Attack path restoration method, device and apparatus and storage medium

An attack path restoration method, device, apparatus and storage medium. It addresses the problem that the prior knowledge relied on by existing methods does not generalize across attacks, and aims for better generalization and adaptability.

Active Publication Date: 2021-02-26
Applicant: BEIJING TOPSEC NETWORK SECURITY TECH (and 2 others)

AI Technical Summary

Problems solved by technology

Existing methods require a large amount of prior knowledge, but attackers change their techniques frequently, so that prior knowledge often does not generalize to new attacks.

Examples


Embodiment 1

[0044] See figure 1, a schematic flowchart of the attack path restoration method disclosed in this embodiment of the present application. As shown in figure 1, the method comprises the following steps:

[0045] 101. Obtain security event data from the target system;

[0046] 102. Abstractly map the security event data onto the ATT&CK framework to obtain state information of the target system;

[0047] 103. Construct a partially observable Markov decision process (POMDP) model from the state information;

[0048] 104. Compute the attack path from the POMDP model.

[0049] In this embodiment, the state information of the target system is obtained by abstractly mapping the security event data onto the ATT&CK model, and it comprises state information for multiple stages of the target system...
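The four steps above, as an added worked example in Python that is not code from the patent or its applicant: constructed alert lines are mapped to ATT&CK tactics (step 102), the ordered tactic chain is the hidden state of a small partially observable model whose transition and observation probabilities are assumed values, and the attack path is recovered as the most likely stage sequence by Viterbi decoding, with a belief update over the attacker's current stage (step 104). The alert signatures, the signature-to-technique table, the host names and every probability are constructed for illustration, and the attacker's actions are folded into the transition matrix rather than modeled as a separate action set.

```python
"""Added example, not from the patent: alerts -> ATT&CK tactic states ->
POMDP-style belief update and most-likely stage sequence (the restored path)."""
import math
import re

# Hidden states: attacker stage as an ordered chain of ATT&CK tactics (constructed subset).
TACTICS = ["initial-access", "execution", "persistence", "credential-access",
           "lateral-movement", "exfiltration"]
IDX = {t: i for i, t in enumerate(TACTICS)}
N = len(TACTICS)
INITIAL = [0.75] + [0.25 / (N - 1)] * (N - 1)  # assumed prior: attacks start at initial access

# Step 102 mapping (constructed): alert signature -> (ATT&CK technique, tactic).
ALERT_TO_TECHNIQUE = {
    "phishing_attachment_opened": ("T1566.001", "initial-access"),
    "powershell_encoded_command": ("T1059.001", "execution"),
    "scheduled_task_created": ("T1053.005", "persistence"),
    "lsass_memory_read": ("T1003.001", "credential-access"),
    "smb_admin_share_login": ("T1021.002", "lateral-movement"),
    "large_outbound_transfer": ("T1041", "exfiltration"),
}

# Step 101 input (constructed). Line 3 is a deliberate false positive: an
# exfiltration alert long before that stage. Line 4 is benign noise.
SAMPLE_ALERTS = """\
2021-02-26T10:00:01Z host=ws-17 sig=phishing_attachment_opened
2021-02-26T10:00:09Z host=ws-17 sig=powershell_encoded_command
2021-02-26T10:00:12Z host=ws-17 sig=large_outbound_transfer
2021-02-26T10:00:30Z host=ws-17 sig=av_signature_update
2021-02-26T10:01:02Z host=ws-17 sig=scheduled_task_created
2021-02-26T10:04:40Z host=ws-17 sig=lsass_memory_read
2021-02-26T10:06:15Z host=dc-01 sig=smb_admin_share_login
2021-02-26T10:09:58Z host=dc-01 sig=large_outbound_transfer
"""
ALERT_RE = re.compile(r"^(\S+) host=(\S+) sig=(\S+)$")

def alerts_to_observations(raw):
    """Step 102: each alert becomes the tactic it evidences; unmapped alerts
    carry no stage information and are dropped."""
    obs = []
    for line in raw.strip().splitlines():
        m = ALERT_RE.match(line)
        if m and m.group(3) in ALERT_TO_TECHNIQUE:
            obs.append(ALERT_TO_TECHNIQUE[m.group(3)][1])
    return obs

def transition(i, j):
    """Assumed attacker dynamics (actions folded in): mostly stay or advance one stage."""
    if i == N - 1:
        return 0.9 if j == i else 0.1 / (N - 1)
    return 0.5 if j == i else 0.4 if j == i + 1 else 0.1 / (N - 2)

def emission(state, observed):
    """Assumed sensor model: an alert names the true stage 75% of the time."""
    return 0.75 if state == observed else 0.25 / (N - 1)

def belief_update(belief, observed):
    """POMDP belief update: predict through the transition model, then
    condition on the observed tactic and renormalise."""
    pred = [sum(belief[i] * transition(i, j) for i in range(N)) for j in range(N)]
    post = [pred[j] * emission(j, observed) for j in range(N)]
    z = sum(post)
    return [p / z for p in post]

def final_belief(observations):
    """Belief over the attacker's current stage after all alerts."""
    o = [IDX[t] for t in observations]
    if not o:
        return {}
    post = [INITIAL[s] * emission(s, o[0]) for s in range(N)]
    z = sum(post)
    belief = [p / z for p in post]
    for observed in o[1:]:
        belief = belief_update(belief, observed)
    return dict(zip(TACTICS, belief))

def naive_path(observations):
    """Baseline: collapse repeats in raw alert order. Keeps false positives."""
    path = []
    for t in observations:
        if not path or path[-1] != t:
            path.append(t)
    return path

def restore_attack_path(observations):
    """Step 104: Viterbi decoding of the most likely stage sequence, then
    collapse repeats so the result reads as an ordered attack path."""
    o = [IDX[t] for t in observations]
    if not o:
        return []
    logp = [math.log(INITIAL[s] * emission(s, o[0])) for s in range(N)]
    back = []
    for t in range(1, len(o)):
        ptr = [max(range(N), key=lambda p, s=s: logp[p] + math.log(transition(p, s)))
               for s in range(N)]
        logp = [logp[ptr[s]] + math.log(transition(ptr[s], s) * emission(s, o[t]))
                for s in range(N)]
        back.append(ptr)
    seq = [max(range(N), key=lambda s: logp[s])]
    for ptr in reversed(back):
        seq.append(ptr[seq[-1]])
    return naive_path([TACTICS[s] for s in reversed(seq)])

if __name__ == "__main__":
    obs = alerts_to_observations(SAMPLE_ALERTS)
    print("naive path   :", naive_path(obs))
    print("restored path:", restore_attack_path(obs))
```

The deliberate false-positive exfiltration alert in the sample is absorbed by the decoder, because two unlikely transitions (execution to exfiltration and back to persistence) cost more than one mismatched observation, whereas the baseline that merely orders the raw alerts keeps it. That is the robustness to noisy alert data the patent motivates; the probabilities here are placeholders, and in practice the transition and observation models would be estimated from labelled incidents.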

Embodiment 2

[0087] See figure 2, a schematic structural diagram of the attack path restoration device disclosed in this embodiment of the present application. As shown in figure 2, the attack path restoration device comprises:

[0088] an acquisition module 201, configured to acquire security event data from the target system;

[0089] a data preprocessing module 202, configured to abstractly map the security event data onto the ATT&CK framework to obtain state information of the target system;

[0090] a model construction module 203, configured to construct a partially observable Markov decision process model from the state information;

[0091] a calculation module 204, configured to compute the attack path from the partially observable Markov decision process model.

[0092] Compared with the prior art, the device of this embodiment can start from the actual securit...

Embodiment 3

[0128] See figure 3, a schematic structural diagram of the attack path restoration apparatus disclosed in this embodiment of the present application. As shown in figure 3, the attack path restoration apparatus comprises:

[0129] a processor 301; and

[0130] a memory 302, configured to store machine-readable instructions which, when executed by the processor, carry out the attack path restoration method of Embodiment 1 of the present application.

[0131] Compared with the existing technology, the apparatus of this embodiment can start from actual security alarm event data and use the ATT&CK framework to abstract the system state and the attack execution actions into a partially observable Markov decision process model, so that, under the assumption that the attacker has a clear intention but the attack process is complex, the attack process is modeled i...


Abstract

The invention provides an attack path restoration method, device and apparatus and a storage medium. The method comprises the steps of: obtaining security event data from a target system; abstractly mapping the security event data onto the ATT&CK framework to obtain state information of the target system; constructing a partially observable Markov decision process model from the state information; and computing an attack path from the partially observable Markov decision process model. The method has better generalization, adaptability and analysis efficiency.

Description

Technical field

[0001] The present application relates to the fields of attack intent analysis and deep learning, and specifically to an attack path restoration method, device, apparatus and storage medium.

Background technique

[0002] When analyzing a security incident, analysts usually want to restore the attacker's attack path and then analyze the attack intention, the spread method and the command-and-control path.

[0003] At present, existing attack path restoration methods are mainly intention recognition methods based on Bayesian network reasoning: using network topology information and an attack knowledge base together with IDS alarm information, they identify the attacker's intention and provide it to a decision-making system as a basis for decisions. Attack intention identification proceeds by attack scenario generation, IDS alarm aggregation and matching, and updating of the conditional probability distribution of attack behavior p...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06; G06N7/00
CPC: H04L63/1416; H04L63/1433; G06N7/01
Inventors: 鲍青波, 周晓阳, 万可
Owner: BEIJING TOPSEC NETWORK SECURITY TECH