31 results about "Threatening behaviour" patented technology

A system and method is provided to monitor user and system behavior associated with computer and network activity to determine deviations from normal behavior that represent a potential cyber threat or cyber malicious activity. The system and method uses a multi-factor behavioral and activity analysis approach to determine when a trusted insider might be exhibiting threatening behavior or when a user's computer or network credentials have been compromised and are in use by a third-party. As a result, changes in insider behavior that could be indicative of malicious intent can be detected, or an external entity masquerading as a legitimate user can be detected.

According to the data processing method for coping with the cloud computing office threats and the server provided by the invention, when a derivative dynamic threat event relationship network is determined, threat behavior event expressions do not need to be frequently updated, so that the execution complexity is weakened to a certain extent; in combination with the periodic characteristics of the collaborative office staged task description content, the information scale of the specified threat distribution template set determined in advance is relatively small; the data processing server is combined with the potential office resource threat description content of the to-be-processed collaborative office activity data to timely position the target threat behavior event expression from the specified threat distribution template set; and accurately and timely determining a derivative dynamic threat event relationship network which satisfies a set relationship with the to-be-processed collaborative office activity data by means of the target threat behavior event expression and the specified basic collaborative office threat distribution.

The invention relates to a network security protection method based on XDR telephone bill data. The method comprises that: abnormal behaviors of users are identified according to XDR telephone bill data, network security protection is performed then, and identification for the abnormal behaviors of the users Specifically comprises, according to the indexes of the XDR telephone bill data, identifying the abnormal behaviors of the users, wherein the indexes comprise signaling connection times, air interface time, flow, destination or source IP, destination or source port number, data packet number and / or application service type, and the user abnormal behaviors comprise threat behaviors of a network to a user, threat behaviors of the user to the Internet and abuse behaviors of the user to wireless resources. Compared with the prior art, the abnormal behaviors of the wireless user network are effectively monitored, then network security protection measures are taken, bad behaviors of thenetwork are purified, a green and safe network environment is achieved, and the method has the advantages of being wide in recognition range, effective and the like.

The invention discloses a security alarm threat research and judgment method and device, belonging to the technical field of network security. The method includes: constructing a network security intelligence knowledge graph based on historical intelligence database data, forming a security alarm correlation subgraph of security alarm data on this basis, performing entity threat coefficient calculation on the security alarm correlation subgraph, and obtaining the information of each threat entity element. The entity threat coefficient comprehensively calculates the security alarm threat degree of the security alarm data. The present invention applies the knowledge map technology to the field of threat intelligence, builds a network security intelligence knowledge map based on historical intelligence database data, and makes full use of the historical threat behavior of threat entity elements in the threat research and judgment of security alarms, making the judgment results more accurate.

The present invention proposes a heuristic detection method, system, and storage medium for nested files. The method includes: splitting the obtained nested files; Regularized processing, sorting into knowledge data; matching the knowledge data with the knowledge base; if the matching is successful, the nested class file is malicious, output the detection result, and end the detection; otherwise, the nested class file that has not been matched successfully file for malicious analysis. The present invention does not need complex logical analysis, nor does it need a virtual environment to dynamically execute scripts, but performs heuristic detection based on the nature of threatening behaviors that will occur in abnormal environments based on nested class files, which can effectively improve detection speed, accuracy, etc.

The present invention provides a function-impaired network security threat identification device and an information system, the device comprising: a threat behavior judgment definition module, a threat initiator identification module, a threat action asset identification module, a threat path identification module, and a threat capability identification module , a threat occurrence frequency identification module and a threat occurrence timing identification module. The function-impaired network security threat identification device provided by the present invention can comprehensively and accurately identify the function-impaired network security threat, so as to accurately analyze and calculate the risks brought by the function-impaired network security threat; and the present invention provides The information system can accurately take different levels of risk protection measures for different levels of risk of function-damaging network security threats, which improves the security protection performance of the information system provided by the present invention.

The invention discloses a drag-and-drop-based method and device for associated playback of privileged threat behavior tracks, which are applied to a privileged account threat analysis system. The method includes: A) accessing privileged account session log data, accessing privileged account terminal operation audit log data; B) process the privileged account session log data and the privileged account terminal operation audit log data; C) visualize the indicators of various dimensions related to the abnormal behavior of the privileged threat into draggable field blocks; D) drag and drop the Select the relevant dimension index by dragging; E) Select the track playback time range according to the needs; F) Associate the selected dimension index with the track playback time range to restore the track of privileged threat abnormal behavior. The invention enables relevant personnel who do not understand technology or are not deep in technology to quickly realize the trajectory playback analysis of privilege threat abnormal behavior through a simple mouse dragging and combining method, thereby improving timeliness and ease of use.

This application provides a threat processing method, device, electronic equipment, and computer-readable storage medium. The method is applied to the target node of the cloud platform, including: grabbing its own network interaction data stream; extracting from the network interaction data stream Data flow characteristics; input data flow characteristics into the pre-trained threat behavior detection model to determine whether there is currently a threat behavior, and when there is a threat behavior, the type of threat behavior that exists; when there is a threat behavior, from the preset In the defense strategy, determine the target defense strategy corresponding to the type of threat behavior, and execute the target defense strategy. This realizes the monitoring and handling of network threats to the cloud platform itself, and strengthens the security protection of the cloud platform.

The invention provides a mining method for discovering a dependency relationship between threat behaviors, a terminal and a storage medium, and the method comprises the steps: collecting log files ofall users a in a system, cleaning and arranging data in the log files, forming an employee behavior set S = {behai}, and carrying out the statistics of the time span wt in the set S; counting a behavior occurrence probability P (behai) and a behavior co-occurrence probability P (behai, behaj) based on S and wt; calculating dependency relationship values depai, aj based on the two probabilities, wherein the depai, aj reflects the dependency degree of the behavior behai on the behavior behaj; constructing an attack dependence matrix M according to all depai and aj, wherein the matrix M reflectsthe dependence relationship between every two of all behaviors of one employee; and obtaining an attack behavior path pahag -> ak through the M, wherein the pahag -> ak represents a series of completeattack actions which are most likely to occur. According to the method, the potential relationship among employee behaviors is found out, and the dependency relationship is quantified. Enterprises can quickly find out two behaviors with the closest relationship through the dependency relationship numerical value, early warning is conducted on threat behaviors according to a preset danger threshold value, and the enterprises are prevented from suffering from some threat attacks from the inside.

The invention discloses a method and a device compatible with structured and unstructured privilege threat behavior data. The method comprises the following steps: accessing privilege account sessionlog data and privilege account terminal operation audit log data; planning classified storage indexes for the privileged account session log data and the privileged account terminal operation audit log data as required, wherein the classified storage indexes comprise a structured log data structure and an unstructured log data structure; respectively defining corresponding analysis templates for the structured log data structure and the unstructured log data structure, and manually updating the analysis templates as required; according to the analysis template, carrying out isomorphism processing on various abnormal log data; and associating various types of heterogeneous privilege threat abnormal behavior data as required, and detecting privilege threat abnormal behaviors. According to the method, various heterogeneous log data can be accessed and analyzed in a perfect adaptation manner, and a guarantee is provided for subsequent privilege threat abnormal behavior detection and analysis, so that the risk of loss caused by privilege threat abnormal behaviors of enterprises is reduced to the minimum.

The present invention provides a mining method, a terminal and a storage medium for discovering dependencies between threat behaviors, collects log files of all users a in the system, cleans and organizes the data in the log files, and forms an employee behavior set S={ beh ai }, the time span w in the statistical set S t ; based on S and w t The probability of occurrence of statistical behavior P(beh ai ) and the behavior co-occurrence probability P(beh ai ,beh aj ); calculates the dependency value dep based on the two probabilities ai,aj , dep ai,aj reflects the behavior beh ai on behavior beh aj degree of dependence; according to all dep ai,aj Construct the attack dependency matrix M, which reflects the dependency between all behaviors of an employee; the attack behavior path path is obtained from M ag→ak , path ag→ak Represents a complete, most likely series of attack actions. The present invention finds potential connections between employee behaviors and quantifies such dependencies. Enterprises can quickly find out the two most closely related behaviors through the value of the dependency relationship, and warn the threat behavior according to the pre-specified risk threshold to prevent the enterprise from being attacked by some internal threats.

The embodiment of the invention provides a real-time detection method and system based on threat behaviors, and is applied to the technical field of computer security management. Application semantics are selected according to occurrence scenes of threat events, and a semantic rule template or a semantic rule configuration file is formed through sorting and combination according to analysis strategies of the threat events. And generating a semantic rule object tree according to the semantic rule template or the semantic rule configuration file, wherein the semantic rule object tree comprises nodes corresponding to application semantics in the semantic rule template. And finally, according to the semantic rule object tree, generating a directed acyclic graph used for checking a target behavior feature log corresponding to the threat event step by step. When the threat event is changed, the semantic rule template or the semantic rule configuration file can be redefined to generate a new semantic rule object tree, and the directed acyclic graph is updated to detect the target behavior feature log corresponding to the changed threat event in real time, so that the problem that the static network analysis of the threat event lacks timeliness is solved.

The present application provides a method, device, electronic device and storage medium for threat behavior detection and model establishment, and relates to the technical field of network security. The method for establishing a threat behavior detection model includes: creating a training set and a verification set based on the attribute features and behavior features in the user data set; calling the LGBMClassifier interface to instantiate the model, and setting the model parameters of the instantiated model through the interface; The interface instantiation model is trained to obtain a threat behavior detection model based on LightGBM. The detection model is used to output the illegal probability based on the input detection features. The detection features include the attribute features and behavior features of the user to be detected. Threat behavior detection through the threat behavior detection model does not need to set a separate detection model for each user, and the LightGBM algorithm has the characteristics of parallel computing, which improves the detection efficiency and reduces its consumption of computing resources.

The embodiment of the invention discloses a threat behavior processing method, device and equipment based on a block chain as well as a storage medium, applied to electronic equipment including a firewall. The threat behavior processing based on the block chain comprises the following steps: analyzing a suspected data flow of a threat behavior, and acquiring data features of the suspected data flow; extracting recorded threat behavior features in the block chain, wherein the block chain is shared among multiple firewalls; and based on the data features and the threat behavior features, forminga judgment result, wherein the data features are used for updating the block chain when the suspected data flow is determined to be the data flow of the threat behavior. In the embodiment, based on the threat behavior features recorded in the block chain, the firewalls can be assisted to further determine whether the suspected data flow which can not be precisely identified by the firewalls basedon the current attack rules is a data flow of an attack behavior, an information barrier among the firewalls is broken, and interception capability of a single firewall and all the firewalls on the threat behavior is improved, so that security capability is improved.

The embodiments of the present application provide a real-time detection method and system based on threat behavior, which are applied to the technical field of computer security management. By selecting the application semantics according to the occurrence scene of the threat event, according to the analysis strategy of the threat event, sorting and combining them into a semantic rule template or a semantic rule configuration file. Then, a semantic rule object tree is generated according to the semantic rule template or the semantic rule configuration file, and the semantic rule object tree includes nodes corresponding to the application semantics in the semantic rule template. Finally, according to the semantic rule object tree, a directed acyclic graph is generated for checking the target behavior feature log corresponding to the threat event step by step. When the threat event changes, the semantic rule template or semantic rule configuration file can also be redefined to generate a new semantic rule object tree, and the directed acyclic graph can be updated to detect the target behavior feature log corresponding to the changed threat event in real time. Solve the problem of lack of timeliness of static network analysis threat events.

Embodiments of the present invention provide a method and system for monitoring internal threat behaviors in a virtual network. The method includes: acquiring a tenant's normal behavior request, and constructing a trusted level calling model based on the normal behavior request; collecting the tenant's actual behavior request, and if it is detected that the tenant performs a virtual network management configuration operation, based on the collected actual behavior request information, The actual invocation process model is generated through behavior tracing; the actual invocation process model and the trusted-level invocation model are matched to obtain the behavior matching result. According to the matching result, it is judged whether the actual behavior request is a malicious attack behavior, and the matching result is fed back to the tenant. In the embodiment of the present invention, by adopting a behavior tracing and monitoring method for internal security threats and combining behavior matching, on the basis of a credible hierarchical association model, the actual behavior is compared with the credible behavior model, and feedback is realized, so as to realize the internal security Risk monitoring to ensure the security of virtual networks in the cloud environment.