Network killing chain detection method, prediction method and system

A detection method and network technology, applied in the field of network security, that can solve problems such as the underlying implementation of the analysis method not being given, the lack of a visualization effect, and the difficulty of obtaining

Active Publication Date: 2020-12-15
XIDIAN UNIV
Cites: 7; Cited by: 12

AI Technical Summary

Problems solved by technology

First, many researchers have only proposed a theoretical framework for the network kill chain problem at the macro level, without giving direct analysis methods or a specific underlying implementation.
Second, the algorithms some researchers have proposed for the kill chain model belong to the category of supervised learning and require labeled data sets as input, which are difficult to obtain in real scenarios.
Finally, only a few researchers have applied the results of cyber kill chain analysis to cyber situational awareness scenarios, and intuitive visualization is lacking.



Examples


Embodiment 1

[0068] This embodiment provides a specific kill chain detection and prediction method, which is implemented according to the following steps:

[0069] Step 1, construct a d-dimensional feature vector:

[0070] (1.1) Count all attack event types in the IDS alarm log data, divide the attack events into the seven stages of the kill chain model according to their characteristics, and add the stage number as a new field to the IDS alarm log data. Here the IDS alarm log data records the details of attacks on the host or server;

[0071] (1.2) Select the d fields relevant to kill chain analysis from the IDS alarm log data;

[0072] (1.3) Suppose a_f and a_g represent two records (two pieces of data) in the IDS alarm log data, where the subscripts f and g are the records' sort positions and n ≥ g > f > 0. Then define the similarity measure of each field as follows:

[0073] (1) The date and time reflect the contextual relationship...

Specific example

[0128] Step 1, construct a 9-dimensional feature vector:

[0129] (1.1) Count all attack event types in the IDS alarm log data, divide the attack events into the seven stages of the kill chain model according to their characteristics, and add the stage number as a new field to the IDS alarm log data. The specific attack events are divided as in the following table:

[0130]

[0131] (1.2) Select the 9 fields related to network kill chain analysis from the IDS alarm log data, as shown in the following table:

[0132]
Field          Description
LocalDateTime  date and time
RequestMethod  HTTP request method
IP             IP address
SeverPort      server port number
ClientPort     client port number
ClientEnv      client environment
HTTPCode       HTTP response code
Locate         geographic location
event          the stage of the attack in the kill chain

[0133] (1.3) Suppose a_f and a_g represent two records (two pieces of data) in the IDS alarm log data re...
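The following Python block is an added example, not code from the patent, that carries steps (1.1) to (1.3) through on a handful of constructed IDS alarm rows: it attaches the stage number as the ninth field, builds the nine-field record and computes a pairwise similarity matrix from per-field similarity measures. Because the page omits the event-to-stage table and truncates the measure definitions after the date/time clause, the event mapping STAGE_OF_EVENT, the exponential time decay with a one-hour scale, the stage-distance rule for the event field and the exact-match rule for the other fields are all this example's assumptions. The block stops at the similarity matrix, which is the affinity input the clustering step (3) would consume; the improved spectral clustering itself is not reproduced here.

```python
from datetime import datetime
from math import exp

# Nine fields from the patent's field table (SeverPort spelled as on the page).
FIELDS = ["LocalDateTime", "RequestMethod", "IP", "SeverPort", "ClientPort",
          "ClientEnv", "HTTPCode", "Locate", "event"]

# Assumed event-type -> kill chain stage mapping (1 reconnaissance ... 7 actions
# on objectives). The page's own table is not reproduced, so these are examples.
STAGE_OF_EVENT = {
    "PortScan": 1, "DirBruteForce": 1,
    "MaliciousUpload": 3,
    "SQLInjection": 4, "RCE": 4,
    "WebShell": 5,
    "C2Beacon": 6,
    "DataExfil": 7,
}

# Constructed IDS alarm rows (not real log data): date/time, method, IP,
# server port, client port, client environment, HTTP code, location, event type.
RAW_ALERTS = [
    ("2020-03-01 10:00:00", "GET", "203.0.113.5", 80, 51000, "python-requests", 404, "CN", "PortScan"),
    ("2020-03-01 10:00:30", "GET", "203.0.113.5", 80, 51001, "python-requests", 404, "CN", "DirBruteForce"),
    ("2020-03-01 10:05:00", "POST", "203.0.113.5", 80, 51010, "python-requests", 200, "CN", "SQLInjection"),
    ("2020-03-01 10:06:00", "POST", "203.0.113.5", 80, 51011, "python-requests", 200, "CN", "WebShell"),
    ("2020-03-03 22:00:00", "GET", "198.51.100.9", 443, 40000, "Mozilla/5.0", 200, "US", "PortScan"),
]

TIME_SCALE_SECONDS = 3600.0  # assumed decay scale for the date/time similarity


def to_record(raw):
    """Steps (1.1)/(1.2): replace the event type by its stage number and keep the nine fields."""
    dt, method, ip, sport, cport, env, code, loc, etype = raw
    values = [datetime.strptime(dt, "%Y-%m-%d %H:%M:%S"), method, ip, sport,
              cport, env, code, loc, STAGE_OF_EVENT[etype]]
    return dict(zip(FIELDS, values))


def field_similarity(name, x, y):
    """Step (1.3): similarity of one field, in [0, 1].

    Assumed rules: date/time decays exponentially with the time gap (the page
    only says it reflects the contextual relationship); the stage number uses
    distance on the 1..7 scale; every other field is an exact-match test.
    """
    if name == "LocalDateTime":
        return exp(-abs((x - y).total_seconds()) / TIME_SCALE_SECONDS)
    if name == "event":
        return 1.0 - abs(x - y) / 6.0
    return 1.0 if x == y else 0.0


def similarity(a_f, a_g):
    """Mean of the per-field similarities between records a_f and a_g."""
    return sum(field_similarity(n, a_f[n], a_g[n]) for n in FIELDS) / len(FIELDS)


def similarity_matrix(records):
    """Symmetric n x n matrix that the clustering step would take as its affinity input."""
    n = len(records)
    return [[similarity(records[f], records[g]) for g in range(n)] for f in range(n)]


RECORDS = [to_record(r) for r in RAW_ALERTS]
SIM = similarity_matrix(RECORDS)

if __name__ == "__main__":
    for row in SIM:
        print(" ".join(f"{v:.2f}" for v in row))
```

In the constructed sample the four alerts from 203.0.113.5 within six minutes score far higher against each other than against the unrelated scan two days later, which is the separation a clustering step relies on; the ClientPort field contributes nothing between distinct rows under exact matching, which is the kind of field the unsupervised feature selection of step (2) would be expected to drop.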



Abstract

The invention discloses a network kill chain detection method, a network kill chain prediction method, and a network kill chain detection and prediction system. The detection method comprises the following steps: (1) constructing a d-dimensional feature vector; (2) reducing the d-dimensional feature vector to a k-dimensional feature vector with an unsupervised feature selection algorithm; (3) obtaining the set of network kill chain attack event sequences from the k-dimensional feature vector, where, because the number of kill chains contained in real IDS alarm log data cannot be known in advance, the improved spectral clustering algorithm disclosed by the invention is unsupervised and, unlike supervised learning methods, also identifies the number of clusters automatically; (4) performing prediction analysis on the obtained network kill chain sequences using Markov theory and three network kill chain variant models; and (5) realizing the kill chain detection and prediction system on the basis of this theoretical analysis.
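As an added example for the prediction step (4), and not the patent's own code, the following Python estimates a first-order Markov transition matrix from mined kill-chain stage sequences, predicts the most likely next stage, and computes the probability of reaching the final stage within a given number of transitions. The stage sequences in CHAINS are constructed, the additive smoothing constant and the absorbing-state treatment of the target stage are this example's choices, and the three kill chain variant models named in the abstract are not reproduced because the page does not describe them.

```python
STAGES = 7  # seven-stage kill chain model of the page; stages are numbered 1..7

# Constructed kill-chain stage sequences, one per mined attack chain (not data
# from the patent). Each list is the ordered stage numbers of one chain.
CHAINS = [
    [1, 1, 4, 5, 6, 7],
    [1, 4, 5, 6],
    [1, 1, 3, 4],
    [1, 4, 5, 6, 7],
    [3, 4, 5],
]


def transition_matrix(chains, alpha=1.0):
    """First-order Markov estimate: P[i][j] = Pr(next stage j+1 | current stage i+1).

    Additive smoothing with `alpha` (assumed here; the page does not fix one)
    keeps unseen transitions at a small non-zero probability. A stage with no
    observed outgoing transition gets a uniform row when alpha is 0.
    """
    counts = [[0.0] * STAGES for _ in range(STAGES)]
    for chain in chains:
        for cur, nxt in zip(chain, chain[1:]):
            counts[cur - 1][nxt - 1] += 1.0
    matrix = []
    for row in counts:
        total = sum(row) + alpha * STAGES
        if total == 0.0:
            matrix.append([1.0 / STAGES] * STAGES)
        else:
            matrix.append([(c + alpha) / total for c in row])
    return matrix


def predict_next(matrix, stage):
    """Most probable next stage (1-based) given the current stage."""
    row = matrix[stage - 1]
    return row.index(max(row)) + 1


def reach_probability(matrix, start, target, steps):
    """Probability that a chain now at `start` reaches `target` within `steps`
    transitions, treating `target` as absorbing (e.g. stage 7, actions on objectives)."""
    dist = [0.0] * STAGES
    dist[start - 1] = 1.0
    for _ in range(steps):
        nxt = [0.0] * STAGES
        for i, p in enumerate(dist):
            if p == 0.0:
                continue
            if i == target - 1:
                nxt[i] += p          # absorbed: stay at the target
                continue
            for j in range(STAGES):
                nxt[j] += p * matrix[i][j]
        dist = nxt
    return dist[target - 1]


if __name__ == "__main__":
    P = transition_matrix(CHAINS)
    for s in range(1, STAGES + 1):
        print(f"stage {s} -> most likely next stage {predict_next(P, s)}")
    print(f"P(reach stage 7 within 3 steps from stage 4) = {reach_probability(P, 4, 7, 3):.3f}")
```

The reach probability is the quantity a situational-awareness view would surface per active chain: a chain already at installation (stage 5) with a high probability of reaching stage 7 in two transitions deserves attention before one that is still at reconnaissance, regardless of how many alerts each has generated.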

Description

Technical field
[0001] The invention belongs to the field of network security, and further relates to the mining of log data, specifically a machine learning-based network kill chain detection method, prediction method and system.

Background technique
[0002] With the development of mobile technology and the popularity of social networking, the ubiquitous role and contribution of the Internet in daily life has made computers more vulnerable to cyber attacks. According to the 2018 Cyber Attack Overview Statistics released by Symantec in April 2019, the proportion of banking Trojan attacks rose from 4% to 16%, and new types of attack keep emerging. The motives for these cyber attacks vary, including but not limited to financial gain, personal injury, intellectual property theft, and political damage. Even with traditional multi-layered security defenses, attackers are able to infiltrate the network and remain persistent...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06; G06K9/62; G06N20/00
CPC: H04L63/1416; H04L63/1425; G06N20/00; G06F18/2323
Inventors: 杨晗, 权义宁, 苗启广, 宋建锋, 戚玉涛, 谢琨, 孙鹏岗
Owner: XIDIAN UNIV