CN117827952A - Data association analysis method, device, equipment and medium - Google Patents
- Publication number
- CN117827952A, CN202311865005.6A
- Authority
- CN
- China
- Prior art keywords
- data
- analyzed
- vulnerability
- target
- standard
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/25—Integrating or interfacing systems involving database management systems
- G06F16/258—Data format conversion from or to a database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/21—Design, administration or maintenance of databases
- G06F16/215—Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
- G06F16/90344—Query processing by using string matching techniques
Landscapes
- Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computational Linguistics (AREA)
- Quality & Reliability (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention relates to the technical field of network security, and discloses a data association analysis method, device, equipment and medium, which are used for improving the efficiency, accuracy and effectiveness of association analysis of asset data and vulnerability data. The method comprises the following steps: obtaining data to be analyzed, wherein the data to be analyzed comprises: asset data and vulnerability data to be analyzed; performing normalization processing on the data to be analyzed based on a pre-established standard dictionary library so as to convert nonstandard data in the data to be analyzed into standardized data, integrating redundant data in the data to be analyzed, and deleting abnormal data in the data to be analyzed; and carrying out association analysis on the asset data and the vulnerability data based on the data to be analyzed after the normative processing.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a medium for data association analysis.
Background
As businesses operate for years, businesses continue to accumulate large numbers of assets, not only hardware assets, such as devices, but also soft assets composed of information or resources valuable to the business, such as websites, business systems, software, services, network resources, and so forth.
Currently, vulnerability detection based on asset data is the main means of asset maintenance. After vulnerability data is detected, association analysis must be performed on the asset data and the vulnerability data; existing association analysis methods generally do this by simple character string matching on the field values of the asset data and the vulnerability data.
The above association analysis method has the following drawbacks in practice: (1) association analysis relies on character string matching, so when the data volume is too large the data is highly redundant and the association analysis is inefficient; (2) some field values in the vulnerability data it depends on may be incomplete or wrong, which lowers the accuracy of the association analysis; (3) asset data sources and vulnerability data sources are diverse and complex, and the acquired data may contain some false information, which affects the validity of the association analysis.
In summary, existing methods for association analysis of asset data and vulnerability data are inefficient and inaccurate, and false information that may be present in the data affects the validity of the association analysis.
Disclosure of Invention
The invention provides a data association analysis method, a device, equipment and a medium, which are used for improving the efficiency, accuracy and effectiveness of association analysis of asset data and vulnerability data.
In a first aspect, an embodiment of the present invention provides a data association analysis method, where the method includes:
obtaining data to be analyzed, wherein the data to be analyzed comprises: asset data and vulnerability data to be analyzed;
performing normalization processing on the data to be analyzed based on a pre-established standard dictionary library so as to convert nonstandard data in the data to be analyzed into standardized data, integrating redundant data in the data to be analyzed, and deleting abnormal data in the data to be analyzed;
and carrying out association analysis on the asset data and the vulnerability data based on the data to be analyzed after the normative processing.
As an optional implementation manner, the performing, based on a pre-established standard dictionary library, a normalization process on the data to be analyzed includes:
dividing character strings corresponding to attribute fields and field values in the data to be analyzed respectively to obtain characters to be corrected contained in the character strings;
and carrying out normative processing on the character to be corrected based on the standard dictionary library to obtain a target character contained in the character string.
As an optional implementation manner, the dividing the character strings corresponding to the attribute fields and the field values in the data to be analyzed to obtain the characters to be corrected included in the character strings includes:
matching the characters in the character string with standard field values contained in the standard dictionary library according to sequence by using a first preset algorithm, and if matching is successful, outputting the corresponding standard field values as the characters to be corrected; and/or
labeling and segmenting the character strings by using a second preset algorithm, based on statistics of the standard field values contained in the standard dictionary library, to obtain a plurality of characters to be corrected.
As an optional implementation manner, the first preset algorithm includes at least one of the following algorithms: the forward maximum matching (FMM) algorithm, and a label field discrimination algorithm based on a dictionary tree (trie).
As an optional implementation manner, the second preset algorithm at least includes one of the following algorithms: standard dictionary field labeling segmentation algorithm based on Hidden Markov Model (HMM) and standard dictionary segmentation algorithm based on Maximum Entropy Model (MEM).
As an optional implementation manner, based on the standard dictionary library, performing a normalization process on the character to be corrected to obtain a target character contained in the character string, where the normalization process includes at least one of the following operations:
Matching the character to be corrected with the standard fields in the standard dictionary library, and if the matching is successful, outputting the corresponding standard fields as target characters contained in the character string;
matching the character to be corrected with the standard field value in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field value as a target character contained in the character string;
recording a plurality of characters to be corrected corresponding to the same standard field in the standard dictionary library in a section form;
and deleting the character to be corrected which is not matched with the standard field or the standard field value in the standard dictionary.
As an optional implementation manner, the performing association analysis of the asset data and the vulnerability data based on the data to be analyzed after the normative processing includes:
matching the asset data and the vulnerability data subjected to the normative processing based on at least one first type attribute field, and adding one or more vulnerability data matched with target asset data into a preset set to serve as a vulnerability data set corresponding to the target asset data;
for each vulnerability data set corresponding to target asset data, respectively executing the following operations, and determining an association value of each target vulnerability data in the vulnerability data set and the target asset data:
for the target asset data and one target vulnerability data, matching on at least one second type attribute field, determining the matching value corresponding to each second type attribute field in that target vulnerability data, recording these matching values bit by bit, and taking the recorded result as the association value of that target vulnerability data and the target asset data.
As an optional implementation manner, the matching based on at least one second type attribute field, and determining a matching value corresponding to each second type attribute field in the target vulnerability data includes:
for the field value corresponding to each second type attribute field, if the target asset data and the target vulnerability data match, taking a first value as the corresponding matching value, and if they do not match, taking a second value as the corresponding matching value.
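The association step described above, as an added Python example that is not code from the patent. The split into first type and second type fields, the values 1 and 0 for the first and second value, the bit order, the `vuln_id` key and all sample records are assumptions or constructed data; the asset field names follow Table 1.

```python
# Added illustration: bitwise association value between asset and vulnerability records.
# Field groupings, the 1/0 values and every sample record are assumptions or constructed.

FIRST_TYPE_FIELDS = ("vendor", "name")                 # assumed coarse matching key
SECOND_TYPE_FIELDS = ("version", "os", "os_version")   # assumed fine-grained fields
FIRST_VALUE, SECOND_VALUE = 1, 0                       # assumed match / no-match values


def fields_equal(asset, vuln, field):
    """True only when both records carry the field and the normalized values agree."""
    a, v = asset.get(field), vuln.get(field)
    return a is not None and v is not None and a == v


def candidate_set(asset, vulns):
    """Vulnerability data set for one asset: records equal on every first type field."""
    return [v for v in vulns
            if all(fields_equal(asset, v, f) for f in FIRST_TYPE_FIELDS)]


def association_value(asset, vuln):
    """One bit per second type field, first field in the most significant bit."""
    value = 0
    for field in SECOND_TYPE_FIELDS:
        bit = FIRST_VALUE if fields_equal(asset, vuln, field) else SECOND_VALUE
        value = (value << 1) | bit
    return value


def matched_fields(value):
    """Decode an association value back into the second type fields that matched."""
    width = len(SECOND_TYPE_FIELDS)
    return [f for i, f in enumerate(SECOND_TYPE_FIELDS)
            if (value >> (width - 1 - i)) & 1]


def associate(assets, vulns):
    """Map asset id -> {vulnerability id: association value as a bit string}."""
    width = len(SECOND_TYPE_FIELDS)
    return {
        asset["id"]: {v["vuln_id"]: format(association_value(asset, v), f"0{width}b")
                      for v in candidate_set(asset, vulns)}
        for asset in assets
    }


# Constructed sample records, already normalized (lower case, standard values).
SAMPLE_ASSETS = [
    {"id": 1, "vendor": "examplecorp", "name": "webserver",
     "version": "2.4.1", "os": "linux", "os_version": "5.10"},
    {"id": 2, "vendor": "examplecorp", "name": "dbengine",
     "version": "8.0", "os": "windows", "os_version": "2019"},
]
SAMPLE_VULNS = [
    {"vuln_id": "VULN-EXAMPLE-0001", "vendor": "examplecorp", "name": "webserver",
     "version": "2.4.1", "os": "linux", "os_version": "5.10"},
    {"vuln_id": "VULN-EXAMPLE-0002", "vendor": "examplecorp", "name": "webserver",
     "version": "2.4.1", "os": "windows", "os_version": None},
    {"vuln_id": "VULN-EXAMPLE-0003", "vendor": "examplecorp", "name": "webserver",
     "version": "2.2.0", "os": "linux", "os_version": "5.10"},
    {"vuln_id": "VULN-EXAMPLE-0004", "vendor": "othervendor", "name": "webserver",
     "version": "2.4.1", "os": "linux", "os_version": "5.10"},
]

if __name__ == "__main__":
    for asset_id, vulns in associate(SAMPLE_ASSETS, SAMPLE_VULNS).items():
        for vuln_id, bits in vulns.items():
            print(asset_id, vuln_id, bits, matched_fields(int(bits, 2)))
```

Because each bit position is tied to one field, the association value shows which attributes agreed, not only how many.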
In a second aspect, an embodiment of the present invention provides a data association analysis device, including:
the acquisition unit is used for acquiring data to be analyzed, and the data to be analyzed comprises: asset data and vulnerability data to be analyzed;
The processing unit is used for carrying out normative processing on the data to be analyzed based on a pre-established standard dictionary library so as to convert nonstandard data in the data to be analyzed into standardized data, integrating redundant data in the data to be analyzed and deleting abnormal data in the data to be analyzed;
and the analysis unit is used for carrying out association analysis on the asset data and the vulnerability data based on the data to be analyzed after the normative processing.
As an alternative embodiment, the processing unit is specifically configured to:
dividing character strings corresponding to attribute fields and field values in the data to be analyzed respectively to obtain characters to be corrected contained in the character strings;
and carrying out normative processing on the character to be corrected based on the standard dictionary library to obtain a target character contained in the character string.
As an alternative embodiment, the processing unit is specifically configured to:
matching the characters in the character string with standard field values contained in the standard dictionary library according to sequence by using a first preset algorithm, and if matching is successful, outputting the corresponding standard field values as the characters to be corrected; and/or
labeling and segmenting the character strings by using a second preset algorithm, based on statistics of the standard field values contained in the standard dictionary library, to obtain a plurality of characters to be corrected.
As an optional implementation manner, the first preset algorithm includes at least one of the following algorithms: the forward maximum matching (FMM) algorithm, and a label field discrimination algorithm based on a dictionary tree (trie).
As an optional implementation manner, the second preset algorithm at least includes one of the following algorithms: standard dictionary field labeling segmentation algorithm based on Hidden Markov Model (HMM) and standard dictionary segmentation algorithm based on Maximum Entropy Model (MEM).
As an alternative embodiment, the processing unit is specifically configured to:
matching the character to be corrected with the standard fields in the standard dictionary library, and if the matching is successful, outputting the corresponding standard fields as target characters contained in the character string;
matching the character to be corrected with the standard field value in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field value as a target character contained in the character string;
recording a plurality of characters to be corrected corresponding to the same standard field in the standard dictionary library in a section form;
And deleting the character to be corrected which is not matched with the standard field or the standard field value in the standard dictionary.
As an alternative embodiment, the analysis unit is specifically configured to:
matching the asset data and the vulnerability data subjected to the normative processing based on at least one first type attribute field, and adding one or more vulnerability data matched with target asset data into a preset set to serve as a vulnerability data set corresponding to the target asset data;
for each vulnerability data set corresponding to target asset data, respectively executing the following operations, and determining an association value of each target vulnerability data in the vulnerability data set and the target asset data:
for the target asset data and one target vulnerability data, matching on at least one second type attribute field, determining the matching value corresponding to each second type attribute field in that target vulnerability data, recording these matching values bit by bit, and taking the recorded result as the association value of that target vulnerability data and the target asset data.
As an alternative embodiment, the analysis unit is specifically configured to:
for the field value corresponding to each second type attribute field, if the target asset data and the target vulnerability data match, taking a first value as the corresponding matching value, and if they do not match, taking a second value as the corresponding matching value.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a processor and a memory, where the memory is configured to store a program executable by the processor, and the processor is configured to read the program in the memory and execute the steps of the method described in the first aspect.
In a fourth aspect, embodiments of the present invention also provide a computer storage medium having stored thereon a computer program for carrying out the steps of the method of the first aspect described above when executed by a processor.
In a fifth aspect, the present application provides a computer program product comprising: computer program code which, when run on a computer, causes the computer to perform the method of any of the first aspects.
The embodiment of the invention has the beneficial effects that:
According to the data association analysis method, device, equipment and medium provided by the embodiment of the invention, after the data to be analyzed is acquired, normalization processing is first performed on it based on a pre-established standard dictionary library: nonstandard data in the data to be analyzed is converted into standardized data, redundant data in the data to be analyzed is integrated, and abnormal data in the data to be analyzed is deleted. Association analysis of the asset data and the vulnerability data is then performed based on the data to be analyzed after normalization processing.
These and other aspects of the present application will be more readily apparent from the following description of the embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of an embodiment of a data association analysis method according to the present invention;
FIG. 2 is a flowchart illustrating a specific implementation flow of a data association analysis method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a data association analysis device according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the embodiments of the present invention, the term "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
The application scenarios described in the embodiments of the present invention are intended to explain the technical solutions of the embodiments more clearly and do not limit them; a person of ordinary skill in the art will appreciate that, as new application scenarios appear, the technical solutions provided by the embodiments of the present invention are equally applicable to similar technical problems. In the description of the present invention, unless otherwise indicated, "a plurality" means two or more.
Some of the concepts involved in the embodiments of the present application are described below.
1. Common Platform Enumeration (CPE): a standardized method for describing and identifying the software, operating systems, and hardware devices present among an enterprise's computing assets. It uses Uniform Resource Identifier (URI) syntax, as follows:
cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>
The attributes in this syntax are as follows: part represents the target type, and the allowed values are a (application), h (hardware platform) and o (operating system); vendor represents the vendor of the asset; product represents the asset name; version represents the asset version number; update represents the update package; edition represents the edition; language represents the language.
2. Forward maximum matching (FMM) algorithm: a dictionary-based word segmentation method that scans the input text from left to right and greedily cuts out the longest word at the current position. Its segmentation principle is that the larger the granularity of a word, the more exact the meaning it can represent.
3. Trie, also known as a dictionary Tree, prefix Tree (Prefix Tree), word search Tree, or key Tree, is a multi-way Tree structure.
4. Hidden Markov Model (HMM): a model used to describe a Markov process with hidden, unknown parameters.
5. Normative processing is a process of converting unstructured or semi-structured data into structured data, which enables the data to be managed, stored, and analyzed uniformly by normalizing the format, content, and structure of the data. The method of the normative processing mainly comprises data cleaning, data conversion and data integration. The data cleaning refers to preprocessing the original data, removing repeated, missing or wrong data, and guaranteeing the accuracy and the integrity of the data; data conversion refers to converting data into a specific format or form to meet specific requirements; data integration refers to combining data from different sources and in different formats to form a complete data set.
6. Common Vulnerabilities and Exposures (CVE): CVE is like a dictionary table that gives a common name to widely recognized information security vulnerabilities or weaknesses that have been exposed.
7. China National Vulnerability Database of Information Security (CNNVD): a national information security vulnerability database built, operated and maintained by the China Information Technology Security Evaluation Center in order to carry out its vulnerability analysis and risk assessment functions; it provides basic services for China's information security assurance.
8. The maximum entropy model (Maximum Entropy Model, MEM) is derived from the maximum entropy principle, wherein the maximum entropy principle is one criterion for probability model learning, and the maximum entropy principle considers that the model with the maximum entropy is the best model among all possible probability models when learning the probability model.
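Concepts 2 and 3 combined, as an added Python example that is not code from the patent: forward maximum matching over a raw field value, with a trie holding the standard values so the longest entry at each position is found in one pass, and unmatched text reported separately so it can be dropped. Using the trie inside FMM, the normalization rule (lower case, separators to underscores) and the sample dictionary are assumptions.

```python
# Added illustration: forward maximum matching (FMM) driven by a trie.
import re

END = ""   # marker key; cannot collide with the single-character child keys


class Trie:
    """Prefix tree over the standard field values."""

    def __init__(self, words=()):
        self.root = {}
        for word in words:
            self.insert(word)

    def insert(self, word):
        node = self.root
        for ch in word:
            node = node.setdefault(ch, {})
        node[END] = word

    def longest_prefix(self, text, start):
        """Longest dictionary entry that begins at text[start], or None."""
        node, best = self.root, None
        for i in range(start, len(text)):
            node = node.get(text[i])
            if node is None:
                break
            if END in node:
                best = node[END]     # keep going: a longer entry may still match
        return best


def normalize_raw(raw):
    """Assumed pre-processing: lower case, runs of spaces or hyphens become '_'."""
    return re.sub(r"[\s\-]+", "_", raw.strip().lower())


def fmm_segment(text, trie):
    """Return (matched standard values, unmatched fragments) scanning left to right."""
    tokens, unmatched, run_start, i = [], [], None, 0
    while i < len(text):
        word = trie.longest_prefix(text, i)
        if word is None:
            if run_start is None:
                run_start = i        # open a run of characters with no dictionary match
            i += 1
            continue
        if run_start is not None:
            unmatched.append(text[run_start:i])
            run_start = None
        tokens.append(word)
        i += len(word)               # greedy: jump past the longest match
    if run_start is not None:
        unmatched.append(text[run_start:])
    # Separator-only fragments carry no information; drop them.
    unmatched = [u.strip("_") for u in unmatched if u.strip("_")]
    return tokens, unmatched


# Constructed sample dictionary of standard values.
STANDARD_VALUES = ["microsoft", "windows", "windows_server",
                   "windows_server_2019", "apache", "tomcat"]

if __name__ == "__main__":
    trie = Trie(STANDARD_VALUES)
    for raw in ("Microsoft Windows Server 2019 Datacenter", "Apache-Tomcat", "windows_xp"):
        print(raw, "->", fmm_segment(normalize_raw(raw), trie))
```

The first sample shows the greedy rule: `windows_server_2019` is emitted rather than the shorter `windows`, and `datacenter` is reported as unmatched.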
Before describing the data association analysis method provided in the embodiments of the present application, for convenience of understanding, the following detailed description is first provided for the technical background of the embodiments of the present application.
As businesses operate for years, businesses continue to accumulate large numbers of assets, not only hardware assets, such as devices, but also soft assets composed of information or resources valuable to the business, such as websites, business systems, software, services, network resources, and so forth.
Currently, vulnerability detection based on asset data is the main means of asset maintenance. After vulnerability data is detected, association analysis must be performed on the asset data and the vulnerability data; existing association analysis methods generally do this by simple character string matching on the field values of the asset data and the vulnerability data.
The above association analysis method has the following drawbacks in practice: (1) association analysis relies on character string matching, so when the data volume is too large the data is highly redundant and the association analysis is inefficient; (2) some field values in the vulnerability data it depends on may be incomplete or wrong, which lowers the accuracy of the association analysis; (3) asset data sources and vulnerability data sources are diverse and complex, and the acquired data may contain some false information, which affects the validity of the association analysis.
In summary, existing methods for association analysis of asset data and vulnerability data are inefficient and inaccurate, and false information that may be present in the data affects the validity of the association analysis.
Based on this, this embodiment provides a data association analysis method, device, equipment and medium. After the data to be analyzed is acquired, normalization processing is first performed on it based on a pre-established standard dictionary library: nonstandard data in the data to be analyzed is converted into standardized data, redundant data in the data to be analyzed is integrated, and abnormal data in the data to be analyzed is deleted. Association analysis of the asset data and the vulnerability data is then performed based on the data to be analyzed after normalization processing.
As shown in fig. 1, the implementation flow of the data association analysis method provided in this embodiment is as follows:
step 101, obtaining data to be analyzed, wherein the data to be analyzed comprises: asset data and vulnerability data to be analyzed.
It should be noted that the data to be analyzed includes the asset data to be analyzed and the vulnerability data to be analyzed, and the data to be analyzed is obtained, that is, the asset data to be analyzed and the vulnerability data to be analyzed are obtained.
In specific implementation, when the asset data to be analyzed is acquired, the asset data can be manually input by a user, and also can be acquired from vulnerability scanning equipment of different security manufacturers, and the acquisition mode is not limited in the embodiment of the invention. The specifically acquired asset data may include at least the attribute fields shown in table 1 below.
Asset information field | Chinese name | Field format |
id | Asset ID | Integer |
asset_type | Asset type | String |
name | Product name | String |
class | Product class | String |
vendor | Supplier | String |
version | Product version | String |
os | Operating system type | String |
os_version | Operating system version | String |
device_vendor | Equipment manufacturer | String |
device_type | Device type | String |
device_model | Device model | String |
service_name | Service name | String |
service_protocol | Service protocol | String |
port_number | Port number | Integer |
application_name | Application name | String |
application_version | Application version | String |
TABLE 1
In the specific implementation, when the vulnerability data to be analyzed is acquired, the vulnerability data can be manually input by a user, can be acquired from a vulnerability database of different security manufacturers, and can also be acquired from a CVE vulnerability knowledge base or a CNNVD vulnerability knowledge base, and the acquisition mode is not limited in the embodiment of the invention. The specific obtained vulnerability data may include at least the attribute fields shown in table 2 below.
TABLE 2
In practical application, after the asset data to be analyzed and the vulnerability data to be analyzed are obtained, the asset data to be analyzed and the vulnerability data to be analyzed can be integrated based on the attribute information respectively to construct an asset data resource library to be analyzed and a vulnerability data resource library to be analyzed.
Wherein, the asset data resource base to be analyzed at least comprises: asset databases, operating system databases, application databases, service databases, device databases, and the like. The vulnerability data resource library to be analyzed at least comprises: vulnerability database, CVE vulnerability knowledge base, CNNVD vulnerability knowledge base.
Step 102, performing normalization processing on the data to be analyzed based on a pre-established standard dictionary library so as to convert nonstandard data in the data to be analyzed into standardized data, integrating redundant data in the data to be analyzed, and deleting abnormal data in the data to be analyzed.
It should be noted that the pre-established standard dictionary library is generated from CPE data. Specifically, the different asset fields are first compared and analyzed against the CPE data source, the fields of the standard dictionary library are designed based on the CPE standard fields, and a Structured Query Language (SQL) database is output; the standard dictionary library is then refined from that database for subsequent use.
The CPE standard field is shown in table 3 below:
TABLE 3
The standard dictionary library is generated based on the CPE source data after extraction and conversion, and is a set of values of fields defined in table 3 except id, CPE, type, and is divided into two forms according to requirements:
Form 1, the all-field dictionary: the values of all fields and their value counts form a single dictionary, which is stored and transmitted in JSON form. The format is as follows:
{ "field value 1": value count,
"field value 2": value count,
......}
Form 2, the attribute dictionary: the values of each field form a value set, which is stored and transmitted in JSON form. The key is the attribute field and the value is the value set list, each list element being a two-tuple of a value and its value count. The format is as follows:
{ "Attribute field": [ (field value 1, value count),
(field value 2, value count),
.......]}
In specific implementation, after the standard dictionary library is established, the data to be analyzed can be subjected to normalization processing based on the pre-established standard dictionary library, which specifically comprises the following steps: the character strings corresponding to the attribute fields and the field values in the data to be analyzed are respectively segmented to obtain the characters to be corrected contained in the character strings, and normative processing is performed on the characters to be corrected based on the standard dictionary library to obtain the target characters contained in the character strings.
When the character strings corresponding to the attribute fields and field values in the data to be analyzed are segmented to obtain the characters to be corrected contained in the character strings, the following two scenarios can be distinguished according to the characters contained in the character strings:
Scenario 1, it is determined that the input character string contains standard fields in the standard dictionary library, but the characters contained in the character string still need to be identified.
In this scenario, the first preset algorithm may be used to match the characters in the character string, in sequence, with the standard field values included in the standard dictionary library, and if the matching is successful, the corresponding standard field values are output as the characters to be corrected. The first preset algorithm comprises at least one of the following algorithms: the forward maximum matching (FMM) algorithm, and a label field discrimination algorithm based on a dictionary tree (Trie tree).
Scenario 2, it is determined that the input character string contains standard fields in the standard dictionary library, but the contained standard fields are non-standard, incomplete or erroneous. This scenario can be further subdivided into the following two scenarios:
Scenario 2.1, it is determined that the input character string contains standard fields in the standard dictionary library, and the contained standard fields are incomplete, that is, only part of a standard field is present: characters are missing but not erroneous.
Scenario 2.2, it is determined that the input character string contains standard fields in the standard dictionary library, and the standard fields are both incomplete and erroneous, that is, the input character string contains not only missing characters but also misspelled characters.
In this scenario, the second preset algorithm may be utilized to convert segmentation of the standard field into a character string labeling problem based on statistics of standard field values contained in the standard dictionary library, and label and segment the character string to obtain a plurality of characters to be corrected. The second preset algorithm at least comprises one of the following algorithms: standard dictionary field labeling segmentation algorithm based on Hidden Markov Model (HMM) and standard dictionary segmentation algorithm based on Maximum Entropy Model (MEM).
It should be noted that, if it is determined that the input character string includes both the situation described in scenario 1 and the situation described in scenario 2, or it cannot be determined which of the above situations the input character string matches, the character string may be segmented first with the first preset algorithm and then with the second preset algorithm, or first with the second preset algorithm and then with the first preset algorithm. This sequence is not specifically limited in this application.
In practical application, after a plurality of characters to be corrected are obtained, performing normative processing on the characters to be corrected based on the standard dictionary library to obtain the target characters contained in the character string includes at least one of the following operations:
Operation 1, matching the character to be corrected with the standard fields in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field as a target character contained in the character string.
Operation 2, matching the character to be corrected with the standard field values in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field value as a target character contained in the character string.
In one example, if the character to be corrected is misspelled, for example Linnx, it is replaced with Linux from the standard dictionary library; if the character to be corrected is incomplete, for example Win, it is replaced with the complete character Windows from the standard dictionary library.
Operation 3, recording a plurality of characters to be corrected that correspond to the same standard field in the standard dictionary library in the form of an interval.
In one example, assuming that there are a plurality of characters to be corrected corresponding to the product version, such as versions 0.9, 1.0.dev1, 1.0.dev2, 1.0.c1, 1.0.post1 and 1.1.dev1, the product version may be recorded in interval form as version: [0.9, 1.1.dev1].
Operation 4, deleting the characters to be corrected that do not match any standard field or standard field value in the standard dictionary.
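The segmentation of scenario 1 and operations 2 and 4 above can be sketched as follows. This is an added example, not code from the patent: the dictionary contents and counts are constructed, and the prefix completion and the `difflib` similarity match used for incomplete and misspelled tokens are assumptions standing in for the matching step, which the text does not specify (the HMM and MEM segmenters of scenario 2 are not implemented here).

```python
import difflib

# Constructed "form 2" attribute dictionary: field -> [(standard value, count)].
STANDARD_DICT = {
    "vendor": [("microsoft", 120), ("apache", 80), ("canonical", 15)],
    "product": [("windows", 95), ("linux", 90), ("tomcat", 40),
                ("windows server", 30)],
}
_END = ""  # terminal key; can never collide with a one-character edge


def build_trie(dictionary):
    """Insert every standard value, remembering which field it belongs to."""
    root = {}
    for field, values in dictionary.items():
        for value, _count in values:
            node = root
            for ch in value:
                node = node.setdefault(ch, {})
            node[_END] = field
    return root


def longest_match(root, text, start):
    """Return (end, field) of the longest standard value at text[start:]."""
    node, best = root, None
    for i in range(start, len(text)):
        node = node.get(text[i])
        if node is None:
            break
        if _END in node:
            best = (i + 1, node[_END])
    return best


def fmm_segment(text, root):
    """Forward maximum matching: scan left to right, always taking the
    longest dictionary value; everything else becomes unlabelled tokens."""
    text = text.lower()
    tokens, pending, i = [], "", 0
    while i < len(text):
        hit = longest_match(root, text, i)
        if hit is None:
            pending += text[i]
            i += 1
            continue
        tokens.extend((word, None) for word in pending.split())
        pending = ""
        end, field = hit
        tokens.append((text[i:end], field))
        i = end
    tokens.extend((word, None) for word in pending.split())
    return tokens


def correct(token, field_values, cutoff=0.75):
    """Map a token to a standard value of one field, or None if none fits."""
    counts = dict(field_values)
    if token in counts:                      # already standard
        return token
    # Incomplete but not wrong ("win"): complete to the most frequent value.
    completions = [v for v in counts if v.startswith(token)]
    if len(token) >= 3 and completions:
        return max(completions, key=counts.get)
    # Misspelled ("linnx"): nearest standard value by similarity ratio.
    close = difflib.get_close_matches(token, list(counts), n=1, cutoff=cutoff)
    return close[0] if close else None


def normalize(text, dictionary=STANDARD_DICT):
    """Segment a raw string and return {field: standard value}."""
    root = build_trie(dictionary)
    record = {}
    for token, field in fmm_segment(text, root):
        if field is None:
            for candidate, values in dictionary.items():
                fixed = correct(token, values)
                if fixed is not None:
                    token, field = fixed, candidate
                    break
        if field is not None:  # otherwise operation 4: the token is dropped
            record.setdefault(field, token)
    return record
```

Because the trie walk keeps the longest terminal it has seen, "windows server" wins over "windows" when both are present in the input.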
Step 103, performing association analysis of the asset data and the vulnerability data based on the data to be analyzed after the normative processing.
The correlation analysis of the asset data and the vulnerability data is performed based on the data to be analyzed after the normative processing, that is, the correlation analysis of the asset data and the vulnerability data is performed based on the asset data after the normative processing and the vulnerability data after the normative processing.
When the association analysis is specifically performed, a fuzzy query on the affected software is performed over the asset data and the vulnerability data after the normative processing, matching is performed on the basis of at least one first type attribute field, and one or more vulnerability data matched with the target asset data are added into a preset set to serve as the vulnerability data set corresponding to the target asset data.
It should be noted that the first type attribute field may include, but is not limited to: part, vendor, product, target, etc. And matching the asset data with the vulnerability data based on at least one first type attribute field, screening the asset data and the vulnerability data with the field values matched, and adding one or more vulnerability data matched with the target asset data (any one of the screened asset data) into a preset set to serve as a vulnerability data set corresponding to the target asset data.
Of course, the software version field in the asset data may hold version-interval records. After the asset data is screened, version matching is performed based on the version of the target asset data: if the asset version in the normalized asset data intersects the asset version of the target asset data, the matching is successful, and that asset version in the normalized asset data is selected.
In practical application, after determining the vulnerability data set corresponding to the target asset data, for each vulnerability data set corresponding to the target asset data, the following operations are respectively executed to determine the association value of each target vulnerability data in the vulnerability data set and the target asset data: aiming at the target asset data and the target vulnerability data, matching is carried out on the basis of at least one second type attribute field, the matching value corresponding to each second type attribute field in the target vulnerability data is determined, the matching value corresponding to each second attribute field in the target vulnerability data is recorded according to the bit, and the recorded result is used as the association value of the target vulnerability data and the target asset data.
Wherein, based on at least one second type attribute field, matching is performed, and determining a matching value corresponding to each second type attribute field in one target vulnerability data includes: and aiming at field values corresponding to the attribute fields of each second type, if the target asset data and the target vulnerability data are successfully matched, taking the first numerical value as a corresponding matching value, and if the target asset data and the target vulnerability data are not successfully matched, taking the second numerical value as a corresponding matching value.
It should be noted that the second type attribute field may include, but is not limited to: the first value and the second value may be set arbitrarily, for example, the first value is 1, and the second value is 0, which is not limited in the embodiment of the present invention.
In one example, assuming that the target asset data is a, the corresponding vulnerability sets have vulnerability data B1, vulnerability data B2, and vulnerability data B3, the second type attribute fields have an influence software name (application_name), an influence software version (application_version), a target environment (os), and a target environment version (os_version), and the matching values of the respective attribute fields are recorded in 4-bit binary numbers, the bit numbers of the respective attribute fields when recorded in bits are allocated according to the weight of the respective attribute fields, for example, the target environment (os) is at bit 1, the target environment version (os_version) is at bit 2, the influence software name (application_name) is at bit 3, and the influence software version (application_version) is at bit 4.
If the vulnerability data B1 matches the target environment (os) and influencing software name (application_name) fields of the target asset data a successfully, the matching values of the 1 st bit and the 3 rd bit are set to 1, the matching values of the 2 nd bit and the 4 th bit are set to 0, and at this time, the association value of the vulnerability data B1 and the target asset data a is 1010.
If the vulnerability data B2 is successfully matched with the target environment (os) and target environment version (os_version) fields of the target asset data a, the matching values of the 1 st bit and the 2 nd bit are set to 1, the matching values of the 3 rd bit and the 4 th bit are set to 0, and at this time, the association value of the vulnerability data B2 and the target asset data a is 1100.
If the vulnerability data B3 is successfully matched with the influence software name (application_name) and influence software version (application_version) fields of the target asset data a, the matching values of the 3 rd bit and the 4 th bit are set to 1, the matching values of the 1 st bit and the 2 nd bit are set to 0, and at this time, the association value of the vulnerability data B3 and the target asset data a is 0011.
In practical application, after the association value of each piece of vulnerability data in the vulnerability set corresponding to the target asset data is obtained, the embodiment of the invention can sort the vulnerability data by association value, because a larger association value indicates a higher relevance between the vulnerability data and the target asset data. Sorting vulnerability data B1, B2 and B3 by association value gives the order: vulnerability data B2 (1100, corresponding to decimal 12), vulnerability data B1 (1010, corresponding to decimal 10), vulnerability data B3 (0011, corresponding to decimal 3).
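The interval recording of operation 3, the version-intersection check and the bitwise association value described above can be combined as follows. This is an added example, not code from the patent: the records are constructed, the suffix ordering in `version_key` is an assumption (the text does not define how versions are ordered), exact equality on normalized fields stands in for the fuzzy query, and `vendor` is used as the only first type attribute field.

```python
import re

# Assumed suffix order (PEP 440-like): dev < a < b < c/rc < release < post.
_PHASE = {"dev": -4, "a": -3, "b": -2, "c": -1, "rc": -1, None: 0, "post": 1}
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:\.?(dev|a|b|c|rc|post)(\d+))?$")

# Second type attribute fields, highest weight first (bit 1 is the leftmost bit).
SECOND_TYPE_FIELDS = ["os", "os_version", "application_name",
                      "application_version"]
VERSION_FIELDS = {"os_version", "application_version"}


def version_key(version):
    """Sort key for strings such as 0.9, 1.0.dev1, 1.0.c1, 1.0.post1."""
    m = _VERSION.match(version.strip().lower())
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:   # treat 1.0 like 1
        release.pop()
    return (tuple(release), _PHASE[m.group(2)], int(m.group(3) or 0))


def to_interval(versions):
    """Operation 3: record several versions of one product as [low, high]."""
    ordered = sorted(versions, key=version_key)
    return [ordered[0], ordered[-1]]


def intervals_intersect(a, b):
    """True when the closed intervals [a0, a1] and [b0, b1] overlap."""
    return (version_key(a[0]) <= version_key(b[1])
            and version_key(b[0]) <= version_key(a[1]))


def association_value(asset, vuln):
    """Record one match bit per second type field: 1 on match, 0 otherwise."""
    value = 0
    for field in SECOND_TYPE_FIELDS:
        if field in VERSION_FIELDS:
            matched = intervals_intersect(asset[field], vuln[field])
        else:
            matched = asset[field] == vuln[field]
        value = (value << 1) | int(matched)
    return value


def rank_vulnerabilities(asset, vulns, first_type_fields=("vendor",)):
    """Build the vulnerability set for one asset and sort it by relevance."""
    candidates = [v for v in vulns
                  if all(v[f] == asset[f] for f in first_type_fields)]
    scored = [(v["id"], association_value(asset, v)) for v in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed, already-normalized records mirroring asset A and B1..B3.
ASSET_A = {"vendor": "apache", "os": "linux", "os_version": ["5.4", "5.4"],
           "application_name": "tomcat",
           "application_version": ["9.0.1", "9.0.1"]}
VULNS = [
    {"id": "B1", "vendor": "apache", "os": "linux",
     "os_version": ["6.1", "6.1"], "application_name": "tomcat",
     "application_version": ["10.0", "10.1"]},
    {"id": "B2", "vendor": "apache", "os": "linux",
     "os_version": ["5.0", "5.10"], "application_name": "httpd",
     "application_version": ["2.4", "2.5"]},
    {"id": "B3", "vendor": "apache", "os": "windows",
     "os_version": ["10", "10"], "application_name": "tomcat",
     "application_version": ["9.0", "9.0.5"]},
    {"id": "B4", "vendor": "microsoft", "os": "linux",
     "os_version": ["5.4", "5.4"], "application_name": "tomcat",
     "application_version": ["9.0", "9.0.5"]},
]

if __name__ == "__main__":
    for vuln_id, value in rank_vulnerabilities(ASSET_A, VULNS):
        print(vuln_id, format(value, "04b"), value)
```

B4 matches every second type field but never reaches scoring, because it fails the first type filter that builds the vulnerability set.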
The following describes in detail the specific implementation flow of the data association analysis method provided in the embodiment of the present invention with reference to fig. 2. It should be noted that, before implementing the embodiment of the present invention, a standard dictionary library may be established in advance based on CPE source data and enterprise built-in data.
As shown in fig. 2, a specific implementation flow of the data association analysis method provided by the embodiment of the present invention includes:
Step 201, asset data to be analyzed and vulnerability data to be analyzed are obtained.
It should be noted that the obtained asset data to be analyzed and vulnerability data to be analyzed may be non-standard and non-normalized data.
Step 202, segmenting character strings in fields and field values in asset data to be analyzed and vulnerability data to be analyzed respectively to obtain characters to be corrected.
Step 203, performing normalization processing on the characters to be corrected based on a pre-established standard dictionary library to obtain normalized asset data and normalized vulnerability data.
The asset data after the normative processing and the vulnerability data after the normative processing are standard and normative data.
Performing normative processing on the characters to be corrected based on the standard dictionary library includes at least one of the following operations:
Operation 1, matching the character to be corrected with the standard fields in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field as a target character contained in the character string.
Operation 2, matching the character to be corrected with the standard field values in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field value as a target character contained in the character string.
Operation 3, recording a plurality of characters to be corrected that correspond to the same standard field in the standard dictionary library in the form of an interval.
Operation 4, deleting the characters to be corrected that do not match any standard field or standard field value in the standard dictionary.
Step 204, performing association analysis based on the asset data after the normative processing and the vulnerability data after the normative processing.
According to the data association analysis method provided by the embodiment of the invention, the information entities which are associated with each other in the asset data and the vulnerability data are extracted and converted, the association relation of core information like vulnerability-affected software and version is effectively obtained, and the accuracy of association analysis detection of the asset data and the vulnerability data is improved.
Meanwhile, non-standard and non-normalized asset data to be analyzed and vulnerability data to be analyzed are converted into standard and canonical asset data and vulnerability data, normalization processing is carried out on content that is difficult to associate, such as the parsing of affected software versions, matching values are recorded by bit, and association analysis of the asset data and the vulnerability data is carried out.
Based on the same inventive concept, the embodiment of the present invention further provides a data association analysis device, as shown in fig. 3, including:
an obtaining unit 301, configured to obtain data to be analyzed, where the data to be analyzed includes: asset data and vulnerability data to be analyzed;
the processing unit 302 is configured to perform a normalization process on the data to be analyzed based on a pre-established standard dictionary database, so as to convert nonstandard data in the data to be analyzed into standardized data, integrate redundant data in the data to be analyzed, and delete abnormal data in the data to be analyzed;
and an analysis unit 303, configured to perform association analysis of the asset data and the vulnerability data based on the data to be analyzed after the normative processing.
As an alternative embodiment, the processing unit 302 is specifically configured to:
dividing character strings corresponding to attribute fields and field values in the data to be analyzed respectively to obtain characters to be corrected contained in the character strings;
and carrying out normative processing on the character to be corrected based on the standard dictionary library to obtain the target character contained in the character string.
As an alternative embodiment, the processing unit 302 is specifically configured to:
matching the characters in the character string with standard field values contained in a standard dictionary library according to the sequence by using a first preset algorithm, and if the matching is successful, outputting the corresponding standard field values as characters to be corrected; and/or
labeling and dividing the character strings based on statistics of standard field values contained in the standard dictionary library by using a second preset algorithm to obtain a plurality of characters to be corrected.
As an alternative embodiment, the first preset algorithm includes at least one of the following algorithms: the forward maximum matching (FMM) algorithm, and a label field discrimination algorithm based on a dictionary tree.
As an alternative embodiment, the second preset algorithm includes at least one of the following algorithms: standard dictionary field labeling segmentation algorithm based on Hidden Markov Model (HMM) and standard dictionary segmentation algorithm based on Maximum Entropy Model (MEM).
As an alternative embodiment, the processing unit 302 is specifically configured to:
matching the character to be corrected with the standard field in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field as a target character contained in the character string;
matching the character to be corrected with the standard field value in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field value as a target character contained in the character string;
recording a plurality of characters to be corrected corresponding to the same standard field in the standard dictionary library in interval form;
Deleting characters to be corrected, which are not matched with standard fields or standard field values in the standard dictionary.
As an alternative embodiment, the analysis unit 303 is specifically configured to:
matching the asset data and the vulnerability data subjected to the normative processing based on at least one first type attribute field, and adding one or more vulnerability data matched with the target asset data into a preset set to serve as a vulnerability data set corresponding to the target asset data;
for each vulnerability data set corresponding to the target asset data, the following operations are respectively executed to determine the association value of each target vulnerability data and the target asset data in the vulnerability data set:
aiming at the target asset data and the target vulnerability data, matching is carried out on the basis of at least one second type attribute field, the matching value corresponding to each second type attribute field in the target vulnerability data is determined, the matching value corresponding to each second attribute field in the target vulnerability data is recorded according to the bit, and the recorded result is used as the association value of the target vulnerability data and the target asset data.
As an alternative embodiment, the analysis unit 303 is specifically configured to:
And aiming at field values corresponding to the attribute fields of each second type, if the target asset data and the target vulnerability data are successfully matched, taking the first numerical value as a corresponding matching value, and if the target asset data and the target vulnerability data are not successfully matched, taking the second numerical value as a corresponding matching value.
Based on the same inventive concept, the embodiment of the present invention further provides an electronic device, and because the electronic device is the electronic device in the method in the embodiment of the present invention, and the principle of the electronic device for solving the problem is similar to that of the method, implementation of the electronic device may refer to implementation of the method, and repeated descriptions are omitted.
As shown in fig. 4, the electronic device includes a processor 400 and a memory 401, the memory 401 for storing a program executable by the processor 400, the processor 400 for reading the program in the memory 401 and performing the data association analysis method as any one of the foregoing discussion.
Based on the same inventive concept, embodiments of the present disclosure provide a computer storage medium, the computer storage medium including: computer program code which, when run on a computer, causes the computer to perform the data correlation analysis method as any of the preceding discussion. Since the principle of solving the problem by the computer storage medium is similar to that of the data association analysis method, the implementation of the computer storage medium can refer to the implementation of the method, and the repetition is omitted.
In a specific implementation, the computer storage medium may include: a universal serial bus flash disk (USB, Universal Serial Bus Flash Drive), a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or the like, which can store program codes.
Based on the same inventive concept, the disclosed embodiments also provide a computer program product comprising: computer program code which, when run on a computer, causes the computer to perform a data correlation analysis method as any of the preceding discussion. Since the principle of the solution of the problem of the computer program product is similar to that of the data association analysis method, the implementation of the computer program product can refer to the implementation of the method, and the repetition is omitted.
The computer program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (11)
1. A data association analysis method, comprising:
obtaining data to be analyzed, wherein the data to be analyzed comprises: asset data and vulnerability data to be analyzed;
performing normalization processing on the data to be analyzed based on a pre-established standard dictionary library so as to convert nonstandard data in the data to be analyzed into standardized data, integrating redundant data in the data to be analyzed, and deleting abnormal data in the data to be analyzed;
and carrying out association analysis on the asset data and the vulnerability data based on the data to be analyzed after the normative processing.
2. The method according to claim 1, wherein the normalizing the data to be analyzed based on a pre-established standard dictionary library comprises:
dividing character strings corresponding to attribute fields and field values in the data to be analyzed respectively to obtain characters to be corrected contained in the character strings;
and carrying out normative processing on the character to be corrected based on the standard dictionary library to obtain a target character contained in the character string.
3. The method according to claim 2, wherein the dividing the character strings corresponding to the attribute fields and the field values in the data to be analyzed to obtain the characters to be corrected included in the character strings includes:
Matching the characters in the character string with standard field values contained in the standard dictionary library according to sequence by using a first preset algorithm, and if matching is successful, outputting the corresponding standard field values as the characters to be corrected; and/or
And marking and dividing the character strings by using a second preset algorithm based on statistics of standard field values contained in the standard dictionary library to obtain a plurality of characters to be corrected.
4. A method according to claim 3, wherein the first preset algorithm comprises at least one of the following algorithms: the forward maximum matching (FMM) algorithm, and a label field discrimination algorithm based on a dictionary tree.
5. A method according to claim 3, wherein the second preset algorithm comprises at least one of the following algorithms: standard dictionary field labeling segmentation algorithm based on Hidden Markov Model (HMM) and standard dictionary segmentation algorithm based on Maximum Entropy Model (MEM).
6. The method according to any one of claims 2-5, wherein the normalizing the character to be corrected based on the standard dictionary library to obtain the target character contained in the character string includes at least one of the following operations:
Matching the character to be corrected with the standard fields in the standard dictionary library, and if the matching is successful, outputting the corresponding standard fields as target characters contained in the character string;
matching the character to be corrected with the standard field value in the standard dictionary library, and if the matching is successful, outputting the corresponding standard field value as a target character contained in the character string;
recording a plurality of characters to be corrected corresponding to the same standard field in the standard dictionary library in interval form;
and deleting the character to be corrected which is not matched with the standard field or the standard field value in the standard dictionary.
7. The method according to any one of claims 1-5, wherein the performing the association analysis of the asset data and the vulnerability data based on the normative processed data to be analyzed comprises:
matching the asset data and the vulnerability data subjected to the normative processing based on at least one first type attribute field, and adding one or more vulnerability data matched with target asset data into a preset set to serve as a vulnerability data set corresponding to the target asset data;
for each vulnerability data set corresponding to target asset data, respectively executing the following operations, and determining an association value of each target vulnerability data in the vulnerability data set and the target asset data:
And aiming at the target asset data and one target vulnerability data, matching is carried out on the basis of at least one second type attribute field, the matching value corresponding to each second type attribute field in the one target vulnerability data is determined, the matching value corresponding to each second attribute field in the one target vulnerability is recorded according to the bit, and the recorded result is used as the associated value of the one target vulnerability data and the target asset data.
8. The method of claim 7, wherein the matching based on the at least one second type attribute field, determining a matching value for each second type attribute field in the one target vulnerability data, comprises:
for the field value corresponding to each second type attribute field, if the target asset data and the target vulnerability data are successfully matched, taking a first numerical value as the corresponding matching value, and if the target asset data and the target vulnerability data are not successfully matched, taking a second numerical value as the corresponding matching value.
9. A data correlation analysis device, comprising:
the acquisition unit is used for acquiring data to be analyzed, and the data to be analyzed comprises: asset data and vulnerability data to be analyzed;
the processing unit is used for carrying out normative processing on the data to be analyzed based on a pre-established standard dictionary library so as to convert nonstandard data in the data to be analyzed into standardized data, integrating redundant data in the data to be analyzed and deleting abnormal data in the data to be analyzed;
and the analysis unit is used for carrying out association analysis on the asset data and the vulnerability data based on the data to be analyzed after the normative processing.
10. An electronic device comprising a processor and a memory for storing a program executable by the processor, the processor being adapted to read the program in the memory and to perform the steps of the method according to any one of claims 1-8.
11. A computer storage medium having stored thereon a computer program, which when executed by a processor performs the steps of the method according to any of claims 1-8.
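Added example, not part of the patent text: a minimal Python sketch of the two-stage association described in claims 7 and 8, where first type attribute fields select the vulnerability data set for an asset and second type attribute fields yield a bit-by-bit association value. The field names, the choice of 1 and 0 as the first and second numerical values, the rule that every chosen first type field must be equal, and the sample records are all assumptions made for illustration.

```python
# Added illustration of the two-stage association in claims 7 and 8.
# Field names, the 1/0 matching values and the sample records are assumptions.
FIRST_TYPE_FIELDS = ("vendor", "product")          # coarse join keys (assumed)
SECOND_TYPE_FIELDS = ("version", "os", "service")  # fine-grained keys (assumed)
MATCH, NO_MATCH = 1, 0  # "first" and "second" numerical values (assumed)


def candidate_set(asset, vulns, fields=FIRST_TYPE_FIELDS):
    """Stage 1: build the vulnerability data set for one target asset."""
    return [v for v in vulns
            if all(f in asset and asset[f] == v.get(f) for f in fields)]


def association_value(asset, vuln, fields=SECOND_TYPE_FIELDS):
    """Stage 2: one matching value per second type field, recorded bit by bit.

    A field missing on either side counts as not matched.
    """
    bits = [MATCH if f in asset and asset[f] == vuln.get(f) else NO_MATCH
            for f in fields]
    return "".join(str(b) for b in bits)


def associate(asset, vulns):
    """Map each candidate vulnerability id to its association value."""
    return {v["id"]: association_value(asset, v)
            for v in candidate_set(asset, vulns)}


# Constructed sample data, assumed to be already normalized to standard values.
ASSET = {"vendor": "examplecorp", "product": "webserver",
         "version": "2.4.1", "os": "linux", "service": "http"}
VULNS = [
    {"id": "VULN-A", "vendor": "examplecorp", "product": "webserver",
     "version": "2.4.1", "os": "linux", "service": "http"},
    {"id": "VULN-B", "vendor": "examplecorp", "product": "webserver",
     "version": "2.2.0", "os": "linux", "service": "https"},
    {"id": "VULN-C", "vendor": "othercorp", "product": "webserver",
     "version": "2.4.1", "os": "linux", "service": "http"},
]

if __name__ == "__main__":
    for vuln_id, value in associate(ASSET, VULNS).items():
        print(vuln_id, value)
```

Each position in the association value corresponds to one second type field in order, so a reader can see which attributes agreed without re-running the comparison.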
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311865005.6A CN117827952A (en) | 2023-12-29 | 2023-12-29 | Data association analysis method, device, equipment and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311865005.6A CN117827952A (en) | 2023-12-29 | 2023-12-29 | Data association analysis method, device, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117827952A true CN117827952A (en) | 2024-04-05 |
Family
ID=90507444
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311865005.6A Pending CN117827952A (en) | 2023-12-29 | 2023-12-29 | Data association analysis method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117827952A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118364476A (en) * | 2024-06-19 | 2024-07-19 | 鹏城实验室 | Vulnerability-associated product data processing method, device, equipment and storage medium |
-
2023
- 2023-12-29 CN CN202311865005.6A patent/CN117827952A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11848913B2 (en) | Pattern-based malicious URL detection | |
CN106033416B (en) | Character string processing method and device | |
US20180181646A1 (en) | System and method for determining identity relationships among enterprise data entities | |
CN111262730B (en) | Method and device for processing alarm information | |
CN113760891B (en) | Data table generation method, device, equipment and storage medium | |
CN116149669B (en) | Binary file-based software component analysis method, binary file-based software component analysis device and binary file-based medium | |
CN113609261A (en) | Vulnerability information mining method and device based on knowledge graph of network information security | |
CN117827952A (en) | Data association analysis method, device, equipment and medium | |
CN113688240A (en) | Threat element extraction method, device, equipment and storage medium | |
US9600644B2 (en) | Method, a computer program and apparatus for analyzing symbols in a computer | |
CN116841779A (en) | Abnormality log detection method, abnormality log detection device, electronic device and readable storage medium | |
US11604923B2 (en) | High volume message classification and distribution | |
CN117873905B (en) | Method, device, equipment and medium for code homology detection | |
CN112612810A (en) | Slow SQL statement identification method and system | |
CN116821903A (en) | Detection rule determination and malicious binary file detection method, device and medium | |
CN114021116B (en) | Construction method of homologous analysis knowledge base, homologous analysis method and device | |
CN116578700A (en) | Log classification method, log classification device, equipment and medium | |
US11789982B2 (en) | Order independent data categorization, indication, and remediation across realtime datasets of live service environments | |
CN109446516B (en) | Data processing method and system based on theme recommendation model | |
CN114860673B (en) | Log feature identification method and device based on dynamic and static combination | |
CN118427842B (en) | LLM-based SAST vulnerability rapid analysis method, device and equipment | |
CN113138936B (en) | Data processing method, device, storage medium and processor | |
CN116136866B (en) | Knowledge graph-based correction method and device for Chinese news abstract factual knowledge | |
CN112989793B (en) | Article detection method and device | |
US20240259183A1 (en) | Similarity hashing of binary file feature sets for clustering and malicious detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||