85 results about "Attack analysis" patented technology

A system and method are provided for detecting extension attacks made to a communication enterprise, and taking appropriate remedial action to prevent ongoing attacks and future attacks. One or more attributes of a suspect call are analyzed, and a risk is associated with each analyzed attribute. An overall risk or assessment is then made of the analyzed attributes, attack attributes are logged, and one or more remedial actions may be triggered as a result of the analyzed call attributes. The remedial actions may include recording the call, notifying an administrator of a suspect call, or isolating the communication enterprise from the attack by terminating the call or shutting down selected communication endpoints to prevent calls being made to those extensions. Rules may be applied to the analyzed attributes in order to trigger the appropriate remedial action. The call attributes analyzed may include call destination, call direction, call type, time of day of the call, call duration, whether a call source is spoofed, call volume from a particular call source, and hash values created for a suspect media stream.

The invention discloses a detecting method of DDOS (distributed denial of service) attacks, belonging to the field of computer network safety and comprising the steps that, (1) a data packet interception module is used for analyzing accessed network data packet information; (2) a data packet feature statistic module is used for counting the analyzed network data packet information; (3) a statistical data processing module is used for computing the proportional distribution of all kinds of data packets relative to the total number of the data packets at unit time; (4) a data analyzing module is used for computing an alarm threshold of network data according to stored historical data computed in the steps (2) and (3); (5) the data analyzing module is used for judging whether a network data value at the current unit time exceeds the alarm threshold of the corresponding network data or not; if exceeds, the network data is submitted to an attack analyzing module; and (6) the attack analyzing module is used for generating a detection report according to the received network data value. Compared with the prior art, by integrating the historical data transmitted by a network, the invention carries out further analysis on the current network data, and can identify various ddos attacks.

The invention relates to the technical field of computer security, and in particular to a security defensive system and a defensive method based on a software-defined network. The security defensive system comprises a network control module, an attack analysis module, a progress detection module and a network flow detection module, wherein the network control module is used for intercepting a network data packet between virtual machines and used for forwarding acquired flow information to the attack analysis module; the attack analysis module is used for receiving flow information from the virtual machines of the network control module, used for scheduling the progress detection module to detect whether the progress is questionable, and used for scheduling the network flow detection module to execute deep detection on questionable flow if necessary. Aiming at expansion of virtual switches for flow forwarding among virtual machines in a conventional virtual machine server, the invention discloses a deep defensive system which is capable of intercepting, detecting and reorienting the flow, and the purposes of preventing and stopping attack behaviors of virtual machines of a network cluster are achieved.

An apparatus for detecting a network attack includes a traffic image generator for generating a traffic image using traffic information and additional IP information extracted from the traffic information; a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack; and a network attack analyzer for analyzing the traffic image at a time when the network attack is detected to detect network attack information and pattern information of the network attack. A representation unit for visualizing the network attack information and the pattern information of the network attack.

The invention discloses an abnormal flow detection system and an abnormal flow detection method based on a service model. The abnormal flow detection system comprises a data acquisition and analysis device, a first data detection device, and a second data detection device. The data acquisition and analysis device is used for acquisition and analysis of original target flow data of a target networkport. The first data detection device is used to filter the analyzed target flow data according to a preset flow information white list and a preset flow information black list, and is used to transmit the first flow data of the original target flow data, which is not matched with the flow information white list and the flow information black list, to the second data detection device. The seconddata detection device is used to carry out the flow attack determining of the first flow data according to a preset flow attack analysis module, and is used to identify abnormal flow data from the first flow data. By adopting the method and the system provided by the invention, problems of conventional abnormal flow detection methods such as detection lag, high detection costs, and limited detection capability are effectively solved.

This invention is based on the time and events sequence to analysis attacking detection methods and devices involved in exchange for the function of the network. It is a methods and devices to prevent removing data from the data transmission channel without permission .The method provides a complex text-based attack description language to make the user can amend the built-related characteristics, and add new features of related events. The present invention include: basic rules of the incident, the rules of the association, first level detection engine, correlation analysis engine. The whole process of attacking are described more comprehensive and reasonable taking into account the time factor and the order of events Such description and testing which distinct the basic incidents more carefully are more in line with the requirements of detecting attacks. The invention also describes the relation between alarm incident and not alarm incident.

The invention discloses an industrial radio control system semi-physical security experiment platform. The platform comprises a simulation module, a controller host computer, a monitoring site, a programmable logic controller (PLC), an industrial radio communication device and a universal software radio peripheral (USRP) for simulating attacks. The simulation module is used for erecting a virtual controlled object and simulating different industrial scenes. The controller host computer is used for simulating different control algorithms. The monitoring site monitors in real time state signals, control signals and the like in a system operation process and stores correlation data in a database. The USRP is used for simulating a typical industrial radio attack mode. According to the experimental platform, through simulating a typical industrial object and a control algorithm, an attack on an industrial radio channel is simulated by use of the USRP, and the security of an industrial radio protocol and the control system performance under a typical attack are analyzed. The industrial radio control system semi-physical security experiment platform is low in system cost and can be applied to simulation of a typical industrial control object and a corresponding control algorithm and evaluation of the influence of a typical industrial radio attack on an industrial control system.

The invention brings forward an active trapping method based on behavior capturing. A trapping system is established in a formulated network area. The active trapping method comprises the following three links: (1) an active trapping system is established in an advance defense of a network defense system, and an active trapping engine technology is adopted; an active trapping engine, target cheating, attack capturing, attack control, attack analysis and characteristic extracting are established in multiple systems included by a computer; (2) a dynamic depth target cheating attack behavior is utilized to trap a real attack objective of an attacker; (3) and the active trapping system makes the attacker be sure of the attack target according to the aforementioned judgment results so that the real attack objective of the attacker is trapped. According to the active trapping method based on behavior capturing, known and unknown attack behaviors can be captured, the security state of the whole network is mastered and the network security level is enhanced.

The invention discloses an information security defense rule intelligent deployment method based on an improved particle swarm optimization. The method comprises the steps of deployment strategies of the intelligent learning algorithm and security rules; according to attack frequency and type and potential attacks in parametric improved particle swarm optimization system logs, the intelligent learning algorithm is adopted for deployment on the condition that normal resource overheads of a security defense system are not influenced, rule deployment is conducted for the actual environment of the network, an access log attack analysis engine which can defend existing attacks and see through the potential attacks according to network conditions and has the independent attack analysis ability is adopted, and common attacks can be recognized through the access logs. According to the information security defense rule intelligent deployment method, on the condition that an existing security rule defense flow or principle is not influenced, intelligent deployment is conducted on the rules, and the intelligent deployment is different from manual deployment. On the basis of the existing manual deployment, defense pertinence of security products is improved, and server overheads are reduced to a greater degree.

The invention discloses a security detection method for the design of cryptographic algorithm hardware. The method comprises the steps of analyzing cryptographic algorithm, and adding protective measures into the cryptographic algorithm according to an analyzing result; performing architectural design on password hardware, and formulating and adding the hardware protective measures; programming the password hardware, and generating an ASIC (Application Specific Integrated Circuit) password chip circuit layout according to the programming result; and performing power resistance analysis on the password chip, and verifying the security of the chip, including the acquiring of power consumption information and the analysis of data. According to the method, the characteristic of an EDA (Electronic Design Automation) tool capable of stimulating the chip operation power consumption to obtain the stimulated power consumption of the chip at a chip design early stage can be maximally utilized, so that the stimulated power consumption is more accurate in operation, lower in noise, simpler in power alignment, and is more likely to perform power consumption attack analysis in comparison with the operation consumption of the chip. The stimulated and synthesized results are only analyzed and the real chip is not needed, so that the research cost is low, and the total cost for producing the password chips in a company can be reduced.

This invention discloses a warning system of a database-hit attack. The warning system is used for finding a database-hit attack of an application server in the internet. The warning system of the database-hit attack comprises a client, an application server, a network device and a database-hit attack analyzing device, wherein the client is connected with the network device through the internet; the network device is connected with the application server and the database-hit attack analyzing device; the network device is used for performing a mirroring process to communication data transmitted between the client and the application server so as to generate mirror data corresponding to the communication data, and sending the mirror data to the database-hit attack analyzing device; the database-hit attack analyzing device is used for acquiring the mirror data from the network device; a user access action corresponding to the communication data is acquired according to the mirror data; according to the user access action, judge whether the application server is suffering the database-hit attack or not; if so, a warning is sent in real time.

The invention discloses an attack defense method, device and equipment and a storage medium, relates to the technical field of information safety, and the method and the device can be used for intelligent transportation or automatic driving scenes. According to the specific implementation scheme, the method comprises the steps of obtaining an instruction set comprising at least one instruction forcontrolling the state of the vehicle, and respectively comparing each instruction in the instruction set with at least one attack instruction in an attack behavior knowledge base, determining a maximum similarity value corresponding to each instruction, and determining the type and processing strategy of each instruction according to the maximum similarity value corresponding to each instructionand a preset similarity range. According to the technical scheme, each attack instruction in the attack behavior knowledge base is obtained by performing attack analysis on the chain type data set ofat least one vehicle-mounted component, and the context data of the source data is associated when the attack instruction is generated, so that the accuracy of the determined instruction type and theattack defense precision are improved.

The invention discloses a method for verifying safety of an SM2 signature algorithm based on an improved difference error attack, wherein the method comprises the steps as follows: 1) using the SM2 signature algorithm to sign a message M, injecting an error when scalar multiplication of a generated random number k and an elliptic curve base point G of the SM2 signature algorithm is iterated to the No.i times so as to change part of bit value of y coordinate of a medium value in the No.i times; 2) recovering the continuous bit value of the random number k by using the signature result obtained in the step 1), an attestation public key PA and a message M hashing value e; 3) configuring an HNP problem by using the continuous bit value and a wrong signature result, and analyzing a private key by using a lattice attack, and judging whether the current SM2 signature algorithm is safe according to the private key. The method of the invention can insert error more simply and comprehensively analyze the safety that the SM2 signature algorithm resists an attack.

The embodiment of the invention discloses a method and device for identifying an XSS attack, and a computer-readable storage medium. The data to be detected is preprocessed to obtain a digital vector. the trained character-based convolutional neural network model is used to process the digital vector to obtain the attack probability of XSS. When the XSS attack probability value is greater than orequal to the preset threshold, the output data to be detected is XSS attack data. Compared with the prior art, the technical scheme does not need to make rules artificially, and only needs to use thetrained character-type convolution neural network model for XSS attack analysis. The model uses the network structure of convolution neural network, and can identify some attacks with similar structure, which improves the generalization ability of the model. And the character-based convolution neural network model can take each character as the smallest processing unit. Compared with word segmentation processing, it can learn deeper semantics and improve the accuracy of XSS attack recognition.

The invention discloses a high-accuracy DDOS attack detection method, which belongs to the field of computer network security. The method is as follows: the data packet interception module analyzes the access network data packet information; the data packet feature statistics module performs statistics on the parsed network data packet information; The proportion distribution of the total number of packets; the data analysis module calculates the alarm threshold of network data according to the calculated historical data stored; Submit it to the attack analysis module; the attack analysis module generates a detection report according to the received network data value. Compared with the prior art, the present invention integrates the historical data of network transmission, deeply analyzes the current network data, and can identify various DDOS attacks.

The invention provides a data analysis method for coping with a cloud computing network attack and a server, which can intelligently respond to a network attack analysis instruction and collect a potential abnormal session information set in cloud service activity big data triggering an information security response mechanism. Then, the method can be used for guiding a big data attack analysis network to identify cloud service activity big data triggering an information security response mechanism based on the potential abnormal session information set, so that the attack identification operand of the big data attack analysis network is reduced; compared with a traditional thought of manually positioning the potential abnormal session information set for a big data attack analysis network, the method has the advantages that the intelligent degree of network attack identification for cloud service activity big data can be improved; and unnecessary resource overhead is reduced.

The invention provides a network attack analysis method, a network attack analysis device, computing equipment and a medium. The method comprises the following steps: detecting a first network data flow in response to the received first network data flow to determine whether the first network data flow has a network attack file or not; if it is determined that the network attack file exists in thefirst network data stream, obtaining path information of the network attack file; and in response to receiving the request, performing attack analysis on the request to determine whether the electronic device corresponding to the path information is being attacked by the network, the request including the path information of the network attack file and the request belonging to the second networkdata flow, and the receiving time of the second network data flow being later than the receiving time of the first network data flow.

The invention relates to the technical field of cloud services and data attack analysis, in particular to a data attack analysis method applied to cloud services and a server. Due to the fact that in the attack intention analysis process, service event positioning processing can analyze a random and changeable service environment, according to at least one first sensitive interaction event, the first target service session set in the cloud service log triggering the data attack analysis condition is determined, and the first multi-modal interaction event corresponding to the first target service session set is determined, that is, the intention analysis result in the attack intention analysis process is obtained, according to the first multi-modal interaction event, attack intention positioning processing is started, so that a first target data attack intention corresponding to the first target service session set in the service scene can be obtained, so that the intention analysis of the service session sets in different states in the cloud service log triggering the data attack analysis condition can be efficiently and accurately realized.

The invention discloses a multi-step attack tracing method and system, a terminal and a readable storage medium. The tracing method comprises the following steps: formatting a log, extracting event features from the log, establishing a feature relationship, and constructing an event relationship graph according to the feature relationship; weighting the event relation graph through the weight vector to obtain a weighted relation graph; transmitting the weighted relation graph to a community detection module, performing relation division on the weighted relation graph through a community discovery algorithm, and discovering an attack community; after the community is found, based on the obtained attack community, according to the event logic relationship, establishing a sequence, and constructing an attack process. The invention also provides a system, a terminal and a readable storage medium for realizing the method, the problem of state explosion caused by relationship connection canbe solved by utilizing multiple log association analysis, the attack process of multi-step attack can be effectively analyzed, and the method can be used for multi-log-based attack analysis in varioussystems.