APT attack scene mining method based on intrusion kill chain and fuzzy clustering

A fuzzy clustering and attack scenario technology, applied in electrical components, transmission systems, etc., which can solve problems such as incomplete attack paths and alarms that cannot be matched, and achieves the effects of high alarm correlation and improved accuracy.

Active Publication Date: 2018-05-25
BEIJING UNIV OF POSTS & TELECOMM

AI Technical Summary

Problems solved by technology

[0005] However, the establishment of an APT attack model requires expert knowledge. If the attack model is incomplete, there will be problems that the alarm cannot be matched and the formed path is incomplete.



Embodiment Construction

[0037] In order to make the above-mentioned features and advantages of the present invention more comprehensible, the present invention will be further described in detail below in conjunction with specific embodiments and accompanying drawings.

[0038] See Figure 2, which shows a flow chart of the APT attack scenario mining method based on the kill chain and fuzzy clustering provided by an embodiment of the present invention. The algorithm forms attack sequences by fuzzy clustering; in addition to common attributes such as IP addresses and timestamps, an attack event dimension based on the kill chain model is added, which improves the correlation between the alarms within an attack sequence and thereby the accuracy of APT scene mining. All attack sequences produced by clustering are then analyzed to mine the APT attack scene graph, in the following specific steps:

[0039] Step 1:

[0040] The data source of this embodiment is the alarm log data of...


Abstract

The invention discloses an APT attack scene mining method based on an intrusion kill chain and fuzzy clustering. The method can be used for mining an APT attack scene from intrusion detection system (IDS) logs. The method comprises the steps of collecting and normalizing the alerts of the intrusion detection system; analyzing the behavior characteristics of attack events in the alert logs based on an intrusion kill chain model and classifying the attack events; carrying out fuzzy clustering on the alert logs to form an attack sequence set; and analyzing the attack sequence set, deleting incomplete sequences, converting each attack sequence into a directed graph, mining a transition probability matrix among the different attack events, and converting the transition probability matrix into an APT attack scene graph with probabilities. According to the method, the APT attack graph in real alerts can be mined, providing a theoretical foundation for APT detection and defense.
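The pipeline the abstract describes (kill-chain classification of alerts, fuzzy clustering into attack sequences, deletion of incomplete sequences, and mining of the transition probability matrix into a probabilistic scene graph), as an added Python example that is not part of the patent or its authors' implementation. The event-to-stage table, the similarity weights, the greedy clustering rule, the completeness criterion (a sequence must reach the C2 stage) and the sample alerts are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed event -> kill-chain stage table (assumed; the page gives no mapping). 0 = recon ... 5 = exfil.
STAGE_OF = {"PortScan": 0, "PhishMail": 1, "WebShellUpload": 2, "Backdoor": 3, "Beacon": 4, "DataTransfer": 5}

def similarity(a, b, tau=3600.0):
    """Fuzzy similarity in [0, 1] of alert b to alert a; weights and time constant are assumed."""
    same_pair = 1.0 if (a["src"], a["dst"]) == (b["src"], b["dst"]) else 0.0
    recency = math.exp(-abs(b["ts"] - a["ts"]) / tau)
    forward = 1.0 if STAGE_OF[b["event"]] >= STAGE_OF[a["event"]] else 0.0  # kill-chain dimension
    return 0.4 * same_pair + 0.3 * recency + 0.3 * forward

def cluster(alerts, threshold=0.75):
    """Greedy clustering in time order: join the most similar sequence or open a new one."""
    seqs = []
    for al in sorted(alerts, key=lambda x: x["ts"]):
        best = max(seqs, key=lambda s: similarity(s[-1], al), default=None)
        if best is not None and similarity(best[-1], al) >= threshold:
            best.append(al)
        else:
            seqs.append([al])
    return [[al["event"] for al in s] for s in seqs]

def is_complete(seq, min_stage=4):
    """Assumed completeness criterion: the sequence reaches at least the C2 stage."""
    return bool(seq) and max(STAGE_OF[e] for e in seq) >= min_stage

def transition_matrix(sequences):
    """Row-normalised event -> next-event probabilities, i.e. the weighted scene-graph edges."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(row.values()) for b, n in row.items()} for a, row in counts.items()}

def mine(alerts):
    """Cluster alerts, drop incomplete sequences, mine the probabilistic APT scene graph."""
    return transition_matrix([s for s in cluster(alerts) if is_complete(s)])

# Constructed IDS alerts (sample input, not from the patent): (src, dst) -> [(ts, event)].
HOSTS = {
    ("10.0.0.5", "10.0.0.20"): [(0, "PortScan"), (600, "WebShellUpload"), (1200, "Backdoor"), (1800, "Beacon"), (2400, "DataTransfer")],
    ("10.0.0.7", "10.0.0.21"): [(100, "PhishMail"), (900, "Backdoor"), (1500, "Beacon")],
    ("10.0.0.9", "10.0.0.22"): [(200, "PortScan"), (800, "WebShellUpload")],  # stops at exploit: incomplete
    ("10.0.0.11", "10.0.0.23"): [(300, "PortScan"), (700, "PhishMail"), (1300, "Backdoor"), (1900, "Beacon")],
}
ALERTS = [{"src": s, "dst": d, "ts": ts, "event": e} for (s, d), evs in HOSTS.items() for ts, e in evs]
if __name__ == "__main__":
    for src, row in mine(ALERTS).items():
        print(f"{src:>14} -> " + ", ".join(f"{dst} ({p:.2f})" for dst, p in row.items()))
```

With the sample alerts the PortScan row splits 0.5/0.5 between WebShellUpload and PhishMail, and the incomplete third sequence contributes no edges.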

Description

Technical field

[0001] The invention relates to the technical field of network security detection, in particular to an APT attack scenario mining method based on the kill chain and fuzzy clustering, which is suitable for mining intrusion detection system alarm logs.

Background technique

[0002] With the development of Internet technology, the network security situation is becoming more severe, attack methods are becoming more complex, and APT attacks are becoming more common, so research on APT has become a hot topic.

[0003] APT attacks differ from traditional attacks in that they are not used to disrupt services but to steal intellectual property and sensitive data. They are staged, long in duration, and use uncertain attack channels. An Intrusion Detection System (IDS) cannot detect an APT attack as a whole; it only generates an alarm for a certain step in the attack.

[0004] The current APT attack detection met...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/1425, H04L63/1441
Inventor: 刘建毅霍彦宇张茹翁芳雨
Owner: BEIJING UNIV OF POSTS & TELECOMM