CN117118687A - Multi-stage attack dynamic detection system based on unsupervised learning - Google Patents

Multi-stage attack dynamic detection system based on unsupervised learning

Info

Publication number
CN117118687A
Authority
CN
China
Prior art keywords
attack
stage
module
detection system
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311004071.4A
Other languages
Chinese (zh)
Inventor
王海
王毅
孙涛
任启
高阳
杨晟
赵欣硕
陈琳羽
陈振全
董晓蓉
王立新
于洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
KME Sp zoo
Original Assignee
State Grid Corp of China SGCC
KME Sp zoo
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2023-08-10
Filing date
2023-08-10
Publication date
2023-11-24
2023-08-10 Application filed by State Grid Corp of China SGCC and KME Sp zoo
2023-08-10 Priority to CN202311004071.4A
2023-11-24 Publication of CN117118687A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/02 Capturing of monitoring data
    • H04L 43/028 Capturing of monitoring data by filtering
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a multi-stage attack dynamic detection system based on unsupervised learning, comprising: an intrusion detection system for single-stage attack detection, a data packet matching module, a network flow generation and feature extraction module, a clustering module, an attack type classification module, an attack rule dynamic generation module and a multi-stage attack dynamic detection module. In the attack detection stage, the traffic to be inspected is compared against the generated multi-stage attack rules, so that multiple multi-stage attack patterns are recognised without relying on the details of the single-stage attacks or on the order in which they occur. By clustering suspicious network flows, the system dynamically learns different types of multi-stage network attacks and meets the requirements of multi-stage network attack detection for high efficiency and unsupervised operation.

Description

Multi-stage attack dynamic detection system based on unsupervised learning
Technical Field
The invention relates to the field of network security, in particular to a multi-stage attack dynamic detection system based on unsupervised learning.
Background
Malicious behaviour in today's networks is mostly complex, multi-stage attack activity. While most network-layer or host-layer security products can detect single-stage attacks, they often cannot accurately detect multi-stage attacks. Compared with single-stage attacks, multi-stage attacks last longer and use more complex means; to circumvent conventional security configurations, their duration ranges from a few minutes to a few months. To detect and counter multi-stage attacks correctly, network security administrators therefore have to track and correlate single-stage attack alarms raised on different machines and in different attack scenarios. In recent years, advanced attackers, typified by APT (Advanced Persistent Threat) groups, have kept increasing the complexity of their attack scenarios while maximising the success rate of the attack, carrying out low-rate attacks wherever possible and hiding attack evidence in order to evade detection.
In a multi-stage attack, the following four single-stage attack types can generally be identified from network traffic:
Reconnaissance: the target-selection process, which gathers information on network-reachable systems with potentially exploitable vulnerabilities. It lets an attacker lock onto targets selectively and so lowers the cost of the attack.
Delivery: source code, a program or a payload is sent to the target system.
Command and control (C2): a network channel is established for commanding and controlling the compromised (zombie) host or target system.
Actions: the final objective is achieved, such as destroying the target system, obtaining confidential information or infecting other systems.
Because network environments and attack scenarios differ, these four single-stage attacks do not necessarily all occur, and the order in which they occur also varies frequently, so different combinations of single-stage attacks are possible. Given the complexity of multi-stage attack scenarios, a multi-stage attack is hard to identify correctly unless its pattern has been clearly identified in advance.
Typical multi-stage attack detection methods currently fall into three broad types: knowledge-model-based, attack-semantics-based and statistical-model-based methods. Because these approaches usually rely on correlating the alarms produced by signature-based intrusion detection systems, they require prior knowledge of the details of the single-stage attack activity, and their detection performance is very limited when the single-stage attacks are combined in different ways. To overcome this limitation, recent security solutions such as security information and event management (SIEM) systems use domain-specific knowledge drawn from different logs, honeypots and software-defined networks as additional input attributes. The attack correlation process, however, still depends on well-defined, predefined rules and a comprehensive understanding of the attack pattern, so without prior details of the single-stage attacks their performance is likewise limited when detecting variants of a multi-stage attack.
In general, current research on multi-stage attack detection has three major limitations:
(1) Most multi-stage attack detection methods rely on previously observed details of single-stage attacks, supplied by single-stage attack signatures, and therefore cannot detect new multi-stage attacks;
(2) Besides being unable to detect zero-day attacks, the existing multi-stage attack rule generation schemes have a high false alarm rate because they do not take the order of the single-stage attacks into account;
(3) Individual methods can identify novel multi-stage attacks by detecting zero-day single-stage attacks, but they usually rely on honeypot technology, which fails when an attacker deliberately avoids the honeypot.
Disclosure of Invention
The present invention has been made in view of the above problems, and its object is to provide a multi-stage attack dynamic detection system based on unsupervised learning that overcomes, or at least partially solves, them.
According to one aspect of the present invention, there is provided a multi-stage attack dynamic detection system based on unsupervised learning, the detection system comprising: an intrusion detection system for single-stage attack detection, a data packet matching module, a network flow generation and feature extraction module, a clustering module, an attack type classification module, an attack rule dynamic generation module and a multi-stage attack dynamic detection module.
Optionally, the intrusion detection system for single-stage attack detection comprises signature-based intrusion detection systems and anomaly-based intrusion detection systems, implemented using techniques including deep packet inspection, statistical analysis and machine learning;
and the alarm information generated by the intrusion detection system for single-stage attack detection is input to the data packet matching module.
Optionally, the data packet matching module is configured to filter the network packets that match the alarm information generated by the intrusion detection system for single-stage attack detection: unmatched packets are regarded as normal packets and discarded, and matched packets are marked as suspicious packets;
the data packet matching module simultaneously uses alarm information generated by signature-based or anomaly-based intrusion detection systems.
Optionally, the network flow generation and feature extraction module comprises:
a network flow generation sub-module, which aggregates data packets by four-tuple, the four-tuple being the source IP address, destination IP address, source port and destination port;
specifically, a TCP flow consists of the sequence of packets with the same four-tuple from the SYN packet to the FIN packet; if no FIN packet is seen, the flow is considered ended when the arrival interval between adjacent packets exceeds 5 minutes;
a UDP flow likewise consists of a sequence of packets with the same four-tuple, but as UDP carries no flag information, the inter-packet timeout of a UDP flow is set to 1 minute;
a feature extraction sub-module, which extracts a number of attribute features from each network flow; the network flows produced by the network flow generation and feature extraction module are marked as suspicious network flows.
Optionally, the attribute features include: average packet length, network flow duration, average packet inter-arrival time and payload content.
Optionally, in the attack rule generation stage the clustering module clusters the suspicious network flows produced by the network flow generation and feature extraction module;
before clustering, the features of the suspicious network flows are reduced in dimension using an algorithm such as principal component analysis;
the clustering module uses density-based spatial clustering of applications with noise (DBSCAN) to remove outliers and automatically form a number of clusters; each cluster is given a mark, and the clusters are referred to as marked clusters.
Optionally, in the attack detection stage the attack type classification module assigns the suspicious network flows produced by the network flow generation and feature extraction module to different attack types according to the type and number of marked clusters produced by the clustering module;
the attack type classification module classifies using the K-nearest-neighbour algorithm;
the network flows that the attack type classification module determines to be attacks are referred to as marked suspicious network flows.
Optionally, in the attack detection stage the multi-stage attack dynamic detection module builds a relationship tree, in order of occurrence time, from those marked suspicious network flows that have an association relationship, where two network flows are associated when they have the same source IP address, the same destination IP address or the same destination port; the relationship tree is matched against the multi-stage attack rules generated by the attack rule dynamic generation module, and a matching relationship tree is marked as a multi-stage attack.
The invention provides a multi-stage attack dynamic detection system based on unsupervised learning, comprising: an intrusion detection system for single-stage attack detection, a data packet matching module, a network flow generation and feature extraction module, a clustering module, an attack type classification module, an attack rule dynamic generation module and a multi-stage attack dynamic detection module. In the attack detection stage, the traffic to be inspected is compared against the generated multi-stage attack rules, so that multiple multi-stage attack patterns are recognised without relying on the details of the single-stage attacks or on their order. By clustering suspicious network flows, the system dynamically learns different types of multi-stage network attacks and meets the requirements of multi-stage network attack detection for high efficiency and unsupervised operation.
The foregoing is only an overview of the technical solution of the present invention. In order that it may be understood more clearly and implemented in accordance with the description, and that the above and other objects, features and advantages of the invention become more readily apparent, specific embodiments are described in detail below.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a block diagram of a multi-stage attack dynamic detection system based on unsupervised learning according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprising" and "having", and any variations thereof, in the description, claims and drawings of the embodiments of the invention are intended to cover a non-exclusive inclusion, for example of a series of steps or elements.
The technical scheme of the invention is further described in detail below with reference to the accompanying drawings and the examples.
The invention provides a multi-stage attack dynamic detection system based on unsupervised learning, which divides multi-stage attack detection into an attack rule generation stage and an attack detection stage. In the attack rule generation stage, suspicious traffic passes through data packet matching, network flow generation and feature extraction, is clustered, and multi-stage attack rules are generated. In the attack detection stage, the traffic to be inspected is compared against the generated multi-stage attack rules, so that multiple multi-stage attack patterns are recognised without relying on the details of the single-stage attacks or on their order. By clustering suspicious network flows, the system dynamically learns different types of multi-stage network attacks and meets the requirements of multi-stage network attack detection for high efficiency and unsupervised operation.
As shown in Fig. 1, the multi-stage attack dynamic detection system based on unsupervised learning comprises: an intrusion detection system for single-stage attack detection, a data packet matching module, a network flow generation and feature extraction module, a clustering module, an attack type classification module, an attack rule dynamic generation module and a multi-stage attack dynamic detection module. Unlike previous work, the multi-stage attack rules of this design are generated dynamically without knowing predefined details of the single-stage attack activity. The system does not depend on a predefined attack pattern, can provide a novel multi-stage attack defence for different combinations of single-stage attacks, and identifies different types of multi-stage attacks with high accuracy.
Intrusion detection systems for single-stage attack detection include signature-based and anomaly-based intrusion detection systems, implemented with techniques including deep packet inspection, statistical analysis and machine learning. The invention does not restrict the type or implementation of the intrusion detection system used for single-stage attack detection; the alarm information it generates is input to the data packet matching module.
The data packet matching module filters the network packets that match the alarm information generated by the intrusion detection system for single-stage attack detection: unmatched packets are regarded as normal packets and discarded, and matched packets are marked as suspicious packets. The data packet matching module simultaneously uses alarm information generated by signature-based or anomaly-based intrusion detection systems.
The network flow generation and feature extraction module extracts flow features with an open-source traffic analysis tool such as, but not limited to, Bro (now known as Zeek). Bro provides a comprehensive platform for network traffic analysis with a particular focus on semantics-based security monitoring: it can lay out the devices in a network as a visual graph, and it inspects network traffic down to the individual packet, which makes it a versatile traffic analysis platform. Bro supports custom scripts that let a user extract specific feature information from a network flow. The module comprises a network flow generation sub-module and a feature extraction sub-module. The network flow generation sub-module aggregates packets by four-tuple, namely source IP (Internet Protocol) address, destination IP address, source port and destination port.
Specifically, a TCP (Transmission Control Protocol) flow consists of the sequence of packets with identical four-tuples from the SYN packet to the FIN packet; if no FIN packet is present, the flow is considered ended when the arrival interval between adjacent packets exceeds 5 minutes. A UDP flow likewise consists of a sequence of packets with the same four-tuple, but since UDP carries no flag information, the inter-packet timeout of a UDP flow is set to 1 minute. The feature extraction sub-module extracts a number of attribute features from each network flow, including but not limited to average packet length, network flow duration, average packet inter-arrival time and payload content information. The network flows produced by the network flow generation and feature extraction module are marked as suspicious network flows.
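The packet-matching step and the flow-assembly rules above (directional four-tuple, SYN-to-FIN or a 5-minute idle timeout for TCP, a 1-minute idle timeout for UDP, then the four attribute features) written out as an added example in Python. This is not the patent's or Bro's code: the Packet and Flow types, the alarm record format and the reduction of "payload content" to a byte count are assumptions, and the sample capture and alarms are constructed.

```python
"""Alarm-driven packet matching, 4-tuple flow assembly and per-flow features.
Constructed sample data; added example, not the patent's code."""
from dataclasses import dataclass, field

TCP_IDLE_TIMEOUT = 5 * 60   # seconds: a TCP flow with no FIN ends after a 5-minute gap
UDP_IDLE_TIMEOUT = 60       # seconds: UDP has no flags, so a 1-minute gap ends the flow


@dataclass
class Packet:
    ts: float            # arrival time in seconds
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    length: int          # on-the-wire length in bytes
    flags: str = ""      # TCP flags as letters (S, A, P, F); empty for UDP
    payload: bytes = b""


@dataclass
class Flow:
    key: tuple
    packets: list = field(default_factory=list)


def flow_key(p):
    # The text keys flows on (src, dst, sport, dport); the protocol is added here
    # (an assumption) so that TCP and UDP traffic sharing ports never merge.
    return (p.proto, p.src, p.dst, p.sport, p.dport)


def match_suspicious(packets, alerts):
    """Packet matching module: keep only packets whose 4-tuple appears in an IDS
    alarm; everything else is treated as normal and dropped. Alarm records are
    assumed to carry the 4-tuple (real IDS alert formats differ)."""
    alerted = {(a["src"], a["dst"], a["sport"], a["dport"]) for a in alerts}
    return [p for p in packets if (p.src, p.dst, p.sport, p.dport) in alerted]


def build_flows(packets):
    """Aggregate packets into flows. TCP: SYN to FIN, or idle > 5 min without a
    FIN. UDP: idle > 1 min. Returns flows in the order they were closed."""
    flows, open_flows = [], {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        timeout = TCP_IDLE_TIMEOUT if p.proto == "tcp" else UDP_IDLE_TIMEOUT
        cur = open_flows.get(key)
        if cur is not None and p.ts - cur.packets[-1].ts > timeout:
            flows.append(open_flows.pop(key))       # idle timeout closes the old flow
            cur = None
        if cur is None:
            cur = open_flows[key] = Flow(key)
        cur.packets.append(p)
        if p.proto == "tcp" and "F" in p.flags:
            flows.append(open_flows.pop(key))       # FIN terminates the TCP flow
    flows.extend(open_flows.values())               # flows still open at end of capture
    return flows


def extract_features(flow):
    """The four attribute features named in the text. 'Payload content' is
    reduced to total payload bytes here (an assumption)."""
    pk = flow.packets
    ts = [p.ts for p in pk]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "n_pkts": len(pk),
        "avg_pkt_len": sum(p.length for p in pk) / len(pk),
        "duration": ts[-1] - ts[0],
        "avg_iat": sum(gaps) / len(gaps) if gaps else 0.0,
        "payload_bytes": sum(len(p.payload) for p in pk),
    }


# Constructed capture: an alerted SMB session that goes silent for >5 min with no
# FIN (so it splits into two flows), an alerted DNS exchange, and one benign flow.
SAMPLE_PACKETS = [
    Packet(0.0,   "tcp", "10.0.0.5", "10.0.0.9", 40000, 445, 74,  "S"),
    Packet(0.1,   "tcp", "10.0.0.5", "10.0.0.9", 40000, 445, 66,  "A"),
    Packet(0.2,   "tcp", "10.0.0.5", "10.0.0.9", 40000, 445, 200, "PA", b"x" * 134),
    Packet(400.0, "tcp", "10.0.0.5", "10.0.0.9", 40000, 445, 120, "PA", b"y" * 54),
    Packet(400.5, "tcp", "10.0.0.5", "10.0.0.9", 40000, 445, 66,  "FA"),
    Packet(10.0,  "udp", "10.0.0.5", "10.0.0.1", 51000, 53,  80,  "",   b"q" * 38),
    Packet(10.3,  "udp", "10.0.0.5", "10.0.0.1", 51000, 53,  96,  "",   b"r" * 54),
    Packet(5.0,   "tcp", "10.0.0.7", "10.0.0.8", 52000, 443, 74,  "S"),
]
SAMPLE_ALERTS = [   # constructed IDS alarms; only 10.0.0.5's traffic is alerted
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 445},
    {"src": "10.0.0.5", "dst": "10.0.0.1", "sport": 51000, "dport": 53},
]


def suspicious_flow_features(packets=SAMPLE_PACKETS, alerts=SAMPLE_ALERTS):
    """Alarm matching -> flow assembly -> per-flow features (the suspicious flows)."""
    return [(f.key, extract_features(f)) for f in build_flows(match_suspicious(packets, alerts))]


if __name__ == "__main__":
    for key, feats in suspicious_flow_features():
        print(key, feats)
```

Two points a practitioner would check here: the four-tuple in the text carries no protocol field, so the example adds it to the key to keep TCP and UDP apart; and the tuple is directional, so the server's replies form a separate flow from the client's requests unless a bidirectional key (sorted endpoints) is used instead.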
In the attack rule generation stage, the clustering module clusters and groups the suspicious network flows produced by the network flow generation and feature extraction module. To avoid the poor clustering results caused by high-dimensional data, the features of the suspicious network flows are reduced in dimension before clustering with algorithms including, but not limited to, principal component analysis. Since false-positive alarms from the intrusion detection system degrade the quality of the clustering result, the clustering module uses Density-Based Spatial Clustering of Applications with Noise (DBSCAN) to remove outliers and automatically form a number of clusters; each cluster is given a mark, and these clusters are called marked clusters.
In the attack rule generation stage, the attack rule dynamic generation module takes the marked clusters produced by the clustering module as input and generates multi-stage attack rules by analysing the suspicious network flows they contain. The module has two parts, network flow relationship tree generation and frequent pattern mining. First, a relationship tree is generated, in order of occurrence time, from the network flows in the marked clusters that have an association relationship, where two network flows are associated when they have the same source IP address, the same destination IP address or the same destination port. Then the Apriori association rule mining algorithm is used to find frequent itemsets in the network flow relationship trees; the frequent itemsets output by Apriori are the multi-stage attack rules generated by the attack rule dynamic generation module.
In the attack detection stage, the attack type classification module assigns the suspicious network flows produced by the network flow generation and feature extraction module to different attack types according to the type and number of marked clusters produced by the clustering module. It classifies with the K-nearest-neighbour algorithm. The network flows that the attack type classification module determines to be attacks are referred to as marked suspicious network flows.
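An added example (not the patent's or Bro's code) of the clustering module and the attack type classification module described above: z-score scaling stands in for the PCA step, DBSCAN is implemented directly so that its noise-removal behaviour against IDS false positives is visible, and K-nearest-neighbour assigns a new flow to one of the marked clusters. The feature vectors are constructed and the eps, min_pts and k values are assumptions.

```python
"""DBSCAN marked clusters and K-nearest-neighbour assignment of new flows.
Constructed feature vectors; added example, not the patent's code."""
import math
from collections import Counter

# Constructed suspicious-flow feature vectors:
# (avg_pkt_len, duration_s, avg_iat_s, payload_bytes). Four scan-like flows,
# four beacon-like flows, and one oversized transfer that is an IDS false positive.
SUSPICIOUS_FLOW_FEATURES = [
    (60, 0.01, 0.005, 0), (62, 0.02, 0.01, 0), (58, 0.01, 0.005, 0), (64, 0.03, 0.01, 0),
    (300, 600, 60, 4000), (310, 620, 62, 4100), (290, 590, 59, 3900), (305, 610, 61, 4050),
    (1400, 30, 0.2, 200000),
]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def standardize(vectors):
    """Z-score every feature so seconds and bytes are on a comparable scale.
    Returns the scaled vectors and a function that scales new vectors the same way.
    (The text reduces dimensions with PCA before clustering; that step is omitted.)"""
    n, dims = len(vectors), len(vectors[0])
    means = [sum(v[d] for v in vectors) / n for d in range(dims)]
    stds = [math.sqrt(sum((v[d] - means[d]) ** 2 for v in vectors) / n) or 1.0
            for d in range(dims)]

    def scale(v):
        return tuple((v[d] - means[d]) / stds[d] for d in range(dims))

    return [scale(v) for v in vectors], scale


def dbscan(points, eps, min_pts):
    """Labels: 0..k-1 for clusters, -1 for noise. A core point has at least
    min_pts neighbours (itself included) within eps; clusters grow only through
    core points, so an isolated false positive stays unlabelled."""
    n = len(points)
    nbrs = [[j for j in range(n) if euclid(points[i], points[j]) <= eps] for i in range(n)]
    labels = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(nbrs[i]) < min_pts:
            labels[i] = -1                  # noise for now; may become a border point
            continue
        labels[i] = cluster
        queue = list(nbrs[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster         # border point: joins, but is not expanded
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(nbrs[j]) >= min_pts:
                queue.extend(nbrs[j])
        cluster += 1
    return labels


def knn_label(query, points, labels, k=3):
    """Attack type classification: majority vote of the k nearest clustered
    points; noise points are excluded from the reference set."""
    ref = sorted((euclid(query, p), l) for p, l in zip(points, labels) if l != -1)
    return Counter(l for _, l in ref[:k]).most_common(1)[0][0]


def build_marked_clusters(vectors=SUSPICIOUS_FLOW_FEATURES, eps=0.5, min_pts=3):
    """Rule-generation stage: scale, cluster, and keep the scaler for detection."""
    scaled, scale = standardize(vectors)
    return scaled, dbscan(scaled, eps, min_pts), scale


def classify_new_flow(vector, scaled, labels, scale, k=3):
    """Detection stage: map a new flow's features onto a marked cluster."""
    return knn_label(scale(vector), scaled, labels, k)


if __name__ == "__main__":
    scaled, labels, scale = build_marked_clusters()
    print("cluster marks:", labels)
    print("new flow ->", classify_new_flow((298, 605, 60, 3980), scaled, labels, scale))
```

eps and min_pts decide what counts as noise: with eps=0.5 on z-scored features the lone oversized transfer is left unlabelled rather than forced into a cluster, which is the effect the text wants from DBSCAN against IDS false positives. In a deployment eps is usually chosen from a k-distance plot of the real data rather than fixed in code.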
In the attack detection stage, the multi-stage attack dynamic detection module builds a relationship tree, in order of occurrence time, from those marked suspicious network flows that have an association relationship, where two network flows are associated when they have the same source IP address, the same destination IP address or the same destination port. The relationship tree is then matched against the multi-stage attack rules generated by the attack rule dynamic generation module, and a matching relationship tree is marked as a multi-stage attack.
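The attack rule dynamic generation module (relationship trees plus Apriori frequent itemsets) and the multi-stage attack dynamic detection module (matching trees against rules) share the tree construction, so both are shown in one added example here, covering the two preceding descriptions. It is not the patent's code: the flow record fields, the attack-type labels and the minimum support are assumptions, and all flows are constructed.

```python
"""Relationship trees, Apriori rule mining and rule matching.
Constructed flows; added example, not the patent's code."""
from itertools import combinations


def associated(a, b):
    """Association relation from the text: same source IP, same destination IP,
    or same destination port."""
    return a["src"] == b["src"] or a["dst"] == b["dst"] or a["dport"] == b["dport"]


def build_relationship_trees(flows):
    """Order flows by time and join each flow to the earlier flows it is
    associated with; every connected group is one tree (a time-ordered list)."""
    ordered = sorted(flows, key=lambda f: f["ts"])
    parent = list(range(len(ordered)))          # union-find over flow indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for j in range(len(ordered)):
        for i in range(j):                      # only earlier flows can be parents
            if associated(ordered[i], ordered[j]):
                parent[find(j)] = find(i)
    trees = {}
    for idx, f in enumerate(ordered):
        trees.setdefault(find(idx), []).append(f)
    return list(trees.values())


def apriori(transactions, min_support):
    """Frequent itemsets (frozensets) -> support; a transaction is the set of
    attack-type labels seen in one relationship tree."""
    n = len(transactions)

    def support(items):
        return sum(1 for t in transactions if items <= t) / n

    level = [frozenset([x]) for x in sorted({x for t in transactions for x in t})]
    level = [s for s in level if support(s) >= min_support]
    frequent = {s: support(s) for s in level}
    k = 2
    while level:
        candidates = set()
        for a, b in combinations(level, 2):
            u = a | b
            # Apriori pruning: a k-itemset can only be frequent if every
            # (k-1)-subset was frequent at the previous level.
            if len(u) == k and all(frozenset(c) in frequent for c in combinations(u, k - 1)):
                candidates.add(u)
        level = [c for c in candidates if support(c) >= min_support]
        frequent.update((c, support(c)) for c in level)
        k += 1
    return frequent


def generate_rules(trees, min_support=0.5):
    """Rule-generation stage: a rule is a frequent itemset of at least two
    attack types; the order of the stages is deliberately not part of it."""
    transactions = [{f["label"] for f in t} for t in trees]
    return {s: sup for s, sup in apriori(transactions, min_support).items() if len(s) >= 2}


def detect_multistage(flows, rules):
    """Detection stage: a tree is marked as a multi-stage attack when it
    contains every stage of at least one rule."""
    hits = []
    for tree in build_relationship_trees(flows):
        labels = {f["label"] for f in tree}
        matched = [r for r in rules if r <= labels]
        if matched:
            hits.append((tree, matched))
    return hits


def flow(ts, src, dst, dport, label):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "label": label}


# Constructed marked suspicious flows from the rule-generation stage: two full
# campaigns (recon -> delivery -> c2 from one source) and one lone scan.
TRAINING_FLOWS = [
    flow(0,    "10.0.0.5",  "10.0.0.9",     445,  "recon"),
    flow(100,  "10.0.0.5",  "10.0.0.9",     445,  "delivery"),
    flow(200,  "10.0.0.5",  "203.0.113.7",  8443, "c2"),
    flow(1000, "10.0.0.21", "10.0.0.30",    22,   "recon"),
    flow(1100, "10.0.0.21", "10.0.0.30",    22,   "delivery"),
    flow(1200, "10.0.0.21", "198.51.100.4", 443,  "c2"),
    flow(5000, "10.0.0.40", "10.0.0.50",    3389, "recon"),
]
# Constructed detection-stage flows: a new recon+delivery pair and an unrelated C2 flow.
DETECTION_FLOWS = [
    flow(9000, "10.0.0.77", "10.0.0.80", 445, "recon"),
    flow(9050, "10.0.0.77", "10.0.0.80", 445, "delivery"),
    flow(9100, "10.0.0.90", "192.0.2.1", 443, "c2"),
]

if __name__ == "__main__":
    rules = generate_rules(build_relationship_trees(TRAINING_FLOWS))
    for r, s in rules.items():
        print(sorted(r), f"support={s:.2f}")
    for tree, matched in detect_multistage(DETECTION_FLOWS, rules):
        print("multi-stage attack:", [f["label"] for f in tree], [sorted(m) for m in matched])
```

Two caveats follow directly from the association relation as the text defines it. "Same destination port" joins every flow to a common port (443, 445) into one tree, so on a real network the relation has to be scoped, for example by a time window or subnet, or the trees degenerate into one. And because a rule is an unordered itemset, any tree that happens to contain a recon-type and a delivery-type flow matches the two-stage rule; that is the false-positive cost of the order independence the text chooses.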
Beneficial effects: the invention provides a multi-stage attack dynamic detection system based on unsupervised learning that removes the dependence of conventional detection methods on correlating alarm information generated by signature-based intrusion detection systems, overcomes their difficulty in achieving unsupervised multi-stage attack detection, and addresses the over-reliance of conventional multi-stage attack detection on single-stage attack detection results.
In the invention, the multi-stage attack rules are generated dynamically without knowing predefined details of the single-stage attack activity. The invention does not depend on a predefined attack pattern, can provide a novel multi-stage attack defence for different combinations of single-stage attacks, and identifies different types of multi-stage attacks with high accuracy.
The invention overcomes the long detection cycle and the high false-negative and false-positive rates for single-stage attacks found in conventional multi-stage attack detection methods, and improves the practicality of multi-stage attack detection.
A prototype system has been built, and practice has shown that the invention can effectively detect multi-stage network attacks, in particular east-west lateral movement attacks within a local area network.
The foregoing detailed description of the invention has been presented for purposes of illustration and description. The invention is not limited to the particular embodiments disclosed, but is intended to cover all modifications, equivalents, alternatives and improvements within its spirit and principles.

Claims (8)

1. A multi-stage attack dynamic detection system based on unsupervised learning, the detection system comprising: an intrusion detection system for single-stage attack detection, a data packet matching module, a network flow generation and feature extraction module, a clustering module, an attack type classification module, an attack rule dynamic generation module and a multi-stage attack dynamic detection module.
2. The multi-stage attack dynamic detection system based on unsupervised learning of claim 1, wherein the intrusion detection system for single-stage attack detection comprises signature-based intrusion detection systems and anomaly-based intrusion detection systems implemented using techniques including deep packet inspection, statistical analysis and machine learning;
and the alarm information generated by the intrusion detection system for single-stage attack detection is input to the data packet matching module.
3. The system of claim 1, wherein the data packet matching module is configured to filter the network packets that match alarm information generated by the intrusion detection system for single-stage attack detection, wherein unmatched packets are regarded as normal packets and discarded, and matched packets are marked as suspicious packets;
the data packet matching module simultaneously uses alarm information generated by signature-based or anomaly-based intrusion detection systems.
4. The multi-stage attack dynamic detection system based on unsupervised learning of claim 1, wherein the network flow generation and feature extraction module comprises:
a network flow generation sub-module, which aggregates the data packets by four-tuple, the four-tuple being the source IP address, destination IP address, source port and destination port;
specifically, a TCP flow consists of the sequence of packets with the same four-tuple from the SYN packet to the FIN packet; if no FIN packet is seen, the flow is considered ended when the arrival interval between adjacent packets exceeds 5 minutes;
a UDP flow likewise consists of a sequence of packets with the same four-tuple, but as UDP carries no flag information, the inter-packet timeout of a UDP flow is set to 1 minute;
a feature extraction sub-module, which extracts a number of attribute features from each network flow; the network flows produced by the network flow generation and feature extraction module are marked as suspicious network flows.
5. The unsupervised learning based multi-stage attack dynamic detection system according to claim 4, wherein the attribute features include: average packet length, network flow duration, average packet inter-arrival time and payload content.
6. The multi-stage attack dynamic detection system based on unsupervised learning according to claim 1, wherein in the attack rule generation stage the clustering module clusters the suspicious network flows produced by the network flow generation and feature extraction module;
before clustering, the features of the suspicious network flows are reduced in dimension using an algorithm such as principal component analysis;
the clustering module uses density-based spatial clustering of applications with noise (DBSCAN) to remove outliers and automatically form a number of clusters; each cluster is given a mark, and the clusters are referred to as marked clusters.
7. The multi-stage attack dynamic detection system based on unsupervised learning according to claim 1, wherein in the attack detection stage the attack type classification module assigns the suspicious network flows produced by the network flow generation and feature extraction module to different attack types according to the type and number of marked clusters produced by the clustering module;
the attack type classification module classifies using the K-nearest-neighbour algorithm;
the network flows that the attack type classification module determines to be attacks are referred to as marked suspicious network flows.
8. The system of claim 1, wherein in the attack detection stage the multi-stage attack dynamic detection module builds a relationship tree, in order of occurrence time, from those marked suspicious network flows that have an association relationship, the association relationship being that the source IP addresses of two network flows are identical, or the destination IP addresses are identical, or the destination ports are identical; the relationship tree is matched against the multi-stage attack rules generated by the attack rule dynamic generation module, and a matching relationship tree is marked as a multi-stage attack.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311004071.4A CN117118687A (en) 2023-08-10 2023-08-10 Multi-stage attack dynamic detection system based on unsupervised learning

Publications (1)

Publication Number Publication Date
CN117118687A true CN117118687A (en) 2023-11-24

Family

ID=88799395

Country Status (1)

Country Link
CN (1) CN117118687A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200143052A1 (en) * 2018-11-02 2020-05-07 Microsoft Technology Licensing, Llc Intelligent system for detecting multistage attacks
CN112019497A (en) * 2020-07-10 2020-12-01 上海大学 Word embedding-based multi-stage network attack detection method
CN113821793A (en) * 2021-08-27 2021-12-21 北京工业大学 Multi-stage attack scene construction method and system based on graph convolution neural network
KR20220026858A (en) * 2020-08-26 2022-03-07 국방과학연구소 Method and apparatus for displaying threat alert type

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination