Full-flow attack detection technology based on machine learning

An attack detection technology based on machine learning, applied in the fields of machine learning, instruments and computing models, that addresses problems such as imperfect network supervision, leakage of sensitive data to the outside and destruction of assets, so as to improve the ability of security confrontation, change working methods and improve analysis efficiency.

Active Publication Date: 2019-11-15
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT

AI Technical Summary

Problems solved by technology

[0004] The purpose of the present invention is to provide a full-flow attack detection technology based on machine learning, so as to solve the problems in the prior art that network supervision is imperfect and that network attacks cause asset damage and send sensitive data to the outside world.


Examples


Application example 1

[0033] For example, the irregular behavior analysis system can detect abnormalities in the relationship between users and servers; here the main observation object is the user. Intranet traffic data, terminal log data and database server data are used to build user profiles, and machine learning algorithms then compute the association or similarity relationships between users. Users with similar behavior and close associations (the gray dots inside the circles in image 3) can be regarded as one virtual group (a circle in image 3). Once some behaviors of a user (the points connected by lines in image 3), such as server login behavior, database access behavior and personal historical behavior, deviate considerably, and at the same time deviate considerably from the behavior of the user's virtual group, the user's behavior can be detected as abnormal.

Application example 2

[0035] For example, irregular behavior analysis can detect anomalies in host traffic; here the main observation object is the entity (the host). Traffic is a general term here: it can be the size of uploaded and downloaded files, the pattern of requests to the database, the pattern of requests to the proxy, and so on. In Figure 4, the blue curve represents the traffic change of one host and one service, and the red dots represent the detected abnormal points. Generally, traffic anomalies can be detected by rules or statistical models, but in Figure 4 there is no significant change in the traffic volume itself; what has changed is the traffic pattern, and this abnormal pattern cannot be directly described by common characteristics such as periodicity, same frequency or high frequency. Here UEBA uses machine learning algorithms to automatically discover abnormal traffic patterns, and then traces the causes of the anomalies.

[0036] According to step (4), t...


Abstract

The invention relates to the technical field of network detection, in particular to a full-flow attack detection technology based on machine learning, which comprises the following steps: (1) acquiring a vulnerability exploitation data packet and capturing network data packets; (2) extracting a rule: analyzing the network characteristics of the exploit from the acquired exploitation data packets and carrying out rule extraction; (3) testing the rule: testing the extracted rule against the captured exploitation data packets offline using the official yara rule testing tool; and (4) applying the rule: using the tested rule in subsequent traffic analysis, alarming on the sessions matched by the rule, and storing the original traffic data packets. The method improves the efficiency of analysis work and greatly improves the security countermeasure capability.

Description

Technical field

[0001] The invention relates to the technical field of network detection, and specifically to a machine learning-based full-flow attack detection technology.

Background technique

[0002] Traditional detection models try to find malicious code or malicious domain names, which leads to the tricky job of continuously discovering and identifying a limited number of malicious events. The tasks are endless, and attackers are always one step ahead, exploiting new vulnerabilities.

[0003] To break this cycle, the new threat detection model focuses on identifying indicators of attack behavior; in other words, the goal of detection shifts from determining what a thing is to what it is doing and what consequences it has. While attackers can hide their threat by making slight changes to the malware or purchasing a new domain name, the behavior and goals of the attack are always similar. For example, almost every attack must establish some form of covert ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06N20/00
CPC: H04L63/1408, H04L63/1433, H04L63/145, G06N20/00
Inventor: 孙波李应博张伟司成祥张建松李胜男毛蔚轩盖伟麟房婧侯美佳董建武
Owner: NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT