134 results about "Attack patterns" patented technology

Systems and methods for discovery and classification of denial of service attacks in a distributed computing system may employ local agents on nodes thereof to detect resource-related events. An information later agent may determine if events indicate attacks, perform clustering analysis to determine if they represent known or unknown attack patterns, classify the attacks, and initiate appropriate responses to prevent and/or mitigate the attack, including sending warnings and/or modifying resource pool(s). The information layer agent may consult a knowledge base comprising information associated with known attack patterns, including state-action mappings. An attack tree model and an overlay network (over which detection and/or response messages may be sent) may be constructed for the distributed system. They may be dynamically modified in response to changes in system configuration, state, and/or workload. Reinforcement learning may be applied to the tuning of attack detection and classification techniques and to the identification of appropriate responses.

Provided are systems, methods, and computer-program products for a network device, configured to use data science techniques to manage the deployment of deception mechanisms in a network, where the deception mechanisms can attract and detect threats to the network. In various implementations, the network device can receive network data. The network data can include data produced by an interaction with a deception mechanism. The deception mechanism can be part of the security of the network. An interaction can include a potential threat to the network. The network device can further be configured to analyze the network data using a data science engine, including identifying a pattern of network behavior. The network device can further generate an attack pattern that includes the behavior of the potential threat. The network device can further use the attack pattern to modify deception mechanisms on the network.

In a system and method for detecting network intrusion, the system comprises: a packet capturer which captures at least one packet on a network; a preprocessor which provides feature values dependent on features of each packet captured by the packet capturer; and a learning engine for classifying patterns dependent on the feature values provided by the preprocessor into two different pattern sets, and for selecting one pattern set having more elements from the pattern sets as a reference set so as to detect network intrusion. The network intrusion detection system and method do not depend on historical data according to known attack patterns, and thus not only detect a changed attack pattern but also efficiently detect network intrusion.

A method of determining vulnerability of web application comprises: selecting fixed parameters from parameters of URL link extracted from a website; determining whether a process of determining vulnerability for the selected fixed parameter is completed or not; inserting an attack pattern for each attack type to an input value for the selected fixed parameter, when the process of determining vulnerability for the selected fixed parameter is not completed; and determining vulnerability of the selected fixed parameter by each attack type through an analysis of response to an input of URL link with the attack pattern inserted thereinto.

The invention discloses a DoS/DDoS attack detecting and filtering method based on light-weight intrusion detection. The problem that intrusion detection accuracy still needs to be improved in the prior art is solved through the method. The method includes the steps of 1, flow early warning based on a time window; 2, abnormal flow characteristic processing; 3, rapid attack detection based on rule matching; 4, excavation and detection of attacks of unknown types; 5, attack filtering based on an IP list. Compared with the prior art, through the combination of the light-weight intrusion detection technology with characteristic selection, the problem that an original DoS/DDoS attack detection method based on classification detection is poor in instantaneity is basically solved; through the combination of online incremental learning and characteristic selection, the problems existing in detection of attacks of unknown types are solved, wherein pre-built attack modes of the attacks are not matched.

A method and apparatus for pattern matching using packet reassembly are provided. The pattern matching method using packet reassembly includes: extracting serial information in relation to a current input packet; determining whether or not pattern matching result information in relation to one or more previous packets and/or subsequent packets on the basis of the serial number of the current input packet is already stored; loading the pattern matching result information in relation to the previous packets and/or subsequent packets; and reassembling the loaded pattern matching result information in relation to the previous packets and/or subsequent packets and the current input packet and performing pattern matching with attack patterns which are already stored. Accordingly, by using packet reassembly, a method and apparatus for pattern matching capable of reducing memory usage without lowering the speed can be provided

A method for restoring or enhancing an environmental resistant coating of a coating total thickness within a coating design thickness range on a metal substrate of an article includes the application of a restoring or enhancing metal to at least one discrete local surface area. Then at least the discrete local surface area is coated with an environmental resistant coating. For use of the method to restore a coating on an article which has experienced service operation and the discrete surface area includes an undesirable amount of oxidation/corrosion products, the oxidation/corrosion products first are removed from an outer portion of the coating while retaining a coating present at the discrete surface areas and retaining the entire coating on surface areas adjacent the discrete surface areas. Then the restoration metal is applied. For use of the method to enhance an existing coating, at least one discrete surface area is selected based on an oxidation/corrosion attack pattern identified from similar articles which experienced service operation in apparatus of a design for which the article is intended. Then the enhancing metal is applied to the selected area.

This invention relates to an system based on alarming cluster and associated network safety including a monitor module, a buffer memory module, a hierachi clustering module, a database process module, an associated analysis module and an alarm and response module integrated on the upper control stand. The hierachi clustering module can reduce the same or similar redundant alarm information, so as to reduce its transmission volume or extra loads and reduce process burden of network managers who can be even more clear about the attack behavior and configurated safety strategy.

The invention provides an information security risk assessment method oriented to a typical metallurgy process control system and belongs to the technical field of industrial control system information security. The system robustness under different attack modes and policies is analyzed by establishing an attack model under the typical scenes of the metallurgy process, and therefore, the security risk assessment on the typical metallurgy process control system in different attack modes and a failure mode can be realized. Based on the risk theory, the method is used for performing the security risk assessment by use of a random probability algorithm by defining the metallurgy process control system as a physical information fusion system; from the two aspects of the occurrence probability and the influence of attack sources or failure sources, a security assessment method based on risk indexes is developed. Quantitative estimation is performed based on risk indexes; a security incident set is created based on the established physical information fusion model and attack model, and then the security incident set is combined with the calculated robustness assessment indexes for the quantitative estimation, and therefore, the weak security links in the control system can be located conveniently.

The invention discloses an information security event automatic association and rapid response method and system based on big data analysis. The method and the system comprise an offline association module, an online association module, an element alarm comparison module, an element alarm priority module, an element alarm clustering module, an attack mode discovering module and an alarm response system/work order module. Through adoption of the method and the system, alarms reported by a security device are aggregated into element alarms for correlation analysis by using a big data technique, thus generating multiple element alarms. Element alarm priority analysis is carried out after alarm correlation analysis is carried out; alarm priorities corresponding to element alarms are distributed; an alarm response system informs related personnel and the delegates related personnel to check and repair faults according to the alarm level priorities; the alarm response time is remarkably shortened; and misinformation generated by information security devices such as IDS (Intrusion Detection Systems) is eliminated.

The invention relates to an attack mode detection method based on an event slide window. The method comprises the steps of S1, normalizing, integrating, compressing and preprocessing warning information, and aggregating the warning information with approximate attribute similarity into super warning; S2, carrying out protocol on frequent items, thereby obtaining frequent correlation sequence patterns according to a causal correlation matrix; S3, for the new frequent correlation sequence patterns at each time and warning pairs of the frequent correlation sequence patterns with different attributes, carrying out weight average on the participating attributes; and S4, generating an attack pattern graph consistent with invasion characteristics. According to the method, attack patterns existing in warning logs can be mined efficiently and accurately, new invasion access behaviors can be identified or intercepted rapidly, and the accuracy and speed of mining the attack patterns in the massive and seemingly meaningless warning logs can be greatly improved.

The invention discloses a wireless multi-step attack mode excavation method for WLAN. The method comprises the following steps of: 1, building a global attack library, consisting of: classifying wireless alarm according to different AP information in a WLAN environment and BSSID information of the AP, and building the global attack library based on the AP according to attributes of occurrence time; 2, building candidate attack links; 3, screening the candidate attack links; 4, correlating a multi-step attack behavior; 5, identifying a multi-step attack mode, consisting of: computing the correlation between adjacent attacks in the attack link, deleting the attack link with the correlation lower than a predetermined correlation threshold, and finally identifying the wireless multi-step attack mode. The wireless multi-step attack mode excavation method for WLAN has the advantages of being applicable to actual attack scenes of WLAN, and capable of effectively excavating the wireless multi-step attack mode and providing bases for the pre-identification of the multi-step attack intention.

The invention relates to the technical field of communication security, and more particularly to a key generation and distribution method for a wireless communication system. The key generation and distribution method comprises the steps that: a terminal and an access point generate physical layer keys based on wireless communication channel features of the two parties; an authentication center generates authentication data and a non-access-layer key by means of a root key associated with identity of the terminal and an access-layer authentication key; the terminal authenticates the access point and the authentication center by utilizing the root key, the access-layer authentication key and the received authentication data of the authentication center; the authentication center authenticates the terminal by utilizing the root key, the access-layer authentication key and received terminal authentication data; the terminal and the access point each generates a secondary access-layer encryption and integrity protection key; and the terminal and the access point can update a primary access-layer key and the access-layer authentication key synchronously at any time, and realizes updating and continuous authentication of the access-layer keys. The key generation and distribution method utilizes the uniqueness, reciprocity and time-varying property of the wireless channel, generates the physical layer keys at the terminal and the access point separately, introduces the physical layer keys into the access-layer keys and the authentication keys, realizes dual authentication of identity and path, and can prevent the attack pattern of acquiring the access-layer keys from a non-access layer.

The invention discloses a random Petri net-based network security risk analysis method, which comprises the following steps of: acquiring related attributes of a network topology structure and property; acquiring and saving threat information and frangibility information of the property; constructing a risk analysis model; simplifying the risk analysis model; acquiring user index information which is needed to be calculated; performing index quantitative analysis and calculation, and the like. The system risk associated analysis in a general information system environment is provided, the problems that the conventional security analysis tool is difficult to discover an unknown attack mode or security hole in the system, cannot perform global security analysis on the system and the like are solved, the comprehensive network risk analysis capacity is greatly improved, and the security of a network information system is effectively guaranteed.

The invention belongs to the technical field of information security, and particularly relates to an automatic intrusion response decision making method based on Q-learning. The method comprises the following steps: scanning system vulnerability, constructing an attack graph, and establishing a network state layer, an attack pattern matching layer and a response measure layer according to the attack graph; establishing a mapping relationship among the network state layer, the attack pattern matching layer and the response measure layer; receiving an intrusion alarm from a network defense device, and mapping the intrusion alarm to a corresponding network state; selecting a defense action according to the mapping relationship, and notifying the system of the result; performing online learning by using the execution result of the defense action, and updating the mapping relationship between the attack pattern matching layer and the response measure layer; and returning to the step of mapping the intrusion alarm to the corresponding network state, and performing automatic response decision marking and online learning, until a defender terminates the defense. By adoption of the automatic intrusion response decision making method based on Q-learning provided by the invention, evaluation of multiple response purposes of the strategy can be achieved, the demand of multiple response purposes can be met, the instantaneity and accuracy of the intrusion detection are improved, the network resource consumption is reduced, and the overall performance of the system is improved.

A method for detecting a network attack in a wireless terminal, including storing, in a pattern database (DB), information about an attack pattern that is determined using a plurality of control bits indicating a type of a socket data packet, receiving a socket data packet of a target selected to be accessed through a wireless communication interface identifying the at least one socket data packet received, and generating a socket access history by extracting the plurality of control bits indicating the type of the socket data packet using the at least one socket data packet identified, and determining whether a network is under attack, using the pattern DB and the socket access history.

Techniques for using honeypots to lure attackers and gather data about attackers and attack patterns on Infrastructure-as-a-Service (IaaS) instances. The gathered data may then be analyzed and used to proactively prevent such attacks.

The invention relates to a multi-step attack prediction method based on a cause-and-effect Byesian network. First of all, a multi-step attack mode in an attack scene sample is mined by use of a frequent mode, the multi-step attack mode is depicted through a cause-and-effect Byesian network mode, based on this, a probability of future attacks is calculated through attack evidence, and thus next-step attack behaviors of network multi-step attacks and attack intensions of attackers can be predicted. According to the invention, a multi-step attack prediction method of manually constructing a network attack structure graph is optimized, the multi-step attack mode is mined automatically based on a frequent sequence mode, by means of the cause-and-effect Byesian network mode, the attack mode is depicted, network parameters are learnt, next-step attacks and the attack attentions are predicted, the attack prediction capability for unknown changing multi-step attack modes is improved, next-step attack means and a final attack attention of the multi-step attacks can be rapidly and accurately predicted, and the method has great realistic significance for safeguarding network and computer information security.

The invention belongs to the field of software security and relates to a software defect based method for quantificationally estimating software credibility. The method comprises steps of: classifying each defect according to a credible definition; confirming attack modes probably existed in each defect; confirming corresponding threaten degree levels of the attack modes in high and low damage degrees by analyzing the damage degree caused by the involved attack modes; selecting corresponding threaten degree with the maximum quantitative degree as the defect damage degree of the defect in each probably existed attack mode of each defect; confirming the level of an impact factor of each defect to the whole software according to the influence degree of each defect to the software; and for some kinds of defects, confirming the credibility metric of the defects according to a credibility metric formula. The method enables a developer to more clearly understand the security problem their software products face and improves the weakness of the product again till the effect is satisfied.

The invention discloses a system-asset-based software security requirement analysis method. The method comprises the following steps of: 1, establishing the corresponding relation between system asset categories and security functional components, and the corresponding relation between assets and threats which may appear among the security functional components, constructing a security knowledge library, classifying system assets, threats and attack modes, and establishing the corresponding relation so as to ensure that the corresponding security components can be determined from the system assets; and 2, acquiring the corresponding security functional components in the security knowledge library aiming at the concrete system development according to the system assets determined by requirement personnel, performing refined selection by security requirement analysts in consideration of concrete technologies and security policies, and describing the finally selected security functional components into a security profile specification. Compared with the prior art, the method has the advantages that requirement analysts who have inadequate security knowledge can quickly perform security requirement analysis, the difficulty of the analysis of security functional requirements is effectively reduced, and the development cost of security requirements is reduced.

The invention relates to a parallel vulnerability mining method based on an open source library and test mining, and belongs to the technical field of computer information safety. The parallel vulnerability mining method comprises the steps that vulnerability data are obtained from the open source library and pre-processed, a vulnerability set is extracted, text vectorization is conducted, the threshold is calculated and parallel vulnerabilities are discovered. The parallel vulnerability mining method has the advantages that on the basis of the open source library, relevant vulnerability information in the same attack mode is extracted, and therefore potential parallel relationships between the vulnerabilities can be analyzed conveniently; text description information of the vulnerabilities are vectorized, and therefore a computer system can conduct intelligent processing on vulnerability recording data conveniently; the method differs from query on the basis of keyword matching in that the similarity between the vulnerabilities is studied according to the threshold obtained through a training set; the parallel relationships between the vulnerabilities can be calculated, so that when it is found that one vulnerability is utilized, the other parallel vulnerabilities are made up rapidly, therefore, the vulnerability of a whole network is made up, the defense capacity is enhanced and great significance for information safety is achieved.

The invention belongs to the technical field of network space security and discloses a social worker attack knowledge representation and excavation method based on an SOEKS. The method includes the steps that social worker knowledge representation based on the SOEKS is designed, and the social worker attack knowledge can be abstracted and shared; the relationship between neutral network excavation attack states and attack methods based on the SOEKS is established, an attack about to occur is subjected to early warning, meta-information about to be changed is subjected to early warning, and a user is reminded of defense in advance; combinations of a large quantity of meta-information and attack methods are excavated, and a new social worker attack mode is discovered. Social worker attacks are subjected to abstract knowledge representation for the first time; abstract social worker attack information based on the SOEKS is conveniently shared and subjected to experience accumulation; through mode excavation of the relationship between the social worker attack states and attack methods, attack steps can be predicted, defense weak links can be disclosed, existing defense is theoretically guided, and dependence on experience is reduced.