32 results about "Threatening behaviour" patented technology

The invention belongs to the technical field of computers, and discloses an alarm log processing method and device, equipment and a storage medium. The method comprises: determining threat behavior information and the alarm identification information according to the alarm log of the target device; obtaining an alarm accumulated score and an event generation threshold corresponding to the alarm identification information, and determining an alarm type and a threat level corresponding to the alarm log according to the threat behavior information; adjusting the alarm accumulated score according to the alarm type and the threat level to obtain a current alarm score; and if the current alarm score is greater than or equal to an event generation threshold, generating an alarm event according to the alarm type and the alarm identification information, and displaying the alarm event. The alarm accumulated score is accumulated according to the alarm log, and the alarm event is generated and displayed when the alarm accumulated score is greater than or equal to the event generation threshold value, so that a manager does not need to pay attention to a complex log, and can quickly respond to a network security event according to the alarm event.

The invention provides a threat processing method and device, electronic equipment and a computer readable storage medium, and the method is applied to a target node of a cloud platform, and comprises the steps: capturing a self network interaction data flow; extracting data flow characteristics from the network interaction data flow; inputting the data flow features into a pre-trained threat behavior detection model, and determining whether a threat behavior exists at present or not and the type of the existing threat behavior when the threat behavior exists; and when the threat behavior exists, determining a target defense strategy corresponding to the threat behavior type from preset defense strategies, and executing the target defense strategy. Therefore, the monitoring and disposal of the network threat of the cloud platform are realized, and the security protection of the cloud platform is enhanced.

The invention relates to an Android application threat disposal method and a safety monitoring probe. The method comprises the steps: carrying out the abnormal environment monitoring and HOOK monitoring of an Android application in a preset time period, and correspondingly obtaining the environment abnormal behavior and sensitive behavior of the Android application in the preset time period; generating a threat behavior sequence of the Android application in the preset time period based on the environment abnormal behavior and the sensitive behavior of the Android application in the preset time period; and based on the threat behavior sequence of the Android application in the preset time period, performing threat disposal on the Android application. According to the technical scheme provided by the invention, the abnormal behavior of the Android application environment and the sensitive behavior of the application are jointly monitored, so that the threat disposal operation of the Android application is accurately executed, and the safety risk of the Android application is reduced.

The invention discloses a virtual platform threat behavior analysis method and system based on KNN, and belongs to the field of network security, and the method comprises the steps: firstly, extracting memory data in a virtual platform; analyzing the memory data to obtain threat source data; finally, identifying threat software of the threat source data by using a K-nearest algorithm, and if the threat software does not exist, ending the algorithm; if the threatening software exists, finishing the behavior reduction of the threatening software by utilizing a clue database, and ending the algorithm; according to the method, clue data can be collected based on the outside of the VMware Vshpere virtual platform, clue coverage cannot be generated in the virtual platform, and the clue data cannot be deceived by threatening software; full-automatic analysis is peformed on the threat clues through the K-nearest algorithm, and the analysis efficiency of the threat behaviors is improved.

The invention discloses a threat vulnerability decision-making method based on information security big data and an information security system, and the method comprises the steps: considering a threat intelligence chain expressed by a penetration relation between behavior track nodes in a historical threat behavior model according to chain intelligence formed through the arrangement of multiple types of historical threat behavior information; the threat penetration vulnerability decision is performed according to the threat intelligence chain, so that the situation that vulnerability decision errors exist due to the fact that threat penetration vulnerability decision is performed by only considering the triggering activity of the threat behavior in the traditional scheme can be improved, and the decision accuracy of the threat penetration vulnerability between the threat protection activity and the sensitive service request activity is improved; therefore, the effectiveness of subsequent safety protection reinforcement is improved.

The invention provides a threat behavior detection and model establishment method and a device, electronic equipment and a storage medium, and relates to the technical field of network security. The threat behavior detection model establishment method comprises the steps of establishing a training set and a verification set based on attribute features and behavior features in a user data set; calling an LGBMClassifier interface instantiation model, and setting model parameters of the interface instantiation model; and training the interface instantiation model based on the training set and theverification set to obtain a LightGBM-based threat behavior detection model; the detection model is used for outputting an illegal probability based on an input detection feature, and the detection feature comprises an attribute feature and a behavior feature of a to-be-detected user. Threat behavior detection is performed through the threat behavior detection model without setting a separate detection model for each user, and the LightGBM algorithm has the characteristic of parallel calculation, so that the detection efficiency is improved, and the consumption of computing resources is reduced.

The invention discloses a dragging-based privileged threat behavior track associated playback method and device, being applied to a privileged account threat analysis system. The dragging-based privileged threat behavior track associated playback method comprises the following steps: A) accessing privileged account session log data, and accessing privileged account terminal operation audit log data; B) processing the privileged account session log data and the privileged account terminal operation audit log data; C) visualizing each dimension index related to privilege threat abnormal behaviors into a draggable field block; D) selecting related dimension indexes through a mouse dragging mode according to needs; E) selecting a track playback time range as required; and F) associating the selected dimension index with the trajectory playback time range, and restoring the privileged threat abnormal behavior trajectory. According to the dragging-based privileged threat behavior track associated playback method, even related personnel who do not understand technologies or are not deep in technologies can rapidly achieve track playback analysis of privilege threat abnormal behaviors in asimple mouse dragging combination association mode, and timeliness and usability are improved.

The invention relates to a network security protection method based on XDR telephone bill data. The method comprises that: abnormal behaviors of users are identified according to XDR telephone bill data, network security protection is performed then, and identification for the abnormal behaviors of the users Specifically comprises, according to the indexes of the XDR telephone bill data, identifying the abnormal behaviors of the users, wherein the indexes comprise signaling connection times, air interface time, flow, destination or source IP, destination or source port number, data packet number and / or application service type, and the user abnormal behaviors comprise threat behaviors of a network to a user, threat behaviors of the user to the Internet and abuse behaviors of the user to wireless resources. Compared with the prior art, the abnormal behaviors of the wireless user network are effectively monitored, then network security protection measures are taken, bad behaviors of thenetwork are purified, a green and safe network environment is achieved, and the method has the advantages of being wide in recognition range, effective and the like.

The invention provides a threat behavior analysis method based on big data analysis and a server, and the method comprises the steps: determining updated second to-be-analyzed session behavior data through first to-be-analyzed session behavior data and second to-be-analyzed session behavior data; the accuracy and reliability of the first threat behavior recognition result determined through the first to-be-analyzed session behavior data and the updated second to-be-analyzed session behavior data are better than those of the threat behavior recognition result determined through the first to-be-analyzed session behavior data and the second to-be-analyzed session behavior data; in this way, threat behavior recognition processing can be accurately and credibly realized as much as possible through limited to-be-analyzed session behavior data, so that the recognition efficiency of threat behaviors is improved, and the operation pressure of a big data analysis server is reduced.

The invention belongs to the technical field of network security, and discloses a method, a device and equipment for testing family confidence of a machine, and a storage medium. The method comprises the steps of obtaining sample information of a suspected test machine sample; matching the sample information with each matching rule in a family matching rule set corresponding to the target advanced threat behavior body family to obtain a rule matching result; and determining family confidence scores of the suspected test machine sample and the target advanced threat behavior body family according to a rule matching result. As the family matching rule set is preset, real-time setting is not needed, the matching efficiency is high, the family confidence score can be quickly determined, and then the possibility that the suspected test machine sample belongs to the target advanced threat behavior body family can be judged through the family confidence score; whether the suspected test machine sample is the advanced threat behavior body or not can be judged according to the possibility that the suspected test machine sample belongs to the target advanced threat behavior body family, so that whether the suspected test machine sample is the advanced threat behavior body or not can be quickly identified.

The invention belongs to the technical field of network security, and discloses a data noise reduction method and device based on sample dimensions, equipment and a storage medium. According to the method, sample features corresponding to all suspected test machine samples in a suspected test machine sample set are obtained, the sample features are matched with a sample organization rule, a corresponding sample family is obtained, and then the incidence relation between the sample family and an advanced threat behavior body is obtained; and performing noise reduction processing on the suspected test machine sample set according to the association relationship. According to the method, the sample features of the suspected test machine samples are matched with the sample organization rules to obtain the corresponding sample family, so that the suspected test machine sample set can be quickly de-noised according to the incidence relation between the sample family and the advanced threat behavior body; and the samples with relatively low possibility that the suspected test machine samples are test machine samples are cleared, so that the loss of computing resources is reduced, the sample analysis speed is increased, and the sample analysis difficulty is reduced.

The invention provides a mining method for discovering a dependency relationship between threat behaviors, a terminal and a storage medium, and the method comprises the steps: collecting log files ofall users a in a system, cleaning and arranging data in the log files, forming an employee behavior set S = {behai}, and carrying out the statistics of the time span wt in the set S; counting a behavior occurrence probability P (behai) and a behavior co-occurrence probability P (behai, behaj) based on S and wt; calculating dependency relationship values depai, aj based on the two probabilities, wherein the depai, aj reflects the dependency degree of the behavior behai on the behavior behaj; constructing an attack dependence matrix M according to all depai and aj, wherein the matrix M reflectsthe dependence relationship between every two of all behaviors of one employee; and obtaining an attack behavior path pahag -> ak through the M, wherein the pahag -> ak represents a series of completeattack actions which are most likely to occur. According to the method, the potential relationship among employee behaviors is found out, and the dependency relationship is quantified. Enterprises can quickly find out two behaviors with the closest relationship through the dependency relationship numerical value, early warning is conducted on threat behaviors according to a preset danger threshold value, and the enterprises are prevented from suffering from some threat attacks from the inside.

The invention discloses an electric power information threat context awareness and defense system based on big data. The system comprises a power grid big data information acquisition module, a power grid big data storage module, an information threat feature extraction module, a context awareness module, a protection monitoring module and a response processing module. Wherein the power grid big data information acquisition module is used for acquiring power grid threat information; the power grid big data storage module is used for storing power grid threat intelligence; the information threat feature extraction module is used for extracting operation features of current power grid threat intelligence and realizing extraction of threat feature information; the context awareness module generates a threat behavior warning according to the threat feature information extracted by the information threat feature extraction module; the protection monitoring module is used for blocking threat behaviors; and the response processing module is used for studying and judging the threat behavior, obtaining evidence and feeding back the threat behavior to the context awareness module. The method provides powerful guarantee for information security of power systems, communication systems and the like, and has a good application effect.

The invention provides a script dynamic execution monitoring method and device, electronic equipment and a storage medium, and the method comprises the steps: in a process that a Windows script host process executes a script, a hook function preset in a script engine monitors the call of the script engine to a target function; the hook function obtains information of the target function and transmits the information of the target function to a threat behavior recognition engine, so that the threat behavior recognition engine performs security detection on the information of the target function; and receiving a security detection result of the target function, and processing the target function based on the security detection result. According to the method, the target function called by the script engine is obtained through the preset hook function, and the target function information is detected through the threat behavior recognition engine, so that the security protection monitoring capability on malicious script execution is greatly improved.

The invention discloses an industrial robot system security threat evaluation method based on time-sharing frequency. The method comprises the following steps of: S1, recognizing potential threats of an industrial robot system according to system logs, historical behaviors and other information, classifying the threats according to a threat expression form, and determining a threat subject and a threat approach; S2, aiming at a threat behavior selected by the industrial robot system, counting occurrence frequency of the threat behavior in a historical period, and forming a threat frequency sequence diagram of the industrial robot system; S3, performing segmentation processing on the total statistical time of the occurrence frequency of the threat behavior, selecting multiple experts to evaluate the threat frequency, and sequentially evaluating the threat frequency in different time periods by each expert; and S4, calculating a threat frequency evaluation result trust weight of each expert, forming a threat frequency vector, and realizing threat assignment of the industrial robot system. According to the method, security threat evaluation can be carried out on the industrial robot system with a relatively long historical security threat behavior record.

The embodiment of the invention provides a method and a system for monitoring threat behaviors in a virtual network. The method comprises: acquiring a tenant normal behavior request, and constructinga credible level calling model based on the normal behavior request; collecting actual behavior requests of the tenants, and if it is monitored that the tenants carry out virtual network management configuration operation, generating an actual call process model through a behavior tracing mode based on the collected actual behavior request information; and matching the actual call process model with the trusted level call model to obtain a behavior matching result, judging whether the actual behavior request is a malicious attack behavior or not according to the matching result, and feeding back the matching result to the tenant. According to the embodiment of the invention, by adopting a behavior tracing and monitoring method for internal security threats and combining behavior matching,on the basis of a credible hierarchical association model, an actual behavior is compared with a credible behavior model, and feedback is realized, so that internal security risk monitoring is realized, and the security of a virtual network in a cloud environment is ensured.

The invention belongs to the field of network data security, and relates to a semi-automatic anti-crawling system based on behavior characteristics, which comprises an ETL processing unit, a behavioranalysis and management unit, a log analysis engine and a request protection processing unit, wherein the ELT processing unit is used for carrying out ETL (Extract Transform and Load) processing on request information of a request initiated by a user side to obtain UID (Uniform Identifier) and URI (Uniform Resource Identifier) data; the behavior analysis and management unit performs deduplicationprocessing on the received URI data by taking the received URI as a main key aggregation to generate a behavior set and statistical indexes related to a service scene;, takes the behavior set as a main key aggregation, and generates an analysis view to judge whether the behavior set is threatened or not; manages the threat behavior set,and if it is judged that the behavior set is the threat behavior set, records and tracks the threat behavior set, automatically generates a disposal strategy parameter according to the behavior set access frequency, the URI data type and the URI data quantity, and pushs the disposal strategy parameter to a database for crawler real-time monitoring.