1\ d_2\ d_3\ d_4\ d_5\ d_6\ d_7]$, wherein $d_{z+1}$ is the probability of the next attack event occurring.
S35, prediction verification: the obtained prediction result is verified.
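The following is an added example, not part of the patent text, of steps S2 and S3: completing a 7×7 kill chain transition matrix so that every row sums to 1, then computing D = C × P for a detected stage z. The repair rule in `correct_row` is an assumption, since the patent's correction formula is not reproduced on this page, and the matrix `SAMPLE_RAW` is constructed sample data.

```python
from typing import List, Optional, Tuple

# The seven kill chain stages named in step S131, numbered 1..7.
STAGES = [
    "reconnaissance and tracking", "weapon construction", "payload delivery",
    "vulnerability exploitation", "installation and implantation",
    "command and control", "target achievement",
]
N = len(STAGES)
Row = List[Optional[float]]  # None marks a statistic that was never observed


def correct_row(row: Row) -> List[float]:
    """Turn one row of raw statistics into a probability distribution (S2).

    Assumed repair rule (the page does not reproduce the patent's formula):
      * negative values are treated as wrong data and clamped to 0;
      * if entries are missing and the known mass is below 1, the remaining
        mass is shared equally among the missing entries;
      * otherwise missing entries become 0 and the row is rescaled to sum to 1;
      * a row with no usable data becomes uniform.
    """
    if len(row) != N:
        raise ValueError(f"expected {N} entries, got {len(row)}")
    known = [None if v is None else max(0.0, v) for v in row]
    n_missing = sum(1 for v in known if v is None)
    mass = sum(v for v in known if v is not None)
    if n_missing and mass < 1.0:
        share = (1.0 - mass) / n_missing
        return [share if v is None else v for v in known]
    if mass == 0.0:
        return [1.0 / N] * N
    return [(0.0 if v is None else v) / mass for v in known]


def correct_matrix(raw: List[Row]) -> List[List[float]]:
    """Apply the row-sum-to-1 correction to every row of the matrix."""
    if len(raw) != N:
        raise ValueError(f"expected {N} rows, got {len(raw)}")
    return [correct_row(r) for r in raw]


def predict_next(P: List[List[float]], z: int) -> Tuple[List[float], Optional[float]]:
    """S34: one-hot state vector C for stage z, next state vector D = C x P.

    Returns (D, d_{z+1}). For z = 7 there is no stage z+1, so the second
    value is None (edge case not covered by the page).
    """
    if not 1 <= z <= N:
        raise ValueError("stage z must be in 1..7")
    C = [1.0 if k == z - 1 else 0.0 for k in range(N)]
    D = [sum(C[m] * P[m][n] for m in range(N)) for n in range(N)]
    return D, (D[z] if z < N else None)


# Constructed sample statistics for one attack method (not real data).
SAMPLE_RAW: List[Row] = [
    [0.5, 0.3, None, None, 0.0, 0.0, 0.0],   # two missing entries
    [0.0, 0.4, 0.6, 0.2, 0.0, 0.0, 0.0],     # sums to 1.2: wrong data
    [0.0, 0.0, 0.2, 0.7, None, 0.0, 0.0],    # one missing entry
    [0.0, 0.0, 0.0, 0.25, 0.5, 0.25, 0.0],   # already consistent
    [0.0, 0.0, 0.0, 0.0, 0.3, 0.6, 0.1],
    [None] * N,                              # stage never observed
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 1.0],     # absorbing final stage
]

if __name__ == "__main__":
    P = correct_matrix(SAMPLE_RAW)
    for z in (1, 3, 7):
        D, d_next = predict_next(P, z)
        print(f"z={z} ({STAGES[z - 1]}): D={[round(v, 3) for v in D]}, "
              f"d_z+1={d_next}")
```

Rows that needed repair are worth logging in practice, because a row filled in by assumption should carry less weight in an alerting decision than one backed by observed transitions.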
The invention has the beneficial effects that:
1. The invention provides a method for constructing a network attack statistics and prediction model, which combines the widely used network attack chain with the Markov chain and improves the methods of network attack event statistics and future attack prediction, making network attack event statistics better suited to prediction and thereby improving the accuracy of the attack prediction model.
2. The invention improves the prior network attack event statistical method, so that the statistical result of the network attack event is closer to the practical application; meanwhile, aiming at the condition that the statistical result of the attack event is inaccurate, the characteristic of a Markov chain is used for processing the statistical result, so that the adaptability of the prediction model is wider.
Drawings
FIG. 1 is a diagram of the network attack kill chain, its attack methods and attack events;
FIG. 2 is an example Markov chain state transition matrix of the present invention;
FIG. 3 is a flow chart of establishing the Markov chain state transition matrix in the present invention;
FIG. 4 is a flow chart of correcting the Markov chain state transition matrix data in the present invention;
FIG. 5 is a flow chart of predicting attack stages in the network attack kill chain using the Markov chain in the present invention.
Detailed Description
For a better understanding of the present disclosure, an example is given here.
The invention discloses a network attack stage statistical and prediction method based on a Markov chain. FIG. 1 is a diagram of the network attack kill chain, its attack methods and attack events; FIG. 2 is an example Markov chain state transition matrix of the present invention; FIG. 3 is a flow chart of establishing the Markov chain state transition matrix; FIG. 4 is a flow chart of correcting the Markov chain state transition matrix data; FIG. 5 is a flow chart of predicting attack stages in the network attack kill chain using the Markov chain. The method comprises the following specific steps:
S1, establishing a Markov chain-based state transition matrix: a state space is established according to the attack process of the network attack kill chain, probability statistics are computed for the attack state transitions generated by each attack method in the attack process, and the Markov chain state transition matrix is established;
S2, correcting the Markov chain-based state transition matrix: state data in the matrix that is missing or wrong because of incomplete statistical data is corrected using the property that the elements of each row of the state transition matrix sum to 1 (because each row represents its own probability distribution);
S3, predicting the attack stage in the network attack kill chain using the Markov chain model: the Markov chain model is used to predict the occurrence probability of the next attack stage.
Establishing the Markov chain-based state transition matrix in step S1 specifically includes:
S11, extracting attack events: attack events in offline or real-time network traffic are captured and identified using intrusion detection software or probe software (such as Suricata), and are assigned to the corresponding attack stages according to their characteristics;
S12, correlating attack events: the attack method is detected according to the viruses contained in the extracted attack events, the definitions in the virus sample library and the attack stage in the network kill chain, and each attack event is associated with previously detected attack events of the same kind of attack method;
S13, computing attack probability statistics: the attack events detected in step S12 are divided by kill chain attack stage; a certain earlier day is then selected as the starting time point of the statistics, the period from the starting time point to the current time is divided into several consecutive time intervals of a fixed length (such as N days), and the probability of the attack stage occurring in each time interval is calculated, the calculation specifically including:
S131, calculating the occurrence weight of the j-th attack stage in the i-th time interval, wherein j is the number label of the attack stage, and j = 1, 2, 3, 4, 5, 6, 7 denote respectively reconnaissance and tracking, weapon construction, payload delivery, vulnerability exploitation, installation and implantation, command and control, and target achievement; m is the sequence number of the attack stage weight; $b_1, b_2, b_3, b_4, b_5, b_6, b_7$ are the weights of these seven attack stages in the current attack method; and $p_{1,i}, p_{2,i}, p_{3,i}, p_{4,i}, p_{5,i}, p_{6,i}, p_{7,i}$ are the numbers of times these seven attack stages occur in the i-th time interval;
S132, calculating the heat-of-occurrence set of attack stage j in the i-th time interval, $H_{i,j} = [G_{1,j}, G_{2,j}, G_{3,j}, \dots, G_{i,j}]$.
S133, simplifying the heat-of-occurrence set data by an extreme method to obtain the normalized heat of occurrence of attack stage j in the i-th time interval, namely
S134, calculating the transition probability of each attack stage from the i-th time interval to the (i+1)-th time interval: the transition probability from the j-th attack stage to the (j+n)-th attack stage is $T_{i,i+1,j,j+n} = H'_{i+1,j+n} - H'_{i,j}$, and the transition probability from the j-th attack stage to the (j-n)-th attack stage is $T_{i,i+1,j,j-n} = H'_{i+1,j} - H'_{i,j-n}$, where $0 \le n \le 7$, $1 \le j+n \le 7$ and $1 \le j-n \le 7$.
S14, establishing a corresponding Markov chain-based state transition matrix for each attack method.
The Markov chain-based state transition matrix may be expressed in the form of the attack probability state transition statistics table shown in Table 1.
TABLE 1 attack probability statistics State transition statistics Table
Correcting the Markov chain-based state transition matrix in step S2 specifically includes:
S21, Markov chain characteristic screening: the Markov chain-based state transition matrix established in step S1 is analyzed and the Markov characteristics suited to the matrix are selected, the characteristics specifically including communication between states, periodicity, transience, recurrence, ergodicity or absorbing states. According to the selected Markov characteristics, the Markov state transition probability matrix is written as $P = [P_{m,n}]$, $1 \le m, n \le 7$, wherein $P_{m,n}$ is the probability that the attack is in state m in the i-th time interval and in state n in the (i+1)-th time interval.
S22, determining the correction principle of the state transition matrix: the principle for correcting the state transition matrix of each attack method is determined according to the Markov characteristics selected in step S21, the expression of the correction principle being as follows:
wherein k is the index over attack stages in the summation, and $T_{m,n}$ is the total transition probability from the m-th attack state to the n-th attack state;
S23, correcting the data in the state transition matrix: the missing data in the state transition matrix is completed according to the correction principle formula to obtain the corrected Markov chain-based state transition matrix:
Predicting the attack stage in the network attack kill chain using the Markov chain in step S3 specifically includes:
S31, extracting attack characteristics: fragments of the traffic data in transmission are extracted for detecting attack events in step S32.
S32, detecting attack events: the traffic data packets extracted in step S31 are inspected to determine whether they contain an attack event.
S33, correlating attack events: it is determined which stage of which attack method the attack event detected in step S32 belongs to.
S34, attack prediction: based on the attack event detected in step S32, the state transition matrix of the Markov chain model is used to predict the probability of the attacker's next attack action. Specifically, let the stage of the currently detected attack event be z, $1 \le z \le 7$, and let the other stages be z'; the current state vector is set to $C = [c_1\ c_2\ c_3\ c_4\ c_5\ c_6\ c_7]$, wherein $c_z = 1$ and $c_{z'} = 0$ for $z' \ne z$; the next state vector is $D = C \times P = [d_1\ d_2\ d_3\ d_4\ d_5\ d_6\ d_7]$, wherein $d_{z+1}$ is the probability of the next attack event occurring.
S35, prediction verification: the obtained prediction result is verified.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (5)
1. A network attack stage statistical and prediction method based on Markov chain is characterized by comprising the following specific steps:
S1, establishing a Markov chain-based state transition matrix, establishing a state space according to the attack process of the network attack kill chain, carrying out probability statistics on attack state transitions generated by each attack method in the attack process, and establishing the Markov chain state transition matrix;
S2, correcting the Markov chain-based state transition matrix, and correcting missing or wrong state data in the Markov chain-based state transition matrix due to incomplete statistical data according to the characteristic that the sum of each row of data elements of the state transition matrix is 1;
S3, predicting the attack stage in the network attack kill chain by using the Markov chain model, and predicting the occurrence probability of the next attack stage by using the Markov chain model.
2. The Markov chain-based network attack stage statistics and prediction method of claim 1, wherein the step S1 of establishing the Markov chain-based state transition matrix specifically comprises:
S11, extracting attack events, capturing and identifying the attack events in the offline or real-time network traffic by using intrusion detection software or probe software, and dividing the attack events into corresponding attack stages according to the characteristics of the attack events;
S12, correlating the attack event, detecting the attack method according to the viruses contained in the extracted attack event, the definition of the virus sample library and the attack stage in the network kill chain, and correlating the attack event with the previously detected attack events under the same kind of attack method;
S13, carrying out attack probability statistics, dividing attack events detected in the step S12 according to attack stages of the attack chain, then selecting a certain earlier day as a starting time point of the statistics, dividing a time period from the starting time point to the current time into a plurality of continuous time intervals according to a fixed time length, and calculating the probability of the attack stage occurring in each time interval;
S14, establishing a corresponding Markov chain-based state transition matrix for each attack method.
3. The Markov chain-based network attack stage statistics and prediction method of claim 2, wherein the step of calculating the probability of the attack stage occurring in each time interval in step S13 specifically comprises:
S131, calculating the occurrence weight of the j-th attack stage in the i-th time interval, wherein j represents the number label of the attack stage, and when j is 1, 2, 3, 4, 5, 6 and 7, the attack stage is respectively reconnaissance and tracking, weapon construction, payload delivery, vulnerability exploitation, installation and implantation, command and control, and target achievement; m represents the weight value sequence number of the attack stage; $b_1, b_2, b_3, b_4, b_5, b_6, b_7$ respectively represent the weights of these seven attack stages in the current attack method; $p_{1,i}, p_{2,i}, p_{3,i}, p_{4,i}, p_{5,i}, p_{6,i}, p_{7,i}$ respectively represent the numbers of times these seven attack stages occur in the i-th time interval;
S132, calculating a heat-of-occurrence set of the attack stage j in the i-th time interval, $H_{i,j} = [G_{1,j}, G_{2,j}, G_{3,j}, \dots, G_{i,j}]$;
S133, simplifying the heat-of-occurrence set data by an extreme method to obtain the normalized heat of occurrence of the attack stage j in the i-th time interval, namely
S134, calculating the transition probability of each attack stage from the i-th time interval to the (i+1)-th time interval, wherein the expression of the transition probability from the j-th attack stage to the (j+n)-th attack stage from the i-th time interval to the (i+1)-th time interval is $T_{i,i+1,j,j+n} = H'_{i+1,j+n} - H'_{i,j}$, and the expression of the transition probability from the j-th attack stage to the (j-n)-th attack stage from the i-th time interval to the (i+1)-th time interval is $T_{i,i+1,j,j-n} = H'_{i+1,j} - H'_{i,j-n}$,
wherein $0 \le n \le 7$, $1 \le j+n \le 7$ and $1 \le j-n \le 7$.
4. The Markov chain-based network attack stage statistics and prediction method of claim 1, wherein the step S2 of correcting the Markov chain-based state transition matrix specifically comprises:
S21, Markov chain characteristic screening, wherein the Markov chain-based state transition matrix established in the step S1 is analyzed, and the Markov characteristic suitable for the matrix is selected, specifically comprising communication between states, periodicity, transience, recurrence, ergodicity or absorbing states; according to the selected Markov characteristic, the Markov state transition probability matrix is marked as $P = [P_{m,n}]$, $1 \le m, n \le 7$; wherein $P_{m,n}$ represents the probability that the attack is in state m in the i-th time interval and in state n in the (i+1)-th time interval;
S22, determining the correction principle of the state transition matrix, and determining the principle of correcting the state transition matrix of each attack method according to the Markov characteristic selected in the step S21, wherein the expression of the correction principle is as follows:
wherein k is the index over attack stages in the summation, and $T_{m,n}$ represents the total transition probability from the m-th attack state to the n-th attack state;
S23, correcting the data in the state transition matrix, and completing the missing data in the state transition matrix according to the state transition matrix correction principle formula to obtain a corrected Markov chain-based state transition matrix:
5. The Markov chain-based network attack stage statistics and prediction method of claim 1, wherein the step S3 of predicting the attack stage in the network attack kill chain by using the Markov chain specifically comprises:
S31, extracting attack characteristics, extracting fragments of the traffic data in transmission for detecting the attack events in the step S32;
S32, detecting the attack event, inspecting the traffic data packets extracted in the step S31, and judging whether they contain an attack event;
S33, correlating attack events, and determining which stage of which attack method the attack event detected in the step S32 belongs to;
S34, predicting the attack, namely predicting the probability of the next attack action of the attacker by using the state transition matrix in the Markov chain model according to the attack event detected in the step S32, wherein the specific prediction method is that the stage of the currently detected attack event is z, $1 \le z \le 7$, other stages are z', and the current state vector is set as $C = [c_1\ c_2\ c_3\ c_4\ c_5\ c_6\ c_7]$, wherein $c_z = 1$ and $c_{z'} = 0$ for $z' \ne z$, and the next state vector is $D = C \times P = [d_1\ d_2\ d_3\ d_4\ d_5\ d_6\ d_7]$, wherein $d_{z+1}$ is the probability of the next attack event occurring;
S35, verifying the prediction, namely verifying the obtained prediction result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110092582.0A CN112769859B (en) | 2021-01-24 | 2021-01-24 | Network attack stage statistical and prediction method based on Markov chain |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112769859A | 2021-05-07 |
CN112769859B | 2021-08-27 |
Family
ID=75706900
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110092582.0A Active CN112769859B (en) | 2021-01-24 | 2021-01-24 | Network attack stage statistical and prediction method based on Markov chain |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112769859B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140041032A1 (en) * | 2012-08-01 | 2014-02-06 | Opera Solutions, Llc | System and Method for Detecting Network Intrusions Using Statistical Models and a Generalized Likelihood Ratio Test |
KR101615587B1 (en) * | 2015-11-06 | 2016-05-11 | 국방과학연구소 | System for implementing Deep Packet Inspection Simulation for detecting and analyzing cyber attack in electronic warfare and Method thereof |
CN108076040A (en) * | 2017-10-11 | 2018-05-25 | 北京邮电大学 | A kind of APT Attack Scenarios method for digging based on killing chain and fuzzy clustering |
CN108418843A (en) * | 2018-06-11 | 2018-08-17 | 中国人民解放军战略支援部队信息工程大学 | Network attack target identification method based on attack graph and system |
CN110365713A (en) * | 2019-08-22 | 2019-10-22 | 中国科学技术大学 | The cyber-defence resource optimum allocation method threatened for advanced duration |
CN110874470A (en) * | 2018-12-29 | 2020-03-10 | 北京安天网络安全技术有限公司 | Method and device for predicting network space security based on network attack |
CN111552973A (en) * | 2020-06-02 | 2020-08-18 | 奇安信科技集团股份有限公司 | Method and device for risk assessment of equipment, electronic equipment and medium |
CN111598475A (en) * | 2020-05-22 | 2020-08-28 | 浙江工业大学 | Power grid risk prediction method based on improved gray Markov model |
CN112087420A (en) * | 2020-07-24 | 2020-12-15 | 西安电子科技大学 | Network killing chain detection method, prediction method and system |
Non-Patent Citations (2)
Title |
---|
GEORGIOS IOANNOU,PANOS LOUVIERIS,NATALIE CLEWLEY,GAVIN POWELL: "A Markov Multi-Phase Transferable Belief Model:", 《 PROCEEDINGS OF THE 16TH INTERNATIONAL CONFERENCE ON INFORMATION FUSION》 * |
牛伟纳: "窃密型复杂网络攻击建模与识别方法研究", 《中国博士学位论文全文数据库信息科技辑》 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114422186A (en) * | 2021-12-21 | 2022-04-29 | 深信服科技股份有限公司 | Attack detection method and device, electronic equipment and storage medium |
CN114422186B (en) * | 2021-12-21 | 2024-05-28 | 深信服科技股份有限公司 | Attack detection method and device, electronic equipment and storage medium |
CN114978617A (en) * | 2022-05-06 | 2022-08-30 | 国网湖北省电力有限公司信息通信公司 | Network attack threat statistical judgment method based on Markov process learning model |
CN114978617B (en) * | 2022-05-06 | 2023-08-08 | 国网湖北省电力有限公司信息通信公司 | Network attack threat statistics judgment method based on Markov process learning model |
CN115941521A (en) * | 2023-01-09 | 2023-04-07 | 广东工业大学 | Data packet characteristic value storage method based on Markov matrix |
CN115941521B (en) * | 2023-01-09 | 2023-05-30 | 广东工业大学 | Data packet eigenvalue storage method based on Markov matrix |
CN117221009A (en) * | 2023-11-07 | 2023-12-12 | 国家工业信息安全发展研究中心 | Network security situation prediction method, device, server and storage medium |
CN117221009B (en) * | 2023-11-07 | 2024-02-20 | 国家工业信息安全发展研究中心 | Network security situation prediction method, device, server and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN112769859B (en) | 2021-08-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112769859B (en) | Network attack stage statistical and prediction method based on Markov chain | |
US9800597B2 (en) | Identifying threats based on hierarchical classification | |
Yu et al. | An automatically tuning intrusion detection system | |
CN107241352B (en) | Network security event classification and prediction method and system | |
US11507881B2 (en) | Analysis apparatus, analysis method, and analysis program for calculating prediction error and extracting error factor | |
Chen et al. | Anomaly network intrusion detection using hidden Markov model | |
CN109698823B (en) | Network threat discovery method | |
CN109194684B (en) | Method and device for simulating denial of service attack and computing equipment | |
CN110392048A (en) | Network security situation awareness model and method based on CE-RBF | |
CN111107096A (en) | Web site safety protection method and device | |
Zhang et al. | Dynamic risk-aware patch scheduling | |
US20130318609A1 (en) | Method and apparatus for quantifying threat situations to recognize network threat in advance | |
CN115987615A (en) | Network behavior safety early warning method and system | |
Wang et al. | Egeria: Efficient dnn training with knowledge-guided layer freezing | |
CN111191683B (en) | Network security situation assessment method based on random forest and Bayesian network | |
Kholidy et al. | Attack prediction models for cloud intrusion detection systems | |
EP4111660B1 (en) | Cyberattack identification in a network environment | |
CN112347474A (en) | Method, device, equipment and storage medium for constructing security threat information | |
CN112769803A (en) | Network threat detection method and device and electronic equipment | |
CN116668124A (en) | Network attack influence situation analysis method, device, equipment and storage medium | |
CN110708296B (en) | VPN account number collapse intelligent detection model based on long-time behavior analysis | |
CN117040664A (en) | Computer system detection method based on network operation safety | |
CN114189364B (en) | Network node path reduction and prediction method based on Markov chain | |
KR102433581B1 (en) | Social advanced persistent threat prediction system and method using time-series learning-type ensemble AI techniques | |
Zhu et al. | Is stubborn mining severe in imperfect GHOST bitcoin-like blockchains? Quantitative analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||