
Key host event identification method based on information flow analysis

A key host event and information flow technology, applied to computer components, character and pattern recognition, computer security devices, etc. It addresses the problems that multi-step file operations such as copying, compressing, dumping and decompressing cannot be recorded, that information flows cannot be captured accurately, and that event chains cannot be extracted accurately, with the effect of alleviating clue explosion, simplifying clues, and reducing analysis cost.

Pending Publication Date: 2021-08-17
INST OF INFORMATION ENG CAS

AI Technical Summary

Problems solved by technology

However, the above methods all rely on the behavioural characteristics of the subject, lack generality, and are difficult to apply to complex and changing attack scenarios.
[0004] In addition, for file operations on the host, the host event recording system can only record single-step operations such as creating, closing, renaming, reading and writing (for example, process P performs a read operation on file A and obtains its content); multi-step operations such as copying, compressing, dumping and decompressing cannot be recorded (for example, process P copies file A to file B, that is, reads file A and then writes file B).
Moreover, each event may depend on many other events, which makes it difficult to capture the information flow accurately and to extract the event chain accurately.



Embodiment Construction

[0029] To enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make its purpose, features and advantages clearer and easier to understand, the technical core of the present invention is described in further detail below with reference to the accompanying drawings and examples.

[0030] This embodiment provides a key host event identification method based on information flow analysis. As shown in the flow chart of Figure 1, it specifically includes the following steps:

[0031] Step 100: Use the ETW framework to collect kernel audit logs to capture host events, including process events and file events.

[0032] Step 200: Perform preprocessing on the host events, which includes filtering the host events according to the operation code and merging file events by using the event attribute. The event attribute is a description of the mu...
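As an added illustration (not code from the patent or its authors), the preprocessing idea of Steps 100 and 200 in Python: ETW-style single-step file events are filtered by opcode, a process's read of one file followed by its write of another is merged into one multi-step key event (the copy/compress/dump case from the background), the absorbed single-step events are dropped as redundant, and the resulting flows are followed to extract an event chain. The merge rule (read followed by a write of a different file within a time window), the opcode set and the sample events are assumptions for the example, not the patent's actual criteria.

```python
from collections import defaultdict, namedtuple
# ts: constructed timestamp; pid: acting process; op: ETW-style operation name; path: file
HostEvent = namedtuple("HostEvent", "ts pid op path")
KeyEvent = namedtuple("KeyEvent", "ts pid src dst")  # multi-step information flow src -> dst

# Constructed sample of ETW-style file events (not real telemetry).
SAMPLE = [
    HostEvent(1, 100, "Create", r"C:\tmp\b.txt"),
    HostEvent(2, 100, "Read",   r"C:\tmp\a.txt"),
    HostEvent(3, 100, "Write",  r"C:\tmp\b.txt"),  # a.txt copied to b.txt
    HostEvent(4, 100, "Close",  r"C:\tmp\b.txt"),  # dropped by the opcode filter
    HostEvent(5, 200, "Read",   r"C:\tmp\b.txt"),
    HostEvent(6, 200, "Write",  r"C:\tmp\b.zip"),  # b.txt compressed to b.zip
    HostEvent(7, 300, "Read",   r"C:\hosts"),      # lone read, stays single-step
]
INFO_FLOW_OPS = {"Create", "Read", "Write", "Rename"}  # assumed opcodes that can carry information

def filter_by_opcode(events):
    """Step 200, part 1: drop events whose opcode cannot move information."""
    return [e for e in events if e.op in INFO_FLOW_OPS]

def merge_file_events(events, window=10):
    """Step 200, part 2 (assumed merge rule): a process's Read of A followed within
    `window` ticks by its Write of a different file B becomes one A->B key event
    (copy/compress/dump/decompress alike); absorbed single-step events are dropped."""
    last_read, consumed, keys = {}, set(), []
    for e in sorted(events):
        if e.op == "Read":
            last_read[e.pid] = e
        elif e.op == "Write":
            r = last_read.get(e.pid)
            if r and r.path != e.path and e.ts - r.ts <= window:
                keys.append(KeyEvent(e.ts, e.pid, r.path, e.path))
                consumed.update((r, e))
    return keys, [e for e in events if e not in consumed]

def flow_chain(keys, start):
    """Follow src->dst key events outward from `start` (breadth-first) to extract the chain."""
    by_src = defaultdict(list)
    for k in keys:
        by_src[k.src].append(k)
    chain, frontier, seen = [], [start], {start}
    while frontier:
        f = frontier.pop(0)
        for k in sorted(by_src[f]):
            if k.dst not in seen:
                seen.add(k.dst)
                chain.append(k)
                frontier.append(k.dst)
    return chain
```

Running `flow_chain(merge_file_events(filter_by_opcode(SAMPLE))[0], r"C:\tmp\a.txt")` yields the two-hop chain a.txt -> b.txt -> b.zip, while the lone read of C:\hosts survives only as an ordinary single-step event.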


Abstract

The invention provides a key host event identification method based on information flow analysis and relates to the field of network attack discovery. It studies the identification of key host events related to file operations on a Windows system. By studying information flow characteristics, it captures the effective information flow relationships among events: an ordinary event that can only express a single-step information flow is enhanced into a key host event that expresses a multi-step information flow, while other invalid dependency relationships and the corresponding redundant events are eliminated. This achieves the aim of clue simplification, alleviates the problem of clue explosion, and allows attack event chains to be extracted more accurately and host-side attacks to be detected more accurately.

Description

Technical field

[0001] The present invention relates to the field of network attack discovery, in particular to a method for assisting network attack discovery by identifying key host events, and more specifically to a key host event identification method based on information flow analysis.

Background technique

[0002] In today's highly interconnected world, cyber attacks pose an increasingly serious threat to personal privacy, life and property safety. Hosts, as an important medium for people's daily work, entertainment and communication, are the main target of cyber attacks and the main place where attacks occur. Attacks that occur on a host inevitably leave traces on it in the form of host events, and host event analysis is an important means of detecting host-side attacks and reconstructing the attack process. However, the large number of host events and the complex dependencies between them lead to the problem of clue explosion. Every application will continuously generate...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06K9/62
CPC: G06F21/566, G06F18/24
Inventors: 冯云, 汪旭童, 刘宝旭, 刘奇旭, 刘潮歌, 张金莉
Owner: INST OF INFORMATION ENG CAS